Category Archives: PCI

PCI DSS 4.0 Released plus BOOK DETAILS!

It’s been nearly six years since we had a major release of PCI DSS, and March 31, 2022 was the day that the final version of PCI DSS 4.0 was released. For those that had access to the last discussion draft (released early this year), there are virtually no changes from that (with the exception of refining Requirement 9.4.1 and inserting 9.4.1.1). But don’t go changing your assessment processes yet! PCI DSS 3.2.1 won’t sunset until March 31, 2024 (see page 36). This means you have to START your last PCI DSS 3.2.1 assessment BEFORE March 31, 2024 (better if you complete it by then), and then you have a year to prep for the base PCI DSS 4.0 until the extended ...


PCI Council Loses $600K in Revenue, PO Population on the Decline

Last year I released a blog post and a GitHub repository with some code to calculate how much money the PCI Council brings in annually, with an estimation of lifetime revenue. There are some MAJOR assumptions in there that can swing the revenue in either direction. And, of course, there are already new programs that the Council will happily charge for that have been released since my initial commit (3DS Assessors, 25 of those with each individual consultant paying $1,400 per exam). I’ll work on that soon. I was meeting with some industry people this week and thought I’d check up on the old numbers to give the package a refresh. As it turns out, the number of Participating Organizations ...


Why PCI DSS 4.0 Needs to be a Complete Rewrite

The last month has been tough for our coastal regions and based on what forecasts show for the rest of the season, we’re not out of the woods. If you have not donated to those affected by these massive storms, please consider doing so today. The group that received my donations this time around is Direct Relief, but there are plenty to choose from. Thankfully, the Council canceled the Community meeting due to Irma (albeit, probably two days too late). It was the right decision. Hopefully, the vendors who have spent money with the Council will get some kind of relief for this year. Given that the conference didn’t happen, there was a missed opportunity to discuss the future of PCI ...


Orfei Steps Down

In a rather surprising announcement, admittedly from a guy who is farther and farther removed from the PCI DSS ecosystem with each passing day, the PCI Council announced that Steven Orfei is stepping down as GM. His tenure was rather brief in comparison to Russo’s, but it’s a thankless job that probably gets even more thankless with every passing day. I wonder who will be next to steer the ship?


Should you be a PCI Participating Organization?

What does it cost to be a PO? As of this writing it costs US$3,750 annually (originally US$2,000). For most companies, $3,750 per year is a drop in the bucket. Originally, the big benefit of being a PO was getting involved in the shaping of the Standard when the program was launched. Big changes meant huge benefits from collaboration as firms were dramatically overhauling their technology stacks to comply with PCI DSS. The Standard was new, generated lots of questions, and early adopters needed collaboration.

PO Benefits Review

Let’s take a look at the current benefits on the PCI Council’s website. […] the opportunity for advance review of standards and supporting materials before release, with the opportunity to provide comments directly to the ...


Is All Good News REALLY Good News?

Have you noticed that there has not been too much (well, really any) bad press around the PCI ecosystem lately? Perhaps everything is great! It doesn’t seem like we’ve had the same string of retail breaches that we saw in 2014 (which led to this piece of research), even though 2016 was bad (good?) in general for cybercrime. A quick data dump from PrivacyRights.org says there are around 100 related to cards since 2016, but some appear to be duplicates (Wendy’s is reported multiple times). Of course, we found out about more problems at IHG last week. It seems like big security bloggers still talk about breaches, but we don’t see the same questions around PCI DSS that we did in 2014-2015. Individuals certified or ...


The PCI Council’s Revenue Generation Capability

The other day I was thinking about all the programs that the Council currently maintains, and I wondered if it was possible to see how much money the Council actually brings in every year. I mean, every year seems to see more programs with more fee collection opportunities for the Council, but had anyone ever added all that up? So I got to researching. I started with the usual sources: LexisNexis, Hoovers, Dun & Bradstreet, and found very little information. There was only one report, by Dun & Bradstreet, which is notoriously inaccurate when dealing with privately held firms, of around $3.7M in 2016. Then I headed over to the IRS’s website to see if the Council had ever filed a form ...


Why I am Skipping the PCI Community Meeting

I know, you guys have given me crap for so long. “Suuuure you are going to skip this year. Whatever, Brando, see you in X city at happy hour.” This has been the discussion over the last few years, and every year I have made my way to the city in question, going back to the initial meeting in Toronto in 2007. This will be the first year I will miss. For me, it comes down to two things: content and how the hard questions go unanswered. Content: I looked at the agenda this year. For people new to PCI DSS, there are quite a few great sessions to attend. If you have more than one year’s experience and perhaps have ...


The Beginning of the End, No PCI DSS 4.0 in 2016

Taking a cue from infosec luminary Bill Brenner, how about some mood music? Browsing Twitter last night brought me to this tweet about PCI DSS in 2016.

“Anybody else notice that the new redesign for the @PCISSC website is conspicuously missing the current lifecycle status #noversion4” — James Adamson (@jameskadamson), February 25, 2016

Indeed, earlier this month the Council posted a blog that revealed that PCI DSS 3.2 was the next version of the Standard, and would be the only release in 2016. I’ve previewed the proposed changes in 3.2, and I think this is a good approach for the Council this year. We can continue to debate the efficacy of the standard ad nauseam, but unless we’re going to ...


We Should Question Bold Claims that PCI Is “Highly Effective”

For my first real post of 2016, let’s deconstruct a quote from an article published by eWeek about PCI DSS and 2016. The quote in question is from Jeremy King, International Director for the Council. “The PCI DSS is a mature standard that has proven highly effective wherever it is adopted and used.” The rest of the quotes fall along the messaging guidelines that you hear from the Council (although this appears to be more of a pitch related to the logging SIG), but this one stuck out for me. It reads like something that wants to be true versus something that actually is true. In the Council’s defense, they will readily cite that no fully PCI DSS compliant merchant has ever been breached. ...
