Frequently Asked Questions

< Back to search page

Can PCI DSS be used to protect non-payment card data?

FAQ Response

PCI DSS provides a solid baseline of security requirements that can be used to protect non-payment card data. However, entities should consult with the applicable regulatory body and/or the data owner, as appropriate, to understand the suitability of using PCI DSS requirements to protect the data in question.

August 2016
Article Number 1437

Does a QSA need to be onsite at the client’s premises for all aspects of a PCI DSS assessment?

If a merchant develops an application that runs on a consumer’s device (e.g. smartphone, tablet, or laptop) that is used to accept payment card data, what are the merchant’s obligations regarding PCI DSS and PA-DSS for that application?

What are acceptable formats for truncation of primary account numbers?

What is the role of acquirers and assessors in determining the applicability of PCI DSS requirements for a merchant’s PCI DSS assessment?

Can SAQ eligibility criteria be used for determining applicability of PCI DSS requirements for onsite assessments?

Frequently Asked Questions

Can PCI DSS be used to protect non-payment card data?

Related Articles