PCI SSC recently concluded the review of over 3,000 comments submitted for the first PCI DSS v4.0 RFC last year. This RFC set the record for the most industry submitted comments for a single PCI SSC standard and was the first time the industry had reviewed a working draft of PCI DSS. Another RFC of the draft standard is planned for later this year. This collaborative approach provides stakeholders a real opportunity to help shape the new version of the standard.
You can read more about the PCI DSS v4.0 development timeline in this blog post.
Feedback Regarding Proposed Requirement Updates
The PCI DSS v4.0 draft provided for RFC in 2019 included proposed new requirements and changes to existing requirements. The intent of these updates was to address evolving risks and threats to payment data, improve flexibility for stakeholders, and to reinforce security as a continuous process.
Below we have highlighted some of the topics that generated a lot of feedback.
- Requirement 4: Protect cardholder data (CHD) with strong cryptography during transmission
  - Protection for all transmissions of CHD
  - Use of self-signed/internal certificates
- Requirement 8: Identify users and authenticate access
  - Password length, history, and change frequency that aligns with industry guidance
  - Comparing new passwords against a list of known, bad passwords
  - Confirming all multi-factor authentication factors before providing any indication of success or failure of a factor
  - Secure authentication for application/system accounts
- Requirement 9: Restrict physical access to cardholder data
  - Location of sensitive areas within cardholder data environments
- Requirement 11: Regularly test security systems and processes
  - Authenticated scanning for vulnerability scans
- Requirement 12: Support information security with policies and programs
  - Usage policies for protecting critical technologies
  - Annual risk assessments
  - Methodologies for data discovery and data leak prevention
It is not unusual for RFCs to produce conflicting feedback about the same topic from different organizations, and the feedback received during the PCI DSS v4.0 RFC is no exception. The feedback topics identified above received both positive and negative feedback. When evaluating this feedback, PCI SSC considers a variety of factors to determine the best path forward. These factors include the specific insights provided on a topic, the specific comment and the solution suggested by the feedback submitter to address it, and the entirety of feedback on a given topic.
Discussions on these feedback topics have included weighing the security value of the requirement, how to ensure the meaning and intent of the requirement is clear, how to ensure the requirement can be implemented across all types of environments and stakeholders, and how to provide more flexibility in ways to meet a requirement. The feedback and resulting discussions are currently being considered as we prepare the draft of PCI DSS v4.0 for the next RFC.
Feedback Regarding New Customized Approach Option
The PCI DSS v4.0 draft also included the customized approach, a new approach to meeting and validating PCI DSS requirements. This new approach gives more flexibility to organizations using different security technologies and methodologies to meet the objective of PCI DSS requirements. Because this is a new approach, we received a lot of feedback on this topic. We are using this feedback to develop additional guidance on the new approach, which will be included for review in the next RFC.
Summary of Feedback
The full RFC Feedback Summary Report from the 2019 RFC will be provided via the PCI Portal in September/October 2020 at the same time the next RFC period starts. This summary will show each item of feedback that was received and how the item was addressed.
Preparation for the Next RFC
The next RFC is scheduled for September/October 2020 and will be open to all Participating Organizations and the assessor community.
PCI SSC RFCs are open to the industry via the Participating Organization (PO) membership. If your organization would like to participate in the next PCI DSS RFC, you can do so by becoming a PO. Learn more about the program and benefits here.
More information about our upcoming RFCs and our RFC process can be found on our Request for Comments page.