Académique Documents
Professionnel Documents
Culture Documents
Clarifies intent of requirement. Ensures that concise wording in the standard portrays the
Clarification
desired intent of requirements.
Evolving Changes to ensure that the standards are up to date with emerging threats and changes in
Requirement the market.
Section
1
Change Type
PCI DSS v3.0 PCI DSS v3.1
All All Addressed minor typographical errors Clarification
(grammar, punctuation, formatting, etc.) and
incorporated minor updates for readability
throughout the document.
Introduction Introduction Changed reference from protecting cardholder Clarification
data to protecting account data.
Introduction Introduction Clarified that PCI DSS applies to any entity Clarification
that stores, processes or transmits account
data.
Introduction Introduction Changed reference from personally Clarification
identifiable information to personal
information.
PCI DSS Applicability PCI DSS Applicability Changed reference from financial institutions Clarification
Information Information to acquirers, issuers.
PCI DSS Applicability PCI DSS Applicability Removed reference to environments to clarify Clarification
Information Information applicability at the organization level rather
than the system level.
Aligned with language used earlier in the same Clarification
Scope of PCI DSS Scope of PCI DSS
section regarding steps for confirming
Requirements Requirements
accuracy of the defined CDE.
Use of Third Party Use of Third Party Clarified that validation processes for service Clarification
Service Providers / Service Providers / providers include undergoing their own annual
Outsourcing Outsourcing assessments or undergoing multiple on-
demand assessments.
PCI DSS Assessment PCI DSS Assessment Reordered assessment steps to clarify that a Clarification
Process Process ROC, SAQ, or AOC may be submitted without
all requirements being in place.
General General Updated language in requirements and/or Clarification
testing procedures for consistency.
2.2.3 2.2.3 Removed SSL as an example of a secure Evolving
technology. Added note that SSL and early Requirement
TLS are no longer considered to be strong
cryptography and cannot be used as a security
control after June 30, 2016. Additional
guidance provided in Guidance column. Also
impacts Requirements 2.3 and 4.1.
2.3 2.3 Removed SSL as an example of a secure Evolving
technology and added a note to the Requirement
requirement. See explanation above at 2.2.3.