Introduction to Targeted Risk Analysis (TRA) in PCI DSS 4.0

The Payment Card Industry Security Standards Council (PCI SSC) recently released a new document guiding targeted risk analysis. This approach to security is a cornerstone of the PCI DSS 4.0 update, and yet, for many businesses, this is something new that they may need help understanding.  This article will discuss Targeted Risk Analysis, its role… Read More

PCI DSS 4.0 Timeline: The Eleventh Requirement and System Testing

System security is one task of many in organizations focused on compliance, one that requires continuous monitoring and diligence to ensure its success. One of the more critical aspects of compliance requirements like PCI DSS 4.0 is ongoing testing of system and network components.  What does that process look like for companies in the payment… Read More

Timeline for PCI DSS 4.0: The Tenth Requirement and System Monitoring

As we move through the requirements for PCI DSS 4.0, we’re coming up to the double digits, which means some more advanced expectations. Namely, the tenth requirement focuses on system logging and monitoring for systems containing cardholder data.  The maintenance of audit logs is about more than automatically recording data about system events. Your system… Read More

Timeline for PCI DSS 4.0: The Ninth Requirement and Physical Access Security

When thinking about cybersecurity, many stakeholders outside the industry will rarely consider the physical systems supporting digital information. And yet, almost any security framework worth its salt will have some provision for securing physical systems and environments. PCI DSS 4.0 is no different, and the ninth requirement is dedicated to just this topic. This article… Read More

Timeline for PCI DSS 4.0: The Eighth Requirement and Strong Authentication

Moving through the requirements of PCI DSS 4.0, we’re well over halfway through. During this journey, we’ve touched on cryptography, security and perimeter management, network security, authorization, and other critical security considerations. Now, we come up against the authentication and identity management problem with the eighth requirement.  Authentication isn’t simply about passwords and CAPTCHAs, however.… Read More

Timeline for PCI DSS 4.0: The Seventh Requirement and System Access

As we work through the requirements of PCI DSS, we’ve run into several calls for securing data against “unauthorized users.” Operationally, this makes sense–cardholder data should be protected against use or viewing by people that don’t have a reason to do so. However, any effective IT security system must have a method to ensure that… Read More

Timeline for PCI DSS 4.0: The Sixth Requirement and Maintaining Secure Systems

Software, whether a locale installation or a web application, carries the risk of attack. While phishing and other social engineering attacks are some of the most common forms of a system breach, hackers still go for open vulnerabilities in software, whether due to bugs or misconfigured settings. That’s why the sixth requirement of the PCI… Read More

Timeline for PCI DSS 4.0: The Fifth Requirement and Malicious Software

Malware is an ever-present, if sometimes forgotten, threat to our IT systems. We tend to think that anti-malware and other security measures have effectively blocked out the threats of old worms and viruses. The real threat is against network and application security. However, hackers always look to launch malware into compromised systems to listen, learn,… Read More

Timeline for PCI DSS 4.0: The Fourth Requirement and In-Transit Encryption

As we move through the requirements of PCI DSS 4.0, we’ve reached the point where the standard specifies what it means to protect data as it moves through and outside of private and public networks.  Encryption seems like a no-brainer, but in many cases, organizations have no idea how to manage their encryption approach properly.… Read More

Timeline for PCI DSS 4.0: The Third Requirement and Protecting Stored Data

While having only 12 requirements might make PCI DSS seem like a simple standard, each requirement is incredibly important and, if you aren’t paying attention, can specify practices you aren’t implementing. In the case of the third requirement, this could mean that you’re not actually protecting the most critical data that is in your possession–that… Read More

Three Examples of PCI DSS Non-Compliance and What You Can Learn from Them

The public and private sectors have been increasingly under assault by hackers looking to take information–whether for espionage, blackmail, or profit. And while some of the past few years’ high-profile government and industrial attacks have been at the center of many cybersecurity stories, the reality is that hacks in the retail and consumer spaces have… Read More

Timeline for PCI DSS 4.0: The First Requirement and Best Practices for Network Security Controls

PCI DSS compliance is verifying that your systems, those that handle personal and cardholder information, meet all the expectations of the 12 requirements of the standard. These requirements describe security and privacy controls to protect against modern threats and vulnerabilities and call for both attention to implementing controls and maintaining long-term best practices.  The best… Read More

What Is Sampling in PCI DSS Assessment?

A significant part of any security framework is the assessment. Different frameworks require different types of assessments, from self-managed diagnostics to extensive and annual third-party audits. PCI DSS is no different, requiring annual compliance validation for all relevant systems.  The nature of these assessments may vary depending on the company and are beyond the scope… Read More

PCI DSS and Customized Approach Validation

With the new PCI DSS 4.0 updates now public, payment processors and security experts are examining some of the latest changes. One of the changes we’ve noticed (and one that will most likely make a massive difference for assessments) is the inclusion of customized approaches to PCI DSS assessment. This evolution of compensating controls in… Read More