The PCI Security Standards Council has opened a six-week public comment period from June 3 to July 20, 2026, for eligible stakeholders to review and provide feedback on the proposed PCI Data Security Standard (PCI DSS) v4.0.1. This revision follows the current v4.0 standard and may introduce new requirements or clarifications affecting organizations that handle payment card data.
The Payment Card Industry Security Standards Council (PCI SSC) has announced a six-week request for comments (RFC) period for the proposed PCI Data Security Standard (PCI DSS) v4.0.1, running from June 3 through July 20, 2026. This development represents a significant opportunity for eligible stakeholders to influence the evolution of payment card data security requirements.
The comment period is specifically open to eligible PCI SSC stakeholders, which typically includes participating organizations such as payment brands, acquiring banks, processors, merchants, and qualified security assessors (QSAs). Organizations must have formal stakeholder status with the PCI SSC to participate in this review process.
The RFC process is a critical component of the PCI SSC's collaborative approach to developing security standards, ensuring that practical implementation concerns and industry feedback are incorporated before final publication.
While the specific details of the proposed changes in PCI DSS v4.0.1 have not been publicly disclosed, version increments typically address:
Organizations subject to PCI DSS compliance should prepare for potential impacts from v4.0.1:
The six-week comment period concludes on July 20, 2026. Following this period, the PCI SSC will:
1. Review and analyze all submitted feedback 2. Incorporate appropriate changes based on stakeholder input 3. Publish the final version of PCI DSS v4.0.1 4. Provide implementation guidance and transition timelines
Based on historical patterns, organizations can expect a grace period of 12-18 months between final publication and mandatory compliance with any new requirements, allowing adequate time for system updates and validation processes.
While awaiting the final v4.0.1 publication, organizations should:
Only eligible PCI SSC stakeholders can participate, including payment brands, acquiring banks, processors, merchants, and qualified security assessors with formal stakeholder status.
The six-week request for comments period runs from June 3 to July 20, 2026.
The specific changes haven't been disclosed, but version updates typically include clarifications, corrections, and refinements rather than major new requirements.
Historically, organizations receive 12-18 months from final publication to achieve mandatory compliance with new PCI DSS requirements.
No, organizations should maintain current compliance with PCI DSS v4.0 requirements while monitoring v4.0.1 developments for future planning.
PoliWriter creates all the policies and documentation you need for compliance, customized to your organization. AI-powered, audit-ready, hours not months.
Get Started Free