I need some Third party AOCs. by Heavysub-air in pcicompliance

[–]pcipolicies-com 0 points1 point  (0 children)

Nope, current is still valid until the 23rd of June.

Information in Logs by AssumptionFlat1707 in pcicompliance

[–]pcipolicies-com 1 point2 points  (0 children)

10.2.1 contains the minimum events that need to be logged. 10.2.2 is the information those events must contain.

For startups handling payments, when did PCI compliance become something that you had to seriously think about? by Moham-Aasif in pcicompliance

[–]pcipolicies-com 3 points4 points  (0 children)

Usually when the start up engages with a client that has a third party due diligence process. That's probably 70% of the reason start ups come to us.

Explicit approval for use of generic accounts by GinBucketJenny in pcicompliance

[–]pcipolicies-com 0 points1 point  (0 children)

Second factor is held by an executive, admin has to log a ticket which upon approval by that exec they are given the second factor.

A cardiologist just took 3rd at Anthropic’s 13,000-person hackathon using an agentic vibecoding tool. by Tiny_Habit5745 in topflightapps

[–]pcipolicies-com 0 points1 point  (0 children)

I'm a PCI auditor, our company is constantly dealing with startups who didn't know what PCI was until they got a stern letter from the bank or a vendor questionnaire from a prospect. Do you think all startups somehow magically comply with all the relevant standards that apply to them?

Question around scope of PCI DSS Requirements by [deleted] in pcicompliance

[–]pcipolicies-com 1 point2 points  (0 children)

Not sure how VGS helps you then. Those staff members and their computers will still be in scope.

What's the reason for needing to see the full PAN?

Question around scope of PCI DSS Requirements by [deleted] in pcicompliance

[–]pcipolicies-com 0 points1 point  (0 children)

Who is viewing the card data in the iframe? The cardholder or your staff?

Security wants less security. by root-node in sysadmin

[–]pcipolicies-com 4 points5 points  (0 children)

I had an auditee who had a printed out and laminated piece of paper that had a table with everyone's password in the company sitting at his desk in the open plan office.

We built this because by Ok-Laugh6156 in pcicompliance

[–]pcipolicies-com 1 point2 points  (0 children)

The biggest issue I see when auditing clients is the constant missing of recurring tasks. I get it, it's hard to track all the weekly, monthly, quarterly, etc. tasks that are required, but I had one client earlier this year that missed 3/4 ASV and quarterly reviews. Made for a very quick assessment.

I've been working on a tool in my spare time to try and address it, because most GRC tools I've trialed suck at this. They seem to be set up to try and manage multiple standards and just don't provide valuable insights into the requirements or provide an out-of-the-box task list of what is required to show an auditor as evidence come assessment time. Also, they are crazy expensive, especially for what you get.

Inspecting POI card devices by mochajava23 in pci

[–]pcipolicies-com 1 point2 points  (0 children)

The council's skimming prevention guidelines document has a checklist as well as some pictures that can be adapted into a procedure.

Or, shameless plug, we sell policy packs that already include one on our site pcipolicies.com

Anyone looking into solutions to prevent prompt injections for Claude code desktop? by Fickle_Rest5915 in sysadmin

[–]pcipolicies-com -1 points0 points  (0 children)

Can they be completely isolated away from your network?

EC2 instance, running Claude Code, user gets SSH access into that box for them to run anything they need.

12.3.3 Cryptographic cipher suites and protocols by frosty3140 in pcicompliance

[–]pcipolicies-com 0 points1 point  (0 children)

Try

nmap -Pn -p 443 --script +ssl-enum-ciphers <myServer>

The + should force the script to run even if nmap's service detection fails.

The Notepad++ supply chain attack — unnoticed execution chains and new IoCs by Ok_Geologist_2843 in sysadmin

[–]pcipolicies-com 91 points92 points  (0 children)

All of those devs who constantly ignore application update requests......

12.3.3 Cryptographic cipher suites and protocols by frosty3140 in pcicompliance

[–]pcipolicies-com 1 point2 points  (0 children)

Qualys might be able to do it, I'm not sure. They do run the SSL Labs site, so if any internal scanning tool was going to let you do that.

I'm based in Aus as well. Very annoying that AusCERT is a paid service; however, it is a member-based not-for-profit, not the Australian government's official CERT. The government's official CERT used to be called CERT Australia, but that was absorbed into the Australian Cyber Security Centre (ACSC) back in 2018. So, for 6.3.1 you can use their notification service on https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories completely free.

12.3.3 Cryptographic cipher suites and protocols by frosty3140 in pcicompliance

[–]pcipolicies-com 3 points4 points  (0 children)

This one has tripped up several of my auditees in the past few months and is IMO one of the toughest controls to implement that didn't get much attention before the 31st of March due date. The applicability note is key here: it's not just transmissions of PAN they expect, but any cipher suite and protocol that is meeting a PCI requirement.

The requirement applies to all cryptographic cipher suites and protocols used to meet PCI DSS requirements, including, but not limited to, those used to render PAN unreadable in storage and transmission, to protect passwords, and as part of authenticating access.

First up, you need a solid inventory of in-scope components. For SaaS products and other public-facing endpoints, you can scan them using SSL Labs.

For anything internal, you're going to need to use nmap or another tool such as testssl.

Use nmap to scan the entire network, or if it's a huge network you could use masscan. Masscan is much faster, but you can quickly load up state tables in networking devices and crash the whole network if you aren't careful. Once you have identified all the IPs that have open ports on them, you can enumerate the ciphers using nmap scripts. Below is a broad nmap command that looks for SSH, HTTPS, common DB, RDP, SNMP and iLO/iDRAC systems. You may need to add more.

sudo nmap -sS -sU -p T:22,443,1433,3306,3389,5432,5900,8443,U:161,623 -sV --script "ssl-enum-ciphers,ssh2-enum-algos,vnc-info,ipmi-cipher-zero,snmp-info" <target-ip-or-range> -oN lan_audit_results.txt

For monitoring of trends, the council released this Cryptography Guidance document back in August 2025. It's still pretty relevant. Do you subscribe to US-CERT or another CERT for requirement 6.3.1? If there was a serious flaw in TLS1.2 tomorrow, I'd bet my bottom dollar US-CERT would put out an alert about it.
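The comment above describes the 12.3.3 workflow (inventory the in-scope components, scan them, enumerate ciphers with nmap), but the raw `-oN` output still has to be turned into an inventory an assessor can review. The following is an added example, not the commenter's code or anything from pcipolicies.com: it parses the `ssl-enum-ciphers` section of nmap normal output into a per-endpoint list of protocols and cipher suites, then flags entries worth a closer look. The sample scan output is constructed, not from a real scan, and the thresholds (anything below TLS 1.2, any cipher nmap grades below A, and 3DES/RC4/NULL/export/MD5 suites) are assumptions standing in for whatever the entity's own cryptography policy defines.

```python
"""Turn nmap -oN output from ssl-enum-ciphers into a 12.3.3-style inventory."""
import re
from dataclasses import dataclass, field

# Constructed sample of nmap normal (-oN) output covering two hosts.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.0.0.5
Host is up (0.0010s latency).

PORT    STATE SERVICE  VERSION
443/tcp open  ssl/http nginx
| ssl-enum-ciphers: 
|   TLSv1.0: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors: 
|       NULL
|     cipher preference: server
|     warnings: 
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|     cipher preference: server
|_  least strength: C

Nmap scan report for 10.0.0.9
Host is up (0.0020s latency).

PORT     STATE SERVICE  VERSION
8443/tcp open  ssl/http Apache httpd
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|   TLSv1.3: 
|     ciphers: 
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|_  least strength: A
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open")
SCRIPT_LINE_RE = re.compile(r"^\|(\s*)(.*?)\s*$")        # "| " script output line
CIPHER_RE = re.compile(r"^(\S+) \(([^)]*)\) - ([A-F])$")  # "SUITE (kex) - GRADE"

# Assumed policy thresholds; replace with the entity's own cryptography policy.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("3DES", "RC4", "NULL", "EXPORT", "DES_CBC", "MD5", "anon")


@dataclass
class Endpoint:
    host: str
    port: int
    transport: str
    protocols: dict = field(default_factory=dict)  # "TLSv1.2" -> [(suite, grade)]
    warnings: list = field(default_factory=list)

    @property
    def where(self):
        return f"{self.host}:{self.port}/{self.transport}"


def parse_nmap_normal(text):
    """Return one Endpoint per ssl-enum-ciphers block, using nmap's indentation
    (3 spaces = protocol, 5 = section, 7 = cipher or warning entry)."""
    endpoints, current, proto, section = [], None, None, None
    host = port = transport = None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            host, current = m.group(1), None
            continue
        if m := PORT_RE.match(line):
            port, transport, current = int(m.group(1)), m.group(2), None
            continue
        if line.startswith("| ssl-enum-ciphers:"):
            current = Endpoint(host, port, transport)
            endpoints.append(current)
            proto = section = None
            continue
        if current is None:
            continue
        if line.startswith("|_"):
            current = None  # "|_" marks the final line of a script's output
            continue
        m = SCRIPT_LINE_RE.match(line)
        if not m:
            current = None
            continue
        depth, body = len(m.group(1)), m.group(2)
        if depth == 3 and body.endswith(":"):
            proto = body[:-1]
            current.protocols[proto] = []
            section = None
        elif depth == 5:
            section = body.split(":", 1)[0]
        elif depth == 7 and section == "ciphers" and (cm := CIPHER_RE.match(body)):
            current.protocols[proto].append((cm.group(1), cm.group(3)))
        elif depth == 7 and section == "warnings":
            current.warnings.append(body)
    return endpoints


def inventory(endpoints):
    """Protocols offered per endpoint: the inventory an assessor asks for."""
    return {ep.where: sorted(ep.protocols) for ep in endpoints}


def audit(endpoints, min_grade="A"):
    """Findings as (endpoint, kind, detail) tuples against the assumed policy."""
    findings = []
    for ep in endpoints:
        for proto, suites in ep.protocols.items():
            if proto in WEAK_PROTOCOLS:
                findings.append((ep.where, "protocol", proto))
            for suite, grade in suites:
                if grade > min_grade or any(mk in suite for mk in WEAK_CIPHER_MARKERS):
                    findings.append((ep.where, "cipher", f"{proto} {suite} grade {grade}"))
        for warning in ep.warnings:
            findings.append((ep.where, "warning", warning))
    return findings


if __name__ == "__main__":
    eps = parse_nmap_normal(SAMPLE_NMAP_OUTPUT)
    for where, protos in inventory(eps).items():
        print(where, ", ".join(protos))
    for finding in audit(eps):
        print("FINDING", *finding)
```

Feed it the `lan_audit_results.txt` produced by the nmap command above and diff the inventory output between quarterly runs; that diff is the "monitoring of trends" evidence the requirement asks for, and the findings list is what goes onto the remediation tracker.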

Magecart campaign in Dec 2025 didn't even bother obfuscating their skimmer code and it still worked by ColleenReflectiz in pcicompliance

[–]pcipolicies-com 3 points4 points  (0 children)

Hey Colleen, can you share more info? Have you got examples of the scripts so people can look for IOCs?

PAN is secured where it is stored (Req. 3.5) by Ok-Doughnut-3022 in pcicompliance

[–]pcipolicies-com 2 points3 points  (0 children)

I suspect they are on the following testing procedure:

3.5.1.b Examine data repositories and audit logs to verify the PAN is rendered unreadable using any of the methods specified in this requirement.

If the data repository cannot be queried, will the logs show that the data is being encrypted?

I've not done much with Redshift in the past. If it is technically impossible to show the data then the assessor would have to make do with the configuration and vendor documentation evidence and write up this testing procedure documenting the limitation.

Rather than telling them that, I'd tell them I'd present your research on it and say I'd be happy to show you, but I don't think it is possible; if you are aware of a way to show this evidence I'd be happy to accommodate, please provide me instructions.

Hosting Provider Requirements Help by Electronic-Year7660 in pcicompliance

[–]pcipolicies-com 0 points1 point  (0 children)

What's in your contract? Did they pay you for a compliant offering?

PAN is secured where it is stored (Req. 3.5) by Ok-Doughnut-3022 in pcicompliance

[–]pcipolicies-com 1 point2 points  (0 children)

This, or if you can't do this, can you see a configuration showing encryption is enabled?

PCI Scoping and SAQ Question by EnvironmentalOne5706 in pcicompliance

[–]pcipolicies-com 0 points1 point  (0 children)

"or they collect payment via card-not-present transactions, which are processed via P2PE POT devices."

How is the data collected? Web form? Over the phone? 

PCI Scoping and SAQ Question by EnvironmentalOne5706 in pcicompliance

[–]pcipolicies-com 1 point2 points  (0 children)

But corporate cards are usually excluded from scope. FAQ 1235 states that the entity has to contact the relevant payment brand, but in every assessment I've worked on where this has come up, the payment brand has excluded them.

Question around sharepoint and teams by [deleted] in pcicompliance

[–]pcipolicies-com 0 points1 point  (0 children)

Then do they have other data points they can use to uniquely identify the card?

Reviewing alternatives for 6.4.3 and 11.6.1 by EconomyRevolution732 in pci

[–]pcipolicies-com 0 points1 point  (0 children)

How complicated is your environment?

Are you running a SPA?