Recent FAQ Changes RSS

Latest changes to PCI SSC frequently asked questions.

❓ FAQ 1447 Deleted 2026-04-19T09:01:29.990028+00:00

How often must service providers test penetration testing segmentation controls under PCI DSS?

PCI DSS Requirement 11.4.6 requires service providers that use segmentation to isolate the cardholder data environment (CDE) from other networks to perform penetration tests on those segmentation controls at least …

❓ FAQ 1447 Link Changed 2026-04-19T08:00:48.020133+00:00

How often must service providers test penetration testing segmentation controls under PCI DSS?

PCI DSS Requirement 11.4.6 requires service providers that use segmentation to isolate the cardholder data environment (CDE) from other networks to perform penetration tests on those segmentation controls at least …

❓ FAQ 1341 Deleted 2026-04-19T01:01:19.831324+00:00

For third parties that undergo P2PE assessments for services they offer on behalf of P2PE solution providers, what is acceptable evidence they can provide to those P2PE solution providers?

This is a Technical FAQ for P2PE versions 1.x. This is a "normative" FAQ that is considered to be part of the P2PE requirements and shall be considered during a …

❓ FAQ 1341 Reinstated 2026-04-19T00:04:31.349591+00:00

For third parties that undergo P2PE assessments for services they offer on behalf of P2PE solution providers, what is acceptable evidence they can provide to those P2PE solution providers?

This is a Technical FAQ for P2PE versions 1.x. This is a "normative" FAQ that is considered to be part of the P2PE requirements and shall be considered during a …

❓ FAQ 1341 Link Changed 2026-04-19T00:04:31.349591+00:00

For third parties that undergo P2PE assessments for services they offer on behalf of P2PE solution providers, what is acceptable evidence they can provide to those P2PE solution providers?

This is a Technical FAQ for P2PE versions 1.x. This is a "normative" FAQ that is considered to be part of the P2PE requirements and shall be considered during a …

❓ FAQ 1348 Deleted 2026-04-08T01:00:10.212348+00:00

For P2PE Requirement 3A-4.2, are POI devices required to be physically secured (e.g., bolted to a counter-top or tethered with a cable) in the merchant environment? How does this requirement apply to handheld/wireless POI devices?

This is a Technical FAQ for P2PE versions 1.x. This is a "normative" FAQ that is considered to be part of the P2PE requirements and shall be considered during a …

❓ FAQ 1348 Reinstated 2026-04-08T00:04:13.374404+00:00

For P2PE Requirement 3A-4.2, are POI devices required to be physically secured (e.g., bolted to a counter-top or tethered with a cable) in the merchant environment? How does this requirement apply to handheld/wireless POI devices?

This is a Technical FAQ for P2PE versions 1.x. This is a "normative" FAQ that is considered to be part of the P2PE requirements and shall be considered during a …

❓ FAQ 1348 Link Changed 2026-04-08T00:04:13.374404+00:00

For P2PE Requirement 3A-4.2, are POI devices required to be physically secured (e.g., bolted to a counter-top or tethered with a cable) in the merchant environment? How does this requirement apply to handheld/wireless POI devices?

This is a Technical FAQ for P2PE versions 1.x. This is a "normative" FAQ that is considered to be part of the P2PE requirements and shall be considered during a …

❓ FAQ 1128 Deleted 2026-03-31T00:03:19.016691+00:00

What happens if I'm using a PA-DSS validated payment application that is breached?

Events such as these should be accounted for in any service contract you sign with a software vendor. The Council requires that approved PA-QSAs carry appropriate liability insurance.

❓ FAQ 1174 Deleted 2026-03-31T00:03:19.016691+00:00

For the list of Validated PA-DSS Applications, what is the difference between Revalidation Date and Expiry Date?

Revalidation Date: Annually, the software vendor is required to revalidate by completing Part 3b of the Attestation of Validation form, confirming that no changes have been made to the application …