From 28 October to 13 December 2019, PCI SSC stakeholders can participate in a Request for Comments (RFC) on an early draft of PCI Data Security Standard Version 4.0 (PCI DSS v4.0 Draft v0.1 for RFC).
Background on PCI DSS v4.0
PCI DSS is being updated to address PCI SSC stakeholder feedback and to support a range of environments, technologies and methodologies for achieving security.
Key priorities for PCI DSS v4.0 include strengthening security and adding flexibility. With this in mind, the RFC draft of PCI DSS v4.0 includes these key updates:
- New requirements: New and revised requirements to address evolving risks and threats to payment data and to reinforce security as a continuous process;
- New focus on security objectives: Requirements and validation options are redesigned to focus on security objectives to support organizations using different methodologies to meet the intent of PCI DSS requirements.
Please note that the version of the standard provided for RFC is a draft. The RFC provides an opportunity for stakeholders to provide feedback about potential new requirements and updates before the standard is finalized.
RFC periods are avenues for PCI SSC stakeholders to provide feedback on existing and new PCI Security Standards. Stakeholder feedback plays a critical role in the ongoing maintenance and development of these resources for the payments industry.
The PCI DSS v4.0 RFC is open to PCI SSC Participation Organizations (POs), Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs).
PO Business and Technical Contacts and QSA and ASV Primary Contacts can access the RFC via the PCI SSC portal, which includes instructions on how to view the documents and submit feedback. Participants will also be required to accept a Non-Disclosure Agreement (NDA).
The RFC includes:
- A first draft of PCI DSS v4.0 that includes proposed updates for consideration;
- Draft samples of two additional documents intended to support a proposed new validation method;
- A Summary of Changes document that outlines the proposed changes in the draft standard;
- Additional guidance about the draft RFC materials to help participants focus their review and maximize the value of their feedback.
Per the RFC process, every piece of feedback will be reviewed and considered, and PCI SSC will prepare a summary for RFC participants showing all feedback received and how it was addressed. Please review the RFC Process Guide for more information.
Also on the blog: 5 Questions About PCI DSS v4.0