Can VLANS be used for network segmentation?
In general, implementing adequate network segmentation can reduce the scope of the PCI DSS assessment if it isolates systems that store, process, or transmit cardholder data from other systems. While …
Recent FAQ Changes
What is the definition of "remote access"?
PCI DSS requirement 8.3 is intended to apply to users that have remote access to the network, where that remote access could lead to access to the cardholder data environment. …
I?m a small merchant who has limited payment card transaction volume. Do I need to be compliant with PCI DSS? If so, what is the deadline?
All merchants, whether small or large, need to be PCI compliant. The payment brands have collectively adopted PCI DSS as the requirement for organizations that process, store or transmit payment …
Who are the founders of the PCI Security Standards Council?
The founders of the PCI Security Standards Council are American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa Inc.
What is the role of the Advisory Board?
The role of the Advisory Board will be to provide strategic and technical guidance to the PCI Security Standards Council, reflecting different stakeholder perspectives. The Advisory Board does not have …
How does PA-DSS support a merchant?s PCI DSS compliance?
Traditional PCI DSS compliance may not apply to payment application vendors since most vendors do not store, process, or transmit cardholder data. However, because these payment applications are used by …
How does an organization maintain compliance when a standard changes?
To minimize changes to the standards, the PCI Security Standards Council (PCI SSC) has established a lifecycle approach for PCI DSS and PA-DSS, where major version changes to the standards …
Can you provide clarification on the user passwords referenced in PCI DSS 8.5?
PCI DSS requirement 8.5 requires all user passwords be securely managed. These requirements apply to all non-consumer users (not the cardholder) and administrators, not to credentials supplied by applications or …
Can you define "Inactive User" as used in PCI DSS requirement 8.5.5?
An inactive user is one whose account has not been used in over 90 days. Note that section 8.5 requirements only apply to “non-consumer users” or those individuals that access …
What is the definition of "merchant"?
For the purposes of the PCI DSS, a merchant is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC …