PCI DSS 4.0: Have Your Say

The PCI Council has issued a Request for Comments (RFC) on an early draft of PCI Data Security Standard Version 4.0. You can submit your comments from 28 October to 13 December 2019.

Background on PCI DSS v4.0
PCI DSS is being updated to address PCI SSC stakeholder feedback and to support a range of environments, technologies and methodologies for achieving security.

Key priorities for PCI DSS v4.0 include strengthening security and adding flexibility. With this in mind, the RFC draft of PCI DSS v4.0 includes these key updates:

* New requirements: New and revised requirements to address evolving risks and threats to payment data and to reinforce security as a continuous process;
* New focus on security objectives: Requirements and validation options are redesigned to focus on security objectives to support organizations using different methodologies to meet the intent of PCI DSS requirements.

RFC Participation
The PCI DSS v4.0 RFC is open to PCI SSC Participation Organizations (POs), Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs). Access to the RFC is available via the PCI SSC portal, including instructions on how to view the documents and submit feedback. Participants will also be required to accept a Non-Disclosure Agreement (NDA).

The RFC includes:

* A first draft of PCI DSS v4.0 that includes proposed updates for consideration;
* Draft samples of two additional documents intended to support a proposed new validation method;
* A Summary of Changes document that outlines the proposed changes in the draft standard;
* Additional guidance about the draft RFC materials to help participants focus their review and maximize the value of their feedback.

Per the RFC process, every piece of feedback will be reviewed and considered, and PCI SSC will prepare a summary for RFC participants showing all feedback received and how it was addressed. Please review the RFC Process Guide for more information.