Yes, if the software in question meets all stated eligibility criteria in effect at the time of submission, software-as-a-service may be validated to the Secure Software Standard and listed on …
While onsite assessments continue to be the expected method for PCI SSC assessments, the use of remote assessment methods may provide a suitable alternative in legitimate scenarios where an onsite …
When assessment results are associated with compliance programs defined and managed by one or more payment brands, the compliance-accepting entity is the entity to which those assessment results (for example, …
Systems that store, process, or transmit only truncated PANs (where a segment of PAN data has been permanently removed) may be considered out of scope for PCI DSS if those …
PCI SSC updates its standards to address changes in payment industry threats, risks, and best practices. To ensure organizations have enough time to transition to a new standard, the previous …
In the PCI DSS Applicability Information section of the standard, it is stated that sensitive authentication data must not be stored after authorization even if encrypted, and that this applies …
No. An individual's private work-from-home (WFH) environment is not considered a "sensitive area," and personnel working from home are not required to meet PCI DSS Requirements 9.1.1 or 9.3 for …
No, PCI SSC does not require QSAs or ISAs to visit personnel's private residences for any purpose, including the review of work-from-home (WFH) environments to validate PCI DSS requirements. Entities …