Balancing Security and Compliance: A Key Discussion on Vulnerability Management
- marketing60147
- Oct 15
- 2 min read
Three of our QSAs are currently attending the PCI Security Standards Council 2025 Europe Community Meeting in Amsterdam, soaking up discussions on all things PCI. One of the standout topics from the first day's sessions centred on vulnerability management, penetration testing, and maintaining effective security in a compliance-driven world.
When Compliance Clashes with Real-World Security
A particularly engaging debate emerged around a familiar pain point in the industry: the tension between compliance requirements and actual security best practices.
Merchants raised a valid concern: why must businesses with robust, multi-layered defences relax or even temporarily disable them just so an Approved Scanning Vendor (ASV) can complete an external scan?
It’s a question that highlights a long-standing challenge: compliance assessments don’t always align with the security measures organisations actually use to protect themselves.
For example, companies that have implemented Web Application Firewalls (WAFs), reverse proxies, or strong network segmentation often find themselves modifying or bypassing these very controls simply so that the scanner can reach an external IP address.
Evolving the Framework: Security and Compliance Can Coexist
The takeaway from the discussion was clear: the industry needs compliance frameworks that evolve with modern security architectures, not ones that inadvertently force businesses to choose between being secure and being compliant.
As technology stacks become more complex, it’s increasingly important that standards bodies recognise these changes and adapt their testing and validation methods accordingly.
Conference Impressions: Smaller, but Still Insightful
Interestingly, this year’s conference felt noticeably smaller than previous editions, particularly during the Assessor Session, which is typically one of the busiest. Attendance seemed lower, though that may have been down to the sheer size of the room (large enough to fit a few football pitches).
The first day’s agenda was also lighter than usual, as many attendees arrive late on Tuesday and save their energy for the more in-depth sessions typically held on Wednesday.
Spotlight on Vendors and Requirements
Most vendors in the Showcase area were focused on providing solutions to meet PCI DSS requirements 6.4.3 and 11.6.1. Interestingly, these controls are no longer mandatory for SAQ A assessments, but this change doesn’t seem to have translated into the lower pricing that some expected.
Networking: Still the Best Part
As always, one of the major benefits of attending the PCI SSC community meetings is the networking: connecting with other assessors, peers, and industry professionals remains one of the most valuable aspects of the event.
Assessor Session Takeaways
- New guidance documents have been released that will add clarity on the Authentication and Anti-Phishing access control requirements.
- No new ROC template updates are planned for the foreseeable future, which is good news for QSA companies compared to the 2+ revisions we have had over the last year.
- One key takeaway is that we need to be very careful about being critical on LinkedIn about this conference or the SSC; it could come back to bite us in the arse.