369 FAQ Links Changed
March 28, 2026 — PCI SSC changed the URL format for these FAQs. Content is unchanged.
To whom do the PCI Token Service Provider Security Requirements apply?
What is the difference between 'acquiring tokens', 'issuer tokens', and 'Payment Tokens'?
Which types of tokens are addressed by the PCI SSC tokenization documents?
What is the difference between "multi-factor" authentication and "two-factor" authentication?
Are OEMs and/or hardware/software resellers considered third-party service providers for PCI DSS Requirements 12.8 and 12.9?
How do PCI PTS-approved POI device expiry dates affect a PCI-listed P2PE solution?
What is the Council's guidance on the use of SHA-1?
Where do I direct questions about complying with PCI standards?
Can PCI DSS be used to protect non-payment card data?
How is the payment page determined for SAQ A merchants using iframe?
How do PCI DSS Requirements 2, 6 and 8 apply to SAQ A merchants?
How does PCI DSS Appendix A2 apply after the SSL/early TLS migration deadline?
How do the updated SSL/early TLS migration dates apply to service providers?
Can merchants using non-console administrative access be eligible for SAQ B-IP, C-VT, or C?
What is the intent of the SAQ eligibility criteria?
Can a PFI Company perform subsequent PFI investigations for the same entity?
How should QSA assistance with completion of Self-Assessment Questionnaire (SAQs) be documented?
How did Prioritized Approach Tool calculations change for PCI DSS v3.2?
How often must service providers test penetration testing segmentation controls under PCI DSS?
What is meant by "At-Risk Timeframe" and at risk referenced in the Final PFI Report?
Is two-step authentication acceptable for PCI DSS Requirement 8.4?
Where can I find more information about the Assessment Guidance for Non-listed Encryption Solutions (aka NESA)?
Can PFIs provide reports to their clients before sending the report to the affected payment brands?
How does Triple DEA (TDEA) impact ASV Scan results?
Can a PFI Company provide QSA services to an entity after performing a PFI investigation for that entity?
What is the intent of "administrative access" in PCI DSS?
Does a QSA need to be onsite at the client's premises for all aspects of a PCI DSS assessment?
Can PCI SSC revoke a QSA Company's eligibility to participate in the Associate QSA Program due to quality concerns in connection with that program, and not revoke qualification as a QSA Company?
Changed from https://www.pcisecuritystandards.org/faq/articles/Frequently_Asked_Question/can-pci-ssc-revoke-a-qsa-company-s-eligibility-to-participate-in-the-associate-qsa-program-due-to-quality-concerns-even-if-the-qsac-is-in-good-standing-as-defined-in-the-qsa-agreement/ to https://www.pcisecuritystandards.org/faqs/1456/
Are Mobile Payments on COTS (MPoC) solutions, Software-based PIN Entry on COTS (SPoC)™ solutions, or Contactless Payments on COTS (CPoC™) solutions eligible for a P2PE Solution approval?
Changed from https://www.pcisecuritystandards.org/faq/articles/Frequently_Asked_Question/are-mobile-payments-on-cots-mpoc-solutions-software-based-pin-entry-on-cots-spoc-solutions-or-contactless-payments-on-cots-cpoc-solutions-eligible-for-a-p2pe-solution-approval/ to https://www.pcisecuritystandards.org/faqs/1457/
What date should be used for "Date of Report" in the ROC?
Where should reports be sent when the PFI investigation has concluded there is no evidence of a breach?
What are the security considerations for TLS 1.3?
What does "Window of Payment Card Data Storage" mean in the Final PFI Report template?
Does the use of expired PTS POI devices meet eligibility criteria for SAQ B-IP?
Can organizations use alternative password management methods to meet PCI DSS Requirement 8?
Can I have the same assessor company or individual assessor perform a PCI DSS and PIN Assessment for our organization?
How do PCI PTS-approved HSM expiry dates affect a PCI-listed P2PE Solution or Component?
Are PFIs required to fill out all the fields in the Final PFI Report?
What does "Servicing Markets" on the QSA listing mean?
How can I determine whether a QSA is authorized to perform PCI DSS assessments in all countries that are in scope for my company's PCI DSS assessment?
What is the role of compliance-accepting entities and assessors in determining the applicability of PCI DSS requirements for merchant and service provider PCI DSS assessments?
Changed from https://www.pcisecuritystandards.org/faq/articles/Frequently_Asked_Question/what-is-the-role-of-compliance-accepting-entities-and-assessors-in-determining-the-applicability-of-pci-dss-requirements-for-merchant-and-service-provider-pci-dss-assessments/ to https://www.pcisecuritystandards.org/faqs/1473/
Can PCI-listed P2PE v2 components be used as part of a P2PE v3 solution?
Can PCI-listed P2PE v3 components be used as part of a P2PE v2 solution?
Which P2PE Program Guide version do I use?
Are software vendors wishing to undergo validation to the PCI Secure Software Lifecycle (Secure SLC) Standard also required to have payment software listed or in the process of being validated to the PCI Secure Software Standard?
Changed from https://www.pcisecuritystandards.org/faq/articles/Frequently_Asked_Question/are-software-vendors-wishing-to-undergo-validation-to-the-pci-secure-software-lifecycle-secure-slc-standard-also-required-to-have-payment-software-listed-or-in-the-process-of-being-validated-to-the-pci-secure-software-standard/ to https://www.pcisecuritystandards.org/faqs/1477/