All posts by David Acosta

Qualified Security Assessor (QSA) for PCI DSS, PCI PIN, PCI 3DS, P2PE and PCI TSP. CISSP, CISA, CISM, CRISC, C|EH, C|HFI.

Differences between a PCI SSC standard and a validation program

Compliance with the controls of the PCI SSC standards is governed by two elements that work together: the standard as such and its related validation program. Here we explain their differences. When an entity requires...

/ November 27, 2024

Data inside and outside the scope of PCI DSS

One of the critical tasks in PCI DSS compliance is the identification of scope of compliance. The first step in determining which assets are in or out of that range is identifying the type of data...

/ November 12, 2024

It is not said: "PCI DSS Audit". It should read: ‘PCI DSS Compliance Assessment’

It is very common to hear the terms "PCI DSS Audit" or "PCI DSS Auditor" within the jargon related to PCI DSS standard compliance. The use of this terminology is overcrowded even in Qualified Security Advisors...

/ October 22, 2024

Brief review of the PCI SSC Europe Community Meeting 2024 in Barcelona

This October 2024 the PCI SSC Europe Community Meeting was held in the beautiful city of Barcelona (Spain). In this article we tell you the main topics covered, the changes that are coming in terms of standards of...

/ October 14, 2024

5 key points of the document for the definition of scope and segmentation in modern network architectures

In September 2025, the PCI SSC published a new Information Supplement – PCI DSS Scoping and Segmentation Guidance for Modern Network Architectures. In this article...

/ September 19, 2024

What is PCI DSS?

This new series of articles from PCI Hispano will present an overview of each of the standards currently published by the Payment Card Industry Security Standards Board.

/ August 18, 2024

New version of PCI DSS: 4.0.1

On 11 June 2024 the PCI SSC published version 4.0.1 of the PCI DSS standard, which replaces version 4.0 published in March 2022 This new version contains minor revisions, typographic and formatting corrections and...

/ June 12, 2024

All you need to know about INFI in PCI DSS v4.x (discontinued)

NOTE: On 19 March 2024, the PCI SSC took the decision to discontinue the use of Items Noted for Improvement (INFI) forms, introduced with version 4.0 of the PCI DSS standard. This decision has been made with...

/ March 20, 2024

Triple DES (TDEA) obsolescence and its impact on PCI SSC standards

January 1, 2024 marked a milestone in the history of modern cryptography: The Triple DES algorithm (3DES/TDES or TDEA) was listed as "obsolete" by NIST. This news is part of the efforts of the migration to...

/ March 13, 2024

Recurring, future and TRA controls of PCI DSS v4.0 in Excel format

To ensure the effectiveness and effectiveness of PCI DSS controls over time, some of the standard's controls require periodic (recurring) execution. This recurrence has been established by the PCI SSC in the standard...

/ December 20, 2023

Reminder PCI PIN: Change the key upload process as of January 1, 2024

According to the PCI PTS PIN Security Requirements − Technical FAQs for use with Version 3, as of January 1, 2024, the process of loading keys in...

/ December 14, 2023

PCI DSS v4.0 in Microsoft Excel format

How many times have we needed PCI DSS v4.0 controls organized into a Microsoft Excel file? Surely many. Unfortunately, the PCI SSC only publishes the standard in PDF version, which greatly limits the dynamics in the management of...

/ December 12, 2023

PCI SSC publishes 'Targeted Risk Analysis (TRA) Guidance' for PCI DSS v4.x

In November 2023, the PCI SSC published a new guide to support the activities required in PCI DSS v4.x. On this occasion, it is the PCI DSS v4.x Targeted Risk Analysis Guidance document.

/ November 30, 2023

AWS publishes its PCI DSS v4.0 compliance guide

As part of its efforts to facilitate the implementation of controls of different security standards in its customers' environments, Amazon Web Services (AWS), as a cloud service provider (CSP), published...

/ November 28, 2023

Validity of PCI DSS v3.2.1 compliance reports and assessments

The PCI SSC set 31 March 2024 as the deadline for the withdrawal of PCI DSS version 3.2.1. As of April 1, 2024 the only active and official version of PCI DSS...

/ November 15, 2023