Request for Comments (RFC) periods are avenues for PCI SSC stakeholders to provide feedback on existing and new PCI Security Standards. This feedback plays a critical role in the ongoing maintenance and development of these resources for the payment card industry. The PCI SSC has formally documented the process for conducting RFC periods in a newly published RFC Process Guide, so that it is consistent for all standards and provides information back to the community on how we address feedback from stakeholders. In this post, PCI SSC Director of Standards Coordination Lauren Holloway highlights what stakeholders need to know about the RFC process.
How has PCI SSC formalized the RFC process?
Lauren Holloway: The PCI SSC seeks feedback from a diverse group of stakeholders in a number of ways, including during comment periods while developing or updating our standards. We turn that feedback into action. This inclusive development process is necessary to help us set standards that enhance payment card security.
With the release of new guidance, the PCI SSC has formally documented the process for conducting RFC periods so that it is consistent for all standards and provides information back to the community on how we address feedback from stakeholders. The RFC periods will now follow this formal, consistent process:
Multi-purpose – RFCs are used for three types of revisions (Major, Minor, Limited). The depth of an RFC depends on the type of revision required.
Flexible – Depending on topic and revision type, an RFC may initially be targeted to Subject Matter Experts requesting feedback on an initial draft or proposed modifications, after which it is made available to the full body of affected stakeholders. In some cases, the initial RFC is made directly available to all affected stakeholders.
Comprehensive – All new standards and major revisions to existing standards get a minimum of two RFCs. Minor revisions get at least one RFC.
Scheduled – The duration of all RFCs is a minimum of 30 days. Stakeholders will be notified in advance as to when they can participate in a given RFC.
Feedback – When there is more than one RFC period for a document, a feedback summary document (with all feedback comments, company name for the feedback contributor, and how PCI SSC actioned that feedback) is included for review with the next respective RFC. In all cases, a feedback summary document is made available for stakeholders after the standard is published.
As part of this effort, we have published a new RFC Process Guide as well as an RFC-at-a-Glance infographic to help stakeholders understand and participate in the RFC process. We have also updated the PCI SSC website with a dedicated webpage on the RFC process.
What is the desired goal of formalizing the RFC process?
Lauren Holloway: Our goal is to increase participation from stakeholders in the RFC process, as payment card industry feedback is critical to the ongoing development of PCI Security Standards and programs. We have made improvements to the RFC process and formalized it, based on feedback received from surveying PCI SSC stakeholders in 2018. A consistent documented process lets our stakeholders know what to expect, and that advance knowledge should encourage greater participation in our RFCs and provide us with more feedback. The intent is to turn that feedback into action.
How will this new process benefit the payment card industry?
Lauren Holloway: The new process will make it easier for PCI SSC stakeholders to be involved in the evolution of PCI Security Standards and programs and help us to address industry challenges.
Will participants' comments be seen by others? Where will the feedback be posted?
Lauren Holloway: YES! All comments will be available for viewing by those who participated in that RFC. The comment(s), organization’s name, and how PCI SSC actioned the feedback comments will be made available in the PCI SSC portal.
Does this new RFC process include updates to the RFC portal that has been used previously for RFCs?
Lauren Holloway: We also received feedback and suggestions related to the RFC portal from our 2018 survey and are working on upgrades that will be available later in 2019.
What RFC opportunities are anticipated for 2019?
Lauren Holloway: We have added a section to our website to highlight our RFC process and to list upcoming RFCs, so check that location as well as the PCI SSC portal frequently for the latest info on current and upcoming RFCs.