Frequently Asked Questions

< Back to search page

I’m in the middle of a PCI DSS assessment when a new version is released – should I start again using the new version?

FAQ Response

Organizations that have already begun their PCI DSS validation when a new version is released can complete their assessment and validation process to the previous version prior to its retirement. Once the previous version has been retired, all validation efforts must be to the most current PCI DSS version.

As clarifications and additional guidance provided in updated PCI DSS versions may facilitate the implementation of requirements and address current threats, organizations are strongly encouraged to complete their transition to the most current PCI DSS version as early as possible.

May 2015
Article Number 1266

Related Articles

Does a QSA need to be onsite at the client’s premises for all aspects of a PCI DSS assessment?

If a merchant develops an application that runs on a consumer’s device (e.g. smartphone, tablet, or laptop) that is used to accept payment card data, what are the merchant’s obligations regarding PCI DSS and PA-DSS for that application?

What are acceptable formats for truncation of primary account numbers?

What is the role of acquirers and assessors in determining the applicability of PCI DSS requirements for a merchant’s PCI DSS assessment?

Can SAQ eligibility criteria be used for determining applicability of PCI DSS requirements for onsite assessments?