Frequently Asked Questions

< Back to search page

Does Requirement 3.4 apply to mainframes?

FAQ Response

Requirement 3.4 of the PCI DSS applies to mainframes that store cardholder data. If the company has legitimate business or technical constraints to meet this or any other requirement, compensating controls may be applied. Compensating controls must be commensurate with additional risk imposed by not adhering to the original requirement. Please refer to Appendices B and C of the PCI DSS for more information on the use of compensating controls.

March 2009
Article Number 1093