Category: PCI DSS
Articles related to the PCI DSS standard
DNS: The blind spot of PCI DSS
If you thought that, by implementing all PCI DSS controls, you were going to be invulnerable against cyberattacks, you may need to review your strategy. There are certain technical areas that are not covered by that standard and that need to be reviewed...
Transparent Data Encryption (TDE): ‘compliance’ vs. ‘security’
Transparent Data Encryption (TDE) is a technology that protects sensitive data in databases during storage (data-at-rest). However, its use must be restricted to very specific scenarios, outside of which the level of protection that...
Differences between Vulnerability Scans and Penetration Tests in PCI DSS
As part of regular security status monitoring activities, the PCI DSS standard requires a series of technical assessments to identify potential security issues in compliance and compliance assets early.
Guide to understanding the types of tokens and their use
One of the key controls of the PCI DSS v4.0 standard is requirement 3.5. It lists a number of techniques for protecting the PAN (Primary Account Number) when it should be stored, if there is any business justification. The...
VCC (Virtual Credit Cards) and PCI DSS
Probably one of the most recurrent doubts during the identification of the scope (scope) of PCI DSS of an entity that uses Virtual Credit Cards (VCCs) is whether or not these types of cards are in scope. But what are they...
What are the advantages and disadvantages of the periodic rotation of the QSA advisor or company?
In order to ensure optimal levels of quality in assessments of compliance with PCI SSC standards, it is highly recommended (and sometimes mandatory) to implement a periodic rotation of the advisor or QSA company. But which ones...
Vulnerability management in PCI DSS: Connecting all related controls
Vulnerability management is one of the most exhausting tasks in a PCI DSS environment, since it is necessary to periodically monitor the publication of notifications by manufacturers, review the reports of the scans and tests of...
Can certificates or diplomas be used to demonstrate PCI DSS compliance?
Continuing our campaign for the good use of terms in the field of PCI, this time we analyze the use of the concept of "certification" and the issuance of certificates or diplomas after the formal evaluation, with the...
What follows after the entry into force of future PCI DSS v4 controls?
Due to the complexity of its implementation, the PCI DSS v4 standard established a grace period for the implementation of certain security controls. That period expired on 31 March 2025. What follows after this date?...
New information supplement: Security on payment pages and prevention of e-skimming
The PCI SSC has published a new Information Supplement aimed at security in payment pages and prevention of e-skimming attacks as a guide for the implementation of controls 6.4.3 and 11.6.1 of PCI DSS v4.0.
The two sides of the authenticated scans (PCI DSS req. 11.3.1.2)
Another of the relevant changes in PCI DSS version 4.0 was the evolution of internal vulnerability scans from a network-based approach (PCI DSS v3.2.1) to an authenticated approach, which allows full visibility of the...
Implementation of controls against e-skimming (PCI DSS req. 6.4.3 and 11.6.1)
One of the star controls that PCI DSS version 4.0 incorporated was protection against e-skimming attacks through requirements 6.4.3 and 11.6.1. This control was the response of the PCI SSC to the massification of...
Changes in SAQ A of PCI DSS v4.0.1
As part of efforts to achieve security and compliance balance, the PCI SSC announced on January 30, 2025 that controls related to the security of payment pages (6.4.3 and 11.6.1) will be removed from the...
Data inside and outside the scope of PCI DSS
One of the critical tasks in PCI DSS compliance is the identification of scope of compliance. The first step in determining which assets are in or out of that range is identifying the type of data...
5 key points of the document for the definition of scope and segmentation in modern network architectures
In September 2025, the PCI SSC published a new Information Supplement – PCI DSS Scoping and Segmentation Guidance for Modern Network Architectures. In this article...
