What’s Different in PCI Version 3.0?

As of January 1, 2015, PCI DSS Version 2.0 (PCIv2) will no longer be an accepted standard. If you are a merchant who deals with credit cards, becoming familiar with version 3.0 of the Payment Card Industry Data Security Standard (PCIv3) should be a priority.

PCI Version 3.0 aims to better confront the challenges of protecting credit card data.

So what should the average merchant know about the changes in PCI version 3.0? What are the differences between version 2.0 and 3.0 that are most likely to affect you?

1) In Version 3.0 the SAQ documents have changed.

Your business may have qualified to use one SAQ document in version 2.0, but the appropriate SAQ category may be different as of version 3.0.

How do I know which version 3.0 SAQ document to fill out?  Please see our guide that assists merchants with choosing the correct PCI 3.0 SAQ document.

2) Penetration testing requirements have been updated.

Penetration testing may be the least complied-with element of the PCI DSS.  Even among businesses that claim to be having penetration testing done, many aren’t doing it the right way.  In PCIv3 penetration testing is highlighted and the requirements for penetration testing are more rigorous.

Penetration testing is found in section 11.3, so merchants should check if the new SAQ category that they fall into contains section 11.3.

For more details about complying with the penetration testing requirements, see our PCI DSS v3 penetration testing guide.

3) Merchants should document what elements of the PCI DSS are handled by service providers.

Most businesses work with service providers.  Some examples of service providers are web hosting companies and managed service providers who handle a company’s firewalls and IDS.  A merchant needs to confirm that service providers are also complying with the PCI DSS.  New in PCI version 3.0, merchants need to document which PCI DSS requirements are the responsibility of the merchant and which are the responsibility of the service provider.

4) Physical security requirements have been updated.

Section 9 of PCIv3 includes information about restricting access to sensitive areas and gives attention to POS terminals.  Point-of-sale terminals need to be inspected periodically and employees need to be trained to spot signs of tampering.  Merchants are encouraged to review this section carefully.

5) Merchants need to maintain an inventory of system components that are in scope for PCI DSS.

A list of all hardware and software components within the cardholder data environment should be maintained and needs to include a description of function or use for each item.

Various other changes:

| PCI Item | Explanation of Changes |
| --- | --- |
| Overall Compliance Cycle | PCI DSS is no longer a once-a-year auditing activity but needs to be a continuous day-to-day practice. |
| Requirement 2.4 | Maintain an inventory of system components in scope for PCI DSS. |
| Requirement 5.1.2 | For systems not commonly affected by malware, evaluate them for malware threats. |
| Requirement 5.3 | Evaluate that anti-virus solutions are actively running (formerly in 5.2), and cannot be disabled or altered. |
| Requirement 6.5.10 | Assess coding practices to protect against broken authentication and session management. |
| Requirement 8.2.3 | Deeper assessment for managing password strength and complexity. |
| Requirement 9.9 | Protect devices that capture payment card data from tampering and substitution. |
| Requirement 10.2.5 | Audit use of and changes to identification and authentication mechanisms. |
| Requirement 10.2.6 | Assess/restrict stopping or pausing of the audit logs. |
| Requirement 11.1.x | Create inventory of authorized wireless access points and scan for unauthorized wireless devices. |
| Requirement 11.3 | Implement a methodology for penetration testing. |
| Requirement 12.8.5 | Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity. |