FAQ #1265 Diff

Can I combine sections from PCI DSS version 2.0 and 3.0?

Earlier Version

No. When validating compliance, either through a Report on Compliance (ROC) or a self-assessment questionnaire (SAQ), requirements should not be "combined" from the two versions of the standard; validation will be to either version 2.0 in its entirety or version 3.0 in its entirety.

It is understood that organizations may need time to complete their transition from PCI DSS version 2.0 to version 3.0, and that during the transition their environment may reflect aspects of both versions of the standard. However, when it comes to reporting and validating compliance, only one version can be used.

To ensure everyone has enough time to transition without falling out of compliance, entities may choose to validate to either version 2.0 or version 3.0 until December 31st, 2014. After this date, all compliance validations must be to version 3.0. As always, entities with specific questions about how to report their compliance validation should consult with their acquirer (merchant bank) or payment brand, as applicable.

Later Version

No. When validating compliance, either through a Report on Compliance (ROC) or a self-assessment questionnaire (SAQ), requirements should not be "combined" from the two versions of the standard; validation must be to one version in its entirety.

When the PCI DSS is updated, it is understood that organizations may need time to complete their transition from a previous version to the current one. During this transition, their environment may reflect aspects of both versions of the standard. However, when it comes to reporting and validating compliance, only one version can be used.

As always, entities with specific questions about how to report their compliance validation should consult with their acquirer (merchant bank) or payment brand, as applicable.

Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.