PCI DSS
Updated version published, replaces version from
Recent Updates RSS
The latest changes across all tracked PCI resources.
Just Published: PCI DSS v4.0.1
To address stakeholder feedback and questions received since PCI DSS v4.0 was published in March 2022, the PCI Security Standards Council (PCI SSC) has published a limited revision to the …
What is the scope of a PCI DSS assessment for service providers that can impact the security of payment account data, if the service provider does not directly store, process, or transmit payment account data?
The scope of a PCI DSS assessment for service providers that can impact the security of payment account data (which consists of cardholder data and/or sensitive authentication data), but which …
Is the expectation that any PFI investigation initiated must result in a PFI Final Report?
Yes, a PFI Final Report is required. The expectation is that the PFI must complete the merchant’s PFI Investigation and produce the Final PFI Report, with details of adequate evidence …
Is the expectation that any PFI investigation initiated must result in a PFI Final Report?
Yes, a PFI Final Report is required. The expectation is that the PFI must complete the merchant?s PFI Investigation and produce the PFI Final Report, with details of adequate evidence …
Does PCI DSS apply to service providers that can impact the security of payment account data, if the service provider does not directly store, process, or transmit payment account data?
Yes. PCI DSS is intended for all entities that store, process, or transmit cardholder data and/or sensitive authentication data or could impact the security of payment account data (which consists …
Is the expectation that any PFI investigation initiated must result in a PFI Final Report?
Yes, a PFI Final Report is required. The expectation is that the PFI must complete the merchant?s PFI Investigation and produce the PFI Final Report, with details of adequate evidence …
Is the expectation that any PFI investigation initiated must result in a PFI Final Report?
Yes, a PFI Final Report is required. The expectation is that the PFI must complete the merchant’s PFI Investigation and produce the Final PFI Report, with details of adequate evidence …
Can service providers use eligibility criteria from a merchant Self-Assessment Questionnaire (SAQ) to determine applicable PCI DSS requirements for the service provider’s assessment?
No. It was never the intent that a service provider uses a merchant SAQ to determine applicable requirements for a service provider's PCI DSS assessment. The only correct SAQ for …
Is the expectation that any PFI investigation initiated must result in a PFI Final Report?
Yes, a PFI Final Report is required. The expectation is that the PFI must complete the merchant?s PFI Investigation and produce the PFI Final Report, with details of adequate evidence …
New Standards Section Completes Phase Two of PCI SSC Website Redesign
The PCI Security Standards Council (PCI SSC) is pleased to announce the completion of the second phase of our website redesign which began in 2022. Phase Two features the introduction …
QSA Program Guide
Version: V4.1
Files: 2 files in 2 versions
Document unarchived
Files: 2 files in 2 versions
Document unarchived
Qualification Requirements for QSAs
Version: V4.2
Files: 4 files in 4 versions
Document unarchived
Files: 4 files in 4 versions
Document unarchived
Request for Comments: PCI PTS POI Modular Security Requirements v7.0
From 21 May to 21 June, eligible PCI SSC stakeholders are invited to review and provide feedback on the draft PCI PIN Transaction Security (PTS) Point of Interaction (POI) Modular …
Request for Comments: Mobile Payments on COTS (MPoC) v1.1
From 20 May to 20 June, eligible PCI SSC stakeholders are invited to review and provide feedback on the draft Mobile Payments on COTS (MPoC) v1.1 during a 30-day request …