Recent FAQ Changes

❓ FAQ 1223 New 2011-10-06T00:00:00+00:00

Does PCI DSS, PA-DSS, or PTS apply to ATMs?

PCI DSS applies to any entity that stores, processes, or transmits cardholder data, the Payment Application Data Security Standard (PA-DSS) applies to payment applications that store, process, or transmit cardholder …

❓ FAQ 1210 New 2011-10-03T00:00:00+00:00

Are audio/voice recordings permitted to contain sensitive authentication data?

PCI SSC FAQ's are designed to provide merchants, assessors, acquirers and other Council stakeholders with clear and timely guidance on PCI standards. They are a critical two way communication channel …

❓ FAQ 1146 New 2011-09-29T00:00:00+00:00

What is the difference between masking and truncation?

Masking is addressed in PCI DSS Requirement 3.3, whereas truncation is one of several options specified to meet PCI DSS Requirement 3.4. Masking and truncation are both methods of rendering …

❓ FAQ 1092 New 2011-09-29T00:00:00+00:00

Does PCI DSS apply to merchants who outsource all payment processing operations and never store, process or transmit cardholder data?

PCI DSS applies to any entity that stores, processes or transmits cardholder data.

If a merchant outsources all their payment operations, the applicable PCI DSS requirements for the protection …

❓ FAQ 1090 New 2011-09-27T00:00:00+00:00

What are acceptable formats for masking of primary account numbers (PAN)?

PCI DSS Requirement 3.3 specifies that PAN is masked when displayed and that a maximum of the first 6 and last 4 digits of the PAN can be displayed. Note …

❓ FAQ 1212 New 2011-03-31T00:00:00+00:00

What is the involvement of the PCI SSC on the compliance validation processes for PCI DSS assessments and scan reports?

While the PCI Security Standards Council (PCI SSC) manages the security standards and provides training for security assessors, we do not enforce compliance or define validation reporting requirements. Compliance validation …

❓ FAQ 1229 New 2011-03-28T00:00:00+00:00

What is SAQ C-VT?

SAQ C-VT is a self-assessment questionnaire designed for brick-and-mortar (card-present) or mail/telephone-order (card-not-present) merchants that process cardholder data via virtual terminals on personal computers connected to the Internet, and that …

❓ FAQ 1177 New 2011-03-08T00:00:00+00:00

How does my company become a qualified assessor (QSA, PA-QSA, QSA (P2PE), PA-QSA (P2PE)), or Approved Scanning Vendor (ASV)?

The PCI Security Standards Council (PCI SSC) maintains a robust evaluation and qualification program for approved security assessors and scanning vendors. Information on becoming a qualified assessor or scan vendor …

❓ FAQ 1063 New 2011-03-08T00:00:00+00:00

Does SAQ C-VT replace SAQ C?

SAQ C-VT does not replace SAQ C. Each SAQ is designed to support a different type of cardholder data environment. At a high level, SAQ C is intended for merchants …

❓ FAQ 1064 New 2011-03-08T00:00:00+00:00

What is a VT or Virtual Terminal?

A virtual terminal is web browser-based access to an acquirer, processor or third party service provider website to authorize payment card transactions over the Internet, where the merchant manually enters …

Recent FAQ Changes RSS