The Schellman Blog

In June 2023, the Payment Card Industry Security Standards Council (PCI SSC) released a new worksheet entitled “Items Noted for Improvement” (INFI)—while the Council encourages use of this worksheet for assessments based on earlier versions of PCI DSS, organizations undergoing a PCI DSS v4.0 assessment are required to use it.

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to protect cardholder data. One of the key (and almost always applicable) requirements of PCI DSS is that organizations must perform internal and external penetration testing for the entire scoped environment—this not only applies to systems that store, process, or transmit cardholder data, but also those that can impact the security of cardholder data.

Among the many changes in the new PCI DSS v4.0 are those regarding requirement 11.4.4, which refers to the remediation of "exploitable vulnerabilities" and "security weaknesses”—though history has more clearly established what is meant by the former, there may be some confusion concerning the latter as organizations continue to make the transition to the new version.

As in nature, many elements function together to support the payment ecosystem, which—as a whole—creates what is our largely digital economy. Of course, due to the sensitivity of the information contained within that ecosystem, some elements are subject to compliance with the PCI DSS security requirements.

In the film classic, Indiana Jones and the Raiders of the Lost Ark, our hero Indy tries to beat the booby trap security in a cave to steal a golden idol. He thinks he’s won when he switches the idol for a similarly sized bag of sand, but then finds he has to navigate flying darts, a dropping wall, and a chasm before he’s through.

It seems like Apple releases a new version of the iPhone every year these days, and despite all the new iterations featuring similar looks, builds, and functions, there’s always that period where everyone has to get used to the new thing.

Banking regulation has always been a bit of a tennis match—a back-and-forth between more regulation, and then less. Before the shift to deregulation starting in the 1980s, banks adhered to state and federal banking laws, as well as narrow lines of business. After years of phased-in deregulation, the pendulum swung back. Now regulatory and industry compliance for banks includes more rules than ever before: privacy laws, federal trade regulations, non-bank industry regulations, and community impact reporting.

If you hadn’t heard, NASA’s Artemis Program—the first endeavor to go back to the moon in 50 years—has stalled a bit. Though the new rocket—known as the Space Launch System—has been in the works for years, even now that it’s out on the pad and seemingly ready, the agency is taking its time to launch. That’s because NASA knows how high the stakes are—there are billions of dollars invested and their reputation as space explorers of the future is on the line.