Cryptographic key management methods: fixed key, MK/SK and DUKPT
When symmetric cryptographic keys are used for the protection of stored or transmitted data, it is necessary to establish certain protocols for their loading, transmission, rotation or blocking. In the standards of the PCI SSC (mainly PCI PIN and P2PE), when the data...
Data inside and outside the scope of PCI DSS
One of the critical tasks in PCI DSS compliance is the identification of scope of compliance. The first step in determining which assets are in or out of that range is identifying the type of data...
It is not "PCI DSS Audit"; it should read "PCI DSS Compliance Assessment"
It is very common to hear the terms "PCI DSS Audit" or "PCI DSS Auditor" in the jargon surrounding PCI DSS compliance. The use of this terminology is widespread even among Qualified Security Assessors...
5 key points of the document for the definition of scope and segmentation in modern network architectures
In September 2025, the PCI SSC published a new Information Supplement – PCI DSS Scoping and Segmentation Guidance for Modern Network Architectures. In this article...
New version of PCI DSS: 4.0.1
On 11 June 2024 the PCI SSC published version 4.0.1 of the PCI DSS standard, which replaces version 4.0, published in March 2022. This new version contains minor revisions, typographic and formatting corrections and...
All you need to know about INFI in PCI DSS v4.x (discontinued)
NOTE: On 19 March 2024, the PCI SSC took the decision to discontinue the use of Items Noted for Improvement (INFI) forms, introduced with version 4.0 of the PCI DSS standard. This decision has been made with...
Triple DES (TDEA) obsolescence and its impact on PCI SSC standards
January 1, 2024 marked a milestone in the history of modern cryptography: the Triple DES algorithm (3DES/TDES or TDEA) was listed as "obsolete" by NIST, which withdrew SP 800-67 and, under SP 800-131A Rev. 2, disallowed it for encryption after 2023. This news is part of the efforts of the migration to...
Reminder PCI PIN: change to the key-loading process as of January 1, 2024
According to the PCI PTS PIN Security Requirements – Technical FAQs for use with Version 3, as of January 1, 2024, the process of loading keys in...
PCI SSC publishes 'Targeted Risk Analysis (TRA) Guidance' for PCI DSS v4.x
In November 2023, the PCI SSC published a new guide to support the activities required in PCI DSS v4.x. On this occasion, it is the PCI DSS v4.x Targeted Risk Analysis Guidance document.
AWS publishes its PCI DSS v4.0 compliance guide
As part of its efforts to facilitate the implementation of controls of different security standards in its customers' environments, Amazon Web Services (AWS), as a cloud service provider (CSP), published...
Validity of PCI DSS v3.2.1 compliance reports and assessments
The PCI SSC set 31 March 2024 as the deadline for the withdrawal of PCI DSS version 3.2.1. As of April 1, 2024 the only active and official version of PCI DSS...
Visa reports that its PIN security programme ended on 1 October 2023
In a decision that has taken the entire payment media ecosystem by surprise, Visa announced that its Visa PIN Security Program ended on October 1, 2023. In a brief statement...