Does a QSA need to be onsite for a PCI DSS assessment?

Posted by Mohan Shamachar on Jul 5, 2018 8:28:20 PM

Keeping cardholder data safe and secure is an important part of your business, as well as a condition of your agreements with the payment card brands and acquirers that let you accept credit card payments. Compromised data has a negative impact on everyone involved. Protecting data can help:

Topics: risk management, rsi, cybersecurity, PCI, PCI DSS Requirements, PCI Audit, Qualified Security Assessor (QSA)

What is an Approved Scanning Vendor (ASV)?

Posted by RSI Security on Jul 5, 2018 7:56:49 PM

External security vulnerabilities can appear at any merchant level. The PCI Security Standards Council requires companies at all merchant levels to run regular network scans in order to detect possible vulnerabilities before attackers do. These scans are conducted by a PCI-certified Approved Scanning Vendor. The following sections describe what an ASV is and how ASVs work to help companies achieve PCI compliance.

Topics: risk management, rsi, cybersecurity, PCI, PCI DSS Requirements, Approved Scanning Vendor (ASV)

Restricting physical access to cardholder data (PCI DSS Req. 9)

Posted by RSI Security on Jun 21, 2018 12:45:14 PM

Credit cards hold a remarkable amount of cardholder data. If that data were to fall into the wrong hands, it could ruin a person's life. Now, imagine your company has a database of millions of credit cards, each unique to its cardholder. If that database were to be remotely breached via a phishing scam or hack, your entire database of payment cards could be stolen in the blink of an eye. In 2012 alone, attackers posing as legitimate service people substituted payment devices and subsequently compromised three large retailers. It was found that 39% of organizations had been breached through insecure remote access, which was the single largest origin of compromise that organizations encountered.

Topics: risk management, rsi, cybersecurity, PCI, PCI DSS Requirements

What is HIPAA?

Posted by RSI Security on Jun 20, 2018 2:39:16 PM

The Healthcare Insurance Portability and Accountability Act, commonly referred to as HIPAA, was signed into law on August 21, 1996. From the outset, HIPAA was a modernization effort aimed at healthcare records. Up until the mid-1990s, the vast majority of healthcare records were kept in hard copy, and there were no federal laws regulating the sharing or protection of sensitive health data until the adoption of HIPAA. HIPAA was conceived at a time when enormous external forces were acting upon all industries, including the health sector. The increasingly data-driven world was outpacing the rate of change in the healthcare industry, and legislators and healthcare professionals recognized that patient data needed to be protected while also remaining accessible to the patients themselves. At the same time, regulators and healthcare professionals recognized that, going forward, health records would need to be digitized and stored electronically.

Topics: risk management, rsi, cybersecurity, HIPAA

Are you ready for GDPR enforcement?

Posted by RSI Security on Jun 20, 2018 2:08:29 PM

The European Union's new data protection law, the General Data Protection Regulation (GDPR), went into effect on May 25th, 2018. The GDPR is a broad and substantial regulatory change meant to create uniform standards for how users' personally identifiable information (PII) is stored, transmitted, and protected against theft. Many companies may be bound by the GDPR and not realize it. As such, they are at risk of being found non-compliant with the GDPR, which can incur significant fines. In this article, we'll outline who is covered by the GDPR and explore the penalties that businesses can incur by being found non-compliant. The GDPR sets a high bar for compliance, and may require businesses to significantly change what types of data they store and how that data is stored. As such, a GDPR risk assessment or GDPR readiness assessment conducted by a qualified security assessor is essential to identifying areas of non-compliance and creating a comprehensive GDPR-compliant data management system going forward.

Topics: risk management, rsi, cybersecurity, GDPR, GDPR Recitals, Risk Assessment

What are GDPR Recitals?

Posted by RSI Security on Jun 20, 2018 12:33:17 PM

The General Data Protection Regulation (GDPR) was recently adopted in the European Union but has far-reaching consequences for businesses operating around the world. The GDPR was crafted and adopted with the intention of creating a durable body of regulations governing what personal data can be collected from individuals in the EU and how that data is processed, transmitted, and stored. The rollout of the GDPR has confused many businesses based outside of the European Union, which may not realize that they fall under the jurisdictional scope of the GDPR. Also confusing is the structure of the regulation, which has been crafted to adhere to standards consistent with the Court of Justice of the European Union. In this article, we'll work to bring some clarity to the discussion regarding the GDPR. In particular, we'll outline the basics of what the GDPR is, who is covered by it, and whether your company should consider outsourcing its efforts to achieve GDPR compliance.

Topics: risk management, rsi, cybersecurity, GDPR, GDPR Recitals

How to simplify GDPR with this need to know checklist

Posted by RSI Security on Jun 8, 2018 9:34:00 AM

One of the biggest hot-button topics for consumers, businesses, and governments worldwide is data privacy and security, and the discussion has only grown more heated as high-profile cases continue to hit the news. Things are set to get a lot more interesting with the introduction of the European Union's new General Data Protection Regulation (GDPR), which has just recently taken effect.

Topics: risk management, rsi, cybersecurity, GDPR, Compliance Audits

What is the PCI Security Council?

Posted by RSI Security on Jun 8, 2018 7:12:00 AM

In the world of financial transactions, PCI is the most common acronym in use and refers to the Payment Card Industry. (The longer version is PCI DSS, or Payment Card Industry Data Security Standard.) The Payment Card Industry Security Standards Council (PCI SSC) was created in 2006. Its goal as a global entity is to help improve security for every aspect of the financial transaction process. In the past, the objects of security concern were mainframe computers that could fill a room. Technology has evolved from those huge mainframes to personal computers, and on to mobile devices such as smartphones and tablets. The ways attackers threaten an entity's data have changed as well, but of course the need to protect that data has remained unchanged. Keep reading to learn more about the PCI Security Council and avoiding a credit card data breach.

Topics: risk management, rsi, cybersecurity, PCI, PCI DSS Requirements

Is VoIP in scope for PCI DSS?

Posted by Mohan Shamachar on Jun 5, 2018 12:54:12 PM

Before we delve into understanding Voice over Internet Protocol (VoIP) and data security on VoIP systems, here’s a quick introduction to PCI DSS payment card data security standards.

The PCI Standard is mandated by the card brands and administered by the Payment Card Industry Security Standards Council. The security standard was created to increase controls around cardholder data in order to reduce credit card fraud. Validation of compliance is performed annually: organizations handling large volumes of card payment transactions obtain a Report on Compliance from either an external Qualified Security Assessor (QSA) or a firm-specific Internal Security Assessor (ISA), while companies handling smaller volumes complete a Self-Assessment Questionnaire (SAQ).

Topics: risk management, rsi, cybersecurity, PCI, PCI DSS Requirements, PCI Audit, VoIP

Does a P2PE validated application also need to be validated against PA-DSS?

Posted by RSI Security on Jun 5, 2018 11:49:50 AM

There were 1,579 data breaches with over 178 million records exposed in 2017 alone. That averages about four data breaches a day for the entire year of 2017. Let that sink in for a second. That amounts to a nearly 45% overall increase over 2016 figures. Thankfully, there are ways that you can avoid a data breach, but these figures still carry a bit of sticker shock. One way that companies can protect themselves from payment card data breaches is by protecting their cardholder data environment (CDE) through PCI (Payment Card Industry) DSS (Data Security Standard) compliance. Any organization or merchant that accepts, transmits or stores any cardholder data must comply with PCI DSS.

Topics: encryption, risk management, rsi, cybersecurity, PCI, PCI DSS Requirements, P2PE

Welcome to RSI Security’s blog! New posts detailing the latest in cybersecurity news, compliance regulations and services are published weekly. Be sure to subscribe and check back often so you can stay up to date on current trends and happenings.

RSI Security is the nation's premier cybersecurity and compliance provider dedicated to helping organizations achieve risk-management success.