Request for Comments: PCI DSS v4.0 Draft Validation Documents

From 28 June to 28 July, PCI SSC stakeholders can participate in a Request for Comments (RFC) on a draft of the PCI DSS v4.0 draft validation documents. As indicated in a recent post on the PCI DSS v4.0 timeline, this RFC was added as a unique opportunity for the industry to provide feedback on drafts of the v4.0 Report on Compliance (ROC) Template and the ROC Attestations of Compliance (AOC). This RFC also introduces a new approach to merchant self-assessments, called Merchant Assessment Forms (MAFs), intended to replace Self-Assessment Questionnaires.

Additional material, including the Read-Me-First Instructions, has been included with the RFC materials to help with review of the validation documents. We ask RFC participants to review the Read Me First document before the other RFC documents for key information about:

• Downloading the RFC materials,
• Suggestions for how to provide effective feedback,
• Extra material intended to facilitate review of the RFC documents,
• Overview and Things to Consider information for each RFC document,
• Answers to anticipated Frequently Asked Questions

Also on the blog: What to Know Before Participating in a PCI SSC RFC

PCI SSC will review and consider every piece of feedback. Upon completion of the feedback review and subsequent updates to the documents, a summary of feedback will be prepared for RFC participants that will include all RFC comments, each organization’s name, and how PCI SSC actioned each feedback. Please review the RFC Process Guide and our resource guide: What to Know Before Participating in a PCI SSC RFC for more information.