PCI Watch

❓ PCI SSC FAQs FAQ #1308 Updated 2025-06-11T14:58:15+00:00

How can an entity ensure that hashed and truncated versions cannot be correlated?

PCI DSS Requirement 3.5.1 states that if hashed and truncated versions of the same PAN, or different truncation formats, are present in the environment, additional controls must be implemented to …

❓ PCI SSC FAQs FAQ #1281 Updated 2025-06-11T14:57:47+00:00

Are point-of-interaction devices required to be physically secured (for example, with a cable or tether) to prevent removal or substitution to meet PCI DSS Requirement 9.5?

No. PCI DSS does not require that point-of-interaction (POI) devices be physically attached or fixed in place. However, Requirements under Requirement 9.5.1 require controls to detect and prevent tampering or …

❓ PCI SSC FAQs FAQ #1234 Updated 2025-06-11T14:57:26+00:00

I have had an external vulnerability scan completed by an ASV – does this mean I am PCI DSS compliant?

PCI DSS Requirement 11.3.2.1 addresses the need for quarterly external vulnerability scans to be performed by a PCI SSC Approved Scanning Vendor (ASV). The ASV will produce a scan report …

❓ PCI SSC FAQs FAQ #1222 Updated 2025-06-11T14:57:12+00:00

Does cardholder name, expiration date, etc. need to be rendered unreadable if stored in conjunction with the PAN (Primary Account Number)?

No. Only the Primary Account Number (PAN) must be rendered unreadable when it is stored, in accordance with Requirement 3.5.1. Other elements of cardholder data, such as cardholder name, expiration …

❓ PCI SSC FAQs FAQ #1210 Updated 2025-06-11T14:56:01+00:00

Are audio/voice recordings permitted to contain sensitive authentication data?

PCI DSS Requirement 3.3.1 prohibits storage of sensitive authentication data (SAD), including card validation codes and values, after authorization even if the data is encrypted. Storage of card validation codes …

❓ PCI SSC FAQs FAQ #1093 Updated 2025-06-11T14:55:00+00:00

Do PCI DSS requirements for protecting stored cardholder data apply to mainframes?

Yes. PCI DSS Requirement 3.5.1 applies to mainframes that store cardholder data. If a company has legitimate business or technical constraints in meeting this or any other requirement, compensating controls …

❓ PCI SSC FAQs FAQ #1092 Updated 2025-06-11T14:54:59+00:00

Does PCI DSS apply to merchants who outsource all payment processing operations and never store, process or transmit cardholder data?

Yes. PCI DSS is intended for any entity that stores, processes, or transmits cardholder data — regardless of whether these activities are conducted directly or by a third-party service provider.

…

📘 PCI SSC Document Library PTS Updated 2025-06-10T07:00:00+00:00

PTS HSM Technical Frequently Asked Questions

Updated version published, replaces version from 2025-06-10T07:00:00+00:00

📘 PCI SSC Document Library PTS Updated 2025-05-29T07:00:00+00:00

Point of Interaction (POI) Modular Security Requirements Summary of Changes

Updated version published, replaces version from 2023-01-27T08:00:00+00:00

📘 PCI SSC Document Library PTS Updated 2025-05-29T07:00:00+00:00

Point of Interaction (POI)

Updated version published, replaces version from 2023-01-27T08:00:00+00:00

📘 PCI SSC Document Library PTS Updated 2025-05-29T07:00:00+00:00

Point of Interaction (POI) Modular Security Requirements

Updated version published, replaces version from 2023-01-27T08:00:00+00:00

❓ PCI SSC FAQs FAQ #1597 New 2025-05-28T09:17:10+00:00

What are the expectations for entities when assigning risk rankings to vulnerabilities and resolving or addressing those vulnerabilities?

There are several PCI DSS requirements that govern vulnerability management and reference related timeframes. These requirements are described under the general topics of 1) identifying and risk ranking vulnerabilities, and …

📘 PCI SSC Document Library Software Security Updated 2025-05-28T07:00:00+00:00

Recent Updates

How can an entity ensure that hashed and truncated versions cannot be correlated?

Are point-of-interaction devices required to be physically secured (for example, with a cable or tether) to prevent removal or substitution to meet PCI DSS Requirement 9.5?

I have had an external vulnerability scan completed by an ASV – does this mean I am PCI DSS compliant?

Does cardholder name, expiration date, etc. need to be rendered unreadable if stored in conjunction with the PAN (Primary Account Number)?

Are audio/voice recordings permitted to contain sensitive authentication data?

Do PCI DSS requirements for protecting stored cardholder data apply to mainframes?

Does PCI DSS apply to merchants who outsource all payment processing operations and never store, process or transmit cardholder data?

PTS HSM Technical Frequently Asked Questions

Point of Interaction (POI) Modular Security Requirements Summary of Changes

Point of Interaction (POI)

Point of Interaction (POI) Modular Security Requirements

What are the expectations for entities when assigning risk rankings to vulnerabilities and resolving or addressing those vulnerabilities?

Secure Software v1.x Technical FAQs

Secure Software v1.x Technical FAQs

Secure Software v1.x Technical FAQs