header
header
header

Summing It Up

Keeping you ahead of the curve with timely news & updates.


PCI DSS 3.2 Req 6.4.6 - Views on Updating PCI DSS Compliance Programs Upon Significant Changes to a Cardholder Data Environment

If you are classified as a merchant or service provider, anytime you make a significant change to your cardholder data environment, you are required to ensure that all relevant PCI DSS requirements have been applied to that change. This means adding an extra step of analyzing any PCI DSS requirements that apply to that change and documenting how you've ensured that those requirements have been applied like updating network diagrams or data flow diagrams.

Click to see a short video on PCI DSS 3.2’s Section 6.4.6 requirements

PCI DSS 3.2 Req. 6.4.6

 

Freed Maxick 6.4.6 Guidance   

PCI DSS is a rolling and perpetual standard which requires organizations to approach any chances to their environment with compliance considerations in mind. Any significant changes to the PCI CDE (Cardholder Data Environment) may require additional scrutiny on the creation of documentation or reviews of system configurations.

 

PCI DSS Resources 

For additional insights and guidance on 6.4.6 compliance and other PCI DSS requirements, read our blog post and get a downloadable overview of all recent updates and revisions.

Freed Maxick services for PCI DSS Compliance can be found here. If you wish for a more detailed discussion of your organization’s situations and needs, contact us or call me at 716.847.2651

View full article

PCI DSS 3.2 Req 8.3.1 - Views on Multi-Factor Authentication

If you're classified as a service provider or merchant, you're required to implement multi-factor authentication for any non-console administrative access into your cardholder data environment . There are multiple ways this can be accomplished, and you should consult with your QSA about the most appropriate way for you and your company to make it happen.

Click to see a short video on PCI DSS 3.2’s Section 8.3.1 requirements

PCI DSS 3.2: Req. 8.3.1

 

Freed Maxick 8.3.1 Guidance   

Multi-factor authentication is a means to confirm a user’s claimed identity through knowledge, something they and only they know as well as possession, something they and only they have. MFA creates a defense mechanism which makes it more difficult for hackers or unauthorized users to access system resources.

 

PCI DSS Resources 

To receive more insights and guidance on 8.3.1 compliance and other PCI DSS requirements, read our blog post and get a downloadable overview of all recent updates and revisions.

Freed Maxick services for PCI DSS Compliance can be found here. If you wish for a more detailed discussion of your organization’s situations and needs, contact us or call me at 716.847.2651

View full article

PCI DSS 3.2 Req 10.8 and 10.8.1 - The Process for Detecting, Reporting, and Responding to Failures in Security Mechanisms

If you're classified as a service provider you need to implement policies and procedures, and response mechanisms for addressing any failures in critical security mechanisms including firewalls, intrusion detection systems, intrusion prevention systems, and antivirus file integrity management systems.

Click to see a short video on PCI DSS 3.2’s Section 10.8 and 10.8.1 requirements

PCI DSS Req. 10.8 and 10.8.1

 

Freed Maxick 10.8 / 10.8.1 Guidance   

Policies and procedures should be reviewed and updated in the event of process changes and should accurately reflect the organization’s current PCI environment. Detection mechanisms should be configured appropriately to alert trained and qualified personnel in the event of critical security control failure. 

Critical security control failures should be responded to as soon as possible. Any lag time in response or remediation can lead to unauthorized control of system resources, data leakage, or the installation of malicious software. It is necessary that documentation is prepared to support security failure response from an employee and system level perspective.

 

PCI DSS Resources 

To receive more insights and guidance on 10.8 and 10.8.1 compliance and other PCI DSS requirements, read our blog post and get a downloadable overview of all recent updates and revisions.

Freed Maxick services for PCI DSS Compliance can be found here. If you wish for a more detailed discussion of your organization’s situations and needs, contact us or call me at 716.847.2651.

 

View full article

PCI DSS 3.2 Req 11.3.4.1 - Views on Semi-annual Penetration Testing

If you are a service provider that uses network segmentation to reduce the overall scope of your PCI DSS assessment, what was formerly an annual requirement to obtain a penetration test is now a semi-annual requirement meaning it must be done every six months.  Make sure to reach out to your QSA to ensure that you are compliant with this timing requirement. 

Click to see a short video on PCI DSS 3.2’s Section 11.4.3.1 requirements 

PCI DSS 3.2 Req. 11.3.4.1

 

Freed Maxick 11.3.4.1 Guidance   

Organizations should schedule penetration tests in advance to meeting the timing restriction of this requirement. An experienced and qualified penetration tester independent of the organizational unit should be consulted to perform this assessment to validate and confirm the scope of the cardholder data environment

 

PCI DSS Resources 

For more guidance on 11.4.3.1 compliance and other PCI DSS requirements, read our blog post that includes a downloadable overview of all recent updates and revisions.

Freed Maxick services for PCI DSS Compliance can be found here, but for a more detailed discussion of your organization’s situations and needs, contact us or call me at 716.847.2651.

View full article

PCI DSS 3.2 Req 12.4.1 - Views on Establishing Responsibility for the Protection of Cardholder Data

If you're classified as a service provider, you are required to formally establish the overall responsibility for PCI compliance and the protection of cardholder data. Your PCI DSS Charter should be approved by executive management at least annually and anytime that there are major changes to your organization.

Click to see a short video on PCI DSS 3.2’s Section 12.4.1 requirements.

 

 

 

Freed Maxick 12.4.1 Guidance   

Establishing authority and responsibility for a PCI program within an organizational is an essential step in maintaining compliance. Aligning strategy with explicit requirements allows for increased level of cybersecurity and protection of sensitive customer data. Executive management’s role in PCI compliance promotes a more holistic approach to data security

 

PCI DSS Resources 

For more guidance on 12.4.1 compliance and other PCI DSS requirements, read our blog post that includes a downloadable overview of all recent updates and revisions.

An overview of Freed Maxick services for PCI DSS Compliance can be found here, and for a more detailed discussion of your organization’s situations and needs, contact us here or call me at 716.847.2651.

View full article

PCI DSS 3.2 Req 12.11 and 12.11.1 - Views on Performing Quarterly Reviews and Maintaining Documentation of Quarterly Review Process

If you're classified as a service provider, you are required to implement a process for internal quarterly review of critical security procedures to ensure those procedures are operating effectively. You also need to perform and maintain documentation of the quarterly review process.

Click to see a short video on PCI DSS 3.2’s Section 12.11 and 12.11.1 requirements. 

 

 

Freed Maxick 12.11 and 12.11.1 Guidance   

Quarterly reviews of PCI procedures help to promote accountability within the organization. It is essential to document the results of all quarterly reviews and train employees to be familiar with specific PCI requirements. Retaining appropriate documentation and evidence of quarterly reviews helps to support the completion of required PCI DSS procedures.

 

Our PCI DSS Resources 

For more guidance on this issue and other PCI DSS requirements, read our blog post on new requirements for 2018, and see an overview of Freed Maxick PCI DSS Compliance services here. 

For a more detailed discussion of your organization’s situations and needs, contact us here or call me at 716.847.2651.

 

View full article

PCI DSS 3.2 Req 3.5.1 - Views on Documented Cryptographic Architecture

If you're classified as a service provider, you're required to maintain a documented description of your cryptographic architecture including any cryptographic algorithms security protocols and keys, including the keys specific to usage expiration date and strength

Click to see a short video on PCI DSS 3.2’s Section 3.5.1 requirement.

 

Freed Maxick 3.5.1 Guidance   

Relative to documented cryptographic architecture, our recommendation is that organizations who are subject to PCI DSS compliance should take proactive steps to maintain an up to date listing of cryptographic tools being utilized to protect cardholder data.

 

PCI DSS Resources 

For more guidance on this issue and other PCI DSS requirements, read our blog post on new requirements for 2018 that includes a downloadable overview of all recent updates and revisions.

 

An overview of Freed Maxick services for PCI DSS Compliance can be found here. For a more detailed discussion of your organization’s situations and needs, contact us here or call me at 716.847.2651.

……………………………………………………

 

View full article

How Cyber Threats are Targeting Online Businesses

Online business is the new "Main Street" of America. According to the U.S. Chamber of Commerce, 74% of small businesses have a website online; many of these solely conduct business through their website. With an uptick of devices that increases social media presence (i.e. the smart phone, tablets, apps); businesses are able to conduct more of their daily activities online than ever before. This drive to do business or maintain a website online does not just apply to corporations, but to entrepreneurs looking to start or grow their business online.

While companies large and small are increasing their online business, larger companies have the capability to improve their defenses and resilience against cyber threats, leaving the small companies ripe for the picking for cyber criminals. Theft of digital information has become the most commonly reported fraud. Whether a business is utilizing, or thinking of utilizing cloud computing or just using email and maintaining a website, cyber-security should be part of the plan. It is a business’s responsibility for creating a culture of security that will enhance business and consumer confidence.

In order for businesses to stay a step ahead of cyber criminals these steps should be taken to increase security:

  • Train your employees in security principles- establishing basic practices and policies for online use, such as creating strong passwords, appropriate internet use, and rules on how to handle and protect customer information and vital data.

  • Protect computers, networks from cyber attacks- “cleaning” computers is one of the most vital things you can do to help prevent cyber attacks. For example having security software, web browser, and operating systems are the best defense against malware, viruses or other online threats.

  • Provide a firewall for your computer- a firewall is a set of related programs that prevents outsiders from accessing data on private network information. This includes ensuring that if an employee is working from home that their home system has firewall protection. One of the most common mistakes is downloading firewall programs but not “enabling” them; essentially “turning them on”.

  • Secure Wi-Fi networks- make sure that any Wi-Fi networks you have for your business is secure, encrypted and hidden. You can hide information by setting up your wireless access point or router so that it doesn’t broadcast a network name, and password protect access to the router.

  • Limit employee access to data- do not provide any one employee to all data systems. Employees should only be given access to the specific data systems that they need to perform their jobs, and should not be able to install any software without permission.

describe the imagePCI Compliance is also a big part of being secure online. PCI DSS is the Security Standards Council that was put into place to ensure that businesses storing, transmitting, and processing payment card data, are not putting their customers or their business at risk of data theft or fraud. The PCI DSS has four levels of compliance, with number one set as the highest level. The level that your business requires depends on:

  1. The volume of transactions you process, and

  2. How you process them.

Cyber-security is a team sport. Taking actions that will better protect both vital data and your business operations will have positive consequences for the security of all businesses, communities and the country. Computers and networks are interconnected through cyberspace; that means that both public and private sectors share responsibility.

Freed Maxick CPAs
Freed Maxick’s tax team and enterprise risk management team want to make sure that your online business is secure. Our firm is registered with the Payment Card Industry Security Standards Council, LLP (PCI SSC) and has Qualified Security Assessor’s certified by the Council to validate an entity’s adherence to the PCI DSS.  Contact us and connect with our experts.

 

 

View full article