September 2020
In this issue:
As we enter the last quarter of 2020 and PCI SSC Community Meeting season, we are focused on engaging with our stakeholders by
providing the most current and relevant information to the industry. This year has been one of many changes, pivots and firsts, including
changes to a fully remote staff for organizations who were brick and mortar, pivoting how we train participants in our programs and our first
insights and virtual networking opportunities to interact with your colleagues. The changes we had to make because of the global
pandemic have allowed us to expand the content we bring to the industry and provide access to a wider range of participants. This has
been done by filling one more day with sessions for each community meeting and opening attendance to all program participants at a
discounted rate.
We recognize 2020 has been a wild ride for many organizations, including PCI SSC. We continue to work on the upcoming release of PCI
DSS v4.0 (RFC is open now), updates to existing standards like Card Production and the Software Security Framework, and are
developing guidance around your work as assessors. We appreciate your input on how this year has changed the way you do business
and what we can do to help you continue to uphold the integrity of the programs you participate in through PCI SSC. Keep the feedback
coming!
We have endeavored to keep things as ‘normal’ as possible while also making changes to support the community such as keeping the All
Assessor Session and opening it to every assessor and not just those able to attend a community meeting. Engagement with the assessor
community has been invaluable in our efforts to improve the programs generally while increasing the overall value of the programs to the
community.
Thank you for your participation, and we look forward to seeing you at the Community Meetings!
Sincerely,
Elizabeth Terry
The second Request for Comments (RFC) period for the draft version of PCI DSS v4.0 is now
open to all Participating Organizations, QSAs, and ASVs. The RFC closes on 13 November 2020.
Primaries for these organizations can now access the PCI DSS v4.0 Draft v0.2 for RFC via the
Portal. Please make sure you review the supporting materials, including the Read-Me First
PCI SSC’s RFC process allows us to maximize opportunities for collaboration and stakeholder
feedback. The first RFC for PCI DSS v4.0 was held from October – December of 2019. We
received almost 3200 items of feedback from that RFC and have reviewed all that feedback and
made updates that are reflected in the standard for this, the second RFC of PCI DSS v4.0. It
means that you, the stakeholders, have two opportunities to provide feedback on PCI DSS v4.0
before the updates become final. Join in this collaborative effort and take advantage of this
Along with the RFC materials for this second RFC and per our published RFC process, an RFC
Feedback Summary from the 2019 PCI DSS RFC is provided to RFC participants via the PCI
Portal. This RFC Feedback Summary includes each feedback item received, the company that
provided each feedback item, and how the PCI Council actioned each feedback item. Because we
share your feedback via this feedback summary, please remember to not include company
sensitive information in your RFC feedback and remember to keep your comments professional
and collaborative.
As a reminder: You receive RFC documents under NDA which prevents you from sharing them
outside of your organization. We understand that you may want to share this PCI DSS v4.0 Draft
with your clients and partners; however, the NDA does not permit sharing of any of the RFC
documents. Please also keep in mind that this is only a draft version and it does not supersede PCI
DSS v3.2.1. Any actual changes, including new and updated requirements, for PCI DSS v4.0 may
be very different in the final, published version. If you have any questions, please contact your
We look forward to your feedback. Be sure to coordinate with your organization’s primary contact
to gain access to the RFC materials, consolidate your company’s submissions per the RFC Read-
Me document, and submit comments by 20:00 EST on November 13. More information about our
RFC process can be found on the Request for Comments page on the PCI SSC website and on
the newly published resource guide What to Know Before Participating in a PCI SSC RFC.
PCI SSC is pleased to confirm two additional Request for Comment (RFC) periods that are both
Card Production v3 Draft Standard – The v3 draft of the Card Production standard is an update
to the existing security requirements incorporating prior feedback and FAQs, and the RFC is
designed to get feedback on those changes as well as on the existing requirements. It will be
followed next year by a second RFC for the v3 draft that will contain a much more extensive set of
changes as well as incorporating feedback received from this RFC. Both RFCs will be open to all
POs, PCI Recognized Labs, QSAs, Card Production Security Assessors, Qualified PIN Assessors,
PTS HSM v4 Draft Standard – The v4 draft of the PTS HSM standard is a general update of the
existing standard with an emphasis on new criteria for multi-tenant HSMs, also referred to as cloud
based HSMs operated as a service. The upcoming PTS HSM RFC is open to PCI Recognized
Labs and participating PTS vendors. A second RFC will also be scheduled for next year that will be
open to all Participating Organizations, Labs, QSAs, Card Production Security Assessors, Qualified
For more information on current and upcoming RFCs, please refer to PCI SSC’s Request for
In response to stakeholder feedback about the impact COVID-19 has had on implementations, PCI
SSC is updating the effective dates for key block implementations in P2PE requirement 18-3. A
technical FAQ, which serves as normative to the PCI P2PE Standard, will convey the revised dates
until such time the P2PE Standard is updated. The new dates are provided in the excerpt below.
• 18-3 Encrypted symmetric keys must be managed in structures called key blocks. The
key usage must be cryptographically bound to the key using accepted methods.
• Phase 1 – Implement Key Blocks for internal connections and key storage within Service
Provider Environments – this would include all applications and databases connected to
June 2021).
• Phase 3 – Implement Key Block to extend to all merchant hosts, point-of-sale (POS)
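As an added illustration of the key-block principle behind requirement 18-3 (example code written for this page, not PCI SSC's or any vendor's): the key's usage is carried in a header that is integrity-bound to the encrypted key under a key-block protection key, so a key issued for one purpose cannot be quietly presented for another. The header layout, usage codes, MAC length and sample key material below are all constructed for the example; the accepted key-block formats the requirement refers to define the real layout, and the key-wrap step itself is represented only by already-wrapped bytes.

```python
import hmac
import hashlib

# Simplified key block: header || wrapped_key || MAC.
# The MAC covers the header, so the usage field cannot be changed without
# invalidating the block. Constants below are constructed for this example
# and are not a standard's field definitions.

HEADER_LEN = 16   # constructed fixed header size
MAC_LEN = 16      # constructed MAC truncation length

# Constructed usage codes (not any standard's table).
USAGE_CODES = {
    "PIN_ENC": b"P0",   # key may only encrypt PINs
    "DATA_ENC": b"D0",  # key may only encrypt cardholder data
    "KEY_ENC": b"K0",   # key may only wrap other keys
}


def _mac(kbpk: bytes, header: bytes, wrapped_key: bytes) -> bytes:
    """MAC over header || wrapped key under the key-block protection key (KBPK)."""
    return hmac.new(kbpk, header + wrapped_key, hashlib.sha256).digest()[:MAC_LEN]


def build_key_block(kbpk: bytes, usage: str, wrapped_key: bytes) -> bytes:
    """Assemble header || wrapped_key || MAC.

    `wrapped_key` stands in for the symmetric key already encrypted by an
    approved wrap under a key derived from the KBPK; the wrap is out of scope.
    """
    if usage not in USAGE_CODES:
        raise ValueError(f"unknown key usage {usage!r}")
    # version byte, 2-byte usage code, then constructed filler up to HEADER_LEN
    header = b"1" + USAGE_CODES[usage]
    header += b"0" * (HEADER_LEN - len(header))
    return header + wrapped_key + _mac(kbpk, header, wrapped_key)


def open_key_block(kbpk: bytes, block: bytes, expected_usage: str) -> bytes:
    """Verify integrity first, then enforce the usage the caller expects.

    Raises ValueError on any integrity failure or usage mismatch; the wrapped
    key is released only when both checks pass.
    """
    if len(block) < HEADER_LEN + MAC_LEN + 1:
        raise ValueError("key block too short")
    header = block[:HEADER_LEN]
    wrapped_key = block[HEADER_LEN:-MAC_LEN]
    mac = block[-MAC_LEN:]
    # constant-time comparison so the MAC check does not leak timing information
    if not hmac.compare_digest(_mac(kbpk, header, wrapped_key), mac):
        raise ValueError("key block integrity check failed")
    if header[1:3] != USAGE_CODES.get(expected_usage):
        raise ValueError("key usage does not match the requested use")
    return wrapped_key


def relabel_is_detected(kbpk: bytes, block: bytes, new_usage: str) -> bool:
    """Negative test: overwrite the usage field and confirm the verifier rejects it.

    Returns True when the altered block is refused, which is the binding
    property the requirement asks for.
    """
    altered = block[:1] + USAGE_CODES[new_usage] + block[3:]
    try:
        open_key_block(kbpk, altered, new_usage)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    kbpk = b"\x00" * 31 + b"\x01"                     # constructed KBPK for the demo
    wrapped = bytes.fromhex("0123456789abcdeffedcba9876543210")  # constructed wrapped key
    block = build_key_block(kbpk, "PIN_ENC", wrapped)
    print("valid block opens:", open_key_block(kbpk, block, "PIN_ENC") == wrapped)
    print("usage relabel detected:", relabel_is_detected(kbpk, block, "DATA_ENC"))
```

The order of checks in `open_key_block` matters: integrity is verified before any header field is trusted, and the usage check compares against what the caller intends to do with the key rather than simply reading the header back, so a PIN-encryption key handed to a data-encryption routine is refused even when the block is intact.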
The individual payment card brands manage compliance programs that utilize PCI Security
Standards. Organizations should contact the applicable payment brand(s) directly with any
compliance questions. For more information, please refer to the official PCI SSC announcement
here.
When the Payment Application Data Security Standard (PA-DSS) v3.2 and Program closes in
October 2022, it will be replaced by the Secure Software Standard and Program which is part of
In the interim, to help minimize disruption and ease the transition process for stakeholders, the PA-
DSS and Secure Software Programs will run in parallel, with the PA-DSS Program continuing to
open and fully supported until October 2022, with no changes to how existing PA-DSS
validated applications are handled. They will remain on the List of PA-DSS Validated
Payment Applications until their expiry dates, and per the normal process vendors can
submit changes to them until PA-DSS v3.2 expiry (28 October 2022).
• New PA-DSS submissions: Vendors will be able to submit new payment software
For more information about the transition from PA-DSS to the Secure Software Standard and
Over the last few months, PCI SSC’s Assessor Quality Management (AQM) team has seen a few
applications submitted for PA-DSS validation that are not eligible. As a reminder, PA-QSAs are
responsible for assessing and verifying the eligibility of a payment application prior to submitting to
PCI SSC for validation. To help us bring back a baseline standard of quality, please remember the
following when reviewing a vendor’s payment application for eligibility under the PA-DSS program:
• Please check the PA-DSS Program Guide and other PCI SSC issued guidance
documents to ensure the application is eligible for PA-DSS validation: Table 4.1a in the
Payment Card Industry (PCI) PA-DSS Program Guide, v3.2 provides a description and
program guidance regarding payment applications to which PA-DSS does apply. Please
also refer to the Eligibility Checklist: “Which Applications are Eligible for PA-DSS
Validation” located in the Document Library on the PCI SSC website. An application
should be assessed against both the Program Guide and the Eligibility Checklist for
eligibility. The Checklist does not replace the direction given in the Program Guide.
• Remember that PA-QSAs are the SMEs for payment application eligibility, not the
vendors. If your client is having a difficult time understanding eligibility requirements for
PA-DSS, please review the above-mentioned documentation with them. For any
questions concerning eligibility, please contact the PA-DSS program manager at pa-
• As you speak with your vendors, PA-QSAs and assessor companies may want to
consider transitioning from PA-DSS to the PCI Software Security Framework (SSF). The
SSF expands beyond the scope of the Payment Application Data Security Standard (PA-
DSS) and will replace PA-DSS, its program, and the PA-DSS List of Validated Payment
Applications when PA-DSS is retired in 2022. For more information on moving from PA-
DSS to SSF, please refer to the following guidance document: Transitioning from PA-DSS
to the PCI Software Security Framework. This document provides key information and
resources to help organizations plan for transitioning from PA-DSS to the PCI Software
Training is now open with classes available on the new eLearning platform. Existing PA-QSAs
are eligible for a modified training requirement to transition to Secure Software
Assessors. For more information on Secure Software Assessor Training please refer to
In summary, check the application eligibility against the program guide and eligibility checklist
before submitting and speak with your vendors about transitioning to the SSF.
We hope you find these resources to be helpful. As always, AQM is here to help. Please contact
As announced last month, PCI SSC introduced expired listings to the PCI P2PE website in
September to move P2PE Solutions, Components, and Applications (P2PE Products) off the active
listings when those P2PE Products have been overdue for validation by more than 180 days.
To support the expired listings for P2PE Solutions, PCI SSC has also:
• Updated the SAQ P2PE and the stand-alone P2PE SAQ AOC to rev1.1, to include minor
updates and to reference the PCI list of Point-to-Point Solutions with Expired Validations.
• Updated FAQ 1247 “Who can use SAQ P2PE?” to reference the PCI list of Point-to-
Point Solutions with Expired Validations and to explain what an expired solution is.
• Added new FAQ 1483 “If a P2PE Solution is on PCI’s list of Point-to-Point Encryption
Solutions with Expired Validations, does the solution meet the eligibility criteria for SAQ
P2PE?”
• Added new FAQ 1484 “If a P2PE Solution is shown as red or orange on PCI’s list of
Validated P2PE Solutions, does the solution meet the eligibility criteria for SAQ P2PE?”
See the FAQ of the Month below for a featured new P2PE FAQ 1482 that addresses whether
P2PE Products on an expired listing are still considered validated per the P2PE Program Guide.
Validations, does the solution meet the eligibility criteria for SAQ P2PE?
P2PE solutions on the PCI list of Point-to-Point Encryption Solutions with Expired Validations are
no longer considered “validated” per the P2PE Program Guide. Because these P2PE solution
providers did not renew their listings in accordance with PCI SSC requirements, their validations
have expired.
Merchants using an expired P2PE solution should check with their acquirer or individual payment
Participation Opportunities
We will gather virtually to hear important Council updates, regional insights, and startling industry
reports. Watch our video and see why now, more than ever, we must work together to help secure
payment data.
Read our recent Q&A with Lance Johnson about the Community Meetings on our blog: PCI SSC
Continue to check our event website for the most up-to-date information and details.
With the North America and Europe Community Meetings moving to online events, this year’s
This year the Assessor Sessions are open to All Assessors and will be held the week following the
Community Meeting:
• PCI SSC 2020 North America Assessor Session - 13 October 2020: 10:00-11:30 EDT
• PCI SSC 2020 Europe Assessor Session - 27 October 2020: 10:00-11:30 CEST
The Assessor Sessions are your meetings - you drive the content. This is your last chance to
submit your questions ahead of the scheduled session you plan to attend. This will ensure that we
can answer your questions during the event and address any common themes we may find.
Sponsor and Exhibitor Opportunities are Available for 2020 PCI SSC Events
Looking to gain high-level exposure for your company? Become a sponsor or exhibitor at a 2020
Sign up to exhibit at the 2020 PCI SSC Community Meetings and secure your spot. Email us or
visit our website to learn about available sponsorship opportunities for 2020:
Take advantage of these unique opportunities to position your company as a leader in the payment
PCI Security Standards Council (PCI SSC) is pleased to announce that it has extended its
monthly, award-winning Women in Payments blog series through 2021. The original 12-part blog
series, Closing the Gender Gap in Payment Security, which debuted earlier this year, highlights a
professional, senior-level, female in the payments industry who represents PCI’s Board of Advisors
and the payment card brands. The series, which earned an “Award of Distinction” in the category
of ‘Web Based Production: Video Series’ at the 2020 Videographer Awards, aims to call attention
In 2021, the blog series will expand to include all senior-level women who are active participants,
Thank you to all who submitted proposals for the 2021 SIG project. The PCI SSC has begun
reviewing and consolidating the list of 2021 proposals to ensure projects are aligned with current
PCI SSC priorities and stakeholder needs, and are not already being addressed in other forums.
They will be listed on the website by this November, and PCI SSC Participating Organizations will
have the opportunity to vote on 2021 SIG proposals via the portal from Monday, 9 November to
Monday, 30 November. Results of the election will be shared in December 2020. Once
announcements are made, PCI SSC will work with those selected to create charters prior to the
Training
Registration is Open for Online, Instructor-led SSF Training Classes
Software Security Framework Assessors (SSF Assessors) are independent security organizations
that are qualified by PCI SSC to perform assessments to the Secure Software Standard, the
SSF Assessor Company qualification is open to any company that meets the Software Security
join the first PCI SSC program of this kind, which includes a new methodology for validating
software security and a separate secure software lifecycle qualification for vendors with robust
Eligible organizations can apply now to become SSF Assessor Companies by visiting the Secure
SLC Assessor or Secure Software Assessor pages on the PCI SSC website and following the
Informational training is for individuals who would like to increase their knowledge but do not
necessarily need to achieve qualification. This training is a great fit for any individual who may want
to understand what the standard and program entail, what to expect from an assessment, but who
Prepare your employees and your company to protect payment data. Plan now to register for an
eLearning Internal Security Assessor (ISA) training class with an online exam.
Romana Sturdikova.
Registration information can be found here or for more information about enrolling, please contact
us at: administration@pcisecuritystandards.org.
*Please note, the exam for the 15 October class delivered in Japanese will require participants to
As a reminder, the following classes are scheduled for the remainder of the year via remote
instructor-led training:
• QSA Last chance: register now for class on 15 October (in Japanese)!
• Secure Software Lifecycle Assessor Registration now open for 12 November class!
Please check the eLearning page often as training classes are added here.
Get your team trained online in 2020! We are pleased to offer many of our PCI training programs
via eLearning with remote exam for organizations wishing to train their teams remotely. Corporate
PCI Security Standards Council, LLC 401 Edgewater Place Suite 600 Wakefield, MA 01880