Recent Updates
The latest changes across all tracked PCI resources.
The AI Exchange: Innovators in Payment Security Featuring SISA

Welcome to the PCI Security Standards Council’s blog series, The AI Exchange: Innovators in Payment Security. This special, ongoing feature of our PCI Perspectives blog offers a resource for …
Meet the Council’s New Director, Training Programs

The PCI Security Standards Council (PCI SSC) is pleased to welcome its newest team member, Emily Wilder, Director, Training Programs. As Director, Training Programs, Emily serves as the …
Request for Comments: PCI Key Management Operations (KMO) v1.0 Standard

From 24 November to 9 January, eligible PCI SSC stakeholders are invited to review and provide feedback on the draft PCI Key Management Operations (KMO) v1.0 Standard during …
PCI SSC Publishes Mobile Payments on COTS (MPoC) Guidance Document

The PCI Security Standards Council (PCI SSC) has published a Mobile Payments on Commercial Off-The-Shelf (MPoC) Guidance Document, a new resource developed to support consistent interpretation and …
How do individuals obtain examination accommodation or adjustments for PCI SSC programs?
Individuals with a physical or mental impairment, or a limitation described as a disability under the Americans with Disabilities Act (ADA) or other applicable law, may request examination accommodations or …
Are OEMs and/or hardware/software resellers considered third-party service providers for PCI DSS Requirements 12.8 and 12.9?
Original equipment manufacturers (OEMs) and equipment resellers may provision equipment initially for the cardholder data environment (CDE), but once the equipment has been provisioned, they may no longer be involved …
What is the purpose of PCI DSS Requirement 8.2.8, which requires users to reauthenticate after 15 minutes of idle time?
The intent of this requirement is to prevent an unauthorized person from using an unattended console/PC to gain access to the user's computer and accounts, and potentially to the company's …
What is the impact if an entity uses a third-party service provider (TPSP) to meet a PCI DSS requirement(s), when that TPSP’s PCI DSS assessment completion date is close to a year ago, as documented in the TPSP’s Attestation of Compliance (AOC)?
Any evidence reviewed as part of a PCI DSS assessment, where the assessor deems it to be valid when it is reviewed, remains valid for that assessment and does not …
How does my company become a qualified assessor (QSA, PA-QSA, QSA (P2PE), PA-QSA (P2PE)), or Approved Scanning Vendor (ASV)?
The PCI Security Standards Council (PCI SSC) maintains a robust evaluation and qualification program for approved security assessors and scanning vendors. Information on becoming a qualified assessor or scan vendor …
What is the relationship between the PCI Data Security Standard and the Payment Application Data Security Standard and PTS Device Security Requirements?
PCI DSS is the standard for merchants and service providers to protect cardholder data. The PA-DSS and PTS device security requirements support the overall implementation of PCI DSS by allowing …
How does PA-DSS support a merchant's PCI DSS compliance?
The PA-DSS details the requirements a payment application must meet in order to facilitate a customer’s PCI DSS compliance. PA-DSS validated payment applications, when implemented in a PCI DSS-compliant environment, …
What is the intent of PCI DSS Requirement 3.4.1?
The intent of this requirement is to address the acceptability of disk encryption for rendering cardholder data unreadable. Disk encryption encrypts data stored on a computer’s mass storage and automatically …
Are manual imprinter machines in scope for PCI DSS requirements?
No. There are no PCI DSS requirements that apply to manual imprinters (also known as “zip-zap” and “knuckle-buster” machines). They are not card reading devices as defined in Requirement 9.9, …