PCI Watch - Tracking changes across the Payment Card Industry

❓ PCI SSC FAQs FAQ #1266 Updated 2023-03-13T23:57:00+00:00

If an entity is in the middle of a PCI DSS assessment when a new version of the standard is released — should the assessment be started again using the new version?

Entities should always contact their acquirer or the payment brands directly for information about their compliance programs and reporting requirements. Contact details for the payment brands can be found in …

❓ PCI SSC FAQs FAQ #1564 New 2023-03-13T23:42:00+00:00

How does an entity report the results of a PCI DSS assessment for new requirements that are noted in PCI DSS as best practices until a future date?

Where a future-dated requirement has not yet been implemented by an entity and the Report on Compliance (ROC) or Self-Assessment Questionnaire (SAQ) is completed prior to the effective date of …

❓ PCI SSC FAQs FAQ #1565 New 2023-03-13T23:42:00+00:00

Does an entity's PCI DSS assessment result expire when the standard against which the entity was assessed is retired?

No. The period for which an entity's PCI DSS assessment result is valid does not change if the standard against which the entity was assessed has been retired. However, how …

❓ PCI SSC FAQs FAQ #1566 New 2023-03-13T23:41:00+00:00

Can a Qualified Security Assessor (QSA) ask an auditor from the same company (for example, one conducting a SOC 2 or SOC 3 audit) to collect evidence for a PCI DSS assessment?

Yes. However, regardless of how the QSA obtains evidence to support a PCI DSS assessment, the QSA conducting the PCI DSS assessment has the ultimate responsibility for their client's assessment …

❓ PCI SSC FAQs FAQ #1567 New 2023-03-13T23:40:00+00:00

Can a Qualified Security Assessor (QSA) rely on the results from non PCI DSS assessment (for example, a SOC 2 or SOC 3 audit) for a PCI DSS assessment?

No, due to the variability of scope coverage and assessor validation procedures, a QSA cannot rely on reports from other attestation engagements (like SOC 2 or SOC 3) for a …

❓ PCI SSC FAQs FAQ #1473 Updated 2023-03-13T22:31:00+00:00

What is the role of compliance-accepting entities and assessors in determining the applicability of PCI DSS requirements for merchant and service provider PCI DSS assessments?

Compliance-accepting entities (typically, payment brands and acquirers) are responsible for determining the PCI DSS validation and reporting methods of their merchants and service providers, including how compliance is to be …

❓ PCI SSC FAQs FAQ #1563 New 2023-03-13T00:00:00+00:00

What should an entity do if its PCI DSS v3.2.1 assessment will not be complete prior to that standard?s retirement date of 31 March 2024?

Compliance questions, including questions about whether it is acceptable to submit a PCI DSS v3.2.1 assessment report after that standard’s retirement date of 31 March 2024, should be directed to …

❓ PCI SSC FAQs FAQ #1328 Updated 2023-03-13T00:00:00+00:00

Which version of PCI DSS should an entity use?

The current version of PCI DSS is v4.0. PCI DSS v3.2.1 is also valid through 31 March 2024, after which that version will be retired.After 31 March 2024, PCI DSS …

📣 PCI SSC Communications Blog New 2023-03-13T00:00:00+00:00

Coffee with the Council Podcast: Help Elect the Council’s Next Board of Advisors

Hello and welcome to Coffee with the Council. I’m Alicia Malone, Senior Manager of Public Relations at the PCI Security Standards Council. This month, we begin the election phase …

📣 PCI SSC Communications Blog New 2023-02-21T00:00:00+00:00

New Video Series: Questions with the Council

In this new video series, Emma Sutcliffe, SVP Standards, answers the payment industry’s questions about PCI DSS v4.0. Questions include:

What are the first steps organizations should …

📣 PCI SSC Communications Industry Bulletin New 2023-02-17T15:20:07+00:00

Special Interest …

📣 PCI SSC Communications Industry Bulletin New 2023-01-27T15:51:45+00:00

Recent Updates RSS

If an entity is in the middle of a PCI DSS assessment when a new version of the standard is released — should the assessment be started again using the new version?

How does an entity report the results of a PCI DSS assessment for new requirements that are noted in PCI DSS as best practices until a future date?

Does an entity's PCI DSS assessment result expire when the standard against which the entity was assessed is retired?

Can a Qualified Security Assessor (QSA) ask an auditor from the same company (for example, one conducting a SOC 2 or SOC 3 audit) to collect evidence for a PCI DSS assessment?

Can a Qualified Security Assessor (QSA) rely on the results from non PCI DSS assessment (for example, a SOC 2 or SOC 3 audit) for a PCI DSS assessment?

What is the role of compliance-accepting entities and assessors in determining the applicability of PCI DSS requirements for merchant and service provider PCI DSS assessments?

What should an entity do if its PCI DSS v3.2.1 assessment will not be complete prior to that standard?s retirement date of 31 March 2024?

Which version of PCI DSS should an entity use?

Coffee with the Council Podcast: Help Elect the Council’s Next Board of Advisors

New Video Series: Questions with the Council

PCI Security Standards Council Bulletin: Updated Version of Mobile Payments on COTS (MPoC) to Address Errata

Can a service provider redact information in the PCI DSS Attestation of Compliance before providing it to customers?

Coffee with the Council Podcast: What’s New at the Council in 2023 Featuring Lance Johnson

Vote Now for the 2023 Special Interest Group Project

PCI Security Standards Council Bulletin: PTS POI Modular Security Requirements v6.2 Published