
PCI DSS 4.0.1 Update

Assessments

PCI DSS 4.0.1 is public as of June 11, 2024, about two years and three months after the initial release of PCI DSS 4.0. Minor updates like this after such a major overhaul are expected, especially as all of you get your hands on the documents and start using them in assessments.

The update, which is available in the PCI Security Standards Document Library, contains mostly cosmetic changes that further align language introduced in...


iFrames and PCI DSS 4.0 (including SAQ A)

Assessments

PCI DSS compliance dates are fast approaching, and we are a little more than a year away from the SAQ A iFrame changes that many merchants and service providers will need to deal with. iFrames used to be the primary escape hatch that companies would use to avoid bringing vast parts of their websites into scope for PCI DSS, but this has now changed.

In our example, let’s assume the parent site is store.com, and...


Get Ready for your PCI DSS 4.0 Gap Assessment

Assessments

It’s that time of the year (or at least it was) when we earnestly weigh pushing tasks to next year, with a focus on what might be coming across our task lists. And perhaps you are looking at that PCI DSS 4.0 gap assessment as something to get done prior to 2024 budgeting season.

Early in the year might be the best time to do this gap assessment. If your QSA or consulting firm is...


The Bob Loblaw Log Blog

Requirement 10

Logs play an important role in the security of your environment. They are a record of what happened and a way to reconstruct the events that led to a security incident. That's if you capture all of them, if you protect their integrity, and if you are looking for the right things. Falling short on any of these common pitfalls undermines your ability to monitor your environment and meet PCI requirements.

Capturing all the Logs (10.2.1)

Many times during the annual...


Starbucks & PCI

Alternative Payments

Chapter 19 of our book goes through a number of fun topics, including alternative payment schemes, emerging technologies, and a prediction or two on where we see things going and how you can prepare for these changes. There are a couple that we wanted to expand on here in a blog especially with respect to your obligations with PCI DSS compliance.

In 2013, Branden authored a blog post that got a ton of attention....


Truncation is a Friend

Truncation

We felt like the echoes just kept getting louder in the book. You don't have to secure what you don't store, which means your scope is reduced with a solid truncation strategy. In fact, truncation is the next best thing to secure destruction when it comes to scope reduction and PCI DSS.

When Branden worked for a large bank, this was the strategy he chose to employ in the areas subject to PCI DSS. In...
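As an added example (not code from the book or from the post above), here is a small Python helper for the kind of truncation the post is talking about: strip PANs down before a record is ever written to storage, so the stored copy is out of scope. It assumes the classic first-six/last-four truncation format, uses a Luhn check so that other long numbers (order IDs, phone numbers) are left untouched, and the sample record it runs on is constructed for the example.

```python
"""PAN truncation before storage (added example, not from the original post).

Assumptions that the post does not state:
  * "truncated" means keep the first six and last four digits and drop the
    middle, the long-standing PCI DSS display format; nothing is masked
    with X, the digits are simply gone.
  * Candidate numbers that fail the Luhn check are not treated as PANs and
    are returned unchanged, so order numbers and the like survive intact.
"""
import re

# Loose candidate pattern: 13 to 19 digits, optionally separated by
# single spaces or dashes, on word boundaries.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Truncate a single PAN to first six / last four.

    Non-PAN input (wrong length, non-digits, Luhn failure) is returned as-is.
    """
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        return pan
    return digits[:keep_first] + digits[-keep_last:]


def truncate_in_text(text: str):
    """Truncate every Luhn-valid PAN found in free text.

    Returns (new_text, number_of_pans_truncated). Run this on a record
    before it is written; the stored copy then contains no full PAN.
    """
    count = 0

    def repl(m: re.Match) -> str:
        nonlocal count
        truncated = truncate_pan(m.group(0))
        if truncated != m.group(0):
            count += 1
        return truncated

    return PAN_CANDIDATE.sub(repl, text), count


if __name__ == "__main__":
    # Constructed sample record; 4111111111111111 is the well-known test PAN.
    record = "order ORD-20240611-000123 card 4111 1111 1111 1111 approved"
    stored, n = truncate_in_text(record)
    print(f"truncated {n} PAN(s): {stored}")
```

Note the order number in the sample record survives: it is 14 digits and matches the loose pattern, but it fails the Luhn check, so only the card number is truncated. The truncated value (ten digits) is shorter than any PAN, so re-running the helper over already-stored data is harmless.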