PCI DSS v4.0.1 Request for Comments Opens: What Organizations Need to Know

PCI Security Standards Council Opens Comment Period for DSS v4.0.1

The Payment Card Industry Security Standards Council (PCI SSC) has announced a six-week request for comments (RFC) period for the proposed PCI Data Security Standard (PCI DSS) v4.0.1, running from June 3 through July 20, 2026. This development represents a significant opportunity for eligible stakeholders to influence the evolution of payment card data security requirements.

Who Can Participate in the RFC Process

The comment period is specifically open to eligible PCI SSC stakeholders, which typically includes participating organizations such as payment brands, acquiring banks, processors, merchants, and qualified security assessors (QSAs). Organizations must have formal stakeholder status with the PCI SSC to participate in this review process.

The RFC process is a critical component of the PCI SSC's collaborative approach to developing security standards, ensuring that practical implementation concerns and industry feedback are incorporated before final publication.

Expected Changes and Updates in v4.0.1

While the specific details of the proposed changes in PCI DSS v4.0.1 have not been publicly disclosed, version increments typically address:

• Clarifications to existing requirements that have generated frequent questions
• Minor corrections to technical specifications or implementation guidance
• Updates to reflect emerging threats or payment technologies
• Refinements based on real-world implementation feedback from v4.0

The current PCI DSS v4.0, which became effective in March 2022, introduced significant changes including new authentication requirements, enhanced validation methods, and updated cryptographic standards.

Compliance Implications for Organizations

Organizations subject to PCI DSS compliance should prepare for potential impacts from v4.0.1:

Immediate Actions

• Monitor the RFC outcomes and final publication timeline
• Review current compliance posture against existing v4.0 requirements
• Engage with qualified security assessors to understand potential changes

Strategic Planning

• Budget for potential system updates or security enhancements
• Plan compliance timeline adjustments if new requirements are introduced
• Consider participating in the RFC process if your organization is an eligible stakeholder

Timeline and Implementation Expectations

The six-week comment period concludes on July 20, 2026. Following this period, the PCI SSC will:

1. Review and analyze all submitted feedback 2. Incorporate appropriate changes based on stakeholder input 3. Publish the final version of PCI DSS v4.0.1 4. Provide implementation guidance and transition timelines

Based on historical patterns, organizations can expect a grace period of 12-18 months between final publication and mandatory compliance with any new requirements, allowing adequate time for system updates and validation processes.

What Organizations Should Do Now

While awaiting the final v4.0.1 publication, organizations should:

• Maintain current compliance with PCI DSS v4.0 requirements
• Stay informed about the RFC outcomes and final changes
• Engage with compliance partners including QSAs and technology vendors
• Assess current security posture to identify areas that may be affected by updates

The RFC process demonstrates the PCI SSC's commitment to collaborative standard development, ensuring that payment card data security requirements remain both effective and implementable across diverse business environments.