This article brings together common customer questions and practical answers based on typical Secureframe workflows, compliance situations and unique tech stacks.
It is meant as quick reference material for day-to-day use of the product.
Evidence and requirements
Can a PCI-listed P2PE solution significantly reduce the number of PCI DSS requirements applicable to a merchant’s cardholder data environment?
Yes, a PCI-listed P2PE solution can significantly reduce the number of PCI DSS requirements applicable to a merchant’s cardholder data environment.
Do Information Supplements supersede, replace, or extend PCI DSS or any of its requirements?
No, Information Supplements do not supersede, replace, or extend PCI DSS or any of its requirements.
Do PCI DSS requirements apply to entities with environments that do not store, process, or transmit account data?
Yes. Some PCI DSS requirements may also apply to entities with environments that do not store, process, or transmit account data, for example, entities that outsource payment operations or management of their cardholder data environment (CDE).
Does a TPSP need to be PCI DSS compliant for its customer to meet Requirement 12.8?
No. A TPSP does not need to be PCI DSS compliant for its customer to meet Requirement 12.8; the customer must monitor the TPSP's compliance status as the requirement specifies.
Does PCI DSS include requirements that specifically refer to account data, cardholder data, and sensitive authentication data?
Yes, PCI DSS includes requirements that specifically refer to account data, cardholder data, and sensitive authentication data.
Does PCI DSS Requirement 6 fully apply to bespoke and custom software that has not been developed and maintained in accordance with one of PCI SSC’s Software Security Framework standards?
Yes, PCI DSS Requirement 6 fully applies to bespoke and custom software that has not been developed and maintained in accordance with one of PCI SSC’s Software Security Framework standards.
Does Requirement 12.8 specify that the customer’s TPSPs must be PCI DSS compliant?
Requirement 12.8 does not specify that the customer’s TPSPs must be PCI DSS compliant, only that the customer monitors their compliance status as specified in the requirement.
Does Requirement 3.4.1 supersede stricter requirements in place for displays of cardholder data?
This requirement does not supersede stricter requirements in place for displays of cardholder data— for example, legal or payment brand requirements for point-of-sale (POS) receipts.
Does the written agreement with a TPSP have to include the exact wording provided in the PCI DSS requirement?
The agreement does not have to include the exact wording provided in this requirement.
Even if a multi-tenant service provider meets the requirements, who is still responsible for complying with PCI DSS requirements?
Even though a multi-tenant service provider may meet these requirements, each customer is still responsible for complying with the PCI DSS requirements that are applicable to its environment and for validating compliance as applicable.
Even if an entity does not store, process, or transmit PAN, may some PCI DSS requirements still apply?
Yes, even if an entity does not store, process, or transmit PAN, some PCI DSS requirements may still apply.
For a customer that is looking for evidence of PCI DSS compliance for requirements that a TPSP meets on a customer’s behalf or where the service provided can impact the security of the customer’s cardholder data and/or sensitive authentication data, is the TPSP’s presence on a payment brand’s list of PCI DSS compliant service providers sufficient evidence that the applicable PCI DSS requirements for that TPSP were included in the assessment?
No, the TPSP’s presence on a payment brand’s list of PCI DSS compliant service providers is not sufficient evidence that the applicable PCI DSS requirements for that TPSP were included in the assessment.
For a customer that is monitoring a TPSP’s compliance status in accordance with Requirement 12.8, may the TPSP’s presence on a payment brand’s list of PCI DSS compliant service providers be sufficient evidence of the TPSP’s compliance status?
Yes, the TPSP’s presence on a payment brand’s list of PCI DSS compliant service providers may be sufficient evidence of the TPSP’s compliance status if it is clear from the list that the services applicable to the customer were covered by the TPSP’s PCI DSS assessment.
How many principal PCI DSS requirements are there?
There are 12 principal PCI DSS requirements.
How often should hardware and software technologies be reviewed to confirm whether they continue to meet the organization’s PCI DSS requirements?
At least once every 12 months.
How will bespoke and custom software that has been developed and maintained in accordance with one of PCI SSC’s Software Security Framework standards support an entity in meeting PCI DSS Requirement 6?
Bespoke and custom software that has been developed and maintained in accordance with one of PCI SSC’s Software Security Framework standards (the Secure Software Standard or the Secure SLC standard) will support an entity in meeting PCI DSS Requirement 6.
If an entity stores, processes, or transmits PAN, what exists to which PCI DSS requirements will apply?
If an entity stores, processes, or transmits PAN, then a CDE exists to which PCI DSS requirements will apply.
If cardholder data is only present on physical media (for example paper), which requirements will be applicable?
If cardholder data is only present on physical media (for example paper), requirements relating to the security and disposal of physical media in Requirement 9 will be applicable.
If an entity can impact the security of cardholder data and/or sensitive authentication data because the security of its infrastructure can affect how cardholder data is processed (for example, via a web server that controls the generation of a payment form or page), which requirements will be applicable?
Some PCI DSS requirements will be applicable, because the entity's environment can impact the security of cardholder data even though it may not store, process, or transmit it.
Is encryption of cardholder data with strong cryptography an acceptable method of rendering the data unreadable according to PCI DSS Requirement 3.5?
Yes, encryption of cardholder data with strong cryptography is an acceptable method of rendering the data unreadable according to PCI DSS Requirement 3.5.
Are specific references within requirements to account data, cardholder data, or sensitive authentication data purposeful?
Yes, specific references within requirements to account data, cardholder data, or sensitive authentication data are purposeful, and the requirements apply specifically to the type of data that is referenced.
Regardless of whether a PCI DSS requirement is automated or manual, what is important for BAU processes?
Regardless of whether a PCI DSS requirement is automated or manual, it is important for BAU processes to detect anomalies, and alert and report so that responsible individuals address the situation in a timely manner.
To what do PCI DSS requirements apply?
PCI DSS requirements apply to:
The cardholder data environment (CDE), which is comprised of:
System components, people, and processes that store, process, or transmit cardholder data and/or sensitive authentication data, and
System components that may not store, process, or transmit CHD/SAD but have unrestricted connectivity to system components that store, process, or transmit CHD/SAD.
AND
System components, people, and processes that could impact the security of cardholder data and/or sensitive authentication data.
To whom do PCI DSS requirements apply?
PCI DSS requirements apply to entities with environments where account data (cardholder data and/or sensitive authentication data) is stored, processed, or transmitted, and entities with environments that can impact the security of cardholder data and/or sensitive authentication data.
What appendices contain additional PCI DSS requirements?
Appendix A1, Appendix A2, and Appendix A3 contain additional PCI DSS requirements.
What are some examples of PCI DSS requirements that should be verified during a change management process?
Network diagrams are updated to reflect changes, systems are configured per configuration standards, systems are protected with required controls, sensitive authentication data is not stored, and new systems are included in the quarterly vulnerability scanning process.
What are some PCI DSS requirements intended to act as?
Some PCI DSS requirements are intended to act as BAU processes by monitoring security controls to ensure their effectiveness on an ongoing basis.
What are the 12 principal PCI DSS requirements?
The 12 principal PCI DSS requirements are:
1. Install and Maintain Network Security Controls.
2. Apply Secure Configurations to All System Components.
3. Protect Stored Account Data.
4. Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks.
5. Protect All Systems and Networks from Malicious Software.
6. Develop and Maintain Secure Systems and Software.
7. Restrict Access to System Components and Cardholder Data by Business Need to Know.
8. Identify Users and Authenticate Access to System Components.
9. Restrict Physical Access to Cardholder Data.
10. Log and Monitor All Access to System Components and Cardholder Data.
11. Test Security of Systems and Networks Regularly.
12. Support Information Security with Organizational Policies and Programs.
What do the following sections of the Payment Card Industry Data Security Standard Requirements and Testing Procedures document provide?
The following sections provide detailed guidelines and best practices to assist entities to prepare for, conduct, and report the results of a PCI DSS assessment.
What does PCI DSS Requirement 6 define?
Requirements for the development and maintenance of secure systems and software.
What does the customized approach to meeting a PCI DSS requirement allow entities to do?
The customized approach to meeting a PCI DSS requirement allows entities to define the controls used to meet a given requirement’s stated Customized Approach Objective in a way that does not strictly follow the defined requirement.
What does the Payment Card Industry Data Security Standard Requirements and Testing Procedures document consist of?
This document consists of the 12 PCI DSS principal requirements, detailed security requirements, corresponding testing procedures, and other information pertinent to each requirement.
What happens if any of the requirements contained in the PCI DSS standard conflict with country, state, or local laws?
If any of the requirements contained in this standard conflict with country, state, or local laws, the country, state, or local law will apply.
What happens if the TPSP does not meet the applicable PCI DSS requirements?
If the TPSP does not meet those applicable PCI DSS requirements, then those requirements are also “not in place” for the entity.
What is the first requirement of the PCI DSS?
The first requirement is to install and maintain network security controls.
What is the requirement for audit logs regarding individual user access to cardholder data?
Audit logs capture all individual user access to cardholder data.
What is the requirement for audit logs regarding system components and cardholder data?
Audit logs are enabled and active for all system components and cardholder data.
What is the second requirement of the PCI DSS?
The second requirement is to apply secure configurations to all system components.
What is the third requirement of the PCI DSS?
The third requirement is to protect stored account data.
What must a targeted risk analysis include for each PCI DSS requirement met with the customized approach?
A targeted risk analysis must be performed for each PCI DSS requirement that the entity meets with the customized approach. It must include documented evidence detailing each element specified in Appendix D: Customized Approach, approval of the documented evidence by senior management, and performance of the targeted analysis of risk at least once every 12 months.
What must an entity do if they have an agreement with a TPSP for meeting PCI DSS requirements on behalf of the entity?
Where an entity has an agreement with a TPSP for meeting PCI DSS requirements on behalf of the entity (for example, via a firewall service), the entity must work with the TPSP to make sure the applicable PCI DSS requirements are met.
What should be examined to verify processes are defined for granting user access to query repositories of stored cardholder data, in accordance with Requirement 7.2.6?
Policies and procedures and interviews with personnel.
What should be in place for any technologies that have been determined to no longer meet the organization’s PCI DSS requirements?
A plan to remediate the technology, up to and including replacement of the technology, as appropriate.
When a TPSP provides a service that meets a PCI DSS requirement(s) on the customer’s behalf or where that service may impact the security of the customer’s cardholder data and/or sensitive authentication data, what is it important that customers and TPSPs clearly identify and understand?
The services and system components included in the scope of the TPSP's PCI DSS assessment,
The specific PCI DSS requirements and sub-requirements covered by the TPSP's PCI DSS assessment,
Any requirements that are the responsibility of the TPSP's customers to include in their own PCI DSS assessments, and
Any PCI DSS requirements for which the responsibility is shared between the TPSP and its customers.
Where are the additional PCI DSS requirements for different types of entities located?
The additional PCI DSS requirements for different types of entities are located in Appendix A.
Where can I find more information about PCI DSS requirements for multi-tenant service providers?
Refer to Appendix A1: Additional PCI DSS Requirements for Multi-Tenant Service Providers.
Where do the PCI DSS requirements and testing procedures begin in the document?
The PCI DSS requirements and testing procedures begin on page 43.
Which entities have additional PCI DSS requirements?
Multi-Tenant Service Providers and Entities using SSL/Early TLS for Card-Present POS POI Terminal Connections have additional PCI DSS requirements.
Which PCI DSS requirements are directly affected by the use of SSL/early TLS?
The PCI DSS requirements directly affected are Requirement 2.2.5, Requirement 2.2.7, and Requirement 4.2.1.
Who is responsible for ensuring that software vendors develop bespoke or custom software according to PCI DSS Requirement 6?
Entities that use software vendors to develop bespoke or custom software that could impact the security of their cardholder data and/or sensitive authentication data are responsible for ensuring those software vendors develop the software according to PCI DSS Requirement 6.
Who retains responsibility for ensuring that patches and updates are installed in accordance with PCI DSS requirements?
The entity.
Who retains responsibility for ensuring that software and other changes to system components are implemented into its production environment in accordance with PCI DSS requirements?
The entity.
Why is it important to understand which PCI DSS requirements and sub-requirements TPSPs have agreed to meet?
It is important that the entity understands which PCI DSS requirements and sub-requirements its TPSPs have agreed to meet, which requirements are shared between the TPSP and the entity, and for those that are shared, specifics about how the requirements are shared and which entity is responsible for meeting each sub-requirement.
PCI DSS general
What is the Payment Card Industry Data Security Standard (PCI DSS) designed to do?
The PCI DSS was developed to encourage and enhance payment account data security and facilitate the broad adoption of consistent data security measures globally.
Are we able to help companies get PCI if they don't hold CC data? For example, a warehouse company that has no software and ships out consumables?
Typically, PCI compliance is required based on customer demand, even without holding or processing cardholder data. If the scope is only related to warehouse physical security, Secureframe may not be a good fit. It's recommended to clarify what is expected from customers regarding PCI scope.
Besides environments with payment account data, what else can PCI DSS be used to protect?
PCI DSS can also be used to protect against threats and secure other elements in the payment ecosystem.
Does a PCI-listed P2PE solution completely remove the applicability of PCI DSS in the merchant environment?
No. Although a PCI-listed P2PE solution can significantly reduce the number of applicable requirements, it does not completely remove the applicability of PCI DSS in the merchant environment.
Does the use of a PCI DSS compliant TPSP make an entity PCI DSS compliant?
No, the use of a PCI DSS compliant TPSP does not make an entity PCI DSS compliant, nor does it remove the entity’s responsibility for its own PCI DSS compliance.
Does the use of validated payment software by itself make an entity PCI DSS compliant?
While the use of validated payment software supports the security of an entity’s CDE, the use of such software does not by itself make an entity PCI DSS compliant.
How are hard-copy materials with cardholder data destroyed when no longer needed for business or legal reasons?
Materials are cross-cut shredded, incinerated, or pulped so that cardholder data cannot be reconstructed, and materials are stored in secure storage containers prior to destruction.
How can PCI DSS be enhanced?
PCI DSS may be enhanced by additional controls and practices to further mitigate risks, and to incorporate local, regional, and sector laws and regulations.
How do I determine scoping for PCI DSS compliance?
For PCI DSS scoping, determine if you're a merchant or service provider. Identify if wireless or physical environments (e.g., offices, retail locations) are in scope. Check whether you store cardholder data. Each of these factors affects which PCI DSS requirements are applicable in your environment.
How is all media with cardholder data classified?
All media with cardholder data is classified in accordance with the sensitivity of the data.
How is electronic media with cardholder data destroyed when no longer needed for business or legal reasons?
The electronic media is destroyed, or the cardholder data is rendered unrecoverable so that it cannot be reconstructed.
How is media with cardholder data sent outside the facility secured?
Media sent outside the facility is logged, sent by secured courier or other delivery method that can be accurately tracked, and offsite tracking logs include details about media location.
How often are inventories of electronic media with cardholder data conducted?
Inventories of electronic media with cardholder data are conducted at least once every 12 months.
How often are Security Awareness and Secure Code trainings updated, and can we provide written attestation for auditors (e.g., PCI)?
Secureframe provides Security Awareness and Secure Code training content that organizations can assign to employees as part of their compliance program. There is no fixed or mandated update frequency for these trainings.
It is the organization’s responsibility to periodically review their training content and determine whether it remains appropriate and sufficient for their risk profile, regulatory requirements, and audit scope (including PCI DSS).
If the organization determines that the current training content remains relevant and effective year over year, they may formally document and attest that:
The training content was reviewed
It remains sufficient and applicable
No updates were required during that period
This written internal attestation is typically acceptable for auditors, including during PCI audits, provided it aligns with the organization’s policies and risk assessment practices.
How often is the security of the offline media backup location(s) with cardholder data reviewed?
The security of the offline media backup location(s) with cardholder data is reviewed at least once every 12 months.
If the TPSP does not undergo its own PCI DSS assessment and therefore does not have an AOC, what is the TPSP expected to provide?
The TPSP is expected to provide specific evidence related to the applicable PCI DSS requirements, so that the customer (or its assessor) is able to confirm that the TPSP is meeting those PCI DSS requirements.
If the TPSP has a PCI DSS AOC, what is it expected to do?
If the TPSP has a PCI DSS AOC, it is expected to provide it to customers upon request.
If the TPSP undergoes its own PCI DSS assessment, what is it expected to provide to its customers?
If the TPSP undergoes its own PCI DSS assessment, it is expected to provide sufficient evidence to its customers to verify that the scope of the TPSP’s PCI DSS assessment covered the services applicable to the customer, and that the relevant PCI DSS requirements were examined and determined to be in place.
Is a Terms of Service required for PCI-DSS?
No. PCI DSS does not require a Terms of Service. It focuses on protecting cardholder data, not legal customer agreements. Terms of Service may be applicable to other frameworks like SOC 2 or GDPR.
Is Secureframe an approved scanning vendor (ASV) for PCI DSS?
No, Secureframe is not an Approved Scanning Vendor (ASV) for PCI DSS. We recommend working with one of our vulnerability scanning partners for ASV scans. For a referral, please reach out to partnerships@secureframe.com.
We have a potential workload for a client that would include passing Credit Card numbers/data between two secure endpoints (separate APIs/Databases). However, we are not processing transactions, per se, with any banks or payment services. I'm wondering if we would even need to be PCI certified?
Yes. If you store, process, or transmit cardholder data, you need to be PCI DSS compliant, whether or not you perform the transaction processing with a bank or payment service yourself.
What are Application and System Accounts, according to the PCI DSS Glossary of Terms?
Also referred to as "service accounts." Accounts that execute processes or perform tasks on a computer system or in an application.
What are cardholder data and sensitive authentication data considered as?
Cardholder data and sensitive authentication data are considered account data.
What are Compensating Controls, according to the PCI DSS Glossary of Terms?
See PCI DSS Appendices B and C.
What are Critical Systems, according to the PCI DSS Glossary of Terms?
A system or technology that is deemed by the entity to be of particular importance.
What are examples of non-cloud accounts in PCI?
Local or system-level accounts on internal servers, workstations, or on-premise appliances (e.g., firewalls, routers). These differ from cloud-identity-managed accounts (e.g., Okta or Azure AD).
What are individuals with PCI DSS compliance responsibilities expected to receive?
Individuals with PCI DSS compliance responsibilities should receive specialized training that, in addition to a general awareness of information security, focuses on specific security topics, skills, processes, or methodologies that must be followed for those individuals to perform their compliance responsibilities effectively.
What are Issuing Services, according to the PCI DSS Glossary of Terms?
Examples of issuing services include but are not limited to authorization and card personalization.
What are Least Privileges, according to the PCI DSS Glossary of Terms?
The minimum level of privileges necessary to perform the roles and responsibilities of the job function.
What are Network Security Controls (NSC), according to the PCI DSS Glossary of Terms?
Firewalls and other network security technologies that act as network policy enforcement points.
What are Payment Cards, according to the PCI DSS Glossary of Terms?
For purposes of PCI DSS, any payment card form factor that bears the logo of any PCI SSC Participating Payment Brand.
What are Payment Page Scripts, according to the PCI DSS Glossary of Terms?
Any programming language commands or instructions on a payment page that are processed and/or interpreted by a consumer's browser, including commands or instructions that interact with a page's document object model.
What are some examples of how PCI DSS should be incorporated into BAU activities?
Assigning overall responsibility and accountability for PCI DSS compliance to an individual or team,
Developing performance metrics to measure the effectiveness of security initiatives and continuous monitoring of security controls,
Reviewing logged data more frequently to gain insights to trends or behaviors that may not be obvious with only monitoring,
Ensuring that all failures in security controls are detected and responded to promptly,
Reviewing changes that could introduce security risks to the environment prior to completing the change,
Reviewing the impact to PCI DSS scope and requirements upon changes to organizational structure,
Reviewing external connections and third-party access periodically,
For entities that use third parties for software development, periodically confirming that those software development activities continue to comply with software development requirements in Requirement 6,
Performing periodic reviews to confirm that PCI DSS requirements continue to be in place and personnel follow established processes,
Establishing communication with all impacted parties, both external and internal, about newly identified threats and changes to the organization structure, and
Reviewing hardware and software technologies at least once every 12 months to confirm that they continue to be supported by the vendor and can meet the entity's security requirements, including PCI DSS.
What can a record of all individual access to cardholder data identify?
A record of all individual access to cardholder data can identify which accounts may have been compromised or misused.
What can entities use to document PCI DSS responsibilities?
Entities can document these responsibilities via a matrix that identifies all applicable PCI DSS requirements and indicates for each requirement whether the entity or TPSP is responsible for meeting that requirement or whether it is a shared responsibility.
What can regular reviews of technologies that impact or influence PCI DSS controls assist with?
Purchasing, usage, and deployment strategies.
What can result from the display of full PAN on computer screens, payment card receipts, paper reports, etc.?
The display of full PAN on computer screens, payment card receipts, paper reports, etc. can result in this data being obtained by unauthorized individuals and used fraudulently.
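The two PAN questions above (rendering stored PAN unreadable under Requirement 3.5, and the risk of displaying full PAN) come together in code as follows. This is an added example, not Secureframe or PCI SSC code. It shows the display mask permitted by Requirement 3.4.1 (at most the BIN and last four digits), two of the Requirement 3.5.1 methods for stored PAN (truncation, and a keyed one-way hash as Requirement 3.5.1.1 requires), and a Luhn-filtered scan that finds full PANs that leaked into report or log text. The PAN is a constructed test number, the log lines are constructed, a six-digit BIN is assumed, and the HMAC key is a placeholder that would come from a key management system in a real environment.

```python
"""PAN handling for PCI DSS Requirements 3.4.1 and 3.5.1 (added example).

Not Secureframe or PCI SSC code. SAMPLE_PAN is a constructed test number,
SAMPLE_LOG is constructed, and EXAMPLE_KEY is a placeholder: a real key
belongs in a key management system (Requirements 3.6 and 3.7), not in code.
"""
import hashlib
import hmac
import re

SAMPLE_PAN = "4111111111111111"          # constructed, Luhn-valid test number
EXAMPLE_KEY = b"placeholder-key-from-kms"  # assumption: real key comes from a KMS
BIN_LENGTH = 6                           # assumption: six-digit BIN (eight-digit BINs exist)


def luhn_valid(pan: str) -> bool:
    """True if pan is 13-19 digits and passes the Luhn check digit used by PANs."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_prefix: int = BIN_LENGTH, keep_suffix: int = 4) -> str:
    """Mask a PAN for display (Req 3.4.1).

    The BIN and last four digits are the maximum that may be shown; callers
    may show fewer but this function refuses to show more.
    """
    if not luhn_valid(pan):
        raise ValueError("not a well-formed PAN")
    if keep_prefix > BIN_LENGTH or keep_suffix > 4:
        raise ValueError("Req 3.4.1 allows at most the BIN and last four digits")
    hidden = len(pan) - keep_prefix - keep_suffix
    return pan[:keep_prefix] + "*" * hidden + pan[len(pan) - keep_suffix:]


def truncate_pan(pan: str) -> str:
    """Truncation (Req 3.5.1): the middle digits are discarded, not masked,
    so the full PAN cannot be reconstructed from what is stored."""
    return pan[:BIN_LENGTH] + pan[-4:]


def keyed_hash_pan(pan: str, key: bytes) -> str:
    """Keyed one-way hash of the full PAN (Req 3.5.1.1 requires the hash be keyed).

    An unkeyed hash is not enough: with a known six-digit BIN, a 16-digit PAN
    has ten free digits and one is the check digit, so only about a billion
    candidates exist and a plain SHA-256 table is cheap to build. Also keep
    truncated and hashed forms of the same PAN from being correlated.
    """
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


# Digit runs of PAN length that are not part of a longer number.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def find_unmasked_pans(text: str) -> list[str]:
    """Return Luhn-valid PANs appearing in clear in report or log text.
    Properly masked values contain '*' and never match."""
    return [m.group(0) for m in PAN_CANDIDATE.finditer(text)
            if luhn_valid(m.group(0))]


# Constructed log lines: one leaked PAN, one masked PAN, one long reference
# number that is not Luhn-valid and must not be flagged.
SAMPLE_LOG = (
    "2024-05-01 order=1001 pan=4111111111111111 amount=20.00\n"
    "2024-05-01 order=1002 pan=411111******1111 amount=35.00\n"
    "2024-05-01 order=1003 ref=12345678901234567 amount=9.99\n"
)

if __name__ == "__main__":
    print("display:", mask_pan(SAMPLE_PAN))
    print("stored (truncated):", truncate_pan(SAMPLE_PAN))
    print("stored (keyed hash):", keyed_hash_pan(SAMPLE_PAN, EXAMPLE_KEY))
    print("leaked PANs in log:", find_unmasked_pans(SAMPLE_LOG))
```

The scan is the part worth running against real material: the same regex plus Luhn filter over exported reports, support tickets and application logs is a quick way to confirm that the display controls in Requirement 3.4.1 are actually in effect, since a full PAN in a log file is also stored account data that Requirement 3.5 then applies to.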
What do software vendors to which PCI DSS may be applicable include?
Software vendors to which PCI DSS may be applicable include those offering payment services, as well as cloud service providers offering payment terminals in the cloud, software as a service (SaaS), e-commerce in the cloud, and other cloud payment services.
What do the PCI SSC secure software programs include?
The PCI SSC secure software programs include listings of payment software and software vendors that have been validated as meeting the applicable PCI SSC Software Standards.
What does Account Data consist of, according to the PCI DSS Glossary of Terms?
Account data consists of cardholder data and/or sensitive authentication data.
What does Application include, according to the PCI DSS Glossary of Terms?
Includes all purchased, custom, and bespoke software programs or groups of programs, including both internal and external (for example, web) applications.
What does Cardholder Data (CHD) consist of, according to the PCI DSS Glossary of Terms?
At a minimum, cardholder data consists of the full PAN. Cardholder data may also appear in the form of the full PAN plus any of the following: cardholder name, expiration date and/or service code.
What does cardholder data include?
Cardholder Data includes: Primary Account Number (PAN), Cardholder Name, Expiration Date, and Service Code.
What does executive management assignment of PCI DSS compliance responsibilities ensure?
Executive management assignment of PCI DSS compliance responsibilities ensures executive- level visibility into the PCI DSS compliance program and allows for the opportunity to ask appropriate questions to determine the effectiveness of the program and influence strategic priorities.
What does knowing the PCI DSS compliance status of all engaged TPSPs provide?
Knowing the PCI DSS compliance status of all engaged TPSPs provides assurance and awareness about whether they comply with the requirements applicable to the services they offer to the organization.
What does PCI DSS comprise?
PCI DSS comprises a minimum set of requirements for protecting account data.
What does PCI DSS provide?
PCI DSS provides a baseline of technical and operational requirements designed to protect account data.
What does software that is PCI SSC validated and listed provide?
Software that is PCI SSC validated and listed provides assurance that the software has been developed using secure practices and has met a defined set of software security requirements.
What does the agreement between an entity and a TPSP include regarding PCI DSS responsibilities?
The agreement may include the applicable PCI DSS requirements to be maintained as part of the provided service.
What does the formal definition of specific PCI DSS compliance roles and responsibilities help to ensure?
The formal definition of specific PCI DSS compliance roles and responsibilities helps to ensure accountability and monitoring of ongoing PCI DSS compliance efforts.
What does use of a PCI DSS compliant TPSP not do?
Use of a PCI DSS compliant TPSP does not make a customer PCI DSS compliant, nor does it remove the customer’s responsibility for its own PCI DSS compliance.
What happens if PCI-listed payment software has been customized?
If PCI-listed payment software has been customized, a more in-depth review will be required during the PCI DSS assessment because the software may no longer be representative of the version that was originally validated.
What if this is the customer’s first PCI assessment?
For an entity's first PCI DSS assessment, four passing quarterly scans are not required: a single passing internal vulnerability scan and ASV scan are accepted, as long as the most recent scans are passing and a process is in place for quarterly scanning going forward.
What is a Card Skimmer, according to the PCI DSS Glossary of Terms?
A physical device, often attached to a legitimate card-reading device, designed to illegitimately capture and/or store the information from a payment card.
What is a Cardholder, according to the PCI DSS Glossary of Terms?
Customer to which a payment card is issued, or any individual authorized to use the payment card.
What is a Consumer, according to the PCI DSS Glossary of Terms?
Individual cardholder purchasing goods, services, or both.
What is a Cryptographic Algorithm, according to the PCI DSS Glossary of Terms?
Also referred to as "encryption algorithm." A clearly specified reversible mathematical process used for transforming cleartext data to encrypted data, and vice versa.
What is a Cryptographic Key, according to the PCI DSS Glossary of Terms?
A parameter used in conjunction with a cryptographic algorithm that is used for operations such as: transforming cleartext data into ciphertext data, transforming ciphertext data into cleartext data, computing a digital signature from data, verifying a digital signature computed from data, computing an authentication code from data, or agreeing a shared secret in an exchange.
What is a Data-Flow Diagram, according to the PCI DSS Glossary of Terms?
A diagram showing how and where data flows through an entity's applications, systems, networks, and to/from external parties.
What is a Default Account, according to the PCI DSS Glossary of Terms?
Login account predefined in a system, application, or device to permit initial access when system is first put into service.
What is a Default Password, according to the PCI DSS Glossary of Terms?
Password on system administration, user, or service accounts predefined in a system, application, or device; usually associated with default account.
What is a Firewall, according to the PCI DSS Glossary of Terms?
Hardware and/or software technology that protects network resources from unauthorized access.
What is a Key Custodian, according to the PCI DSS Glossary of Terms?
A role where a person(s) is entrusted with, and responsible for, performing key management duties involving secret and/or private keys, key shares, or key components on behalf of an entity.
What is a Key Management System, according to the PCI DSS Glossary of Terms?
A combination of hardware and software that provides an integrated approach for generating, distributing, and/or managing cryptographic keys for devices and applications.
What is a Legal Exception, according to the PCI DSS Glossary of Terms?
A legal restriction due to a local or regional law, regulation, or regulatory requirement, where meeting a PCI DSS requirement would violate that law, regulation, or regulatory requirement.
What is a Log, according to the PCI DSS Glossary of Terms?
See Audit Log.
What is a Merchant, according to the PCI DSS Glossary of Terms?
For the purposes of the PCI DSS, a merchant is defined as any entity that accepts payment cards bearing the logos of any PCI SSC Participating Payment Brand as payment for goods and/or services.
What is a Multi-Tenant Service Provider, according to the PCI DSS Glossary of Terms?
A type of Third-Party Service Provider that offers various shared services to merchants and other service providers, where customers share system resources (such as physical or virtual servers), infrastructure, applications (including Software as a Service (SaaS)), and/or databases.
What is a Network Connection, according to the PCI DSS Glossary of Terms?
A logical, physical, or virtual communication path between devices that allows the transmission and reception of network layer packets.
What is a Network Diagram, according to the PCI DSS Glossary of Terms?
A diagram showing system components and connections within a networked environment.
What is a Participating Payment Brand, according to the PCI DSS Glossary of Terms?
Also referred to as “payment brand.” A payment card brand that, as of the time in question, is then formally admitted as (or an affiliate of) a member of PCI SSC pursuant to its governing documents.
What is a Password / Passphrase, according to the PCI DSS Glossary of Terms?
A string of characters that serves as an authentication factor for a user or account.
What is a Patch, according to the PCI DSS Glossary of Terms?
Update to existing software to add function or to correct a defect.
What is a Payment Brand, according to the PCI DSS Glossary of Terms?
An organization with branded payment cards or other payment card form factors.
What is a Payment Card Form Factor, according to the PCI DSS Glossary of Terms?
Includes physical payment cards as well as devices with functionality that emulates a payment card to initiate a payment transaction.
What is a Payment Channel, according to the PCI DSS Glossary of Terms?
Methods used by merchants to accept payments from customers.
What is a Payment Page, according to the PCI DSS Glossary of Terms?
A web-based user interface containing one or more form elements intended to capture account data from a consumer or submit captured account data, for purposes of processing and authorizing payment transactions.
What is a PIN Block, according to the PCI DSS Glossary of Terms?
A block of data used to encapsulate a PIN during processing.
What is a Point of Sale System (POS), according to the PCI DSS Glossary of Terms?
Hardware and software used by merchants to accept payments from customers.
What is a Privileged User, according to the PCI DSS Glossary of Terms?
Any user account with greater than basic access privileges.
What is Administrative Access, according to the PCI DSS Glossary of Terms?
Elevated or increased privileges granted to an account for that account to manage systems, networks, and/or applications.
What is AES, according to the PCI DSS Glossary of Terms?
Acronym for “Advanced Encryption Standard.”
What is an account, according to the PCI DSS Glossary of Terms?
Also referred to as “user ID,” “account ID,” or “application ID.” Used to identify an individual or process on a computer system.
What is an Acquirer, according to the PCI DSS Glossary of Terms?
Also referred to as “merchant bank,” “acquiring bank,” or “acquiring financial institution.” Entity, typically a financial institution, that processes payment card transactions for merchants and is defined by a payment brand as an acquirer.
What is an Audit Log, according to the PCI DSS Glossary of Terms?
Also referred to as “audit trail.” Chronological record of system activities.
What is an E-commerce (web) Redirection Server, according to the PCI DSS Glossary of Terms?
A server that redirects a customer browser from a merchant’s website to a different location for payment processing during an e-commerce transaction.
What is an Encryption Algorithm, according to the PCI DSS Glossary of Terms?
See Cryptographic Algorithm.
What is an Issuer, according to the PCI DSS Glossary of Terms?
Also referred to as “issuing bank” or “issuing financial institution.” Entity that issues payment cards or performs, facilitates, or supports issuing services, including but not limited to issuing banks and issuing processors.
What is ANSI, according to the PCI DSS Glossary of Terms?
Acronym for “American National Standards Institute.”
What is Anti-Malware, according to the PCI DSS Glossary of Terms?
Software designed to detect and remove, block, or contain various forms of malicious software.
What is AOC, according to the PCI DSS Glossary of Terms?
Acronym for “Attestation of Compliance.” The AOC is the official PCI SSC form for merchants and service providers to attest to the results of a PCI DSS assessment, as documented in a Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC).
What is ASV, according to the PCI DSS Glossary of Terms?
Acronym for “Approved Scanning Vendor.” Company approved by the PCI SSC to conduct external vulnerability scanning services.
What is Authentication Credential, according to the PCI DSS Glossary of Terms?
Combination of the user ID or account ID plus the authentication factor(s) used to authenticate an individual, device, or process.
What is Authentication Factor, according to the PCI DSS Glossary of Terms?
The element used to prove or verify the identity of an individual or process on a computer system.
What is Authentication, according to the PCI DSS Glossary of Terms?
Process of verifying identity of an individual, device, or process.
What is Authorization, according to the PCI DSS Glossary of Terms?
In the context of access control, authorization is the granting of access or other rights to a user, program, or process.
What is BAU, according to the PCI DSS Glossary of Terms?
Acronym for “Business as Usual.”
What is Bespoke and Custom Software, according to the PCI DSS Glossary of Terms?
Bespoke software is developed for the entity by a third party on the entity’s behalf and per the entity’s specifications. Custom software is developed by the entity for its own use.
What is Card Verification Code, according to the PCI DSS Glossary of Terms?
Also referred to as Card Validation Code or Value, or Card Security Code. For PCI DSS purposes, it is the three- or four-digit value printed on the front or back of a payment card.
What is CERT, according to the PCI DSS Glossary of Terms?
Acronym for “Computer Emergency Response Team.”
What is Change Control, according to the PCI DSS Glossary of Terms?
Processes and procedures to review, test, and approve changes to systems and software for impact before implementation.
What is CIS, according to the PCI DSS Glossary of Terms?
Acronym for “Center for Internet Security.”
What is Cleartext Data, according to the PCI DSS Glossary of Terms?
Unencrypted data.
What is Column-Level Database Encryption, according to the PCI DSS Glossary of Terms?
Technique or technology (either software or hardware) for encrypting contents of a specific column in a database versus the full contents of the entire database.
What is Commercial Off-the-Shelf (COTS), according to the PCI DSS Glossary of Terms?
Description of products that are stock items not specifically customized or designed for a specific customer or user and are readily available for use.
What is Compromise, according to the PCI DSS Glossary of Terms?
Also referred to as “data compromise” or “data breach.” Intrusion into a computer system where unauthorized disclosure/theft, modification, or destruction of cardholder data is suspected.
What is Console, according to the PCI DSS Glossary of Terms?
Directly connected screen and/or keyboard which permits access and control of a server, mainframe computer, or other system type.
What is Cryptographic Key Generation, according to the PCI DSS Glossary of Terms?
Key generation is one of the functions within key management.
What is Cryptographic Key Management, according to the PCI DSS Glossary of Terms?
The set of processes and mechanisms which support cryptographic key establishment and maintenance, including replacing older keys with new keys as necessary.
What is Cryptoperiod, according to the PCI DSS Glossary of Terms?
The time span during which a cryptographic key can be used for its defined purpose.
What is Customized Approach, according to the PCI DSS Glossary of Terms?
See PCI DSS section 8, Approaches for Implementing and Validating PCI DSS.
What is CVSS, according to the PCI DSS Glossary of Terms?
Acronym for “Common Vulnerability Scoring System.”
What is Defined Approach, according to the PCI DSS Glossary of Terms?
See PCI DSS section 8, Approaches for Implementing and Validating PCI DSS.
What is Disk Encryption, according to the PCI DSS Glossary of Terms?
Technique or technology (either software or hardware) for encrypting all stored data on a device (for example, a hard disk or flash drive).
What is DMZ, according to the PCI DSS Glossary of Terms?
Abbreviation for “demilitarized zone.” Physical or logical sub-network that provides an additional layer of security to an organization’s internal private network.
What is DNS, according to the PCI DSS Glossary of Terms?
Acronym for “Domain Name System.”
What is Dual Control, according to the PCI DSS Glossary of Terms?
Process of using two or more separate entities (usually persons) operating in concert to protect sensitive functions or information.
What is ECC, according to the PCI DSS Glossary of Terms?
Acronym for “Elliptic Curve Cryptography.”
What is Encryption, according to the PCI DSS Glossary of Terms?
The (reversible) transformation of data by a cryptographic algorithm to produce cipher text, i.e., to hide the information content of the data.
What is Entity, according to the PCI DSS Glossary of Terms?
In the context of a PCI DSS assessment, a term used to represent the corporation, organization, or business which is undergoing an assessment.
What is File Integrity Monitoring (FIM), according to the PCI DSS Glossary of Terms?
A change-detection solution that checks for changes, additions, and deletions to critical files, and notifies when such changes are detected.
What is File-Level Encryption, according to the PCI DSS Glossary of Terms?
Technique or technology (either software or hardware) for encrypting the full contents of specific files.
What is Forensics, according to the PCI DSS Glossary of Terms?
Also referred to as “computer forensics.” As it relates to information security, the application of investigative tools and analysis techniques to gather evidence from computer resources to determine the cause of data compromises.
What is FTP, according to the PCI DSS Glossary of Terms?
Acronym for “File Transfer Protocol.” Network protocol used to transfer data from one computer to another through a public network such as the Internet.
What is Hashing, according to the PCI DSS Glossary of Terms?
A method to protect data that converts data into a fixed-length message digest.
What is HSM, according to the PCI DSS Glossary of Terms?
Acronym for “hardware security module” or “host security module.” A physically and logically protected hardware device that provides a secure set of cryptographic services, used for cryptographic key-management functions and/or the decryption of account data.
What is IDS, according to the PCI DSS Glossary of Terms?
Acronym for “intrusion-detection system.”
What is Index Token, according to the PCI DSS Glossary of Terms?
A random value from a table of random values that corresponds to a given PAN.
What is Interactive Login, according to the PCI DSS Glossary of Terms?
The process of an individual providing authentication credentials to directly log into an application or system account.
What is IPS, according to the PCI DSS Glossary of Terms?
Acronym for “intrusion prevention system.”
What is ISO, according to the PCI DSS Glossary of Terms?
Acronym for “International Organization for Standardization.”
What is Keyed Cryptographic Hash, according to the PCI DSS Glossary of Terms?
A hashing function that incorporates a randomly generated secret key to provide brute force attack resistance and secret authentication integrity.
What is LAN, according to the PCI DSS Glossary of Terms?
Acronym for “local area network.”
What is LDAP, according to the PCI DSS Glossary of Terms?
Acronym for “Lightweight Directory Access Protocol.”
What is Logical Access Control, according to the PCI DSS Glossary of Terms?
Mechanisms that limit the availability of information or information-processing resources only to authorized persons or applications.
What is MAC, according to the PCI DSS Glossary of Terms?
In cryptography, an acronym for “message authentication code.”
What is Magnetic-Stripe Data, according to the PCI DSS Glossary of Terms?
See Track Data.
What is maintained for all electronic media with cardholder data?
Inventory logs of all electronic media with cardholder data are maintained.
What is Masking, according to the PCI DSS Glossary of Terms?
Method of concealing a segment of PAN when displayed or printed.
What is Media, according to the PCI DSS Glossary of Terms?
Physical material, including but not limited to, electronic storage devices, removable electronic media, and paper reports.
What is MO/TO, according to the PCI DSS Glossary of Terms?
Acronym for “Mail-Order/Telephone-Order.”
What is Multi-Factor Authentication, according to the PCI DSS Glossary of Terms?
Method of authenticating a user whereby at least two factors are verified.
What is NAC, according to the PCI DSS Glossary of Terms?
Acronym for “Network Access Control.”
What is NAT, according to the PCI DSS Glossary of Terms?
Acronym for “Network Address Translation.”
What is NIST, according to the PCI DSS Glossary of Terms?
Acronym for “National Institute of Standards and Technology.”
What is Non-Console Access, according to the PCI DSS Glossary of Terms?
Logical access to a system component that occurs over a network interface rather than via a direct, physical connection to the system component.
What is NTP, according to the PCI DSS Glossary of Terms?
Acronym for “Network Time Protocol.”
What is Organizational Independence, according to the PCI DSS Glossary of Terms?
An organizational structure that ensures there is no conflict of interest between the person or department performing the activity and the person or department assessing the activity.
What is OWASP, according to the PCI DSS Glossary of Terms?
Acronym for “Open Web Application Security Project.”
What is PAN, according to the PCI DSS Glossary of Terms?
Acronym for “primary account number.” Unique payment card number (credit, debit, or prepaid cards, etc.) that identifies the issuer and the cardholder account.
What is PCI DSS, according to the PCI DSS Glossary of Terms?
Acronym for “Payment Card Industry Data Security Standard.”
What is PCI Sensitive Authentication Data?
Sensitive Authentication Data includes the full magnetic stripe data, CAV2, CVC2, CVV2, CID, PINs, and PIN blocks.
What is Phishing Resistant Authentication, according to the PCI DSS Glossary of Terms?
Authentication designed to prevent the disclosure and use of authentication secrets to any party that is not the legitimate system to which the user is attempting to authenticate.
What is Physical Access Control, according to the PCI DSS Glossary of Terms?
Mechanisms that limit the access to a physical space or environment to only authorized persons.
What is PIN, according to the PCI DSS Glossary of Terms?
Acronym for “personal identification number.”
What is POI, according to the PCI DSS Glossary of Terms?
Acronym for “Point of Interaction,” the initial point where data is read from a card.
What is QIR, according to the PCI DSS Glossary of Terms?
Acronym for “Qualified Integrator or Reseller.”
What is the defining factor for cardholder data?
The primary account number (PAN) is the defining factor for cardholder data.
What is the expectation if a TPSP has a PCI DSS Attestation of Compliance (AOC)?
If a TPSP has a PCI DSS Attestation of Compliance (AOC), the expectation is that the TPSP should provide that to customers upon request to demonstrate their PCI DSS compliance status.
What is the first step in preparing for a PCI DSS assessment?
The first step in preparing for a PCI DSS assessment is for the entity to accurately determine the scope of the review.
What is the objective regarding direct unfiltered query access to cardholder data repositories?
Direct unfiltered (ad hoc) query access to cardholder data repositories is prohibited, unless performed by an authorized administrator.
What is the PCI SSC Software Security Framework (SSF)?
PCI SSC supports the use of secure payment software within cardholder data environments (CDE) via the Software Security Framework (SSF), which consists of the Secure Software Standard and the Secure Software Lifecycle (Secure SLC) Standard.
What is the potential consequence if the entity and TPSP do not have a shared understanding of PCI DSS responsibilities?
Without this shared understanding, it is inevitable that the entity and the TPSP will assume a given PCI DSS sub-requirement is the responsibility of the other party, and therefore that sub-requirement may not be addressed at all.
What is the purpose of reviewing the impact of organizational structure changes on PCI DSS?
To ensure controls are in place and active when there are changes to an organization’s structure and management, as these changes could have negative effects on existing controls and frameworks.
What is the version of the Payment Card Industry Data Security Standard document provided?
The version of the Payment Card Industry Data Security Standard document is v4.0.1.
What kind of documents can be found in the PCI SSC document library?
The document library includes PCI DSS Summary of Changes, PCI DSS Quick Reference Guide, Information Supplements and Guidelines, Prioritized Approach for PCI DSS, Report on Compliance (ROC) Reporting Template and Reporting Instructions, Self-Assessment Questionnaires (SAQs) and SAQ Instructions and Guidelines, and Attestations of Compliance (AOCs).
What options does a TPSP have if they did not undergo a PCI DSS assessment?
If the TPSP did not undergo a PCI DSS assessment, it may be able to provide other sufficient evidence to demonstrate that it has met the applicable requirements without undergoing a formal compliance validation. For example, the TPSP can provide specific evidence to the entity’s assessor so the assessor can confirm applicable requirements are met. Alternatively, the TPSP can elect to undergo multiple on-demand assessments by each of its customers’ assessors, with each assessment targeted to confirm that applicable requirements are met.
What options does an entity have if they receive unsolicited cardholder data via an insecure communication channel?
In this situation, the entity can choose to either include the channel in the scope of their CDE and secure it according to PCI DSS or delete the cardholder data and implement measures to prevent the channel from being used for cardholder data.
What should a formal PCI DSS compliance program include?
A formal PCI DSS compliance program is in place that includes definition of activities for maintaining and monitoring overall PCI DSS compliance, including business-as-usual activities; annual PCI DSS assessment processes; processes for the continuous validation of PCI DSS requirements; and a process for performing business-impact analysis to determine potential PCI DSS impacts for strategic business decisions.
What should be done with all media with cardholder data?
All media with cardholder data is physically secured.
What should be done with POI devices that capture payment card data?
POI devices that capture payment card data via direct physical interaction with the payment card form factor are protected from tampering and unauthorized substitution.
What should be examined to verify that all individual user access to cardholder data is logged?
Examine audit log configurations and log data to verify that all individual user access to cardholder data is logged.
What should be examined to verify that all users are assigned a unique ID for access to system components and cardholder data?
Interviews with responsible personnel.
What should entities contact organizations that manage compliance programs (such as payment brands and acquirers) for?
Entities should contact these organizations for more details.
What should granting access to repositories of cardholder data follow?
The same process as all other granted access, meaning that it is based on roles, with only the privileges assigned to each user that are needed to perform their job functions.
What should I include when scoping PCI DSS?
Identify if you're a merchant or service provider, whether cardholder data is stored, whether wireless is in scope, and if there are physical locations.
What should PCI DSS compliance roles and responsibilities be specifically defined and formally assigned to?
PCI DSS compliance roles and responsibilities are specifically defined and formally assigned to one or more personnel, including managing PCI DSS business-as-usual activities, managing annual PCI DSS assessments, managing continuous validation of PCI DSS requirements, and managing business-impact analysis to determine potential PCI DSS impacts for strategic business decisions.
What should responsibility be established by executive management for regarding PCI DSS compliance?
Responsibility is established by executive management for the protection of account data and a PCI DSS compliance program that includes overall accountability for maintaining PCI DSS compliance, defining a charter for a PCI DSS compliance program, and providing updates to executive management and board of directors on PCI DSS compliance initiatives and issues, including remediation activities, at least once every 12 months.
What should the entity’s PCI DSS assessment include?
The entity’s PCI DSS assessment should include verification that the software is properly configured and securely implemented to support applicable PCI DSS requirements.
What type of data would qualify as PCI cardholder data?
Cardholder data includes the full Primary Account Number (PAN), cardholder name, expiration date, and service code. Only the full PAN qualifies; the first 6 or last 4 digits do not.
What will secure payment software implemented in a PCI DSS compliant environment help minimize?
Secure payment software implemented in a PCI DSS compliant environment will help minimize the potential for security breaches leading to compromises of account data and fraud.
When Cardholder Data and/or Sensitive Authentication Data is Accidentally Received via an Unintended Channel, what can the entity choose to do?
Include the channel in the scope of their CDE and secure it according to PCI DSS, or securely delete the data and implement measures to prevent the channel from being used in the future for sending such data.
When does PCI attestation expire?
PCI attestation expires after one year. Companies typically undergo PCI assessments annually to maintain compliance.
When may PCI DSS apply to a payment software vendor?
PCI DSS may apply to a payment software vendor if the vendor is also a service provider that stores, processes, or transmits account data, or has access to their customers’ account data—for example, in the role of a payment service provider or via remote access to a customer environment.
When was the Payment Card Industry Data Security Standard v4.0.1 published?
The Payment Card Industry Data Security Standard v4.0.1 was published in June 2024.
Where are offline media backups with cardholder data stored?
Offline media backups with cardholder data are stored in a secure location.
Where can definitions of PCI DSS terms be found?
Refer to Appendix G for definitions of PCI DSS terms.
Where can I find additional resources to assist with PCI DSS assessments and validations?
The PCI Security Standards Council (PCI SSC) website (https://www.pcisecuritystandards.org/) provides additional resources.
Where can I find definitions of PCI DSS terms?
Refer to Appendix G for definitions of PCI DSS terms.
Where can I find guidance documents and information supplements for PCI DSS?
Refer to the Document Library at https://www.pcisecuritystandards.org/ for information about these and other resources.
Where can information about the use of PCI SSC-validated software and software vendors be found?
See Relationship between PCI DSS and PCI SSC Software Standards on page 7 for information about the use of PCI SSC-validated software and software vendors, and how use of PCI SSC’s software standards may help with meeting controls in Requirement 6.
Who approves all media with cardholder data that is moved outside the facility?
Management approves all media with cardholder data that is moved outside the facility (including when media is distributed to individuals).
Who are TPSPs responsible for demonstrating their PCI DSS compliance to?
TPSPs are responsible for demonstrating their PCI DSS compliance as requested by organizations that manage compliance programs (for example, payment brands and acquirers).
Who decides whether an entity is required to comply with or validate their compliance to PCI DSS?
Whether any entity is required to comply with or validate their compliance to PCI DSS is at the discretion of those organizations that manage compliance programs (such as payment brands and acquirers).
Who is PCI DSS intended for?
PCI DSS is intended for all entities that store, process, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD) or could impact the security of the cardholder data and/or sensitive authentication data.
Who owns the copyright for the Payment Card Industry Data Security Standard v4.0.1?
The PCI Security Standards Council, LLC owns the copyright for the Payment Card Industry Data Security Standard v4.0.1.
Who should get PCI certified?
Merchants and service providers who store, process, or transmit cardholder data, or those who can impact the security of their customers' cardholder data.
Who should I contact for any additional criteria regarding PCI DSS compliance?
Contact those organizations that manage compliance programs (such as payment brands and acquirers) for any additional criteria.
Why should user access to query repositories of cardholder data be restricted?
The misuse of query access to repositories of cardholder data has been a regular cause of data breaches.
SAQ and self-assessment
Can Secureframe help generate my PCI DSS SAQ report (e.g., SAQ-D, SAQ-A, SAQ C-VT)?
Secureframe can assist with helping you meet all the requirements, but Secureframe does not generate SAQ reports.
Customers must download the appropriate SAQ template directly from the PCI Security Standards Council website and complete it independently.
If a customer uses Stripe, does the customer need PCI? SAQ A or A-EP?
Yes, but depending on the services utilized, they can significantly de-scope the PCI engagement. If using a full redirect or iframe to send the customer to Stripe, the PCI requirements will be minimal (see SAQ-A). If they host the form for cardholder data, they must ensure the security of the hosted form and underlying infrastructure (see SAQ-A-EP).
Scope and cardholder data
Can administrative access to the CDE be obtained by using a single authentication factor?
No, administrative access to the CDE cannot be obtained by the use of a single authentication factor.
According to what PCI DSS Requirement must the assessed entity confirm the accuracy of their PCI DSS scope?
The assessed entity must confirm the accuracy of their PCI DSS scope according to PCI DSS Requirement 12.5.2.
How do I determine which PCI DSS requirements are out of scope?
If you don’t store cardholder data or use wireless/physical locations, certain requirements such as Requirements 3 and 9 may be out of scope. Determining PCI scope early is ideal, and our Customer Success Team is happy to assist here.
How does the entity confirm the accuracy of their PCI DSS scope?
By identifying all locations and flows of account data, and identifying all systems that are connected to or, if compromised, could impact the CDE (for example, authentication servers, remote access servers, logging servers) to ensure they are included in the PCI DSS scope.
How is individual physical access to sensitive areas within the CDE monitored?
Individual physical access to sensitive areas within the CDE is monitored with either video cameras or physical access control mechanisms (or both).
How often should PCI DSS scope be documented and confirmed for accuracy?
PCI DSS scope is documented and confirmed for accuracy at least once every three months and upon significant changes to the in-scope environment.
How often should PCI DSS scope be documented and confirmed?
PCI DSS scope should be documented and confirmed by the entity at least once every 12 months and upon significant change to the in-scope environment.
If an internal network is out of scope for PCI DSS, how must it be treated?
If a network is out of scope for PCI DSS, that network must be considered untrusted for PCI DSS.
If cardholder name, service code, and/or expiration date are stored, processed, or transmitted with the PAN, or are otherwise present in the CDE, how must they be protected?
They must be protected in accordance with the PCI DSS requirements applicable to cardholder data.
If remote access is to a part of the entity’s network that is properly segmented from the CDE, is MFA required for remote access to that part of the network?
No, MFA for remote access to that part of the network is not required.
If wireless technology is used to store, process, or transmit account data, or if a wireless local area network (WLAN) is part of or connected to the CDE, what applies and must be performed?
The PCI DSS requirements and testing procedures for securing wireless environments apply and must be performed.
Is encryption alone sufficient to render the cardholder data out of scope for PCI DSS?
Encryption alone is generally insufficient to render the cardholder data out of scope for PCI DSS and does not remove the need for PCI DSS in that environment.
Is segmentation (or isolation) of the CDE from the remainder of an entity’s network a PCI DSS requirement?
No, segmentation (or isolation) of the CDE from the remainder of an entity’s network is not a PCI DSS requirement.
As a service provider, how often should PCI DSS scope be documented and confirmed?
PCI DSS scope should be documented and confirmed by the entity at least once every six months and upon significant change to the in-scope environment.
To be considered out of scope for PCI DSS, how must a system component be segmented?
To be considered out of scope for PCI DSS, a system component must be properly segmented (isolated) from the CDE, such that the out-of-scope system component could not impact the security of cardholder data and/or sensitive authentication data, even if that component was compromised.
What actions should be taken upon the detection of cleartext PAN outside the CDE?
Determine what to do with the data, determine how it ended up outside the CDE and identify its source, identify whether any track data (sensitive authentication data) is stored with the PANs, and remediate the data leaks or process gaps that allowed it.
Which encryption-related systems and encrypted cardholder data are in scope for PCI DSS?
The following are each in scope for PCI DSS:
- Systems performing encryption and/or decryption of cardholder data, and systems performing key management functions
- Encrypted cardholder data that is not isolated from the encryption, decryption and key management processes
- Encrypted cardholder data present on a system or media that also contains the decryption key
- Encrypted cardholder data present in the same environment as the decryption key
- Encrypted cardholder data accessible to an entity that also has access to the decryption key
What are some examples of changes to organizational structure that should trigger a review of PCI DSS scope and applicability of controls?
Company mergers or acquisitions, and significant changes or reassignments of personnel with responsibility for security control.
What are the minimum steps for an entity to confirm the accuracy of their PCI DSS scope?
The minimum steps for an entity to confirm the accuracy of their PCI DSS scope are specified in PCI DSS Requirement 12.5.2.
What brings devices into scope for PCI DSS?
Storing or relocating PAN onto local hard drives, removable electronic media, and other storage devices brings these devices into scope for PCI DSS.
What can have a significant impact on PCI DSS scope?
Changes to systems or networks can have a significant impact on PCI DSS scope.
What code repositories are in scope for PCI DSS assessments?
Code repositories that store application code, system configurations, or other configuration data that can impact the security of cardholder data and/or sensitive authentication data are in scope for PCI DSS assessments.
What could a customer's CDE include in a cloud-based infrastructure?
In a cloud-based infrastructure, such as an infrastructure as a service (IaaS) offering, the customers’ CDE may include virtual network devices and virtual servers that are configured and managed by the customers, including operating systems, files, memory, etc.
What does frequent validation of PCI DSS scope help to ensure?
Frequent validation of PCI DSS scope helps to ensure PCI DSS scope remains up to date and aligned with changing business objectives, and therefore that security controls are protecting all appropriate system components.
What helps ensure that malware residing in both static and dynamic elements of the CDE is addressed?
Using a combination of periodic scans (scheduled and on-demand) and active, real-time (on-access) scanning helps ensure that malware residing in both static and dynamic elements of the CDE is addressed.
What is an important prerequisite to reduce the scope of the CDE?
An important prerequisite to reducing the scope of the CDE is a clear understanding of the business needs and processes related to the storage, processing, and transmission of account data.
What is CDE, according to the PCI DSS Glossary of Terms?
Acronym for "Cardholder Data Environment." The CDE is comprised of: (1) the system components, people, and processes that store, process, or transmit cardholder data and/or sensitive authentication data, and (2) system components that may not store, process, or transmit CHD/SAD but have unrestricted connectivity to system components that do.
What is in scope for PCI?
PCI DSS is concerned with account data: cardholder data (the full PAN, plus the cardholder name, expiration date and service code when present with the PAN) and sensitive authentication data (full track data, card verification codes such as the CVV, and PINs or PIN blocks). Any system component that stores, processes or transmits that data is in scope, as is any system component connected to, or able to impact the security of, those systems. For example, an e-commerce merchant that embeds a payment processor's iframe for card entry still has the web page serving that iframe in scope, because the page can affect the security of the payment form.
What is the cardholder data environment (CDE)?
The cardholder data environment (CDE) consists of the system components, people and processes that store, process or transmit cardholder data and/or sensitive authentication data, together with any system components that have unrestricted connectivity to them. PCI DSS treats it as a more sensitive area within the entity's network that must be isolated from untrusted networks.
What is the impact of an intrusion into the CDE related to time?
The impact of an intrusion into the CDE is, in many ways, a factor of the time that an attacker has in the environment before being detected.
What is the purpose of having documented response procedures for when cleartext PAN is found outside the CDE?
To help identify the necessary remediation actions and prevent future leaks.
What is the purpose of implementing security controls on computing devices that connect to both untrusted networks and the CDE?
Use of security controls such as host-based controls, network-based security controls, or hardware helps to protect devices from Internet-based attacks, which could use the device to gain access to the organization’s systems and data when the device reconnects to the network.
What is the purpose of using mechanisms to detect and prevent unauthorized PAN from leaving the CDE?
To detect and prevent situations that may lead to data loss.
What is the requirement for MFA regarding remote access and CDE connections?
If an individual first connects to the entity’s network via remote access, and then later initiates a connection into the CDE from within the network, the individual would authenticate using MFA twice.
What is the risk of using live PANs outside of protected CDEs?
It provides malicious individuals with the opportunity to gain unauthorized access to cardholder data.
What must be confirmed before expired payment card PANs are excluded from PCI DSS scope?
It is the responsibility of the entity to confirm that PANs are not live, meaning that they are unable to conduct payment transactions or pose fraud risk to the payment system.
What procedures are implemented for authorizing and managing visitor access to the CDE?
Visitors are authorized before entering, visitors are escorted at all times, visitors are clearly identified and given a badge or other identification that expires, and visitor badges or other identification visibly distinguishes visitors from personnel.
What should all traffic inbound to the CDE be evaluated for?
All traffic inbound to the CDE, regardless of where it originates, should be evaluated to ensure it follows established, authorized rules.
What should all traffic outbound from the CDE be evaluated for?
All traffic outbound from the CDE, regardless of the destination, should be evaluated to ensure it follows established, authorized rules.
What analysis should be performed if PAN is found outside the CDE?
If PAN was found outside the CDE, analysis should be performed to 1) determine whether it was saved independently of other data or with sensitive authentication data, 2) identify the source of the data, and 3) identify the control gaps that resulted in the data being outside the CDE.
What should be determined if PAN is found outside the CDE?
Whether it was saved independently of other data or with sensitive authentication data, the source of the data, and the control gaps that resulted in the data being outside the CDE.
What should be included in response procedures for the detection of cleartext PAN outside the CDE?
Procedures for the prompt investigation of alerts by responsible personnel and procedures for remediating data leaks or process gaps.
What should entities consider addressing in their incident response plans regarding compromises of data within the CDE?
Entities should consider how to address all compromises of data within the CDE in their incident response plans, including compromises of account data, wireless encryption keys, and encryption keys used for the transmission and storage of account data or cardholder data.
What should entities consider when PAN is found outside the CDE?
Whether contributory factors, such as business processes, user behavior, improper system configurations, etc., caused the PAN to be stored in an unexpected location.
What should mechanisms for detecting and preventing cleartext PAN from leaving the CDE be configured to do?
They should be actively running, configured to detect and prevent cleartext PAN leaving the CDE, and configured to generate audit logs and alerts upon detection of cleartext PAN leaving the CDE.
What should NSCs do between all wireless networks and the CDE?
NSCs should be installed between all wireless networks and the CDE, regardless of whether the wireless network is itself part of the CDE, so that all wireless traffic into the CDE is denied by default and only wireless traffic with an authorized business purpose is allowed.
What should response procedures include for the detection of attempts to remove cleartext PAN from the CDE?
Procedures for the prompt investigation of alerts by responsible personnel and procedures for remediating data leaks or process gaps.
What should TPSPs provide to their customers to verify the scope of their PCI DSS assessment?
TPSPs should provide sufficient evidence to their customers to verify that the scope of the TPSP’s PCI DSS assessment covered the services applicable to the customer and that the relevant PCI DSS requirements were examined and determined to be in place.
What should wireless networks transmitting PAN or connected to the CDE use?
Wireless networks transmitting PAN or connected to the CDE should use industry best practices to implement strong cryptography for both authentication and transmission.
What software is in scope for an entity’s PCI DSS assessment?
All bespoke and custom software that stores, processes, or transmits account data, or that could impact the security of cardholder data and/or sensitive authentication data, is in scope for an entity's PCI DSS assessment.
What will enable an organization to define the scope of its environment and implement PCI DSS requirements accurately and efficiently?
Maintaining a current list of all system components will enable an organization to define the scope of its environment and implement PCI DSS requirements accurately and efficiently.
When a TPSP provides services that are intended to meet or facilitate meeting a customer’s PCI DSS requirements or that may impact the security of a customer’s cardholder data and/or sensitive authentication data, what are in scope for the customer’s PCI DSS assessments?
The PCI DSS requirements that the TPSP's service meets or facilitates meeting, or that the service may impact, are in scope for the customer's PCI DSS assessment.
When the TPSP provides a service that meets a PCI DSS requirement(s) on the customer’s behalf or where that service may impact the security of the customer’s cardholder data and/or sensitive authentication data, what is in scope for the customer’s assessment?
Those requirements are in scope for the customer's assessment, and the compliance of that service will affect the customer's PCI DSS compliance.
Where can I find additional guidance on PCI DSS scoping and network segmentation?
Refer to [Information Supplement: Guidance for PCI DSS Scoping and Network Segmentation](https://pcisecuritystandards.org/) for additional guidance.
Where can MFA for access into the CDE be implemented?
MFA for access into the CDE can be implemented at the network or system/application level.
Who is considered in scope for PCI? (Employee count)
Any personnel capable of interacting with or impacting the cardholder data or cardholder data environment. It is possible that not all employees at the organization are in scope.
Who needs to implement MFA for all remote access originating from outside the entity’s network that could access or impact the CDE?
The entity must implement MFA for all remote network access originating from outside the entity's network that could access or impact the CDE.
Who needs to implement MFA for non-console access into the CDE?
The entity must implement MFA for all non-console access into the CDE by personnel with administrative access.
Why is the entity’s environment still in scope for PCI DSS?
Because cardholder data is present in it. Controls such as encryption reduce risk but do not by themselves remove the data, or the systems that handle it and its keys, from PCI DSS scope.
Additional customer questions
What can help identify where data needs to be protected?
Understanding how sensitive data is handled by the application—including when stored, transmitted, and in memory—can help identify where data needs to be protected.
If segmentation is used to reduce the scope of the PCI DSS assessment, what must the assessor verify?
If segmentation is used to reduce the scope of the PCI DSS assessment, the assessor must verify that the segmentation is adequate to reduce the scope: that is, that the out-of-scope system components are isolated from the CDE such that they could not impact the security of cardholder data and/or sensitive authentication data even if compromised.
Is this annual confirmation of PCI DSS scope the same as the scoping confirmation performed by the entity’s assessor during the assessment?
No, this activity is not the same, nor is it intended to be replaced by, the scoping confirmation performed by the entity’s assessor during the assessment.
What does the assessor validate for each PCI DSS assessment?
For each PCI DSS assessment, the assessor validates that the entity accurately defined and documented the scope of the assessment.
What is a Payment Processor, according to the PCI DSS Glossary of Terms?
Sometimes referred to as “payment gateway” or “payment service provider (PSP).” Entity engaged by a merchant or other entity to handle payment card transactions on their behalf.
What must the assessor confirm when validating the use of software developed and maintained by a Secure SLC Qualified Vendor to meet PCI DSS Requirement 6.2 and support the Customized Approach for Requirements 6.3 and 6.5?
The assessor must confirm that:
- the software vendor has a current listing on the PCI SSC List of Secure SLC Qualified Vendors,
- the software was developed and is being maintained using the software lifecycle management practices that were assessed as part of the vendor's validation, and
- the entity is following the implementation guidance provided by the Secure SLC Qualified Vendor.
What must the assessor confirm when validating the use of software developed and maintained in accordance with the Secure SLC Standard to meet PCI DSS Requirement 6.2 and support the Customized Approach for Requirements 6.3 and 6.5?
The assessor must confirm that:
- the software lifecycle management practices were assessed by a Secure SLC Assessor and confirmed to meet all Secure SLC Standard requirements, with the results documented in a Secure SLC Report on Compliance (ROC) and Secure SLC Attestation of Compliance (AOC),
- the software was developed and maintained using the software lifecycle management practices covered by the Secure SLC assessment, and
- a full Secure SLC assessment of the software lifecycle management practices was completed within the previous 36 months.
What must the assessor confirm when validating the use of software developed and maintained in accordance with the Secure Software Standard to meet PCI DSS Requirement 6.2.4 and support the Customized Approach for Requirements 6.3 and 6.5?
The assessor must confirm that:
- the secure software assessment was conducted by a Secure Software Assessor and confirmed to meet all requirements in the Secure Software Standard, with the results documented in a Secure Software Report on Validation (ROV) and Secure Software Attestation of Validation (AOV),
- the software was developed and is being maintained using the software lifecycle management practices covered by the Secure Software assessment, and
- a full Secure Software assessment was completed within the previous 36 months.
What are the requirements for roles and responsibilities for performing activities in Requirement 10?
Roles and responsibilities for performing activities in Requirement 10 are documented, assigned, and understood.
What elements are required for roles and responsibilities for performing activities in Requirement 5?
Roles and responsibilities for performing activities in Requirement 5 are documented, assigned, and understood.
What elements are required for roles and responsibilities for performing activities in Requirement 6?
Roles and responsibilities for performing activities in Requirement 6 are documented, assigned, and understood.
What should be done with roles and responsibilities for performing activities in Requirement 9?
Roles and responsibilities for performing activities in Requirement 9 are documented, assigned, and understood.
What should be examined to verify that descriptions of roles and responsibilities for performing activities in Requirement 10 are documented and assigned?
Examine documentation to verify that descriptions of roles and responsibilities for performing activities in Requirement 10 are documented and assigned.
What should be examined to verify that descriptions of roles and responsibilities for performing activities in Requirement 8 are documented and assigned?
Documentation.
What happens if an entity includes a TPSP’s/payment processor’s embedded payment page/form on its webpage?
The entity should expect the TPSP/payment processor to provide evidence that the TPSP/payment processor is meeting the payment page script requirements (Requirement 6.4.3, and the corresponding change-detection Requirement 11.6.1) for that embedded page/form, in accordance with the TPSP's/payment processor's own PCI DSS assessment and Requirement 12.9.
What is expected of the entity and its assessor when using a customized approach?
They agree that the customized control(s) fully meets the customized approach objective, the assessor fully understands the customized control, and the entity understands the derived testing the assessor will perform.
What must the assessor performing an assessment of customized controls do?
Review the entity’s controls matrix(es), targeted risk analysis, and evidence of control effectiveness, derive and document the appropriate testing procedures needed to conduct thorough testing of each customized control, and test each customized control to determine whether the entity’s implementation meets the requirement’s Customized Approach Objective and results in an “in place” finding for the requirement.
What should be examined to verify that access to system components and cardholder data can be uniquely identified and associated with individuals?
Audit logs and other evidence.
What should be examined to verify that the hashing method results in keyed cryptographic hashes of the entire PAN, with associated key management processes and procedures?
Examine documentation about the hashing method used to render PAN unreadable, including the vendor, the type of system or process, and the cryptographic algorithms used (as applicable), together with the associated key management processes and procedures.
What will the Secure SLC Assessor document the results of the assessment in?
Secure SLC Report on Compliance (ROC) and a Secure SLC Attestation of Compliance (AOC).
Who is responsible for scripts in a TPSP’s/payment processor’s embedded payment page/form?
Scripts in the TPSP's/payment processor's embedded payment page/form are the responsibility of the TPSP/payment processor to manage in accordance with the payment page script requirement (Requirement 6.4.3); the entity remains responsible for the scripts on its own page that loads the embedded form.
Where can I find instructions on how to document the required evidence for the customized approach?
See Appendix D: Customized Approach for instructions on how to document the required evidence for the customized approach.