Timeline for PCI DSS 4.0 Compliance – First Steps


As we’ve been writing, PCI DSS 4.0 is upon us. We’ve discussed some of the broader changes around the newer versions, but we have yet to dig deeper into the timeline for version 4.0.

This article will discuss the preliminary steps you can take to prepare for the update. With a focus on understanding your IT infrastructure and the impact of the regulations on how you can use it, you can start to get your feet wet with the new standards and some of the curveballs they might throw at you. 

 

What Is PCI DSS 4.0?


Without getting bogged down in the specifics, PCI DSS 4.0 is the long-awaited update to the PCI DSS standard. After several timeline adjustments over the past few years, the industry is finally moving past version 3.2.1 to a more modern set of requirements that can address newer technologies such as cloud-hosted eCommerce and mobile devices. 

Some of the major changes in PCI DSS 4.0 include:

  • Widespread Updates to Requirements: The core 12 requirements have been broadly revised, including changed standards on encryption, key management, authentication (for example, multi-factor authentication for all access into the cardholder data environment), and data handling. The full set of changes is beyond the scope of this article, but they push for more flexible and effective security controls around common online purchasing scenarios. 
  • Customized Validation: Organizations with highly unique infrastructure can meet the objective of a requirement through a customized approach to validation, worked out per requirement with their assessor under the guidelines in the 4.0 standard. Each customized control must be backed by a documented targeted risk analysis. 
  • Emphasis on Risk Assessment: Many security regulations and frameworks are turning to risk-based approaches that favor comprehensive security and system knowledge over checklist compliance. PCI DSS 4.0 follows this trend, pushing businesses to integrate risk assessment into a more comprehensive and effective security program. 

Many of these changes are phased in: some are immediate requirements for a version 4.0 assessment, and others are considered best practices until their future-dated deadline, after which they become mandatory.

 

Timeline for PCI DSS 4.0 as of Third Quarter 2022

The basic timeline for PCI DSS 4.0 is relatively straightforward and sets a firm sunset date for version 3.2.1:

  • PCI DSS 4.0 Released (Q1 2022): The full version of PCI DSS 4.0 was released on March 31, 2022.
  • ISA/QSA Training and Supporting Documents Released (Q2 2022): Soon after, the PCI Security Standards Council released training and supporting documents so that Internal Security Assessors (ISAs) and Qualified Security Assessors (QSAs) can conduct assessments against the new version. 
  • Version 3.2.1 Retired (Q1 2024): Businesses have roughly two years to complete their initial switch to version 4.0 (at least for the baseline requirements) before version 3.2.1 is officially retired on March 31, 2024. After this point, all payment processors, merchants handling payment card data, and other related entities must assess against PCI DSS 4.0. 
  • Future-Dated Requirements Become Mandatory (Q1 2025): Roughly three years from release, on March 31, 2025, the requirements the standard designates as future-dated move from "best practices" to mandatory requirements. 

 

How Are Businesses Preparing for this First Phase?

It's important not to assume that, because it is early, there is plenty of time to get ready. It's always preferable to work on something while there is time to get it right, rather than to scramble against a deadline you can't meet because you waited too long to implement changes. 

In these earliest stages, there are a few clear steps to take to get your business ready. These include:

 

Inventory Affected Infrastructure

One of the core requirements of PCI DSS is that your business create and maintain an inventory of the system components that store, process, or transmit cardholder data, or that can affect the security of that data. This includes servers, workstations, networking infrastructure, mobile devices, removable storage, and the employees and third-party vendors who handle the data or the systems. This inventory also defines the scope of your cardholder data environment (CDE), so anything you cannot keep out of scope through segmentation must be in it. 

To support businesses creating their PCI inventory, the PCI Security Standards Council released a guidance document on scoping and network segmentation in December 2016. It remains the most recent version of that guidance and is still a useful reference until (or if) a newer version is published.

Determine Your Business Type with the Self-Assessment Questionnaire

Depending on your business type and the types of payments you accept, you may be eligible to complete a Self-Assessment Questionnaire (SAQ) rather than a full assessment. The main merchant SAQ types are: 

  • PCI DSS SAQ A: For card-not-present merchants (eCommerce or mail/telephone order) that fully outsource all cardholder data functions to PCI DSS compliant third-party service providers and do not store cardholder data electronically.
  • PCI DSS SAQ B: For merchants that only accept face-to-face purchases using imprint machines or standalone dial-out terminals, where those terminals do not connect to other merchant systems or the Internet, and the merchant does not store cardholder data electronically. 
  • PCI DSS SAQ C: For merchants whose payment application systems are connected to the Internet but are isolated from other merchant systems, and who do not store cardholder data electronically. 
  • PCI DSS SAQ D: A catch-all for merchants who do not fit into the above categories, including merchants who accept both eCommerce and face-to-face transactions or who store cardholder data electronically.

There are also intermediate questionnaires (SAQ A-EP, B-IP, C-VT, and P2PE) for specific payment setups; check the eligibility criteria at the top of each SAQ, since choosing the wrong one is a common finding during assessments.

 

Decide on Standard or Customized Approaches

Customized approaches allow plenty of flexibility for an enterprise whose highly unique infrastructure doesn't slot easily into the defined PCI DSS requirements, at the cost of additional documentation and assessment effort. Note that the customized approach is validated by a QSA during a full assessment; it is not available to organizations completing an SAQ. 

Generally speaking, a good rule of thumb for customized approaches is:

  • If you are a large enterprise with in-house software or infrastructure, or a smaller business with truly unique products and services, it may be worth investing in a customized approach to validation worked out with your assessor.
  • If you are using readily available or industry-standard hardware and software, or if you're a smaller operation without dedicated IT support, then the defined (standard) approach will probably be the better option. 

Line Up an Assessor

You're going to work with an assessor for your annual validations. Even if you fall into a category where you can complete self-assessments, a skilled and experienced QSA can ensure that you are not only meeting the minimum requirements but are also prepared to continue down the road to full PCI DSS 4.0 compliance. 

 

Stay PCI Compliant with Lazarus Alliance

We work with hundreds of companies that, in one way or another, handle credit card data. They know that, for the protection of customer data and their reputation, as well as their ability to do business, they must stay compliant with the latest version of the PCI standards. 

If you're ready to kick-start your path to PCI DSS 4.0 compliance, Lazarus Alliance is the experienced security firm to support you the entire way. 

 

Are You Thinking Ahead for PCI DSS 4.0?

Call Lazarus Alliance at 1-888-896-7580 or fill in this form. 

Download our company brochure.
