What Is Sampling in PCI DSS Assessment?


A significant part of any security framework is the assessment. Different frameworks require different types of assessments, from self-managed diagnostics to extensive and annual third-party audits. PCI DSS is no different, requiring annual compliance validation for all relevant systems. 

The exact form these assessments take varies by company and is beyond the scope of this article. If your business undergoes a full third-party audit, however, you may find your assessor performing a practice known as "sampling."

You may never even have to consider this practice if you’re not an auditor. But it does help to understand what assessors are looking at. 


Encryption and NIST FIPS 140 (FIPS 140-2)


In April 2022, NIST stopped accepting applications for validation certificates under the FIPS 140-2 security standard in favor of the updated FIPS 140-3. While many companies are still waiting for their FIPS 140-2 certification (if they got their application in before the April deadline), many are now considering adopting the new 140-3 standard.

But to understand the new standard, it is important to understand the old one. FIPS 140-2 has been the NIST standard for validating cryptographic modules for almost two decades, and its impact will still be felt for years to come.
