Recent FAQ Changes

❓ FAQ 1602 New 2026-02-03T17:56:23+00:00

Should entities with enterprise or internal service providers, used to provide internal services to other corporate entities, conduct separate PCI DSS assessments of these service providers or include them as part of each corporate entity’s PCI DSS assessment?

Assessed entities have the discretion to either have enterprise functions assessed separately as an internal service provider or include those functions in each individual corporate entity’s PCI DSS assessment. Regardless …

❓ FAQ 1223 Deleted 2026-01-21T15:01:10.141934+00:00

Does PCI DSS, PA-DSS, or PTS apply to ATMs?

PCI DSS applies to entities involved in payment card processing or that otherwise store, process, or transmit cardholder data; the Payment Application Data Security Standard (PA-DSS) applies to payment applications …

❓ FAQ 1052 Deleted 2026-01-21T15:01:10.141934+00:00

Can a payment application that implements the same cryptographic keys across multiple installations be PA-DSS compliant?

No. If cryptographic keys are provided by the application vendor as part of the application, the keys must be unique to each customer or installation. An application that requires the …

❓ FAQ 1053 Deleted 2026-01-21T15:01:10.141934+00:00

Can a payment application that uses cryptographic keys hard-coded by the vendor be PA-DSS compliant if they cannot be changed by the customer?

No. In order to meet PA-DSS and PCI DSS requirements, the payment application must facilitate the customers' ability to perform key changes periodically and as required by the customer in …

❓ FAQ 1041 Deleted 2026-01-21T15:01:10.141934+00:00

What is the scope of a PCI DSS assessment for a network that is not segmented?

Without proper network segmentation to isolate the systems that store, process or transmit cardholder data from those that do not, all system components in that network are considered part of …

❓ FAQ 1196 Deleted 2026-01-21T15:01:10.141934+00:00

If I am deemed PCI DSS compliant today by one of the payment card brands, will the other brands in the PCI Security Standards Council recognize this designation of compliance and if so, what information must be put forth to achieve such recognition?

Since the individual payment brands are responsible for their own PCI DSS compliance programs, organizations should follow each brand's specific compliance processes and procedures.

❓ FAQ 1040 Deleted 2026-01-21T14:03:10.147292+00:00

Is it required that all of a company's sites, even those located in other countries, must be included in the company's PCI DSS review?

The PCI DSS is a global standard and is applicable to all entities that process, transmit or store cardholder data regardless of geographic location. Each payment brand manages their PCI …

❓ FAQ 1435 Updated 2026-01-21T10:54:20+00:00

Recent FAQ Changes RSS