No, entities are not expected to conduct onsite assessments of work-from-home (WFH) environments, as home environments are not owned or controlled by the entity. Entities are expected to have controls …
The PCI SSC document library contains an overview that answers numerous questions about the PCI 3DS Core Security Standard (otherwise known as the PCI 3DS Security Requirements and Assessment Procedures …
There are two PCI DSS requirements that may be affected when considering 8-digit BINs. Requirement 3.3 pertains to masking (concealing) digits of the PAN so that the full PAN is …
No. However, PCI DSS does not consider SSL or early TLS to be strong cryptography. Transport Layer Security (TLS) is a protocol that encrypts traffic between two endpoints to provide …
No. The PCI 3DS Attestation of Compliance (AOC) can only document a "Compliant" finding if all requirements are tested and found to be "In Place" or a combination of "In …
No, an EMVCo Letter of Approval (LOA) is not required for a PCI 3DS Assessor to perform an assessment to the PCI 3DS Core Security Standard. If an EMVCo LOA …
Requirements P2-7.1 and P2-7.2, which relate to data center and CCTV security, apply to 3DS Directory Server (DS) and 3DS Access Control Server (ACS) systems. As noted in the Overview …
Yes, a 3DS entity may choose to outsource the hosting and management of its HSM infrastructure to a third-party service provider as long as all applicable requirements are met. The …
No. The "Compliant but with Legal exception" option in Part 3 of an Attestation of Compliance (AOC) allows an entity to document that they could not implement one or more …
An initial assessment is an entity's first formal PCI DSS assessment that results in the submission of a compliance validation document. Examples of validation documents include an Attestation of Compliance …