Recent Updates
The latest changes across all tracked PCI resources.
The Prioritized Approach Tool for PCI DSS v3.2 includes an update to the built-in formulas to remove “N/A” (Not Applicable) responses from the Percent Complete calculation. Previously, a response of …
The term “two-factor” was replaced with the term “multi-factor” in several requirements in PCI DSS v3.2 (Requirements 8.3, 8.3.1, 8.3.2, and 8.5.1). The intent of this change was to use …
The current version of PA-DSS is v3.2. Effective 1 September 2016, all new payment applications must be validated using PA-DSS v3.2.
New payment application validations and High Impact Changes …
No. There are no PCI DSS requirements that apply to manual imprinters (also known as “zip-zap” and “knuckle-buster” machines). They are not card reading devices as defined in Requirement 9.9, …
PCI DSS Requirement 9.1.1 addresses the need for video cameras and/or access control mechanisms to monitor individual physical access to sensitive areas. “Sensitive areas” refers to any data center, server …
The intent of PCI DSS requirement 10 is to ensure organizations have the necessary logs in place to provide an accurate and unaltered record of what has taken place within …
PCI DSS is the standard for merchants and service providers to protect cardholder data. The PA-DSS and PTS device security requirements support the overall implementation of PCI DSS by allowing …
Whether a particular whitelisting implementation can meet PCI DSS Requirement 5 will depend on the specific implementation. The intent of Requirement 5 is to detect, remove and protect system components …
The PCI Security Standards Council (PCI SSC) maintains a robust evaluation and qualification program for approved security assessors and scanning vendors. Information on becoming a qualified assessor or scan vendor …
The intent of the one primary function per server requirement (Requirement 2 of the PCI DSS) is to ensure that your organization’s system configuration standards and related processes address server …
The intent of this requirement is to address the acceptability of disk encryption for rendering cardholder data unreadable. Disk encryption encrypts data stored on a computer’s mass storage and automatically …
The role of the Advisory Board will be to provide strategic and technical guidance to the PCI Security Standards Council, reflecting different stakeholder perspectives. The Advisory Board does not have …
The term “remote access” refers to access to a computer network from a location outside of that network. Examples of remote access include access from the Internet, an “untrusted” network …
PCI DSS Requirement 3.3 states that PAN must be masked when displayed (the first six and last four digits are the maximum number of digits to be displayed) such that …