OCTOBER 29 2019: The V4 draft is out to QSACs, participating organizations and ASVs.
“This document constitutes “Confidential Information” of PCI Security Standards Council, LLC (PCI SSC) for purposes of the PCI SSC Group Participation Agreement between your organization and PCI SSC (the NDA). It is being provided in connection with the corresponding request for comment issued by PCI SSC (RFC), solely for purposes of enabling your organization to provide corresponding comments directly to PCI SSC during the applicable RFC period. Neither you nor your organization may use or disclose this document or any portion thereof except in accordance with the terms of the NDA. This document is a draft, is subject to further comment and modification, and should not be relied upon for any purpose. Recipients of this document are requested to submit, with their comments, notification of any relevant third party intellectual property rights of which they may be aware that might be infringed by any implementation of the requirements, standards or specifications set forth in this document, and to provide supporting documentation.”
OCTOBER 28 2019 Council update: The PCI DSS v4.0 RFC is scheduled to begin on 28 October and is open to PCI SSC Participation Organizations (POs), Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs).
In October 2019, actual drafts of PCI DSS v4.0 will be distributed to stakeholders to review. All Participating Organizations, Qualified Security Assessors (QSAs), and Approved Scanning Vendors (ASVs) will be invited to participate.
Another round of feedback will occur in mid-2020.
The request for comment (RFC) process will also be a key discussion topic at the 2019 PCI Community Meetings in Vancouver, Dublin, and Melbourne.
The 12 core requirements will not fundamentally change in PCI DSS version 4.0. Updates will be made to improve security and provide more flexibility for meeting security objectives. The upcoming RFC will include the full draft of the standard, along with information about the proposed changes.
With this in mind, the planned updates for PCI DSS v4.0 include:
- Add and revise requirements to address evolving risks and threats to payment data and to reinforce security as a continuous process; and
- Redesign requirements and validation options to focus on security objectives and support organizations using different methodologies to meet the intent of PCI DSS requirements.
PCI DSS v4.0 will not publish until late 2020, at the earliest. And rest assured that once it is published, there will be a transition period.