What is known about PCI DSS v5.0?
Version 4.0 of PCI DSS was released in March 2022, and the PCI Security Standards Council is already actively working on version 5.0. What is known about this new version? Ray Kurzweil's Law of Accelerating Returns...
Two-year extension for PCI PTS HSM v3
After having us on edge for a few months, the PCI Security Standards Council (PCI SSC) has extended the expiration periods of devices validated in PCI HSM as follows: Extends the period of device validation in...
What is PCI 3DS?
This article presents a brief description of the PCI 3DS standard, aimed at protecting card-not-present e-commerce transactions through robust cardholder authentication. Introduction The Payment Card Industry Standard...
Transparent Data Encryption (TDE): ‘compliance’ vs. ‘security’
Transparent Data Encryption (TDE) is a technology that protects sensitive data in databases during storage (data-at-rest). However, its use must be restricted to very specific scenarios, outside of which the level of protection that...
The expiration date of PCI HSM version 3.x is approaching (30 April 2026): what will happen to the affected devices?
April 30, 2026 is the stipulated expiration date for cryptographic devices validated against PCI HSM version 3.x. If you have not yet defined your migration strategy, this article is for you. NOTE: The PCI SSC has...
What is PCI SSF/PCI Secure SLC/PCI S3?
This new article presents a brief introduction to the Payment Card Industry Software Security Framework (PCI SSF), which replaced the PA-DSS (Payment Applications Data Security Standard) standard in October 2022. Introduction One...
The reality of PCI SSF: What Vendors, Entities (and Advisors) Keep Ignoring
This is the first article in a series dedicated to breaking down the PCI Software Security Framework (SSF). In future installments we will delve into technical details and specific use cases, but today we start with the foundations. In the security ecosystem...
Do you process card data and don't want the hassle of PCI DSS compliance reports? Here is how you can obtain an exemption
The security of payment card data is not the same as it was 10 or 15 years ago. The mass adoption of EMV chips and contactless transactions, the use of tokenization, the implementation of P2PE controls and...
The Importance of Encryption Modes in Cryptography
When using encryption, a robust algorithm and an acceptable key length are not enough. There are two other very important parameters that are often forgotten: the encryption mode and the parameterization of the initialization vector (IV). These...
Differences between Vulnerability Scans and Penetration Tests in PCI DSS
As part of regular security status monitoring activities, the PCI DSS standard requires a series of technical assessments to detect potential security issues early in the assets that fall within the compliance scope.
Visa's AIS program no longer includes level 4 for merchants
Visa's Account Information Security (AIS) program has undergone major changes, modifying merchant classification criteria to report compliance with the PCI DSS standard. This program defines the applicable requirements based on the...
Guide to understanding the types of tokens and their use
One of the key controls of the PCI DSS v4.0 standard is requirement 3.5. It lists a number of techniques for protecting the PAN (Primary Account Number) when it must be stored, provided there is a business justification. The...
VCC (Virtual Credit Cards) and PCI DSS
Probably one of the most recurring questions during the identification of the PCI DSS scope of an entity that uses Virtual Credit Cards (VCCs) is whether or not these types of cards are in scope. But what are they...