Frequently Asked Question

How do the requirements in PCI DSS version 3 that are "best practices" until June 30th 2015 impact my PCI DSS assessment?

In PCI DSS version 3, Requirements 6.5.10, 8.5.1, 9.9, 11.3, and 12.9 are considered ?best practices? until June 30th, 2015, after which they become requirements.  This is intended to give organizations additional time to implement these new requirements without falling out of compliance. 

In 2014, organizations that have not yet implemented these future-dated requirements may validate to either version 2 or version 3 of PCI DSS.  Organizations that have implemented these requirements would validate them as part of a version 3 assessment.  Both the ROC Reporting Template and Self-assessment Questionnaire (SAQ) for PCI DSS version 3 include options for reporting whether a future-dated requirement has been included in the assessment.

It is strongly recommended that organizations start implementing these new requirements as soon as possible. However, they are not required to be in place until July 1st, 2015.

It should also be noted that organizations working to implement the updated penetration testing requirements (Requirement 11.3) in version 3 will still need to meet the version 2 penetration testing requirements until version 3 is in place.
Originally published: December 2013
Article Number: 1270

Featured FAQ Articles