Recent FAQ Changes

❓ FAQ 1302 Updated 2020-03-20T00:00:00+00:00

How does use of an expired PTS device affect my PCI DSS compliance?

While PCI DSS does not require that PCI PTS-approved devices be used, some payment brands have their own requirements for using PTS-approved devices, including whether PTS devices with expired approvals …

❓ FAQ 1281 Updated 2020-03-20T00:00:00+00:00

Are point-of-sale devices required to be physically secured (e.g. with a cable or tether) to prevent removal or substitution in order to meet PCI DSS Requirement 9.9?

No, PCI DSS Requirement 9.9 does not require devices to be fixed in place or physically attached to a surface. Requirement 9.9 and its three sub-requirements address three areas of …

❓ FAQ 1210 Updated 2020-03-20T00:00:00+00:00

Are audio/voice recordings permitted to contain sensitive authentication data?

PCI DSS Requirement 3.2 prohibits storage of sensitive authentication data (SAD), including card validation codes and values, after authorization even if the data is encrypted. Storage of card validation codes …

❓ FAQ 1138 Updated 2020-03-20T00:00:00+00:00

Does PCI SSC provide a list of PCI DSS-compliant service providers?

No, PCI SSC does not provide a list of PCI DSS-compliant service providers, nor does PCI SSC certify service providers as PCI DSS compliant.

PCI DSS is applicable to …

❓ FAQ 1078 Updated 2020-03-20T00:00:00+00:00

In what circumstances is multi-factor authentication required?

As described in PCI DSS Requirement 8.3, multi-factor authentication (previously referred to as two-factor authentication) is required for all remote network access that originates from outside the entity's own network, …

❓ FAQ 1078 Updated 2020-03-18T15:05:00+00:00

In what circumstances is multi-factor authentication required?

As described in PCI DSS Requirement 8.3, multi-factor authentication (previously referred to as two-factor authentication) is required for all remote network access that originates from outside the entity’s own network, …

❓ FAQ 1302 Updated 2020-03-18T15:00:00+00:00

How does use of an expired PTS device affect my PCI DSS compliance?

While PCI DSS does not require that PCI PTS-approved devices be used, some payment brands have their own requirements for using PTS-approved devices, including whether PTS devices with expired approvals …

❓ FAQ 1473 New 2020-03-18T00:00:00+00:00

What is the role of acquirers and assessors in determining the applicability of PCI DSS requirements for a merchant?s PCI DSS assessment?

Acquirers, on behalf of the payment brands, are responsible for determining the PCI DSS validation and reporting method of their merchant customers, including how compliance is to be evidenced?for example, …

❓ FAQ 1472 New 2019-11-26T20:47:00+00:00

How can I determine whether a QSA is authorized to perform PCI DSS assessments in all countries that are in scope for my company's PCI DSS assessment?

The Servicing Markets element of the Qualified Security Assessor (QSA) listing indicates the geographic regions or countries for which the QSA Company is authorized by PCI SSC to perform PCI …

❓ FAQ 1471 New 2019-11-26T20:42:00+00:00

What does "Servicing Markets" on the QSA listing mean?

The Servicing Markets element of the Qualified Security Assessor (QSA) listing indicates the geographic regions or countries for which the QSA Company is authorized by PCI SSC to perform PCI …

Recent FAQ Changes RSS