Latest changes to PCI SSC frequently asked questions.
No, phishing-resistant authentication cannot be used without an additional authentication factor to meet Requirements 8.4.1 or 8.4.3 because of the increased risk with these types of access.
Use of …
Yes. Passkeys synced across devices (also called synced passkeys), implemented according to the FIDO2 requirements, are considered phishing-resistant authentication, and may be used as a single authentication factor in place …
After 31 March 2025, superseded requirements should be marked as Not Applicable (N/A) in a Report on Compliance (ROC) or Self-Assessment Questionnaire (SAQ).
Three PCI DSS v4.x requirements include …
A provider of third-party scripts is not considered a third-party service provider (TPSP) for PCI DSS Requirements 12.8 and 12.9 as part of an entity’s assessment of the entity’s e-commerce …
PCI DSS Requirement 8.4.2 for multi-factor authentication (MFA) is not mandatory for access to in-scope system components outside of the CDE. If a user’s access to a system component can …
No. PCI DSS Requirements 8.3.9 and 8.3.10.1 do not apply to in-scope system components where multi-factor authentication (MFA) is used.
Requirements 8.3.9 and 8.3.10.1 apply if passwords/passphrases are used …
No.
This FAQ is only intended to clarify the specific SAQ A eligibility criteria called out below. The contents of this FAQ should not be interpreted to impact or contradict any …
A TPSP is expected to provide evidence of compliance with applicable PCI DSS requirements.
If the TPSP undergoes its own PCI DSS assessment, it is expected to provide sufficient …
Compliance questions, including questions about whether it is acceptable to submit a PCI DSS assessment report after that standard's retirement date, should be directed to organizations that manage compliance programs …
