How do I contact the payment card brands?
Contact details for the payment brands are provided below:
American Express
- Website: http://www.americanexpress.com/datasecurity
- Email: AmericanExpressCompliance@trustwave.com
Discover - Website: …
Recent FAQ Changes RSS
Latest changes to PCI SSC frequently asked questions.
How do I contact the payment card brands?
Contact details for the payment brands are provided below:
American Express
- Website: www.americanexpress.com/datasecurity
- Email: AmericanExpressCompliance@trustwave.com
Discover - Website: http://www.discovernetwork.com/merchants/data-security/index.html - …
Is MPLS considered a private or public network when transmitting cardholder data?
Whether an MPLS network can be considered a private network is dependent upon the specific provider and configuration of that network. The implementation would need to be evaluated to determine …
Is intrusion detection required if centralized log correlation is in place?
Although log correlation is a valuable tool in a company?s information security strategy, it is not a replacement for intrusion detection mechanisms, such as IDS/IPS. Intrusion detection mechanisms provide proactive …
What are the PCI DSS requirements regarding transmission of cardholder data via Bluetooth technology?
PCI DSS Requirement 4.1 states that strong cryptography and security protocols must be used to safeguard sensitive cardholder data during transmission over open, public networks. Bluetooth technology is included in …
What is the purpose of requiring consoles/PCs to become ?locked? after 15 minutes of idle time, per PCI DSS Requirement 8.1.8?
The intent of this requirement is to prevent an unauthorized person from using an unattended console/PC to gain access to the user’s computer and accounts, and potentially to the company’s …
Are digital leased lines considered public or private?
For PCI DSS Requirement 4.1, digital leased lines are generally considered to be private since they are dedicated to the individual customer’s traffic.
This determination, however, is dependent upon …
What is an "inactive user account" as used in PCI DSS Requirement 8.1.4?
An inactive user account is one that has not been used in over 90 days. Inactive accounts are often targets for attackers since they are generally not monitored, and changes …
Is it permissible to use FTP if proper security measures are implemented?
FTP is considered an insecure protocol as it does not provide protection for its communication channel or logon details.
PCI DSS Requirement 1.1.6 states that firewalls and router configurations …
Is it permissible to use self-decrypting files for encryption to send cardholder data?
PCI DSS Requirement 4.1 states that transmission of cardholder data over an open or public network must be secured using strong cryptography and security protocols. Examples provided in the requirement …