QSAs, ISAs and ASVs got the monthly PCI Assessor Newsletter on Friday, February 28, (or should have) and there were two items that I thought should be shared with the larger audience because v4 keeps coming up in conversation and due to the non-disclosure agreements (NDA) we are under, the PCI community has largely been silent on the topic.
So while I may get in trouble for sharing this information, I feel it needs to be shared because, as Aristotle is attributed as saying, “Nature abhors a vacuum.” Thanks to human nature and our silence, that vacuum has been filled with speculation and rumor about v4. The problem with all of this is that NOTHING has been finalized about v4 and will not be finalized for a while. So what you may have heard about v4 is what was in a first draft and who knows if it will end up in the final version? No one will know that until the Council publishes the final version.
These two statements go a long way in helping everyone outside of the PCI assessor and participating organization communities to understand what is going on and hopefully will dispel a lot of those rumors and speculation.
Reminders about the Draft PCI DSS v4.0
As the PCI Security Standards Council continues to review over 3,200 feedback items received during the Draft PCI DSS v4.0 RFC period, we would like to remind you about a few important points.We still have a lot of work ahead of us on PCI DSS v4.0, and we want to confirm that there is still at least a year before the standard is finalized and at least 2 years before PCI DSS v4.0 will be required. We strongly urge all entities to wait until the final version of PCI DSS v4.0 is released and that entities should not be trying to implement any new or updated requirements included in any PCI DSS draft before the final release! Please remind your clients that PCI DSS v4.0 is still draft only and does not supersede PCI DSS v3.2.1. Any actual changes, including new and updated requirements, for PCI DSS v4.0, will likely be quite different in the final, published version.
Also, note that the draft version of PCI DSS v4.0 is no longer available through the RFC portal (or otherwise). It was only available in the portal during the RFC period (28 October to 13 December 2019). We have already started making changes to the PCI DSS v4.0 draft as part of our RFC feedback review process.
We will provide PCI stakeholders with another opportunity to review the next draft of PCI DSS v4.0 via a second RFC later in 2020. We will provide more details as we progress. Stay tuned for further communications from us about your feedback and the next PCI DSS v4.0 RFC. More information about our upcoming RFCs and our RFC process can be found on our Request for Comments page.
Responsibilities for Sharing the Draft PCI DSS v4.0 RFC Materials
We are aware that some assessors are sharing information about the Draft PCI DSS v.40 RFC outside of their organizations. This article is intended to remind assessors of their obligations in this regard.The draft PCI DS v4.0 and all supporting documents provided within the portal during the RFC period are shared strictly under NDA, which prevents you from using or quoting the content from any RFC documents outside of your organization. Access to RFC content and participation in RFCs is a benefit reserved for PCI SSC stakeholders. That being said, we do encourage PCI SSC stakeholders to help raise awareness in the payments industry around the planned update to PCI DSS and it is permissible for your organization to share information about PCI DSS v4.0 based on publicly available information from the Council, which is available in PCI SSC FAQs, blogs, and PCI SSC presentations from Community Meetings and other PCI SSC public events.
If you do share information from the Council about PCI DSS v4.0, reiterate the following in any material your organization presents or publishes:
- Information provided is your company’s opinion and does not represent the position of the Council. For information from the Council on PCI DSS v4.0, they should visit the PCI SSC website.
- Information about PCI DSS v4.0 is based on an early draft of the standard that will most likely change significantly over the next months.
So there you have it straight from the source.
Again, the bottom line is that NOTHING about v4 has been finalized and it will be a while before it is finalized and made public. So focus on complying with v3.2.1 and the Council will let us all know when v4 is ready to roll out.
PCI Guru 