Where can I find the current version of PCI DSS?
The current version of PCI DSS can be found in the PCI SSC Document Library. All retired versions are also available as archived documents in the Document Library.
Compliance …
Recent FAQ Changes RSS
Latest changes to PCI SSC frequently asked questions.
When should an entity implement PCI DSS requirements noted as best practices until a future date?
Updates to PCI DSS are intended to address evolving threats in the payments ecosystem, therefore, entities are strongly encouraged to complete their transition to the most current PCI DSS version, …
What is meant by "At-Risk Timeframe" and at risk referenced in the Final PFI Report?
The At-Risk Timeframe refers to the period of time data elements, such as account data, were at risk for this Entity Under Investigation during the incident under investigation. A data …
For PCI DSS, can multi-factor authentication (MFA) implementations indicate the success of a factor prior to presentation of subsequent factors?
Yes. PCI DSS v4.x requires the success of all authentication factors before access is granted. However, it is acceptable under PCI DSS to indicate that one factor has been successful …
Does PCI DSS Requirement 8.2.2 allow users to share authentication credentials?
Yes, but use of any shared authentication credentials such as group, shared, or generic IDs (including for administrator accounts such as admin or root) must be prevented unless needed …
What is the completion date for PCI DSS assessments documented in a Report on Compliance and its related Attestations of Compliance?
For PCI DSS assessments documented in a Report on Compliance (ROC), the Date of Report is considered the completion date for the PCI DSS assessment. This denotes the date when …
What is the completion date for PCI DSS assessments documented in a Self-Assessment Questionnaire and its related Attestations of Compliance?
For PCI DSS assessments documented in a Self-Assessment Questionnaire (SAQ), the Self-Assessment completion date denotes the date the PCI DSS self-assessment was completed, either by the entity, or, if applicable, …
How does PCI DSS Requirement 6.4.3 apply to 3DS scripts called from a merchant check-out page as part of 3DS processing?
The objective of PCI DSS Requirement 6.4.3 is to ensure that unauthorized code cannot be executed in the payment page as it is rendered in the consumer's browser.
In …
Is the expectation that any PFI investigation initiated must result in a PFI Final Report?
Yes, a PFI Final Report is required. The expectation is that the PFI must complete the merchant's PFI Investigation and produce the Final PFI Report, with details of adequate evidence …
Is the expectation that any PFI investigation initiated must result in a PFI Final Report?
Yes, a PFI Final Report is required. The expectation is that the PFI must complete the merchant’s PFI Investigation and produce the Final PFI Report, with details of adequate evidence …