Gartner Research

What's Changing and How to Respond to PCI v3.0

Published: 20 August 2014

ID: G00260459

Analyst(s): Avivah Litan , Rajpreet Kaur


Payment Card Industry (PCI) v3.0, effective January 2015, is almost 30% larger than PCI v2.0, and introduces significant amounts of new work. Security managers who need to comply with PCI should use this research as a guide to understand what's changed and how to respond.

Table Of Contents
  • Impacts


  • Changes in Version 3.0

Impacts and Recommendations

  • Security managers must deal with over 13%, or 39 of PCI v2.0 requirements, have significantly changed with PCI v3.0, including requirements for key management, system inventories, device inspections and service provider agreements
  • Security managers must address the fact that more than 27%, or 81 of the PCI v2.0 requirements, have undergone minor changes in PCI v3.0, including requirements for security documentation, network segmentation and Web application protection
  • A new PCI Self-Assessment Questionnaire (SAQ A-EP) for e-commerce sites that redirects payment traffic to service providers clarifies that the Web application and Web server involved in the payment process are now in scope of the PCI audit
  • Point-to-point encryption and tokenization technologies are not addressed in PCI v3.0, but security managers are adopting them as an efficient way to limit the scope of PCI audits

Gartner Recommended Reading

©2021 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. and its affiliates. This publication may not be reproduced or distributed in any form without Gartner’s prior written permission. It consists of the opinions of Gartner’s research organization, which should not be construed as statements of fact. While the information contained in this publication has been obtained from sources believed to be reliable, Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner research may address legal and financial issues, Gartner does not provide legal or investment advice and its research should not be construed or used as such. Your access and use of this publication are governed by Gartner’s Usage Policy. Gartner prides itself on its reputation for independence and objectivity. Its research is produced independently by its research organization without input or influence from any third party. For further information, see Guiding Principles on Independence and Objectivity.

Already have a Gartner Account?

Purchase this Document

To purchase this document, you will need to register or sign in above

Become a client

Learn how to access this content as a Gartner client.