Compliance Standards Library

PCI 4.0 Frequently Asked Questions


What is PCI 4.0?

  • PCI 4.0 is the most current version of PCI.

What is different about PCI 4.0 from the previous version?

  • PCI 4.0 has new controls, reworked control language, additional control clarity, and new ways to demonstrate compliance. The Vanta product is also far more comprehensive, with a more detailed and applicable suite of tests and evidence requests. Vanta also offers two new dedicated Report on Compliance (ROC) products for Merchants and Service Providers with evidence specific to what a PCI-QSA (assessor) will seek. We retain support for SAQ-A, SAQ-A EP, SAQ-D Merchant, and SAQ-D Service Provider. A changelog of new/updated requirements between 3.2.1 and 4.0 can be found here.
    • Please note: This list is not comprehensive of all changes made in Vanta but represents what changed in the source documentation.

If my company is certified under PCI 3.2.1, when must I comply with the newest version?

  • The last day any new assessment or report paperwork can use PCI 3.2.1 is March 31, 2024. If you will not have finished your implementation by that date, or will not have SAQ or ROC documentation completed on or before that date, you should move to PCI 4.0 immediately rather than continue to pursue 3.2.1.

If my company has used Vanta for PCI 3.2.1, will we get credit for PCI 4.0 requirements?

  • Evidence has been recycled where possible between the two, but 4.0 represents a significant revision to the standard in numerous ways. Some 3.2.1 evidence or work will not be sufficient for 4.0 and is not being carried over because of this.
  • Customers are encouraged to approach 4.0 as a major version update with breaking changes rather than a revision because that is what it is compared to 3.2.1.

As a Vanta customer, we have paid for PCI 3.2.1. Will we also need to purchase PCI 4.0?

  • Existing customers using Vanta for PCI 3.2.1 get free access to the new version. Current PCI 3.2.1 customers will see both the PCI 3.2.1 and PCI 4.0 standards on their Compliance page.

What will Vanta automate?

  • Templates for documents and policies
  • Automated tests

Customers currently on the top-level SAQ-D and ROC product will be upgraded to SAQ-D when they move to 4.0. Your Customer Success Manager, support staff, or Partner can enable the ROC version if needed.