SideGuy · Compliance clarity · reviewed 2026-06-09

PCI DSS 3.2.1 vs 4.0: what changed and what you have to do now

PCI 3.2.1 is retired — 4.0 (and the 4.0.1 refresh) is the standard now. The headline isn't 'a few new rules'; it's a shift in philosophy: from a rigid checklist to outcome-based security you can meet your own way. Here's what changed and what trips teams up.

The operator's bottom line: PCI DSS 3.2.1 is retired (sunset March 2024) — every assessment now runs against 4.0 / 4.0.1, and the once-optional "future-dated" requirements became mandatory on March 31, 2025. Practically, that means MFA on all access into the cardholder data environment (not just remote/admin), 12-character passwords (up from 7), and documented targeted risk analyses for any frequency you set. The big new lever is the Customized Approach, but here is the advice of an operator who has done both: keep the Defined Approach for the bulk of your controls and reach for Customized only where mature controls genuinely meet the objective a different way — it buys flexibility at a real documentation and QSA-validation cost.

Side-by-side

Dimension: Validation approach
  PCI DSS 3.2.1: Defined approach only — meet the requirement exactly as written
  PCI DSS 4.0: Adds a Customized Approach — meet the security objective your own way (with a targeted risk analysis)

Dimension: Multi-factor auth
  PCI DSS 3.2.1: MFA for remote + admin access to the CDE
  PCI DSS 4.0: MFA for all access into the cardholder data environment

Dimension: Risk analyses
  PCI DSS 3.2.1: Largely prescriptive frequencies
  PCI DSS 4.0: Targeted Risk Analyses let you justify frequencies — but you must document them

Dimension: Passwords
  PCI DSS 3.2.1: 7 characters
  PCI DSS 4.0: 12 characters (or 8 if the system can't support 12), with stronger guidance

Dimension: Scope & roles
  PCI DSS 3.2.1: Implicit
  PCI DSS 4.0: Explicit roles/responsibilities per requirement + clearer scoping documentation

Dimension: Timeline
  PCI DSS 3.2.1: Retired (sunset March 2024)
  PCI DSS 4.0: Mandatory now; the future-dated requirements became effective March 31, 2025
The honest verdict

4.0 isn't optional and the grace period is over — the future-dated requirements that were 'best practice' until March 31, 2025 are now mandatory. The biggest practical change is the Customized Approach: powerful if you're security-mature (meet the objective your way), but it demands rigorous documentation. Most teams should stick to the Defined Approach for the bulk of requirements and use Customized only where it genuinely fits.

Which one do you actually need?

Pick PCI DSS 3.2.1 if…

Nothing — 3.2.1 is retired. If you're still validating against it, you're out of date and need to migrate to 4.0 now.

Pick PCI DSS 4.0 if…

Everyone handling card data. Use the Defined Approach by default; reach for the Customized Approach only on specific requirements where your mature controls meet the objective differently.

Questions operators actually ask

Is PCI DSS 3.2.1 still valid?

No — 3.2.1 was retired (sunset March 2024). All assessments are against 4.0 / 4.0.1 now. If a vendor or QSA is still citing 3.2.1, that's a red flag.

What's the 'Customized Approach'?

New in 4.0: instead of meeting a requirement exactly as written (Defined Approach), you can meet its security objective with your own controls — but you must document a targeted risk analysis and the QSA must validate it. It's flexibility for mature teams, with a documentation cost.

What were the future-dated requirements?

A set of 4.0 requirements that were optional 'best practice' during the transition and became mandatory on March 31, 2025 — including expanded MFA, stronger passwords, and several targeted-risk-analysis items. They're all in force now.

How big is the migration from 3.2.1?

Bigger than a version bump but not a rebuild — most controls carry over. The work is in the new items (all-access MFA, targeted risk analyses, documentation) and deciding where, if anywhere, to use the Customized Approach.

Not sure which fits your stage? No meeting required — text the question and get an operator-honest answer.

Written by PJ Zonis · SideGuy Solutions · operator-honest, vendor-neutral · Compliance hub