Before introducing revisions to PCI DSS and PA-DSS, the Council must weigh many considerations:
- What will improve payment security?
- Global applicability and local market concerns
- Appropriate sunset dates for other standards or requirements
- Cost/benefit of changes to infrastructure
- Cumulative impact of any changes
Based on feedback from the industry, in 2010 the Council moved from a two-year to a three-year
standards development lifecycle. The additional year provides a longer period to gather feedback and
more time for organizations to implement changes before a new version is released. Version 3.0 will
introduce more changes than Version 2.0. The core 12 security areas remain the same, but the updates
will include several new sub-requirements that did not exist previously. Recognizing that additional time
may be necessary to implement some of these sub-requirements, the Council will introduce future
implementation dates accordingly. This means that until 1 July 2015, some of these sub-requirements will be
best practices only, to allow organizations more flexibility in planning for and adapting to these changes.
Additionally, while entities are encouraged to begin implementation of the new version of the Standards
as soon as possible, to ensure adequate time for the transition, Version 2.0 will remain active until 31