Recent Updates
The latest changes across all tracked PCI resources.
Vulnerability Management Infographic
Can SAQ eligibility criteria be used as a guide for determining applicability of PCI DSS requirements for merchant assessments documented in a Report on Compliance?
Service providers cannot use SAQ eligibility criteria to determine applicability of PCI DSS requirements for assessments documented in a Report on Compliance (ROC). The only acceptable SAQ for service providers …
PIN Attestation of Compliance (AOC)
QPA Program Guide
Is phishing-resistant authentication alone acceptable as multi-factor authentication for PCI DSS Requirements 8.4.1 and 8.4.3?
No, phishing-resistant authentication cannot be used without an additional authentication factor to meet Requirements 8.4.1 or 8.4.3 because of the increased risk with these types of access.
Use of …
Are passkeys synced across devices, implemented according to the FIDO2 requirements, acceptable for use as phishing-resistant authentication to meet PCI DSS Requirement 8.4.2?
Yes. Passkeys synced across devices (also called synced passkeys), implemented according to the FIDO2 requirements, are considered phishing-resistant authentication, and may be used as a single authentication factor in place …
SAQ Instructions and Guidelines
Guidance for PCI DSS Requirements 6.4.3 and 11.6.1
How should PCI DSS v4.x requirements noted as superseded by another requirement be reported after 31 March 2025?
After 31 March 2025, superseded requirements should be marked as Not Applicable (N/A) in a Report on Compliance (ROC) or Self-Assessment Questionnaire (SAQ).
Three PCI DSS v4.x requirements include …
Are providers of third-party scripts for e-commerce environments considered third-party service providers for PCI DSS Requirements 12.8 and 12.9?
A provider of third-party scripts is not considered a third-party service provider (TPSP) for PCI DSS Requirements 12.8 and 12.9 as part of an entity's assessment of the entity's e-commerce …
Why do requirements 8.3.9 and 8.3.10.1 focus on passwords/passphrases used for single-factor authentication, when multi-factor authentication is required for all access into the CDE?
PCI DSS Requirement 8.4.2 for multi-factor authentication (MFA) is not mandatory for access to in-scope system components outside of the CDE. If a user's access to a system component can …
Do PCI DSS Requirements 8.3.9 and 8.3.10.1 apply to all system components?
No. PCI DSS Requirements 8.3.9 and 8.3.10.1 do not apply to in-scope system components where multi-factor authentication (MFA) is used.
Requirements 8.3.9 and 8.3.10.1 apply if passwords/passphrases are used …
QPA Qualification Requirements
Is the cardholder in scope for PCI DSS?
No.