Channel: Requirement 3 – Protect stored cardholder data – PCI Guru

Can Every Requirement Be Met With A Compensating Control?

“In theory, theory works.” – Jeff Hall Some years back, the PCI SSC came out at the Community Meeting and stated that every PCI DSS requirement could be addressed by a compensating control worksheet...

Can I Use SSAE 18 SOC 2 Reports? Part 1

This is a common question that QSAs encounter from clients. The client has an SSAE 18 Controls at a Service Organization (SOC) report from one of their service providers and they want to know if they...


Can I Use SSAE 18 SOC 2 Reports? Part 2

In the last post I discussed what the SOC reports are and what, in general, to look for in a SOC 2/3 report. Now I want to take you through the more detailed analysis of the SOC reporting so that you...


The Requirement 3.2.1 – 3.2.3 Not Applicable Debate

When v3.2 of the ROC Reporting Template came out the QSA/ISA community noticed that requirements 3.2.1 – 3.2.3 could no longer be marked as ‘Not Applicable’. The rationale the Council gave when they...


Virtual Payments

Virtual payments are becoming more and more prevalent outside of the insurance industry as companies realize the convenience of paying virtually. As a result, more business-to-business (B2B) purchases...

Open Source

One of the questions we received at the last PCI Dream Team session was: “What about open source for 6.5?” I am sure the person asking wanted to know whether open source payment solutions must comply...


One Last Time On Disaster Recovery

I have written three posts on this topic, yet it still comes up: "Disaster Recovery Sites and PCI", "Disaster Recovery and PCI" and "Business Continuity and PCI". Here are the Cliff Notes from those posts. Hot...


Email And PCI Compliance

This is a question we got from the recent PCI Dream Team session. “If you receive emails with CHD and store them for a defined period — does the Exchange infrastructure come into scope? What are the...

Sins Of The Past

This was a question we got from our last PCI Dream Team session on the Cloud. “Issue – found CVV in historical call recordings that need to be purged/deleted. We are not able to purge the entire call...

Updated PAN Truncation FAQ

As part of the holiday giving tradition, the PCI SSC has given us an updated FAQ (#1091) on the subject of PAN truncation and it will likely go down as the most confusing FAQ ever. The FAQ starts out...
