What is the maximum period of time that cardholder data can be stored?
PCI DSS does not define minimum or maximum times for how long cardholder data may be stored. PCI DSS Requirement 3.2.1 specifies that a data retention and disposal policy must …
The latest changes across all tracked PCI resources.
PCI DSS Requirement 10.4.1 defines several events and system types that require daily log reviews, but Requirement 10.4.2 allows the organization to determine the log review frequency for all other …
No, PCI DSS Requirement 9.5 does not require devices to be fixed in place or physically attached to a surface. Requirement 9.5 and its three sub-requirements address three areas of …
Yes. Using strong cryptography to hash the password meets the intent of the PCI DSS Requirement 8.3.2, which requires that all authentication factors be rendered unreadable during transmission and storage …
PCI DSS requirements apply to all system components, unless it has been verified that a requirement is not applicable for a particular system. Decisions about the applicability of PCI DSS …
Masking is addressed in PCI DSS Requirement 3.4.1, whereas truncation is one of several options specified to meet PCI DSS Requirement 3.5.1. Requirement 3.4.1 relates to the protection of …
PCI DSS Requirement 4.2 and its sub-requirements state that transmission of cardholder data over an open or public network must be secured using strong cryptography and security protocols. …
For PCI DSS, account data consists of cardholder data (CHD) and sensitive authentication data (SAD). With respect to SAD, PCI DSS Requirement 3.3.1 prohibits storage of SAD after authorization, even …
PCI DSS Requirement 3.4.1 requires that the PAN be masked when it is displayed (for example, on screens, logs, reports, receipts), unless the viewing party has a specific business need …
No, Approved Scanning Vendors (ASVs) and Qualified Security Assessors (QSAs) are not considered third-party service providers (TPSPs) for purposes of PCI DSS Requirements 12.8 and 12.9, if an ASV or …
No.
Several PCI DSS requirements specify that a security activity is to be performed periodically or at a defined frequency. If an entity fails to perform the control on …
PCI DSS Requirement 11.4.6 requires service providers that use segmentation to isolate the cardholder data environment (CDE) from other networks to perform penetration tests on those segmentation controls at least …
Yes. Card verification codes/values (e.g., CVV2, CVC2, CID, or CAV2) are commonly requested during card-not-present (CNP) transactions such as e-commerce or mail order/telephone order (MOTO) to help verify that the …
PCI DSS does not define a specific maximum or minimum length of time for which cardholder data can be stored. PCI DSS Requirement 3.2.1 requires entities to implement data retention …
PCI DSS Requirement 3.5.1 states that if hashed and truncated versions of the same PAN, or different truncation formats, are present in the environment, additional controls must be implemented to …