The PCI SSC announced last Friday that they will be conducting an additional “Request For Feedback” (RFC) process in June 2021 to address the high volume of comments around the proposed DSS v4.0 changes. As part of this process we are expecting more updates and enhancements to the core v4.0 Standards documentation, which will include the following, at a minimum:

  1. v4.0 Report on Compliance (ROC) template
  2. Self-Assessment Questionnaires (SAQs)
  3. Attestations of Compliance (AOC)

This also means that the timeline for the new DSS release will be impacted; the SSC shared a new target of Q4 2021, where previous estimates indicated a Q2 2021 release. Version 3.2.1 of the Standard will get a little more time in the sun, and the new v4.0 requirements will be pushed back while the SSC does a final tune-up.

Based on the thousands of comments the SSC received through the first two RFC rounds, this is not an entirely unexpected development. While we’ll have to wait a while longer to see the final Standard, our team is encouraged by the SSC’s commitment to “getting it right”, especially given the potentially significant changes to v4.0’s requirements and reporting.

Our PCI DSS 4.0 Road Trip will continue, though the journey just got a little longer. Watch our social media and blog for news on timing, changes, analysis, and other interesting info; we will be providing updates as we get them.

The Security Standards Council’s official communication on the changes to the timeline is on their blog here.