PCI Data Security Standards (PCI DSS) is a set of standards developed and maintained by the PCI SSC and were designed for the security of the cardholder data environments that process, store, or transmit account data.

Frequently Asked Questions

  • PCI
  • What's PCI DSS?

    PCI Data Security Standards (PCI DSS) is a set of standards developed and maintained by the PCI SSC and were designed for the security of the cardholder data environments that process, store, or transmit account data. This also includes systems that could affect the security of the cardholder data environment. These standards are referred to as requirements and apply to all entities involved in payment card processing including merchants, processors, acquirers, issuers, and service providers as well as all other entities that store, process, or transmit cardholder data and/or sensitive authentication data. PCI DSS compliance validation is required every 12 months.

  • When will PCI DSS v4.0 be released?

    PCI SSC is now targeting a Q1 2022 publication date for PCI DSS v4.0. This timeline supports the inclusion of an additional request for comments (RFC) for the community to provide feedback on the PCI DSS v4.0 draft validation documents.

  • When will the Self-Assessment Questionnaires (SAQs) be updated?
    Training for QSAs and ISAs to be able to support PCI DSS v4.0 is targeted for June 2022.
  • How much time will organizations have to implement v4.0 once it is published?

    To support this transition, PCI DSS v3.2.1 will remain active for 18 months once all PCI DSS v4.0 materials—that is, the standard, supporting documents (including SAQs, ROCs, and AOCs), training, and program updates—are released.

    This transition period allows organizations time to become familiar with the changes in v4.0, update their reporting templates and forms, and plan for and implement changes to meet updated requirements. Upon completion of the transition period, PCI DSS v3.2.1 will be retired and v4.0 will become the only active version of the standard.

  • I’d like to participate in the next PCI DSS v4.0 RFC. How can I participate?

    Any organization can become a Participating Organization. In addition to providing feedback on draft PCI Security Standards, the benefits of becoming a Participating Organization include the ability to propose, vote for and participate in Special Interest Groups, attend annual PCI SSC Community meetings with two complimentary passes, and demonstrate to your customers and business partners your commitment to payment security. Read more about the full benefits and how to become a PO here. (https://www.pcisecuritystandards.org/get_involved/participating_organizations)

  • What can our organization do now to prepare for PCI DSS v4.0?

    While PCI DSS v4.0 is under development, we encourage all entities to remain diligent and maintain their PCI DSS v3.2.1 security controls. Not only will this help ensure continued security, but this will facilitate the transition to PCI DSS v4.0.

    Organizations that have had access to early drafts are strongly urged to wait until the final version of PCI DSS v4.0 is released before trying to implement any new or updated requirements. The RFC versions are draft only, and the standard will be different in the final released version.

  • Why does payment security matter?
    • Security of cardholder data affects everyone • A breach or theft of cardholder data can trigger large financial loss • Compromised cardholder data can impact the entire payment ecosystem • Following PCI Standards will improve cardholder data security and help reduce fraud
  • Who Follows PCI Standards?

    Compliance with the PCI Data Security Standard and other applicable PCI Standards may be necessary for entities that store, process or transmit cardholder data. PCI Standards are for entities accepting or processing payment transactions, and for software developers and manufacturers of applications and devices used in those transactions.

  • Who’s in Charge of Compliance?

    Compliance and enforcement of PCI Standards is the role of the payment brands and acquiring banks, not the PCI SSC. Each of PCI SSC’s participating payment brand members currently has their own PCI compliance programs for the protection of their affiliated payment card account data. Entities should contact the payment brands directly for information about their compliance programs.

  • What is the difference between masking and truncation?

    Masking is not synonymous with truncation and these terms cannot be used interchangeably. Masking refers to the concealment of certain digits during display or printing, even when the entire PAN is stored on a system. This is different from truncation, in which the truncated digits are removed and cannot be retrieved within the system. Masked PAN could be “unmasked”, but there is no "un-truncation" without recreating the PAN from another source.






    Payment Card Industry (PCI) Awareness training is for anyone interested in learning more about PCI – especially people working for organizations that must comply with PCI Data Security Standard (PCI DSS). By promoting employee awareness of security, organizations can improve their security posture and reduce risk to cardholder data.

    Read more






    “‘Complying with the complex PCI-DSS…”

    Complying with the complex PCI-DSS can be quite simple through a tactic called descoping. The PCI-DSS considers any person, system, or piece of technology that touches cardholder data (CHD) as in scope. To simplify compliance, companies should look for opportunities to remove these entities from PCI-DSS scope (descoping) by ensuring...

    Read more


    Titania Nipper

    Nipper can automate the assessment of 49 of the 56 testing procedures of the PCI DSS requirements that relate to core network devices - highlighting where you can save valuable time when determining PCI compliance.

    Read more

    Welcome Back!

    Login to your account below

    Retrieve your password

    Please enter your username or email address to reset your password.

    Add New Playlist