369 FAQ Links Changed
March 28, 2026 — PCI SSC changed the URL format for these FAQs. Content is unchanged.
Are P2PE Products (P2PE Solutions, P2PE Components, P2PE Applications) on the P2PE Expired Listings still considered "validated" per the P2PE Program Guide?
If a P2PE Solution is on PCI's list of Point-to-Point Encryption Solutions with Expired Validations, does the solution meet the eligibility criteria for SAQ P2PE?
Changed from https://www.pcisecuritystandards.org/faq/articles/Frequently_Asked_Question/if-a-p2pe-solution-is-on-pci-s-list-of-point-to-point-encryption-solutions-with-expired-validations-does-the-solution-meet-the-eligibility-criteria-for-saq-p2pe/ to https://www.pcisecuritystandards.org/faqs/1483/
If a P2PE Solution is shown as red or orange on PCI's list of Validated P2PE Solutions, does the solution meet the eligibility criteria for SAQ P2PE?
What is the meaning of 'initial PCI DSS assessment'?
Can the "Compliant but with Legal exception" option in the AOC be used to identify where a testing procedure could not be performed due to a legal constraint?
Can a 3DS entity outsource the hosting and management of its HSMs to a third-party service provider?
What types of 3DS components are in scope for Requirement P2-7 in the PCI 3DS Core Security Standard?
Is an EMVCo Letter of Approval required prior to conducting a PCI 3DS Assessment?
Can a PCI 3DS Assessment result in a finding of "Compliant" if some requirements are not tested?
Does PCI DSS define which versions of TLS must be used?
How can an entity meet PCI DSS requirements for PAN masking and truncation if it has migrated to 8-digit BINs?
What is the PCI 3DS (3D Secure) Core Security Standard?
For personnel working from home, is the work-from-home environment considered a "sensitive area" for PCI DSS Requirement 9?
Is an assessor required to visit work-from-home environments to determine if personnel are meeting PCI DSS requirements?
Are entities expected to do onsite audits of personnel work-from-home environments?
For PCI DSS, why is storage of sensitive authentication data (SAD) after authorization not permitted even when there are no primary account numbers (PANs) in an environment?
Changed from https://www.pcisecuritystandards.org/faq/articles/Frequently_Asked_Question/for-pci-dss-why-is-storage-of-sensitive-authentication-data-sad-after-authorization-not-permitted-even-when-there-are-no-primary-account-numbers-pans-in-an-environment/ to https://www.pcisecuritystandards.org/faqs/1533/
What is a compliance-accepting entity?
Are remote assessments permitted for PCI DSS?
What is the process to initiate a software evaluation to the PCI Secure Software Standard?
Who is qualified to perform assessments to the PCI Secure Software Standard?
What software is eligible for validation to the PCI Secure Software Standard?
When must validated payment software be revalidated?
What is the process for PCI Secure SLC Qualification?
Who is qualified to perform assessments to the PCI Secure SLC Standard?
Does PCI SSC provide a list of software vendors whose software development process(es) have been validated to the Secure SLC Standard?
Are there prerequisite PCI SSC program requirements to meet before qualifying as an SSF Assessor Company?
Can multiple changes for a Secure Software listing be submitted within a single change submission?
Are currently listed PA-DSS payment applications required to be revalidated using the Secure Software Standard?
Are Secure Software Assessors or Secure Software Lifecycle Assessors required to report Continuing Professional Education (CPE) credits to PCI SSC?
Is software-as-a-service (SaaS) eligible for Secure Software Standard validation and listing?
What is a PCI SSC Participating Payment Brand?
What impact does the inclusion of UnionPay in PCI DSS documents have on an entity's PCI DSS assessment?
Is a QSA Employee that designs, develops, or implements specific controls for a customer also permitted to assess those same controls?
What should an entity do if its PCI DSS assessment will not be complete prior to that standard's retirement date?
How does an entity report the results of a PCI DSS assessment for new requirements that are noted in PCI DSS as best practices until a future date?
Does an entity's PCI DSS assessment result expire when the standard against which the entity was assessed is retired?
Can a Qualified Security Assessor (QSA) ask an auditor from the same company (for example, one conducting a SOC 2 or SOC 3 audit) to collect evidence for a PCI DSS assessment?
Changed from https://www.pcisecuritystandards.org/faq/articles/Frequently_Asked_Question/can-a-qualified-security-assessor-qsa-ask-an-auditor-from-the-same-company-for-example-one-conducting-a-soc-2-or-soc-3-audit-to-collect-evidence-for-a-pci-dss-assessment/ to https://www.pcisecuritystandards.org/faqs/1566/
Can a Qualified Security Assessor (QSA) rely on the results from non PCI DSS assessment (for example, a SOC 2 or SOC 3 audit) for a PCI DSS assessment?
Is the PCI DSS Attestation of Compliance intended to be shared?
Is sampling allowed in PCI DSS v4.0?
Does TDEA meet the requirements of "strong cryptography" as defined in PCI DSS?
Is the expectation that any PFI investigation initiated must result in a PFI Final Report?
Can a compensating control be used for requirements with a periodic or defined frequency, where an entity did not perform the activity within the required timeframe?
Changed from https://www.pcisecuritystandards.org/faq/articles/Frequently_Asked_Question/can-a-compensating-control-be-used-for-requirements-with-a-periodic-or-defined-frequency-where-an-entity-did-not-perform-the-activity-within-the-required-timeframe/ to https://www.pcisecuritystandards.org/faqs/1572/
Do PCI DSS requirements for keyed cryptographic hashing apply to previously hashed PANs?
If an organization provides software or functionality that runs on a consumer's device (for example, smartphones, tablets, or laptops) and is used to accept payment account data, can the organization store card verification codes for those consumers?
Changed from https://www.pcisecuritystandards.org/faq/articles/Frequently_Asked_Question/if-an-organization-provides-software-or-functionality-that-runs-on-a-consumer-s-device-for-example-smartphones-tablets-or-laptops-and-is-used-to-accept-payment-account-data-can-the-organization-store-card-verification-codes-for-those-consumers/ to https://www.pcisecuritystandards.org/faqs/1574/
Does PCI SSC consider guidance from other standards organizations when making updates to PCI standards?
What evidence is a TPSP expected to provide to customers to demonstrate PCI DSS compliance?
What does “console access” mean for PCI DSS Requirements 8.4.1 and 8.4.2?
Can service providers use eligibility criteria from a merchant Self-Assessment Questionnaire (SAQ) to determine applicable PCI DSS requirements for the service provider’s assessment?
Changed from https://www.pcisecuritystandards.org/faq/articles/Frequently_Asked_Question/can-service-providers-use-eligibility-criteria-from-a-merchant-self-assessment-questionnaire-saq-to-determine-applicable-pci-dss-requirements-for-the-service-providers-assessment/ to https://www.pcisecuritystandards.org/faqs/1578/