Never Rest on Your Laurels

Almost four years ago the Payment Card Industry Data Security Standard (PCI DSS) version 3.2 was introduced, and it has only received a minor revision, to version 3.2.1, since. Add to that, some companies have been assessed by the same assessors for years on end, and both the assessed and the assessors could become complacent, feeling they know …

Guidance to Remain PCI Compliant After Making Changes to Your IT Infrastructure

One of the most avoidable PCI failures we see time and again is the lack of follow-up after a significant change. What happens is you make a change to your infrastructure, resume processing, and move on with the newly changed environment in its new configuration. Months later, your Qualified Security Assessor (QSA) walks in and asks, “Did you perform due …

PCI DSS – Frequently Asked Questions

So, you’re working on your first Self-Assessment Questionnaire (SAQ) and you get stuck. Up until this point, it’s gone pretty well: you talked to your acquiring bank, downloaded the right form they told you to, and you have the right people pulled together from your company to answer the requirements, but you’re stuck. Where do …

PCI-DSS version 4.0: Impacts to an Organization

The next version of the PCI-DSS is a long time coming. The majority of current PCI controls in version 3.2.1 are 10 years old or older. Year to year the standard itself has changed very little, and version 3.0, released in 2015, has changed minimally in the last 5 years. The PCI-DSS v4.0 was released to PCI SSC stakeholders …

Guidance for PCI Assessments During COVID-19

One of the challenges of information security and compliance is dealing with evolving requirements. The current COVID-19 pandemic has further added complexity to how we operate and maintain secure payment systems. Not only do we have technical and administrative controls to manage and maintain, but we also must address public health and safety concerns …