Does the PCI DSS apply to issuers?
PCI DSS applies to any entity that stores, processes, or transmits cardholder data and any such entity is expected to comply with PCI DSS, including issuers. However, each payment card …
Recent FAQ Changes
Do the PCI DSS requirements apply to card manufacturers, embossers, card personalizers, or entities that prepare data for card manufacturing?
Organizations that participate in data preparation, manufacturing, personalizing, and/or and embossing for plastic cards are considered Service Providers for purposes of PCI DSS and should adhere to PCI DSS. However, …
How does PCI DSS apply to individual PCs or workstations?
All system components in the network are considered part of the cardholder data environment unless adequate network segmentation is in place that isolates systems that store, process, or transmit cardholder …
What does one function per server mean?
The intent of the one primary function per server requirement (Requirement 2.2.1 of the PCI DSS) is to ensure that your organization?s system configuration standards and related processes address server …
Does the logging required at PCI DSS Requirements 10.2 and 10.3 mean we have to enable database logging as well?
The intent of the logging requirement is to provide a full record of who did what, when, and how, so that it can be used for investigation in the event …
Which Self-assessment Questionnaire (SAQ) should we complete?
Please refer to the ?Selecting the SAQ and Attestation that Best Apply to Your Organization? section in the PCI DSS SAQ Instructions and Guidelines document for information about the different …
Does Requirement 3.4 apply to mainframes?
Requirement 3.4 of the PCI DSS applies to mainframes that store cardholder data. If the company has legitimate business or technical constraints to meet this or any other requirement, compensating …
Are hashed Primary Account Numbers (PAN) considered cardholder data that must be protected in accordance with PCI DSS?
One-way hashing meets the intent of rendering the PAN unreadable in storage; however the hashing process and results, as well as the system(s) that perform the hashing, would still be …
For ASV scans, what is meant by quarterly?
The intent of the quarterly scans as prescribed in Requirement 11.2 of the PCI DSS is to have them conducted as close to three months or 90 days apart as …
The Attestation of Compliance for Self Assessment Questionnaires B, C, and D asks what Payment Application is in use, and the Payment Application Version - what is meant by a ?payment application??
A payment application is a commercial application that stores, processes, or transmits cardholder data as part of authorization or settlement. A common example of a payment application is the software …