PCI DSS 3.0 is the third major iteration of the Payment Card Industry Data Security Standard, a set of policies and procedures administered by the Payment Card Industry Security Standards Council (PCI SSC) to ensure the security of electronic payment data and sensitive authentication data.
Notable new or updated requirements in PCI DSS 3.0 include methodology-based penetration testing to verify that the methods used to segment the merchant cardholder data environment (CDE) from other IT infrastructure are effective; an inventory of all hardware and software components within the cardholder data environment; documentation detailing which requirements are managed by third-party vendors vs. which are managed by the organization itself; antimalware detection and remediation processes for systems considered to be not commonly affected by malicious software; physical access controls for onsite personnel; and methods to protect payment data-capture devices from tampering and substitution.
PCI DSS is updated on a three-year cycle; the previous revision was PCI DSS 2.0, released in 2010. The next major revision to the standard is expected to be released in 2016. The standard, created by the major credit card companies in 2004 to foster widespread adoption of consistent data security practices throughout the payment processing ecosystem, consists of introductory information outlining the purpose and scope of the standard; 12 requirements and their associated sub-requirements; and four appendices outlining additional compliance guidance for various special circumstances.