What is PCI DSS compliance and why is it important?

In an age where, in many countries, cash is no longer king, ensuring the secure handling of cardholder data has become increasingly important. A critical part of this has been the establishment of PCI DSS. So, what is PCI DSS compliance, and how does the security standard protect card […]
The importance of being transparent in PCI DSS

Let’s talk about the importance of being open and transparent, especially during the gap analysis.
Gap analysis as a pre-audit
It is very important for an entity starting its compliance process to perform a gap analysis against the standard. Such an analysis serves as a kind of pre-audit that highlights the gaps (hence the name) between the entity’s current state and what the standard requires, so that such an entity […]
The scoping exercise: the foundation for PCI DSS compliance

When you start a PCI DSS compliance project, scoping is what some of us QSAs like to call “requirement zero”. The more complex your processes and systems for storing, transmitting and/or processing cardholder data are, the harder it will be to achieve and maintain compliance. This explains why reducing the PCI DSS scope represents such […]
How security measures keep the scare away 👻

Facebook. Flipboard. Fortnite. All three had security breaches in 2019 that leaked hundreds of millions of customers’ records to attackers. Downright frightful. The spookiest part? It’s not the first time for some of these companies, and it all could have been avoided, witch 🧙 is the whole point. When was the last time your organization ensured […]
Security/privacy by design and software development

In this post we will explain the concept of security/privacy by design with regard to software development, the GDPR and the PCI DSS.
Security by design in PCI DSS
PCI DSS Requirement 6.3 states: Develop internal and external software applications (including web-based administrative access to applications) securely, incorporating […]
PCI-DSS vs ISO 27001

If your organization is considering starting a compliance process, it is very likely that for some people PCI DSS immediately comes to mind, while for others it is ISO 27001. Both standards aim to secure and manage company information, but they do so in different ways and to different extents. But the […]
Are you protecting your client data securely enough?

Understanding Levels of PCI DSS Compliance
With our Ultimate Guide to PCI DSS Cloud Hosting we delve into the significance of protecting your client data and why it is critical for businesses to be PCI DSS certified. But how rigorous is the certification process? If you are a small or medium-sized business, do you have to […]
Penetration Testing Guidelines and Best Practices – Part 1

What does PCI DSS say about penetration testing?
PCI DSS does provide some guidelines on penetration testing. What the standard explicitly mandates about penetration testing is set out in Requirement 11.3, which requires organizations to perform annual penetration tests that would mainly: While the composition of the network-layer tests is left to the discretion of the […]
Can tokenization reduce PCI DSS audit scope?

In an older, but still valid, Gartner report, Using Tokenization to Reduce PCI Compliance Requirements, it was found that large merchants with an average of 100,000 customer accounts potentially store cardholder data in 10 to 20 different locations in-house. Since the PCI standard mandates that every system in the Cardholder Data Environment (CDE) must be audited, […]
The Basics of Penetration Testing in PCI DSS

What is penetration testing?
A penetration test can be described as a simulated but realistic cyber attack that aims to determine how deep an attacker would be able to penetrate into a well-defined target environment. The main benefit of such an exercise is that it allows the assessed entity, which owns the environment, to […]