What is the difference between masking and truncation?
Masking is addressed in PCI DSS Requirement 3.4.1, whereas truncation is one of several options specified to meet PCI DSS Requirement 3.5.1.
Requirement 3.4.1 relates to the protection of …
Recent FAQ Changes
Is it permissible to use self-decrypting files for encryption to send cardholder data?
PCI DSS Requirement 4.2 and its sub requirements state that transmission of cardholder data over an open or public network must be secured using strong cryptography and security protocols.
…
For PCI DSS, can sensitive account data be stored before authorization?
For PCI DSS, account data consists of cardholder data (CHD) and sensitive authentication data (SAD). With respect to SAD, PCI DSS Requirement 3.3.1 prohibits storage of SAD after authorization, even …
Can the full payment card number be displayed within a browser window?
PCI DSS requirement 3.4.1 requires that the PAN be masked when it is displayed (for example, on screens, logs, reports, receipts), unless the viewing party has a specific business need …
Are Approved Scanning Vendors and Qualified Security Assessors considered third-party service providers for PCI DSS Requirements 12.8 and 12.9?
No, Approved Scanning Vendors (ASVs) and Qualified Security Assessors (QSAs) are not considered third-party service providers (TPSPs) for purposes of PCI DSS Requirements 12.8 and 12.9, if an ASV or …
Can a compensating control be used for requirements with a periodic or defined frequency, where an entity did not perform the activity within the required timeframe?
No.
Several PCI DSS requirements specify that a security activity is to be performed periodically or at a defined frequency. If an entity fails to perform the control on …
How often must service providers test penetration testing segmentation controls under PCI DSS?
PCI DSS Requirement 11.4.6 requires service providers that use segmentation to isolate the cardholder data environment (CDE) from other networks to perform penetration tests on those segmentation controls at least …
Are merchants allowed to request card-verification codes/values from cardholders?
Yes. Card verification codes/values (e.g., CVV2, CVC2, CID, or CAV2) are commonly requested during card-not-present (CNP) transactions such as e-commerce or mail order/telephone order (MOTO) to help verify that the …
What is the maximum period of time that cardholder data can be stored?
PCI DSS does not define a specific maximum or minimum length of time for which cardholder data can be stored. PCI DSS Requirement 3.2.1 requires entities to implement data retention …
How can an entity ensure that hashed and truncated versions cannot be correlated?
PCI DSS Requirement 3.5.1 states that if hashed and truncated versions of the same PAN, or different truncation formats, are present in the environment, additional controls must be implemented to …