Latest changes to PCI SSC frequently asked questions.
Subject to early expiry and the terms of the Software Security Framework Vendor Release Agreement (VRA), validations to the Secure Software Standard are valid for three years. Further information on …
No, companies are not required to participate in other PCI SSC programs before becoming an SSF Company.
Yes, if the software in question meets all stated eligibility criteria in effect at the time of submission, software-as-a-service may be validated to the Secure Software Standard and listed on …
While onsite assessments continue to be the expected method for PCI SSC assessments, the use of remote assessment methods may provide a suitable alternative in legitimate scenarios where an onsite …
When assessment results are associated with compliance programs defined and managed by one or more payment brands, the compliance-accepting entity is the entity to which those assessment results (for example, …
Masking is addressed in PCI DSS Requirement 3.3, whereas truncation is one of several options specified to meet PCI DSS Requirement 3.4.
Requirement 3.3 relates to protection of PAN …
Systems that store, process, or transmit only truncated PANs (where a segment of PAN data has been permanently removed) may be considered out of scope for PCI DSS if those …
PCI SSC updates its standards to address changes in payment industry threats, risks, and best practices. To ensure organizations have enough time to transition to a new standard, the previous …
This update includes minor clarifications about acceptable PAN / BIN lengths, as follows:
In the PCI DSS Applicability Information section of the standard, it is stated that sensitive authentication data must not be stored after authorization even if encrypted, and that this applies …
