thePCI Portal

Category: PCI DSS

COVID and Compliance (April 27, 2020)

Compliance assessment activities and regular compliance activities (i.e. penetration tests, employee training, etc) may be disrupted during COVID. Retail locations may be closed, staff may be unavailable. Obviously human safety trumps any PCI DSS compliance concerns.  Merchants and QSAs do have questions about compliance in COVID times. We are still awaiting to hear  from the acquirers…

Can switches get updates from the internet and remain PCI compliant?

Assessed entity question:  Can switches get updates from the internet, and remain PCI compliant? QSA’s Sarcastic Question: Where else do patches come from?  🙂  I presume you mean the device actively getting updated from the internet. QSA’s Real Questions: What kind of switches do this? What is the exact mechanism? What is the direction of…

Functionality testing to verify that the change does not adversely impact the security of the system

What are Assessor’s thoughts on requirement 6.4.5.3? 6.4.5.3 Functionality testing to verify that the change does not adversely impact the security of the system. 6.4.5.3.a For each sampled change, verify that functionality testing is performed to verify that the change does not adversely impact the security of the system. Thorough testing should be performed to…

eye on PCI v4

full speed ahead on PCI v4

April 30, 2020:  Assessor Newsletter When will PCI DSS v4.0 will be released? The final version of PCI DSS v4.0 is currently expected in mid-2021. PCI DSS v3.2.1 will remain active for 2 years after PCI DSS v4.0 is released to allow organizations time to transition to the new version. While PCI DSS v4.0 is…

Vulnerability scans are not for req 6.1

Requirement 6.1 is my favourite PCI DSS requirement!  No fancy tools required.  No specialized knowledge.  It can be largely executed by a person on the helpdesk.    And the impact to the overall security posture organization can be huge.  More than that expensive network appliance.  More than that fancy SIEM.  More than that overpriced vulnerability…

PCI compliance and big P Politics

What is behind MPI’s decision to stop the acceptance of preauthorized credit card payments? Politics? Lobbyists? Pressure from the broker association? Lucrative broker commission payments? Maybe according to the Winnipeg Free Press. Saving money?  Apparently, but the savings are coming from the reduced scope of PCI DSS compliance by eliminating cardholder data storage (according to CBC reporting). …

The upcoming revision to the data security standard, version 4

The Council has a blog post about the upcoming revision to the data security standard, version 4. While talking about version 4, the council has specifically identified the following industry feedback related to the DSS: Authentication, specifically consideration for the NIST MFA/password guidance Broader applicability for encrypting cardholder data on trusted networks Monitoring requirements to…