The PCI Charter

Experience time and again has shown that successful PCI DSS efforts, both internal self-assessments and external assessments, have a point person or team within the organization who drives for project completion and organizational compliance. A key stakeholder interaction between that point person or team, what we will call the project manager, and the overall project …

Acquirers beware – Your merchants may be cashing in on this COVID-19 scheme

All of the recent attention to the COVID-19 global pandemic has produced a strong demand for consumer products that can protect consumers from infection. When there is a new threat of this nature, we expect an increase in bad actors looking to cash in. The COVID-19 pandemic is no exception to this rule, and people …

PCI Isn’t Risk Based – And Other PCI Myths Debunked

If I were king, I would command my PCI Council minions to re-order the 12 requirements of the PCI DSS. Case in point – I’m convinced, after 15 years as a PCI assessor and consultant, the risk assessment should be the first step on the path to PCI compliance. Yet, the risk assessment doesn’t appear …

The California Consumer Privacy Act is Evolving

Thanks to those who attended our webinar on CCPA! If you missed the webinar, click here to view or keep reading for a recap! CCPA is the acronym used to describe the California Consumer Privacy Act. To read the full text of the law, and see the latest updates, the best resource is the California …

Clarifying Quarterly External Scans

Over the years I’ve worked with many clients who seem to have a strong security and compliance program. The client provides many of the key documents required for compliance: documentation for their penetration testing, risk assessments, policies and procedures. Everything seems to be going smoothly, but there’s a delay while waiting for their external Approved …

PCI Isn’t Risk-based! (and other PCI myths)

As an infosec practitioner and QSA, I’ve been deeply involved in PCI since its inception. As a former educator (I taught high school social studies for eight years), I believe in the reductionist method for teaching complex subjects. In these articles I will combine my experience to deconstruct many of the problems – typically rooted …

Windows 7 support is ending. Are you prepared?

Our old friend Windows 7 is facing retirement on January 14 with the end of extended support. What does this mean for you? If you’re still running Windows 7, then you’re going to have issues in several areas such as PCI, NIST, HIPAA, and GLBA to name a few. In nearly every framework, standard, and …

Will It Take a Breach for You to Take the Next Maturity Step?

Everyone (er, almost everyone) has had the experience of growing up – maturing if you will. You likely had people teach you and thoughtfully impart to you some knowledge. And, if you’re like me, you didn’t always pay attention. I had to make mistakes for myself to learn. When it comes to compliance and risk, …

Mobile Security: Think Twice Before You Throw Out That Mobile Device

We tend to focus on protecting mobile devices while we are actively using them, but we often forget what to do with them at the end of their lifecycle. Before you throw out your old mobile device there are a few steps you should take to ensure good housekeeping. Others are necessary under many compliance …