New application validations and High Impact Changes using PA-DSS 2.0 are no longer accepted. Low Impact and No Impact Changes to listed applications that were previously validated using PA-DSS 2.0 …
The Expiry Date for PA-DSS Validated Payment Applications is the date by which a vendor must have the application reassessed against the current PA-DSS requirements in order for the application …
New validations and High Impact Changes using PA-DSS v3.1 will be accepted until 31 August 2016. Low Impact and No Impact Changes to listed applications that were previously validated to …
PCI DSS Requirement 8 addresses secure authentication requirements and requires that all passwords and other authentication credentials be securely managed. These requirements apply to all non-consumer users and administrators. The …
Payment Application Qualified Security Assessors (PA-QSAs) are qualified by the Council to validate payment applications for compliance with PA-DSS. A list of PA-QSAs is available on the Council website. A …
Yes, a payment application designed to store both hashed and truncated PAN is required to have additional controls to prevent their correlation, as noted in PA-DSS Requirement 2.3. This is …
Yes; PA-DSS v3.0 requires that a strong, one-way cryptographic algorithm with a unique input variable be used to render all payment application passwords unreadable during storage. This meets the intent …
A payment application is required to restrict administrative access and access to cardholder data to authenticated (Requirement 3.1.4), authorized (Requirement 3.1) users. Where users authenticate to the payment application using …
With regard to issuers or companies that support issuing services, such as third-party processors (TPPs) and other issuing-type processors, it is recognized that such entities may have a …