Securing PAN Using Keyed Cryptographic Hashing in PCI DSS v4.0.1
As companies rely more on cloud services, cybersecurity frameworks like System and Organization Controls (SOC) have become essential for establishing trust between service providers and their customers. But what exactly is SOC 2, and how does a business achieve compliance?
We review the different types of reports and the requirements for SOC 2 compliance. Whether you are in FinTech, SaaS, or any other business that handles sensitive customer data, understanding the importance of SOC 2 compliance will help you stay secure and competitive.
Security Standards (PCI DSS) are vital in establishing baseline security measures for financial industry professionals who face challenges safeguarding sensitive information. However, organizations must understand that compliance with these standards does not equate to comprehensive security. Continue reading to better understand the foundations of offensive security and the importance of proactive measures beyond mere compliance to achieve a mature security posture in the financial industry.
Control Gap's Robert Spivak had a follow-up session with David Goodale from www.merchant-accounts.ca to talk about some of the major impacts that PCI 4.0 will have on ecommerce merchants. During the open discussion, David posed many good questions that his viewers and merchants are curious about: not only what it takes to be PCI compliant, but how to achieve compliance with PCI DSS 4.0.
PCI Attestations of Compliance (AoCs) provide organizations with a tool that helps with the all-important aspects of third-party due diligence. Yet many organizations don't pay enough attention to the details of the AoCs they rely upon. AoCs are critical when engaging with and monitoring third parties for PCI compliance. Running an effective compliance program requires at a minimum that you:
Waiting for your annual assessment to discover errors and omissions in these documents may result in delays, changes to your PCI DSS scope, and/or additional assessment activities. In turn, this can lead to additional costs and even non-compliance. This article will help you better understand AoCs and how they support your compliance journey.
Welcome to This Week's [in]Security. PCI and payments: HSM FAQs. DSSv4 DESV, Payment pages. Skimmers. New breaches: City of PII, Flagstar, credentials. New Ransomware: pretenses, Greens, Automotive. Major outages: Cloudflare. Follow-ups & Fall-out: 25B for sale. Privacy: T-Mobile, Brave, Health data. Laws & Regs - Canada: more C-11, Vaccine lawsuits. US: cyber, war-on-crypto, trackers, crypto & AML, DCMA, platform liability, trademarks. World: Clearview. Standards: NSA & NIST. Defense - Training & events: WEIS, RSA & ToB. MFA, Tools & Techniques, Supply chains, Netsec search, IoT, PowerShell, Device verification. Vulnerabilities - Advisories: ICS. Patching: Chrome, Oracle. Other: Passwords, Acrobat, Azure, Hertzbleed, NTLM, Mega, Safari, IoT, Daycare apps. Other: Crypto-research: Cybercrime - Trends & Enforcement. Nation States and mercenaries. Other Risks: No-Code, 5G v Starlink, AI. Microsoft. Disinformation, Health, Safety, Environment, Economy. Russia v. Ukraine. Innovation and more.
Welcome to This Week's [in]Security. PCI and payments: PCI updates: MPoC RFC. Payments: chargebacks and friendly fraud. New breaches: credentials, Elasticsearch. Follow-ups & Fall-out: Desjardins. Privacy: TikTok, Location data, tracking tech. Laws & Regs - Canada: cybersecurity law, C-11. US: privacy, copyright. World: cookies, deepfakes, Assange. Standards: NIST. Defense - Training & events: PCI SSC CM, NICE, global initiatives. Tools & Techniques. Vulnerabilities - Advisories: Zerodays. Patching: Splunk, WordPress. Other: Citrix, CPUs, Hertzbleed, Azure, SharePoint/OneDrive, Drupal, FastJSON, Siemens, Zimbra. Vulnerability research: AI/ML. Crypto-research: Cybercrime - Trends: Crime & Enforcement: Nation States and mercenaries. Other Risks: Google's Chatbot, Self-drive crashes. Disinformation, Health, Safety, Environment, Crypto-crash. Russia v. Ukraine. Innovation and more.
Welcome to This Week's [in]Security. Non-Compliance Lesson, DSSv4 related, Skimmers, Other Payments. New breaches: 7 breaches per capita, Shields & Yuma Healthcare, Telegram, Palermo. Major outages. Privacy: Twitter, Bluetooth & Wi-Fi, Student spyware. Laws & Regs - Canada: CBSA phone searches, C-11, Crypto regs, Right to disconnect, cigarettes. US: right-to-repair, breach reporting. World: hacking-back, platform liability, message scanning. NSO in court, USB-C. Standards: HTTP RFCs, 5 NIST drafts. Defense - Cyber-skills, Tools & Techniques. Vulnerabilities - Zerodays, Follina, Apple CPUs, Dogwalk, DiagCab. Patching: Chrome, GitLab. Other: Cloud middleware, U-Boot, Tesla, PyPl/keep. Crypto-research: SSH, Boomerang. Cybercrime - Trends: Follina, Conti, Symbiote, Cracked CCleaner. Crime & Enforcement: Crypto-thefts, SSNDOB shutdown, 41 phishes. Nation States and mercenaries. Other Risks - General: AI, CitizenLab, Car insurance, Health, Safety, Environment, Disinformation, Economy. Russia v. Ukraine. Innovation and more.
Welcome to This Week's [in]Security. PCI and payments: PCI updates: Brazil. Skimmers. Payments. New breaches: Nuclear documents, Brexit, GM, Colleges, Toronto. Follow-ups & Fall-out: MGM Resorts, GitHub, NPM. Privacy: DuckDuck, Facial tech, data safety. Laws & Regs - Canada: C-11. US: Disclosure, Twitter, Content moderation, Zuckerberg, Trolls. World: Clearview AI, Privacy Shield, Borderless data, Platform liability. Defense - Tools & Techniques. Vulnerabilities - Advisories: CISA. Zerodays. Patching: VMware, Zoom. Other: AWS key theft or research? Containers, Forging Australian digital IDs, Phishing infosec. Vulnerability research: Controlling touchscreens remotely, Pre-hijacking accounts, manipulating ML. Crypto-research: RSA, AES. Cybercrime: Trends: Crime & Enforcement: Nation States and mercenaries. Other. Other Risks: General: Health, Safety, Environment, Disinformation, Russia v. Ukraine. Innovation and more.