PCI Watch - Tracking changes across the Payment Card Industry

❓ PCI SSC FAQs FAQ #1598 New 2025-06-26T19:20:22+00:00

Are Approved Scanning Vendors and Qualified Security Assessors considered third-party service providers for PCI DSS Requirements 12.8 and 12.9?

No, Approved Scanning Vendors (ASVs) and Qualified Security Assessors (QSAs) are not considered third-party service providers (TPSPs) for purposes of PCI DSS Requirements 12.8 and 12.9, if an ASV or …

❓ PCI SSC FAQs FAQ #1572 Updated 2025-06-26T19:16:07+00:00

Can a compensating control be used for requirements with a periodic or defined frequency, where an entity did not perform the activity within the required timeframe?

No.

Several PCI DSS requirements specify that a security activity is to be performed periodically or at a defined frequency. If an entity fails to perform the control on …

📣 PCI SSC Communications Blog New 2025-06-23T17:37:37+00:00

Coffee with the Council Podcast: Meet This Year’s North America Community Meeting Keynote Speaker, Reed Timmer

This episode of Coffee with the Council is brought to you by our podcast sponsor, Feroot.

Welcome to our podcast series, Coffee with the Council. I'm Alicia …

📣 PCI SSC Communications Blog New 2025-06-18T13:56:15+00:00

Welcome Our Newest Associate Participating Organizations

We are pleased to welcome the newest organizations that have joined as Associate Participating Organizations of the PCI Security Standards Council (PCI SSC). These organizations play a crucial role in …

📣 PCI SSC Communications Blog New 2025-06-17T14:57:55+00:00

Join Us at the Payment Industry Event of the Year

Registration is now open for the PCI Security Standards Council’s 2025 Community Meetings! Register now and secure your experience filled with sessions led by industry experts, exciting keynotes, networking …

📣 PCI SSC Communications Industry Bulletin New 2025-06-17T13:00:14+00:00

PCI Security Standards Council Bulletin: Extension of Expiration of the PCI PTS POI v6 Security Requirements and Approvals

📘 PCI SSC Document Library PTS Updated 2025-06-17T07:00:00+00:00

Device Testing and Approval Program Guide

Updated version published, replaces version from 2024-04-03T07:00:00+00:00

📣 PCI SSC Communications Global Content Library New 2025-06-17T00:00:00+00:00

Save the Date: 2025 Community Meetings

PCI SSC Community Meetings bring together the brightest minds in payment security. Don’t miss the opportunity to collaborate and learn about the lates...

📣 PCI SSC Communications Blog New 2025-06-16T14:40:39+00:00

Request for Comments: PCI Key Management Operations (KMO) v1.0 Standard

From 16 June to 18 July, eligible PCI SSC stakeholders are invited to review and provide feedback on the draft PCI Key Management Operations (KMO) v1.0 Standard during a 30-day …

❓ PCI SSC FAQs FAQ #1447 Updated 2025-06-11T14:59:19+00:00

How often must service providers test penetration testing segmentation controls under PCI DSS?

PCI DSS Requirement 11.4.6 requires service providers that use segmentation to isolate the cardholder data environment (CDE) from other networks to perform penetration tests on those segmentation controls at least …

❓ PCI SSC FAQs FAQ #1319 Updated 2025-06-11T14:59:01+00:00

Are merchants allowed to request card-verification codes/values from cardholders?

Yes. Card verification codes/values (e.g., CVV2, CVC2, CID, or CAV2) are commonly requested during card-not-present (CNP) transactions such as e-commerce or mail order/telephone order (MOTO) to help verify that the …

❓ PCI SSC FAQs FAQ #1318 Updated 2025-06-11T14:58:25+00:00

What is the maximum period of time that cardholder data can be stored?

PCI DSS does not define a specific maximum or minimum length of time for which cardholder data can be stored. PCI DSS Requirement 3.2.1 requires entities to implement data retention …

❓ PCI SSC FAQs FAQ #1308 Updated 2025-06-11T14:58:15+00:00

How can an entity ensure that hashed and truncated versions cannot be correlated?

PCI DSS Requirement 3.5.1 states that if hashed and truncated versions of the same PAN, or different truncation formats, are present in the environment, additional controls must be implemented to …

❓ PCI SSC FAQs FAQ #1281 Updated 2025-06-11T14:57:47+00:00

Are point-of-interaction devices required to be physically secured (for example, with a cable or tether) to prevent removal or substitution to meet PCI DSS Requirement 9.5?

No. PCI DSS does not require that point-of-interaction (POI) devices be physically attached or fixed in place. However, Requirements under Requirement 9.5.1 require controls to detect and prevent tampering or …

📘 PCI SSC Document Library PTS Updated 2025-06-10T07:00:00+00:00

PTS HSM Technical Frequently Asked Questions

Updated version published, replaces version from 2025-06-10T07:00:00+00:00

Recent Updates RSS