PCI DSS does not define a specific maximum or minimum length of time for which cardholder data can be stored. PCI DSS Requirement 3.2.1 requires entities to implement data retention …
PCI DSS Requirement 3.5.1 states that if hashed and truncated versions of the same PAN, or different truncation formats, are present in the environment, additional controls must be implemented to …
No. PCI DSS does not require that point-of-interaction (POI) devices be physically attached or fixed in place. However, Requirement 9.5.1 requires controls to detect and prevent tampering or …
PCI DSS Requirement 11.3.2.1 addresses the need for quarterly external vulnerability scans to be performed by a PCI SSC Approved Scanning Vendor (ASV). The ASV will produce a scan report …
No. Only the Primary Account Number (PAN) must be rendered unreadable when it is stored, in accordance with Requirement 3.5.1. Other elements of cardholder data, such as cardholder name, expiration …
PCI DSS Requirement 3.3.1 prohibits storage of sensitive authentication data (SAD), including card validation codes and values, after authorization even if the data is encrypted. Storage of card validation codes …
Yes. PCI DSS Requirement 3.5.1 applies to mainframes that store cardholder data. If a company has legitimate business or technical constraints in meeting this or any other requirement, compensating controls …
Yes. PCI DSS is intended for any entity that stores, processes, or transmits cardholder data — regardless of whether these activities are conducted directly or by a third-party service provider.
There are several PCI DSS requirements that govern vulnerability management and reference related timeframes. These requirements are described under the general topics of 1) identifying and risk ranking vulnerabilities, and …
Service providers cannot use SAQ eligibility criteria to determine applicability of PCI DSS requirements for assessments documented in a Report on Compliance (ROC). The only acceptable SAQ for service providers …