Are digital leased lines considered public or private?
For PCI DSS requirement 4.1, digital leased lines are considered to be private since they are dedicated to the individual customer’s traffic.
Recent FAQ Changes
What is an Attestation of Compliance?
The Attestation of Compliance is the document used to indicate that the appropriate Report on Compliance or Self-assessment Questionnaire has been performed, and to attest to your organization?s compliance status …
Does the council have a mapping between PCI DSS and ISO 27002 (formerly ISO 17799) or other standards?
There is no direct correlation between PCI DSS and ISO 27002. The ISO standards provide a framework for implementing an information security program while PCI DSS provides a baseline of …
Would older operating systems that are no longer supported by the vendor be deemed non-compliant with the PCI DSS?
Systems that use operating systems that are no longer supported with new security patches by the vendor, OEM, or developer are not necessarily out of compliance. Compensating controls could address …
For PCI DSS requirement 3.4.1 for disk encryption, what is the intent of requiring that logical access must be managed independently of native operating access control mechanisms?
The intent of this requirement is to address the acceptability of disk encryption for rendering cardholder data unreadable. Disk encryption encrypts data stored on a computer’s mass storage and automatically …
Does media containing cardholder data (for example, backup tapes or disks) need to be physically labeled as confidential in order to meet PCI DSS Requirement 9.7.1?
The objective of PCI DSS requirement 9.7.1 ?Classify media so the sensitivity of the data can be determined,? is to ensure that media is controlled and protected against inadvertent or …
What happens if I'm using a PA-DSS validated payment application that is breached?
Events such as these should be accounted for in any service contract you sign with a software vendor. The Council requires that approved PA-QSAs carry appropriate liability insurance.
Is there opportunity to provide feedback on the PCI Council's standards?
Entities wishing to have early access and input into the PCI security standards are required to join the Council as a participating organization. Non-Participating Organizations will not have access to …
What is meant by "adequate network segmentation" in the PCI DSS?
Refer to DSS 1.2 section describing network segmentation.
Can unencrypted PANs be sent over end-user messaging technologies like instant messaging or chat?
PCI DSS requirement 4.2 prohibits the sending of unprotected primary account numbers (PANs) via end-user messaging technologies, including e-mail, instant messaging and chat, whether sent internally or over public networks. …