PCI 3.0 Is Coming - Are You Ready?

Every 3 years the Payment Card Industry Data Security Standard (PCI) is updated to a new version. The time for the next release is right around the corner.

Version 2.0 will be replaced by PCI 3.0 in just a few weeks, and the question you need to ask yourself is:

Are you prepared for PCI 3.0?

Starting on January 1, 2014, you will be able to apply the new standard to your business and comply with everything it contains. If there are elements of PCI 3.0 that you cannot yet meet, all hope is not lost: you can continue to validate your compliance against version 2.0 of the PCI Standard for all of 2014 if you so choose.

In other words, next year you can pick to comply with either PCI 2.0 or PCI 3.0.

When the standard is released it is understood that you might have to change your operations in order to meet the new version, so you are given a year to make those adjustments.

But wait, there's more!

There is more good news if you want to look at the new standard.

From the merchant's perspective, the new standard (at least the draft version we were able to preview before the official release) does not look significantly different from the previous one. More information is required in the network diagram, and the penetration testing requirement comes with more guidance, but there are few substantive changes.

On the other hand, service providers (those who can affect a merchant's security, such as a POS provider or a web hosting provider) will need to provide more information to the merchants who are working on PCI compliance under PCI 3.0.

The standard expects more due diligence focused on how a service provider affects the security of the merchant who is taking credit cards. This is probably the greatest difference between 2.0 and PCI 3.0, and it will be interesting to see how this plays out in the future.

It is important to remember that PCI is the minimum level of security a merchant should put in place so that their customers' credit cards are protected. Security should be viewed like any other company policy: you always need to run your business in a certain manner, not just during your validation efforts.

If you integrate security into your regular business practices first, then you will find that PCI will naturally follow.
