Are digital leased lines considered public or private?
For PCI DSS requirement 4.1, digital leased lines are considered to be private since they are dedicated to the individual customer’s traffic.
Recent FAQ Changes RSS
Latest changes to PCI SSC frequently asked questions.
Can you provide clarification on the user passwords referenced in PCI DSS 8.5?
PCI DSS requirement 8.5 requires all user passwords be securely managed. These requirements apply to all non-consumer users (not the cardholder) and administrators, not to credentials supplied by applications or …
Can you define "Inactive User" as used in PCI DSS requirement 8.5.5?
An inactive user is one whose account has not been used in over 90 days. Note that section 8.5 requirements only apply to “non-consumer users” or those individuals that access …
How should a hosting provider demonstrate PCI DSS compliance (as part of their client's assessment or in their own separate assessment)?
Per the Scope of Assessment section of the PCI DSS Requirements and Security Assessment Procedures, there are two options for hosting providers and other third party providers to validate compliance:
…How would an identified Denial of Service (DoS) vulnerability affect a company's ability to pass a PCI DSS vulnerability scan from an Approved Scanning Vendor (ASV)?
While some ASVs may report DoS vulnerabilities as relatively high risks, the PCI SSC has clearly instructed ASVs to not consider this vulnerability when determining compliance of the ASV scan …
Should cardholder data be encrypted while in memory?
If the cardholder data is stored in non-persistent memory (e.g. RAM), encryption of cardholder data is not required. However, proper controls must be in place to ensure that memory maintains …
What is the scope of a PCI DSS assessment for a network that is not segmented?
Without proper network segmentation to isolate the systems that store, process or transmit cardholder data from those that do not, all system components in that network are considered part of …
Is it required that all of a company?s sites, even those located in other countries, must be included in the company?s PCI DSS review?
The PCI DSS is a global standard and is applicable to all entities that process, transmit or store cardholder data regardless of geographic location. Each payment brand manages their PCI …
Does PCI DSS apply to debit cards, debit payments, and debit systems?
Any payment card (credit, debit, prepaid, stored value, gift or chip) bearing the logo of one of the PCI Security Standards Council?s five founding payment brands is required to be …
Does PCI DSS apply to "hot cards," fraudulent or invalid card numbers, or cancelled cards?
If the issuer confirms the cards are inactive or disabled, the PANs (Primary Account Numbers) no longer pose fraud risk to the payment system. The PCI DSS would not apply …