Recent FAQ Changes

❓ FAQ 1175 Deleted 2026-06-05T14:01:13.006892+00:00

If a merchant is using a payment application listed as 'acceptable only for pre-existing deployments', is the merchant allowed to install more copies of the application?

Compliance validation programs are managed by the individual payment brands, not by the PCI Security Standards Council. Payment brand validation programs may include whether certain applications must be PA-DSS validated, …

❓ FAQ 1178 Deleted 2026-06-05T14:01:13.006892+00:00

How do I reduce the scope of a PCI DSS assessment?

Network segmentation of, or isolating (segmenting), the cardholder data environment from the remainder of an entity's network is strongly recommended as a method that may reduce the scope of a …

❓ FAQ 1166 Deleted 2026-06-05T14:01:13.006892+00:00

Which PCI PTS point-of-interaction (POI) devices can be used in a validated P2PE solution?

The PCI P2PE Standard and Program require the use of a PTS-approved (non-expired) point-of-interaction (POI) device, which has been evaluated and approved via the PCI PTS program with SRED (secure …

❓ FAQ 1604 New 2026-06-05T09:15:37+00:00

Do ASV scans in SAQ A apply to merchants with webpages that redirect to TPSPs or include TPSPs’ embedded iframes?

Yes. SAQ A for PCI DSS v4.x includes requirements for external vulnerability scanning by a PCI SSC Approved Scanning Vendor (ASV) for merchant e-commerce webpages, even where payment processing is …

❓ FAQ 1128 Deleted 2026-03-31T00:03:19.016691+00:00

What happens if I'm using a PA-DSS validated payment application that is breached?

Events such as these should be accounted for in any service contract you sign with a software vendor. The Council requires that approved PA-QSAs carry appropriate liability insurance.

❓ FAQ 1174 Deleted 2026-03-31T00:03:19.016691+00:00

For the list of Validated PA-DSS Applications, what is the difference between Revalidation Date and Expiry Date?

Revalidation Date: Annually, the software vendor is required to revalidate by completing Part 3b of the Attestation of Validation form, confirming that no changes have been made to the application …

❓ FAQ 1213 Deleted 2026-03-31T00:03:19.016691+00:00

Are there any plans to standardize the reporting requirements (reports) for the PCI DSS, PA-DSS, ASV, QSA and PTS programs that are sent to each of the payment brands?

The PCI Security Standards Council (PCI SSC) mission is to develop, maintain and build awareness around the standards and supporting programs. Additionally, the PCI SSC strives to ensure that implementing …

❓ FAQ 1263 Deleted 2026-03-31T00:03:19.016691+00:00

Recent FAQ Changes RSS