The PCI Security Standards Council announced today that PCI DSS 2.0 is now effective. What does this mean for you as a company that must comply with PCI DSS?


First, don’t panic. PCI DSS v1.2.1 is still valid until the end of 2011. If you are working on project plans to finalize compliance against this version, continue to do so, and start working on your PCI 2.0 plans. Your acquirer can provide specific guidance on exactly when you need to send them a validated 2.0 Report on Compliance.

Next, you should have a gap analysis done against the new standard—sooner rather than later (I happen to know a team of folks that would be GREAT at this….). While there are not any major new requirements, QSAs have to validate more documentation and will be asking you more questions this time around. If you are to be successful validating against version 2.0 later this year, you should know where you stand today and spend the next several months addressing your gaps.

Finally, take the time this year to follow behind your QSA. Don’t expect him to find all of your gaps, and be sure you are actually complying with the standard, not letting a QSA decide your company’s fate.

Welcome to 2011 folks!

This post originally appeared on
