ROC Revolution: Navigating the Impact of PCI DSS 4.0 on Reporting Efficiency and the Price of Customization

This blog post was written by a friend and former co-worker you may know as the PCI Guru. He discusses a notable change in the Payment Card Industry Data Security Standard (PCI DSS) Report On Compliance (ROC) Reporting Template, specifically in version 4.0. He highlights a shift in the template’s language, emphasizing the need for…

Can SAQ eligibility criteria be used for determining the applicability of PCI DSS requirements for assessments documented in a Report on Compliance?

Reposted from PCI Website. Service providers cannot use SAQ eligibility criteria to determine the applicability of PCI DSS requirements for assessments documented in a Report on Compliance. The only acceptable SAQ for service providers is SAQ D for Service Providers. All other SAQs are intended for merchant use only. Merchants with environments that fully meet all…

PCI ASV Program

This article is meant to call out some of the items some companies or people might not understand about the ASV program. Most of the content is directly from the program guide that can be found on the PCI Council's website. This is in no way a full description of the program guide or a…

Understanding PCI Compliance

Before I begin, I want to clarify one important item: only your processor(s), acquiring bank(s), and/or card brand(s) can give you a definitive answer regarding your merchant level. I originally published this article in 2020, but I have updated it with the latest level information and included UnionPay. Compliance with PCI DSS is crucial for any…