How to Define Your Cardholder Data Environment (CDE) Under PCI DSS
by Patrick Hughes on June 28, 2026 at 1:30 PM
Before an organization can implement Payment Card Industry Data Security Standard (PCI DSS) controls, it must answer a foundational question: what is in scope? The answer lies in the definition of the Cardholder Data Environment (CDE). Get it wrong, and everything built on top of it i …
Plan of Action and Milestones (POA&M): A CMMC Level 2 Essential
by Jake Dwares on June 27, 2026 at 11:00 AM
Every CMMC Level 2 compliance program involves two documents that work in tandem: the System Security Plan (SSP) and the Plan of Action and Milestones (POA&M). The SSP describes how practices are implemented. The POA&M documents what is not yet implemented and what the organiz …
Your CMMC SSP Is Not Just a Checkbox: How to Build One That Works
by Derek Boczenowski on June 26, 2026 at 1:24 PM
The System Security Plan (SSP) is the cornerstone document of any CMMC Level 2 compliance program. Yet it is also one of the most underdeveloped artifacts assessors encounter. Organizations preparing for a C3PAO assessment frequently arrive with an SSP that describes their environment …
When to Hire a PCI Compliance Consultant (and What They Actually Do)
by Patrick Hughes on June 25, 2026 at 4:17 PM
If your business stores, processes, or transmits cardholder data, PCI DSS compliance isn't optional. But knowing that you need to comply is a very different thing from knowing how to actually get there. Somewhere between your first self-assessment questionnaire and your first failed s …
PCI DSS Compensating Controls: When & How to Use Them
by Kelly O’Brien on June 17, 2026 at 4:42 PM
Every organization that stores, processes, or transmits payment card data eventually runs into the same wall. The Payment Card Industry Data Security Standard (PCI DSS) sets a clear bar, but a legacy system, a vendor limitation, or a business reality can make a specific requirement im …
What the 2026 Verizon DBIR Means for Your SOC 2 Compliance Program
by Rachel Hughes on June 10, 2026 at 3:55 PM
The 2026 Verizon Data Breach Investigations Report (DBIR) recently dropped. Vulnerability exploitation is officially the #1 breach vector at 31%. It is now the #1 way attackers are getting in, surpassing credential abuse, which dropped from 22% down to just 13% as an initial access me …
.webp?width=2169&height=526&name=Compass%20regular%20transparent%20website%20(1).webp)
-1.webp?width=2169&height=620&name=Compass%20regular%20transparent%20website%20smaller%20(1)-1.webp)
%20Under%20PCI%20DSS.jpg)


.jpg)

