Can I extend PCI to make it my privacy protection scheme?

Andy Grove (CEO of Intel) once said, “Privacy is one of the biggest problems in this new electronic age.” And while that sounds appropriate today with directives like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), he also said, “Only the paranoid survive,” which is how many cybersecurity personnel feel …

Apply Critical Thinking to Security and Compliance

Recently I came across a case where a company had encouraged their clients to apply for their services via a written form, which included fields for credit card information to pay for those services. The clients were encouraged to return the forms via email in a PDF format. The company in question was undergoing a PCI DSS …

Guidance for PCI Assessments During COVID-19

One of the challenges of information security and compliance is dealing with evolving requirements. The current pandemic with COVID-19 has further added complexity to how we operate and maintain secure payment systems. Not only do we have technical and administrative controls to manage and maintain, but we also must address public health and safety concerns …

The PCI Charter

Experience time and again has shown that successful PCI DSS efforts, both internal self-assessments and external assessments, have a point person or team within the organization who drives for project completion and organizational compliance. A key stakeholder interaction between that point person or team, what we will call the project manager, and the overall project …

PCI Isn’t Risk Based – And Other PCI Myths Debunked

If I were king, I would command my PCI Council minions to re-order the 12 requirements of the PCI DSS. Case in point – I’m convinced, after 15 years as a PCI assessor and consultant, the risk assessment should be the first step on the path to PCI compliance. Yet, the risk assessment doesn’t appear …

Clarifying Quarterly External Scans

Over the years I’ve worked with many clients who seem to have a strong security and compliance program. The client provides many of the key documents required for compliance: documentation for their penetration testing, risk assessments, policies and procedures. Everything seems to be going smoothly, but there’s a delay while waiting for their external Approved …

PCI Isn’t Risk-based! (and other PCI myths)

As an infosec practitioner and QSA, I’ve been deeply involved in PCI since its inception. As a former educator (I taught high school social studies for eight years), I believe in the reductionist method for teaching complex subjects. In these articles I will combine my experience to deconstruct many of the problems – typically rooted …