No, due to the variability of scope coverage and assessor validation procedures, a QSA cannot rely on reports from other attestation engagements (like SOC 2 or SOC 3) for a …
Compliance-accepting entities (typically, payment brands and acquirers) are responsible for determining the PCI DSS validation and reporting methods of their merchants and service providers, including how compliance is to be …
Compliance questions, including questions about whether it is acceptable to submit a PCI DSS v3.2.1 assessment report after that standard’s retirement date of 31 March 2024, should be directed to …
The current version of PCI DSS is v4.0. PCI DSS v3.2.1 is also valid through 31 March 2024, after which that version will be retired. After 31 March 2024, PCI DSS …
Yes, providing that the Attestation of Compliance (AOC) includes all information relevant to the services offered to customers. The level of detail provided in an AOC to customers might be …
FTP is considered an insecure protocol as it does not provide protection for its communication channel or logon details. PCI DSS Requirement 1 states that network security controls (NSCs), such …
The intent of the PCI DSS logging requirements is to provide a complete record of who did what, where, when, and how, so it can be used for investigation in …
Although log correlation is a valuable tool in a company's information security strategy, it does not replace intrusion detection mechanisms, such as IDS/IPS. Intrusion detection mechanisms provide proactive detection of …
Whether an MPLS network can be considered a private network is dependent upon the specific provider and configuration of that network. The implementation would need to be evaluated to determine …
If the cardholder data is stored in non-persistent memory (e.g. RAM), encryption of cardholder data is not required. However, proper controls must be in place to ensure that memory maintains …