Frequently Asked Question
When should an entity implement PCI DSS requirements noted as best practices until a future date?
Updates to PCI DSS are intended to address evolving threats in the payments ecosystem, therefore, entities are strongly encouraged to complete their transition to the most current PCI DSS version, including the adoption of new requirements, as early as possible.
Future-dated requirements that have not yet been implemented by the entity may be marked as “Not Applicable” in any Report on Compliance (ROC) or Self-Assessment Questionnaire (SAQ) completed prior to the requirement’s effective date. However, commencing on the new requirements’ effective date, all requirements applicable to an entity's assessment, including the newly effective requirements, must be fully considered as part of the entity's PCI DSS assessment.
Note that questions about compliance programs and reporting requirements, including whether there are any specific reporting requirements for new requirements, should be directed to compliance-accepting entities, which are the entities to which those assessment results (for example, a Report on Compliance) are submitted. The compliance-accepting entity is typically a payment brand or acquirer.
Contact details for the payment brands can be found in FAQ #1142: How do I contact the payment card brands?
Also refer to the following FAQs:
- FAQ 1485: What is the meaning of ‘initial PCI DSS assessment’?
- FAQ 1266: If an entity is in the middle of a PCI DSS assessment when a new version of the standard is released-should the assessment be started again using the new version?
- FAQ 1564: How does an entity report the results of a PCI DSS assessment for new requirements that are noted in PCI DSS as best practices until a future date?
- FAQ 1573: Do PCI DSS requirements for keyed cryptographic hashing apply to previously hashed PANs?