How does PCI DSS v4.0 affect an entity's website compliance?

PCI DSS is not a new thing; in fact, it has been around since December 2004. As with any security programme, it has been regularly updated to ensure it remains fit for purpose. It is due another major change, moving from its current iteration (3.2.1) to version 4.0. The latest version is […]

PCI DSS version 4.0 Release Schedule

The PCI SSC has announced that PCI DSS version 4.0 is scheduled for publication at the end of March 2022. A number of our QSA clients have been longing for a peek at the draft version; however, I've signed my life away under a non-disclosure agreement with the PCI SSC, so I'm still obligated to […]

Redundant QSAs: Working Smart, Side-Stepping the Rabbit Hole & Streamlining

Are your QSAs wasting your time (and money)? Your QSA shouldn't just be ensuring you are PCI DSS compliant. They should be side-stepping the potential rabbit hole, creating a value-added service, and making their roles (sort of) redundant. The result? Control reduction (does 240 to 21 sound acceptable?). The benefit? You save money, time and […]

Time is Running out for E-Commerce Merchants Running Magento Version 1.x

E-Commerce merchants who are still using Magento version 1.x as their online shopping cart will soon run out of time to move to a supported version. When Magento version 2.0 was released back in November 2015, E-Commerce merchants and developers were informed that Magento version 1 had a limited shelf life and would become obsolete. The initial end-of-life date given was November 2018; however, push back from developers and merchants alike resulted in a revised end-of-life date of June 2020. As an experienced Information Security Consultant and PCI QSA, one of the

PCI DSS v3.2.1 Regular Tasks

To maintain PCI DSS compliance, there are a number of tasks which must be conducted on a regular basis. I've taken the liberty of collating all of these regular tasks into one table. Where the frequency of a task is "regular" or "periodic", I have made a recommendation based upon my experience as a QSA. Depending on the environment and threat landscape, it could be justified for these indeterminate frequencies to shift in either direction. Note that this table assumes a SAQ D-equivalent environment, with all PCI DSS controls in play. The shape of the regular

Lies, damned lies and PCI DSS compliant E-Commerce hosting and service provision

As a PCI DSS Qualified Security Assessor, I've had this conversation far too many times now. Many hosting providers make claims of PCI DSS compliance; however, when trying to verify that compliance, we are met with obfuscation and frustration. I have seen so many certificates, ASV scan reports, merchant attestations and other documents which service […]