Blog

PCI DSS

Five Ways to Reduce the Cost of PCI DSS Compliance

If your company stores, processes, or transmits cardholder data, you need PCI DSS compliance. According to the Verizon 2020 Payment Security Report, within the financial and insurance industries, 30% of breaches were caused by web application attacks, primarily driven by

Read More

PCI DSS

How to Be Prepared for PCI DSS v4 in 2022

Discussions about PCI DSS v4 became all the rage with the release of the first Request for Comments (RFC) back in 2019, and those discussions have continued. Businesses want to know what impact v4 will have on their current PCI programs and PCI DSS

Read More

PCI DSS, Security Program, Privacy

Cybersecurity Threat Landscape 2022, Nine Things You Should Know

In 2021 cybersecurity professionals faced the same vulnerabilities and attacks as decades before, just more nefarious, persistent, and far-reaching. Ransomware is everywhere, critical infrastructure is vulnerable, and security teams struggle with

Read More

PCI DSS, CISO, vCISO, Penetration Testing, HIPAA, Security Program, Risk Assessment, Red Teaming

The 0-day in the Room Nobody is Talking About: Scope

Scope is an important shaping tool that, when leveraged properly, can help enhance engagement outcomes during penetration testing, red team and other security operations. Like any tool, however, when used incorrectly it can have devastating

Read More

PCI DSS

PCI DSS Version 4.0: Preparing for the Future

The first quarter of the year 2022 should be an exciting time for everyone working with PCI DSS. The PCI Security Standards Council is scheduled to release first a “Stakeholder Preview” of the long-awaited PCI DSS v4.0, and then, presumably some

Read More

PCI DSS

Timely Update of Risk Assessment and Incident Response for PCI DSS

The PCI DSS compliance model depends on risk assessment and mitigation. The testing instructions for PCI DSS published by the PCI Security Standards Council for QSA’s tell us to look for evidence of documentation being updated as a result of lessons

Read More

PCI DSS

Requirements for Written Policies and Procedures for PCI DSS Compliance

I often come across clients whose documentation is missing a policy or a procedure that PCI DSS requires. “That will never happen here” or “We don’t have any workflow that could cause us to need that procedure,” they say. This may be true today, but

Read More

PCI DSS

Common Key Controls Tested in PCI DSS Assessments

As a company interested or required to become PCI DSS compliant, there is a list of key controls you must have in place, and appropriate evidence to be to be retained to provide the PCI DSS assessors during the testing period. Being able to easily

Read More

PCI DSS, SOC2, vCISO, Penetration Testing, HIPAA, CIS Controls, Security Program, Risk Assessment, Privacy, CCPA, ISO27001

Do you have APIs? How do you test them?

Application Program Interfaces (APIs) have changed in nature in recent years and are increasingly (and sometimes inadvertently) being made available to users of web services, the “Apps” (applications) on mobile devices, and internally for the web

Read More

PCI DSS, vCISO, Security Program

What does a PCI DSS Compliance Program Look Like?

You receive a letter from your bank: “Congratulations, you just passed 2.5M credit card impressions in the last 12 months.” (Break out the Champagne). “We noticed we don’t have a PCI DSS AOC for you, would you kindly upload it to our portal?”

Read More