Can merchants assess against PCI DSS version 3.0 if they use a service provider that is validated to PCI DSS version 2?
As organizations will be transitioning between version 2.0 and version 3.0 of PCI DSS during 2014, it may be necessary for an organization validating to PCI DSS version 3.0 to include information from a service provider who is validated to PCI DSS version 2.0.
A service provider's version 2.0 compliance validation is acceptable for use in a merchant's version 3.0 assessment as long as the service provider's version 2.0 validation was dated on or before December 31, 2014, and the validation is still current (i.e., 12 months have not passed since the service provider's validation).
If a merchant validating to version 3.0 relies on a service provider that is compliant with version 2.0 for delivery of one or more PCI DSS requirements, the merchant may still validate to version 3.0 and note in their ROC (Report on Compliance) or SAQ (Self-Assessment Questionnaire) that the provider managing those requirements on their behalf is meeting them under PCI DSS version 2.0.
Entities should also contact their acquirer or the payment brands directly to determine their compliance reporting requirements, including how to report any third-party service providers. Contact details for the payment brands can be found in FAQ #1142, "How do I contact the payment card brands?"