
PCI-DSS

The AppsFlyer SDK Hijack: Why PCI DSS 6.4.3 and 11.6.1 Exist

On March 10, 2026, AppsFlyer’s JavaScript SDK was compromised in an active supply chain attack. If you run an ecommerce site and that script loads on your payment pages, you’ve potentially been serving malicious code to every customer who checked out over the past 72+ hours. No changes to your codebase required. No alerts from your WAF. No red flags on your server logs. This is actively happening. And for anyone who’s been wondering why the PCI Security Standards Council added requirements 6.4.3 and 11.6.1 to PCI DSS 4.0.1, this is your answer.

AI in Payment Environments

PCI DSS v4.x wasn’t written with AI in mind, but the framework is more adaptable than it gets credit for. Here’s where the standard holds up, where there’s room to grow, and how the PCI SSC is already engaging with AI through initiatives like The AI Exchange.

PCI DSS Toolkit

Overview. The PCI DSS Toolkit is a collection of read-only scripts that help sysadmins export configuration evidence from network devices, cloud environments, and operating systems for PCI DSS assessor review. Scripts connect to devices or APIs, export configuration data, and save it locally. No changes are made to any system. juancarlosmunera/pci-tools: PCI Tools and Scripts for assessors and sysadmins to aid both in evidence collection and evidence review.

Carding-as-a-Service: What Underground Dump Shops Mean for PCI Scope

When we talk about PCI DSS compliance, the conversation tends to stay clinical. Scoping exercises. Network diagrams. Encryption at rest. But compliance doesn’t exist in a vacuum. It exists because there’s a thriving, industrialized criminal economy on the other end waiting to monetize every gap you leave open. Rapid7 published a detailed piece of research this month that every QSA, security engineer, and compliance leader should read: their analysis of the carding-as-a-service (CaaS) ecosystem and the underground dump shops that power it. Having spent years on the assessor side of PCI, I want to connect what Rapid7 found directly back to what it means for your cardholder data environment and your scoping decisions.

Quantum Won't Kill Encryption. It Never Has.

If you’ve spent any time on LinkedIn or at a cybersecurity conference in the last couple of years, you’ve seen the headlines. “Quantum computing will break all encryption.” “Your data is already at risk.” “The cryptographic apocalypse is coming.” It makes for great conference talks and even better vendor marketing. But here’s the thing: encryption has always been broken. And every single time, we’ve replaced it with something stronger. The lifecycle of cryptographic algorithms isn’t a flaw in the system; it is the system. So why would quantum computing be any different?

File Integrity Monitoring for Docker & Kubernetes: A Complete PCI-DSS Guide

A question I hear often is: “How do we manage PCI Compliance for containers when they’re destroyed and recreated constantly?” It’s a legitimate concern. In this post I write about file integrity monitoring when containerization is used (i.e. Docker, Kubernetes, etc.). Traditional FIM tools were built for static servers that run for months or years. But containers? They live for minutes, hours, maybe days. The PCI-DSS standard doesn’t give you a pass just because you’re using modern infrastructure. Requirement 11.5.2 still applies; you still need to detect unauthorized file modifications. The approach just looks completely different.

File Integrity Monitoring for PCI-DSS: The Complete Multi-Cloud Guide

PCI-DSS 11.5.2 - Guidance and Full Technical Deep Dive (On-Prem, Hybrid, and Native). I remember sitting in my first PCI assessment years ago, watching a QSA flip through pages of documentation. When we got to Requirement 11.5.2, file integrity monitoring, the conversation hit a wall. The requirement seemed straightforward on paper, but translating it into a hybrid environment with on-prem servers, AWS workloads, and network appliances? That’s where the real work begins.

From Kickoff to Settlement: The Payment Card Ecosystem's Super Bowl

The Invisible Game Within the Game. Yesterday, while millions watched the Patriots and Seahawks battle for championship glory at Levi’s Stadium, another high-stakes game played out in milliseconds beneath the surface. This game processed $20.2 billion in transactions with 99.99% reliability, involved seven different players per transaction, and executed each play in under 200 milliseconds. Welcome to the payment card ecosystem’s Super Bowl, where 213.1 million Americans participated, spending an average of $94.77 each, and where the stakes are measured not in yards gained, but in billions of dollars secured.