Blog Details

Commonly Asked Questions About PCI DSS 3.0

Get the facts before the 2015 deadline. (originally posted on –

 The newest Payment Card Industry Data Security Standard (PCI DSS) officially goes into effect on January 1, 2015. With the introduction of PCI DSS version 3.0, many merchants want to know how it will affect their business. Here are answers to a few commonly asked questions.

1. Why is there a new standard?

As always, new security guidance addresses the latest vulnerabilities affecting today’s merchants and also includes additional clarification. Three main reasons contributed to this updated security standard:

  • Increased clarification: The new standard helps merchants more accurately comply with the PCI DSS by clarifying some of the previously unspecific requirements.
  • Additional guidance: New guidance sections provide layman’s explanations of why standards are important and how noncompliance may put your business at increased risk.
  • Evolving requirements: As technology, threats, and security risks change, the PCI DSS must adapt to the changing environment. PCI DSS 3.0 has evolved to not only address emerging threats, but also new technology like EMV, P2PE, and mobile payments.


2. Who does this affect?

The transition from PCI 2.0 to PCI 3.0 will affect everyone governed by PCI. If you store, process, or transmit payment card information, this change affects you.

3. When is the PCI DSS 3.0 deadline?

January 1, 2014 was PCI 3.0’s effective date. However, PCI DSS 2.0 compliant merchants have until January 1, 2015 to transition to the new standard. Some changes will continue to be best practices until June 1, 2015 (see question 8).

This means merchants do not need to revalidate until their compliance expires. For example, if your annual validation occurs in November 2014, you technically don’t need to validate compliance to 3.0 until November 2015. However, you are required to be compliant with the new standard starting January 1, 2015.

4. What does PCI DSS 3.0 mean for my business?

If you follow PCI 3.0 requirements, you will eliminate the majority of your business risk to compromise. PCI DSS 3.0 focuses on detecting, rather than reacting to, security vulnerabilities. But the standard only works if merchants comply. The best thing merchants can do now is review their compliance status. If you have a passing grade, great! Now it’s time to review PCI 3.0 requirements to make sure you will be in compliance once January 1, 2015 hits. If you have a failing grade, PCI 3.0 is a great time to reevaluate your security and begin securing your business.

5. What will happen on January 1, 2015?

If you haven’t complied with PCI 3.0 by January 1, 2015, you will technically be in violation of PCI DSS. If you are compromised, you may face heavy fines due to your noncompliance.

6. What is the biggest change for ecommerce merchants?

If you are an ecommerce merchant, the biggest change for you will be the new SAQ A-EP. Originally, ecommerce merchants were validated using SAQ A but many of those merchants must now move to a SAQ A-EP, which includes more requirements. Learn which ecommerce methods qualify for SAQ A-EP.

7. What new documentation does PCI DSS 3.0 require?

Documentation is a key theme of PCI 3.0. For example:

  • 1.1.3 requires a cardholder data flow diagram that shows how cardholder data enters your network.
  • 2.4 involves the creation of an inventory list of all your in-scope device types and their function (e.g., POS systems, computers).
  • 9.9.1 requires an up-to-date list of all devices, including physical location, serial numbers and make/model.
  • 11.1.1 involves maintaining a complete list of authorized wireless access points and the justification for each.
  • 12.8.5 requires a list of all third party service providers in use, a list of all PCI requirements the service providers meet, and a list of PCI requirements the merchant is required to meet

8. What are the new ‘best practice’ requirements?

The PCI Council knows some requirements will take more time for merchants to apply. There are six requirements considered ‘best practice’ until they are officially required on June 2015. They are:

  • 6.5.6: Insecure handling of PAN and SAD in memory
  • 6.5.11: Broken authentication and session management
  • 8.5.1: Unique authentication credentials for service providers with access to customer environments
  • 9.9: Protecting of point-of-sale devices from tampering
  • 11.3: Developing and implementing a methodology for penetration testing
  • 12.9: Additional requirement for service providers on data security

9. How can I ensure compliance with PCI DSS 3.0?

The only way to ensure lasting compliance with the PCI DSS 3.0 is to make data security part of your company culture. According to Bob Russo, GM of the PCI Security Standards Council, PCI 3.0 is “about making PCI compliance part of your business, not a once-a-year, study-for-the-test kind of thing.” The new standard helps you implement security controls without disrupting your day-to-day processes—allowing you to focus on your business while maintaining appropriate data protection.