Recent FAQ Changes

❓ FAQ 1283 Updated 2023-10-09T11:57:00+00:00

How do PCI standards apply to organizations that develop software that runs on a consumer's device (for example, a smartphone, tablet, or laptop) and is used to accept payment card data?

If the consumer is also the cardholder and is using the device solely for their own cardholder data entry, and the software is only used by that cardholder using his …

❓ FAQ 1571 Updated 2023-10-09T11:56:00+00:00

Is the expectation that any PFI investigation initiated must result in a PFI Final Report?

Yes, a PFI Final Report is required. The expectation is that the PFI must complete the merchant?s PFI Investigation and produce the PFI Final Report, with details of adequate evidence …

❓ FAQ 1280 Updated 2023-10-09T11:56:00+00:00

Can card verification codes be stored for card-on-file or recurring transactions?

No. It is not permitted to retain card verification codes once the specific purchase or transaction for which it was collected has been authorized. Card verification codes are typically used …

❓ FAQ 1574 New 2023-10-09T11:55:00+00:00

If an organization provides software or functionality that runs on a consumer's device (for example, smartphones, tablets, or laptops) and is used to accept payment account data, can the organization store card verification codes for those consumers?

No. PCI DSS prohibits storage of card verification codes, for example, after transaction authorization or to facilitate potential future transactions. There are four common scenarios where organizations may want to, …

❓ FAQ 1571 Updated 2023-10-09T11:55:00+00:00

Is the expectation that any PFI investigation initiated must result in a PFI Final Report?

Yes, a PFI Final Report is required. The expectation is that the PFI must complete the merchant’s PFI Investigation and produce the Final PFI Report, with details of adequate evidence …

❓ FAQ 1571 Updated 2023-09-21T00:00:00+00:00

Is the expectation that any PFI investigation initiated must result in a PFI Final Report?

Yes, a PFI Final Report is required. The expectation is that the PFI must complete the merchant?s PFI Investigation and produce the PFI Final Report, with details of adequate evidence …

❓ FAQ 1331 Updated 2023-09-21T00:00:00+00:00

Can SAQ eligibility criteria be used for determining applicability of PCI DSS requirements for assessments documented in a Report on Compliance?

Service providers cannot use SAQ eligibility criteria to determine applicability of PCI DSS requirements for assessments documented in a Report on Compliance. The only acceptable SAQ for service providers is …

❓ FAQ 1573 New 2023-09-11T14:22:00+00:00

Recent FAQ Changes RSS

How do PCI standards apply to organizations that develop software that runs on a consumer's device (for example, a smartphone, tablet, or laptop) and is used to accept payment card data?

Is the expectation that any PFI investigation initiated must result in a PFI Final Report?

Can card verification codes be stored for card-on-file or recurring transactions?

If an organization provides software or functionality that runs on a consumer's device (for example, smartphones, tablets, or laptops) and is used to accept payment account data, can the organization store card verification codes for those consumers?

Is the expectation that any PFI investigation initiated must result in a PFI Final Report?

Is the expectation that any PFI investigation initiated must result in a PFI Final Report?

Can SAQ eligibility criteria be used for determining applicability of PCI DSS requirements for assessments documented in a Report on Compliance?

Do PCI DSS requirements for keyed cryptographic hashing apply to previously hashed PANs?

Is the expectation that any PFI investigation initiated must result in a PFI Final Report?

Is the expectation that any PFI investigation initiated must result in a PFI Final Report?