How to Define Your Cardholder Data Environment (CDE) Under PCI DSS
by Patrick Hughes on June 28, 2026 at 1:30 PM
Before an organization can implement Payment Card Industry Data Security Standard (PCI DSS) controls, it must answer a foundational question: what is in scope? The answer lies in the definition of the Cardholder Data Environment (CDE). Get it wrong, and everything built on top of it i …
When to Hire a PCI Compliance Consultant (and What They Actually Do)
by Patrick Hughes on June 25, 2026 at 4:17 PM
If your business stores, processes, or transmits cardholder data, PCI DSS compliance isn't optional. But knowing that you need to comply is a very different thing from knowing how to actually get there. Somewhere between your first self-assessment questionnaire and your first failed s …
PCI DSS Compensating Controls: When & How to Use Them
by Kelly O’Brien on June 17, 2026 at 4:42 PM
Every organization that stores, processes, or transmits payment card data eventually runs into the same wall. The Payment Card Industry Data Security Standard (PCI DSS) sets a clear bar, but a legacy system, a vendor limitation, or a business reality can make a specific requirement im …
Maintaining Targeted Risk Analysis (TRAs) for PCI DSS Compliance
by Kelly O’Brien on May 19, 2026 at 10:50 AM
Every organization that processes, stores, or transmits cardholder data is required to protect it. That much is well understood. What is less understood, and where many organizations quietly fall short, is how they justify specific risk-based decisions inside their compliance program. …
PCI Compliance for Small Business: A QSA's Field Guide to PCI DSS
by Derek Boczenowski on May 14, 2026 at 3:32 PM
If you run a small business that accepts credit cards, the words "PCI compliance" probably land somewhere between mildly stressful and outright intimidating. I get it. I have spent years walking small merchants through the Payment Card Industry Data Security Standard (PCI DSS), and th …
PCI DSS Penetration Testing: A Practical Compliance Guide
by Derek Boczenowski on April 30, 2026 at 3:23 PM
Here is a conversation we have more often than we would like to admit. We are on a call with an organization that processes payment cards, and we ask how they are tracking against PCI DSS. The response comes back fast and confident: "Oh, we are good. We have an ASV doing our quarterly …
.webp?width=2169&height=526&name=Compass%20regular%20transparent%20website%20(1).webp)
-1.webp?width=2169&height=620&name=Compass%20regular%20transparent%20website%20smaller%20(1)-1.webp)
%20Under%20PCI%20DSS.jpg)
.jpg)

%20for%20PCI%20DSS%20Compliance.jpg)

