Recent FAQ Changes RSS

PCI DSS does not define minimum or maximum times for how long cardholder data may be stored. PCI DSS Requirement 3.2.1 specifies that a data retention and disposal policy must …

PCI DSS Requirement 10.4.1 defines several events and system types that require daily log reviews, but Requirement 10.4.2 allows the organization to determine the log review frequency for all other …

No, PCI DSS Requirement 9.5 does not require devices to be fixed in place or physically attached to a surface. Requirement 9.5 and its three sub-requirements address three areas of …

Yes. Using strong cryptography to hash the password meets the intent of the PCI DSS Requirement 8.3.2, which requires that all authentication factors be rendered unreadable during transmission and storage …

PCI DSS requirements apply to all system components, unless it has been verified that a requirement is not applicable for a particular system. Decisions about the applicability of PCI DSS …

Masking is addressed in PCI DSS Requirement 3.4.1, whereas truncation is one of several options specified to meet PCI DSS Requirement 3.5.1.

Requirement 3.4.1 relates to the protection of …

PCI DSS Requirement 4.2 and its sub requirements state that transmission of cardholder data over an open or public network must be secured using strong cryptography and security protocols.

…

For PCI DSS, account data consists of cardholder data (CHD) and sensitive authentication data (SAD). With respect to SAD, PCI DSS Requirement 3.3.1 prohibits storage of SAD after authorization, even …

PCI DSS requirement 3.4.1 requires that the PAN be masked when it is displayed (for example, on screens, logs, reports, receipts), unless the viewing party has a specific business need …