top of page
  • awnifallouh

PCI DSS v3.2.1 Rides Off into the Sunset - Are You Ready for PCI DSS v4.0?


PCI DSS v4.0 Timeline

For merchants of all sizes in Australia, a crucial deadline loom. The Payment Card Industry Data Security Standard (PCI DSS) version 3.2.1 officially retires on March 31, 2024. This means it's time to transition to the new and improved PCI DSS v4.0 to ensure continued cardholder data security.

Considerations for Merchants

The onus falls on merchants to comply with PCI DSS, the high-level timeline considerations are as follow:

  • Starting from March 2024, all merchant needs to use PCI-DSS 4.0 for their compliance assessment. This involves conducting annual self-assessments or undergoing security audits by a PCI Qualified Security Assessor (QSA) depending on their transaction volume. Proactive planning is crucial for a successful transition to v4.0.

  • Between March 2024 and March 2025, all new PCI-DSS requirements which are around 51 new controls and some changes to the existing control are in place and merchants have a grace period to work toward compliance.

  • Starting on March 2025, Merchants need to be fully compliant with the PCI-DSS 4.0 requirements.

There are some additional requirements for both Payment Processors (payment gateways) and companies with Qualified Security Assessors

High Level Key differences: PCI DSS v3.2.1 and v4.0

Here are the key differences between the PCI DSS v3.2.1 and v4.0:


PCI DSS v3.2.1

PCI DSS v4.0


Explicitly defines the scope through requirement details.

Emphasises continuous monitoring and the dynamic nature of the scope


Stronger focus on MFA

Continues emphasis on MFA, adds authentication controls.


Requirements for encryption of cardholder data are addressed but provides limited guidance on its management when the decryption keys are held separately.

Expands encryption requirements to include new technologies, reach. the importance of protecting it even if decryption capabilities are out of reach.

Software development

Introduces Secure Software Lifecycle (SLC) requirements.

Further enhances software security requirements.

Risk Assessment

Requires a formal risk assessment process.

Strengthens risk assessment processes and introduces targeted risk analysis.

Penetration testing

Requires annual penetration testing.

Recommends continuous penetration testing.

Cloud computing

Guidance provided for cloud computing environments.

Enhancements for securing cloud-based infrastructure

Security awareness

Requires security awareness training.

Enhances security awareness training requirements.

Service Providers

Focuses on service provider accountability.

management. shared responsibility and third-party risk management

Reporting requirements

Specific reporting requirements outlined.

Enhanced reporting requirements, more focus on evidence-based reporting

Wireless networking

Guidance provided for secure wireless networking.

Updates wireless networking requirements for modern technologies

Actionable Steps for Merchants

The transition to PCI DSS v4.0 may seem daunting, but by adopting a proper structured approach, merchants can ensure a smooth and successful journey. Here are some key steps to take:

  1. Educate Yourself: Familiarise yourself with the key changes introduced in v4.0. Resources like the PCI Security Standards Council (PCI SSC) website offer valuable information.

  2. Gap Analysis: Conduct a thorough gap analysis to identify areas where your current PCI DSS practices may not align with v4.0.

  3. Develop a Transition Plan: Prioritise the changes needed to achieve compliance. Set clear milestones for implementing the necessary changes. Allocate sufficient resources, both financial and human, to support the transition process.

  4. Update Policies and Procedures: Revise internal policies and procedures to reflect the new controls framework.

  5. Invest in Security Measures: Depending on the changes in scope, you might need to implement additional security measures to comply with v4.0.

  6. Partner with a QSA: Engage a qualified security assessor (QSA) who is trained on v4.0 to guide you through the transition process.

  7. Continuous Monitoring: PCI DSS compliance is an ongoing process. Establish processes for continuous monitoring of your security controls and implement procedures for addressing any vulnerabilities or incidents that may arise.

How Spartans Security Can Help?

Spartans Security can be your trusted partner in achieving and maintaining PCI DSS v4.0 compliance in the Australian market. Our team consists of security professionals who are well-versed in the latest PCI DSS v4.0 requirements. We can assist you in conducting a comprehensive gap analysis to identify areas where your current PCI DSS practices may not align with v4.0 then to develop a customised transition plan with achievable milestones and resource allocation strategies. Spartans Security provides Australian merchants with the peace of mind of having a trusted advisor by their side throughout the PCI DSS v4.0 compliance journey.


By taking proactive steps and seeking guidance, Australian merchants can ensure a smooth transition to PCI DSS v4.0 and maintain a secure environment for cardholder data. Remember, staying compliant with the latest PCI DSS standard is not just a regulatory requirement, it's a vital step in protecting your customers and building trust in your business.


If you have any inquires or questions, get in touch at

22 views0 comments


bottom of page