PCI Compliance – Avoid the PCI Krampus!

Court Little    |    December 18, 2012

Today’s blog is going to be a “back to basics” Payment Card Industry (PCI) compliance discussion. When it rains it pours. Lately, I have been subjected to an alarming number of baffling statements by merchants in recent weeks. These are coming from fringe, non-Level 1 merchants who don’t have a direct Acquirer breathing down their neck (thankfully!!!). They have all had the same basic tone which is essentially, “I don’t have to be PCI compliant” or “we dance around PCI compliance because we don’t process credit cards via our website” or “we believe PCI doesn’t apply to us because we don’t process credit cards.” Or even more mind-boggling, “We don’t get that many credit cards, so we don’t have to be PCI compliant.” Maybe what they really mean is, “We don’t get that many credit cards so we don’t want to be PCI complaint.” At least that one I can...



Tags: audit, DSS, merchant, payment card industry, PCI, PCI Compliance, processor, QSA, ROC, SAQ, self-assessment questionnaire

A Quick Physical Security Checklist

Brad Curtis    |    December 04, 2012

Based on my previous post where I suggested performing a physical security risk assessment for your organization, I decided to jot down a quick list of items you may want to consider for your checklist.

This list is not all-inclusive by any means, as each individual location is different. My goal is to create awareness with this list and perhaps draw attention to some areas that are sometimes overlooked.

Environmental/Surroundings:

  • Document law enforcement, fire department and hospital locations and contact information

  • Document neighboring buildings and contacts for their security staff

  • Account for vehicle barriers for entrances

  • Ensure landscaping does not provide cover for intruders

  • Secure dumpsters with padlocks

  • Document building...




Tags: security, assessment, risk, nist, PCI, standards, cobit, frameworks

Should We Be Surprised When Disasters Happen? Are We Unlucky When They Impact Us?

Jozef Krakora    |    November 02, 2012

I am one of the lucky ones. I am one of the lucky New Yorkers who has had power since Hurricane Sandy hit. But am I lucky?

Thanks to Hurricane Sandy, millions are pretty unlucky. Wait a second. What is wrong with that statement? How can millions of people, all at the same time, be unlucky all at once? If millions could be lucky all at once, all at the same time, then places that depend on luck, like the casino industry for instance, would not exist.

Furthermore, luck is generally defined as a success or failure brought about by chance for a person. Larger groups of people generally aren’t included in the definition. So that makes me wonder; are all those surviving without power, and those stranded due to the flooded subways and tunnels in New Jersey and New York City really unlucky? Am I really lucky? Or, are these disasters inevitable from time to time, with some predictable frequency? The casinos certainly depend on the predictable infrequency of a...



Tags: data breach, PCI, planning, breach, disasters, Hurricane Sandy, preparation

Continued PCI ASV Certification and Increased Compliance Efforts

Court Little    |    October 16, 2012

For nine years running, Solutionary has passed the PCI ASV lab test. It's been nine years since we received our first certification – even before PCI was formed and MasterCard used to run the scanning lab under the Site Data Protection (SDP) program.

As PCI forges ahead, we have been busy increasing and expanding our ASV program including a fully PCI-compliant workflow system built into the ActiveGuard® portal. This lets clients manage false positives, undocumented services, special notes and much more. It’s a breeze, seamlessly integrating your interaction with the findings and the Solutionary Operation...



Tags: PCI, PCI Compliance, Solutionary, vulnerabilities, ASV, PCI DSS, scanning

PCI Log Monitoring – Looking at the Hidden Costs of Requirement 10

Court Little    |    September 04, 2012

Recently, I was interviewed for an article on the 10 ways companies tend to fail PCI audits (shameless plug: http://www.darkreading.com/security/news/240004877/10-ways-to-fail-a-pci-audit.html). This prompted me to think about PCI from another perspective: What are the hardest PCI requirements to fulfill?

‘Hardest’ can be measured many ways. Some will measure by capital cost necessary to meet a requirement; others will measure by the operational daily cost (fancy way to say manpower) to maintain and perform a certain function. Others will measure ‘hard’ by a mix of the two and may add complexities like training to get people qualified to perform some requisite PCI function (i.e., getting proper Secure Application Coding training etc.). In large part, I would argue that the hardest (note that I am not saying ‘most...



Tags: log monitoring, managed security service provider, MSSP, PCI, PCI Compliance, SIEM

Solutionary is a leading managed security service provider. The company reduces the information security and compliance burden, providing flexible security services that work the way clients want; enhancing existing initiatives, infrastructure and personnel. This blog is a place to learn about, and discuss, a wide variety of security and compliance topics.