Envoy Data provides products and solutions that meet your agency's and clients' needs in becoming SOX/PCI compliant.
Sarbanes-Oxley: The Sarbanes-Oxley Act of 2002 (often shortened to SOX) is legislation enacted to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise. The act is administered by the Securities and Exchange Commission (SEC), which sets deadlines for compliance and publishes rules on requirements. Sarbanes-Oxley is not a set of business practices and does not specify how a business should store records; rather, it defines which records are to be stored and for how long.
PCI Compliance: No business is ever completely secure, but companies can mitigate their risk and make it much harder and more resource-intensive for anyone to breach their defenses. Becoming PCI DSS (Data Security Standard) compliant provides baseline security and is a great first step. But it is critical to implement both the spirit and the letter of the standard.
The payment card industry (PCI) denotes the debit, credit, prepaid, e-purse, ATM, and POS cards and associated businesses.
- MFA – It Is All In The Implementation: I have been challenged over the last few weeks over requirement 8.3.1 along with the implications of the Council’s latest Information Supplement on multi-factor authentication (MFA). Requirement 8.3.1 does not go into effect until February 1, 2018, but there are a lot of organizations trying to get a jump on it. As a result I […]
- Business Continuity And PCI: This topic came up this past week in a conversation. I had to go to the PCI DSS v3.2 and check to make sure what was being discussed was accurate. The discussion was around requirement 12.10.1 which says: “Create the incident response plan to be implemented in the event of system breach. Ensure the plan […]
- Service Provider AOCs and Section 2g: It is becoming obvious that there are a lot of QSAs out there that did not get the message when v3 of the PCI DSS came out and the new AOC for service providers was introduced. This has been a big topic at the last few community meetings as well and recently became a big topic […]
- Stripe Questions Come Back: I have had a couple of readers ask this question, so I thought it was time to go back and take a look at it again. It has been since 2013 that I first brought up Stripe as a potential compliance scoping issue. The question being posed is: “How can Stripe claim on its Web […]
- Why We Should Be Concerned About The Verifone Breach: On March 7 Brian Krebs broke the news that Verifone, one of the largest card terminal manufacturers, has suffered a breach. The next day Verifone told the world that the breach was no big deal. No big deal right? Probably not and here is my rationale. For those of you unfamiliar with Verifone, Verifone is […]
- Verifone Investigating Breach: Just a quick note to everyone since this could affect a lot of merchants and service providers. Brian Krebs is reporting that Verifone is investigating a possible breach of their systems. More on it here.
- The Council Gets A Clue: Late this week the PCI Security Standards Council issued a new information supplement titled ‘Multi-Factor Authentication’ after the brouhaha that occurred last fall at the Community Meeting in Las Vegas. For once, the Council has issued an excellent reference regarding the issues of multi-factor authentication (MFA). Although I still have a couple of minor bones […]
- Getting Ready For 8.3.1: I have had some interesting meetings with clients lately regarding PCI DSS requirement 8.3.1 and multi-factor authentication (MFA). Requirement 8.3.1 is a best practice until January 31, 2018, but organizations are trying for once to get a jump on it. As a refresher, the requirement states: “Incorporate multi-factor authentication for all non-console access into the […]
- An Update On Multi-Factor Authentication: In the November 2016 Assessor Newsletter there is an update to the Council’s statements at the 2016 Community Meeting’s QSA Forum discussion regarding multi-factor authentication (MFA). “We had a moment of excitement at the North America Community Meeting in September when we responded to a question in the Assessor Session about MFA. As several of […]
- The Council Speaks On A Number Of Topics: The Council had a Webinar session for QSAs and ISAs on Thursday, December 15. It was a great session, but at only an hour, there were a lot of questions that went unanswered. The following were the more notable discussion topics. Not Tested: The Council got the message and they are working on new wording […]