No. An individual's private work-from-home (WFH) environment is not considered a "sensitive area," and personnel working from home are not required to meet PCI DSS Requirements 9.1.1 or 9.3 for …
No, PCI SSC does not require QSAs or ISAs to visit personnel's private residences for any purpose, including the review of work-from-home (WFH) environments to validate PCI DSS requirements. Entities …
No, entities are not expected to conduct onsite assessments of work-from-home (WFH) environments, as home environments are not owned or controlled by the entity. Entities are expected to have controls …
The PCI SSC document library contains an overview that answers numerous questions about the PCI 3DS Core Security Standard (otherwise known as the PCI 3DS Security Requirements and Assessment Procedures …
There are two PCI DSS requirements that may be affected when considering 8-digit BINs. Requirement 3.3 pertains to masking (concealing) digits of the PAN so that the full PAN is …
No. However, PCI DSS does not consider SSL or early TLS to be strong cryptography. Transport Layer Security (TLS) is a protocol that encrypts traffic between two endpoints to provide …
No. The PCI 3DS Attestation of Compliance (AOC) can only document a "Compliant" finding if all requirements are tested and found to be "In Place" or a combination of "In …
No, an EMVCo Letter of Approval (LOA) is not required for a PCI 3DS Assessor to perform an assessment to the PCI 3DS Core Security Standard. If an EMVCo LOA …
Requirements P2-7.1 and P2-7.2, which relate to data center and CCTV security, apply to 3DS Directory Server (DS) and 3DS Access Control Server (ACS) systems. As noted in the Overview …
Yes, a 3DS entity may choose to outsource the hosting and management of its HSM infrastructure to a third-party service provider as long as all applicable requirements are met. The …