369 FAQ Links Changed
March 28, 2026 — PCI SSC changed the URL format for these FAQs. Content is unchanged.
Does the PCI Security Standards Council enforce compliance?
In case of a suspected breach, should the PCI Security Standards Council be contacted directly?
Once my business has been determined to be compliant by a QSA, would I or the QSA need to communicate this fact to the PCI Security Standards Council?
Will all participating payment brands in the PCI Security Standards Council recognize a recommendation of compliance from an ASV?
Do QSAs and ASVs need to send reports of compliance (ROCs) or scanning results to the PCI Security Standards Council directly?
What are the consequences to my business if I do not comply with the PCI DSS?
I want to add input into this process. How do I become a member of the Council?
How can my organization find assistance in completing the Self-Assessment Questionnaire?
Will the PCI Security Standards Council list compliant service providers and/or merchants on its Web site?
If my business was deemed compliant but my system was still breached and payment account data compromised after the fact, what liability would my business incur?
Changed from https://www.pcisecuritystandards.org/faq/articles/Frequently_Asked_Question/if-my-business-was-deemed-compliant-but-my-system-was-still-breached-and-payment-account-data-compromised-after-the-fact-what-liability-would-my-business-incur/ to https://www.pcisecuritystandards.org/faqs/1019/
How does PA-DSS support a merchant's PCI DSS compliance?
Do small merchants with limited transaction volumes need to comply with PCI DSS?
What are the requirements that have to be satisfied to be in compliance with the PCI Data Security Standard?
Is PCI DSS a global standard?
Can you provide clarification of PCI DSS requirement 10.3.6?
Can you provide clarification for logging/audit trail per PCI DSS requirements 10.2.5 and 10.2.6?
What are system-level objects?
What is the definition of "remote access"?
How can I provide feedback (negative or positive) about my QSA/ASV?
Do hosting providers have responsibility for liabilities/fines?
Does PCI DSS apply to "hot cards," expired, cancelled or invalid payment account numbers?
Does PCI DSS apply to debit cards, debit payments, and debit systems?
Is it required that all of a company's sites, even those located in other countries, must be included in the company's PCI DSS review?
What is the scope of a PCI DSS assessment for a network that is not segmented?
Should cardholder data be encrypted while in memory?
Is frame relay considered a private network and are there any encryption requirements?
Do ISPs that provide only internet connection need to comply with the PCI DSS?
Is MPLS considered a private or public network when transmitting cardholder data?
Will the PCI Security Standards Council "approve" my organization's implementation of compensating controls in my effort to comply with the PCI DSS?
Why now for this change from PED to PTS?
I make ATMs, what do I need to do for PTS?
Can application whitelisting be used to meet PCI DSS Requirement 5?
Can a payment application that implements the same cryptographic keys across multiple installations be PA-DSS compliant?
Can a payment application that uses cryptographic keys hard-coded by the vendor be PA-DSS compliant if they cannot be changed by the customer?
Does the PCI Security Standards Council provide information on security breaches, status of investigations, or PCI DSS compliance status?
Should I complete the Prioritized Approach milestones in sequential order?
How would an identified Denial of Service (DoS) vulnerability affect a company's ability to pass a PCI DSS vulnerability scan from an Approved Scanning Vendor (ASV)?
Changed from https://www.pcisecuritystandards.org/faq/articles/Frequently_Asked_Question/how-would-an-identified-denial-of-service-dos-vulnerability-affect-a-company-s-ability-to-pass-a-pci-dss-vulnerability-scan-from-an-approved-scanning-vendor-asv/ to https://www.pcisecuritystandards.org/faqs/1060/
How frequently will the PCI Security Standards Council update the PCI DSS and PA-DSS?
What is meant by a "payment application" in Part 2d of the Attestation of Compliance?
Does SAQ C-VT replace SAQ C?
What is a VT or Virtual Terminal?
How are third-party service providers (TPSPs) expected to demonstrate PCI DSS compliance for TPSP services that meet customers’ PCI DSS requirements or may impact the security of a customer’s cardholder data and/or sensitive authentication data?
Changed from https://www.pcisecuritystandards.org/faq/articles/Frequently_Asked_Question/how-are-third-party-service-providers-tpsps-expected-to-demonstrate-pci-dss-compliance-for-tpsp-services-that-meet-customers-pci-dss-requirements-or-may-impact-the-security-of-a-customers-cardholder-data-and-or-sensitive-authentication-data/ to https://www.pcisecuritystandards.org/faqs/1065/