Category: General content
General content related to PCI SSC standards
Compensatory checks and personalised approach: What are they and when are they used?
Unlike other security standards, the PCI DSS standard allows for some flexibility in the implementation of your controls. If there are technical or administrative restrictions that prevent the implementation of a control "as is" as requested in the standard, the...
Changes in PCI PTS HSM v5.0: Who do they affect and what does it mean for the future of payments?
On May 18, 2026, the PCI SSC released version 5.0 of the PCI PTS HSM standard (or simply PCI HSM). This standard includes numerous changes that may affect, directly or indirectly, compliance with other PCI standards.
DNS: The blind spot of PCI DSS
If you thought that, by implementing all PCI DSS controls, you were going to be invulnerable against cyberattacks, you may need to review your strategy. There are certain technical areas that are not covered by that standard and that need to be reviewed...
What is known about PCI DSS v5.0?
Version 4.0 of PCI DSS was released in March 2022. The PCI Security Standards Council is already actively working on version 5.0. What is known about this new version? Ray Kurzweil's Law of Accelerated Yields...
Transparent Data Encryption (TDE): ‘compliance’ vs. ‘security’
Transparent Data Encryption (TDE) is a technology that protects sensitive data in databases during storage (data-at-rest). However, its use must be restricted to very specific scenarios, outside of which the level of protection that...
The reality of PCI SSF: What Sellers, Entities (and Advisors) Keep Ignoring
This is the first article in a series dedicated to breaking down the PCI Software Security Framework (SSF). In future deliveries, we will delve into technical details and specific use cases, but today we start with the foundations. In the security ecosystem...
Do you process card data and don't want to get complicated with PCI DSS compliance reports? So you can get an exemption
The security of payment card data is not the same as it was 10 or 15 years ago. The massification of EMV chips and contactless transactions, the use of tokenization, the implementation of P2PE controls and...
The Importance of Encryption Modes in Cryptography
When using encryption, a robust algorithm and an acceptable key length is not enough. There are two other very important parameters that are often forgotten: Encryption mode and initialization vector parameterization (Initialization Vector, IV). These...
Differences between Vulnerability Scans and Penetration Tests in PCI DSS
As part of regular security status monitoring activities, the PCI DSS standard requires a series of technical assessments to identify potential security issues in compliance and compliance assets early.
Guide to understanding the types of tokens and their use
One of the key controls of the PCI DSS v4.0 standard is requirement 3.5. It lists a number of techniques for protecting the PAN (Primary Account Number) when it should be stored, if there is any business justification. The...
VCC (Virtual Credit Cards) and PCI DSS
Probably one of the most recurrent doubts during the identification of the scope (scope) of PCI DSS of an entity that uses Virtual Credit Cards (VCCs) is whether or not these types of cards are in scope. But what are they...
5 Key Concepts of the New PCI SSC Authentication Guide
At the end of August 2025, the PCI SSC published two new guides (informational supplements) related to authentication and cryptography. Although these documents do not change the applicability and/or enforceability of the related PCI SSC controls, they do...
What are the advantages and disadvantages of the periodic rotation of the QSA advisor or company?
In order to ensure optimal levels of quality in assessments of compliance with PCI SSC standards, it is highly recommended (and sometimes mandatory) to implement a periodic rotation of the advisor or QSA company. But which ones...
Vulnerability management in PCI DSS: Connecting all related controls
Vulnerability management is one of the most exhausting tasks in a PCI DSS environment, since it is necessary to periodically monitor the publication of notifications by manufacturers, review the reports of the scans and tests of...
