thePCI Portal

Preparing for reopening

Below is guidance from manufacturers and resellers on how to clean and sanitize your point of interaction (POI) devices. “Wet” covers that are more easily cleaned may seem like a great idea, but everyone else has the same idea and you will find the products backlogged at the moment. Poster for how to clean…

COVID and Compliance (April 27, 2020)

Compliance assessment activities and regular compliance activities (e.g., penetration tests, employee training, etc.) may be disrupted during COVID. Retail locations may be closed, and staff may be unavailable. Obviously, human safety trumps any PCI DSS compliance concerns. Merchants and QSAs do have questions about compliance in COVID times. We are still waiting to hear from the acquirers…

Data Flow Diagrams

The Report on Compliance suggests that cardholder data-flow diagrams may also be included as a supplement to the description of how cardholder data is transmitted and/or processed. Regardless, they are a great way to communicate and document the CDE and PCI DSS scope. FAQ Article Number 1178 from February 2011 … An important prerequisite to reduce…

Can switches get updates from the internet and remain PCI compliant?

Assessed entity question: Can switches get updates from the internet, and remain PCI compliant? QSA’s sarcastic question: Where else do patches come from? 🙂 I presume you mean the device actively getting updated from the internet. QSA’s real questions: What kind of switches do this? What is the exact mechanism? What is the direction of…

Critical Cybersecurity Hygiene project “Patching the Enterprise”

What is the Critical Cybersecurity Hygiene project “Patching the Enterprise”? The objective of this project is to demonstrate a proposed approach for improving enterprise patching practices for general IT systems. Commercial and open-source tools will be used to aid with the most challenging aspects of patching, including system characterization and prioritization, patch testing, and…