369 FAQ Links Changed
March 28, 2026 — PCI SSC changed the URL format for these FAQs. Content is unchanged.
Are call center environments considered "sensitive areas" for PCI DSS Requirement 9.1.1?
What should a merchant do if cardholder data is accidentally received via an unintended channel?
What effect does the use of a PCI-listed P2PE solution have on a merchant's PCI DSS validation?
What is a P2PE solution provider?
What is a point-to-point encryption (P2PE) solution?
What is the Point-to-Point Encryption (P2PE) Standard?
Can merchants use encryption solutions not listed on the PCI Council's website to reduce their PCI DSS validation effort?
Is a "P2PE Assessor" required for a merchant's PCI DSS assessment if the merchant uses a Council-listed P2PE solution?
Is the PCI P2PE Standard applicable for merchants that have developed/implemented their own encryption solution?
Are P2PE solution providers required to have their solutions validated and listed by the Council?
Which PCI PTS point-of-interaction (POI) devices can be used in a validated P2PE solution?
Can PCI PED 1.x devices receive SRED validation and be used in a P2PE solution?
What assurances does the Council provide regarding the quality of organizations assessing my systems for compliance with the PCI standards?
What are the Council's requirements for QSA and ASV Companies to maintain a Quality Assurance (QA) manual?
How does the Prioritized Approach work?
Is the Prioritized Approach mandatory?
Does the Prioritized Approach replace the PCI DSS?
For the list of Validated PA-DSS Applications, what is the difference between Revalidation Date and Expiry Date?
If a merchant is using a payment application listed as 'acceptable only for pre-existing deployments', is the merchant allowed to install more copies of the application?
Changed from https://www.pcisecuritystandards.org/faq/articles/Frequently_Asked_Question/if-a-merchant-is-using-a-payment-application-listed-as-acceptable-only-for-pre-existing-deployments-is-the-merchant-allowed-to-install-more-copies-of-the-application/ to https://www.pcisecuritystandards.org/faqs/1175/
How does an organization maintain compliance when a standard changes?
How does my company become a qualified assessor (QSA, PA-QSA, QSA (P2PE), PA-QSA (P2PE)), or Approved Scanning Vendor (ASV)?
How do I reduce the scope of a PCI DSS assessment?
How can I check whether a payment application is PA-DSS validated?
Is it acceptable to make minor changes to a PA-DSS validated application and retain the existing version number?
The PA-DSS Program Guide says application version numbers may consist of a combination of fixed and variable alphanumeric characters. What does this mean?
What is the difference between a Validated Payment Application which is shown on the PCI SSC website as "Acceptable for New Deployments" and one which is shown as 'Acceptable only for Pre-Existing Deployments'?
Changed from https://www.pcisecuritystandards.org/faq/articles/Frequently_Asked_Question/what-is-the-difference-between-a-validated-payment-application-which-is-shown-on-the-pci-ssc-website-as-acceptable-for-new-deployments-and-one-which-is-shown-as-acceptable-only-for-pre-existing-deployments/ to https://www.pcisecuritystandards.org/faqs/1195/
If I am deemed PCI DSS compliant today by one of the payment card brands, will the other brands in the PCI Security Standards Council recognize this designation of compliance and if so, what information must be put forth to achieve such recognition?
Changed from https://www.pcisecuritystandards.org/faq/articles/Frequently_Asked_Question/if-i-am-deemed-pci-dss-compliant-today-by-one-of-the-payment-card-brands-will-the-other-brands-in-the-pci-security-standards-council-recognize-this-designation-of-compliance-and-if-so-what-information-must-be-put-forth-to-achieve-such-recognition/ to https://www.pcisecuritystandards.org/faqs/1196/
What is the Payment Card Industry Data Security Standard (PCI DSS)?
Are audio/voice recordings permitted to contain sensitive authentication data?
To whom should media inquiries or requests for interviews about the PCI Security Standards Council be directed?
What is the involvement of the PCI SSC on the compliance validation processes for PCI DSS assessments and scan reports?
Are there any plans to standardize the reporting requirements (reports) for the PCI DSS, PA-DSS, ASV, QSA and PTS programs that are sent to each of the payment brands?
Changed from https://www.pcisecuritystandards.org/faq/articles/Frequently_Asked_Question/are-there-any-plans-to-standardize-the-reporting-requirements-reports-for-the-pci-dss-pa-dss-asv-qsa-and-pts-programs-that-are-sent-to-each-of-the-payment-brands/ to https://www.pcisecuritystandards.org/faqs/1213/
Which PCI standards apply to card manufacturers, embossers, card personalizers, or entities that prepare data for card manufacturing?
What is a PCI DSS Self-Assessment Questionnaire?
Does the PCI DSS apply to acquirers?
Does the PCI DSS apply to issuers?
Are compliance certificates recognized for PCI DSS validation?
To which types of service providers does PCI DSS Appendix A1 for Multi-Tenant Service Providers apply?
Does cardholder name, expiration date, etc. need to be rendered unreadable if stored in conjunction with the PAN (Primary Account Number)?
Does PCI DSS, PA-DSS, or PTS apply to ATMs?
What does "one function per server" mean?
What is the relationship between the PCI Data Security Standard and the Payment Application Data Security Standard and PTS Device Security Requirements?
What is the role of the Advisory Board?
Who are the founders of the PCI Security Standards Council?
Will the PCI Security Standards Council approve and list vendors for participation in forensics investigations?
What is SAQ C-VT?
How does encrypted cardholder data impact PCI DSS scope for third-party service providers?
I have had an external vulnerability scan completed by an ASV – does this mean I am PCI DSS compliant?
If a merchant or service provider has internal corporate credit cards used by employees for company purchases like travel or office supplies, are these corporate cards considered "in scope" for PCI DSS?
Changed from https://www.pcisecuritystandards.org/faq/articles/Frequently_Asked_Question/if-a-merchant-or-service-provider-has-internal-corporate-credit-cards-used-by-employees-for-company-purchases-like-travel-or-office-supplies-are-these-corporate-cards-considered-in-scope-for-pci-dss/ to https://www.pcisecuritystandards.org/faqs/1235/