Why The Roaring Silence About PCI DSS v4?

So, it has been over a week since v4 came out in draft for comments from QSAs, Participating Organizations and other stakeholders. Yet there has been nary a peep online about it even from The PCI Guru. I know a lot of people are pinging me and complaining because they want to know what is going on.

I would love to share my observations and opinions, but …

The Council made us all agree to a Non-Disclosure Agreement (NDA) that does not allow us to openly discuss the new version of the PCI DSS outside of our own organizations. Because of this, you should not hear word one about the new version until the Council tells us it can be openly discussed.

It is not that we do not want to share. It is that we are not legally allowed to share.

So please be patient.

Update: From the November 2019 Assessor Newsletter.

“Can I share information about PCI DSS v4.0 outside of my company?
We have received several inquiries about whether POs, QSAs, and ASVs are permitted to share information externally about PCI DSS v4.0, and if so, what information can be shared with other organizations. We encourage PCI SSC stakeholders to help raise awareness in the payments industry around the planned update to PCI DSS; however, access to RFC content and participation in RFCs is a benefit reserved for PCI SSC stakeholders. It is permissible for your organization to share information about PCI DSS v4.0 based on publicly available information from the Council, which is available in PCI SSC FAQs, blogs, and PCI SSC presentations from Community Meetings and other PCI SSC public events.

Note: The content of the RFC documents is strictly under NDA and cannot be shared, used, or quoted.

If you share any information about PCI DSS v4.0, as referenced above from publicly available materials from PCI SSC, you are asked to please reiterate the following in any material your organization presents or publishes:

  • Information provided is your company’s opinion and does not represent the position of the PCI Security Standards Council. For information from the PCI Security Standards Council on PCI DSS v4.0, individuals should visit the PCI SSC website.
  • Information about PCI DSS v4.0 is based on an early draft of the standard that will most likely change significantly over the next several months.

Thank you for your help in increasing awareness of PCI DSS and for your cooperation with these guidelines. It will help minimize confusion and ensure that clear, consistent, and accurate information is being communicated to the payments industry.”


3 Responses to “Why The Roaring Silence About PCI DSS v4?”

  1. Saeedeh AL
    December 7, 2019 at 4:18 AM

    Hi everyone, I have a question not related to this post. I couldn’t find any right place to put my question, so I’m going to ask here. It’s about PCI PTS.
    If I have, for example, an Android POI on which you can download and install any application, without any signature checking by the firmware or OS, isn’t it against the PCI PTS Requirements? Or should we have some other security policy to manage that? And which entity must check this case: the PCI PTS requirements, the acquirer, the merchant or the vendor?
    The POI I’m talking about has a valid PCI PTS certificate, and I’m wondering how it is possible to have such an OS or firmware certified by PCI PTS?!
    Thank you in advance

    • December 8, 2019 at 11:18 AM

      For example, Square meets the POI requirement by isolating the device from the payment process with the exception of manual entry of PAN through the virtual keyboard. Also, Square is the merchant of record, not the person with the iPhone, iPad or Android device.

      Other solutions from Verifone and Ingenico use Bluetooth-attached POI that are P2PE/E2EE solutions, so that the cardholder data is encrypted as it passes through the cellphone.

  2. javi
    November 8, 2019 at 8:15 AM

    How democratic of them… :/
    I wonder why all the cloak and dagger. Are they expecting the community not to agree with the direction the PCI DSS is heading? Or maybe maximizing profit, perchance?
    Cardholder data security is, after all, a multi-billion dollar industry, and changes to the standard translate into higher costs for all organizations and more savings (due to risk reduction) for the card-issuing industry (Visa, Amex, MC, etc.).

    Pardon the cynicism, but the lack of transparency is irritating.


November 2019
