Version 3.0 of the Payment Card Industry Data Security Standard (PCI-DSS) has been released by the PCI Security Standards Council. The security requirements are intended to strengthen the security of cardholder data and encourage the adoption of uniform data security standards within the payment card industry. PCI-DSS applies to all entities that are involved in payment card processing. This includes merchants, processors, acquirers, issuers and service providers as well as entities that store, process and transmit cardholder data.

Version 3.0 contains new technical requirements that businesses within the payment card industry should comply with. Version 3.0 goes into effect on January 1. However, companies have until December 31 to make the transition from Version 2.0 to Version 3.0. The most notable change is that 3.0 takes a more holistic approach toward data security and encourages the integration of this security into standard business protocols.

This article will examine the new technical data security requirements of Version 3.0., including the 12 requirements of PCI-DSS compliance, the technical differences between versions and 3.0’s integration of data security into standard business protocol. Finally, it will examine an area in which 3.0 could be updated in the future.

Requirements of PCI-DSS

PCI-DSS contains 12 principles that companies should follow in ensuring the security of cardholder data. These principles are:

  • Install and maintain a firewall to protect cardholder data
  • Do not use vendor-supplied passwords
  • Protect cardholder data
  • Encrypt cardholder data that is transmitted across public networks
  • Ensure that systems are protected against malware and viruses
  • Maintain secure systems and applications
  • Restrict those who can access cardholder data
  • Authenticate those who access system components
  • Restrict physical access to data
  • Monitor access to network resources
  • Test security systems and processes
  • Maintain a policy that addresses information security

These 12 requirements should be considered a minimum baseline standard that a company should follow. Noncompliance could lead to fines by the payment card brands in the event of a data breach. In addition, noncompliance could lead to class-action data security suits. Even though compliance with PCI-DSS is important, there have been instances in which a company that is PCI-DSS-compliant has been subject to a data breach. In other words, compliance with the standards is not an absolute guarantee of security.  

Version 3.0 New Technical Requirements

While PCI-DSS contains general principles that companies handling payment card data should follow, the sub-requirements for each section are particularly detailed. Version 3.0 imposes a number of new technical requirements that were not included in 2.0. These technical requirements are broad-ranging and include recommendations for strengthening password security, limitations on physical access, implementing a methodology for penetration testing and informing cardholders regarding the entity's responsibility for the security of payment card data.

  • Requirement 5.1.2 requires periodic evaluations of those systems that are not typically impacted by malicious software to determine whether those systems still do not need antivirus software.
  • Requirement 8.2.3 requires that passwords meet a minimum length of seven characters and contain numeric and alphabet characters.
  • Requirement 8.5.1 states that a service provider that has remote access to a customer's premises must utilize a unique authentication credential for each customer. This helps to mitigate any security compromise that might arise to multiple customers as a result of a hacker obtaining security information for one customer.  
  • Requirement 8.6 states that there must be the assignment of certain authentication mechanisms. For example, authentication mechanisms like security tokens, smart cards or certificates must be assigned to an individual account rather than shared among multiple accounts.
  • Requirement 9.3 provides that physical access to critical areas should be controlled. Access should be based on an individual’s job function and should be revoked upon termination.
  • Requirement 9.9 is intended to protect devices that capture payment card data from intrusion. Requirement 9.9 recommends testing procedures to ensure that devices are periodically inspected for tampering and intrusion.
  • Requirements 11.3 and 11.4 provide for the implementation of a methodology for penetration assessment. The assessment should be based on industry-accepted penetration-testing approaches and should include coverage for all critical systems. All traffic should be monitored at the perimeter of cardholder data and at critical points within the data environment. A proactive approach to unauthorized activity detection is necessary to ensure that attacks do not go undetected.
  • Finally, Requirement 12.9 provides that service providers should acknowledge in writing to customers that they are responsible for the security of cardholder data held by the provider.

Improving Business-as-Usual Practices

While Version 3.0 imposes new technical requirements, the biggest changes aim to make PCI-DSS compliance part of a company's business-as-usual practice. To accomplish this objective, 3.0 recommends taking several different steps to incorporate security into business practices.

First, 3.0 recommends ensuring that failures in security are remediated as soon as possible. Responding to a security failure would include identifying the cause of the failure, addressing any security issues that arose during the failure, implementing practices to prevent the failure from occurring in the future and providing enhanced monitoring.

Second, 3.0 recommends reviewing the impact of a new change on the security environment. For example, if a new system is implemented or if there is a change in network configurations, then it is important to determine the impact of this change on the entity's PCI-DSS compliance.

Third, any changes to an entity's organizational structure—such as a merger, for example—should result in a review of the impact of this change on PCI-DSS compliance.

Fourth, a company should periodically conduct assessments to ensure that the company continues to comply with PCI-DSS requirements and that personnel are following appropriate security protocols.

Finally, a company should review its hardware and software technology on an annual basis to verify that these technologies are supported by the entity's vendor and continue to meet PCI-DSS security requirements.


Version 3.0 takes a more holistic approach towards payment card security compared to Version 2.0. Companies that handle payment card data would do well to examine the new requirements and transition to these new requirements in a seamless manner. The likelihood is that a number of these requirements are already utilized by companies processing payment card information. To the extent that a company processing payment card information is not following Version 3.0, the entity should work to become compliant as soon as possible in order to deter possible future cyber-attacks. While Version 3.0 endeavors to take a more comprehensive approach to payment card security, there are potential gaps in 3.0 that will need to be addressed by the PCI Security Standards Council in the future. Cyber criminals are targeting mobile devices in an attempt to gain sensitive financial information, and Version 3.0 leaves a gap as to their security. Companies endeavoring to secure sensitive financial information should work to protect the security of this information when it is transmitted on mobile devices.

Written By

Rebecca Shwayri


If you want to comment on this post, you need to login.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Get more News »

Find a KnowledgeNet Chapter Near You

Network and talk privacy at IAPP KnowledgeNet meetings, taking place worldwide.

Women Leading Privacy

Events, volunteer opportunities and more designed to help you give and get career support and expand your network.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

The Training Post—Can’t-Miss Training Updates

Subscribe now to get the latest alerts on training opportunities around the world.

New Web Conferences Added!

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Staff

Get your team up to speed on privacy by bringing IAPP training to your organization.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.

Learn more about IAPP certification »

Get Close-up

Looking for tools and info on a hot topic? Our close-up pages organize it for you in one easy-to-find place.

Where's Your DPA?

Our interactive DPA locator helps you find data protection authorities and summary of law by country.

IAPP Westin Research Center

See the latest original research from the IAPP Westin fellows.

Looking for Certification Study Resources?

Find out what you need to prepare for your exams

More Resources »

GDPR Comprehensive: Spots Going Fast

With the top minds in the field leading this exceptional program, it's no wonder it's filling quickly. Register now to secure your spot.

Be Part of Something Big: Join the Summit

Registration is open for the Global Privacy Summit 2016. Discounted early bird rates available for a short time, register today!

Data Protection Intensive Returns to London

Registration is now open for the IAPP Europe Data Protection Intensive in London. Check out the program!

P.S.R. Call for Speakers Open!

P.S.R. is THE privacy + cloud security event of the year, and you can take a leading role. Propose a session for this year's program.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

Exhibit at an Event

Put your brand in front of the largest gatherings of privacy pros in the world. Learn more.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»