FAQ Evolution Global Security Company
Each of PCI SSC’s founding payment brand members (American Express, Discover, JCB International, MasterCard and Visa) currently has its own PCI compliance program for the protection of its affiliated payment card account data. Entities should contact the payment brands directly for information about their compliance programs. Contact details for the payment brands can be found in the FAQ “How do I contact the payment card brands?”

PCI DSS requirements apply wherever account data is stored, processed, or transmitted. While PCI DSS does not explicitly reference the use of VoIP, VoIP traffic that contains cardholder data is in scope for applicable PCI DSS controls, in the same way that other IP network traffic containing cardholder data would be.

The intent of “quarterly” vulnerability scans, as defined in PCI DSS Requirement 11.2, is to have them conducted as close to three months apart as possible, to ensure vulnerabilities are identified and addressed in a timely manner. To meet this requirement, an entity must complete its internal and external scans, and perform any required remediation, every three months.

No. The only documentation recognized for PCI DSS validation is the set of official documents from the PCI SSC website. Any other form of certificate or documentation issued for the purpose of illustrating compliance with PCI DSS or any other PCI standard is not authorized or validated, and its use is not acceptable for evidencing compliance. The use of certificates or other non-authorized documentation to validate PCI DSS Requirement 12.8 and/or Requirement 12.9 is also not acceptable.

Any cardholder data that is stored, processed, or transmitted must be protected in accordance with PCI DSS. If faxes are sent or received via modem over a traditional PSTN phone line, they are not considered to be traversing a public network. On the other hand, if a fax is sent or received via the Internet, it is traversing a public network and must be encrypted per PCI DSS Requirement 4.1. Any systems – such as fax servers or workstations – that the cardholder data passes through must be secured according to PCI DSS. Also, any cardholder data from the fax that is electronically stored must comply with PCI DSS Requirement 3.4, which requires the cardholder data to be rendered unreadable. If the fax system is combined with an email system (for example, via a fax-to-email gateway), the emails are also subject to Requirement 4.2. (Refer to FAQ #1085, “Can unencrypted PANs be sent over e-mail, instant messaging, SMS, or chat?”)

PCI DSS applies to any primary account number (PAN), including active, expired, or cancelled PANs, except where the organization can provide documentation confirming that the PAN is inactive or otherwise disabled and no longer poses a fraud risk to the payment system. If, however, the PAN is later reactivated, PCI DSS applies again.