5 Key Concepts of the New PCI SSC Authentication Guide
At the end of August 2025, the PCI SSC published two new guides (informational supplements) related to authentication and cryptography. Although these documents do not change the applicability and/or enforceability of the related PCI SSC controls, they do...
Hardware Security Module (HSM): What is it and what is it for?
One of the main problems arising from the use of cryptography to protect sensitive data in storage and in transit is the complexity of managing the life cycle of encryption keys (generation, storage,...
What are the advantages and disadvantages of the periodic rotation of the QSA advisor or company?
In order to ensure optimal levels of quality in assessments of compliance with PCI SSC standards, it is highly recommended (and sometimes mandatory) to rotate the QSA advisor or QSA company periodically. But which ones...
Vulnerability management in PCI DSS: Connecting all related controls
Vulnerability management is one of the most exhausting tasks in a PCI DSS environment, since it is necessary to periodically monitor the publication of vendor notifications, review the reports of the scans and tests of...
Keyed cryptographic hashes: fundamentals and characteristics
One of the significant improvements that the PCI DSS standard incorporated in its version 4.0 was the use of keyed cryptographic hash functions as a replacement for the traditional non-keyed hash functions that, until...
Can certificates or diplomas be used to demonstrate PCI DSS compliance?
Continuing our campaign for the correct use of terminology in the field of PCI, this time we analyze the use of the concept of "certification" and the issuance of certificates or diplomas after the formal assessment, with the...
Compensating controls: What are they and when are they used?
Unlike other security standards, the PCI DSS standard allows for some flexibility in the implementation of its controls. If there are technical or administrative restrictions that do not allow a control to be implemented "as is", as requested in the standard,...
What follows after the entry into force of the future-dated PCI DSS v4 controls?
Due to the complexity of their implementation, the PCI DSS v4 standard established a grace period for the implementation of certain security controls. That period expired on 31 March 2025. What follows after this date?...
Artificial Intelligence (AI) in PCI assessments: A look at the new PCI SSC guide
In March 2025, the PCI SSC published a new guide that will completely change the process of evaluating controls of its standards, allowing the controlled use of Artificial Intelligence (AI) technologies to support QSA advisors: Payment...
New information supplement: Security on payment pages and prevention of e-skimming
The PCI SSC has published a new Information Supplement on payment page security and the prevention of e-skimming attacks, as a guide for the implementation of controls 6.4.3 and 11.6.1 of PCI DSS v4.0.
The two sides of the authenticated scans (PCI DSS req. 11.3.1.2)
Another relevant change in PCI DSS version 4.0 was the evolution of internal vulnerability scans from a network-based approach (PCI DSS v3.2.1) to an authenticated approach, which allows full visibility of the...
Implementation of controls against e-skimming (PCI DSS req. 6.4.3 and 11.6.1)
One of the flagship controls that PCI DSS version 4.0 incorporated was protection against e-skimming attacks through requirements 6.4.3 and 11.6.1. This control was the PCI SSC's response to the massification of...
Changes in SAQ A of PCI DSS v4.0.1
As part of efforts to achieve a balance between security and compliance, the PCI SSC announced on January 30, 2025 that the controls related to the security of payment pages (6.4.3 and 11.6.1) will be removed from the...