Nettitude Blog

Version 4.0 of the Payment Card Industry Data Security Standard (PCI DSS) was released at the end of March 2022. At the time of writing, we now have less than one year until the previous version, 3.2.1, is retired and can no longer be used for new assessments.

If you've ever taken a credit card as payment for anything, then you've probably heard of the Payment Card Industry Data Security Standard (PCI DSS). This defines a set of requirements for merchants and service providers to protect their customers' payment card data. The importance of PCI DSS lies in the fact that it helps to protect sensitive data which could have huge ramifications should it fall into the wrong hands. This includes information such as credit card numbers, names, addresses, and other personally identifiable information.

A social engineering attack refers to any type of attack where deception, manipulation or coercion is used to elicit information or access from a person for their own purposes. Social engineering refers to any technique used by a threat actor that focuses on people and process, rather than on technology. The most common form of social engineering attack is a phishing email that tricks victims into giving up personal information such as passwords and credit card details. Phishing often masquerades as an official corporate email from an organisation's CEO or another trusted person within the company.

The Security Excellence Awards 2023, hosted by Computing, are a prestigious event that recognises outstanding achievements in cybersecurity. These awards celebrate individuals and companies that have demonstrated excellence, including the Rising Star category, which highlights emerging talents in the industry. This category shines a spotlight on individuals who have shown exceptional skills, dedication, and innovation in their roles and have the potential to become future leaders in the cybersecurity field.

We are delighted that among the nominees for the Rising Star category are two Nettitude colleagues Matthew Saunders and Chloe Sharp. Learn more about Matthew and Chloe below.

When it comes to cybersecurity, one of the most important things you can do is test your system for vulnerabilities. Cybersecurity testing ensures you have all the necessary security measures in place and that they are functioning correctly. There are many ways to test the security of a system. Some are more thorough than others, and some take longer to complete. 

Despite the numerous messaging apps available, email remains the most used method of formal communication. This is because email is still associated with professionalism. However, as emails are preferred among businesses, this also makes them an ideal target for cybercriminals. 

Most data breaches occur for an economic reason—the attacker hopes to profit from the information they gain access to. Emails contain a lot of personal information already and can also be used to access other vital systems. This makes them an ideal entry point for hackers with varying motives.

As the world becomes increasingly interconnected, businesses must take steps to secure their data and protect their application programming interface (API). API security is vital for two reasons. First, APIs provide access to sensitive data, making them a prime target for attacks. Second, APIs can be used to launch attacks on other systems, making them a critical part of any security strategy. To protect your business, it is essential to implement robust API security measures. 

When performing a penetration test, most companies focus on traditional methods with limited knowledge about the targeted system. In fact, if you are dealing with software or programming at a deeper level, there may be threats or vulnerabilities in the code that your team is not aware of. This is where a code review as a service comes in.

In essence, a code review is where every part of a program’s code is analysed to make sure there are no risks of vulnerability that someone else can take advantage of. It also ensures that any confidential information is hidden, which is a vital aspect of cybersecurity. 

Let’s take a closer look at the benefits of a code review as a service.

Many organisations accepting card payments see SAQ A as the target operating model, as this has the most effect on reducing the PCI DSS requirements with which an organisation must comply. It does not come without risks though, as the third-party service providers you have engaged with must always maintain their compliance to support yours.

So, what remains the same, and what has changed with the arrival of PCI DSS v4.0? The first blog of this series explained the core format changes for all the SAQs, here we turn to the specifics around SAQ A.

The PCI Security Standards Council (SSC) published PCI DSS v4.0 on the 31st March 2022. The combined efforts by the SSC, payments brands, participating agents, and QSA the community have yielded a significant overhaul that promises to provide a framework for securing payment card information in the future.

There has since been a lot of activity surrounding the release, which gives rise to a problem. With such an overhaul, people are suffering from information overload and are unable to find a starting point for their organisations. Nettitude will break down what the changes mean and what a merchant or service provider needs to migrate, starting with a series of blogs discussing changes to self-assessment questionnaires allowing you to quickly start forming your plan to move to PCI DSS v4.0.