PCI Compliance

Are you Keeping an Inventory of Cipher Suites and Certificates for the New PCI DSS?

We recently discussed the software cataloging required under the future-dated requirements of PCI DSS v4.0.1. While maintaining inventories is not a novel concept for digital organizations, PCI DSS v4.0.1 introduces several new inventory requirements that many organizations may not currently have in place:


Documented Cipher Suite Inventory

No doubt at some point you have rummaged through a drawer and found an old key or two and wondered if you may still (more…)
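The cipher-suite and certificate inventory the requirement calls for is only useful if someone checks it against a strong-cryptography baseline. As an added example (not code from the original post or from any PCI SSC publication), the Python below reads an inventory kept as CSV and flags deprecated protocols, weak cipher components, undersized keys and expiring certificates. The CSV layout, the hostnames, the reference date and the thresholds are assumptions chosen for illustration; the inventory rows are constructed sample data.

```python
"""Check a TLS cipher-suite and certificate inventory against a strong-crypto baseline.

Added example, not the original post's code. The inventory format, hostnames,
thresholds and reference date below are assumptions for illustration.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed baseline: protocols and OpenSSL cipher-name tokens that do not
# meet the usual strong-cryptography bar (TLS 1.2+ with modern AEAD suites).
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_TOKENS = ("RC4", "DES-CBC", "NULL", "EXP-", "MD5", "ADH", "AECDH")
MIN_KEY_BITS = 2048                 # assumed minimum RSA key size
EXPIRY_WARNING = timedelta(days=30) # assumed renewal lead time


@dataclass
class Endpoint:
    host: str
    port: int
    protocol: str        # negotiated protocol, e.g. "TLSv1.2"
    cipher: str          # OpenSSL-style suite name, e.g. "ECDHE-RSA-AES128-GCM-SHA256"
    key_bits: int        # public key size of the presented certificate
    not_after: datetime  # certificate expiry, UTC


def cipher_findings(protocol: str, cipher: str) -> list[str]:
    """Reasons a negotiated protocol/cipher pair fails the baseline (empty = OK)."""
    findings = []
    if protocol in DEPRECATED_PROTOCOLS:
        findings.append(f"deprecated protocol {protocol}")
    upper = cipher.upper()
    for token in WEAK_CIPHER_TOKENS:
        if token in upper:
            findings.append(f"weak cipher component {token}")
    # TLS 1.3 suites are always ephemeral; on older versions only (EC)DHE suites are.
    if protocol != "TLSv1.3" and not upper.startswith(("ECDHE", "DHE")):
        findings.append("no forward secrecy")
    return findings


def certificate_findings(ep: Endpoint, now: datetime) -> list[str]:
    """Reasons the certificate on an endpoint needs attention (empty = OK)."""
    findings = []
    if ep.key_bits < MIN_KEY_BITS:
        findings.append(f"key size {ep.key_bits} < {MIN_KEY_BITS}")
    if ep.not_after <= now:
        findings.append("certificate expired")
    elif ep.not_after - now <= EXPIRY_WARNING:
        findings.append("certificate expires within 30 days")
    return findings


def load_inventory(text: str) -> list[Endpoint]:
    """Parse the assumed CSV inventory layout (one row per listening endpoint)."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        expiry = datetime.strptime(row["not_after"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
        rows.append(Endpoint(row["host"], int(row["port"]), row["protocol"],
                             row["cipher"], int(row["key_bits"]), expiry))
    return rows


def audit(inventory: list[Endpoint], now: datetime) -> dict[str, list[str]]:
    """Map 'host:port' to its list of findings; an empty list means compliant."""
    return {f"{ep.host}:{ep.port}": cipher_findings(ep.protocol, ep.cipher)
            + certificate_findings(ep, now) for ep in inventory}


# Constructed sample inventory and a fixed reference date so results are reproducible.
NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)
SAMPLE_CSV = """host,port,protocol,cipher,key_bits,not_after
pay.example.test,443,TLSv1.3,TLS_AES_256_GCM_SHA384,3072,2025-09-17
legacy.example.test,443,TLSv1,DES-CBC3-SHA,1024,2025-03-11
api.example.test,8443,TLSv1.2,AES128-SHA,2048,2025-02-28
"""

if __name__ == "__main__":
    for endpoint, findings in audit(load_inventory(SAMPLE_CSV), NOW).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{endpoint}: {status}")
```

Run against the sample rows, the TLS 1.3 endpoint passes, the legacy host is flagged on protocol, cipher, key size and imminent expiry, and the API host is flagged for an expired certificate and a non-ephemeral suite. The token list is deliberately conservative; extend it to match whatever your QSA accepts as strong cryptography, and feed it real rows exported from your scanner rather than the constructed ones here.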

The Silent Threat: How PCI DSS 4.0.1 Tackles Service Account Vulnerabilities

While organizations rightly prioritize protecting employee accounts from cybersecurity threats, particularly those with elevated privileges, service accounts too often receive less attention despite their critical role. Service accounts operate silently in the background, running the business applications and services that operations depend on.

The importance of securing service accounts is now formally recognized in PCI DSS v4.0.1, which introduces new requirements taking effect March 31, (more…)

The New PCI DSS v4.0.1 Software Catalog Mandate: Are You Ready?

Some of the 51 future-dated requirements of the new PCI DSS v4.0.1 that become effective on March 31, 2025, are related to inventory management. Let’s start by talking about software. In the digital era, software has become the fundamental engine powering organizational operations, and your organization undoubtedly relies on a variety of software applications to conduct business, many of which are bespoke or (more…)

PCI SSC Updates SAQ A: Removal of Key E-Commerce Security Requirements & New Eligibility Criteria

The PCI Security Standards Council (PCI SSC) has made significant updates to Self-Assessment Questionnaire type A (SAQ A) as part of PCI DSS v4.0.1. These changes impact e-commerce merchants who outsource payment processing and previously relied on the SAQ A for compliance validation.

The latest modifications include:

  • Removal of PCI DSS Requirements 6.4.3, 11.6.1, and 12.3.1 from SAQ A.
  • New eligibility criteria requiring merchants to confirm (more…)

What is the PCI DSS v4.0.1 Requirement for PoLP?

Least Privilege Takes Center Stage in PCI DSS Update

Organizations now recognize that completely preventing cyberattacks is nearly impossible. As a result, the principle of least privilege (PoLP) has become a cornerstone of modern cybersecurity strategies. By restricting account permissions to the minimum required for a specific task, PoLP limits the damage an attacker or insider can do with any one compromised account.


What is the PCI (more…)

What is the PCI DSS v4 Authenticated Scanning Mandate?

Preparing for PCI DSS 4.0.1: The Authenticated Scanning Mandate

As organizations prepare for PCI DSS v4.0.1 enforcement on March 31, 2025, Requirement 11.3.1.2 introduces a significant change: internal vulnerability scans must be authenticated. Unauthenticated scans see only what is exposed over the network; scanning with credentials lets the scanner also check installed patch levels and host configuration, giving a deeper and more accurate picture of internal vulnerabilities.


What are the Key Points of Requirement 11.3.1.2?

  1. Authenticated Access: Internal scans must use credentials with sufficient privileges on the scanned systems.
  2. (more…)

Is Your Organization Prepared for PCI DSS Automation?

By Viviana Wesley, PCI QSA, ISO 27001 Auditor, CISM – Principal Consultant, Governance, Compliance and Engineering Services and Jason Maiden, CISSP, PMP, PCI QSA, ISO 27001 Lead Auditor – Managing Consultant

Gearing Up for PCI DSS Automation

Automation is revolutionizing industries across the board, and payment card compliance is no exception. PCI DSS v4’s Requirement 10.4.1.1 reflects this shift, mandating the use of (more…)

Unpacking the New PCI DSS v4.x Password Standards

By Jason Maiden, CISSP, PMP, PCI QSA, ISO 27001 Lead Auditor – Managing Consultant

The Payment Card Industry Data Security Standard (PCI DSS) v4.x introduced several new and enhanced security requirements, many of which became effective on March 31, 2024. However, the clock is ticking on additional future-dated requirements set to take effect on March 31, 2025. Among these, a significant portion pertains to (more…)
