What is the role of the Advisory Board?
The role of the Advisory Board will be to provide strategic and technical guidance to the PCI Security Standards Council, reflecting different stakeholder perspectives. The Advisory Board does not have …
Latest changes to PCI SSC frequently asked questions.
The term "remote access" refers to access to a computer network from a location outside of that network. Examples of remote access include access from the Internet, an "untrusted" network …
PCI DSS Requirement 3.3 states that PAN must be masked when displayed (the first six and last four digits are the maximum number of digits to be displayed) such that …
The PA-DSS details the requirements a payment application must meet in order to facilitate a customer's PCI DSS compliance. PA-DSS validated payment applications, when implemented in a PCI DSS-compliant environment, …
At a high level, adequate network segmentation isolates systems that store, process, or transmit cardholder data from those that do not. Network segmentation can be achieved through a number of …
In general, it is expected that a company would have a policy and process for background checks, including their own decision process for which background check results would have an …
The objective of PCI DSS Requirement 9.6.1 "Classify media so the sensitivity of the data can be determined," is to ensure that media is controlled and protected against inadvertent or …
Individuals with a physical or mental impairment, or a limitation described as a disability under the Americans with Disabilities Act (ADA) or other applicable law, may request examination accommodations or …
Original equipment manufacturers (OEMs) and equipment resellers may provision equipment initially for the cardholder data environment (CDE), but once the equipment has been provisioned, they may no longer be involved …
The intent of this requirement is to prevent an unauthorized person from using an unattended console/PC to gain access to the user's computer and accounts, and potentially to the company's …