PCI SSC stakeholders play an important role in the ongoing evolution of the PCI Data Security Standard (PCI DSS). Here we cover three key things to know about the development of PCI DSS version 4.0 and how to be part of it.
1. The feedback process for PCI DSS v4.0 is different from previous versions of PCI DSS.
The feedback process for PCI DSS v4.0 introduces more opportunities for stakeholders to participate in the development process for the standard.
For past revisions, formal feedback opportunities were limited to one comment period for PCI SSC Participating Organizations and assessors based on the current version of the standard.
For PCI DSS v4.0, PCI SSC is expanding these opportunities to maximize collaboration and stakeholder involvement in updating the standard. We are doing this by conducting more request-for-comments (RFC) periods and sharing actual drafts of PCI DSS v4.0 for stakeholders to review during these comment periods.
Here’s a summary of the RFCs for PCI DSS v4.0:
- The first RFC, which solicited feedback on PCI DSS v3.2, took place at the end of 2017.
- Two additional RFCs, where drafts of PCI DSS v4.0 will be shared with stakeholders for review and input, are currently planned for October 2019 and mid-2020. All Participating Organizations, Qualified Security Assessors (QSAs), and Approved Scanning Vendors (ASVs) are invited to participate.
The PCI SSC website includes a listing of current and upcoming RFCs, and PCI SSC stakeholders will receive communications with additional information on how to participate. PCI DSS v4.0 and the RFC process will also be a key discussion topic at the 2019 PCI Community Meetings in Vancouver, Dublin, and Melbourne.
Key points: Mark your calendars for the first 30-day RFC scheduled to open in October, which will include a first draft of the standard. If you aren’t a Participating Organization, consider joining now so you can provide feedback on the PCI DSS and attend the PCI Community Meetings for free!
2. Key priorities for PCI DSS v4.0 are security and flexibility.
PCI SSC stakeholder feedback plays a key role in helping ensure that PCI Standards continue to meet the needs of the global payment card industry. This feedback, together with the changes in payments, technology and security, is driving our approach to PCI DSS v4.0.
Key priorities for version 4.0 are to continue to provide the critical foundation for securing payment data in a rapidly evolving ecosystem, and to add flexibility for organizations using a broad range of methods and technologies to achieve PCI DSS security objectives.
With this in mind, the planned updates for PCI DSS v4.0 include:
- Add and revise requirements to address evolving risks and threats to payment data and to reinforce security as a continuous process; and
- Redesign requirements and validation options to focus on security objectives and support organizations using different methodologies to meet the intent of PCI DSS requirements.
Key points: The 12 core requirements will not fundamentally change in PCI DSS version 4.0. Updates will be made to improve security and provide more flexibility for meeting security objectives. The upcoming RFC will include the full draft of the standard, along with information about the proposed changes.
3. Feedback will drive PCI DSS v4.0 development and timing.
For the first time ever, the feedback process for PCI DSS v4.0 involves two RFCs on actual drafts of the standard. Per the RFC process, every piece of feedback will be reviewed and considered, and PCI SSC will prepare a summary for RFC participants showing how the feedback was addressed.
This collaborative approach means that stakeholders have a real opportunity to help shape the new version of the standard. It also means that the development process could take longer than previous revisions, depending on the volume and type of feedback received.
With this in mind, we don’t expect to publish PCI DSS v4.0 until late 2020, at the earliest. As with all PCI DSS updates, once version 4.0 is published, version 3.2.1 will remain valid for a period of time to support organizations transitioning to the new version of the standard.
We will continue to provide updates on PCI DSS v4.0 development via PCI SSC communications channels.
Key points: PCI DSS v4.0 isn’t coming before late 2020. Subscribe to the PCI Perspectives blog to stay informed on its development, and rest assured that once it is published, there will be a transition period.
Also on the blog: PCI DSS: Looking Ahead to Version 4.0