When looking at the key success criteria for any PCI compliance programme, there is no disputing the importance attached to accurately scoping the cardholder data environment (CDE). Within this blog, we are not going to delve into the murky depths of why a network component may be in or out-of-scope (thank goodness I hear you say), […]
Vulnerability assessment – Penetration testing, can things go wrong? There seems to be a market trend to offer a vulnerability assessment and package it as a penetration testing exercise. Both are security controls in ISO/IEC 27001: 2013 Annex A and both have distinct purpose and deliverables. In addition, they both feature quite heavily within the […]
Benefits of PCI DSS Compliance In recent blogs, we have focused on how best to ensure you comply with the PCI Data Security Standard. However, this week we will look at what the benefits are of achieving and maintaining compliance….aside from meeting your contractual obligations! As a rule, all organisations that store, process or […]
Policies, Procedures and Evidence While it’s one of the areas that IT and security departments find challenging, documentation (and compliant evidence) is what makes for a happy and satisfied PCI Qualified Security Assessor (QSA), and, more importantly, a successful PCI compliance audit! Successful compliance programmes invariably depend on the accurate and consistent recording of events and the […]
As a Payment Card Industry Qualified Security Assessor (PCI QSA) company, we are often asked by organisations which process card payments what are main pitfalls to avoid in complying with the Payment Card Industry Data Security Standard (PCI DSS). Well, here’s our top five (5) pitfalls to avoid if your organisation is looking achieve or […]
There’s no getting away from the fact that preparing for a PCI DSS ROC can be a bit of a trial, and particularly for those who are experiencing their first visit from a QSA. Like most trials, the good news is that future visits do get easier as your infrastructure gets up to spec. That […]
In our last blog we addressed merchants, so this time we turn to service providers. A service provider is defined as a ‘business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data. This also includes companies that provide services that control or could impact the security […]
We are often asked, both by those new to PCI DSS and those who have been involved for a while, what is the difference between a merchant and a service provider, what are the ‘levels’ and what do they really mean? Are the levels based on individual transactions, overall value or by card brand? And […]
Section 8.2.4 of the PCI DSS v3.2.1 specifies that passwords must be changed at least once every 90 days. In our day-to-day PCI DSS consultancy work, we are frequently asked whether there is any flexibility in extending the period when passwords need to be changed and whether ‘compensating controls’ can be used. The argument often […]
