Essential Guide


PCI 3.0 special report: Reviewing the state of payment card compliance

Learn about the critical changes in PCI DSS 3.0, the history of the PCI Data Security Standard, and what the future may hold for payment card industry compliance.


It's been three years in the making. The third iteration of the Payment Card Industry Data Security Standard, arguably enterprise information security's most important and successful mandate, updates the rules merchants must follow to protect customer payment card data.


PCI DSS 3.0 raises the bar for vulnerability assessments, password management and provider compliance. Which changes will have the greatest effect on the PCI compliance process? Does PCI 3.0 go too far, or not far enough? How should enterprises prepare for PCI 3.0 assessments in 2015? We tackle those questions and more in this exclusive SearchSecurity special report.

News & Analysis

PCI Data Security Standard 3.0

PCI 3.0 is here. Read our news coverage detailing the changes and get expert analysis on what they mean for payment card compliance.


PCI 3.0: New requirements cover pen testing, service providers

Version 3.0 of the Payment Card Industry Data Security Standard has few surprises, but a host of new requirements and challenges for merchants.


PCI DSS version 3.0 analysis: The five most important changes

PCI DSS version 3.0 isn't a wholesale revision, but longtime PCI expert Ed Moyle says merchants' transitions must start now to avoid problems later.


PCI QSA analysis: PCI DSS 3.0 is a step forward

A veteran Qualified Security Assessor believes PCI DSS 3.0 will help both QSAs and enterprises, but says further clarifications are needed to avoid PCI assessment disputes.


PCI DSS review: Assessing the PCI standard nine years later

As the industry preps for PCI DSS 3.0, compliance expert Mike Chapple reviews PCI's successes and failures. Has it made card data more secure?


Early look at PCI 3.0 emphasizes vulnerability assessments, passwords and payment data flow

The proposed PCI DSS 3.0 standard would emphasize in-house vulnerability assessments, add password flexibility and highlight provider compliance.


2013 PCI Community Meeting highlights: Point-of-sale security, PCI 3.0, and more

PCI Community Meeting attendees this week discussed POS security and EMV issues; officials say feedback will influence more changes in the final PCI DSS 3.0.



PCI DSS 3.0 is the third major iteration of the Payment Card Industry Data Security Standard, a set of policies and procedures administered by the Payment Card Industry Security Standards Council (PCI SSC) to ensure the security of electronic payment data and sensitive authentication data.


PCI SSC leaders answer questions on PCI 3.0

Listen to an exclusive interview with the top executives of the PCI Security Standards Council.


Podcast: The SSC's Russo and Leach discuss the final version of PCI 3.0

PCI SSC General Manager Bob Russo and CTO Troy Leach discuss the final version of PCI DSS 3.0, explain why certain changes were made, and foreshadow what's next for the Security Standards Council.


PCI DSS: A history in pictures

SearchSecurity is pleased to present an original visual timeline detailing the history of the PCI DSS, listing dates, events and people that have been crucial in the creation and evolution of the payment card industry compliance mandate.


Visual timeline: The history of PCI DSS

The origins of the PCI Data Security Standard date to the late 1990s. Explore key events in the history of PCI DSS, from Y2K to PCI DSS 3.0.


Bonus content: Events in PCI DSS history

As a supplement to our "Visual timeline: The history of PCI DSS," review these historical articles detailing notable events that shaped the creation and development of the Payment Card Industry Data Security Standard.


Lack of guideline uniformity puts Visa merchants in quandary

Compliance with Visa's 2001 mandate may be hard because of a lack of uniformity between Visa's North American and International divisions' guidelines.


Swiping back: Praise for PCI Data Security Standard

PCI is winning praise from security experts for providing specific requirements on encrypting data, implementing access controls and configuring firewalls.


New PCI Council details changes to Data Security Standard

Version 1.1 clarifies existing requirements, as well as adds some requirements, but contrary to speculation over the past few months, it does not relax or water down security requirements for merchants and vendors.


TJX breach worse than originally feared

Customers who used their cards at the company's stores between January 2003 and June 2004 were discovered to be at risk.


PCI DSS assessors see lessons in TJX data breach

According to several PCI auditors, companies should study the TJX security breach for clear lessons on what not to do with customer data.


First Data CISO calls for PCI DSS changes

Phil Mellinger, who developed the precursor to the current PCI DSS rules, is calling for an overhaul to eliminate subjectivity.


PCI DSS: The bar should not be lowered

PCI SSC general manager Bob Russo says the baseline principle of protecting customer data will not be advanced by a loosening of PCI DSS requirements.


PCI Council adds new standard for payment applications

The new Payment Application Data Security Standard, or PA-DSS, is based on Visa's Payment Application Best Practices, or PABP.


In FTC settlement, TJX agrees to 20 years of audits

TJX agreed to implement tighter security and allow its data to be audited to settle charges that its poor security led to the massive data security breach.


PCI SSC launches assessor quality assurance program

The program will involve staff members who will be dedicated to quality assurance, and will evaluate feedback from merchants on assessors.


Expert predicts PCI DSS problems for retailers

An expert says it could cost millions of dollars for retailers to rip and replace outdated systems and devices still using Wired Equivalent Privacy, or WEP, to secure 802.11 Wi-Fi networks.


Heartland breach highlights PCI DSS limitations

Eric Ogren says the standard is often overkill for enterprises and the prescriptive nature of PCI inhibits innovation in such areas as virtualization and cloud computing.


TJX, Heartland hacker sentenced to 20 years in prison

A federal judge sentenced Albert Gonzalez to 20 years in prison for his involvement in a series of massive data security breaches at Heartland Payment Systems and other companies.


PCI DSS 2.0 addresses secure coding, key management

Minor changes will be the rule for the 2.0 iteration of PCI DSS, including clarifications on secure coding and key management and a change that recommends merchants use data discovery tools to find cardholder data before a PCI assessment.


PCI DSS risk assessment methodology unique to each company

According to a new report by the PCI SSC, organizations need to create a risk assessment methodology that works for their specific business environment.

Ask the Experts

Your questions answered

SearchSecurity experts Mike Chapple (enterprise compliance, standards and frameworks) and Joseph Granneman (security management) are standing by to answer your questions about PCI DSS compliance.
