
September 2020
In this issue:

• The Second PCI DSS v4.0 Draft for RFC is Here!


• Upcoming RFC Opportunities
• P2PE Key Blocks Announcement
• Transitioning From PA-DSS, Expiring 2022
• PA-DSS Quality Reminder: Which Applications are Eligible for PA-DSS Validation?
• Updates to P2PE SAQ, AOC, and new and updated FAQs
• FAQ of the Month
• Registration to Attend a 2020 PCI SSC Online Community Meeting
• Join Us for the Assessor Sessions at the 2020 Community Meetings
• Sponsor and Exhibitor Opportunities are Available for 2020 PCI SSC Events
• Nominate a Female Cybersecurity Professional for our Women in Payments Blog Series
• 2021 Special Interest Group Proposals Now Closed
• Registration is Open for Online, Instructor-led SSF Training Classes
• Become an ISA with eLearning Available On-demand or via Instructor-led Class
• eLearning Training Schedule
• Corporate Group Training is Available via eLearning

A Message from Elizabeth Terry, Senior Manager, Community Engagement

Dear Assessor Community,

As we enter the last quarter of 2020 and PCI SSC Community Meeting season, we are focused on engaging with our stakeholders by providing the most current and relevant information to the industry. This year has been one of many changes, pivots and firsts, including changes to a fully remote staff for organizations who were brick and mortar, pivoting how we train participants in our programs and our first set of fully virtual Community Meetings.


While we will not be “seeing” everyone and enjoying that face-to-face time, we created an agenda filled with PCI SSC updates, industry insights and virtual networking opportunities to interact with your colleagues. The changes we had to make because of the global pandemic have allowed us to expand the content we bring to the industry and provide access to a wider range of participants. This has been done by filling one more day with sessions for each community meeting and opening attendance to all program participants at a discounted rate.

We recognize 2020 has been a wild ride for many organizations including PCI SSC. We continue to work on the upcoming release of PCI DSS v4.0 (RFC is open now), updates to existing standards like Card Production and the Software Security Framework, and are developing guidance around your work as assessors. We appreciate your input on how this year has changed the way you do business and what we can do to help you continue to uphold the integrity of the programs you participate in through PCI SSC. Keep the feedback coming!

We have endeavored to keep things as ‘normal’ as possible while also making changes to support the community such as keeping the All Assessor Session and opening it to every assessor and not just those able to attend a community meeting. Engagement with the assessor community has been invaluable in our efforts to improve the programs generally while increasing the overall value of the programs to the community.

Thank you for your participation and we look forward to seeing you at the Community Meetings!

Sincerely,

Elizabeth Terry

Senior Manager, Community Engagement

PCI News & Program Updates


The Second PCI DSS v4.0 Draft for RFC is Here!

The second Request for Comments (RFC) period for the draft version of PCI DSS v4.0 is now open to all Participating Organizations, QSAs, and ASVs. The RFC closes on 13 November 2020. Primaries for these organizations can now access the PCI DSS v4.0 Draft v0.2 for RFC via the Portal. Please make sure you review the supporting materials, including the Read-Me First Instructions and the Summary of Changes.

PCI SSC’s RFC process allows us to maximize opportunities for collaboration and stakeholder feedback. The first RFC for PCI DSS v4.0 was held from October to December 2019. We received almost 3,200 items of feedback from that RFC, reviewed all of it, and made updates that are reflected in the standard for this second RFC of PCI DSS v4.0. This means that you, the stakeholders, have two opportunities to provide feedback on PCI DSS v4.0 before the updates become final. Join in this collaborative effort and take advantage of this opportunity to help shape the new version of the standard.

Along with the RFC materials for this second RFC and per our published RFC process, an RFC Feedback Summary from the 2019 PCI DSS RFC is provided to RFC participants via the PCI Portal. This RFC Feedback Summary includes each feedback item received, the company that provided it, and how the PCI Council actioned it. Because we share your feedback via this summary, please remember not to include company-sensitive information in your RFC feedback, and keep your comments professional and collaborative.

As a reminder: you receive RFC documents under NDA, which prevents you from sharing them outside of your organization. We understand that you may want to share this PCI DSS v4.0 Draft with your clients and partners; however, the NDA does not permit sharing of any of the RFC documents. Please also keep in mind that this is only a draft version and it does not supersede PCI DSS v3.2.1. Any actual changes, including new and updated requirements, for PCI DSS v4.0 may be very different in the final, published version. If you have any questions, please contact your Program Manager at qsa@pcisecuritystandards.org or asv@pcisecuritystandards.org.

We look forward to your feedback. Be sure to coordinate with your organization’s primary contact to gain access to the RFC materials, consolidate your company’s submissions per the RFC Read-Me document, and submit comments by 20:00 EST on 13 November. More information about our RFC process can be found on the Request for Comments page on the PCI SSC website and in the newly published resource guide What to Know Before Participating in a PCI SSC RFC.

> More information

Upcoming RFC Opportunities

PCI SSC is pleased to confirm two additional Request for Comment (RFC) periods, both planned for the November/December 2020 timeframe:

Card Production v3 Draft Standard – The v3 draft of the Card Production standard is an update to the existing security requirements incorporating prior feedback and FAQs, and the RFC is designed to get feedback on those changes as well as on the existing requirements. It will be followed next year by a second RFC for the v3 draft that will contain a much more extensive set of changes as well as incorporating feedback received from this RFC. Both RFCs will be open to all POs, PCI Recognized Labs, QSAs, Card Production Security Assessors, Qualified PIN Assessors, SSF Assessors, and ASVs.

PTS HSM v4 Draft Standard – The v4 draft of the PTS HSM standard is a general update of the existing standard with an emphasis on new criteria for multi-tenant HSMs, also referred to as cloud-based HSMs operated as a service. The upcoming PTS HSM RFC is open to PCI Recognized Labs and participating PTS vendors. A second RFC will also be scheduled for next year that will be open to all Participating Organizations, Labs, QSAs, Card Production Security Assessors, Qualified PIN Assessors, SSF Assessors, and ASVs.

For more information on current and upcoming RFCs, please refer to PCI SSC’s Request for Comments web page.

> More information


P2PE Key Blocks Announcement

In response to stakeholder feedback about the impact COVID-19 has had on implementations, PCI SSC is updating the effective dates for key block implementations in P2PE requirement 18-3. A technical FAQ, which is normative to the PCI P2PE Standard, will convey the revised dates until the P2PE Standard itself is updated. The new dates are provided in the excerpt below.

• 18-3 Encrypted symmetric keys must be managed in structures called key blocks. The key usage must be cryptographically bound to the key using accepted methods.

The phased implementation dates are as follows:

• Phase 1 – Implement Key Blocks for internal connections and key storage within Service Provider Environments – this would include all applications and databases connected to hardware security modules (HSM). Effective date: 1 June 2019 (past).
• Phase 2 – Implement Key Blocks for external connections to Associations and Networks. New Effective Date: 1 January 2023 (replaces previous effective date of 1 June 2021).
• Phase 3 – Implement Key Blocks to extend to all merchant hosts, point-of-sale (POS) devices and ATMs. New Effective Date: 1 January 2025 (replaces previous effective date of 1 June 2023).

The individual payment card brands manage compliance programs that utilize PCI Security Standards. Organizations should contact the applicable payment brand(s) directly with any compliance questions. For more information, please refer to the official PCI SSC announcement here.

> More information


Transitioning From PA-DSS, Expiring 2022

When the Payment Application Data Security Standard (PA-DSS) v3.2 and Program closes in October 2022, it will be replaced by the Secure Software Standard and Program, which is part of the PCI Software Security Framework.

In the interim, to help minimize disruption and ease the transition process for stakeholders, the PA-DSS and Secure Software Programs will run in parallel, with the PA-DSS Program continuing to operate as it does now:

• Existing PA-DSS validated payment applications: The PA-DSS Program remains open and fully supported until October 2022, with no changes to how existing PA-DSS validated applications are handled. They will remain on the List of PA-DSS Validated Payment Applications until their expiry dates, and per the normal process vendors can submit changes to them until PA-DSS v3.2 expiry (28 October 2022).

• New PA-DSS submissions: Vendors will be able to submit new payment software products for PA-DSS validation and listing until 30 June 2021.

For more information about the transition from PA-DSS to the Secure Software Standard and Program, please review the following resources:

• PCI Software Security Framework FAQs: PA-DSS Impact and Transition
• Resource Guide: Transitioning from PA-DSS to the Software Security Framework
• FAQ 1275 “What are the PA-DSS Expiry Dates?”
• January 2019 Announcement
• June 2019 Announcement

> More information on becoming a Software Security Framework Assessor company

> More information on becoming a Secure Software Assessor

> More information on becoming a Secure SLC Assessor


PA-DSS Quality Reminder: Which Applications are Eligible for PA-DSS Validation?

Over the last few months, PCI SSC’s Assessor Quality Management (AQM) team has seen a few applications submitted for PA-DSS validation that are not eligible. As a reminder, PA-QSAs are responsible for assessing and verifying the eligibility of a payment application before submitting it to PCI SSC for validation. To help us restore a baseline standard of quality, please remember the following when reviewing a vendor’s payment application for eligibility under the PA-DSS program:

• Please check the PA-DSS Program Guide and other PCI SSC issued guidance documents to ensure the application is eligible for PA-DSS validation: Table 4.1a in the Payment Card Industry (PCI) PA-DSS Program Guide, v3.2 provides a description and program guidance regarding payment applications to which PA-DSS does apply. Please also refer to the Eligibility Checklist: “Which Applications are Eligible for PA-DSS Validation” located in the Document Library on the PCI SSC website. An application should be assessed against both the Program Guide and the Eligibility Checklist for eligibility. The Checklist does not replace the direction given in the Program Guide.

• Remember that PA-QSAs are the SMEs for payment application eligibility, not the vendors. If your client is having a difficult time understanding eligibility requirements for PA-DSS, please review the above-mentioned documentation with them. For any questions concerning eligibility, please contact the PA-DSS program manager at pa-dss@pcisecuritystandards.org. It is important that quality issues are resolved prior to submitting an application for validation to AQM, as quality issues ultimately reflect on assessors and assessor companies.

• As you speak with your vendors, PA-QSAs and assessor companies may want to consider transitioning from PA-DSS to the PCI Software Security Framework (SSF). The SSF expands beyond the scope of the Payment Application Data Security Standard (PA-DSS) and will replace PA-DSS, its program, and the PA-DSS List of Validated Payment Applications when PA-DSS is retired in 2022. For more information on moving from PA-DSS to SSF, please refer to the following guidance document: Transitioning from PA-DSS to the PCI Software Security Framework. This document provides key information and resources to help organizations plan for transitioning from PA-DSS to the PCI Software Security Framework. Additionally, registration for Software Security Framework Assessor Training is now open with classes available on the new eLearning platform. Existing PA-QSAs are eligible for a modified training requirement to transition to Secure Software Assessors. For more information on Secure Software Assessor Training please refer to the Training & Qualification section of the PCI SSC website.

In summary, check the application eligibility against the program guide and eligibility checklist before submitting, and speak with your vendors about transitioning to the SSF.

We hope you find these resources to be helpful. As always, AQM is here to help. Please contact the Program Manager at pa-dss@pcisecuritystandards.org if you have any queries.

Updates to P2PE SAQ, AOC, and new and updated FAQs

As announced last month, PCI SSC introduced expired listings to the PCI P2PE website in September to move P2PE Solutions, Components, and Applications (P2PE Products) off the active listings when those P2PE Products have been overdue for validation by more than 180 days.

To support the expired listings for P2PE Solutions, PCI SSC has also:

• Updated the SAQ P2PE and the stand-alone P2PE SAQ AOC to rev1.1, to include minor updates and to reference the PCI list of Point-to-Point Solutions with Expired Validations.
• Updated FAQ 1247 “Who can use SAQ P2PE?” to reference the PCI list of Point-to-Point Solutions with Expired Validations and to explain what an expired solution is.
• Added new FAQ 1483 “If a P2PE Solution is on PCI’s list of Point-to-Point Encryption Solutions with Expired Validations, does the solution meet the eligibility criteria for SAQ P2PE?”
• Added new FAQ 1484 “If a P2PE Solution is shown as red or orange on PCI’s list of Validated P2PE Solutions, does the solution meet the eligibility criteria for SAQ P2PE?”

All these FAQs can be found at: https://www.pcisecuritystandards.org/faqs

See the FAQ of the Month below for a featured new P2PE FAQ 1482 that addresses whether P2PE Products on an expired listing are still considered validated per the P2PE Program Guide.

> More information

FAQ of the Month

If a P2PE Solution is on PCI’s list of Point-to-Point Encryption Solutions with Expired Validations, does the solution meet the eligibility criteria for SAQ P2PE?

P2PE solutions on the PCI list of Point-to-Point Encryption Solutions with Expired Validations are no longer considered “validated” per the P2PE Program Guide. Because these P2PE solution providers did not renew their listings in accordance with PCI SSC requirements, their validations have expired.

Merchants using an expired P2PE solution should check with their acquirer or individual payment brands about their eligibility to complete SAQ P2PE.

> View the FAQs

Participation Opportunities

Registration to Attend a 2020 PCI SSC Online Community Meeting

We will gather virtually to hear important Council updates, regional insights, and startling industry reports. Watch our video and see why now, more than ever, we must work together to help secure payment data.

Register today for one of our Community Meetings:

• North America Community Meeting: 6 – 9 October 2020

• Europe Community Meeting: 20 – 23 October 2020

• Asia-Pacific Community Meeting: 4 – 6 November 2020

Read our recent Q&A with Lance Johnson about the Community Meetings on our blog: PCI SSC to Host its 2020 Community Meetings Online as Virtual Events.

Continue to check our event website for the most up-to-date information and details.

> More information


Join Us for the Assessor Sessions at the 2020 Community Meetings

With the North America and Europe Community Meetings moving to online events, this year’s Assessor Sessions have also been moved to an online format.

This year the Assessor Sessions are open to All Assessors and will be held the week following the Community Meeting:

• PCI SSC 2020 North America Assessor Session - 13 October 2020: 10:00-11:30 EDT

• PCI SSC 2020 Europe Assessor Session - 27 October 2020: 10:00-11:30 CEST

The Assessor Sessions are your meetings - you drive the content. This is your last chance to submit your questions ahead of the scheduled session you plan to attend. This will ensure that we can answer your questions during the event and address any common themes we may find.

> Submit your questions

Sponsor and Exhibitor Opportunities are Available for 2020 PCI SSC Events

Looking to gain high-level exposure for your company? Become a sponsor or exhibitor at a 2020 PCI SSC Event.

Sign up to exhibit at the 2020 PCI SSC Community Meetings and secure your spot. Email us or visit our website to learn about available sponsorship opportunities for 2020:

• North America Community Meeting Sponsorship Opportunities

• Europe Community Meeting Sponsorship Opportunities

• Asia-Pacific Community Meeting Sponsorship Opportunities

Take advantage of these unique opportunities to position your company as a leader in the payment security industry and gain visibility for your brand!

> Reserve a spot in the Vendor Showcase

> Sponsorship information


Nominate a Female Cybersecurity Professional for our Women in Payments Blog Series

PCI Security Standards Council (PCI SSC) is pleased to announce that it has extended its monthly, award-winning Women in Payments blog series through 2021. The original 12-part blog series, Closing the Gender Gap in Payment Security, which debuted earlier this year, highlights a professional, senior-level female in the payments industry who represents PCI’s Board of Advisors and the payment card brands. The series, which earned an “Award of Distinction” in the category of ‘Web Based Production: Video Series’ at the 2020 Videographer Awards, aims to call attention to the deficit of women in cybersecurity professions.

In 2021, the blog series will expand to include all senior-level women who are active participants, and in good standing, in any of PCI SSC’s many programs.

Submit your nomination until 2 October.

> Read more about the nomination criteria

2021 Special Interest Group Proposals Now Closed

Thank you to all who submitted proposals for the 2021 SIG project. The PCI SSC has begun reviewing and consolidating the list of 2021 proposals to ensure projects are aligned with current PCI SSC priorities and stakeholder needs, and are not already being addressed in other forums. They will be listed on the website by this November, and PCI SSC Participating Organizations will have the opportunity to vote on 2021 SIG proposals via the portal from Monday, 9 November to Monday, 30 November. Results of the election will be shared in December 2020. Once announcements are made, PCI SSC will work with those selected to create charters prior to the commencement of the new SIG in 2021.

Training
Registration is Open for Online, Instructor-led SSF Training Classes

Software Security Framework Assessors (SSF Assessors) are independent security organizations that are qualified by PCI SSC to perform assessments to the Secure Software Standard, the Secure SLC Standard or both.

SSF Assessor Company qualification is open to any company that meets the Software Security Framework Assessor Qualification Requirements. It provides an opportunity for new candidates to join the first PCI SSC program of this kind, which includes a new methodology for validating software security and a separate secure software lifecycle qualification for vendors with robust security development practices.

Eligible organizations can apply now to become SSF Assessor Companies by visiting the Secure SLC Assessor or Secure Software Assessor pages on the PCI SSC website and following the steps outlined in the registration process.

These online classes are available for qualification or informational training:

• 11 November: Secure Software Assessor Class

• 12 November: Secure SLC Assessor Class

Informational training is for individuals who would like to increase their knowledge but do not necessarily need to achieve qualification. This training is a great fit for anyone who wants to understand what the standard and program entail and what to expect from an assessment, but who does not need or want to qualify as an assessor for that program.

> More on the Secure SLC program

> More on the Secure Software Assessor program


Become an ISA with eLearning Available On-demand or via Instructor-led Class

Prepare your employees and your company to protect payment data. Plan now to register for an eLearning Internal Security Assessor (ISA) training class with an online exam.

Registration is Open for Upcoming ISA Training Opportunities:

• eLearning on-demand - Available now

• Remote instructor-led classes:

o 15 Oct: Translated in Japanese* - Hurry! Class almost full!
o 28 Oct: Delivered in Portuguese - For more information on this class, contact Romana Sturdikova.
o 10 Nov: Delivered in Spanish - For more information on this class, contact Romana Sturdikova.

Registration information can be found here or, for more information about enrolling, please contact us at: administration@pcisecuritystandards.org.

> More information

*Please note, the exam for the 15 October class delivered in Japanese will require participants to visit a testing center in person.

eLearning Training Schedule

As a reminder, the following classes are scheduled for the remainder of the year via remote instructor-led training:

• 3DS Assessor: future class date to be announced soon!
• QSA: last chance, register now for the class on 15 October (in Japanese)!
• Secure Software Assessor: registration now open for the 11 November class!
• Secure Software Lifecycle Assessor: registration now open for the 12 November class!
• P2PE: registration now open for the 20 November class!
• QPA: registration now open for the 2 December class!

Please check the eLearning page often as training classes are added here.
> More information

Corporate Group Training is Available via eLearning

Get your team trained online in 2020! We are pleased to offer many of our PCI training programs via eLearning with remote exam for organizations wishing to train their teams remotely. Corporate Group Training offered as eLearning incorporates a combination of computer-based training as well as remote instructor-led training sessions with online exam.

> More information

Subscribe to the Blog

Keep up to date with PCI SSC blog notifications delivered straight to your email inbox. Subscribe here.

> Subscribe to the blog

Events

• 2020 PCI SSC North America Community Meeting: 6 - 9 October – An Online Event
• 2020 PCI SSC Europe Community Meeting: 20 - 23 October – An Online Event
• 2020 PCI SSC Asia-Pacific Community Meeting: 4 - 6 November – An Online Event

> View all upcoming events

FAQ of the Month Archives

• August 2020: FAQ 1477
• July 2020: FAQ 1091
• June 2020: FAQ 1481
• May 2020: FAQ 1333
• April 2020: FAQ 1210
• March 2020: FAQ 1473
• February 2020: FAQ 1280
• January 2020: FAQ 1471 & 1472
• November 2019: FAQ 1469
• October 2019: FAQ 1468
• September 2019: FAQ 1468
• August 2019: FAQ 1458
• July 2019: FAQ 1439
• June 2019: FAQ 1467
• May 2019: FAQ 1086
• April 2019: FAQ 1464
• March 2019: FAQ 1443

> View all FAQs

PCI Security Standards Council, LLC 401 Edgewater Place Suite 600 Wakefield, MA 01880