Recent FAQ Changes

❓ FAQ 1281 Updated 2025-06-11T14:57:47+00:00

Are point-of-interaction devices required to be physically secured (for example, with a cable or tether) to prevent removal or substitution to meet PCI DSS Requirement 9.5?

No. PCI DSS does not require that point-of-interaction (POI) devices be physically attached or fixed in place. However, Requirements under Requirement 9.5.1 require controls to detect and prevent tampering or …

❓ FAQ 1234 Updated 2025-06-11T14:57:26+00:00

I have had an external vulnerability scan completed by an ASV – does this mean I am PCI DSS compliant?

PCI DSS Requirement 11.3.2.1 addresses the need for quarterly external vulnerability scans to be performed by a PCI SSC Approved Scanning Vendor (ASV). The ASV will produce a scan report …

❓ FAQ 1222 Updated 2025-06-11T14:57:12+00:00

Does cardholder name, expiration date, etc. need to be rendered unreadable if stored in conjunction with the PAN (Primary Account Number)?

No. Only the Primary Account Number (PAN) must be rendered unreadable when it is stored, in accordance with Requirement 3.5.1. Other elements of cardholder data, such as cardholder name, expiration …

❓ FAQ 1210 Updated 2025-06-11T14:56:01+00:00

Are audio/voice recordings permitted to contain sensitive authentication data?

PCI DSS Requirement 3.3.1 prohibits storage of sensitive authentication data (SAD), including card validation codes and values, after authorization even if the data is encrypted. Storage of card validation codes …

❓ FAQ 1093 Updated 2025-06-11T14:55:00+00:00

Do PCI DSS requirements for protecting stored cardholder data apply to mainframes?

Yes. PCI DSS Requirement 3.5.1 applies to mainframes that store cardholder data. If a company has legitimate business or technical constraints in meeting this or any other requirement, compensating controls …

❓ FAQ 1092 Updated 2025-06-11T14:54:59+00:00

Does PCI DSS apply to merchants who outsource all payment processing operations and never store, process or transmit cardholder data?

Yes. PCI DSS is intended for any entity that stores, processes, or transmits cardholder data — regardless of whether these activities are conducted directly or by a third-party service provider.

…

❓ FAQ 1597 New 2025-05-28T09:17:10+00:00

What are the expectations for entities when assigning risk rankings to vulnerabilities and resolving or addressing those vulnerabilities?

There are several PCI DSS requirements that govern vulnerability management and reference related timeframes. These requirements are described under the general topics of 1) identifying and risk ranking vulnerabilities, and …

❓ FAQ 1331 Updated 2025-05-23T09:27:57+00:00

Can SAQ eligibility criteria be used as a guide for determining applicability of PCI DSS requirements for merchant assessments documented in a Report on Compliance?

Service providers cannot use SAQ eligibility criteria to determine applicability of PCI DSS requirements for assessments documented in a Report on Compliance (ROC). The only acceptable SAQ for service providers …

❓ FAQ 1596 New 2025-05-14T15:33:16+00:00

Is phishing-resistant authentication alone acceptable as multi-factor authentication for PCI DSS Requirements 8.4.1 and 8.4.3?

No, phishing-resistant authentication cannot be used without an additional authentication factor to meet Requirements 8.4.1 or 8.4.3 because of the increased risk with these types of access.

Use of …

❓ FAQ 1595 New 2025-05-14T15:33:03+00:00

Are passkeys synced across devices, implemented according to the FIDO2 requirements, acceptable for use as phishing-resistant authentication to meet PCI DSS Requirement 8.4.2?

Yes. Passkeys synced across devices (also called synced passkeys), implemented according to the FIDO2 requirements, are considered phishing-resistant authentication, and may be used as a single authentication factor in place …

Recent FAQ Changes RSS