PCI SSC Updates SAQ A: Removal of Key E-Commerce Security Requirements & New Eligibility Criteria
The PCI Security Standards Council (PCI SSC) has made significant updates to Self-Assessment Questionnaire A (SAQ A) as part of PCI DSS v4.0.1. These changes affect e-commerce merchants who fully outsource payment processing to a PCI DSS compliant third party and previously relied on SAQ A to validate their compliance.
The latest modifications include:
- Removal of PCI DSS Requirements 6.4.3, 11.6.1, and 12.3.1 from SAQ A.
- New eligibility criteria requiring merchants to confirm (more…)
What Legislation Protects Against Deepfakes and Synthetic Media?
A Deep Look at Legislation
Deepfake legislation in the U.S. is advancing swiftly to combat the rising risks associated with synthetic media, addressing critical areas such as cybersecurity, privacy, election integrity, and intellectual property. Federal and state lawmakers are enacting and refining laws to curb the misuse of deepfake technology, focusing on issues like fraud, defamation, election manipulation, and non-consensual explicit content. These evolving regulations aim (more…)
What is the PCI DSS v4.0.1 Requirement for PoLP?
Least Privilege Takes Center Stage in PCI DSS Update
In today’s digital landscape, organizations recognize that completely preventing cyberattacks is nearly impossible. As a result, the principle of least privilege (PoLP) has become a cornerstone of modern cybersecurity strategies. By restricting user account permissions to the minimum required for specific tasks, PoLP minimizes the potential damage from breaches, unauthorized access, and insider threats.
What is the PCI (more…)
What is the PCI DSS v4 Authenticated Scanning Mandate?
Preparing for PCI DSS 4.0.1: The Authenticated Scanning Mandate
As organizations prepare for March 31, 2025, the date on which the future-dated PCI DSS v4.0.1 requirements become mandatory, Requirement 11.3.1.2 introduces a critical change: internal vulnerability scans must be authenticated. An unauthenticated scan sees only what a host exposes on the network; a credentialed scan can also inspect installed software versions, missing patches and local configuration, so this requirement closes a gap in earlier versions by producing deeper, more accurate assessments of internal vulnerabilities.
What are the Key Points of Requirement 11.3.1.2?
- Authenticated Access: Internal scans must be run with credentials that carry sufficient privileges on the systems being scanned.
Is Your Organization Prepared for PCI DSS Automation?
By Viviana Wesley, PCI QSA, ISO 27001 Auditor, CISM – Principal Consultant, Governance, Compliance and Engineering Services and Jason Maiden, CISSP, PMP, PCI QSA, ISO 27001 Lead Auditor – Managing Consultant
Gearing Up for PCI DSS Automation
Automation is revolutionizing industries across the board, and payment card compliance is no exception. PCI DSS v4’s Requirement 10.4.1.1 reflects this shift, mandating the use of (more…)
Unpacking the New PCI DSS v4.x Password Standards
By Jason Maiden, CISSP, PMP, PCI QSA, ISO 27001 Lead Auditor – Managing Consultant
The Payment Card Industry Data Security Standard (PCI DSS) v4.x introduced several new and enhanced security requirements, many of which became effective on March 31, 2024. However, the clock is ticking on additional future-dated requirements set to take effect on March 31, 2025. Among these, a significant portion pertains to (more…)
Countdown to Compliance: DMARC and PCI DSS v4.0
PCI DSS v4.0 2025
We are currently four months away from March 31, 2025, the compliance deadline for the Payment Card Industry Data Security Standard (PCI DSS) v4.0 future-dated requirements. Until that date these 51 requirements are considered best practice; after it, all organizations must comply with them. One of the updates (more…)
FutureCon, Chicago Cybersecurity Conference 2025
Chicago Cybersecurity Conference
HALOCK and Reasonable Risk at FutureCon explore risk management and security approaches to address evolving cyber threats. Enjoy breakfast and lunch while connecting with colleagues and industry executives. Our partner discusses risk governance and management.
How Executives Make Informed Cyber Decisions
September 19, 2024, at 1:00 P.M. CST
Non-technical executives can truly own cybersecurity when their companies measure, monitor, and manage cybersecurity risk like other parts of their business.
The SEC is only the latest regulator to expect non-technical executives to take ownership of cybersecurity risk management. Regulators argue that when companies pose risks to others, those risks need to be managed, whether they come from business practices, (more…)
CAMP IT: Techniques to Evolve Risk Governance and Comply with SEC Cybersecurity Rule
CAMP IT: Enterprise Risk / Security Management
In today’s highly regulated environment it is essential that you have a clear understanding of risk across the enterprise. A risk management framework brings visibility to key business and compliance risks and enables a company to decide where to prioritize its limited resources. It is through a risk management framework that real (more…)