Frequently Asked Questions

< Back to search page

I’m in the middle of a PCI DSS assessment when a new version is released – should I start again using the new version?

FAQ Response

Organizations that have already begun their PCI DSS validation when a new version is released can complete their assessment and validation process to the previous version prior to its retirement. Once the previous version has been retired, all validation efforts must be to the most current PCI DSS version.

As clarifications and additional guidance provided in updated PCI DSS versions may facilitate the implementation of requirements and address current threats, organizations are strongly encouraged to complete their transition to the most current PCI DSS version as early as possible.

May 2015
Article Number 1266

Related Articles

What are acceptable formats for truncation of primary account numbers?

How does encrypted cardholder data impact PCI DSS scope for third-party service providers?

Does a QSA need to be onsite at the client’s premises for all aspects of a PCI DSS assessment?

If a merchant develops an application that runs on a consumer’s device (e.g. smartphone, tablet, or laptop) that is used to accept payment card data, what are the merchant’s obligations regarding PCI DSS and PA-DSS for that application?

How does encrypted cardholder data impact PCI DSS scope?