Blog

PCI DSS Version 4 – Controversial Topics with The PCI Dream Team

August 3, 2023

The Truvantis Risk Radar welcomed the PCI Dream Team to the first stop of their 2023 book tour. Their new book is called, The Definitive Guide to PCI DSS Version 4 ”.  The authors have more than 50 years of combined PCI experience. When it comes to PCI DSS, they’ve seen it all, been there, and done that and are sharing their combined knowledge with us to make our PCI journeys easier. 

In the final session of our three part interview, the discussion gets heated as we dive deeper into controversial topics surrounding PCI DSS Version 4. 

“11.6.1 is a new requirement to deploy a change-and-tamper detection mechanism to alert for unauthorized modifications to the HTTP headers and contents of payment pages as received by the consumer browser. …this is a really big deal and should be considered in conjunction with PCI DSS 6.3.4 regarding script injection in client-side web browsers.”“Generally speaking, the client-side web browser attack surface has been completely overlooked as a threat landscape except by malware authors, the hacking community, social media, and mass marketers.”  - The Definitive Guide to PCI DSS Version 4 -pg. 171

“If you get fifty QSAs (Qualified Security Assessor), you'll have at least, five different opinions, all of them valid.” – Ben Rothke on the Truvantis Risk Radar show. 

“I know in a number of instances, organizations are probably going to need all of that time in order to get them addressed, particularly the service providers, because service providers are the ones that are going to get hurt the most. The merchants of the world, they've reduced their scope down to almost nothing.” – Jeff Hall 

“Our clients tell us stuff that is just insane. And likewise, some of the stuff from the Council is not easily interpreted.”  

“One of the big things with Version 4 is the so-called targeted risk analysis, the old wording would say periodically do this. There's more clarification and now people are going to have to do a targeted risk analysis.” – Art Cooper 

Listen to the Full Interview  

For the full interview please visit The Truvantis Risk Radar YouTube channel or listen to the podcast. 

About Truvantis 

Truvantis® is a security, privacy and compliance consulting organization providing best-in-class services to secure your organization's infrastructure, data, operations and products. We specialize in helping our clients improve their cybersecurity posture by implementing testing, auditing and operating information security programs. 

Contact Us

References:

Related Articles By Topic

PCI DSS

Contact Us
Ask us about planning your PCI DSS 4.0 transition
Schedule a call
Contact Us

Recent Articles

Truvantis - Cybersecurity Maturity - One Size Does Not Fit All
PCI DSS, CIS Controls, Security Program, Privacy, ISO27001
Cybersecurity Maturity - One Size Does Not Fit All – Rick Folkerts

It's common knowledge that enterprise organizations need effective security, privacy and compliance programs to survive and grow. There are a handful of generic best practices but beyond that, cybersecurity programs must be tailored to...

Read more
The Silver Bullet Defense to Ransomware – by Andy Cottrell
Ransomware
The Silver Bullet Defense to Ransomware – by Andy Cottrell

In an era of cost-cutting, downsizing and generally insufficient budgets for everything, we are often asked, what is the one, main thing to do to protect against a ransomware attack? According to Statista, in 2022, there were 493.33 mi...

Read more
Cryptographic Agility – by Jeff Hall (the ’PCI Guru’)
Security Program
Cryptographic Agility – by Jeff Hall (the ’PCI Guru’)

With the advent of quantum computing, a new threat has been added to the information security mix. The threat is today’s secure cryptography may not be secure once quantum computers reach their potential. The threat to cryptography has...

Read more

info@truvantis.com

+1 (415) 422-9844

    © 2022 Truvantis, Inc All Rights Reserved.

    Privacy Policy    Terms of Service