Request for Comments

Provide Valuable Feedback

The PCI Security Standards Council (PCI SSC) highly values feedback from the global payment card industry in the development of PCI Security Standards and programs. Dedicated comment periods are one of the several ways that PCI SSC solicits feedback from stakeholders.

The Process

Request for Comments (RFC) periods are avenues for PCI SSC stakeholders to provide feedback on existing and new PCI Security Standards. This feedback plays a critical role in the ongoing maintenance and development of these resources for the payment card industry.

All comments will be available for viewing by those who participated in that RFC. Your comment(s), your organization’s name, and how PCI SSC actioned your feedback comments will be made available in the PCI SSC portal.

PCI SSC has developed detailed and easy-to-understand guidance on its official RFC process. To learn more, please check out the PCI Perspectives Blog, RFC Process Guide, RFC-at-a-Glance infographic and What to Know Before Participating in a PCI SSC RFC resource guide.

Current and Upcoming RFCs

RFC Dates* Open to
RFC Dates* Open to
Draft PCI Secure SLC Standard v2.0 Q4 2024 - Q1 2025 Participating Organizations; PCI Recognized Labs; Qualified Security Assessors; Software Security Framework Assessors (Secure Software & Secure SLC); Card Production Security Assessors; Qualified PIN Assessors.
Draft PCI Secure Software Standard v2.0 Q1 2025 Participating Organizations; PCI Recognized Labs; Qualified Security Assessors; Software Security Framework Assessors (Secure Software & Secure SLC); Card Production Security Assessors; Qualified PIN Assessors.
PCI Key Management Operations (KMO) Security Requirements v1.0 RFC Q1 2025 Participating Organizations; PCI Recognized Labs; Participating PTS Vendors; Qualified Security Assessors; Software Security Framework Assessors (Secure Software & Secure SLC); Card Production Security Assessors; Qualified PIN Assessors.
PCI PTS Hardware Security Module (HSM) v5.0 RFC2 Q2 2025 Participating Organizations; PCI Recognized Labs; Participating PTS Vendors; Qualified Security Assessors; Software Security Framework Assessors (Secure Software & Secure SLC); Card Production Security Assessors; Qualified PIN Assessors.

* Future RFC dates are estimates and subject to change.

For additional information about current RFCs or details about previous RFCs, please use your secure credentials to log into the PCI SSC portal.

Resources

The RFC Process is for all PCI Security Standards—both new standards under development and existing standards subject to revision.

Request for comment (RFC) periods are opportunities for PCI SSC stakeholders to provide feedback on existing and new PCI Security Standards.

When participating in an RFC, follow these steps to ensure your time is spent effectively and to facilitate quality contributions to PCI SSC standards and programs.