Recent FAQ Changes

❓ FAQ 1093 Updated 2025-06-11T14:55:00+00:00

Do PCI DSS requirements for protecting stored cardholder data apply to mainframes?

Yes. PCI DSS Requirement 3.5.1 applies to mainframes that store cardholder data. If a company has legitimate business or technical constraints in meeting this or any other requirement, compensating controls …

❓ FAQ 1092 Updated 2025-06-11T14:54:59+00:00

Does PCI DSS apply to merchants who outsource all payment processing operations and never store, process or transmit cardholder data?

Yes. PCI DSS is intended for any entity that stores, processes, or transmits cardholder data — regardless of whether these activities are conducted directly or by a third-party service provider.

…

❓ FAQ 1597 New 2025-05-28T09:17:10+00:00

What are the expectations for entities when assigning risk rankings to vulnerabilities and resolving or addressing those vulnerabilities?

There are several PCI DSS requirements that govern vulnerability management and reference related timeframes. These requirements are described under the general topics of 1) identifying and risk ranking vulnerabilities, and …

❓ FAQ 1331 Updated 2025-05-23T09:27:57+00:00

Can SAQ eligibility criteria be used as a guide for determining applicability of PCI DSS requirements for merchant assessments documented in a Report on Compliance?

Service providers cannot use SAQ eligibility criteria to determine applicability of PCI DSS requirements for assessments documented in a Report on Compliance (ROC). The only acceptable SAQ for service providers …

❓ FAQ 1596 New 2025-05-14T15:33:16+00:00

Is phishing-resistant authentication alone acceptable as multi-factor authentication for PCI DSS Requirements 8.4.1 and 8.4.3?

No, phishing-resistant authentication cannot be used without an additional authentication factor to meet Requirements 8.4.1 or 8.4.3 because of the increased risk with these types of access.

Use of …

❓ FAQ 1595 New 2025-05-14T15:33:03+00:00

Are passkeys synced across devices, implemented according to the FIDO2 requirements, acceptable for use as phishing-resistant authentication to meet PCI DSS Requirement 8.4.2?

Yes. Passkeys synced across devices (also called synced passkeys), implemented according to the FIDO2 requirements, are considered phishing-resistant authentication, and may be used as a single authentication factor in place …

❓ FAQ 1593 New 2025-03-26T15:36:10+00:00

How should PCI DSS v4.x requirements noted as superseded by another requirement be reported after 31 March 2025?

After 31 March 2025, superseded requirements should be marked as Not Applicable (N/A) in a Report on Compliance (ROC) or Self-Assessment Questionnaire (SAQ).

Three PCI DSS v4.x requirements include …

❓ FAQ 1592 New 2025-03-26T15:35:57+00:00

Are providers of third-party scripts for e-commerce environments considered third-party service providers for PCI DSS Requirements 12.8 and 12.9?

A provider of third-party scripts is not considered a third-party service provider (TPSP) for PCI DSS Requirements 12.8 and 12.9 as part of an entity’s assessment of the entity’s e-commerce …

❓ FAQ 1591 New 2025-03-26T15:32:04+00:00

Why do requirements 8.3.9 and 8.3.10.1 focus on passwords/passphrases used for single-factor authentication, when multi-factor authentication is required for all access into the CDE?

PCI DSS Requirement 8.4.2 for multi-factor authentication (MFA) is not mandatory for access to in-scope system components outside of the CDE. If a user’s access to a system component can …

❓ FAQ 1590 New 2025-03-26T15:31:46+00:00

Do PCI DSS Requirements 8.3.9 and 8.3.10.1 apply to all system components?

No. PCI DSS Requirements 8.3.9 and 8.3.10.1 do not apply to in-scope system components where multi-factor authentication (MFA) is used.

Requirements 8.3.9 and 8.3.10.1 apply if passwords/passphrases are used …

Recent FAQ Changes RSS