Is the cardholder in scope for PCI DSS?
No.
Recent FAQ Changes RSS
Latest changes to PCI SSC frequently asked questions.
How does an e-commerce merchant meet the SAQ A eligibility criteria for scripts?
This FAQ is only intended to clarify the specific SAQ A eligibility criteria called out below. The contents of this FAQ should not be interpreted to impact or contradict any …
How are third-party service providers (TPSPs) expected to demonstrate PCI DSS compliance for TPSP services that meet customers’ PCI DSS requirements or may impact the security of a customer’s cardholder data and/or sensitive authentication data?
A TPSP is expected to provide evidence of compliance with applicable PCI DSS requirements.
If the TPSP undergoes its own PCI DSS assessment, it is expected to provide sufficient …
What should an entity do if its PCI DSS assessment will not be complete prior to that standard's retirement date?
Compliance questions, including questions about whether it is acceptable to submit a PCI DSS assessment report after that standard's retirement date, should be directed to organizations that manage compliance programs …
Where can I find the current version of PCI DSS?
The current version of PCI DSS can be found in the PCI SSC Document Library. All retired versions are also available as archived documents in the Document Library.
Compliance …
When should an entity implement PCI DSS requirements noted as best practices until a future date?
Updates to PCI DSS are intended to address evolving threats in the payments ecosystem, therefore, entities are strongly encouraged to complete their transition to the most current PCI DSS version, …
What is meant by "At-Risk Timeframe" and at risk referenced in the Final PFI Report?
The At-Risk Timeframe refers to the period of time data elements, such as account data, were at risk for this Entity Under Investigation during the incident under investigation. A data …
For PCI DSS, can multi-factor authentication (MFA) implementations indicate the success of a factor prior to presentation of subsequent factors?
Yes. PCI DSS v4.x requires the success of all authentication factors before access is granted. However, it is acceptable under PCI DSS to indicate that one factor has been successful …
Does PCI DSS Requirement 8.2.2 allow users to share authentication credentials?
Yes, but use of any shared authentication credentials such as group, shared, or generic IDs (including for administrator accounts such as admin or root) must be prevented unless needed …
What is the completion date for PCI DSS assessments documented in a Report on Compliance and its related Attestations of Compliance?
For PCI DSS assessments documented in a Report on Compliance (ROC), the Date of Report is considered the completion date for the PCI DSS assessment. This denotes the date when …