Why now for this change from PED to PTS?
The new name reflects an expanding standards program that will continue to incorporate other parts of the PIN based payment chain beyond PED and other physical devices. For example in …
Deleted FAQs
FAQs that have been removed from the PCI SSC website or have dead links.
Does P2PE Requirement 2A-2.1 mean that PIN data (which is an element of SAD) must be encrypted by the SRED functions of the PCI-approved POI device? How does this impact PIN Security Requirements for PTS devices processing PINs?
This is a Technical FAQ for P2PE versions 1.x. This is a "normative" FAQ that is considered to be part of the P2PE requirements and shall be considered during a …
What is the purpose of requiring account lockout, per PCI DSS Requirements 8.1.6 and 8.1.7?
The intent of PCI DSS Requirement 8.1.6 and 8.1.7 is to prevent a malicious user from gaining access to users' accounts, by continually trying to guess a user's password over …
Will all participating payment brands in the PCI Security Standards Council recognize a recommendation of compliance from an ASV?
Each individual brand is responsible for accepting a specific recommendation of compliance from an ASV.
Can organizations use alternative password management methods to meet PCI DSS Requirement 8?
The password requirements in PCI DSS include a minimum level of complexity and strength intended to be met by all types of organizations using a range of technologies. PCI SSC …
Does PA-DSS Requirement 3.3.2 apply to passwords used by the payment application to access other systems/applications (e.g. for the payment application to access a third-party database)?
PA-DSS Requirement 3.3.2 applies to all passwords generated or managed by the payment application that are used to authenticate access to the payment application. This requirement is not intended to …
How does using a PA-DSS validated application affect the scope of a merchant's PCI DSS assessment?
Applications which are PA-DSS validated have been assessed by a PA-QSA as meeting all PA-DSS requirements. This means the application, when properly installed and configured, is capable of supporting the …
How do the updated SSL/early TLS migration dates apply to service providers?
The deadline for all entities, including service providers, to migrate away from SSL and insecure versions of TLS is June 30, 2018. In order to support merchants and other customers …
Does a P2PE validated application also need to be validated against PA-DSS?
The P2PE Standard does not require applications solely used in a P2PE solution to be validated to PA-DSS. PA-DSS and P2PE are distinct PCI standards with separate requirements and programs, …
Can a third-party entity that performs P2PE functions on behalf of a P2PE solution provider undergo their own P2PE assessment, rather than undergoing an assessment each time a customer undergoes a P2PE assessment?
This is a Technical FAQ for P2PE versions 1.x. This is a "normative" FAQ that is considered to be part of the P2PE requirements and shall be considered during a …