The PCI Security Standards Council (PCI SSC) released a targeted update to the Payment Card Industry Data Security Standard (PCI DSS) in June 2024. PCI DSS 4.0.1 offers a sigh of relief for compliance professionals, focusing on clarity and addressing industry feedback received since version 4.0 launched in 2022. While not a comprehensive overhaul, this…
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to safeguard sensitive cardholder data. Every few years, the PCI Security Standards Council releases updated standards to reflect the evolving threat landscape. The upcoming version, PCI DSS v4.0, will be in effect by March 31, 2025, and it strengthens protections…
The landscape of credit card fraud is constantly evolving, with criminals devising increasingly sophisticated methods to steal customer financial information. For merchants, these evolving threats pose a significant challenge, demanding a proactive approach to data security. Two particularly concerning methods are credit card skimming and shimmering, both capable of compromising sensitive information and eroding customer…
This article is the third and final installment in our series on PCI DSS version 4.0 requirement 6.3.1, which focuses on the identification and management of vulnerabilities. As one of the most complex and frequently misunderstood PCI DSS requirements, 6.3.1 significantly influences compliance programs, being referenced in ten other requirements. In parts one and two,…
In the context of PCI DSS 4.0, targeted risk assessments involve a systematic and detailed evaluation of potential threats and vulnerabilities related to the processing, storage, or transmission of cardholder data. These assessments aim to identify, measure, and prioritize risks an organization might face, helping define strategies to mitigate them. Unlike previous versions of PCI…
In 2018, Marriott experienced a massive data breach. For years, the hotel chain defended itself by asserting that it had used strong encryption (AES-128) during the breach. However, during an April 10 hearing, Marriott’s attorneys admitted that they had never used AES-128 at the time. Instead, they had employed the less secure Secure Hash Algorithm…
March is upon us and so is the looming PCI DSS 4.0 compliance deadline. In just a few short weeks, the previous PCI Data Security Standard (version 3.2.1) will be officially retired and a multitude of new requirements of PCI DSS 4.0 will need to be implemented. Do you have questions regarding the transition to…
The blog post was written by a friend and former co-worker you may know as the PCI Guru, he discusses a notable change in the Payment Card Industry Data Security Standard (PCI DSS) Report On Compliance (ROC) Reporting Template, specifically in version 4.0. He highlights a shift in the template’s language, emphasizing the need for…
Reposted from PCI Website. Service providers cannot use SAQ eligibility criteria to determine the applicability of PCI DSS requirements for assessments documented in a Report on Compliance. The only acceptable SAQ for service providers is SAQ D for Service Providers. All other SAQs are intended for merchant use only. Merchants with environments that fully meet all…
This article is meant to call out some of the items some companies or people might not understand about the ASV program. Most of the content is directly from the program guide that can be found on the PCI Councils website. This is in no way a full description of the program guide or a…
