The Payment Card Industry Data Security Standard (PCI DSS) version 4.0 has established a formal requirement for a documented scoping exercise as outlined in PCI 12.5.2. This essential step, which must be completed prior to the Qualified Security Assessor (QSA) commencing their evaluation, ensures that the scope of the Cardholder Data Environment (CDE) is accurately…
Source: PCI Security Standards Council, “Guidance for PCI DSS Requirements 6.4.3 and 11.6.1,” Version 1.0, March 2025. Purpose: To provide supplemental information and guidance to merchants and third-party service providers (TPSPs) on meeting PCI DSS Requirements 6.4.3 and 11.6.1, which address the growing threat of e-skimming attacks on e-commerce payment pages. This document does not…
In a significant move aimed at simplifying compliance requirements and streamlining merchant classifications, Visa has recently announced the consolidation of its Merchant Levels 3 and 4 into a single category, now referred to as Level 3. This change is part of Visa’s ongoing efforts to adapt to the evolving payment landscape and make compliance more…
I believe that scan interference is one of the primary issues that many customers and ASV providers don’t understand. This post is to help everyone understand what it is and how to remediate it during an ASV scan. To ensure reliable scanning, the ASV scan solution must operate without interference from active protection systems. Here,…
Two encryption methods stand out when securing payment card data: Point-to-Point Encryption (P2PE) and End-to-End Encryption (E2EE). Both methods aim to protect sensitive information, yet they vary significantly in their implementation, validation processes, and ability to limit exposure. It is essential for businesses to grasp these distinctions in order to improve security and uphold PCI…
As the world of cybersecurity changes, businesses and assessors are exploring exciting new technologies to stay in line with industry standards. Integrating Artificial Intelligence (AI) into Payment Card Industry (PCI) assessments is one innovation. The new guidelines from the PCI Security Standards Council (PCI SSC) provide a clear and secure way to weave AI into…
The Payment Card Industry Data Security Standard (PCI DSS) has established rigorous requirements to safeguard sensitive cardholder data and ensure the security of payment systems globally. Among these standards is the PCI Approved Scanning Vendor (ASV) Program, which is vital in identifying and addressing vulnerabilities in external-facing systems. This blog explores the PCI ASV Program,…
With several new PCI DSS v4.0.1 requirements set to take effect on April 1, 2025, two requirements—4.2.1.1 and 12.3.3—have generated significant attention and questions. Let’s begin by reviewing the text of these requirements: The Relationship Between 4.2.1.1 and 12.3.3 Requirement 12.3.3 is a broad, comprehensive requirement encompassing all cryptographic use cases, including those covered under…
The movement of money from physical to digital has revolutionized how we bank and shop. However, this shift has also attracted criminals, replacing traditional heists with sophisticated digital thefts. Data is as valuable as money in today’s economy, making nearly every business a potential target for digital skimming attacks. From customer lists and payroll information…
The PCI Security Standards Council (PCI SSC) has introduced significant changes to the Self-Assessment Questionnaire A (SAQ-A), effective March 31, 2025. These updates redefine merchant eligibility criteria and compliance expectations, prompting important discussions within the PCI community about their implications for merchants, service providers (SPs), and qualified security assessors (QSAs). Overview of Changes The updates to SAQ-A…
