Compliance Abuse: When Compliance Frameworks are Misapplied

Introduction

Here at TrustedSec, we help our clients achieve and maintain compliance with a variety of Information Security and privacy frameworks. We often receive requests for compliance assistance with frameworks that don’t make sense when considering the type of organization making the request. We always seek to understand our clients’ needs before proposing an engagement,…

The post Compliance Abuse: When Compliance Frameworks are Misapplied appeared first on TrustedSec.

Reducing Merchant Scope to Ease the Compliance Burden

Merchants should spend more time doing what they are good at—i.e., selling and merchandising—rather than trying to keep up with validating and maintaining PCI compliance. How can this be accomplished? Using either an end-to-end encryption (E2EE) or point-to-point encryption (P2PE) solution for each point-of-sale (POS) system removes cardholder data from the merchant’s environment and eliminates some of the complex hoops that merchants are required…

Strength Training With Transport Cryptology: Part 2

In part 1 of this blog series, we explored objective standards for evaluating application cipher suites using National Institute of Standards and Technology (NIST) guidance. Reviewing that is not required to continue here. For those of us lucky enough to apply cryptology within a Payment Card Industry (PCI) context, this part is for you.…

Strength Training With Transport Cryptology: Part 1

I have a pretty good gig. I get to see the unique security approaches of dozens of companies every year. Sometimes the things we discuss come up so frequently, they should probably be shared…anonymously, of course. Frequently, folks are tasked with fixing insecure transport security. This is often due to test results from: Introducing new…

How I Retained My QSA Certification

In 2019, the Payment Card Industry (PCI) Security Standards Council (SSC) modified the Qualification Requirements for Qualified Security Assessor (QSA) employees. Prior to the modification, the requirements stipulated that QSA employees must hold either an Information Security certification or an audit certification, but now QSA employees must have a minimum of two (2) industry certifications:…

Making EDR Work for PCI

The Endpoint Detection and Response (EDR) and Advanced Threat Protection (ATP) marketplace is abuzz with products that blur the lines between personal firewall, host-based intrusion detection system (IDS) and intrusion prevention system (IPS), anti-virus, system logging, and file integrity monitoring (FIM). These solutions are centrally managed from a web browser and include advanced dashboards for…

Payment Card Industry (PCI) – Recurring Requirements Require Attention!

Several items within the 12 PCI DSS requirements must be performed at defined frequencies (for example, daily, quarterly, or annually). In my experience, companies sometimes struggle with adhering to some if not all of these items. There are a number of reasons that this might happen, whether it’s related to employee turnover, unfamiliarity with the items,…

Big Changes in Store for PCI DSS v4.0, and More!

This week I attended the PCI North American Community Meeting. If you are in the payment security space and haven’t been to a community meeting, I would recommend that you put this on your conference schedule. It’s great to connect with like-minded individuals, including card brands, banks, large customers, vendors, and yes, assessors – both internal (ISAs)…

PCI Requirements 101

Having completed several PCI-DSS (Payment Card Industry – Data Security Standard) Reports on Compliance (RoCs) over the past couple of years, I have noticed a consistent pattern on the items needed for the 12 requirements. I have found that there are three basic components to most if not all PCI requirements: Documentation (Policies, Standards, and…
