Entities should always contact their acquirer or the payment brands directly for information about their compliance programs and reporting requirements. Contact details for the payment brands can be found in …
Where a future-dated requirement has not yet been implemented by an entity and the Report on Compliance (ROC) or Self-Assessment Questionnaire (SAQ) is completed prior to the effective date of …
No. The period for which an entity's PCI DSS assessment result is valid does not change if the standard against which the entity was assessed has been retired. However, how …
Yes. However, regardless of how the QSA obtains evidence to support a PCI DSS assessment, the QSA conducting the PCI DSS assessment has the ultimate responsibility for their client's assessment …
No, due to the variability of scope coverage and assessor validation procedures, a QSA cannot rely on reports from other attestation engagements (like SOC 2 or SOC 3) for a …
Compliance-accepting entities (typically, payment brands and acquirers) are responsible for determining the PCI DSS validation and reporting methods of their merchants and service providers, including how compliance is to be …
Compliance questions, including questions about whether it is acceptable to submit a PCI DSS v3.2.1 assessment report after that standard’s retirement date of 31 March 2024, should be directed to …
The current version of PCI DSS is v4.0. PCI DSS v3.2.1 is also valid through 31 March 2024, after which that version will be retired. After 31 March 2024, PCI DSS …
Yes, provided that the Attestation of Compliance (AOC) includes all information relevant to the services offered to customers. The level of detail provided in an AOC to customers might be …
FTP is considered an insecure protocol as it does not provide protection for its communication channel or logon details. PCI DSS Requirement 1 states that network security controls (NSCs), such …