What is the role of the Advisory Board?
The role of the Advisory Board will be to provide strategic and technical guidance to the PCI Security Standards Council, reflecting different stakeholder perspectives. The Advisory Board does not have …
Latest changes to PCI SSC frequently asked questions.
To minimize changes to the standards, the PCI Security Standards Council (PCI SSC) has established a lifecycle approach for PCI DSS and PA-DSS, where major version changes to the standards …
Traditional PCI DSS compliance may not apply to payment application vendors since most vendors do not store, process, or transmit cardholder data. However, because these payment applications are used by …
Although log correlation can be a valuable tool in a company's information security strategy, it is not a replacement for an intrusion detection system. The IDS wording in PCI DSS …
The PCI DSS requirement 4.1 states "use strong cryptography and security protocols such as SSL/TLS/IPSEC to safeguard sensitive cardholder data during transmission over open, public networks." While …
The intent of PCI DSS requirement 8.5.14 is to lock out accounts due to suspicious activity, to prevent a malicious user from gaining access to users’ accounts, by continually trying …
PCI DSS requirement 3.3 requires that the PAN be masked when it is displayed (for example, on screens, logs, reports, receipts), unless the viewing party has a specific need to …
Forms and images containing cardholder data are subject to the PCI DSS. PCI DSS requirement 3.4 requires that all cardholder data be rendered unreadable. It does not differentiate between how …
PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted by any media, including paper records. PCI DSS requirements 9.6 through 9.10 specifically address …
For PCI DSS requirement 4.1, digital leased lines are considered to be private since they are dedicated to the individual customer’s traffic.