Archive for November, 2019

08 Nov 19

Why The Roaring Silence About PCI DSS v4?

So, it has been over a week since v4 came out in draft for comments from QSAs, Participating Organizations and other stakeholders. Yet there has been nary a peep online about it even from The PCI Guru. I know a lot of people are pinging me and complaining because they want to know what is going on.

I would love to share my observations and opinions, but …

The Council made us all agree to a Non-Disclosure Agreement (NDA) that does not allow us to openly discuss the new version of the PCI DSS outside of our own organizations. Because of this, you should not hear word one about the new version until the Council tells us it can be openly discussed.

It is not that we do not want to share. It is that we are not legally allowed to share.

So please be patient.

Update: From the November 2019 Assessor Newsletter.

“Can I share information about PCI DSS v4.0 outside of my company?
We have received several inquiries about whether POs, QSAs, and ASVs are permitted to share information externally about PCI DSS v4.0, and if so, what information can be shared with other organizations. We encourage PCI SSC stakeholders to help raise awareness in the payments industry around the planned update to PCI DSS; however, access to RFC content and participation in RFCs is a benefit reserved for PCI SSC stakeholders. It is permissible for your organization to share information about PCI DSS v4.0 based on publicly available information from the Council, which is available in PCI SSC FAQs, blogs, and PCI SSC presentations from Community Meetings and other PCI SSC public events.

Note: The content of the RFC documents is strictly under NDA and cannot be shared, used, or quoted.

If you share any information about PCI DSS v4.0, as referenced above from publicly available materials from PCI SSC, you are asked to please reiterate the following in any material your organization presents or publishes:

  • Information provided is your company’s opinion and does not represent the position of the PCI Security Standards Council. For information from the PCI Security Standards Council on PCI DSS v4.0, individuals should visit the PCI SSC website.
  • Information about PCI DSS v4.0 is based on an early draft of the standard that will most likely change significantly over the several months.

Thank you for help in increasing awareness of PCI DSS and for your cooperation with these guidelines. It will help minimize confusion and ensure that clear, consistent, and accurate information is being communicated to the payments industry.”




Welcome to the PCI Guru blog. The PCI Guru reserves the right to censor comments as they see fit. Sales people beware! This is not a place to push your goods and services.
