What should I do about the impending release of PCI DSS v3?

The existing version 2 of the Payment Card Industry Data Security Standard (PCI DSS) is to be replaced in November 2013 by version 3, as part of the standard's three-year life cycle. A question we are regularly asked is "what should I do about v3 being released?" The answer is quite straightforward: as an organisation that processes payment cards, either as a merchant or as a service provider, you need to be compliant now. You should not wait for the new version, but proceed with gaining and demonstrating compliance against the currently valid version of the standard.

Although the PCI Security Standards Council (SSC) is releasing version 3 in November 2013, version 2 is not being withdrawn until 1st January 2015. This allows a 14-month period during which you can either continue to demonstrate compliance against version 2 or move to the new version and demonstrate compliance against that.

The best strategy for an organisation is to continue with compliance against version 2 and move to version 3 at some point during the 14-month overlap, once the body of knowledge about the changes has matured and tools have been developed to support the new version.

IT Governance Ltd, as a PCI QSA company, can support your compliance activities against the current version and advise on the impact version 3 may have on your organisation. Once version 3 of the standard has been formally launched, we will be able to help any organisation with compliance activities against version 3.

We will be posting our views on the proposed changes in the lead-up to the release of version 3 of the PCI DSS.

Henk Crous, 26th September 2013