Does PCI DSS require both database and application logging?
The intent of the PCI DSS logging requirements is to provide a complete record of who did what, where, when, and how, so it can be used for investigation in …
Latest changes to PCI SSC frequently asked questions.
Although log correlation is a valuable tool in a company's information security strategy, it does not replace intrusion detection mechanisms, such as IDS/IPS. Intrusion detection mechanisms provide proactive detection of …
Whether an MPLS network can be considered a private network is dependent upon the specific provider and configuration of that network. The implementation would need to be evaluated to determine …
If the cardholder data is stored in non-persistent memory (e.g. RAM), encryption of cardholder data is not required. However, proper controls must be in place to ensure that memory maintains …
PCI DSS applies to any primary account number (PAN), including active, expired, or cancelled PAN, except where the organization can provide documentation which confirms that the PAN is inactive or …
The Council encourages organizations to seek professional guidance in achieving compliance and completing the Self-Assessment Questionnaire. Entities can use any security professional they choose; however, PCI SSC recommends engaging a …
A system-level object is anything on a computer system required for its operation, including but not limited to application executables and configuration files, system configuration files, static and shared libraries …
Each of PCI SSC's Participating Payment Brand members (American Express, Discover, JCB International, Mastercard, UnionPay, and Visa) currently has its own PCI compliance programs for the protection of their affiliated …
No. As per section 2.2 of the QSA Qualification Requirements, "The QSA Company must have separation of duties controls in place to ensure Assessor-Employees conducting or assisting with PCI …