PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted by any media, including paper records. PCI DSS requirements 9.6 through 9.10 specifically address …
PCI DSS requirement 8.5 requires all user passwords be securely managed. These requirements apply to all non-consumer users (not the cardholder) and administrators, not to credentials supplied by applications or …
An inactive user is one whose account has not been used in over 90 days. Note that section 8.5 requirements only apply to “non-consumer users” or those individuals that access …
Per the Scope of Assessment section of the PCI DSS Requirements and Security Assessment Procedures, there are two options for hosting providers and other third-party providers to validate compliance:
While some ASVs may report DoS vulnerabilities as relatively high risks, the PCI SSC has clearly instructed ASVs to not consider this vulnerability when determining compliance of the ASV scan …
If the cardholder data is stored in non-persistent memory (e.g. RAM), encryption of cardholder data is not required. However, proper controls must be in place to ensure that memory maintains …
Without proper network segmentation to isolate the systems that store, process or transmit cardholder data from those that do not, all system components in that network are considered part of …
The PCI DSS is a global standard and is applicable to all entities that process, transmit or store cardholder data regardless of geographic location. Each payment brand manages their PCI …
Any payment card (credit, debit, prepaid, stored value, gift or chip) bearing the logo of one of the PCI Security Standards Council's five founding payment brands is required to be …