Compass IT Compliance Blog

How to Define Your Cardholder Data Environment (CDE) Under PCI DSS

How to Define Your Cardholder Data Environment (CDE) Under PCI DSS

Before an organization can implement Payment Card Industry Data Security Standard (PCI DSS) controls, it must answer a foundational question: what is in scope? The answer lies in the definition of the Cardholder Data Environment (CDE). Get it wrong, and everything built on top of it i …

Read Story

Plan of Action and Milestones (POA&M): A CMMC Level 2 Essential

Plan of Action and Milestones POA&M - A CMMC Level 2 Essential

Every CMMC Level 2 compliance program involves two documents that work in tandem: the System Security Plan (SSP) and the Plan of Action and Milestones (POA&M). The SSP describes how practices are implemented. The POA&M documents what is not yet implemented and what the organiz …

Read Story

Your CMMC SSP Is Not Just a Checkbox: How to Build One That Works

Your CMMC SSP Is Not Just a Checkbox How to Build One That Works

The System Security Plan (SSP) is the cornerstone document of any CMMC Level 2 compliance program. Yet it is also one of the most underdeveloped artifacts assessors encounter. Organizations preparing for a C3PAO assessment frequently arrive with an SSP that describes their environment …

Read Story

When to Hire a PCI Compliance Consultant (and What They Actually Do)

When to Hire a PCI Compliance Consultant (and What They Actually Do)

If your business stores, processes, or transmits cardholder data, PCI DSS compliance isn't optional. But knowing that you need to comply is a very different thing from knowing how to actually get there. Somewhere between your first self-assessment questionnaire and your first failed s …

Read Story

PCI DSS Compensating Controls: When & How to Use Them

PCI DSS Compensating Controls - When and How to Use Them

Every organization that stores, processes, or transmits payment card data eventually runs into the same wall. The Payment Card Industry Data Security Standard (PCI DSS) sets a clear bar, but a legacy system, a vendor limitation, or a business reality can make a specific requirement im …

Read Story

What the 2026 Verizon DBIR Means for Your SOC 2 Compliance Program

What the 2026 Verizon DBIR Means for Your SOC 2 Compliance Program

The 2026 Verizon Data Breach Investigations Report (DBIR) recently dropped. Vulnerability exploitation is officially the #1 breach vector at 31%. It is now the #1 way attackers are getting in, surpassing credential abuse, which dropped from 22% down to just 13% as an initial access me …

Read Story

Subscribe by email