Envoy Data provides products and solutions that meet your agency's and your clients' needs for becoming SOX and PCI compliant.
Sarbanes-Oxley: The Sarbanes-Oxley Act of 2002 (often shortened to SOX) is legislation enacted to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise. The act is administered by the Securities and Exchange Commission (SEC), which sets deadlines for compliance and publishes rules on requirements. Sarbanes-Oxley is not a set of business practices and does not specify how a business should store records; rather, it defines which records are to be stored and for how long.
PCI Compliance: No business is ever completely secure, but companies can reduce their risk and make it much harder and more resource-intensive for anyone to breach their defenses. Becoming PCI DSS (Payment Card Industry Data Security Standard) compliant establishes a security baseline and is a sound first step. It is critical, however, to implement both the spirit and the letter of the standard.
The payment card industry (PCI) covers debit, credit, prepaid, e-purse, ATM, and POS cards, and the businesses that issue, process, and accept them.
- NESA – Guidance In Search Of A Problem: On Thursday, June 29, the PCI SSC held their quarterly Assessor update webinar. One of the more interesting discussions was on the topic of the non-listed encryption solution assessment or NESA. For those unfamiliar with NESA, it is an attempt by the Council to have all end-to-end encryption (E2EE) solutions such as First Data’s TransArmor […]
- We Need A Change To 2.3.b: I just wanted to give everyone a “heads up” about some guidance we recently received from the PCI SSC regarding jump boxes or out-of-band (OOB) system management solutions and the use of insecure protocols such as SNMPv1/2 and Telnet. But did everyone know that this solution also requires a compensating control worksheet (CCW)? For years […]
- What Is The Secret?: If you are a P2PE-QSA, you have likely seen the documentation required to do a Non-Listed Encryption Solution Assessment (NESA). While the P2PE assessment work program (on which the NESA is based) is available to everyone, apparently the Council feels that only P2PE-QSAs have a right to see the new NESA documentation. Why? My assumption […]
- Answering Some Dream Team Questions: After our PCI Dream Team event on May 17, I thought I would take some questions that do not require long and involved answers and publish them in this post. FYI – I have edited and spell checked these, so they likely do not look like you entered them, but they should convey your questions […]
- Thank You To Everyone: We had a great session yesterday with lots of great questions. We appreciate all of you who were able to attend and submitted questions both through the blog and when we were online. For those who could not attend, the session was recorded so you can play it back on BrightTalk. The session went the full […]
- Talk To The PCI Guru Live: Actually, you will get to talk to FOUR PCI Gurus this coming week. Bring us your hardest PCI questions. Follow this link and register for our PCI Dream Team discussion on May 17 (depending on your time zone). I hope to “see” you there. It should be a great time.
- The Five Stages Of PCI: I had a meeting with a prospect recently that is bound and determined to avoid PCI compliance yet still will accept payment cards. My response? Good luck with that! You would think that after 15 years of PCI (and actually even longer) people would understand that PCI compliance is a fact of life. But I continue […]
- MFA – It Is All In The Implementation: I have been challenged over the last few weeks over requirement 8.3.1 along with the implications of the Council’s latest Information Supplement on multi-factor authentication (MFA). Requirement 8.3.1 does not go into effect until February 1, 2018, but there are a lot of organizations trying to get a jump on it. As a result I […]
- Business Continuity And PCI: This topic came up this past week in a conversation. I had to go to the PCI DSS v3.2 and check to make sure what was being discussed was accurate. The discussion was around requirement 12.10.1, which says: “Create the incident response plan to be implemented in the event of system breach. Ensure the plan […]
- Service Provider AOCs and Section 2g: It is becoming obvious that there are a lot of QSAs out there who did not get the message when v3 of the PCI DSS came out and the new AOC for service providers was introduced. This has been a big topic at the last few community meetings as well and recently became a big topic […]