From 23 September to 13 November 2020, PCI SSC stakeholders can participate in a Request for Comments (RFC) on a draft of PCI Data Security Standard Version 4.0 (PCI DSS v4.0 Draft v0.2 for RFC). This is the second RFC for the draft of PCI DSS v4.0. The first RFC was held in late 2019, and feedback received during that RFC has been incorporated into the draft.
Background on PCI DSS v4.0
PCI DSS is being updated to address PCI SSC stakeholder feedback and to support a range of environments, technologies and methodologies for achieving security.
Key priorities for PCI DSS v4.0 include strengthening security and adding flexibility. The updates in the RFC draft of PCI DSS v4.0 were made with these objectives in mind:
- Continue to provide the critical foundation for securing payment data in a rapidly evolving ecosystem.
- Promote security as a continuous process.
- Improve flexibility for organizations using a broad range of methods and technologies to achieve PCI DSS security objectives.
PCI SSC stakeholder feedback plays a key role in helping ensure that PCI Standards continue to meet the needs of the global payment card industry. Your feedback, together with the changes in payments, technology, and security, is driving our approach to PCI DSS v4.0.
For more information about the PCI DSS v4.0 timelines and development process, see our PCI Perspectives Blog post: PCI DSS v4.0: Anticipated Timelines and Latest Updates.
Also on the blog: What to Know Before Participating in a PCI SSC RFC
RFC Participation
RFCs are avenues for PCI SSC stakeholders to provide feedback on existing and new PCI security standards. This feedback plays a critical role in the ongoing maintenance and development of these resources for the payments industry.
The PCI DSS v4.0 RFC is open to PCI SSC Participation Organizations (POs), Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs). Access to the RFC is available to each organizations’ primary contacts via the PCI SSC portal, including instructions on how to access the documents and submit feedback. Participants will also be required to accept a Non-Disclosure Agreement (NDA).
The RFC will include the following documents for comment:
- The current draft of PCI DSS v4.0 (Draft v0.2) with proposed updates for consideration.
- A draft sample of a reporting template to support the draft standard.
In addition to the materials provided for comment, the following will be included to assist with your reviews:
- A Summary of Changes document that describes the proposed changes from PCI DSS v3.2.1 through to PCI DSS v4.0 draft v0.2.
- Instructions and guidance about the draft materials to help focus your review and maximize the value of your feedback.
- RFC Feedback Summary Report from the PCI DSS v4.0 Draft v0.1 RFC held in 2019.
Every piece of feedback will be reviewed and considered. Upon completion of the feedback reviews and subsequent updates to the standard, a summary of feedback will be prepared for RFC participants. Please review the RFC Process Guide for more information.
