Index of PCI Frequently Asked Questions

If you ever wanted to see all the published PCI FAQs in one place, this page indexes every one that we are aware of.

The best ways to keep up to date are to use the PCI FAQ page “Newly Added” and “Most Recently Updated” queries or to follow the FAQ RSS feed.

Note: This page is maintained manually and was last updated on 2019-09-04 it indexes 268 FAQs with the last being #1467.

Article Link
#1003 Where is the PCI Security Standards Council Located?
#1004 Does the PCI Security Standards Council enforce compliance?
#1009 In case of a suspected breach, should the PCI Security Standards Council be contacted directly?
#1014 Do QSAs and ASVs need to send reports of compliance (ROCs) or scanning results to the PCI Security Standards Council directly?
#1015 What are the consequences to my business if I do not comply with the PCI DSS?
#1016 I want to add input into this process. How do I become a member of the Council?
#1017 How can my organization find assistance in completing the Self-Assessment Questionnaire?
#1018 Will the PCI Security Standards Council list compliant service providers and/or merchants on its Web site?
#1019 If my business was deemed compliant but my system was still breached and payment account data compromised after the fact, what liability would my business incur?
#1020 How does PA-DSS support a merchant’s PCI DSS compliance?
#1021 How much will it cost for a vendor to have their products validated to PA-DSS by a PA-QSA?
#1022 Do small merchants with limited transaction volumes need comply with PCI DSS?
#1023 What are the requirements that have to be satisfied to be in compliance with the PCI Data Security Standard?
#1024 Is PCI DSS a global standard?
#1032 Can you provide clarification of PCI DSS requirement 10.3.6?
#1033 Can you provide clarification for logging/audit trail per PCI DSS requirements 10.2.5 and 10.2.6?
#1034 What are system-level objects, as identified in PCI DSS Requirement 10.2.7?
#1035 What is the definition of “remote access”?
#1036 How can I provide feedback (negative or positive) about my QSA/ASV?
#1037 Do hosting providers have responsibility for liabilities/fines?
#1038 Does PCI DSS apply to “hot cards”, expired, cancelled or invalid card account numbers?”
#1039 Does PCI DSS apply to debit cards, debit payments, and debit systems?
#1040 Is it required that all of a company’s sites, even those located in other countries, must be included in the company’s PCI DSS review?
#1041 What is the scope of a PCI DSS assessment for a network that is not segmented?
#1042 Should cardholder data be encrypted while in memory?
#1043 Is frame relay considered a private network and are there any encryption requirements?
#1044 Do ISPs that provide only internet connection need to comply with the PCI DSS?
#1045 Is MPLS considered a private or public network when transmitting cardholder data?
#1046 Will the PCI Security Standards Council “approve” my organization’s implementation of compensating controls in my effort to comply with the PCI DSS?
#1050 I make ATMs, what do I need to do for PTS?
#1051 Can application whitelisting be used to meet PCI DSS Requirement 5?
#1052 Can a payment application that implements the same cryptographic keys across multiple installations be PA-DSS compliant?
#1053 Can a payment application that uses cryptographic keys hard-coded by the vendor be PA-DSS compliant if they cannot be changed by the customer?
#1054 Does the PCI Security Standards Council provide information on security breaches, status of investigations, or PCI DSS compliance status?
#1055 Should I complete the Prioritized Approach milestones in sequential order?
#1060 How would an identified Denial of Service (DoS) vulnerability affect a company’s ability to pass a PCI DSS vulnerability scan from an Approved Scanning Vendor (ASV)?
#1061 How frequently will the PCI Security Standards Council update the PCI DSS and PA-DSS?
#1062 What is meant by a “payment application” in Part 2d of the Attestation of Compliance?
#1063 Does SAQ C-VT replace SAQ C?
#1064 What is a VT or Virtual Terminal?
#1065 Should service providers demonstrate PCI DSS compliance as part of their client’s assessment or in their own separate assessment?
#1066 What is an “inactive user account” as used in PCI DSS Requirement 8.1.4?
#1067 What is meant by “non-consumer users” in PCI DSS Requirement 8?
#1068 Are digital leased lines considered public or private?
#1069 Does PCI DSS apply to paper with cardholder data (for example, receipts, reports, etc.)?
#1070 Are digital images containing cardholder data and/or sensitive authentication data included in the scope of the PCI DSS?
#1071 Can the full credit card number be displayed within a browser window?
#1072 What is the purpose of requiring account lockout, per PCI DSS Requirements 8.1.6 and 8.1.7?
#1073 What are the PCI DSS requirements regarding transmission of cardholder data via Bluetooth technology?
#1074 Is intrusion detection required if centralized log correlation is in place?
#1075 Is it permissible to use self-decrypting files for encryption to send cardholder data?
#1076 Is it permissible to use FTP if proper security measures are implemented?
#1077 How extensive must background checks be for employees who have access to cardholder data?
#1078 In what circumstances is multi-factor authentication required?
#1079 What is the definition of “merchant”?
#1080 Are administrators allowed to share passwords?
#1081 Does PCI DSS Requirements 10.2 and 10.3 mean that both database and application logging is required?
#1082 If a merchant has multiple processing environments, should the merchant complete multiple SAQ to validate their PCI DSS compliance?
#1083 What is the mission of the PCI Security Standards Council?
#1084 What is the intent of PCI DSS Requirement 3.4.1?
#1085 Can unencrypted PANs be sent over e-mail, instant messaging, SMS, or chat?
#1086 How does encrypted cardholder data impact PCI DSS scope?
#1087 For vulnerability scans, what is meant by quarterly?
#1088 What is meant by “adequate network segmentation” in the PCI DSS?
#1089 Are hashed Primary Account Numbers (PAN) considered cardholder data that must be protected in accordance with PCI DSS?
#1091 What are acceptable formats for truncation of primary account numbers
#1092 Does PCI DSS apply to merchants who outsource all payment processing operations and never store, process or transmit cardholder data?
#1093 Does Requirement 3.4 apply to mainframes?
#1094 Will the PCI Security Standards Council be involved in performing forensics investigations as a result of an account data compromise event?
#1095 What will be the role of the PCI Security Standards Council in expanding the global coverage of both QSAs and ASVs?
#1096 When a QSA or ASV is newly approved, who is the contact at the PCI Security Standards Council to request a press release?
#1115 How does PCI DSS apply to individual PCs or workstations?
#1117 Are truncated Primary Account Numbers (PAN) required to be protected in accordance with PCI DSS?
#1122 What is the scope of the PCI Security Standards Council’s activities?
#1123 In what way does the PCI Security Standards Council make payment card data more secure?
#1124 PCI DSS provides a common data security standard across all payment brands. Are there any plans to provide a common structure of penalties and/or fines for non-compliance to this standard?
#1125 Are there any plans for PCI SSC to be a single point of contact for a merchant, financial institute or processor to send a PCI DSS compliance report to?
#1126 How do I determine whether my business would be required to conduct an independent assessment or a self-assessment?
#1127 Is there opportunity to provide feedback on the PCI Council’s standards?
#1128 What happens if I’m using a PA-DSS validated payment application that is breached?
#1129 Does media containing cardholder data (for example, backup tapes or disks) need to be physically labeled as confidential for PCI DSS Requirement 9.6.1?
#1130 Are operating systems that are no longer supported by the vendor non-compliant with the PCI DSS?
#1131 Does the council have a mapping between PCI DSS and ISO 27002 (formerly ISO 17799) or other standards?
#1132 What is an Attestation of Compliance?
#1133 Why are there multiple PCI DSS Self-assessment Questionnaires (SAQs)?
#1134 What are the steps needed to perform a self assessment to validate compliance with PCI DSS?
#1135 Can VLANS be used for network segmentation?
#1136 Can the full payment card number be printed on the consumer’s copy of the receipt?
#1137 How can I validate if a number is a legitimate credit card number?
#1138 Does PCI SSC provide a list of PCI DSS-compliant service providers?
#1139 Can I fax payment card numbers and still be PCI DSS Compliant?
#1140 Which Self-assessment Questionnaire (SAQ) should I complete?
#1141 What are the fines and penalties assessed to companies for non-compliance with the PCI DSS?
#1142 How do I contact the payment card brands?
#1146 What is the difference between masking and truncation?
#1147 What is the purpose of requiring consoles/PCs to become “locked” after 15 minutes of idle time, per PCI DSS Requirement 8.1.8?
#1152 Can an entity be PCI DSS compliant if they have performed quarterly scans, but do not have four “passing” scans?”
#1153 How does PCI DSS apply to VoIP? (formerly Is VoIP in scope for PCI DSS?)
#1154 Is pre-authorization account data in scope for PCI DSS?
#1155 Which service provider category should I use for Part 2 of the PCI DSS Attestation of Compliance (AOC) for Service Providers?
#1156 Are call center environments considered “sensitive areas” for PCI DSS Requirement 9.1.1?
#1157 What should a merchant do if cardholder data is accidentally received via an unintended channel?
#1158 What effect does the use of a PCI-listed P2PE solution have on a merchant’s PCI DSS validation?
#1162 Can merchants use encryption solutions not listed on the PCI Council’s website to reduce their PCI DSS validation effort?
#1163 Is a “P2PE Assessor” required for a merchant’s PCI DSS assessment if the merchant uses a Council-listed P2PE solution?”
#1164 Is the PCI P2PE Standard applicable for merchants that have developed/implemented their own encryption solution?
#1165 Are P2PE solution providers required to have their solutions validated and listed by the Council?
#1166 Which PCI PTS point-of-interaction (POI) devices can be used in a validated P2PE solution?
#1168 What assurances does the Council provide regarding the quality of organizations assessing my systems for compliance with the PCI standards?
#1169 What are the Council’s requirements for QSA and ASV Companies to maintain a Quality Assurance (QA) manual?
#1170 How does the Prioritized Approach work?
#1171 Is the Prioritized Approach mandatory?
#1172 Does the Prioritized Approach replace the PCI DSS?
#1173 Who is qualified to perform PA-DSS assessments?
#1174 For the list of Validated PA-DSS Applications, what is the difference between Revalidation Date and Expiry Date?
#1175 If a merchant is using a payment application listed as “acceptable only for pre-existing deployments”, is the merchant allowed to install more copies of the application?
#1176 How does an organization maintain compliance when a standard changes?
#1177 How does my company become a qualified assessor (QSA, PA-QSA, QSA (P2PE), PA-QSA (P2PE)), or Approved Scanning Vendor (ASV)?
#1178 How do I reduce the scope of a PCI DSS assessment?
#1181 How can I check whether a payment application is PA-DSS validated?
#1182 Is it acceptable to make minor changes to a PA-DSS validated application and retain the existing version number?
#1183 The PA-DSS Program Guide says application version numbers may consist of a combination of fixed and variable alphanumeric characters. What does this mean? 
#1195 What is the difference between a Validated Payment Application which is shown on the PCI SSC website as “Acceptable for New Deployments” and one which is shown as “Acceptable only for Pre-Existing Deployments”?
#1196 If I am deemed PCI DSS compliant today by one of the payment card brands, will the other brands in the PCI Security Standards Council recognize this designation of compliance and if so, what information must be put forth to achieve such recognition?
#1210 Are audio/voice recordings permitted to contain sensitive authentication data?
#1211 To whom should media inquiries or requests for interviews about the PCI Security Standard Council be directed?
#1212 What is the involvement of the PCI SSC on the compliance validation processes for PCI DSS assessments and scan reports?
#1213 Are there any plans to standardize the reporting requirements (reports) for the PCI DSS, PA-DSS, ASV, QSA and PTS programs that are sent to each of the payment brands?
#1214 Do the PCI DSS requirements apply to card manufacturers, embossers, card personalizers, or entities that prepare data for card manufacturing?
#1216 Does the PCI DSS apply to acquirers?
#1217 Does the PCI DSS apply to issuers?
#1220 Are compliance certificates recognized for PCI DSS validation?
#1221 Do shared hosting providers need to comply with PCI DSS?
#1222 Does cardholder name, expiration date, etc. need to be rendered unreadable if stored in conjunction with the PAN (Primary Account Number)?
#1223 Does PCI DSS, PA-DSS, or PTS apply to ATMs?
#1224 What does one function per server mean?
#1225 What is the relationship between the PCI Data Security Standard and the Payment Application Data Security Standard and PTS Device Security Requirements?
#1226 What is the role of the Advisory Board?
#1227 Who are the founders of the PCI Security Standards Council?
#1228 Will the PCI Security Standards Council approve and list vendors for participation in forensics investigations?
#1229 What is SAQ C-VT?
#1233 How does encrypted cardholder data impact PCI DSS scope for third-party service providers?
#1234 I have had an external vulnerability scan completed by an ASV – does this mean I am PCI DSS compliant?
#1235 If a merchant or service provider has internal corporate credit cards used by employees for company purchases like travel or office supplies, are these corporate cards considered ‘in scope’ for PCI DSS?
#1246 Can a QSA that is not also a P2PE Assessor validate an encryption solution meets P2PE Requirements?
#1247 Who can use SAQ P2PE?
#1248 In P2PE, how do “hybrid” decryption environments differ from “hardware” decryption environments?
#1251 What is the process to use previously-deployed POI devices in a PCI P2PE solution?
#1252 Do all PCI DSS requirements apply to every system component?
#1253 Does hashing of passwords meet the intent of PCI DSS Requirement 8.2.1?
#1254 What is the intent of PCI DSS requirement 10?
#1257 Can I report on my Prioritized Approach progress instead of producing a Report on Compliance or Attestation of Compliance?
#1258 Does PCI SSC endorse specific products to meet PCI DSS requirements?
#1261 Does a P2PE validated application also need to be validated against PA-DSS?
#1262 Will PA-DSS validated applications continue to be Acceptable for New Deployments if they run on an unsupported operating system?
#1263 What are the Card Production Logical and Physical Security Requirements?
#1265 Can I combine sections from different versions of the PCI DSS?`
#1266 I’m in the middle of a PCI DSS assessment when a new version is released – should I start again using the new version?
#1270 How do the requirements in PCI DSS version 3 that are “best practices” until June 30th 2015 impact my PCI DSS assessment?
#1271 Can I combine sections from different versions of the PA-DSS?
#1272 Can my payment application be validated using PA-DSS Version 1.2.1?
#1273 Can my payment application be validated using PA-DSS Version 3.0 or 3.1?
#1274 Can my payment application be validated using PA-DSS Version 2?
#1275 What are the PA-DSS Expiry Dates?
#1277 Are merchants required to meet PCI DSS Requirement 12.9?
#1278 Are PA-DSS applications considered valid if installed on an operating system that is not included in the payment application listing?
#1279 How does using a PA-DSS validated application affect the scope of a merchant’s PCI DSS assessment?

Can card verification codes/values be stored for card-on-file or recurring transactions?

Formerly: Can card verification codes/values be stored for recurring transactions?

#1281 Are point-of-sale devices required to be physically secured (e.g. with a cable or tether) to prevent removal or substitution in order to meet PCI DSS Requirement 9.9?
#1282 Can an entity be PCI DSS compliant if they use a service provider that is validated to a previous version of PCI DSS?
#1283 If a merchant develops an application that runs on a consumer’s device (e.g. smartphone, tablet, or laptop) that is used to accept payment card data, what are the merchant’s obligations regarding PCI DSS and PA-DSS for that application?
#1284 Are acquirers considered service providers for the purpose of PCI DSS Requirements 12.8 and 12.9?
#1285 Does PCI DSS apply to one-time or single-use PANs?
#1286 Does PCI DSS apply to virtual (electronic-only) PANs?
#1287 Why does PA-DSS v3 require passwords to be protected by a one-way hash (Requirement 3.3.2), whereas PANs can be stored in an encrypted form (Requirement 2.3)?
#1288 Does PA-DSS Requirement 3.3.2 apply to passwords used by the payment application to access other systems/applications (e.g. for the payment application to access a third-party database)?
#1289 Does the PA-DSS v3 requirement for hashing stored passwords meet PCI DSS Requirement 8.2.1?
#1290 If a merchant uses a service provider to host part or all of their CDE, and the service provider has been validated as PCI DSS compliant, is the merchant’s assessor required to go onsite to the third party location and retest the PCI DSS requirements?
#1291 Why is SAQ A-EP used for Direct Post while SAQ A is used for iFrame or URL redirect?
#1292 Why is there a different approach for Direct Post implementations than for iFrame and URL redirect – what are the technical differences and how do they impact the security of e-commerce transactions?
#1293 If a merchant’s e-commerce implementation meets the criteria that all elements of payment pages originate from a PCI DSS compliant service provider, is the merchant eligible to complete SAQ A or SAQ A-EP?
#1299 Are manual imprinter machines in scope for PCI DSS requirements?
#1300 How does PCI DSS apply to payment terminals?
#1301 How do PTS-approved payment terminals support PCI DSS compliance?
#1302 How does use of an expired PTS device affect my PCI DSS compliance?
#1304 What devices does PCI DSS Requirement 10.6.2 apply to?
#1305 Do you offer examination accommodation?
#1306 Are PCI Forensic Investigators (PFIs) permitted to enter into retainer-type agreements with merchants and service providers?
#1308 How can an entity ensure that hashed and truncated versions cannot be correlated, as required in PCI DSS Requirement 3.4?
#1309 Must payment applications ensure that hashed and truncated versions cannot be correlated?
#1310 Are merchants allowed to request that cardholder data be provided over end-user messaging technologies?
#1311 Are PFI Companies which are “in remediation” permitted to perform investigations?”
#1312 If an entity uses a service provider that is not PCI DSS compliant, how does this impact the entity’s compliance?
#1313 Can SAQ B-IP be used if cardholder data is transmitted over wireless?
#1314 Is storage of encrypted cardholder data considered “cardholder data” per the SAQ eligibility criteria?
#1315 Is storage of truncated PAN considered storage of “cardholder data” per the SAQ eligibility criteria?
#1316 Are merchants required to perform the “Expected Testing” in the SAQs?”
#1317 What is a “significant change” for PCI DSS Requirements 11.2 and 11.3?
#1318 What is the maximum period of time that cardholder data can be stored?
#1319 Are merchants allowed to request card-verification codes/values from cardholders?
#1320 Who do I report insecure merchant behavior to?
#1321 Do parent/subsidiary companies validate as a single entity or as separate entities?
#1322 What are the expiry dates for PTS POI device approvals?
#1323 Are disaster-recovery (DR) sites in scope for PCI DSS?
#1324 What changes are PFI companies allowed to make to the PFI Reporting Templates?
#1325 Does PCI SSC provide a “PCI DSS Compliant” logo?”
#1326 How does PCI DSS apply to EMVCo Payment Tokens?
#1327 Do PANs need to be masked on cardholder statements sent by issuers to customers?
#1328 What version of PCI DSS should I use?
#1328 Which Version of PCI DSS should I use?
#1329 What is the current version of PA-DSS?
#1330 For P2PE solutions, can you use PCI approved POI devices with SRED, where the PTS listing indicates “Non CTLS”?
#1331 Can SAQ eligibility criteria be used for determining applicability of PCI DSS requirements for onsite assessments?
#1332 Is a merchant website still in scope for PCI DSS if it meets all the criteria for SAQ A?
#1333 Can PCI DSS compliance be determined by testing only pre-production environments using test data?
#1334 Where can I find unlocked versions of the AOCs and SAQs?
#1335 Does PCI DSS apply to bank account data?
#1338 What is the difference between POI firmware and additional software that may be present on the POI device?
#1339 Are POI devices with only the PTS-approved firmware (i.e., no additional software) eligible for use in a PCI P2PE solution?
#1354 Can the AOC be redacted to protect sensitive information?
#1355 Are applications listed as Acceptable only for Pre-existing Deployments able to meet the current PA-DSS and PCI DSS?
#1356 What does “Duly Authorized Officer” mean?
#1358 Which version of the P2PE Standard should be used for a P2PE assessment?
#1367 Can PCI-listed P2PE v1.1 applications be used in PCI P2PE v2 solutions?
#1368 Can PCI-listed P2PE v2 applications be used in a PCI P2PE v1.1 listed solution?
#1369 Does PCI P2PE v2 allow for partial assessments of third parties with services that will be used in one or more P2PE solutions?
#1372 How should entities apply the new SSL/TLS migration dates to Requirements 2.2.3, 2.3 and 4.1 for PCI DSS v3.1?
#1373 How should entities complete their ROC or SAQ for PCI DSS v3.1 using the new SSL/TLS migration dates?
#1374 Is Payment Account Reference (PAR) as defined by EMVCo considered PCI Account Data?
#1375 Can an Attestation of Compliance (AOC) be provided to an assessed entity before the Report on Compliance (ROC) is finalized?
#1382 Can a partial PCI DSS assessment be documented in a Report on Compliance (ROC)?
#1383 To whom do the PCI Token Service Provider Security Requirements apply?
#1384 What is the difference between “acquiring tokens”, “issuer tokens”, and “Payment Tokens”?”
#1385 Which types of tokens are addressed by the PCI SSC tokenization documents?
#1425 What is the difference between “multi-factor” authentication and “two-factor” authentication?”
#1426 Is “two-step” authentication the same as “two-factor” or “multi-factor” authentication?”
#1427 Are OEMs and/or hardware/software resellers subject to PCI DSS Requirements 12.8 and 12.9?
#1434 How do PCI PTS-approved POI device expiry dates affect a PCI-listed P2PE solution?
#1435 What is the Council’s guidance on the use of SHA-1?
#1436 Who has to comply with the PCI standards?
#1437 Can PCI DSS be used to protect non-payment card data?
#1438 How is the payment page determined for SAQ A merchants using iframe?
#1439 How do PCI DSS Requirements 2, 6 and 8 apply to SAQ A merchants?
#1440 How does PCI DSS Appendix A2 apply after the SSL/early TLS migration deadline?
#1441 How do the updated SSL/early TLS migration dates apply to service providers?
#1442 Can merchants using non-console administrative access be eligible for SAQ B-IP, C-VT, or C?
#1443 What is the intent of the SAQ eligibility criteria?
#1444 Can a PFI Company perform subsequent PFI investigations for the same entity?
#1445 How should QSA assistance with completion of Self-Assessment Questionnaire (SAQs) be documented?
#1446 How did Prioritized Approach Tool calculations change for PCI DSS v3.2?
#1447 How does PCI DSS Requirement impact timing of penetration tests for service providers?
#1448 What is meant by ‘at risk’ and ‘at-risk timeframe’ referenced in the Final PFI Report?
#1449 Is two-step authentication acceptable for PCI DSS Requirement 8.3?
#1450 Where can I find more information about the Assessment Guidance for Non-listed Encryption Solutions (aka NESA)?
#1451 Can PFIs provide reports to their clients before sending the report to the affected payment brands?
#1452 How does Triple DEA (TDEA) impact ASV Scan results?
#1453 Can a PFI Company provide QSA services to an entity after performing a PFI investigation for that entity?
#1454 What is the intent of “administrative access” in PCI DSS?
#1455 Does a QSA need to be onsite at the client’s premises for all aspects of a PCI DSS assessment?
#1456 Can PCI SSC revoke a QSA Company’s eligibility to participate in the Associate QSA Program due to quality concerns in connection with that program, and not revoke qualification as a QSA Company?
#1457 Is a Software-based PIN Entry on COTS Solution eligible for a P2PE Solution approval?
#1458 What date should be used for “Date of Report” in the ROC?
#1460 Where should reports be sent when the PFI investigation has concluded there is no evidence of a breach?
#1461 What-are-the-security-considerations-for-TLS-1-3?
#1462 What does “Window of Payment Card Data Storage” mean in the Final PFI Report template?
#1464 Does the use of expired PTS POI devices meet eligibility criteria for SAQ B-IP?
#1467 Can organizations use alternative password management methods to meet PCI DSS Requirement 8?
#1468 Can I have the same assessor company or individual assessor perform a PCI DSS and PIN Assessment for our organization?



PCI Pilot™ is coming soon!

Our highly-anticipated online tool will be launching very soon to make your PCI SAQ process quick and seamless.

Sign-up today and be among the first to know when PCI Pilot™ is live!