After 31 March 2025, superseded requirements should be marked as Not Applicable (N/A) in a Report on Compliance (ROC) or Self-Assessment Questionnaire (SAQ).
A provider of third-party scripts is not considered a third-party service provider (TPSP) for PCI DSS Requirements 12.8 and 12.9 as part of an entity’s assessment of the entity’s e-commerce …
PCI DSS Requirement 8.4.2 for multi-factor authentication (MFA) is not mandatory for access to in-scope system components outside of the CDE. If a user’s access to a system component can …
This FAQ is only intended to clarify the specific SAQ A eligibility criteria called out below. The contents of this FAQ should not be interpreted to impact or contradict any …
Compliance questions, including questions about whether it is acceptable to submit a PCI DSS assessment report after that standard's retirement date, should be directed to organizations that manage compliance programs …
The current version of PCI DSS can be found in the PCI SSC Document Library. All retired versions are also available as archived documents in the Document Library.
Updates to PCI DSS are intended to address evolving threats in the payments ecosystem; therefore, entities are strongly encouraged to complete their transition to the most current PCI DSS version, …