Can I combine sections from PCI DSS version 2.0 and 3.0?
When validating compliance, either through a Report on Compliance (ROC) or a self-assessment questionnaire (SAQ), requirements should not be "combined" from the two versions of the standard; validation will be to either version 2.0 or version 3.0 in its entirety.
It is understood that organizations may need time to complete their transition from PCI DSS version 2.0 to version 3.0, and that during the transition their environment may reflect aspects of both versions of the standard. However, when it comes to reporting and validating compliance, only one version can be used.
To ensure everyone has enough time to transition without falling out of compliance, entities may choose to validate to either version 2.0 or version 3.0 until December 31st, 2014. After this date, all compliance validations must be to version 3.0. As always, entities with specific questions about how to report their compliance validation should consult with their acquirer (merchant bank) or payment brand, as applicable.