thePCI Portal

Eye on PCI v4

August 25 2020:

The Council is still analyzing feedback from the previous RFC (the plan is to comment on all feedback). The Council is preparing the next RFC while updating supporting documents (glossary, prioritized approach, SAQs, etc.) and training.


An extended transition period is planned. v3.2.1 is to be retired 2 years AFTER the release of v4.0. Future-dated requirements will extend beyond the retirement of v3.2.1.


April 30, 2020:  Assessor Newsletter

When will PCI DSS v4.0 be released?
The final version of PCI DSS v4.0 is currently expected in mid-2021. PCI DSS v3.2.1 will remain active for 2 years after PCI DSS v4.0 is released to allow organizations time to transition to the new version. While PCI DSS v4.0 is under development, we ask you to encourage your clients to remain diligent with their PCI DSS v3.2.1 compliance efforts. Not only will this help ensure their continued security, but this will facilitate their transition to PCI DSS v4.0. Here is the link to our latest PCI DSS v4.0 blog.

Will a more detailed analysis of the RFC 2019 feedback be provided?
During our review of the more than 3,000 RFC feedback items, we have been sharing statistics about that RFC feedback with our stakeholders. Once we have finished reviewing the feedback and making updates to PCI DSS v4.0, per our published RFC process, an RFC Feedback Summary will be provided to RFC participants via the PCI Portal. This summary, showing how each item of feedback was addressed, will be shared when the next PCI DSS RFC takes place.

What is the timing of the next RFC for PCI DSS v4.0 and who will have access to it?
The next RFC for PCI DSS v4.0 will be in September/October of 2020 and will include the second draft of PCI DSS v4.0, which we are currently developing based on the feedback received during the 2019 RFC. The opportunity to review and provide feedback on PCI DSS RFCs is provided to the primary contacts of QSA companies, ASV companies, and Participating Organizations. Only primary contacts have access to RFCs in the PCI Portal; their responsibilities are to coordinate with others in their company to review RFC materials, consolidate the company’s feedback, and submit that feedback to PCI SSC via the PCI Portal on their company’s behalf.


OCTOBER 29 2019:  The V4 draft is out to QSACs, participating organizations and ASVs. 

“This document constitutes “Confidential Information” of PCI Security Standards Council, LLC (PCI SSC) for purposes of the PCI SSC Group Participation Agreement between your organization and PCI SSC (the NDA). It is being provided in connection with the corresponding request for comment issued by PCI SSC (RFC), solely for purposes of enabling your organization to provide corresponding comments directly to PCI SSC during the applicable RFC period. Neither you nor your organization may use or disclose this document or any portion thereof except in accordance with the terms of the NDA. This document is a draft, is subject to further comment and modification, and should not be relied upon for any purpose. Recipients of this document are requested to submit, with their comments, notification of any relevant third party intellectual property rights of which they may be aware that might be infringed by any implementation of the requirements, standards or specifications set forth in this document, and to provide supporting documentation.”

OCTOBER 28 2019 Council update: The PCI DSS v4.0 RFC is scheduled to begin on 28 October and is open to PCI SSC Participating Organizations (POs), Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs).

In October 2019, actual drafts of PCI DSS v4.0 will be distributed to stakeholders to review.  All Participating Organizations, Qualified Security Assessors (QSAs), and Approved Scanning Vendors (ASVs) will be invited to participate.
Another round of feedback will occur in mid-2020.

The request for comment (RFC) process will also be a key discussion topic at the 2019 PCI Community Meetings in Vancouver, Dublin, and Melbourne.
The 12 core requirements will not fundamentally change in PCI DSS version 4.0. Updates will be made to improve security and provide more flexibility for meeting security objectives. The upcoming RFC will include the full draft of the standard, along with information about the proposed changes.
With this in mind, the planned updates for PCI DSS v4.0 include:

  • Add and revise requirements to address evolving risks and threats to payment data and to reinforce security as a continuous process; and
  • Redesign requirements and validation options to focus on security objectives and support organizations using different methodologies to meet the intent of PCI DSS requirements.

PCI DSS v4.0 will not publish until late 2020, at the earliest. And rest assured that once it is published, there will be a transition period.
