Payment applications that are listed as Acceptable only for Pre-existing Deployments have previously been validated as meeting PA-DSS but the validation is no longer current. This may be due to …
The P2PE Standard does not require applications solely used in a P2PE solution to be validated to PA-DSS. PA-DSS and P2PE are distinct PCI standards with separate requirements and programs, …
Assessed entities have the discretion to either have enterprise functions assessed separately as an internal service provider or include those functions in each individual corporate entity’s PCI DSS assessment. Regardless …
PCI DSS applies to entities involved in payment card processing or that otherwise store, process, or transmit cardholder data; the Payment Application Data Security Standard (PA-DSS) applies to payment applications …
No. If cryptographic keys are provided by the application vendor as part of the application, the keys must be unique to each customer or installation. An application that requires the …
No. In order to meet PA-DSS and PCI DSS requirements, the payment application must facilitate the customers' ability to perform key changes periodically and as required by the customer in …
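The two answers above state requirements, not an implementation. As an added example (not from the PCI SSC FAQ or from any vendor's payment application), the Go program below shows one way a payment application can satisfy both: the data-encryption key is generated on the installation at setup time instead of being compiled into the application, and key changes are supported by keeping versioned keys, re-encrypting stored records under the new version, and refusing to retire an old key while any record still depends on it. The type and function names (KeyRing, Rotate, ReEncrypt, Retire), the record layout and the test card number are my own constructions for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Record is one encrypted cardholder-data field as stored. KeyVersion names the
// key that can open it, so old data stays readable while a rotation is in progress.
type Record struct {
	KeyVersion uint32
	Nonce      []byte
	Ciphertext []byte
}

// KeyRing holds this installation's data-encryption keys by version.
type KeyRing struct {
	keys    map[uint32][]byte
	current uint32
}

// NewInstallationKey draws a fresh random 256-bit AES key. Doing this on the
// customer's system at install time (not reading a constant shipped in the
// application) is what makes the key unique to each installation.
func NewInstallationKey() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

// NewKeyRing starts a ring whose version 1 is the given key.
func NewKeyRing(initial []byte) *KeyRing {
	return &KeyRing{keys: map[uint32][]byte{1: initial}, current: 1}
}

// aead builds an AES-GCM instance for one key version.
func (r *KeyRing) aead(version uint32) (cipher.AEAD, error) {
	k, ok := r.keys[version]
	if !ok {
		return nil, fmt.Errorf("key version %d not present in ring", version)
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// versionAAD binds the key version into the authentication tag so a stored
// record cannot be silently relabelled as belonging to another version.
func versionAAD(v uint32) []byte {
	b := make([]byte, 4)
	binary.BigEndian.PutUint32(b, v)
	return b
}

// Encrypt seals plaintext under the current key with a random 96-bit nonce.
func (r *KeyRing) Encrypt(plaintext []byte) (Record, error) {
	g, err := r.aead(r.current)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	ct := g.Seal(nil, nonce, plaintext, versionAAD(r.current))
	return Record{KeyVersion: r.current, Nonce: nonce, Ciphertext: ct}, nil
}

// Decrypt opens a record with whichever key version it was sealed under.
func (r *KeyRing) Decrypt(rec Record) ([]byte, error) {
	g, err := r.aead(rec.KeyVersion)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, rec.Nonce, rec.Ciphertext, versionAAD(rec.KeyVersion))
}

// Rotate installs newKey as the current version; older versions remain in the
// ring until their records have been re-encrypted and they are retired.
func (r *KeyRing) Rotate(newKey []byte) uint32 {
	r.current++
	r.keys[r.current] = newKey
	return r.current
}

// ReEncrypt moves one record onto the current key. Plaintext exists only in
// memory for the duration of the call and is never written out.
func (r *KeyRing) ReEncrypt(rec Record) (Record, error) {
	if rec.KeyVersion == r.current {
		return rec, nil
	}
	pt, err := r.Decrypt(rec)
	if err != nil {
		return Record{}, err
	}
	return r.Encrypt(pt)
}

// Retire deletes an old key version, refusing while any stored record still
// needs it (deleting first would make that cardholder data unrecoverable).
func (r *KeyRing) Retire(version uint32, stored []Record) error {
	if version == r.current {
		return errors.New("cannot retire the current key")
	}
	for _, rec := range stored {
		if rec.KeyVersion == version {
			return fmt.Errorf("record still encrypted under version %d; re-encrypt first", version)
		}
	}
	delete(r.keys, version)
	return nil
}

func main() {
	k1, _ := NewInstallationKey()
	ring := NewKeyRing(k1)
	rec, _ := ring.Encrypt([]byte("4111111111111111")) // constructed test PAN, not real cardholder data
	k2, _ := NewInstallationKey()
	ring.Rotate(k2)
	fmt.Println("retire before re-encrypt:", ring.Retire(1, []Record{rec}))
	rec, _ = ring.ReEncrypt(rec)
	fmt.Println("retire after re-encrypt: ", ring.Retire(1, []Record{rec}))
	pt, _ := ring.Decrypt(rec)
	fmt.Printf("record now under version %d, plaintext %s\n", rec.KeyVersion, pt)
}
```

In a real deployment the data-encryption keys in the ring would themselves be protected by a key-encrypting key held in an HSM or equivalent, and the random-nonce GCM shown here assumes the per-key record count stays far below the 2^32 nonce-collision bound; the point of the example is the lifecycle (generate on install, version, re-encrypt, retire), not the storage of the keys.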
Without proper network segmentation to isolate the systems that store, process or transmit cardholder data from those that do not, all system components in that network are considered part of …
Since the individual payment brands are responsible for their own PCI DSS compliance programs, organizations should follow each brand's specific compliance processes and procedures.
The PCI DSS is a global standard and is applicable to all entities that process, transmit or store cardholder data regardless of geographic location. Each payment brand manages its PCI …
For more information about strong cryptography, refer to the Information Supplement: PCI Cryptography Guidance, available under Guidance Document in the PCI SSC Document Library. Our document library can be …