We’ve regularly written about maintaining security and compliance with third-party vendors. While vendors and managed service providers are a crucial part of digital economies, it’s up to the client businesses to ensure they work with vendors that meet their needs. Following previous discussions of third-party vendor security under standards like SOC 2 and HIPAA, we’re… Read More
Understanding GDPR in the Financial Sector
When considering security and finance, we typically consider regulations like PCI DSS, SOX, or FINRA. But if you’re a company doing business in Europe, there’s another framework you need to consider–GDPR. This set of regulations not only governs the exchange of consumer data but also has a massive impact on how financial organizations navigate commerce… Read More
Introduction to Targeted Risk Analysis (TRA) in PCI DSS 4.0
The Payment Card Industry Security Standards Council (PCI SSC) recently released a new document guiding targeted risk analysis. This approach to security is a cornerstone of the PCI DSS 4.0 update, and yet, for many businesses, this is something new that they may need help understanding. This article will discuss Targeted Risk Analysis, its role… Read More
Implementing SOC 2 Requirements for Cloud Environments
SOC 2 compliance provides a structured approach to ensuring data security, availability, and processing integrity, among other aspects. This article will dive into the specifics of SOC 2 and its impact on cloud security, shedding light on the technical controls, best practices, and the vital role of third-party attestations in bolstering trust between service providers… Read More
An Introduction to PCI DSS’s Secure Software Life Cycle
Digital payments are, for the most part, the norm for commerce in the modern world. From swiping credit cards, tapping phones, or using credit card information in digital storefronts, a lot of payment information is moving through digital networks… and potentially insecure technologies. This is why credit card networks created the PCI DSS standard to… Read More
Timeline for PCI DSS 4.0: The Twelfth Requirement, Policies, and Programs
So, after a long journey, we’ve arrived at the twelfth and final requirement for PCI DSS 4.0. Last but certainly not least, this requirement emphasizes the need for creating, documenting, and implementing organization-wide security and compliance policies.
PCI DSS 4.0 Timeline: The Eleventh Requirement and System Testing
System security is one task of many in organizations focused on compliance, one that requires continuous monitoring and diligence to ensure its success. One of the more critical aspects of compliance requirements like PCI DSS 4.0 is ongoing testing of system and network components. What does that process look like for companies in the payment… Read More
Timeline for PCI DSS 4.0: The Tenth Requirement and System Monitoring
As we move through the requirements for PCI DSS 4.0, we’re coming up to the double digits, which means some more advanced expectations. Namely, the tenth requirement focuses on system logging and monitoring for systems containing cardholder data. The maintenance of audit logs is about more than automatically recording data about system events. Your system… Read More
Timeline for PCI DSS 4.0: The Ninth Requirement and Physical Access Security
When thinking about cybersecurity, many stakeholders outside the industry will rarely consider the physical systems supporting digital information. And yet, almost any security framework worth its salt will have some provision for securing physical systems and environments. PCI DSS 4.0 is no different, and the ninth requirement is dedicated to just this topic. This article… Read More
What Is Authentication in the Retail and Finance Industry?
In the financial industry, fraud is a natural and ever-present challenge. Digital banking and international finance have only compounded this problem, and anti-money laundering and fraud laws in the U.S. have evolved to address these issues. In modern times, the overlap of identity management, authentication, and identity assurance has led to more comprehensive forms of… Read More
Timeline for PCI DSS 4.0: The Seventh Requirement and System Access
As we work through the requirements of PCI DSS, we’ve run into several calls for securing data against “unauthorized users.” Operationally, this makes sense–cardholder data should be protected against use or viewing by people that don’t have a reason to do so. However, any effective IT security system must have a method to ensure that… Read More
Timeline for PCI DSS 4.0: The Sixth Requirement and Maintaining Secure Systems
Software, whether a locale installation or a web application, carries the risk of attack. While phishing and other social engineering attacks are some of the most common forms of a system breach, hackers still go for open vulnerabilities in software, whether due to bugs or misconfigured settings. That’s why the sixth requirement of the PCI… Read More
Timeline for PCI DSS 4.0: The Fifth Requirement and Malicious Software
Malware is an ever-present, if sometimes forgotten, threat to our IT systems. We tend to think that anti-malware and other security measures have effectively blocked out the threats of old worms and viruses. The real threat is against network and application security. However, hackers always look to launch malware into compromised systems to listen, learn,… Read More
Timeline for PCI DSS 4.0: The Fourth Requirement and In-Transit Encryption
As we move through the requirements of PCI DSS 4.0, we’ve reached the point where the standard specifies what it means to protect data as it moves through and outside of private and public networks. Encryption seems like a no-brainer, but in many cases, organizations have no idea how to manage their encryption approach properly.… Read More
Timeline for PCI DSS 4.0: The Third Requirement and Protecting Stored Data
While having only 12 requirements might make PCI DSS seem like a simple standard, each requirement is incredibly important and, if you aren’t paying attention, can specify practices you aren’t implementing. In the case of the third requirement, this could mean that you’re not actually protecting the most critical data that is in your possession–that… Read More
Protecting PAN According to PCI DSS Rules
It’s crucial that any company handling consumer cardholder information, including card numbers, protect that information from any and every unauthorized user. The PCI Security Standards Council has determined that to promote security and usability, it’s not enough to secure a system perimeter and encrypt data. Instead, companies have to approach data obfuscation through a series… Read More
Three Examples of PCI DSS Non-Compliance and What You Can Learn from Them
The public and private sectors have been increasingly under assault by hackers looking to take information–whether for espionage, blackmail, or profit. And while some of the past few years’ high-profile government and industrial attacks have been at the center of many cybersecurity stories, the reality is that hacks in the retail and consumer spaces have… Read More
Timeline for PCI DSS 4.0: The First Requirement and Best Practices for Network Security Controls
PCI DSS compliance is verifying that your systems, those that handle personal and cardholder information, meet all the expectations of the 12 requirements of the standard. These requirements describe security and privacy controls to protect against modern threats and vulnerabilities and call for both attention to implementing controls and maintaining long-term best practices. The best… Read More
Timeline for PCI DSS 4.0 Compliance – First Steps
As we’ve been writing, PCI DSS 4.0 is upon us. We’ve discussed some of the broader changes around the newer versions, but we have yet to dig deeper into the timeline for version 4.0. This article will discuss the preliminary steps you can take to prepare for the update. With a focus on understanding your… Read More
What Are PCI DSS Future-Dated Requirements?
The good news? PCI DSS 4.0 is out, but the adoption schedule for the new standard is quite generous. The better news? The PCI Security Council has decided to implement a tiered approach to adoption. The first will finalize when the previous version (3.2.1) is officially retired in 2024. The second, known as the “future… Read More
What Is Sampling in PCI DSS Assessment?
A significant part of any security framework is the assessment. Different frameworks require different types of assessments, from self-managed diagnostics to extensive and annual third-party audits. PCI DSS is no different, requiring annual compliance validation for all relevant systems. The nature of these assessments may vary depending on the company and are beyond the scope… Read More
PCI DSS and Customized Approach Validation
With the new PCI DSS 4.0 updates now public, payment processors and security experts are examining some of the latest changes. One of the changes we’ve noticed (and one that will most likely make a massive difference for assessments) is the inclusion of customized approaches to PCI DSS assessment. This evolution of compensating controls in… Read More
What Are Encryption Requirements for PCI DSS?
The newest version of PCI DSS (4.0) is out, and companies are asking about the new requirements. Some of these requirements apply to PCI DSS encryption, and while there are changes, many of the standards of 3.2.1 are still the lay of the land. Learn more about PCI DSS encryption and how it’s shifting in… Read More
What’s New in PCI DSS 4.0?
On March 31, 2022, the Payment Card Industry (PCI) Security Standards Council released version 4.0 of the Data Security Standard (DSS), updating what has been a long-running standard that needed some refreshing based on the newest technologies on the market. The increased focus on eCommerce and reliance on mobile devices has introduced several major security… Read More