All service providers are expected to meet PCI DSS requirements as applicable to the services offered to their customers. In addition, PCI DSS Appendix A1: Additional PCI DSS Requirements for …
The PA-DSS details the requirements a payment application must meet in order to facilitate a customer’s PCI DSS compliance. PA-DSS validated payment applications, when implemented in a PCI DSS-compliant environment, …
The intent of this requirement is to address the acceptability of disk encryption for rendering cardholder data unreadable. Disk encryption encrypts data stored on a computer’s mass storage and automatically …
No. PCI DSS Requirement 4.2.2 prohibits the sending of unprotected primary account numbers (PANs) via end-user messaging technologies, whether sent internally or over public networks. E-mail, instant messaging, SMS, and …
PCI DSS does not prevent the use of end-user technologies (such as email, SMS, chat, etc.) to request or receive cardholder data. However, if an end-user messaging technology is used …
Any cardholder data that is stored, processed, or transmitted must be protected in accordance with PCI DSS. If faxes are sent or received via modem over a traditional PSTN phone …
PCI DSS does not define minimum or maximum times for how long cardholder data may be stored. PCI DSS Requirement 3.2.1 specifies that a data retention and disposal policy must …
PCI DSS Requirement 10.4.1 defines several events and system types that require daily log reviews, but Requirement 10.4.2 allows the organization to determine the log review frequency for all other …
No, PCI DSS Requirement 9.5 does not require devices to be fixed in place or physically attached to a surface. Requirement 9.5 and its three sub-requirements address three areas of …
Yes. Using strong cryptography to hash the password meets the intent of PCI DSS Requirement 8.3.2, which requires that all authentication factors be rendered unreadable during transmission and storage …