Secure Your Terminals


Merchants with EFTPOS terminals have a set of requirements specific to card-present transaction security. That is because card skimming can happen anywhere, and it even happens in New Zealand. In this article, we want to help you understand how to protect the devices that your customers interact with to pay you. Know Your Devices PCI requires [...]

Secure Your Terminals (2020-03-18T11:51:11+13:00)

Automated Pen-testing and PCI DSS: A QSA Perspective


Automated penetration testing (pen-testing) is an up-and-coming approach that aims to address the issues businesses face with more traditional approaches to pen-testing, which rely almost completely on the skill and experience of the pen-testers and on the budget and timeframes applied to the engagement. [...]

Automated Pen-testing and PCI DSS: A QSA Perspective (2020-06-02T12:34:52+13:00)

Penetration Testing and Vulnerability Scanning, What’s the Difference?


Two of the terms that frequently get misused (and often interchanged) are vulnerability scanning and penetration testing. These two activities are different and satisfy different PCI DSS requirements. In fact, these terms get confused so often that the PCI SSC has published guidance on the differences between them. In this article we [...]

Penetration Testing and Vulnerability Scanning, What’s the Difference? (2020-03-18T13:04:03+13:00)

What Do I Need to Scan to be Compliant?


The Payment Card Industry Data Security Standard (PCI DSS) requires several types of scanning to be completed. This article provides an overview of the types of scanning, how often each scan must be run, and what part of the environment each typically applies to. The table below provides a summary. [...]

What Do I Need to Scan to be Compliant? (2020-05-14T12:30:57+13:00)

My Service Provider Isn’t Compliant, Now What?


Currently, there is no PCI DSS requirement to use a PCI compliant service provider (although the card brands and banks may require you to do so). If you are outsourcing some of your compliance responsibilities to a third party, you need to understand what this means for your own PCI DSS compliance. If you use a service provider [...]

My Service Provider Isn’t Compliant, Now What? (2020-03-18T12:00:39+13:00)

Diagram Your Processes


When you think of PCI DSS, you probably don’t automatically think of drawing diagrams. But diagrams are vital to understanding your scope and your environment, and they are the subject of two PCI DSS requirements that may apply to you. PCI DSS requires three types of diagrams: high-level network diagrams, detailed network diagrams, and cardholder data flow diagrams. In [...]

Diagram Your Processes (2020-03-18T11:54:35+13:00)

What’s My PCI Scope?


The word “scope” gets used a lot when you are talking about PCI DSS, but it is also often misunderstood. This article provides some basic information about scope and how to start working out what is in scope for PCI DSS. Who is Responsible for Scoping? Both you and your QSA need to be able to understand the [...]

What’s My PCI Scope? (2020-03-18T11:55:01+13:00)

What Makes a Change Significant?


One of the most frequent questions we get is what the term “significant change” means for PCI DSS. In this article we try to demystify the term a little and help you understand the various ways it is used in PCI DSS. What is Significant Change? The PCI SSC says that a significant change [...]

What Makes a Change Significant? (2020-03-18T11:56:35+13:00)

PCI By the Numbers 2019


Every year, Verizon publishes a report on PCI DSS and the key findings from the year, and 2019 was no different. One of the most interesting findings of this report is how few organisations have a programme in place to measure the maturity of their PCI compliance programme. Approximately 60% of organisations that were surveyed did [...]

PCI By the Numbers 2019 (2020-03-16T10:02:14+13:00)