PCI DSS v4.0, the latest release, lists controls that are to be followed as best practices until 2025. After that, this set of controls will become mandatory. For now, let us look at the best practices to be followed until 2025 in PCI DSS v4.0. These best practices are not mandatory as of now, but are to be implemented at the discretion of the organization. Many of them are based on feedback received from the PCI Security Standards Council's (SSC) global community of assessors and industry experts.
Some of the key best practices to be followed until 2025 in PCI DSS v4.0 are as follows:
Use of strong cryptography for authentication and key management
Implementing controls to protect against synthesis of known vulnerabilities
Early detection and response to incidents
Use of multi-factor authentication
Implementation of security controls in software development life cycle
PCI DSS v4.0.1 Controls Now Mandatory After 31 March 2025
The PCI DSS v4.0 future-dated requirements that were previously considered best practices are now mandatory for applicable entities. Organizations should review their control implementation, evidence readiness, and ongoing monitoring process to ensure they remain compliant.
What Changed After 31 March 2025?
Future-dated controls are now mandatory where applicable.
Organizations should reassess control gaps.
Evidence should be updated for current assessments.
Compensating/customized approaches should be documented where applicable.
Ongoing compliance should be treated as continuous, not annual.
How to Prepare for PCI DSS v4.0.1 Assessment
Reconfirm scope.
Review applicable requirements.
Map evidence owners.
Test controls.
Validate remediation.
Prepare SAQ/ROC/AOC documentation.
Maintain post-certification activities.
Since PCI DSS v4.0.1 controls now require active implementation where applicable, businesses preparing for a PCI DSS compliance audit should review scope, evidence, remediation status, and post-certification monitoring before assessment.
We have consolidated the list of Best Practice Controls for PCI DSS v4.0 for you. Grab your copy now.