There is a distinct difference in terms of payment acceptance between Direct Post & iFrames/redirects, which is why there are different SAQs. In a Direct Post implementation, the merchant website …
A payment application is required to restrict administrative access and access to cardholder data to authenticated (Requirement 3.1.4) and authorized (Requirement 3.1) users. Where users authenticate to the payment application using …
PA-DSS Requirement 3.3.2 applies to all passwords generated or managed by the payment application that are used to authenticate access to the payment application. This requirement is not intended to …
Yes; PA-DSS v3.0 requires that a strong, one-way cryptographic algorithm with a unique input variable be used to render all payment application passwords unreadable during storage. This meets the intent …
PCI SSC does not require that an entity's assessor go onsite to the entity's service providers and retest PCI DSS requirements that have already been validated and are covered under …
If the consumer is also the cardholder and is using the device solely for his/her own cardholder data entry, and the application can only be used by that cardholder using …
Service providers include business entities that are not a payment brand and are directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This includes organizations …
PCI DSS applies to all primary account numbers (PANs) that represent PCI SSC’s founding payment brands (American Express, Discover, JCB, MasterCard, or Visa). Whether a one-time PAN is in scope …
To be eligible for SAQ A, all elements of the payment pages must only originate from PCI DSS compliant service provider(s), and no single element of a payment page can …
The way that criminals attempt to hijack card data from e-commerce transactions depends on the way that the merchant’s website accepts cardholder data, the difficulty of gaining access to the …