For P2PE solutions, can you use PCI approved POI devices with SRED, where the PTS listing indicates "Non CTLS"?
| This is a "normative" FAQ - It is considered to be part of the P2PE requirements and shall be considered during a … |
Deleted FAQs
FAQs that have been removed from the PCI SSC website or have dead links.
Why does the PCI P2PE standard require SRED for PCI approved Point-of-Interaction (POI) devices?
This is a Technical FAQ for P2PE versions 1.x. This is a "normative" FAQ that is considered to be part of the P2PE requirements and shall be considered during a …
If I am deemed PCI DSS compliant today by one of the payment card brands, will the other brands in the PCI Security Standards Council recognize this designation of compliance and if so, what information must be put forth to achieve such recognition?
Since the individual payment brands are responsible for their own PCI DSS compliance programs, organizations should follow each brand's specific compliance processes and procedures.
What is the intent of PCI DSS requirement 10?
The intent of PCI DSS requirement 10 is to ensure organizations have the necessary logs in place to provide an accurate and unaltered record of what has taken place within …
What are secure methods for a merchant to transport a terminal to meet requirements specified in P2PE Requirement 3A-2.4 and the P2PE Instruction Manual?for example, if a merchant has to return a POI device to their vendor for repair?
This is a Technical FAQ for P2PE versions 1.x. This is a "normative" FAQ that is considered to be part of the P2PE requirements and shall be considered during a …
How often must service providers test penetration testing segmentation controls under PCI DSS?
PCI DSS Requirement 11.4.6 requires service providers that use segmentation to isolate the cardholder data environment (CDE) from other networks to perform penetration tests on those segmentation controls at least …
For third parties that undergo P2PE assessments for services they offer on behalf of P2PE solution providers, what is acceptable evidence they can provide to those P2PE solution providers?
This is a Technical FAQ for P2PE versions 1.x. This is a "normative" FAQ that is considered to be part of the P2PE requirements and shall be considered during a …
For P2PE Requirement 3A-4.2, are POI devices required to be physically secured (e.g., bolted to a counter-top or tethered with a cable) in the merchant environment? How does this requirement apply to handheld/wireless POI devices?
This is a Technical FAQ for P2PE versions 1.x. This is a "normative" FAQ that is considered to be part of the P2PE requirements and shall be considered during a …
For the list of Validated PA-DSS Applications, what is the difference between Revalidation Date and Expiry Date?
Revalidation Date: Annually, the software vendor is required to revalidate by completing Part 3b of the Attestation of Validation form, confirming that no changes have been made to the application …
Are there any plans to standardize the reporting requirements (reports) for the PCI DSS, PA-DSS, ASV, QSA and PTS programs that are sent to each of the payment brands?
The PCI Security Standards Council (PCI SSC) mission is to develop, maintain and build awareness around the standards and supporting programs. Additionally, the PCI SSC strives to ensure that implementing …