Get the facts and get compliant.

By: Chase Palmer
The newest Payment Card Industry Data Security Standard (PCI DSS) officially went into effect on January 1, 2015. [PCI DSS Version 3.0 was retired on 30 June 2015. Check out PCI 3.1] With the introduction of PCI DSS version 3.0, many merchants want to know how it will affect their business. Here are answers to a few commonly asked questions.


1. Why is there a new standard?

As always, new security guidance addresses the latest vulnerabilities affecting today’s merchants and also includes additional clarification. Three main reasons contributed to this updated security standard:
  • Increased clarification: The new standard helps merchants more accurately comply with the PCI DSS by clarifying some of the previously unspecific requirements.
  • Additional guidance: New guidance sections provide layman’s explanations of why standards are important and how noncompliance may put your business at increased risk.
  • Evolving requirements: As technology, threats, and security risks change, the PCI DSS must adapt to the changing environment. PCI DSS 3.0 has evolved to not only address emerging threats, but also new technology like EMV, P2PE, and mobile payments.
SEE ALSO: PCI DSS FAQ

2. Who does this affect?

The transition from PCI 2.0 to PCI 3.0 affects everyone governed by PCI. If you store, process, or transmit payment card information, this change affects you.

3. When is the PCI DSS 3.0 deadline?

January 1, 2015 was PCI 3.0’s due date. However, some changes will continue to be best practices until June 1, 2015 (see question 8).
This means merchants do not need to revalidate until their compliance expires. For example, if your annual validation occurs in November 2014, you technically don’t need to validate compliance to 3.0 until November 2015. However, you are required to be compliant with the new standard starting January 1, 2015.

4. What does PCI DSS 3.0 mean for my business?

If you follow the PCI 3.0 requirements, you will eliminate the majority of your business's risk of compromise. PCI DSS 3.0 focuses on detecting, rather than reacting to, security vulnerabilities. But the standard only works if merchants comply. The best thing merchants can do now is review their compliance status. If you have a passing grade, great! Now it's time to review the PCI 3.0 requirements to make sure you're in compliance. If you have a failing grade, PCI 3.0 is a great time to reevaluate your security and begin securing your business.

5. What happened on January 1, 2015?

If you haven’t complied with PCI 3.0 by January 1, 2015, you will technically be in violation of PCI DSS. If you are compromised, you may face heavy fines due to your noncompliance.

6. What is the biggest change for ecommerce merchants?

If you are an ecommerce merchant, the biggest change for you will be the new SAQ A-EP. Originally, ecommerce merchants were validated using SAQ A, but many of those merchants must now move to SAQ A-EP, which includes more requirements. Learn which ecommerce methods qualify for SAQ A-EP.

7. What new documentation does PCI DSS 3.0 require?

Documentation is a key theme of PCI 3.0. For example:
  • 1.1.3 requires a cardholder data flow diagram that shows how cardholder data enters your network.
  • 2.4 involves the creation of an inventory list of all your in-scope device types and their function (e.g., POS systems, computers).
  • 9.9.1 requires an up-to-date list of all devices, including physical location, serial numbers and make/model.
  • 11.1.1 involves maintaining a complete list of authorized wireless access points and the justification for each.
  • 12.8.5 requires a list of all third-party service providers in use, a list of all PCI requirements the service providers meet, and a list of the PCI requirements the merchant is required to meet.

8. What are the new ‘best practice’ requirements?

The PCI Council knows some requirements will take more time for merchants to apply. There are six requirements considered ‘best practice’ until they become officially required in June 2015. They are:
  • 6.5.6: Insecure handling of PAN and SAD in memory
  • 6.5.11: Broken authentication and session management
  • 8.5.1: Unique authentication credentials for service providers with access to customer environments
  • 9.9: Protection of point-of-sale devices from tampering
  • 11.3: Developing and implementing a methodology for penetration testing
  • 12.9: Additional requirement for service providers on data security

9. How can I ensure compliance with PCI DSS 3.0?

The only way to ensure lasting compliance with the PCI DSS 3.0 is to make data security part of your company culture. According to Bob Russo, GM of the PCI Security Standards Council, PCI 3.0 is “about making PCI compliance part of your business, not a once-a-year, study-for-the-test kind of thing.” The new standard helps you implement security controls without disrupting your day-to-day processes—allowing you to focus on your business while maintaining appropriate data protection.

SEE ALSO: Staying Compliant: Visa’s New Level 4 Requirements

10. What is SecurityMetrics doing to help me with PCI DSS 3.0?

To simplify the transition, SecurityMetrics updated its SAQs, customer interface, and PCI scoping wizard on January 1, 2015. As part of the PCI 3.0 SAQ, select standards are written in easy-to-understand language for the user's convenience. Because PCI 3.0 introduces more SAQs, SecurityMetrics offers combination SAQs when more than one SAQ applies. SecurityMetrics is excited about the new 3.0 changes, but understands this can be a frustrating time for merchants. That's why live 24/7 support is always available to all SecurityMetrics customers.

Need help getting PCI compliant? We can help!

Chase Palmer is the Senior Program Manager and has been working at SecurityMetrics for seven years. He manages the company's largest corporate partners in running mass Level 4 PCI DSS programs worldwide. Chase has a Bachelor's degree in Business Management from Western Governors University. He currently lives in Provo, Utah, and he loves everything about motorcycles.
