Is sampling allowed in PCI DSS v4.0?
Yes. Assessors have two options when performing PCI DSS testing procedures; they can either: 1) test a representative sample of the population according to the assessor's defined sampling methodology, or …
Latest changes to PCI SSC frequently asked questions.
An initial assessment means an entity has never undergone a prior PCI DSS assessment that resulted in the submission of a compliance validation document. Examples of validation documents include an …
Merchants and service providers should always consult with their acquirer (merchant bank) or payment brand directly, as applicable, to confirm their PCI DSS validation and reporting method (for example, whether …
Yes. The PCI DSS Attestation of Compliance is intended to be shared externally to requesting entities, according to applicable Participating Payment Brand rules and as noted in the Qualified Security …
There are several PCI DSS requirements that specify performance upon a significant change in an entity's environment. While what constitutes a significant change is highly dependent on the configuration of …
Yes, an entity may redact sensitive information from their PCI DSS Attestation of Compliance (AOC), providing that the resulting document contains, unredacted, all information relevant to the purpose for which …
Entities should always contact their acquirer or the payment brands directly for information about their compliance programs and reporting requirements. Contact details for the payment brands can be found in …
Where a future-dated requirement has not yet been implemented by an entity and the Report on Compliance (ROC) or Self-Assessment Questionnaire (SAQ) is completed prior to the effective date of …
No. The period for which an entity's PCI DSS assessment result is valid does not change if the standard against which the entity was assessed has been retired. However, how …
Yes. However, regardless of how the QSA obtains evidence to support a PCI DSS assessment, the QSA conducting the PCI DSS assessment has the ultimate responsibility for their client's assessment …