Category Archives: PCI Compliance

For businesses using PA-DSS assessed applications the time is near to start considering the new Software Security Framework that the PCI Council that will be mandated soon. (more…)

The California Consumer Privacy Act (CCPA) and more states are shaping data privacy management.

New York City is often referred to as the financial capital of the world; with the state of cybersecurity today and the increasing barrage of threats that financial related institutions must combat on a daily basis, it is no wonder that New York became the first state to take government action to do something about it.  (more…)

THE NEW YORK STATE DEPARTMENT of FINANCIAL SERVICES (DFS) CYBERSECURITY REGULATION 23 NYCRR 500 SECTION 11

by Viviana Wesley PCI QSA, ISO 27001 Auditor – Managing Consultant, Governance & Compliance Services

Cyber security is a moving target.  The technology and policies that kept users, devices and data safe at one time are eventually compromised at some point by the growing skills of cybercriminals and technology itself.  This is one of the reasons security standards such as PCI DSS (Payment Card Industry Data Security Standard) are moving targets as well.  Things never remain stationary in a world that is digitally transforming itself and security standards would not be relevant unless they dynamically changed along with the world. (more…)

By Viviana Wesley, PCI QSA, ISO 27001 Auditor

The process of securing cardholder data is a shared responsibility amongst multiple parties that play a role in the card transaction process. They include merchants, processors, acquirers, backup tape storage facilities, issuers and service providers just to name a few. All of these entities play a part in the far-reaching responsibility of protecting consumer data. The Payment Card Industry Data Security Standard or PCI DSS is the roadmap that they can turn to in order to prevent the compromising of primary account numbers (PAN) and other sensitive consumer credit card information. (more…)

What kind of security assessment do I need? It’s a question we at HALOCK Security Labs hear all the time. Every regulation and information security standard in existence tells us that we must undergo some kind of regular assessment. But the security field has not been consistent in advising what kinds of assessments fit which purpose best. (more…)

As part of its enduring interest in LifeLock, Inc., the Federal Trade Commission issued the following statement on December 17, 2015, “PCI DSS certification is insufficient in and of itself to establish the existence of reasonable security protections … the existence of a PCI DSS certification is an important consideration in, but by no means the end of, our analysis of reasonable security.” This statement might be alarming to the business and security communities, but it’s important to understand their statement in context, and for you to know what to do about it. (more…)

A Merchant’s Guide to PCI SSC Compliance By Morgan Rickel  PMP, QSA

If you are a merchant considering the implementation of a mobile payment acceptance solution, or if you are currently using one, the Payment Card Industry Security Standards Council (PCI SSC) has determined that one of the major risk factors in validating mobile payment acceptance applications with the Payment Application Data Security Standard (PA–DSS) is the environment that the application operates within and the ability of that environment to support the merchant in achieving PCI DSS compliance.  From a PCI perspective, the type of mobile communications device that is selected will have a direct impact on the PA-DSS validation. (more…)