What Is Sampling in PCI DSS Assessment?


A significant part of any security framework is the assessment. Different frameworks require different types of assessments, from self-managed diagnostics to extensive annual third-party audits. PCI DSS is no different, requiring annual compliance validation for all relevant systems.

The nature of these assessments varies depending on the company and is beyond the scope of this article. For businesses that undergo full third-party audits, however, you may find your assessor performing a practice known as “sampling.”

You may never even have to consider this practice if you’re not an auditor. But it does help to understand what assessors are looking at. 


What Is NERC CIP Compliance?


The continual news of state-sponsored hackers attacking U.S. infrastructure has led the general public to better understand that digital security is a critical part of our overall national security. Digital systems aren’t isolated to high-tech companies; instead, cybersecurity touches almost every aspect of our lives, particularly energy and utility management.

The U.S. government was already ahead of this curve and, starting in the 1990s, began implementing regulations (in partnership with private companies) to protect the country’s electrical infrastructure. This led to the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) requirements.
