The PCI Software Security Framework was introduced by the PCI SSC last year to improve the security of card payment software. Under this framework there are two separate standards: Secure Software Lifecycle Standard – companies operating a secure SDLC validated against the standard Secure Software Standard – software validated against the standard The first assessment…
Category: Blog
Does PCI DSS apply the same everywhere?
Different countries have significantly different rules around financial products. So are there any big differences in the PCI DSS standard in different places? Executive Summary: PCI DSS is the same standard globally, but how you apply it may have some differences from place to place. Read on for the details. As a standard, PCI DSS…
Open Source Payment HSM Simulators
Most card payments software products are proprietary solutions, developed either in-house or to be sold commercially. Because of this there isn’t much out in the open source world to help you develop your own custom solution. However, there are a few libraries out there that are worth a mention, particularly for simulating and testing HSM…
Choosing Open Source Software for PCI DSS
I’m researching a longer article on some specific software solutions. It caused me to realize that there’s value in creating a checklist of what to look for when trawling github for open source software to use with your payments platform. In doing so, I think I can make a couple of safe assumptions: If you…
PCI Dream Team Episode List [Updated]
Most PCI Dream Team events are available for public viewing on BrightTalk, but they don’t currently have a dedicated channel. A list all known events which are available for free viewing are posted below, for easy reference. Note that these events are in reverse order by time. The most recent, and potentially relevant, are at…
2020: The year in PCI DSS Compliance
This has been a very strange year overall. The effects of COVID-19 caused both massive disruption, and have the potential to cast a long shadow. However, for those of us in the payments space business has continued, and there have been milestones in the PCI world. Remote Assessments Perhaps the biggest direct impact to PCI…
Happy First Anniversary to me!
It’s a full year since I registered pcijourney.com, and what a year it’s been. At that time, there were some people in the world who’d heard of COVID-19, but most people were oblivious. Certainly I had no idea what was coming for us. The year of COVID really changed what I was doing, and what…
When does PCI DSS v4.0 take effect?
Version 4.0 of the PCI DSS is currently in draft status, and has not yet been finalized. Because of this, nobody knows for sure exactly when the new standard will take effect, as it’s still subject to change. What we do know is that when the final version of the new standard is released, it…
PCI DSS 4.0 RFC – second draft
Version 4.0 of the PCI DSS has been a long time coming, and still won’t be here for a while yet. The PCI Council is actively engaging with the community to develop the new version of the standard through their RFC – Request For Comments – process. Unfortunately, you won’t see much if anything discussed…
Which PCI DSS SAQ do I use?
If you’re looking to use a PCI DSS SAQ, this implies you’re eligible to assess your PCI DSS compliance using a Self Assessment Questionnaire. Can I use a PCI SAQ? Eligibility for this is determined by the card brands themselves, rather than the PCI Security Standards Council. This is ultimately determined by what level the…
