PCI DSS

Requirements for Written Policies and Procedures for PCI DSS Compliance

I often come across clients whose documentation is missing a policy or a procedure that PCI DSS requires. “That will never happen here” or “We don’t have any workflow that could cause us to need that procedure,” they say. This may be true today, but when someone new comes along

Read More

PCI DSS

Common Key Controls Tested in PCI DSS Assessments

As a company interested or required to become PCI DSS compliant, there is a list of key controls you must have in place, and appropriate evidence to be to be retained to provide the PCI DSS assessors during the testing period. Being able to easily

Read More

PCI DSS, SOC2, vCISO, Penetration Testing, HIPAA, CIS Controls, Security Program, Risk Assessment, Privacy, CCPA, ISO27001

Do you have APIs? How do you test them?

Application Program Interfaces (APIs) have changed in nature in recent years and are increasingly (and sometimes inadvertently) being made available to users of web services, the “Apps” (applications) on mobile devices, and internally for the web

Read More

PCI DSS, vCISO, Security Program

What does a PCI DSS Compliance Program Look Like?

You receive a letter from your bank: “Congratulations, you just passed 2.5M credit card impressions in the last 12 months.” (Break out the Champagne). “We noticed we don’t have a PCI DSS AOC for you, would you kindly upload it to our portal?”

Read More

PCI DSS, Security Program, Privacy

Destroying Data Securely

In the days of Solid-State Disks (SSD), RAID10 disk drive arrays, databases taking snapshots of data, automated backups, and active-active data mirroring; how does one reliably and securely destroy data?

Read More

PCI DSS, Privacy

TokenEx and Truvantis: A Combined Solution for Uncompromising Security

Modern organizations must collect and store sensitive personal and payment data to process payments, compile analytics, and enable users to get the most out of their digital experiences. However, the systems and processes necessary to protect these

Read More

PCI DSS, CISO, vCISO

Use a vCISO to Achieve and Maintain PCI DSS Compliance

PCI is a strong security Framework. If you are a business owner, you have probably heard about the PCI DSS (Payment Card Industry Data Security Standard). All organizations that store, process, or transmit payment card transactions must adhere to

Read More

PCI DSS

Content Security Policy (CSP) HTML Headers

A number of years ago I was trying to renew my subscription to a well-known antivirus tool and found that there were 37 different URLs invoked on the checkout page, including two with .cn TLDs. Needless to say, the renewal didn’t happen.

Read More

PCI DSS

PCI DSS Training Requirements

The PCI DSS standard ostensibly only has a few training requirements which, in my experience, most organizations do a good job of keeping up with. However, there are some not-so-obvious teams which get regularly overlooked with regard to training.

Read More

PCI DSS, vCISO, Penetration Testing, Security Program

What is “Internal Penetration testing” for PCI DSS requirement 11.3

Introduction PCI DSS requires Internal, External Penetration testing, and Segmentation testing. But these terms are not crisply defined. In fact, “internal” is used elsewhere in the standard (for example internal vulnerability scanning) where it

Read More