Merchant or Service Provider Understanding Your Role Under PCI DSS
Fiona Howard

Unsure whether your organisation is a merchant or a service provider under PCI DSS v4.0.1? This is one of the most common areas of confusion. In this guidance, Fiona Howard, PCI DSS QSA at Locked Stack, explains the distinction, why it matters, and what it means for your compliance approach and ongoing obligations.

From Tasks to Oversight: Making PCI DSS 12.4.2 Work for You
Fiona Howard

A practical look at how PCI DSS 12.4.2 moves organisations beyond checklist compliance toward real operational oversight. Fiona Howard, PCI DSS QSA, explains how effective quarterly reviews strengthen governance, validate critical security tasks, and improve resilience across modern environments.

The Human Element in Cybersecurity
Fiona Howard

Fiona is a former educator turned cybersecurity specialist and PCI DSS Qualified Security Assessor (QSA) at Locked Stack. She focuses on aligning human-centric security strategies with regulatory frameworks like PCI DSS. During assessments, security awareness training is often a recurring topic—and one of the most challenging areas for organisations to get right.

Getting your PCI DSS Scope Right
Fiona Howard

A focused guide on creating clear, accurate, and maintainable PCI DSS scoping documentation. Fiona Howard, PCI DSS QSA, explains how to define and record in-scope systems, boundaries, and data flows in a way that supports assessments and simplifies ongoing reviews. Essential reading for organisations preparing PCI DSS v4.0.1 documentation or strengthening existing scope records.

An Introduction to DORA: Understanding the Digital Operational Resilience Act and Its Impact
Fiona Howard

It has been a year since the Digital Operational Resilience Act (DORA) came into effect, yet many organisations are still clarifying how it applies in practice. In this guidance, Fiona Howard, cybersecurity specialist at Locked Stack, outlines what DORA is designed to achieve, who it applies to, and why it matters for financial entities and the technology providers that support them.
