Vulnerability management programs – what are they?

A key, critical part of your security posture is identification and management of vulnerabilities throughout your network. Everybody knows to do it, but the how part is what can be confusing. PCI DSS 6.1 requires you to identify new vulnerabilities, including trusted outside sources, and to assign a risk ranking to the ones identified. PCI …

Guiding merchants toward the SAQ-A light

E-commerce merchants who have close relationships with their acquiring banks, credit card brands and Qualified Security Assessor (QSA) can considerably reduce their level of effort when it comes to selecting the right Payment Card Industry (PCI DSS) compliance reporting method. Because less work is always better, e-commerce merchants who handle card-not-present payments and outsource the …

Data Privacy and the California Consumer Privacy Act

In 2018, the California Consumer Privacy Act (CCPA) was signed into law and went into effect last January. The final draft of the regulation was submitted to the California Attorney General in June 2020. Originally, the CCPA would be enforceable starting July 1, 2020, but due to the COVID-19 pandemic, the California Office of Administrative …

Card Brands Demand Merchant Risk Compliance

Merchant security monitoring is a key factor for any organization processing credit card data. So how many transactions can any acquirer or financial institution safely handle in a day? We tend to see in the marketplace hundreds of thousands of transactions being processed per second. And that is most likely only one rack in the …

Never Rest on Your Laurels

Almost four years ago the Payment Card Industry Data Security Standard (PCI DSS) version 3.2 was introduced and has only received a minor revision to version 3.2.1 since. Add to that, some companies have been assessed by the same assessors for years on end and both the assessed and assessors could become complacent feeling they know …

Penetration Testing of Segmentation Controls for PCI DSS

Recently I came across a penetration testing report (supplied as evidence for Payment Card Industry Data Security Standard (PCI DSS) compliance) that made a series of assumptions based on the company’s risk assessment as to whether segmentation controls (separating the cardholder data environment (CDE) from out-of-scope networks) should be tested or not. Requirement 11.3.4 of PCI …

Guidance to Remain PCI Compliant After Making Changes to Your IT Infrastructure

One of the most avoidable PCI failures we see time and again is significant change follow-up. What happens is you make a change to your infrastructure, resume processing, and move on with the newly changed environment in the new configuration. Months later, your Qualified Security Assessor (QSA) walks in and asks, “Did you perform due …

Can I extend PCI to make it my privacy protection scheme?

Andy Grove (CEO of Intel) once said, “Privacy is one of the biggest problems in this new electronic age.” And while that sounds appropriate today with directives like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), he also said, “Only the paranoid survive,” which is how many cybersecurity personnel feel …

Remote Working: Adapting Payment Security to the New Norm

Alexander Norell writes that in the period of lockdown more businesses are operating remotely. Employees of banks and call centres are now handling more sensitive data remotely and it is likely to be the new norm. How can they ensure the data is protected? With remote working now the new norm and with many businesses …

E-Commerce: Balancing Speed to Market and Payment Security

With COVID-19 we are seeing a shift from bricks and mortar to e-commerce, particularly in the retail sector – James Reynolds takes a look at what companies can do to ensure they are PCI compliant and online payments are protected. As companies look at how they will continue to trade during the pandemic, many are …

Remote Assessments: How to Maintain Compliance in a Crisis

Alexander Norell helps us address – Are remote assessments proving effective? What can companies do to ensure the lockdown is not impacting PCI progress? Remote assessments are likely to be the norm for many months as the global economy starts to get back on its feet and the Payment Card Industry Security Standards Council (PCI …

The Road to Becoming a Qualified Security Assessor

After spending over 30 years in IT, with a great deal of time spent in security, I find myself with more than a few credentials closer to this end of my career than when I first started. One of my greater accomplishments is my certification as a Payment Card Industry Security Standards Council (PCI SSC) …

PCI DSS – Frequently Asked Questions

So, you’re working on your first Self-Assessment Questionnaire (SAQ) and you get stuck. Up until this point, it’s gone pretty well; you talked to your acquiring bank, downloaded the right form they told you to, and you have the right people pulled together from your company to answer the requirements, but you’re stuck. Where do …

How to do HTTPS… the right way

With secure HTTP — aka HTTPS (the “S” is short for “secure”) — swiftly becoming universal on the Internet, it is important to know how to configure HTTPS for your website the right way. The payoff for properly securing your website has many benefits, a few of which are: Secure transmission of sensitive information. HTTPS …

How will the Magento 1.x EOL affect PCI-DSS compliance?

In 2007, Magento was first released as a powerful and easy to use e-commerce platform that rapidly gained traction amongst online merchants. Magento won awards and was eventually sold by eBay to Adobe for $1.68B USD in 2018. Today, Magento powers 12% of all ecommerce sites worldwide, with about 239,000 active sites using Magento 1.x. …

Apply Critical Thinking to Security and Compliance

Recently I came across a case where a company had encouraged their clients to apply for their services via a written form, which included fields for credit card information to pay for those services. The clients were encouraged to return the forms via email in a PDF format. The company in question was undergoing a PCI DSS …

COVID-19: A Changing Threat Landscape for Acquirers and Merchants

SecureTrust has been fielding a lot of feedback from our acquirer community regarding the changes and new challenges to their businesses resulting from the COVID-19 pandemic. The most urgent of these challenges is the sharp rise in attacks from criminal organizations taking advantage of business shutdowns. It is very important to maintain vigilance in cybersecurity …