The latest changes across all tracked PCI resources.
Individuals with a physical or mental impairment, or a limitation described as a disability under the Americans with Disabilities Act (ADA) or other applicable law, may request examination accommodations or …
Original equipment manufacturers (OEMs) and equipment resellers may provision equipment initially for the cardholder data environment (CDE), but once the equipment has been provisioned, they may no longer be involved …
The intent of this requirement is to prevent an unauthorized person from using an unattended console/PC to gain access to the user's computer and accounts, and potentially to the company's …
Any evidence reviewed as part of a PCI DSS assessment, where the assessor deems it to be valid when it is reviewed, remains valid for that assessment and does not …
The PCI Security Standards Council (PCI SSC) maintains a robust evaluation and qualification program for approved security assessors and scanning vendors. Information on becoming a qualified assessor or scan vendor …
All service providers are expected to meet PCI DSS requirements as applicable to the services offered to their customers. In addition, PCI DSS Appendix A1: Additional PCI DSS Requirements for …
The term “two-factor” was replaced with the term “multi-factor” in several requirements in PCI DSS v3.2 (Requirements 8.3, 8.3.1, 8.3.2, and 8.5.1). The intent of this change was to use …
PCI DSS is the standard for merchants and service providers to protect cardholder data. The PA-DSS and PTS device security requirements support the overall implementation of PCI DSS by allowing …
The intent of this requirement is to address the acceptability of disk encryption for rendering cardholder data unreadable. Disk encryption encrypts data stored on a computer’s mass storage and automatically …
No. PCI SSC does not require that an entity's assessor go onsite to the entity's TPSP and retest PCI DSS requirements that have already been covered in the TPSP's current …
No. There are no PCI DSS requirements that apply to manual imprinters (also known as “zip-zap” and “knuckle-buster” machines). They are not card reading devices as defined in Requirement 9.9, …
The PA-DSS details the requirements a payment application must meet in order to facilitate a customer’s PCI DSS compliance. PA-DSS validated payment applications, when implemented in a PCI DSS-compliant environment, …
No. PCI DSS Requirement 4.2.2. prohibits the sending of unprotected primary account numbers (PANs) via end-user messaging technologies, whether sent internally or over public networks. E-mail, instant messaging, SMS, and …
PCI DSS does not prevent the use of end-user technologies (such as email, SMS, chat, etc.) to request or receive cardholder data. However, if an end-user messaging technology is used …
Any cardholder data that is stored, processed, or transmitted must be protected in accordance with PCI DSS. If faxes are sent or received via modem over a traditional PSTN phone …