This is a great read for anyone dealing with the complexity associated with PCI compliance and how to navigate from “finding” to “control in place”. Enjoy!
It is always good to receive clarification from the PCI Council and these minor changes are both relevant and timely. Enjoy!
This is a great, straightforward explanation of the Merchant Levels associated with PCI DSS. Thanks to the team at Tripwire for sharing. Everyone should have this information internalized or readily available for discussion when supporting customers or internal resources that process branded credit/debit cards.
This is an excellent review and well worth the read. Much confusion exists for those navigating the PCI DSS, and many truly do not understand the difference between a vulnerability scan and a penetration test.
I have tweeted a link to this article previously, but it is worthwhile and bears repeating. Jeff Man has done an excellent job recapping both the changes found in DSS 3.2 and the timing implications. This is required reading for everyone striving to maintain compliance as a merchant or service provider.
The PCI DSS process is about to get more complicated and compliance is going to be harder to obtain – and frankly that’s a good thing. Moving compliance efforts closer to real security efforts benefits the protection of data. Making compliance something to obtain, and not simply purchase, will create ownership and buy-in in the compliance process. Buy-in often leads to understanding which in turn can lead to valuing the effort and target outcome.
I look forward to seeing a few more teeth added to the PCI DSS, even if it takes the creation of a little kicking and screaming by the FTC.
This is additional sound wisdom from Jeff Man at Tenable. You can never test security too much. I realize that many of us live in worlds with resource constraints, but you should always schedule and dedicate resources to testing and validation.