Envoy Data provides products and solutions that will meet your agency's and clients' needs to become SOX/PCI compliant.
Sarbanes-Oxley: The Sarbanes-Oxley Act of 2002 (often shortened to SOX) is legislation enacted to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise. The act is administered by the Securities and Exchange Commission (SEC), which sets deadlines for compliance and publishes rules on requirements. Sarbanes-Oxley is not a set of business practices and does not specify how a business should store records; rather, it defines which records are to be stored and for how long.
PCI Compliance: No business is ever completely secure, but companies can mitigate their risk and make it much harder and more resource intensive for anyone to breach their defenses. Becoming PCI DSS (Data Security Standard) compliant provides baseline security and is a great first step. But it is critical to implement both the spirit and the letter of the standard.
The payment card industry (PCI) denotes the debit, credit, prepaid, e-purse, ATM, and POS cards and associated businesses.
- Service Provider AOCs and Section 2g: It is becoming obvious that there are a lot of QSAs out there who did not get the message when v3 of the PCI DSS came out and the new AOC for service providers was introduced. This has been a big topic at the last few community meetings as well and recently became a big topic […]
- Stripe Questions Come Back: I have had a couple of readers ask this question, so I thought it was time to go back and take a look at it again. It has been since 2013 that I first brought up Stripe as a potential compliance scoping issue. The question being posed is: “How can Stripe claim on its Web […]
- Why We Should Be Concerned About The Verifone Breach: On March 7 Brian Krebs broke the news that Verifone, one of the largest card terminal manufacturers, has suffered a breach. The next day Verifone told the world that the breach was no big deal. No big deal, right? Probably not, and here is my rationale. For those of you unfamiliar with Verifone, Verifone is […]
- Verifone Investigating Breach: Just a quick note to everyone since this could affect a lot of merchants and service providers. Brian Krebs is reporting that Verifone is investigating a possible breach of their systems. More on it here.
- The Council Gets A Clue: Late this week the PCI Security Standards Council issued a new information supplement titled ‘Multi-Factor Authentication’ after the brouhaha that occurred last fall at the Community Meeting in Las Vegas. For once, the Council has issued an excellent reference regarding the issues of multi-factor authentication (MFA). Although I still have a couple of minor bones […]
- Getting Ready For 8.3.1: I have had some interesting meetings with clients lately regarding PCI DSS requirement 8.3.1 and multi-factor authentication (MFA). Requirement 8.3.1 is a best practice until January 31, 2018, but organizations are trying for once to get a jump on it. As a refresher, the requirement states: “Incorporate multi-factor authentication for all non-console access into the […]
- An Update On Multi-Factor Authentication: In the November 2016 Assessor Newsletter there is an update to the Council’s statements at the 2016 Community Meeting’s QSA Forum discussion regarding multi-factor authentication (MFA). “We had a moment of excitement at the North America Community Meeting in September when we responded to a question in the Assessor Session about MFA. As several of […]
- The Council Speaks On A Number Of Topics: The Council had a Webinar session for QSAs and ISAs on Thursday, December 15. It was a great session, but at only an hour, there were a lot of questions that went unanswered. The following were the more notable discussion topics. Not Tested: The Council got the message and they are working on new wording […]
- The Council Releases Draft Scope And Network Segmentation Information Supplement: Quietly on Friday, December 9, 2016, the PCI SSC released the draft Information Supplement titled ‘Guidance for PCI DSS Scoping and Network Segmentation’. As with all Information Supplements, the information documented in these does not replace any of the requirements in the PCI standards. These documents contain only guidance and suggestions as to how organizations […]
- Not Tested Clarification: In the November 2016 Assessor Newsletter from the PCI SSC, there is a clarification on what ‘Not Tested’ actually means and implies. I am sure this will really get some service providers whipped up as it will create some issues with work they perform on behalf of their customers. The following is taken directly from […]