The Truvantis Risk Radar welcomed the PCI Dream Team to the first stop of their 2023 book tour. Their new book is called, “The Definitive Guide to PCI DSS Version 4 ”. The authors have more than 50 years of combined PCI experience. When it comes to PCI DSS, they’ve seen it all, been there, and done that and are sharing their combined knowledge with us to make our PCI journeys easier.
In the final session of our three part interview, the discussion gets heated as we dive deeper into controversial topics surrounding PCI DSS Version 4.
“11.6.1 is a new requirement to deploy a change-and-tamper detection mechanism to alert for unauthorized modifications to the HTTP headers and contents of payment pages as received by the consumer browser. …this is a really big deal and should be considered in conjunction with PCI DSS 6.3.4 regarding script injection in client-side web browsers.”“Generally speaking, the client-side web browser attack surface has been completely overlooked as a threat landscape except by malware authors, the hacking community, social media, and mass marketers.” - The Definitive Guide to PCI DSS Version 4 -pg. 171
“If you get fifty QSAs (Qualified Security Assessor), you'll have at least, five different opinions, all of them valid.” – Ben Rothke on the Truvantis Risk Radar show.
“I know in a number of instances, organizations are probably going to need all of that time in order to get them addressed, particularly the service providers, because service providers are the ones that are going to get hurt the most. The merchants of the world, they've reduced their scope down to almost nothing.” – Jeff Hall
“Our clients tell us stuff that is just insane. And likewise, some of the stuff from the Council is not easily interpreted.”
“One of the big things with Version 4 is the so-called targeted risk analysis, the old wording would say periodically do this. There's more clarification and now people are going to have to do a targeted risk analysis.” – Art Cooper
Listen to the Full Interview
Truvantis® is a security, privacy and compliance consulting organization providing best-in-class services to secure your organization's infrastructure, data, operations and products. We specialize in helping our clients improve their cybersecurity posture by implementing testing, auditing and operating information security programs.
- The Definitive Guide to PCI DSS Version 4’ by Arthur B. Cooper, Jeff Hall, David Mundhenk, Ben Rothke, https://link.springer.com/book/10.1007/978-1-4842-9288-4
- The Truvantis Risk Radar show