Please note that, when PCI DSS v3.0 was published in November 2013, Requirements 6.5.10, 8.5.1, 9.9, 11.3, and 12.9 were designated "best practices" until 30 June 2015. All of these "best practices" became mandatory requirements on 1 July 2015.
Here is a list of the items that will be audited in any assessment that begins on or after 1 July 2015 (the requirement numbers are those of PCI DSS v3.0/v3.1).
Requirement 6.5.10 (broken authentication and session management): verify that secure coding processes are in place to protect applications from the authentication and session-management vulnerabilities listed in the requirement, for example by flagging session tokens as "secure", not exposing session IDs in URLs, and applying appropriate timeouts and rotation of session IDs after a successful login.
Requirement 8.5.1 (additional requirement for service providers only): service providers with remote access to customer premises (for example, for support of POS systems or servers) must use a unique authentication credential (such as a password/passphrase) for each customer, so that a credential compromised at one customer cannot be reused against another.
Requirement 9.9: protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution.
Requirement 9.9.1: maintain an up-to-date list of such devices. At a minimum the list must record the make and model of each device, its location (for example, the address of the site or facility where it is located), and its serial number or other method of unique identification.
Requirement 9.9.2: periodically inspect device surfaces to detect tampering (for example, the addition of card skimmers to devices) or substitution (for example, by checking the serial number or other device characteristics against the inventory to verify that the device has not been swapped with a fraudulent one).
Requirement 9.9.3: provide training so that personnel can recognize attempted tampering or replacement of devices, including verifying the identity of third parties claiming to be repair or maintenance personnel before granting them access to modify or troubleshoot devices.
Requirement 11.3: implement a penetration testing methodology based on an industry-accepted approach (for example, NIST SP 800-115) that covers the entire cardholder data environment perimeter and critical systems, includes both network-layer and application-layer testing from inside and outside the network, and validates any segmentation and scope-reduction controls. Assessments starting 1 July 2015 are performed against PCI DSS v3.1 (published April 2015), which carries these penetration testing requirements forward unchanged.
Requirement 12.9 (additional requirement for service providers only): service providers must acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer's cardholder data environment.