Merchants and service providers must comply with PCI DSS v3 before their next re-certification

With the lifecycle for PCI DSS v3 moving into its second year, the PCI SSC starting to collect feedback on the implementation of version 3, and the looming retirement of v2 on 31 December 2014, the only way for merchants and service providers to achieve compliance will be to meet the requirements of version 3.

It is important for organisations that need to comply to be aware of the differences between PCI DSS version 2 and version 3 so they can identify changes to their controls. For those who have not started to work towards version 3 certification, it is important to start before their re-certification is due. Failure to pass the audit will move them into remediation, and they can incur monthly fines while they implement the necessary controls.

Visa Inc. introduces an enhanced PCI DSS enforcement plan

For merchants and service providers that handle Visa cards, there is additional pressure to achieve compliance to the Standard: Visa Inc. introduced an enhanced PCI DSS enforcement plan with an announcement on 21 October 2014. While this announcement does not apply to Visa Europe, it can be expected that Visa Europe will want to see compliance rates improve as they have with the other payment brands.

Security will help you achieve compliance, but compliance does not mean security

The PCI SSC emphasised at its community meeting that you can achieve compliance through security, but compliance does not mean security. It is important for merchants and service providers to implement the PCI controls as part of business as usual; this is something that the PCI SSC strongly recommends.

The importance of seeking the help of a QSAC

For level 2 merchants and service providers who aspire to grow and achieve the status of level 1, it is important to engage with a Qualified Security Assessor Company (QSAC). This will ensure that they have confidence in their controls by the time they reach the volume of transactions that will move them across the boundary, and meet the requirements of a QSA audit. They will then have built up the necessary evidence to show that the controls have been implemented correctly and operate as desired. 

Next steps

As we move towards the end of 2014, it is essential that organisations that need to comply with PCI DSS v3 start the process immediately.

You can talk to IT Governance, an approved QSA company that takes a pragmatic approach to compliance. It offers the full range of services that clients may require and is independent from acquirers and payment brands, meaning that its focus is on ensuring the client is operating securely and not just safeguarding the acquiring bank or payment.

We also offer a PCI v3 Transition Consultancy service.

For more information call IT Governance on +44 (0)845 070 1750 or email