Can I extend PCI to make it my privacy protection scheme?

Andy Grove (CEO of Intel) once said, “Privacy is one of the biggest problems in this new electronic age.” And while that sounds appropriate today with directives like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), he also said, “Only the paranoid survive,” which is how many cybersecurity personnel feel …

Remote Working: Adapting Payment Security to the New Norm

Alexander Norell writes that in the period of lockdown more businesses are operating remotely. Employees of banks and call centres are now handling more sensitive data remotely and it is likely to be the new norm. How can they ensure the data is protected? With remote working now the new norm and with many businesses …

E-Commerce: Balancing Speed to Market and Payment Security

With COVID-19 we are seeing a shift from bricks and mortar to e-commerce, particularly in the retail sector – James Reynolds takes a look at what companies can do to ensure they are PCI compliant and online payments are protected. As companies look at how they will continue to trade during the pandemic, many are …

Remote Assessments: How to Maintain Compliance in a Crisis

Alexander Norell helps us address – Are remote assessments proving effective? What can companies do to ensure the lockdown is not impacting PCI progress? Remote assessments are likely to be the norm for many months as the global economy starts to get back on its feet and the Payment Card Industry Security Standards Council (PCI …

The Road to Becoming a Qualified Security Assessor

After spending over 30 years in IT, with a great deal of time spent in security, I find myself with more than a few credentials closer to this end of my career than when I first started. One of my greater accomplishments is my certification as a Payment Card Industry Security Standards Council (PCI SSC) …

PCI DSS – Frequently Asked Questions

So, you’re working on your first Self-Assessment Questionnaire (SAQ) and you get stuck. Up until this point, it’s gone pretty well; you talked to your acquiring bank, downloaded the right form they told you to, and you have the right people pulled together from your company to answer the requirements, but you’re stuck. Where do …

How to do HTTPS… the right way

With secure HTTP — aka HTTPS (the “S” is short for “secure”) — swiftly becoming universal on the Internet, it is important to know how to configure HTTPS for your website the right way. The payoff for properly securing your website has many benefits, a few of which are: Secure transmission of sensitive information. HTTPS …
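As an added illustration of the "right way" the post refers to (this is example configuration written for this listing, not the post's own material), the nginx fragment below puts a weak TLS server block beside a hardened one. The hostname, certificate paths and cipher list are assumptions; the hardened block enforces the points a PCI DSS assessor checks under Requirement 4 (no SSL or early TLS, which the PCI SSC required merchants to retire by 30 June 2018) and adds HSTS, an unconditional redirect from plain HTTP, and OCSP stapling.

```nginx
# --- WEAK: what "HTTPS is enabled" often looks like in practice ---
# Hypothetical host and paths (example only, not from the original post).
server {
    listen 80;
    server_name shop.example.com;
    # No redirect: cardholder data can still be submitted over plain HTTP.
    root /var/www/shop;
}

server {
    listen 443 ssl;
    server_name shop.example.com;
    ssl_certificate     /etc/ssl/shop.example.com.crt;
    ssl_certificate_key /etc/ssl/shop.example.com.key;
    # SSLv3 and early TLS (1.0/1.1) still negotiable; fails PCI DSS Req. 4.
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ALL;                 # accepts NULL, EXPORT, RC4, 3DES ...
    # No HSTS, so a downgraded first request is never pinned to HTTPS.
}

# --- HARDENED: the same site configured the right way ---
server {
    listen 80;
    server_name shop.example.com;
    # Send every plain-HTTP request to HTTPS before any form can be posted.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name shop.example.com;
    ssl_certificate     /etc/ssl/shop.example.com.fullchain.crt;  # leaf + intermediates
    ssl_certificate_key /etc/ssl/shop.example.com.key;

    # Only TLS 1.2 and 1.3: SSL and early TLS are prohibited for PCI DSS.
    ssl_protocols TLSv1.2 TLSv1.3;
    # AEAD, forward-secret suites only; TLS 1.3 suites are chosen by OpenSSL.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;   # with a strong list, let clients pick the fastest

    # Session resumption without long-lived ticket keys that would undo forward secrecy.
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    # OCSP stapling so clients get fresh revocation status without a side channel.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/ssl/shop.example.com.chain.crt;
    resolver 127.0.0.53 valid=300s;  # assumed local resolver for OCSP lookups

    # HSTS: two years, cover subdomains, sent on every response including errors.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;

    root /var/www/shop;
}
```

After reloading nginx, confirm the result from outside rather than trusting the file: `openssl s_client -connect shop.example.com:443 -tls1_1` should fail to handshake, while `-tls1_2` and `-tls1_3` succeed, and `curl -sI http://shop.example.com/` should return the 301 with a `Location:` on https. Keep the quarterly ASV scan in mind: an ASV scanner flags any host that still offers SSL or early TLS, so this check is worth scripting before each scan window.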

How will the Magento 1.x EOL affect PCI-DSS compliance?

In 2007, Magento was first released as a powerful and easy to use e-commerce platform that rapidly gained traction amongst online merchants. Magento won awards and was eventually sold by eBay to Adobe for $1.68B USD in 2018. Today, Magento powers 12% of all ecommerce sites worldwide, with about 239,000 active sites using Magento 1.x. …

Apply Critical Thinking to Security and Compliance

Recently I came across a case where a company had encouraged their clients to apply for their services via a written form, which included fields for credit card information to pay for those services. The clients were encouraged to return the forms via email in a PDF format. The company in question was undergoing a PCI DSS …

COVID-19: A Changing Threat Landscape for Acquirers and Merchants

SecureTrust has been fielding a lot of feedback from our acquirer community regarding the changes and new challenges to their businesses resulting from the COVID-19 pandemic. The most urgent of these challenges is the sharp rise in attacks from criminal organizations taking advantage of business shutdowns. It is very important to maintain vigilance in cybersecurity …

PCI-DSS version 4.0: Impacts to an Organization

The next version of the PCI-DSS is a long time coming. The majority of current PCI controls in version 3.2.1 are 10 years old or older. Year to year the standard itself has changed very little, and version 3.0, released in 2015, has changed minimally in the last 5 years. The PCI-DSS v4.0 was released to PCI SSC stakeholders …

Guidance for PCI Assessments During COVID-19

One of the challenges of information security and compliance is dealing with evolving requirements. The current pandemic with Covid-19 has further added complexity to how we operate and maintain secure payment systems. Not only do we have technical and administrative controls to manage and maintain but we also must address public health and safety concerns …

The Difference Between Risk and Compliance and the Important Connection Organizations Must Understand

There are a lot of misconceptions about risk and compliance. Organizations assume that if you’re compliant, you’re automatically able to combat potential risks. On the flip side there is a similarly incorrect assumption that if your risk program is already in place, your organization is already compliant by default. First, what is …

The PCI Charter

Experience time and again has shown that successful PCI DSS efforts, both internal self-assessments and external assessments, have a point person or team within the organization who drives for project completion and organizational compliance. A key stakeholder interaction between that point person or team, what we will call the project manager, and the overall project …

Acquirers beware – Your merchants may be cashing in on this COVID-19 scheme

All of the recent attention to the COVID-19 global pandemic has produced a strong demand for consumer products that can protect consumers from infection. When there is a new threat of this nature, we expect an increase in bad actors looking to cash in. The COVID-19 pandemic is no exception to this rule, and people …

PCI Isn’t Risk Based – And Other PCI Myths Debunked

If I were king, I would command my PCI Council minions to re-order the 12 requirements of the PCI DSS. Case in point – I’m convinced, after 15 years as a PCI assessor and consultant, the risk assessment should be the first step on the path to PCI compliance. Yet, the risk assessment doesn’t appear …

The California Consumer Privacy Act is Evolving

Thanks to those who attended our webinar on CCPA! If you missed the webinar, click here to view or keep reading for a recap! CCPA is the acronym used to describe the California Consumer Privacy Act. To read the full text of the law, and see the latest updates, the best resource is the California …

Clarifying Quarterly External Scans

Over the years I’ve worked with many clients who seem to have a strong security and compliance program. The client provides many of the key documents required for compliance; documentation for their penetration testing, risk assessments, policies and procedures. Everything seems to be going smoothly but there’s a delay while waiting for their external Approved …

PCI Isn’t Risk-based! (and other PCI myths)

As an infosec practitioner and QSA, I’ve been deeply involved in PCI since its inception. As a former educator (I taught high school social studies for eight years), I believe in the reductionist method for teaching complex subjects. In these articles I will combine my experience to deconstruct many of the problems – typically rooted …