nabu | Cybersecurity & PCI DSS Compliance Blog

All Posts
Cybersecurity
Compliance
Privacy

PCI DSS Penetration Testing: Beyond Automation

PCI DSS v4.x Requirement 11.4: Manual vs. Automated Penetration Testing (PT) PCI-assessed organisations, including payment providers and merchants, often ask what role AI-based and automated tools should play in penetration testing. Put more bluntly: if these tools can run tests, is there still a need for a human expert to conduct them? This article explains why PCI DSS penetration testing still requires manual expertise, especially when validating real attack paths into the

Compliance

Mar 112 min read

Mobile application connected to APIs and server infrastructure for PCI DSS ASV scan scope

ASV Scans for Mobile Applications

ASV scanning (PCI DSS Requirement 11.3.2) is also needed for mobile application environments that include publicly accessible backend systems or APIs connected to the payment flow: “All publicly accessible applications — including backend systems that mobile apps communicate with — must undergo ASV scans.” Why ASV scanning is required Requirement 11.3.2 (PCI DSS v4.0.1) mandates: External vulnerability scans are to be performed at least once every three months … on all exter

Compliance

Jul 30, 20252 min read

WAF shield representing web application firewall protection for PCI DSS scans

Whitelisting an ASV Scanner IP in WAF for PCI DSS Compliance

Organizations handling cardholder data must comply with PCI DSS (Payment Card Industry Data Security Standard), including regular external vulnerability scans under Requirement 11.3.2. These scans must be conducted by a PCI SSC Approved Scanning Vendor (ASV) and must not be blocked or altered by security controls such as a Web Application Firewall (WAF). A misconfigured WAF can prevent an ASV scanner from accessing the Cardholder Data Environment (CDE) and the server calling

Compliance

Apr 21, 20253 min read

HSTS shield connected to HTTPS browser and Cloudflare for PCI DSS scan readiness

Setting Up HSTS in Cloudflare for PCI DSS Scans

One of the more common vulnerabilities found during an ASV scan is the lack of HSTS (HTTP Strict Transport Security). This is not necessarily limited to your application server; HSTS should be set up on all internet-facing hosts that provide a path to, or are part of, the cardholder data environment (CDE). This includes the Web Application Firewall (WAF), and one of the most common WAF platforms is Cloudflare (Cloudflare™ is a registered trademark of Cloudflare, Inc.). A comm

Cybersecurity

Apr 20, 20252 min read

HSTS shield with HTTPS browser and PCI DSS approved scan checklist

HSTS and PCI DSS Approved Scans

What is HSTS? HSTS (HTTP Strict Transport Security) is a web security policy mechanism that helps websites enforce secure connections by requiring browsers to only interact with them over HTTPS, preventing insecure HTTP connections. Why HSTS matters for HTTPS security? HSTS protects users from certain types of attacks, such as man-in-the-middle (MITM) attacks and SSL stripping, which attempt to downgrade HTTPS connections to unencrypted HTTP. Once a website enables HSTS, the

Compliance

Mar 31, 20253 min read

PCI DSS Requirement 11.3.2 ASV scan for e-commerce systems

PCI DSS Requirement 11.3.2 and ASV Scans for E-Commerce Merchants

As part of PCI DSS v4.0.1, Requirement 11.3.2 covers external vulnerability scans performed by a PCI SSC Approved Scanning Vendor (ASV). For e-commerce merchants, these ASV scans help assess internet-facing systems for vulnerabilities that could compromise the security of cardholder data. This requirement is crucial to maintaining PCI DSS compliance and protecting sensitive information in a digital environment, especially where public-facing websites, payment-related systems,

Cybersecurity

Dec 23, 20244 min read

Targeted Risk Analysis in PCI DSS: Understanding Requirement 12.3.2

In the context of PCI DSS (Payment Card Industry Data Security Standard), Requirement 12.3.2 addresses targeted risk analysis for requirements that an organisation meets through the Customized Approach. This analysis helps businesses document how their customized controls meet PCI DSS security objectives while addressing risks that may be specific to their environment. This is particularly important for organisations using the Customized Approach instead of the standard Defin

Compliance

Dec 23, 20244 min read

AWS CloudHSM and PCI DSS Requirement 3 Explained

In today’s digital landscape, the protection of sensitive data is crucial, especially in the payment card industry. AWS Hardware Security Modules (HSMs), including AWS CloudHSM, are commonly used for key encryption, providing a secure, compliance-focused solution to protect sensitive data, including cardholder data. This is a critical aspect for businesses seeking to achieve PCI DSS compliance. What is key encryption and why does key management matter? Key encryption involves

Cybersecurity

Dec 23, 20244 min read

Cybersecurity

Compliance

Privacy

Cybersecurity
& PCI DSS Compliance Blog

Practical guidance on PCI DSS, ASV scanning, encryption, HSTS and cybersecurity compliance

PCI DSS Penetration Testing: Beyond Automation

PCI DSS Penetration Testing: Beyond Automation

ASV Scans for Mobile Applications

Whitelisting an ASV Scanner IP in WAF for PCI DSS Compliance

Setting Up HSTS in Cloudflare for PCI DSS Scans

PCI DSS Penetration Testing: Beyond Automation

ASV Scans for Mobile Applications

Whitelisting an ASV Scanner IP in WAF for PCI DSS Compliance

Setting Up HSTS in Cloudflare for PCI DSS Scans

HSTS and PCI DSS Approved Scans

PCI DSS Requirement 11.3.2 and ASV Scans for E-Commerce Merchants

Targeted Risk Analysis in PCI DSS: Understanding Requirement 12.3.2

AWS CloudHSM and PCI DSS Requirement 3 Explained

No Results Found...

PCI DSS Penetration Testing: Beyond Automation

ASV Scans for Mobile Applications

Whitelisting an ASV Scanner IP in WAF for PCI DSS Compliance

Setting Up HSTS in Cloudflare for PCI DSS Scans

HSTS and PCI DSS Approved Scans

PCI DSS Requirement 11.3.2 and ASV Scans for E-Commerce Merchants

Targeted Risk Analysis in PCI DSS: Understanding Requirement 12.3.2

AWS CloudHSM and PCI DSS Requirement 3 Explained

Subscribe Today