369 FAQ Links Changed
March 28, 2026 — PCI SSC changed the URL format for these FAQs. Content is unchanged.
Who can use SAQ P2PE?
In P2PE, how do "hybrid" decryption environments differ from "hardware" decryption environments?
In P2PE Hardware/Hybrid solutions, what is a Host System?
Are there any restrictions on the form-factor that can be used for HSMs in P2PE solutions?
What is the process to use previously-deployed POI devices in a PCI P2PE Solution?
Do all PCI DSS requirements apply to every system component?
Does hashing of passwords meet the intent of PCI DSS Requirement 8.3.2?
What is the intent of PCI DSS requirement 10?
Can I report on my Prioritized Approach progress instead of producing a Report on Compliance or Attestation of Compliance?
Does PCI SSC endorse specific products to meet PCI DSS requirements?
Does a P2PE validated application also need to be validated against PA-DSS?
Will PA-DSS validated applications continue to be Acceptable for New Deployments if they run on an unsupported operating system?
What are the Card Production Logical and Physical Security Requirements?
Can I combine sections from different versions of the PCI DSS?
If an entity is in the middle of a PCI DSS assessment when a new version of the standard is released — should the assessment be started again using the new version?
Changed from https://www.pcisecuritystandards.org/faq/articles/Frequently_Asked_Question/if-an-entity-is-in-the-middle-of-a-pci-dss-assessment-when-a-new-version-of-the-standard-is-released-should-the-assessment-be-started-again-using-the-new-version/ to https://www.pcisecuritystandards.org/faqs/1266/
When can I start using version 3.0 of the SAQs?
How do the requirements in PCI DSS version 3 that are "best practices" until June 30th 2015 impact my PCI DSS assessment?
Can I combine sections from different versions of the PA-DSS?
Are merchants required to meet PCI DSS Requirement 12.9?
Are PA-DSS applications considered valid if installed on an operating system that is not included in the payment application listing?
How does using a PA-DSS validated application affect the scope of a merchant's PCI DSS assessment?
Can card verification codes be stored for card-on-file or recurring transactions?
Are point-of-interaction devices required to be physically secured (for example, with a cable or tether) to prevent removal or substitution to meet PCI DSS Requirement 9.5?
Changed from https://www.pcisecuritystandards.org/faq/articles/Frequently_Asked_Question/are-point-of-interaction-devices-required-to-be-physically-secured-for-example-with-a-cable-or-tether-to-prevent-removal-or-substitution-to-meet-pci-dss-requirement-9-5/ to https://www.pcisecuritystandards.org/faqs/1281/
Can an entity be PCI DSS compliant if they use a third-party service provider (TPSP) that is validated to a previous version of PCI DSS?
How do PCI standards apply to organizations that develop software that runs on a consumer's device (for example, a smartphone, tablet, or laptop) and is used to accept payment card data?
Changed from https://www.pcisecuritystandards.org/faq/articles/Frequently_Asked_Question/how-do-pci-standards-apply-to-organizations-that-develop-software-that-runs-on-a-consumer-s-device-for-example-a-smartphone-tablet-or-laptop-and-is-used-to-accept-payment-card-data/ to https://www.pcisecuritystandards.org/faqs/1283/
Are acquirers considered service providers for the purpose of PCI DSS Requirements 12.8 and 12.9?
Does PCI DSS apply to one-time or single-use PANs?
Does PCI DSS apply to virtual (electronic-only) PANs?
Does PA-DSS Requirement 3.3.2 apply to passwords used by the payment application to access other systems/applications (e.g. for the payment application to access a third-party database)?
Changed from https://www.pcisecuritystandards.org/faq/articles/Frequently_Asked_Question/Does-PA-DSS-Requirement-3-3-2-apply-to-passwords-used-by-the-payment-application-to-access-other-systems-applications-e-g-for-the-payment-application-to-access-a-third-party-database to https://www.pcisecuritystandards.org/faqs/1288/
If an entity uses a third-party service provider (TPSP) that has been validated as PCI DSS compliant, is the entity's assessor required to go onsite to the TPSP's location and retest the PCI DSS requirements?
Changed from https://www.pcisecuritystandards.org/faq/articles/Frequently_Asked_Question/if-an-entity-uses-a-third-party-service-provider-tpsp-that-has-been-validated-as-pci-dss-compliant-is-the-entity-s-assessor-required-to-go-onsite-to-the-tpsp-s-location-and-retest-the-pci-dss-requirem/ to https://www.pcisecuritystandards.org/faqs/1290/
Why is SAQ A-EP used for Direct Post while SAQ A is used for iFrame or URL redirect?
Why is there a different approach for Direct Post implementations than for iFrame and URL redirect – what are the technical differences and how do they impact the security of e-commerce transactions?
Changed from https://www.pcisecuritystandards.org/faq/articles/Frequently_Asked_Question/why-is-there-a-different-approach-for-direct-post-implementations-than-for-iframe-and-url-redirect-what-are-the-technical-differences-and-how-do-they-impact-the-security-of-e-commerce-transactions/ to https://www.pcisecuritystandards.org/faqs/1292/
If a merchant's e-commerce implementation meets the criteria that all elements of payment pages originate from a PCI DSS compliant service provider, is the merchant eligible to complete SAQ A or SAQ A-EP?
Changed from https://www.pcisecuritystandards.org/faq/articles/Frequently_Asked_Question/if-a-merchant-s-e-commerce-implementation-meets-the-criteria-that-all-elements-of-payment-pages-originate-from-a-pci-dss-compliant-service-provider-is-the-merchant-eligible-to-complete-saq-a-or-saq-a-ep/ to https://www.pcisecuritystandards.org/faqs/1293/