#1572 |
Can a compensating control be used for requirements with a periodic or defined frequency, where an entity did not perform the activity within the required timeframe? |
Aug 2023 |
#1571 |
Is the expectation that any PFI investigation initiated must result in a PFI Final Report? |
Jun 2023 |
#1570 |
Does TDEA meet the requirements of “strong cryptography” as defined in PCI DSS? |
Aug 2023 |
#1569 |
Is sampling allowed in PCI DSS v4.0? |
May 2023 |
#1568 |
Is the PCI DSS Attestation of Compliance intended to be shared? |
Apr 2023 |
#1567 |
Can a Qualified Security Assessor (QSA) rely on the results from non PCI DSS assessment (for example, a SOC 2 or SOC 3 audit) for a PCI DSS assessment? |
Mar 2023 |
#1566 |
Can a Qualified Security Assessor (QSA) ask an auditor from the same company (for example, one conducting a SOC 2 or SOC 3 audit) to collect evidence for a PCI DSS assessment? |
Mar 2023 |
#1565 |
Does an entity’s PCI DSS assessment result expire when the standard against which the entity was assessed is retired? |
Mar 2023 |
#1564 |
How does an entity report the results of a PCI DSS assessment for new requirements that are noted in PCI DSS as best practices until a future date? |
Mar 2023 |
#1563 |
What should an entity do if its PCI DSS v3.2.1 assessment will not be complete prior to that standard’s retirement date of 31 March 2024? |
Mar 2023 |
#1562 |
Is a QSA Employee that designs, develops, or implements specific controls for a customer also permitted to assess those same controls? |
Nov 2022 |
#1561 |
What impact does the inclusion of UnionPay in PCI DSS documents have on an entity’s PCI DSS assessment? |
Oct 2022 |
#1554 |
What is a PCI SSC Participating Payment Brand? |
Nov 2021 |
#1549 |
Is software-as-a-service (SaaS) eligible for Secure Software Standard validation and listing? |
Nov 2021 |
#1548 |
Are Secure Software Assessors or Secure Software Lifecycle Assessors required to report Continuing Professional Education (CPE) credits to PCI SSC? |
Nov 2021 |
#1547 |
Are currently listed PA-DSS payment applications required to be revalidated using the Secure Software Standard? |
Nov 2021 |
#1546 |
Can multiple changes for a Secure Software listing be submitted within a single change submission? |
Nov 2021 |
#1545 |
Are there prerequisite PCI SSC program requirements to meet before qualifying as an SSF Assessor Company? |
Nov 2021 |
#1544 |
Does PCI SSC provide a list of software vendors whose software development process(es) have been validated to the Secure SLC Standard? |
Nov 2021 |
#1543 |
Who is qualified to perform assessments to the PCI Secure SLC Standard? |
Nov 2021 |
#1542 |
What is the process for PCI Secure SLC Qualification? |
Nov 2021 |
#1541 |
When must validated payment software be revalidated? |
Nov 2021 |
#1540 |
What software is eligible for validation to the PCI Secure Software Standard? |
Nov 2021 |
#1539 |
Who is qualified to perform assessments to the PCI Secure Software Standard? |
Nov 2021 |
#1538 |
What is the process to initiate a software evaluation to the PCI Secure Software Standard? |
Nov 2021 |
#1537 |
Are remote assessments permitted for PCI DSS? |
Oct 2021 |
#1536 |
What is a compliance-accepting entity? |
Oct 2021 |
#1533 |
For PCI DSS, why is storage of sensitive authentication data (SAD) after authorization not permitted even when there are no primary account numbers (PANs) in an environment? |
Jul 2021 |
#1496 |
Are entities expected to do onsite audits of personnel work-from-home environments? |
May 2021 |
#1495 |
Is an assessor required to visit work-from-home environments to determine if personnel are meeting PCI DSS requirements? |
May 2021 |
#1494 |
For personnel working from home, is the work-from-home environment considered a 'sensitive area' for PCI DSS Requirement 9? |
May 2021 |
#1493 |
What is the PCI 3DS (3D Secure) Core Security Standard? |
Apr 2021 |
#1492 |
How can an entity meet PCI DSS requirements for PAN masking and truncation if it has migrated to 8-digit BINs? |
Feb 2021 |
#1491 |
Does PCI DSS define which versions of TLS must be used? |
Jan 2021 |
#1490 |
Can a PCI 3DS Assessment result in a finding of 'Compliant' if some requirements are not tested? |
Dec 2020 |
#1489 |
Is an EMVCo Letter of Approval required prior to conducting a PCI 3DS Assessment? |
Dec 2020 |
#1488 |
What types of 3DS components are in scope for Requirement P2-7 in the PCI 3DS Core Security Standard? |
Dec 2020 |
#1487 |
Can a 3DS entity outsource the hosting and management of its HSMs to a third-party service provider? |
Dec 2020 |
#1486 |
Can the 'Compliant but with Legal exception' option in the AOC be used to identify where a testing procedure could not be performed due to a legal constraint? |
Dec 2020 |
#1485 |
What is the meaning of “initial PCI DSS assessment”? |
Apr 2023 |
#1484 |
If a P2PE Solution is shown as red or orange on PCI's list of Validated P2PE Solutions, does the solution meet the eligibility criteria for SAQ P2PE? |
Sep 2020 |
#1483 |
If a P2PE Solution is on PCI's list of Point-to-Point Encryption Solutions with Expired Validations, does the solution meet the eligibility criteria for SAQ P2PE? |
Sep 2020 |
#1482 |
Are P2PE Products (P2PE Solutions, P2PE Components, P2PE Applications) on the P2PE Expired Listings still considered 'validated' per the P2PE Program Guide? |
Oct 2020 |
#1481 |
What type of assessor signatures are allowable for PCI SSC attestation documentation? |
Jun 2020 |
#1480 |
Which P2PE Program Guide version do I use? |
May 2020 |
#1479 |
Can PCI-listed P2PE v2 components be used as part of a P2PE v3 solution? |
May 2020 |
#1478 |
Can PCI-listed P2PE v3 components be used as part of a P2PE v2 solution? |
May 2020 |
#1477 |
Are software vendors wishing to undergo validation to the PCI Secure Software Lifecycle (Secure SLC) Standard also required to have payment software listed or in the process of being validated to the PCI Secure Software Standard? |
May 2020 |
#1473 |
What is the role of compliance-accepting entities and assessors in determining the applicability of PCI DSS requirements for merchant and service provider PCI DSS assessments? |
Mar 2023 |
#1472 |
How can I determine whether a QSA is authorized to perform PCI DSS assessments in all countries that are in scope for my company's PCI DSS assessment? |
Nov 2019 |
#1471 |
What does 'Servicing Markets' on the QSA listing mean? |
Nov 2019 |
#1470 |
Are PFIs required to fill out all the fields in the Final PFI Report? |
Nov 2019 |
#1469 |
How do PCI PTS-approved HSM expiry dates affect a PCI-listed P2PE Solution or Component? |
Nov 2019 |
#1468 |
Can I have the same assessor company or individual assessor perform a PCI DSS and PIN Assessment for our organization? |
Sep 2019 |
#1467 |
Can organizations use alternative password management methods to meet PCI DSS Requirement 8? |
May 2019 |
#1464 |
Does the use of expired PTS POI devices meet eligibility criteria for SAQ B-IP? |
Mar 2019 |
#1462 |
What does 'Window of Payment Card Data Storage' mean in the Final PFI Report template? |
Jan 2019 |
#1461 |
What are the security considerations for TLS 1.3? |
Jan 2019 |
#1460 |
Where should reports be sent when the PFI investigation has concluded there is no evidence of a breach? |
Nov 2018 |
#1458 |
What date should be used for 'Date of Report' in the ROC? |
Jul 2019 |
#1457 |
Are either Software-based PIN Entry on COTS Solutions or Contactless Payments on COTS Solutions eligible for a P2PE Solution approval? |
Apr 2020 |
#1456 |
Can PCI SSC revoke a QSA Company's eligibility to participate in the Associate QSA Program due to quality concerns in connection with that program, and not revoke qualification as a QSA Company? |
Apr 2018 |
#1455 |
Does a QSA need to be onsite at the client's premises for all aspects of a PCI DSS assessment? |
Jan 2018 |
#1454 |
What is the intent of 'administrative access' in PCI DSS? |
Oct 2017 |
#1453 |
Can a PFI Company provide QSA services to an entity after performing a PFI investigation for that entity? |
Aug 2022 |
#1452 |
How does Triple DEA (TDEA) impact ASV Scan results? |
Sep 2017 |
#1451 |
Can PFIs provide reports to their clients before sending the report to the affected payment brands? |
Nov 2021 |
#1450 |
Where can I find more information about the Assessment Guidance for Non-listed Encryption Solutions (aka NESA)? |
Aug 2017 |
#1449 |
Is two-step authentication acceptable for PCI DSS Requirement 8.3? |
Aug 2018 |
#1448 |
What is meant by 'at risk' and 'at-risk timeframe' referenced in the Final PFI Report? |
Apr 2017 |
#1447 |
How does PCI DSS Requirement 11.3.4.1 impact timing of penetration tests for service providers? |
Apr 2017 |
#1446 |
How did Prioritized Approach Tool calculations change for PCI DSS v3.2? |
Mar 2017 |
#1445 |
How should QSA assistance with completion of Self-Assessment Questionnaire (SAQs) be documented? |
Feb 2017 |
#1444 |
Can a PFI Company perform subsequent PFI investigations for the same entity? |
Aug 2022 |
#1443 |
What is the intent of the SAQ eligibility criteria? |
Nov 2016 |
#1442 |
Can merchants using non-console administrative access be eligible for SAQ B-IP, C-VT, or C? |
Nov 2016 |
#1441 |
Retired - How do the updated SSL/early TLS migration dates apply to service providers? |
|
#1440 |
How does PCI DSS Appendix A2 apply after the SSL/early TLS migration deadline? |
Aug 2018 |
#1439 |
How do PCI DSS Requirements 2, 6 and 8 apply to SAQ A merchants? |
May 2019 |
#1438 |
How is the payment page determined for SAQ A merchants using iframe? |
Sep 2016 |
#1437 |
Can PCI DSS be used to protect non-payment card data? |
Aug 2016 |
#1436 |
Who has to comply with the PCI standards? |
Nov 2021 |
#1435 |
What is the Council's guidance on the use of SHA-1? |
Aug 2016 |
#1434 |
How do PCI PTS-approved POI device expiry dates affect a PCI-listed P2PE solution? |
Apr 2020 |
#1427 |
Are OEMs and/or hardware/software resellers subject to PCI DSS Requirements 12.8 and 12.9? |
Jun 2016 |
#1426 |
Is 'two-step' authentication the same as 'two-factor' or 'multi-factor' authentication? |
Feb 2017 |
#1425 |
What is the difference between 'multi-factor' authentication and 'two-factor' authentication? |
Jun 2016 |
#1385 |
Which types of tokens are addressed by the PCI SSC tokenization documents? |
Apr 2016 |
#1384 |
What is the difference between 'acquiring tokens', 'issuer tokens', and 'Payment Tokens'? |
Apr 2016 |
#1383 |
To whom do the PCI Token Service Provider Security Requirements apply? |
Apr 2016 |
#1382 |
Can a partial PCI DSS assessment be documented in a Report on Compliance (ROC)? |
Feb 2016 |
#1375 |
Can an Attestation of Compliance (AOC) be provided to an assessed entity before the Report on Compliance (ROC) is finalized? |
Feb 2016 |
#1374 |
Is Payment Account Reference (PAR) as defined by EMVCo considered PCI Account Data? |
Jan 2016 |
#1373 |
Retired - How should entities complete their ROC or SAQ for PCI DSS v3.1 using the new SSL/TLS migration dates? |
|
#1372 |
Retired - How should entities apply the new SSL/TLS migration dates to Requirements 2.2.3, 2.3 and 4.1 for PCI DSS v3.1? |
|
#1369 |
Does PCI P2PE allow for partial assessments of third parties with services that will be used in one or more P2PE solutions? |
May 2020 |
#1368 |
Can PCI-listed P2PE v3 applications be used in PCI P2PE v2 listed solutions/components? |
May 2020 |
#1367 |
Can PCI-listed P2PE v2.0 applications be used in PCI P2PE v3 solutions/components? |
Apr 2020 |
#1358 |
Which version of the P2PE Standard should be used for a P2PE assessment? |
Apr 2020 |
#1356 |
What does 'Duly Authorized Officer' mean? |
Jun 2023 |
#1355 |
Are applications listed as Acceptable only for Pre-existing Deployments able to meet the current PA-DSS and PCI DSS? |
Sep 2015 |
#1354 |
Can sensitive information be redacted from the PCI DSS Attestation of Compliance before it is shared with other entities? |
Apr 2023 |
#1339 |
Are POI devices with only PTS-approved firmware (i.e., no additional software) eligible for use in a PCI P2PE solution? |
Apr 2020 |
#1338 |
What is the difference between POI firmware and additional software that may be present on the POI device? |
Sep 2015 |
#1335 |
Does PCI DSS apply to bank account data? |
Jun 2023 |
#1334 |
Where can I find unlocked versions of the AOCs and SAQs? |
Jul 2015 |
#1333 |
Can PCI DSS compliance be determined by testing only pre-production environments using test data? |
Jul 2015 |
#1332 |
Is a merchant website still in scope for PCI DSS if it meets all the criteria for SAQ A? |
Jul 2015 |
#1331 |
Can SAQ eligibility criteria be used for determining applicability of PCI DSS requirements for assessments documented in a Report on Compliance? |
Apr 2023 |
#1330 |
For P2PE solutions, can you use PCI approved POI devices with SRED, where the PTS listing indicates 'Non CTLS'? |
Jul 2015 |
#1329 |
What is the current version of PA-DSS? |
Jun 2016 |
#1328 |
Which version of PCI DSS should an entity use? |
Mar 2023 |
#1327 |
Do PANs need to be masked on cardholder statements sent by issuers to customers? |
Aug 2022 |
#1326 |
How does PCI DSS apply to EMVCo Payment Tokens? |
May 2015 |
#1325 |
Does PCI SSC provide a 'PCI DSS Compliant' logo? |
Apr 2015 |
#1324 |
What changes are PFI companies allowed to make to the PFI Reporting Templates? |
May 2020 |
#1323 |
Are disaster-recovery (DR) sites in scope for PCI DSS? |
Mar 2015 |
#1322 |
What are the expiry dates for PTS POI device approvals? |
Apr 2020 |
#1321 |
Do parent/subsidiary companies validate as a single entity or as separate entities? |
Jan 2015 |
#1320 |
Who do I report insecure merchant behavior to? |
Jan 2015 |
#1319 |
Are merchants allowed to request card-verification codes/values from cardholders? |
Jan 2015 |
#1318 |
What is the maximum period of time that cardholder data can be stored? |
Jan 2015 |
#1317 |
What is meant by “significant change” in PCI DSS? |
Apr 2023 |
#1316 |
Are merchants required to perform the 'Expected Testing' in the SAQs? |
Jan 2015 |
#1315 |
Is storage of truncated PAN considered storage of 'cardholder data' per the SAQ eligibility criteria? |
Jan 2015 |
#1314 |
Is storage of encrypted cardholder data considered 'cardholder data' per the SAQ eligibility criteria? |
Jan 2015 |
#1313 |
Can SAQ B-IP be used if cardholder data is transmitted over wireless? |
Dec 2014 |
#1312 |
If an entity uses a service provider that is not PCI DSS compliant, how does this impact the entity's compliance? |
May 2015 |
#1311 |
Are PFI Companies which are 'in remediation' permitted to perform investigations? |
Dec 2014 |
#1310 |
Are merchants allowed to request that cardholder data be provided over end-user messaging technologies? |
Nov 2014 |
#1309 |
Must payment applications ensure that hashed and truncated versions cannot be correlated? |
Nov 2014 |
#1308 |
How can an entity ensure that hashed and truncated versions cannot be correlated, as required in PCI DSS Requirement 3.4? |
Nov 2014 |
#1306 |
Are PCI Forensic Investigators (PFIs) permitted to enter into retainer-type agreements with merchants and service providers? |
Apr 2017 |
#1305 |
Do you offer examination accommodation? |
Sep 2014 |
#1304 |
What devices does PCI DSS Requirement 10.6.2 apply to? |
Aug 2018 |
#1302 |
How does use of an expired PTS device affect my PCI DSS compliance? |
Mar 2020 |
#1301 |
How do PTS-approved payment terminals support PCI DSS compliance? |
Aug 2014 |
#1300 |
How does PCI DSS apply to payment terminals? |
Aug 2014 |
#1299 |
Are manual imprinter machines in scope for PCI DSS requirements? |
Jul 2014 |
#1293 |
If a merchant's e-commerce implementation meets the criteria that all elements of payment pages originate from a PCI DSS compliant service provider, is the merchant eligible to complete SAQ A or SAQ A-EP? |
Jun 2014 |
#1292 |
Why is there a different approach for Direct Post implementations than for iFrame and URL redirect - what are the technical differences and how do they impact the security of e-commerce transactions? |
Aug 2015 |
#1291 |
Why is SAQ A-EP used for Direct Post while SAQ A is used for iFrame or URL redirect? |
Aug 2015 |
#1290 |
If a merchant uses a service provider to host part or all of their CDE, and the service provider has been validated as PCI DSS compliant, is the merchant's assessor required to go onsite to the third party location and retest the PCI DSS requirements? |
May 2015 |
#1289 |
Does the PA-DSS v3 requirement for hashing stored passwords meet PCI DSS Requirement 8.2.1? |
May 2015 |
#1288 |
Does PA-DSS Requirement 3.3.2 apply to passwords used by the payment application to access other systems/applications (e.g. for the payment application to access a third-party database)? |
Jun 2014 |
#1287 |
Why does PA-DSS v3 require passwords to be protected by a one-way hash (Requirement 3.3.2), whereas PANs can be stored in an encrypted form (Requirement 2.3)? |
May 2015 |
#1286 |
Does PCI DSS apply to virtual (electronic-only) PANs? |
Nov 2021 |
#1285 |
Does PCI DSS apply to one-time or single-use PANs? |
Nov 2021 |
#1284 |
Are acquirers considered service providers for the purpose of PCI DSS Requirements 12.8 and 12.9? |
Jul 2014 |
#1283 |
If a merchant develops an application that runs on a consumer's device (e.g. smartphone, tablet, or laptop) that is used to accept payment card data, what are the merchant's obligations regarding PCI DSS and PA-DSS for that application? |
Jun 2014 |
#1282 |
Can an entity be PCI DSS compliant if they use a service provider that is validated to a previous version of PCI DSS? |
Aug 2018 |
#1281 |
Are point-of-sale devices required to be physically secured (e.g. with a cable or tether) to prevent removal or substitution in order to meet PCI DSS Requirement 9.9? |
Mar 2020 |
#1280 |
Can card verification codes/values be stored for card-on-file or recurring transactions? |
Oct 2017 |
#1279 |
How does using a PA-DSS validated application affect the scope of a merchant's PCI DSS assessment? |
Jun 2014 |
#1278 |
Are PA-DSS applications considered valid if installed on an operating system that is not included in the payment application listing? |
Jun 2014 |
#1277 |
Are merchants required to meet PCI DSS Requirement 12.9? |
Jun 2014 |
#1275 |
What are the PA-DSS Expiry Dates? |
Jun 2015 |
#1274 |
Can my payment application be validated using PA-DSS Version 2? |
Jun 2015 |
#1273 |
Can my payment application be validated using PA-DSS Version 3.0 or 3.1? |
Jun 2015 |
#1272 |
Can my payment application be validated using PA-DSS Version 1.2.1? |
Jun 2015 |
#1271 |
Can I combine sections from different versions of the PA-DSS? |
Jun 2015 |
#1270 |
Retired - How do the requirements in PCI DSS version 3 that are 'best practices' until June 30th 2015 impact my PCI DSS assessment? |
|
#1266 |
If an entity is in the middle of a PCI DSS assessment when a new version of the standard is released – should the assessment be started again using the new version? |
Mar 2023 |
#1265 |
Can I combine sections from different versions of the PCI DSS? |
May 2015 |
#1263 |
What are the Card Production Logical and Physical Security Requirements? |
Dec 2013 |
#1262 |
Will PA-DSS validated applications continue to be Acceptable for New Deployments if they run on an unsupported operating system? |
Dec 2013 |
#1261 |
Does a P2PE validated application also need to be validated against PA-DSS? |
Apr 2020 |
#1258 |
Does PCI SSC endorse specific products to meet PCI DSS requirements? |
Aug 2013 |
#1257 |
Can I report on my Prioritized Approach progress instead of producing a Report on Compliance or Attestation of Compliance? |
Aug 2013 |
#1254 |
What is the intent of PCI DSS requirement 10? |
May 2014 |
#1253 |
Does hashing of passwords meet the intent of PCI DSS Requirement 8.2.1? |
May 2014 |
#1252 |
Do all PCI DSS requirements apply to every system component? |
May 2014 |
#1251 |
What is the process to use previously-deployed POI devices in a PCI P2PE Solution? |
Apr 2020 |
#1248 |
In P2PE, how do 'hybrid' decryption environments differ from 'hardware' decryption environments? |
Apr 2020 |
#1247 |
Who can use SAQ P2PE? |
Sep 2020 |
#1246 |
Can a QSA that is not also a P2PE Assessor validate an encryption solution meets P2PE Requirements? |
May 2013 |
#1235 |
If a merchant or service provider has internal corporate credit cards used by employees for company purchases like travel or office supplies, are these corporate cards considered 'in scope' for PCI DSS? |
Feb 2013 |
#1234 |
I have had an external vulnerability scan completed by an ASV - does this mean I am PCI DSS compliant? |
Feb 2013 |
#1233 |
How does encrypted cardholder data impact PCI DSS scope for third-party service providers? |
Aug 2016 |
#1229 |
What is SAQ C-VT? |
Feb 2013 |
#1228 |
Retired - Will the PCI Security Standards Council approve and list vendors for participation in forensics investigations? |
|
#1227 |
Who are the founders of the PCI Security Standards Council? |
Nov 2021 |
#1226 |
What is the role of the Advisory Board? |
Jan 2013 |
#1225 |
What is the relationship between the PCI Data Security Standard and the Payment Application Data Security Standard and PTS Device Security Requirements? |
Jan 2013 |
#1224 |
What does one function per server mean? |
Aug 2022 |
#1223 |
Does PCI DSS, PA-DSS, or PTS apply to ATMs? |
Aug 2013 |
#1222 |
Does cardholder name, expiration date, etc. need to be rendered unreadable if stored in conjunction with the PAN (Primary Account Number)? |
May 2014 |
#1221 |
Do shared hosting providers need to comply with PCI DSS? |
Aug 2018 |
#1220 |
Are compliance certificates recognized for PCI DSS validation? |
Jul 2015 |
#1217 |
Does the PCI DSS apply to issuers? |
Jan 2013 |
#1216 |
Does the PCI DSS apply to acquirers? |
Jan 2013 |
#1215 |
What is the PCI DSS Self-Assessment Questionnaire? |
Nov 2016 |
#1214 |
Do the PCI DSS requirements apply to card manufacturers, embossers, card personalizers, or entities that prepare data for card manufacturing? |
Jan 2013 |
#1213 |
Are there any plans to standardize the reporting requirements (reports) for the PCI DSS, PA-DSS, ASV, QSA and PTS programs that are sent to each of the payment brands? |
Jan 2013 |
#1212 |
What is the involvement of the PCI SSC on the compliance validation processes for PCI DSS assessments and scan reports? |
Jan 2013 |
#1211 |
To whom should media inquiries or requests for interviews about the PCI Security Standard Council be directed? |
Jan 2013 |
#1210 |
Are audio/voice recordings permitted to contain sensitive authentication data? |
Mar 2020 |
#1196 |
If I am deemed PCI DSS compliant today by one of the payment card brands, will the other brands in the PCI Security Standards Council recognize this designation of compliance and if so, what information must be put forth to achieve such recognition? |
Dec 2012 |
#1195 |
What is the difference between a Validated Payment Application which is shown on the PCI SSC website as 'Acceptable for New Deployments' and one which is shown as 'Acceptable only for Pre-Existing Deployments'? |
Dec 2012 |
#1183 |
The PA-DSS Program Guide says application version numbers may consist of a combination of fixed and variable alphanumeric characters. What does this mean? |
May 2015 |
#1182 |
Is it acceptable to make minor changes to a PA-DSS validated application and retain the existing version number? |
Nov 2012 |
#1181 |
How can I check whether a payment application is PA-DSS validated? |
Nov 2012 |
#1178 |
How do I reduce the scope of a PCI DSS assessment? |
Nov 2012 |
#1177 |
How does my company become a qualified assessor (QSA, PA-QSA, QSA (P2PE), PA-QSA (P2PE)), or Approved Scanning Vendor (ASV)? |
Nov 2012 |
#1176 |
How does an organization maintain compliance when a standard changes? |
Aug 2021 |
#1175 |
If a merchant is using a payment application listed as 'acceptable only for pre-existing deployments', is the merchant allowed to install more copies of the application? |
Nov 2012 |
#1174 |
For the list of Validated PA-DSS Applications, what is the difference between Revalidation Date and Expiry Date? |
Nov 2012 |
#1173 |
Who is qualified to perform PA-DSS assessments? |
Nov 2012 |
#1172 |
Does the Prioritized Approach replace the PCI DSS? |
Nov 2012 |
#1171 |
Is the Prioritized Approach mandatory? |
Nov 2012 |
#1170 |
How does the Prioritized Approach work? |
Nov 2012 |
#1169 |
What are the Council's requirements for QSA and ASV Companies to maintain a Quality Assurance (QA) manual? |
Oct 2012 |
#1168 |
What assurances does the Council provide regarding the quality of organizations assessing my systems for compliance with the PCI standards? |
Nov 2012 |
#1166 |
Which PCI PTS point-of-interaction (POI) devices can be used in a validated P2PE solution? |
Apr 2020 |
#1165 |
Are P2PE solution providers required to have their solutions validated and listed by the Council? |
Jun 2016 |
#1164 |
Is the PCI P2PE Standard applicable for merchants that have developed/implemented their own encryption solution? |
Apr 2020 |
#1163 |
Is a 'P2PE Assessor' required for a merchant's PCI DSS assessment if the merchant uses a Council-listed P2PE solution? |
Jun 2016 |
#1162 |
Can merchants use encryption solutions not listed on the PCI Council's website to reduce their PCI DSS validation effort? |
Apr 2020 |
#1158 |
What effect does the use of a PCI-listed P2PE solution have on a merchant's PCI DSS validation? |
Jun 2016 |
#1157 |
What should a merchant do if cardholder data is accidentally received via an unintended channel? |
Oct 2012 |
#1156 |
Are call center environments considered 'sensitive areas' for PCI DSS Requirement 9.1.1? |
Oct 2012 |
#1155 |
Which service provider category should I use for Part 2 of the PCI DSS Attestation of Compliance (AOC) for Service Providers? |
Jul 2015 |
#1154 |
Is pre-authorization account data in scope for PCI DSS? |
May 2014 |
#1153 |
How does PCI DSS apply to VoIP? |
Oct 2012 |
#1152 |
Can an entity be PCI DSS compliant if they have performed vulnerability scans at least once every three months, but do not have four “passing” scans? |
Jun 2023 |
#1147 |
What is the purpose of requiring consoles/PCs to become 'locked' after 15 minutes of idle time, per PCI DSS Requirement 8.1.8? |
Jul 2014 |
#1146 |
What is the difference between masking and truncation? |
Sep 2021 |
#1142 |
How do I contact the payment card brands? |
Nov 2021 |
#1141 |
Retired - What are the fines and penalties assessed to companies for non-compliance with the PCI DSS? |
|
#1140 |
Which Self-assessment Questionnaire (SAQ) should I complete? |
Jul 2015 |
#1139 |
Can I fax payment card numbers and still be PCI DSS Compliant? |
Aug 2014 |
#1138 |
Does PCI SSC provide a list of PCI DSS-compliant service providers? |
Mar 2020 |
#1137 |
How can I validate if a number is a legitimate credit card number? |
Jul 2012 |
#1136 |
Can the full payment card number be printed on the consumer's copy of the receipt? |
May 2014 |
#1135 |
Can VLANS be used for network segmentation? |
Jul 2012 |
#1134 |
What are the steps needed to perform a self assessment to validate compliance with PCI DSS? |
Jul 2015 |
#1133 |
Why are there multiple PCI DSS Self-assessment Questionnaires (SAQs)? |
Nov 2016 |
#1132 |
What is an Attestation of Compliance? |
Jul 2012 |
#1131 |
Does the council have a mapping between PCI DSS and ISO 27002 (formerly ISO 17799) or other standards? |
Jul 2012 |
#1130 |
Are operating systems that are no longer supported by the vendor non-compliant with the PCI DSS? |
Jun 2013 |
#1129 |
Does media containing cardholder data (for example, backup tapes or disks) need to be physically labeled as confidential for PCI DSS Requirement 9.6.1? |
May 2014 |
#1128 |
What happens if I'm using a PA-DSS validated payment application that is breached? |
Jul 2012 |
#1127 |
Is there opportunity to provide feedback on the PCI Council's standards? |
Jul 2012 |
#1126 |
How do I determine whether my business would be required to conduct an independent assessment or a self-assessment? |
Jul 2012 |
#1125 |
Are there any plans for PCI SSC to be a single point of contact for a merchant, financial institute or processor to send a PCI DSS compliance report to? |
Dec 2012 |
#1124 |
PCI DSS provides a common data security standard across all payment brands. Are there any plans to provide a common structure of penalties and/or fines for non-compliance to this standard? |
Jul 2012 |
#1123 |
In what way does the PCI Security Standards Council make payment card data more secure? |
Jul 2012 |
#1122 |
What is the scope of the PCI Security Standards Council's activities? |
Jul 2012 |
#1117 |
Are truncated Primary Account Numbers (PAN) required to be protected in accordance with PCI DSS? |
Sep 2021 |
#1115 |
How does PCI DSS apply to individual PCs or workstations? |
Jun 2012 |
#1096 |
When a QSA or ASV is newly approved, who is the contact at the PCI Security Standards Council to request a press release? |
Apr 2012 |
#1095 |
What will be the role of the PCI Security Standards Council in expanding the global coverage of both QSAs and ASVs? |
Jul 2012 |
#1094 |
Will the PCI Security Standards Council be involved in performing forensics investigations as a result of an account data compromise event? |
Apr 2012 |
#1093 |
Does Requirement 3.4 apply to mainframes? |
Apr 2012 |
#1092 |
Does PCI DSS apply to merchants who outsource all payment processing operations and never store, process or transmit cardholder data? |
Apr 2012 |
#1091 |
What are acceptable formats for truncation of primary account numbers? |
Jun 2022 |
#1089 |
Are hashed Primary Account Numbers (PAN) considered cardholder data that must be protected in accordance with PCI DSS? |
Apr 2012 |
#1088 |
What is meant by 'adequate network segmentation' in the PCI DSS? |
May 2014 |
#1087 |
For vulnerability scans, what is meant by “quarterly” or “at least once every three months”? |
Jul 2023 |
#1086 |
How does encrypted cardholder data impact PCI DSS scope? |
Aug 2016 |
#1085 |
Can unencrypted PANs be sent over e-mail, instant messaging, SMS, or chat? |
Aug 2022 |
#1084 |
What is the intent of PCI DSS Requirement 3.4.1? |
May 2014 |
#1083 |
What is the mission of the PCI Security Standards Council? |
Apr 2012 |
#1082 |
If a merchant has multiple processing environments, should the merchant complete multiple SAQs to validate their PCI DSS compliance? |
Jul 2015 |
#1081 |
Do PCI DSS Requirements 10.2 and 10.3 mean that both database and application logging are required? |
May 2014 |
#1080 |
Are administrators allowed to share passwords? |
Oct 2012 |
#1079 |
What is the definition of 'merchant'? |
Nov 2021 |
#1078 |
In what circumstances is multi-factor authentication required? |
Mar 2020 |
#1077 |
How extensive must background checks be for employees who have access to cardholder data? |
May 2014 |
#1076 |
Is it permissible to use FTP if proper security measures are implemented? |
May 2015 |
#1075 |
Is it permissible to use self-decrypting files for encryption to send cardholder data? |
May 2015 |
#1074 |
Is intrusion detection required if centralized log correlation is in place? |
May 2014 |
#1073 |
Do PCI DSS Requirements apply to Bluetooth technology? |
Aug 2022 |
#1072 |
What is the purpose of requiring account lockout, per PCI DSS Requirements 8.1.6 and 8.1.7? |
Jul 2014 |
#1071 |
Can the full credit card number be displayed within a browser window? |
May 2015 |
#1070 |
Are digital images containing cardholder data and/or sensitive authentication data included in the scope of the PCI DSS? |
Aug 2022 |
#1069 |
Does PCI DSS apply to paper with cardholder data (for example, receipts, reports, etc.)? |
Aug 2022 |
#1068 |
Are digital leased lines considered public or private? |
Aug 2022 |
#1067 |
What is meant by 'non-consumer users' in PCI DSS Requirement 8? |
May 2014 |
#1066 |
What is an 'inactive user account' as used in PCI DSS Requirement 8? |
Aug 2022 |
#1065 |
Should service providers demonstrate PCI DSS compliance as part of their client's assessment or in their own separate assessment? |
Jul 2015 |
#1064 |
What is a VT or Virtual Terminal? |
Apr 2012 |
#1063 |
Does SAQ C-VT replace SAQ C? |
Apr 2012 |
#1062 |
What is meant by a 'payment application' in Part 2d of the Attestation of Compliance? |
Jul 2015 |
#1061 |
Retired - How frequently will the PCI Security Standards Council update the PCI DSS and PA-DSS? |
|
#1060 |
How would an identified Denial of Service (DoS) vulnerability affect a company's ability to pass a PCI DSS vulnerability scan from an Approved Scanning Vendor (ASV)? |
Apr 2012 |
#1055 |
Should I complete the Prioritized Approach milestones in sequential order? |
Nov 2012 |
#1054 |
Does the PCI Security Standards Council provide information on security breaches, status of investigations, or PCI DSS compliance status? |
Mar 2017 |
#1053 |
Can a payment application that uses cryptographic keys hard-coded by the vendor be PA-DSS compliant if they cannot be changed by the customer? |
Apr 2012 |
#1052 |
Can a payment application that implements the same cryptographic keys across multiple installations be PA-DSS compliant? |
Apr 2012 |
#1051 |
Can application whitelisting be used to meet PCI DSS Requirement 5? |
Jul 2015 |
#1050 |
I make ATMs, what do I need to do for PTS? |
Jan 2014 |
#1046 |
Will the PCI Security Standards Council 'approve' my organization's implementation of compensating controls in my effort to comply with the PCI DSS? |
Apr 2012 |
#1045 |
Is MPLS considered a private or public network when transmitting cardholder data? |
May 2014 |
#1044 |
Do ISPs that provide only internet connection need to comply with the PCI DSS? |
Apr 2012 |
#1043 |
Is frame relay considered a private network and are there any encryption requirements? |
Apr 2012 |
#1042 |
Should cardholder data be encrypted while in memory? |
Apr 2012 |
#1041 |
What is the scope of a PCI DSS assessment for a network that is not segmented? |
Apr 2012 |
#1040 |
Is it required that all of a company's sites, even those located in other countries, must be included in the company's PCI DSS review? |
Apr 2012 |
#1039 |
Does PCI DSS apply to debit cards, debit payments, and debit systems? |
Nov 2021 |
#1038 |
Does PCI DSS apply to 'hot cards,' expired, cancelled or invalid card account numbers? |
Jul 2015 |
#1037 |
Do hosting providers have responsibility for liabilities/fines? |
Apr 2012 |
#1036 |
How can I provide feedback (negative or positive) about my QSA/ASV? |
Apr 2012 |
#1035 |
What is the definition of 'remote access'? |
Jun 2016 |
#1034 |
What are system-level objects, as identified in PCI DSS Requirement 10.2.7? |
May 2014 |
#1033 |
Can you provide clarification for logging/audit trail per PCI DSS requirements 10.2.5 and 10.2.6? |
May 2014 |
#1032 |
Can you provide clarification of PCI DSS requirement 10.3.6? |
May 2014 |
#1024 |
Is PCI DSS a global standard? |
Apr 2012 |
#1023 |
What are the requirements that have to be satisfied to be in compliance with the PCI Data Security Standard? |
Apr 2012 |
#1022 |
Do small merchants with limited transaction volumes need to comply with PCI DSS? |
Jul 2015 |
#1021 |
How much will it cost for a vendor to have their products validated to PA-DSS by a PA-QSA? |
Nov 2012 |
#1020 |
How does PA-DSS support a merchant's PCI DSS compliance? |
May 2014 |
#1019 |
If my business was deemed compliant but my system was still breached and payment account data compromised after the fact, what liability would my business incur? |
Apr 2012 |
#1018 |
Retired - Will the PCI Security Standards Council list compliant service providers and/or merchants on its Web site? |
|
#1017 |
How can my organization find assistance in completing the Self-Assessment Questionnaire? |
Apr 2012 |
#1016 |
Retired - I want to add input into this process. How do I become a member of the Council? |
|
#1015 |
What are the consequences to my business if I do not comply with the PCI DSS? |
Apr 2012 |
#1014 |
Do QSAs and ASVs need to send reports of compliance (ROCs) or scanning results to the PCI Security Standards Council directly? |
Apr 2012 |
#1011 |
Once my business has been determined to be compliant by a QSA, would I or the QSA need to communicate this fact to the PCI Security Standards Council? |
Apr 2012 |
#1009 |
In case of a suspected breach, should the PCI Security Standards Council be contacted directly? |
Apr 2012 |
#1004 |
Does the PCI Security Standards Council enforce compliance? |
Apr 2012 |
#1003 |
Where is the PCI Security Standards Council located? |
Apr 2012 |