
Preparing for PCI DSS v5.0: What We Know, What We Don’t, and What to Do Next 

The payment security community is already looking beyond today’s requirements and asking what the next major evolution of PCI DSS may bring. The PCI Security Standards Council (often called the PCI Council) has signaled that work is underway toward a framework update, with what would become PCI DSS v5.0.  

Almost no information is available regarding the expected PCI DSS v5.0 release, other than the indication that the update would address AI systems. But the lack of concrete direction has not stopped forward-thinking security and compliance leaders from asking the question: what can I expect from a potential PCI standard update?

For those organizations looking to get ahead, you do not necessarily need to wait for a final document to begin preparing. The transition from PCI DSS v3.2.1 to v4.0 (and then to v4.0.1) already showed the Council’s direction of travel: more flexibility through customized approaches, more emphasis on targeted risk analysis, and a stronger expectation that security be operated continuously rather than treated as a once-a-year compliance event. Those patterns, combined with the broader momentum of AI governance frameworks, offer useful clues about what security leaders should be planning for now. 

Taking a step back: When was PCI DSS v4.0 Released?  

PCI DSS v4.0 was officially published by the PCI Security Standards Council on March 31, 2022, marking the most significant update to the standard in years. The release was designed to address emerging threats, support more flexible ways of meeting security objectives, and reinforce the idea that payment security should be an ongoing discipline rather than a point-in-time exercise. The Council also gave organizations a meaningful runway to adapt: PCI DSS v3.2.1 remained active until March 31, 2024, creating a two-year transition period for companies to understand the changes, adjust internal processes, and begin implementing new controls. 

The transition was not especially simple. For many compliance teams, the move from PCI DSS v3.2.1 to v4.0 introduced new terminology, more emphasis on targeted risk analysis, and a broader shift toward continuous validation and flexible implementation models. Then, on June 11, 2024, the Council published PCI DSS v4.0.1, a limited revision intended to clarify wording, correct formatting issues, and reduce confusion without adding new requirements. PCI DSS v4.0 remained active through December 31, 2024, after which v4.0.1 became the only active version supported by the Council. Future-dated requirements from the 4.x line were set to become effective after March 31, 2025, which added another milestone for organizations already trying to keep pace. 

What do we know today about PCI DSS v5.0? 

What we know today about PCI DSS v5.0 is still limited, and that uncertainty is important to acknowledge upfront. At the time of writing, PCI DSS v5.0 remains a future-looking concept, with very little information provided by the PCI Council. The current active line is still PCI DSS v4.0.1, and the Council continues to focus its official updates, clarifications, and supporting guidance there. In practical terms, that means organizations should still keep v4.0.1 as their primary priority, even when looking forward to a new release.

What is more concrete is the strategic direction. Recent guidance from the Council, especially around the responsible use of AI in PCI-related assessment activity, suggests that the ecosystem is beginning to think more seriously about how AI should be governed in security-sensitive contexts. The key message is not that AI changes the fundamentals of compliance, but that AI-assisted processes still require accountability, validation, and human judgment. That matters because it hints at the kinds of questions a future PCI standard update could emphasize: how organizations control AI use, how they document risk, and how they maintain confidence that critical security decisions are still explainable and defensible. 

History also offers some useful clues. PCI DSS v4.0 was released with a substantial transition period, and the compliance timeline has included multiple milestones rather than a single cutoff date. If the Council follows a similar pattern for any future major version, organizations will likely have some time to prepare once a new release is announced.  

But the real lesson from the last transition is that readiness takes longer than many teams expect. The hard part is building the governance, documentation, and operating discipline needed to comply with new requirements, without disruption. That is why the smartest organizations are using today’s uncertainty not as a reason to wait, but as an opportunity to strengthen their foundations. 

What can we guess about PCI DSS v5.0 based on other AI-related compliance frameworks? 

If we look across today’s leading AI governance models, a consistent pattern emerges. Most AI-related compliance frameworks and regulations focus on managing data exposure, documenting risk, ensuring transparency, enabling human oversight, and continuously monitoring systems after deployment.  

The EU AI Act, one of the first established AI-related regulations, is a strong example of this risk-based thinking. It classifies AI uses by risk level and applies stricter obligations where potential harm is higher, including requirements around transparency, human oversight, data governance, accuracy, robustness, and cybersecurity. Meanwhile, the NIST AI Risk Management Framework (RMF) approaches the same challenge through the lifecycle functions of Govern, Map, Measure, and Manage. Although one is regulatory and the other voluntary, both point in the same direction: organizations need to know where AI is being used, understand the risks it introduces, define controls, and maintain evidence that those controls are working. 

ISO/IEC 42001 adds a complementary dimension to this landscape by showing how AI governance can be systematized and embedded into an auditable control environment. As a management system standard, it emphasizes defined ownership, documented controls, and continuous oversight of AI systems in operation. If PCI DSS were to explicitly bring AI systems into scope, ISO 42001 offers some indications of how that could be implemented in practice: by treating AI components as governed assets subject to the same rigor as traditional systems. 

(Read more about ISO 42001 in our recent blog article here.) 

While we cannot know if PCI DSS v5.0 will mimic existing frameworks, we can guess that if AI is explicitly addressed in a future PCI update, the requirements are likely to focus less on AI as a buzzword and more on practical control questions: What data is the system using? What could leak? Who is accountable for outcomes? How is the system monitored? And what happens when it behaves unexpectedly?  

How can companies prepare for PCI DSS v5.0 today? 

Even without a final PCI DSS v5.0 text, organizations can take meaningful steps today to reduce the scramble when a new version arrives. The most effective posture is not to guess at every future requirement, but to strengthen the disciplines that almost any future version will demand: visibility, governance, documentation, and continuous risk management. Companies that are currently operating under PCI DSS v4.0.1 are in a particularly good position to do this, because many of the habits encouraged by 4.x are exactly the habits that support AI readiness as well.

One smart starting point is a structured readiness assessment. Rather than waiting for the Council to publish final language, organizations can inventory current AI use cases, identify where those tools intersect with payment data or security processes, and map existing controls to likely areas of future scrutiny. That includes reviewing who owns AI governance internally, what approval process exists for new AI use cases, how vendors are evaluated, and what evidence is retained to show that risk decisions were made intentionally. This kind of exercise helps turn uncertainty into a practical workplan. 

It is also useful to benchmark against established AI frameworks now. For multinational or highly regulated organizations, the EU AI Act offers a useful model for risk classification, transparency, human oversight, and cybersecurity expectations. For organizations looking for a flexible operational framework, the NIST AI RMF provides a practical structure for governance and continuous monitoring. Neither one is a substitute for PCI DSS, but both can help teams identify gaps early, especially around AI inventory, third-party oversight, data governance, validation, and incident response. 

The bottom line is that preparing for PCI DSS v5.0 is less about predicting exact wording and more about building maturity now. Organizations that treat AI as part of their broader security and compliance program, not as a separate experiment, will be better positioned no matter how the next standard evolves. If the future of PCI includes clearer AI-related expectations, the winners will be the teams that already know their use cases, understand their risks, and can demonstrate disciplined oversight long before an assessor asks for it.