controlgap.com

Posts by:

David Gamey

AOC, pci, PCI 4.0, Supply Chain, third-party

The Art of Reading a PCI Attestation of Compliance (AoC)

PCI Attestations of Compliance (AoCs) provide organizations with a tool that helps with the all-important aspects of third-party due diligence.  Yet many organizations don’t pay enough attention to the details of the AoCs they rely upon. AoCs are critical when engaging with and monitoring third-parties for PCI compliance. Running an effective compliance program requires at a minimum that you:

  • Collect current AoCs from your third party service providers
  • Understand the details of the AoC and how they impact you.

Waiting for your annual assessment to discover errors and omissions in these documents may result in delays, changes to your PCI DSS scope, and/or additional assessment activities. In turn this can lead to additional costs, and even non-compliance. This article will help you better understand AoCs and how they support your compliance journey.

David Gamey
Read More
pci, UnionPay, JCB, bin, VISA, MasterCard, truncation

8-Digit BINs and the Great PCI Truncation Reset | pci,blog | Control Gap

David Gamey
Read More
pci, humour, Non-compliance lessons

Non-Compliance Lesson No. 3: Don't upgrade or patch your old stuff

PCI DSS can be hard and not preparing for it just makes things harder. Following this advice is guaranteed to make it both more exciting and painful.

  • Don’t upgrade your end-of-life software, it’s fine. After all it’s not like you won’t be able to upgrade overnight when a zero-day gets published. Besides the vendor's sure to provide a patch.
  • Don’t patch those pesky middle and high-risk items on internal networks. It’s not like an intruder will try and move laterally through your network.
  • Ignore those network and security appliances. You didn’t install the OS and who ever heard of firmware vulnerabilities.
  • You’re only doing this for a PCI checkbox, your assessor may not notice, and it isn’t like you should be worried about ransomware.
  • Sleep better at night, it's run fine for years and just look at all the time, money, and effort you saved.
David Gamey
Read More
pci, humour, Non-compliance lessons

Non-Compliance Lesson No. 2: Outsource your payments/security and don't read the fine print | blog,pci,humour | Control Gap

PCI DSS can be hard and not preparing for it just makes things harder. Following this advice is guaranteed to make it both more exciting and painful.

  • Assume you can outsource your accountability for security and compliance.
  • Assume your service provider does everything for you and don't confirm your responsibilities.
  • Change service providers to save money.
  • Act surprised when your assessor asks you for your scans, pen-tests, code reviews, patching records, etc.
  • Exercise your right to audit clause (if you have one) and include your service providers inside your annual assessment at your cost.
  • Due diligence and preparation are just too boring.
David Gamey
Read More
pci, cryptography, quantum

Quantum Cryptography for Risk Managers or Shor, Grover, and the Crypto-Apocalypse | blog,pci,cryptography,quantum | Control Gap

According to some, quantum cryptography will revolutionize cryptography, kill our current ciphers, and reveal all our secrets. But if you're a risk manager, you're likely turned-off by claims of an impending crypto-apocalypse. You want to get past the hyperbole to something you can work with. You will want to know how likely this is, how to sort out facts from spin, what kinds of resources are available, how long you've got to prepare, and what preparation and planning do you need to do. You need to understand that quantum isn't just one thing, one risk, or the only risk. Join us as we break it all down for you.

David Gamey
Read More
TLS, Hashing, pci, cryptography, TDES

Why Organizations Need to Become Crypto-Agile and What that Means | blog,pci,cryptography | Control Gap

Cryptographic change is a reality. Since 2006, we have seen the sunset of WEP, SSLv2, RSA-1024, SSLv3 and early TLS. We know that Triple DES and other 64-bit blocked ciphers are on the way out. RSA will likely follow, and our current pre-quantum public key cryptosystems will eventually become deprecated. These changes have impact and require widespread coordination. Old software and hardware will need to be upgraded or replaced. It will require time, effort, money, and pro-active management. Simply reacting will be risky, painful, and expensive. Industry needs to learn from past changes so that organizations can be ready. Most importantly, we need to do better than we have done in the past. But how?

David Gamey
Read More
pci, Credit cards

Don’t Tie Yourself in Knots Thinking you can Store Payment Card Verification Codes/Values

Card Not Present Security Codes/Values are the 3 and 4 digit printed numbers on your payment cards used to verify card-not-present transactions. PCI DSS has been crystal clear for many years that payment Card Verification Codes/Values are Sensitive Authentication Data (SAD) and can't be stored after transaction authorization except by card Issuers. Specifically PCI says:

David Gamey
Read More