
PCI DSS 4.0: Timelines and Initial Preparation Steps Required for Your Business


In March 2022, the Payment Card Industry Security Standards Council (PCI SSC) released version 4.0 of its Data Security Standard (PCI DSS 4.0). The new version brings major changes to the payments ecosystem and its compliance requirements, with an increased focus on governance, organizational maturity, technical controls and targeted risk analysis.

The PCI DSS 4.0 compliance deadlines are fast approaching: version 3.2.1 is retired on March 31, 2024, and the requirements that 4.0 designates as future-dated become mandatory on March 31, 2025. Several of the preparation steps needed to meet those deadlines are likely to take longer than organizations anticipate. Many of the compliance measures, adjustments and implementation projects will have lead times of a year or more, especially technology-related revisions (e.g., meeting the expanded multi-factor authentication requirements), enhanced governance and third-party vendor contract changes. Planning for PCI DSS 4.0 compliance is a continuous effort that should start now.

Join members of McDermott’s Global Privacy & Cybersecurity team and Alan Gutierrez-Arana, principal at Mazars, for the second program in our PCI DSS 4.0 series. They will discuss how merchants, service providers, issuers, acquirers and other businesses subject to the standard should plan for the transition to PCI DSS 4.0. We will also walk through the process of moving from version 3.2.1 to version 4.0 and the activities that make up the compliance effort. This program is an essential step as legal counsel and PCI DSS 4.0 compliance teams work together to ready their organizations for the compliance deadlines.

Discussion topics will include:

  • Realistic timelines for PCI DSS 4.0 implementation for your business
  • Scoping: identifying the systems, people, service providers and processes that fall within your compliance obligations
  • Structural changes required to convert to PCI DSS 4.0
  • Relevant PCI DSS 4.0 gap assessment and testing processes
  • PCI DSS 4.0 risk assessments, both targeted and general
  • PCI DSS 4.0 legal and contractual implications for third-party service providers



Alan Gutierrez-Arana, Principal at Mazars US
