Being a responsible corporate citizen and member of the local community is at the core of Control Gap’s daily operations. We believe in making work a rewarding experience by incorporating fun team events within our corporate culture, and supporting cause-related and local organizations.

Blog

Equifax Move Over, Here Comes The Cambridge Analytica and Facebook Scandal!

We've been following security and breaches for a long time and they have been getting unquestionably worse. While mega credit card breaches seem to have been falling off lately, other industries like healthcare, research analytics, and financial services have quickly taken their place. Last year was a record breaker for vulnerabilities and data breaches. We thought that Equifax was about as bad as it could get short of an all-out cyber-war. In light of recent events, that opinion now looks optimistic.

What Could Eclipse Equifax?

The big news that has emerged over the weekend and on Monday, March 19th is a breach or theft of data from Facebook by Strategic Communications Laboratories and Cambridge Analytica. It's not so much the scale of the breach, as Equifax is currently about 3 times larger; it is the very nature and exploitation of the breach/theft. If the reporting on this is accurate, this is far more disturbing than the neglect and apparent incompetence that led to the Equifax breach. The reporting not only hints at neglect and disinterest but carries strong suggestions of criminal activity. Currently, Facebook is aggressively investigating the incident and Cambridge has denied these claims. What is certain at this point is that both Facebook and Cambridge need to do some serious explaining. It's not just that Cambridge took the data but also that Facebook appears to have known and been less than forthcoming about what they knew. There will be multiple inquiries and investigations in many countries. There will also be lawsuits and possibly criminal trials, as well as calls to put limits on tech companies or possibly break them up. Lastly, even if Facebook naively trusted a researcher who lied and cheated, there will be demands for changes.

Another thing that is certain is that Cambridge Analytica's role in the Brexit vote will raise questions in the UK. Their association with the Trump campaign in the 2016 US elections and connections to political figures like Steve Bannon, a one-time VP with Cambridge, and Donald Trump will add further intrigue and fuel to the already fragmented US political scene. Reporting indicates the Mueller investigation will also be looking into Cambridge. Finally, investigative journalists in the UK went undercover and have video of Cambridge executives talking about setting up opponents to look like they're corrupt or involved with prostitutes and leaking the videos on the Internet. Cambridge is denying it, claiming it was a setup and that they were lured into a "hypothetical discussion." Taken together, and if accurate, Cambridge may have gone far beyond just targeting election ads. They may have actively manipulated and deceived the public. They may possibly be real "fake news."

Based on what has been reported to date, if accurate, we'd be surprised if Cambridge Analytica can survive as a company. Facebook too may be wounded even if it is too large to be killed. Even if the US doesn't take action against Facebook, other jurisdictions can. Several states with breach disclosure laws may act and the EU already has a tense relationship with Facebook. One thing that is certain is that there is a lot more to this story and we will be hearing about it for a long time to come. What follows is a summary of news articles which should get you started. Keeping up on this will surely challenge everyone given the rate of new articles that keep appearing.

What Has Been Reported?

Cambridge Analytica, Strategic Communications Laboratories, and SCL Elections (all related) used a personality app to profile approximately 270K Facebook users. Using a further "loophole", they were able to gather information on another 50M users without asking for any consent; this data was in turn used to generate over 30M psychographic profiles. The company has denied this for years. Facebook denies this was a breach, confirms that Cambridge stole its data, and has shut out the whistle-blower, Strategic Communication Laboratories, and Cambridge Analytica.

Some background

Not to be confused with ...

PCI DSS May Require Pulling Up Your SOX (or ISO)

Executives and managers in organizations preparing for their first onsite PCI security assessment may feel confident that having passed a SOX audit will make passing a PCI audit relatively easy. And while it's true that it can make passing PCI easier, there can often be significant and expensive gaps between complying with the two frameworks.

SOX and PCI Have Different Programs, Objectives and Methods

Perhaps it's human nature to confuse these very different programs. That certainly seems to be what we've seen in the industry. Without question, SOX and PCI both require strenuous effort to achieve compliance and complete audits; however, we find that the gaps between them can be significant, which is often unexpected and surprising. Understanding why requires a slightly deeper look, as there are several reasons why SOX and PCI don't align:
  • The most significant reason is that while both standards focus on protecting information and both deal with best practices, their fundamental objectives are quite different. Both are reactions to control failures that began more than a decade ago: SOX to Enron et al., and PCI to Egghead, CardSystems, TJX, Heartland, Target, Home Depot, and many others. SOX is really all about accuracy and integrity for the purpose of supporting audited financial statements. PCI is about preventing payment card account data breaches. Consequently, SOX is concerned with who changed what, whereas PCI is ultimately more concerned with who saw cardholder data.
  • PCI is far more prescriptive and detailed than SOX. Management and auditors have more flexibility in their choice and tuning of best practices adopted in a SOX world. SOX controls often come up short when viewed through a PCI lens.
  • PCI scope and applicability are often broader than under SOX. PCI scope extends across the entirety of unbounded networks and connected systems. As such it tends to consume entire corporate networks and all connected systems. While there is no requirement for internal segregation of systems under PCI, in many cases achieving full compliance without segregation is impossible in practice. SOX simply allows more flexibility and selectivity than PCI.
  • SOX controls are based upon well-established criteria for determining materiality. PCI has no similar built-in concept. The underlying regulations are written without regard to transaction/account volumes or risk. While the application of PCI under the payment brand regulations does include concepts of risk based on transaction/account volumes and payment channels, the lack of a materiality concept can be challenging in low risk situations.
Similarly, PCI and ISO/IEC 27001 also don't completely align and many gaps can arise if the ISO Information Security Management System (ISMS) doesn't specifically consider PCI DSS control requirements.

13 Years On and PCI DSS Is Still A Challenge

With PCI DSS entering into its 13th year, a fair question to ask would be "why are organizations still finding PCI challenging?" One reason is that PCI DSS validation isn't one size fits all:
  • The only organizations fully assessed (i.e. completing a Report on Compliance) under PCI DSS are the largest merchants and service providers (by transaction/account volumes), those unfortunate to have suffered a data breach, and any that voluntarily assess.
  • Smaller organizations are expected to be fully compliant but are measured using a lighter weight validation process (i.e. a Self-Assessment Questionnaire) that leaves out much of the detail and rigor of a full assessment.
  • Issuers of credit cards, often large banks, are also expected to be fully compliant but have been so far exempt from the mandatory formal annual validation required of those accepting credit cards.
Another major reason is that business and technology changes within the organization are a significant factor contributing to the ongoing challenge. These almost always result in a PCI DSS scope change:
  • Business changes such as mergers, acquisitions, and new lines of business can introduce non-compliant elements.
  • Business changes that exploit new technologies (e.g. mobile applications, pay at the door) that will need to be compliant.
  • Business growth can lead to increased account/transaction volumes that can cross the threshold requiring a full assessment.
  • Previously unidentified cardholder data processes and flows such as Shadow IT going through their first assessment.
  • Technology changes (e.g. telephony) within the business can dramatically impact an organization's compliance footprint.
  • Contractual and other business requirements from customers (where the business is a service provider).
  • Inadequate due diligence on validating a solution, a service provider or other third party.
  • Businesses also need to be prepared for future mandated DSS requirements which are added to address new threats and feedback from breaches.
We believe we've covered the major reasons above; however, other factors such as staff changes, training, and even assessor changes can also create their own challenges. We hope that this provides some insight into why many organizations and some large players are still struggling with PCI DSS to this day. We also hope that you will find our Learn More resources valuable.

Learn More

Becoming PCI Compliant can be difficult, so why not let Control Gap guide you? We are the largest dedicated PCI compliance company in Canada. Contact us today and learn more about how we can help you: Get PCI Compliant. Stay PCI Compliant.

17 Predictions About the Next Version of PCI DSS

PCI DSS v3.2 is due for an update this year - but what will that look like? In this article, we peer into our crystal ball to make some predictions ...

What Will The New DSS Bring?

Q: The updated DSS will need a new version number, so will that be: 4.0, 3.3, or 3.2.1?
A: The PCI Council indicated in 2017 that they expect that the next update to the DSS will not be a major overhaul. We've also seen indications that there will likely be changes that go beyond just baking in future dated requirements. We expect a new DSS published before the end of Q3 2018 and it will be version 3.3.
Q: What about SSL and early TLS?
A: The transition period ending June 30, 2018 will not be extended. The exemption for POI devices that can show they remain safe to use will remain for the foreseeable future. As PCI PTS and PA-DSS have not allowed this exemption for some time there may be clarification that this is intended for legacy devices (i.e. pre-existing deployments).
Q: What about Multi-factor Authentication requirements?
A: The current MFA requirements dated January 31, 2018 will be baked into the new DSS. This was supported by recently released guidance on MFA (see PCI below). So we don't expect major changes here. Some minor clarifications are possible and we wouldn't be surprised to see FAQs emerge (e.g. strong vs. weak MFA).
Q: What about the other January 31, 2018 requirements?
A: The requirements to ensure that all entities include PCI DSS controls in all new or updated systems; as well as, the additional documentation and procedures required of service providers will be baked into the new version. Possibly these will be accompanied by some clarifications.
Q: How soon will the new DSS come into effect?
A: We expect that the new DSS will be designed to come into effect very quickly after publication. In order to facilitate this, we expect that any significant changes will be future dated to allow for orderly transition.
Q: How will PCI align with the new NIST password complexity guidance?
A: We would expect the new DSS will handle this in an evolutionary manner retaining backward compatibility and using "equivalent or better strength" interpretations. We'd like to see adjustments that wouldn't require the use of compensating controls (see NIST below).
Q: How will the DSS align with the updated OWASP 2017 Top 10 list?
A: While OWASP and PCI don't always stay in perfect alignment, this generally should not be a problem as PCI is intended to align with current industry best practices (note on 6.5) and has a backstop rule (6.5.6). The backstop requirement mandates that "high severity" vulnerabilities must be corrected. However, there has been some recent drift which includes a couple of significant changes (see OWASP below). We expect there is a reasonable chance of PCI DSS clarifications and possibly some future-dated requirements to bring these closer together. The following have no direct counterpart in the 6.5.x requirements, and we think that there may be some adjustment to better align with A4, A8, and A9. From a best practice perspective, it may be time to ensure that code reviews look for logging deficiencies (A10).
  • A4:2017 XML External Entities (XXE)
  • A8:2017 Insecure Deserialization
  • A9:2017 (and 2013) Using Components with Known Vulnerabilities
  • A10:2017 Insufficient Logging & Monitoring
Q: Will any of the requirements that apply only to service providers be applied to merchants?
A: Several Business as Usual (BAU) requirements, such as validating that executive management has established responsibility for an internal PCI DSS compliance program (12.4.1) and that processes are being followed throughout the year (12.11), may be considered for expansion to merchants. Again, we would expect these to be future dated and possibly with different frequency (e.g. semi-annually vs quarterly).
Q: Will any of the Designated Entity Supplemental Validation (DESV) requirements make it into the core of the DSS?
A: We expect that the bulk of the DESV requirements will remain in Appendix A3.
Q: How will the DSS address industry changes, such as the new 8-digit BINs?
A: The rules for truncation will remain the same; however, there may be clarifications added to account for the fact that in some cases full 8-digit BINs may be considered cardholder data requiring protection (e.g. encryption) (see BIN truncation below).
Q: Will the new DSS deprecate 64-bit-block ciphers like 3-DES and Blowfish?
A: PCI tends to avoid specifying algorithms within the DSS and relies instead on the use of "strong cryptography" and the use of supporting documents. However, the problem with 64-bit-block ciphers is similar to the SSL and early TLS problem, with a similar mix of use cases and migration challenges (see Sweet32 below). We anticipate that a solution similar to Appendix A2 and the SSL/early TLS migration with long future dates may be included in the next DSS.
Q: Will the new DSS deprecate SHA-1?
A: The DSS relies upon the definition of strong cryptography in the official PCI DSS Glossary and FAQs (see SHA-1 below and PCI FAQ). We expect this will be addressed within the Glossary.
Q: Will there be requirements for new security technologies like white-listing, code-signing, or Data Loss Prevention?
A: We don't anticipate the council will require the addition of new technologies into the DSS. They will continue to be used as examples in guidance and by organizations needing formal compensating controls.
Q: Will the DSS directly address newer technologies such as cloud and containers?
A: These are not generally addressed directly by the DSS but through separate guidance such as the 2013 Cloud guidance. At this time, there is no scheduled update for Cloud or Container technologies. If your organization is interested, you may want to contact the PCI Special Interest Group team.
Q: Will there be further clarifications to the e-commerce applicability scenarios used in SAQ A and A-EP and the supporting IFRAME/URL-redirection FAQs?
A: The current criteria for distinguishing these use cases continue to cause confusion in cases such as scripted IFRAMEs. While we don't expect the DSS to directly address this, we do expect that further clarifications in the form of FAQs are likely. While there is potential for some future dated requirements, such as confirming that the same origin policy is in force, we expect that additional SAQ eligibility requirements, or an increased compliance footprint for the simplest redirection use cases, are more likely.
Q: Will there be further changes to segmentation and isolation requirements/guidance?
A: We don't anticipate any major changes in the DSS requirements or current scoping guidance around segmentation and isolation. While there is always the potential for clarifications or minor updates through FAQs, we view this as mature and stable (see "Connected-to" below and Scoping below).
Q: Will PCI DSS continue to challenge organizations?
A: That much won't change.

Learn More

PCI Publications and Guidance

Industry Best Practice

Insight Articles

_______________________________________________________________ Becoming PCI Compliant can be difficult, so why not let Control Gap guide you. We are the largest dedicated PCI compliance company in Canada. Contact us today and learn more about how we can help you: Get PCI Compliant. Stay PCI Compliant. [post_title] => 17 Predictions About the Next Version of PCI DSS [post_excerpt] => [post_status] => publish [comment_status] => open [ping_status] => open [post_password] => [post_name] => predictions-next-version-pci-dss [to_ping] => [pinged] => https://controlgap.com/blog/connected-to-pci/ https://controlgap.com/blog/sha-1-is-dead/ https://controlgap.com/blog/nist-moves-on-sweet32/ https://controlgap.com/blog/pci-truncation-rules-clarified/ https://controlgap.com/blog/call-centers-pci-compliance/ [post_modified] => 2018-08-20 23:16:45 [post_modified_gmt] => 2018-08-20 23:16:45 [post_content_filtered] => [post_parent] => 0 [guid] => http://controlgap.com/?p=1625 [menu_order] => 57 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) ) [post_count] => 3 [current_post] => -1 [in_the_loop] => [post] => WP_Post Object ( [ID] => 1673 [post_author] => 2 [post_date] => 2018-03-20 14:43:11 [post_date_gmt] => 2018-03-20 14:43:11 [post_content] => We've been following security and breaches for a long time and they have been getting unquestionably worse. While mega-credit card breaches seem to have been falling off lately, other industries like healthcare, research analytics, and financial services have quickly taken their place. Last year was a record breaker for vulnerabilities and data breaches. We thought that Equifax was about as bad as it could get short of an all-out cyber-war. In light of recent events, that opinion now looks optimistic.

What Could Eclipse Equifax?

The big news that has emerged over the weekend and on Monday, March 19th is a breach or theft of data from Facebook by Strategic Communications Laboratories and Cambridge Analytica.  It's not so much the scale of the breaches as Equifax is currently about 3 times larger. It is the very nature and exploitation of the breach/theft. If the reporting on this is accurate, this is far more disturbing than the neglect and apparent incompetence that led to the Equifax breach. The reporting not only hints at neglect and disinterest but carries strong suggestions of criminal activity.  Currently, Facebook is aggressively investigating the incident and Cambridge have denied these claims. What is certain at this point is that both Facebook and Cambridge need to do some serious explaining.  It's not just that Cambridge took the data but also that Facebook appears to have known and been less than forthcoming about what they knew. There will be multiple inquiries and investigations in many countries. There will also be lawsuits and possibly criminal trials; as well as calls to put limits on tech companies or possibly break them up. Lastly, even if Facebook naively trusted a researcher who lied and cheated, there will be demands for changes. Another thing that is certain is that Cambridge Analytica's role in the Brexit vote will raise questions in the UK. Their association with the Trump campaign in the 2016 US elections and connections to political figures like Steve Bannon, a one-time VP with Cambridge, and Donald Trump will further intrigue and add fuel to the already fragmented US political scene. Reporting indicates the Muller investigation will also be looking into Cambridge. Finally, investigative journalists in the UK went undercover and have video of Cambridge executives talking about setting up opponents to look like they're corrupt or involved with prostitutes and leaking videos on the Internet. 
Cambridge is denying it, claiming it was a setup and that they were lured into a "hypothetical discussion." Taken together and if accurate, Cambridge may have gone far beyond just targeting election ads. They may have actively manipulated and deceived the public. They may possibly be real "fake news." Based on what has been reported to date, if accurate, we'd be surprised if Cambridge Analytica can survive as a company. Facebook too may be wounded even if it is too large to be killed. Even if the US doesn't take action against Facebook, other jurisdictions can.  Several states with breach disclosure laws may act and the EU already has a tense relationship with Facebook. One thing that is certain is that there is a lot more to this story and we will be hearing about it for a long time to come. What follows is a summary of news articles which should get you started.  Keeping up on this will surely challenge everyone given the rate of new articles that keep appearing.

What Has Been Reported?

Cambridge Analytica, Strategic Communications Laboratories, and SCL Elections (all related) used a personality app to profile approximately 270K Facebook Users, using a further "loophole" they were able to gather information on another 50M users without asking for any consent, these were in turn used to generate over 30M psychographic profiles.  The company has further been denying this for years. Facebook denies this was a breach, confirms that Cambridge stole it's data, and shuts out the whistle-blower, Strategic Communication Laboratories, and Cambridge Analytica

Some background

Not to be confused with ...

  [post_title] => Equifax Move Over, Here Comes The Cambridge Analytica and Facebook Scandal! [post_excerpt] => [post_status] => publish [comment_status] => open [ping_status] => open [post_password] => [post_name] => cambridge-analytica-facebook-scandal [to_ping] => [pinged] => [post_modified] => 2018-03-20 14:45:39 [post_modified_gmt] => 2018-03-20 14:45:39 [post_content_filtered] => [post_parent] => 0 [guid] => http://controlgap.com/?p=1673 [menu_order] => 45 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [comment_count] => 0 [current_comment] => -1 [found_posts] => 47 [max_num_pages] => 16 [max_num_comment_pages] => 0 [is_single] => [is_preview] => [is_page] => [is_archive] => 1 [is_date] => [is_year] => [is_month] => [is_day] => [is_time] => [is_author] => [is_category] => 1 [is_tag] => [is_tax] => [is_search] => [is_feed] => [is_comment_feed] => [is_trackback] => [is_home] => [is_404] => [is_embed] => [is_paged] => 1 [is_admin] => [is_attachment] => [is_singular] => [is_robots] => [is_posts_page] => [is_post_type_archive] => [query_vars_hash:WP_Query:private] => 33cf985084681950bc0bf4e00b11dc6e [query_vars_changed:WP_Query:private] => 1 [thumbnails_cached] => [stopwords:WP_Query:private] => [compat_fields:WP_Query:private] => Array ( [0] => query_vars_hash [1] => query_vars_changed ) [compat_methods:WP_Query:private] => Array ( [0] => init_query_flags [1] => parse_tax_query ) )
WP_Query Object ( [query] => Array ( [post_type] => post [post_status] => publish [cat] => 14, 134, 1 [orderby] => date [order] => desc [posts_per_page] => 3 [paged] => 2 [ignore_sticky_posts] => 1 ) [query_vars] => Array ( [post_type] => post [post_status] => publish [cat] => 14 [orderby] => date [order] => DESC [posts_per_page] => 3 [paged] => 2 [ignore_sticky_posts] => 1 [error] => [m] => [p] => 0 [post_parent] => [subpost] => [subpost_id] => [attachment] => [attachment_id] => 0 [name] => [static] => [pagename] => [page_id] => 0 [second] => [minute] => [hour] => [day] => 0 [monthnum] => 0 [year] => 0 [w] => 0 [category_name] => charity [tag] => [tag_id] => [author] => [author_name] => [feed] => [tb] => [meta_key] => [meta_value] => [preview] => [s] => [sentence] => [title] => [fields] => [menu_order] => [embed] => [category__in] => Array ( ) [category__not_in] => Array ( ) [category__and] => Array ( ) [post__in] => Array ( ) [post__not_in] => Array ( ) [post_name__in] => Array ( ) [tag__in] => Array ( ) [tag__not_in] => Array ( ) [tag__and] => Array ( ) [tag_slug__in] => Array ( ) [tag_slug__and] => Array ( ) [post_parent__in] => Array ( ) [post_parent__not_in] => Array ( ) [author__in] => Array ( ) [author__not_in] => Array ( ) [update_post_term_cache] => 1 [suppress_filters] => [cache_results] => [lazy_load_term_meta] => 1 [update_post_meta_cache] => 1 [nopaging] => [comments_per_page] => 50 [no_found_rows] => ) [tax_query] => WP_Tax_Query Object ( [queries] => Array ( [0] => Array ( [taxonomy] => category [terms] => Array ( [0] => 14 [1] => 134 [2] => 1 ) [field] => term_id [operator] => IN [include_children] => 1 ) ) [relation] => AND [table_aliases:protected] => Array ( [0] => wpcm_term_relationships ) [queried_terms] => Array ( [category] => Array ( [terms] => Array ( [0] => 14 [1] => 134 [2] => 1 ) [field] => term_id ) ) [primary_table] => wpcm_posts [primary_id_column] => ID ) [meta_query] => WP_Meta_Query Object ( [queries] => Array ( ) [relation] => 
[meta_table] => [meta_id_column] => [primary_table] => [primary_id_column] => [table_aliases:protected] => Array ( ) [clauses:protected] => Array ( ) [has_or_relation:protected] => ) [date_query] => [request] => SELECT SQL_CALC_FOUND_ROWS wpcm_posts.ID FROM wpcm_posts LEFT JOIN wpcm_term_relationships ON (wpcm_posts.ID = wpcm_term_relationships.object_id) WHERE 1=1 AND ( wpcm_term_relationships.term_taxonomy_id IN (1,14,134) ) AND wpcm_posts.post_type = 'post' AND ((wpcm_posts.post_status = 'publish')) GROUP BY wpcm_posts.ID ORDER BY wpcm_posts.menu_order, wpcm_posts.post_date DESC LIMIT 3, 3 [posts] => Array ( [0] => WP_Post Object ( [ID] => 1673 [post_author] => 2 [post_date] => 2018-03-20 14:43:11 [post_date_gmt] => 2018-03-20 14:43:11 [post_content] => We've been following security and breaches for a long time and they have been getting unquestionably worse. While mega-credit card breaches seem to have been falling off lately, other industries like healthcare, research analytics, and financial services have quickly taken their place. Last year was a record breaker for vulnerabilities and data breaches. We thought that Equifax was about as bad as it could get short of an all-out cyber-war. In light of recent events, that opinion now looks optimistic.

What Could Eclipse Equifax?

The big news that has emerged over the weekend and on Monday, March 19th is a breach or theft of data from Facebook by Strategic Communications Laboratories and Cambridge Analytica. It's not so much the scale of the breach, as Equifax is currently about 3 times larger; it is the very nature and exploitation of the breach/theft. If the reporting on this is accurate, this is far more disturbing than the neglect and apparent incompetence that led to the Equifax breach. The reporting not only hints at neglect and disinterest but carries strong suggestions of criminal activity. Currently, Facebook is aggressively investigating the incident and Cambridge has denied these claims. What is certain at this point is that both Facebook and Cambridge need to do some serious explaining. It's not just that Cambridge took the data but also that Facebook appears to have known and been less than forthcoming about what they knew. There will be multiple inquiries and investigations in many countries. There will also be lawsuits and possibly criminal trials, as well as calls to put limits on tech companies or possibly break them up. Lastly, even if Facebook naively trusted a researcher who lied and cheated, there will be demands for changes. Another thing that is certain is that Cambridge Analytica's role in the Brexit vote will raise questions in the UK. Their association with the Trump campaign in the 2016 US elections and connections to political figures like Steve Bannon, a one-time VP with Cambridge, and Donald Trump will further intrigue and add fuel to the already fragmented US political scene. Reporting indicates the Mueller investigation will also be looking into Cambridge. Finally, investigative journalists in the UK went undercover and have video of Cambridge executives talking about setting up opponents to look like they're corrupt or involved with prostitutes and leaking the videos on the Internet.
Cambridge is denying it, claiming it was a setup and that they were lured into a "hypothetical discussion." Taken together, and if accurate, Cambridge may have gone far beyond just targeting election ads. They may have actively manipulated and deceived the public. They may possibly be the real "fake news." Based on what has been reported to date, if accurate, we'd be surprised if Cambridge Analytica can survive as a company. Facebook too may be wounded even if it is too large to be killed. Even if the US doesn't take action against Facebook, other jurisdictions can. Several states with breach disclosure laws may act and the EU already has a tense relationship with Facebook. One thing that is certain is that there is a lot more to this story and we will be hearing about it for a long time to come. What follows is a summary of news articles which should get you started. Keeping up on this will surely challenge everyone given the rate of new articles that keep appearing.

What Has Been Reported?

Cambridge Analytica, Strategic Communications Laboratories, and SCL Elections (all related) used a personality app to profile approximately 270K Facebook users. Using a further "loophole", they were able to gather information on another 50M users without asking for any consent; these data were in turn used to generate over 30M psychographic profiles. The company has been denying this for years. Facebook denies this was a breach, confirms that Cambridge stole its data, and shuts out the whistle-blower, Strategic Communication Laboratories, and Cambridge Analytica.

Some background

Not to be confused with ...

PCI DSS May Require Pulling Up Your SOX (or ISO)
February 22 2018

Executives and managers in organizations preparing for their first onsite PCI security assessment may feel confident that having passed a SOX audit will make passing a PCI audit relatively easy. And while it's true that it can make passing PCI easier, there can often be significant and expensive gaps between complying with the two frameworks.

SOX and PCI Have Different Programs, Objectives and Methods

Perhaps it's human nature to confuse these very different programs. That certainly seems to be what we've seen in the industry. Without question, SOX and PCI both require strenuous effort to achieve compliance and complete audits; however, we find that the gaps between them can be significant, which is often unexpected and surprising. Understanding why requires a slightly deeper look, as there are several reasons why SOX and PCI don't align:
  • The most significant reason is that while both standards focus on protecting information and both deal with best practices, their fundamental objectives are quite different. Both are reactions to control failures that began more than a decade ago: SOX to Enron et al., and PCI to Egghead, CardSystems, TJX, Heartland, Target, Home Depot, and many others. SOX is really all about accuracy and integrity for the purpose of supporting audited financial statements. PCI is about preventing payment card account data breaches. Consequently, SOX is concerned with who changed what, whereas PCI is ultimately more concerned with who saw cardholder data.
  • PCI is far more prescriptive and detailed than SOX. Management and auditors have more flexibility in their choice and tuning of best practices adopted in a SOX world. SOX controls often come up short when viewed through a PCI lens.
  • PCI scope and applicability are often broader than under SOX. PCI scope extends across the entirety of unbounded networks and connected systems. As such it tends to consume entire corporate networks and all connected systems. While there is no requirement for internal segregation of systems under PCI, in many cases achieving full compliance without segregation is impossible in practice. SOX simply allows more flexibility and selectivity than PCI.
  • SOX controls are based upon well-established criteria for determining materiality. PCI has no similar built-in concept. The underlying regulations are written without regard to transaction/account volumes or risk. While the application of PCI under the payment brand regulations does include concepts of risk based on transaction/account volumes and payment channels, the lack of a materiality concept can be challenging in low risk situations.
Similarly, PCI and ISO/IEC 27001 also don't completely align and many gaps can arise if the ISO Information Security Management System (ISMS) doesn't specifically consider PCI DSS control requirements.

13 Years On and PCI DSS Is Still A Challenge

With PCI DSS entering its 13th year, a fair question to ask would be "why are organizations still finding PCI challenging?" One reason is that PCI DSS validation isn't one size fits all:
  • The only organizations fully assessed (i.e. completing a Report on Compliance) under PCI DSS are the largest merchants and service providers (by transaction/account volumes), those unfortunate to have suffered a data breach, and any that voluntarily assess.
  • Smaller organizations are expected to be fully compliant but are measured using a lighter weight validation process (i.e. a Self-Assessment Questionnaire) that leaves out much of the detail and rigor of a full assessment.
  • Issuers of credit cards, often large banks, are also expected to be fully compliant but have been so far exempt from the mandatory formal annual validation required of those accepting credit cards.
The other main reason is that business and technology changes within the organization are a significant factor contributing to the ongoing challenge. These almost always result in a PCI DSS scope change:
  • Business changes such as mergers, acquisitions, and new lines of business can introduce non-compliant elements.
  • Business changes that exploit new technologies (e.g. mobile applications, pay at the door) that will need to be compliant.
  • Business growth can lead to increased account/transaction volumes that can cross the threshold requiring a full assessment.
  • Previously unidentified cardholder data processes and flows such as Shadow IT going through their first assessment.
  • Technology changes (e.g. telephony) within the business can dramatically impact an organization's compliance footprint.
  • Contractual and other business requirements from customers (where the business is a service provider).
  • Inadequate due diligence on validating a solution, a service provider or other third party.
  • Businesses also need to be prepared for future mandated DSS requirements which are added to address new threats and feedback from breaches.
We believe we've covered the major reasons above; however, other factors such as staff changes, training, and even assessor changes can also create their own challenges. We hope that this provides some insight into why many organizations, including some large players, are still struggling with PCI DSS to this day. We also hope that you will find our Learn More resources valuable.

Learn More

Becoming PCI Compliant can be difficult, so why not let Control Gap guide you. We are the largest dedicated PCI compliance company in Canada. Contact us today and learn more about how we can help you: Get PCI Compliant. Stay PCI Compliant.

17 Predictions About the Next Version of PCI DSS
January 10 2018

PCI DSS v3.2 is due for an update this year - but what will that look like? In this article, we peer into our crystal ball to make some predictions ...

What Will The New DSS Bring?

Q: The updated DSS will need a new version number, so will that be: 4.0, 3.3, or 3.2.1?
A: The PCI Council indicated in 2017 that they expect that the next update to the DSS will not be a major overhaul. We've also seen indications that there will likely be changes that go beyond just baking in future dated requirements. We expect a new DSS published before the end of Q3 2018 and it will be version 3.3.
Q: What about SSL and early TLS?
A: The transition period ending June 30, 2018 will not be extended. The exemption for POI devices that can show they remain safe to use will remain for the foreseeable future. As PCI PTS and PA-DSS have not allowed this exemption for some time there may be clarification that this is intended for legacy devices (i.e. pre-existing deployments).
Q: What about Multi-factor Authentication requirements?
A: The current MFA requirements dated January 31, 2018 will be baked into the new DSS. This was supported by recently released guidance on MFA (see PCI below). So we don't expect major changes here. Some minor clarifications are possible and we wouldn't be surprised to see FAQs emerge (e.g. strong vs. weak MFA).
Q: What about the other January 31, 2018 requirements?
A: The requirements to ensure that all entities include PCI DSS controls in all new or updated systems; as well as, the additional documentation and procedures required of service providers will be baked into the new version. Possibly these will be accompanied by some clarifications.
Q: How soon will the new DSS come into effect?
A: We expect that the new DSS will be designed to come into effect very quickly after publication. In order to facilitate this, we expect that any significant changes will be future dated to allow for orderly transition.
Q: How will PCI align with the new NIST password complexity guidance?
A: We would expect the new DSS will handle this in an evolutionary manner retaining backward compatibility and using "equivalent or better strength" interpretations. We'd like to see adjustments that wouldn't require the use of compensating controls (see NIST below).
Q: How will  the DSS align with the updated OWASP 2017 top 10 list?
A: While OWASP and PCI don't always stay in perfect alignment, this generally should not be a problem as PCI is intended to align with current industry best practices (note on 6.5) and has a backstop rule (6.5.6). The backstop requirement mandates that "high severity" vulnerabilities must be corrected. However, there has been some recent drift which includes a couple of significant changes (see OWASP below). We expect there is a reasonable chance of PCI DSS clarifications and possibly some future-dated requirements to bring these closer together. The following have no direct correlation in the 6.5.x requirements, and we think that there may be some adjustment to better align with A4, A8, and A9. From a best practice perspective, it may be time to ensure that code reviews look for logging deficiencies (A10).
  • A4:2017 XML External Entities (XXE)
  • A8:2017 Insecure Deserialization
  • A9:2017 (and 2013) Using Components with Known Vulnerabilities
  • A10:2017 Insufficient Logging & Monitoring
Q: Will any of the requirements that apply only to service providers be applied to merchants?
A: Several Business as Usual (BAU) requirements, such as validating that executive management has established responsibility for an internal PCI DSS compliance program (12.4.1) and that processes are being followed throughout the year (12.11), may be considered for expansion to merchants. Again, we would expect these to be future dated and possibly with different frequency (e.g. semi-annually vs quarterly).
Q: Will any of the Designated Entity Supplemental Validation (DESV) requirements make it into the core of the DSS?
A: We expect that the bulk of the DESV requirements will remain in Appendix A3.
Q: How will the DSS address industry changes, such as the new 8-digit BINs?
A: The rules for truncation will remain the same; however, there may be clarifications added to account for the fact that in some cases full 8-digit BINs may be considered cardholder data requiring protection (e.g. encryption) (see BIN truncation below).
Q: Will the new DSS deprecate 64-bit-block ciphers like 3-DES and Blowfish?
A: PCI tends to avoid specifying algorithms within the DSS and relies instead on the use of "strong cryptography" and the use of supporting documents. However, the problem with 64-bit-block ciphers is similar to the SSL and early TLS problem, with a similar mix of use cases and migration challenges (see Sweet32 below). We anticipate that a solution similar to Appendix A2 and the SSL/early TLS migration, with long future dates, may be included in the next DSS.
Q: Will the new DSS deprecate SHA-1?
A: The DSS relies upon the definition of strong cryptography in the official PCI DSS Glossary and FAQs (see SHA-1 below and PCI FAQ). We expect this will be addressed within the Glossary.
Q: Will there be requirements for new security technologies like white-listing, code-signing, or Data Loss Prevention?
A: We don't anticipate the council will require the addition of new technologies into the DSS. They will continue to be used as examples in guidance and by organizations needing formal compensating controls.
Q: Will the DSS directly address newer technologies such as cloud and containers?
A: These are not generally addressed directly by the DSS but through separate guidance such as the 2013 Cloud guidance. At this time, there is no scheduled update for Cloud or Container technologies. If your organization is interested, you may want to contact the PCI Special Interest Group team.
Q: Will there be further clarifications to the e-commerce applicability scenarios used in SAQ A and A-EP and the supporting IFRAME/URL-redirection FAQs?
A: The current criteria for distinguishing these use cases continue to cause confusion in cases such as scripted IFRAMEs. While we don't expect the DSS to directly address this, we do expect that further clarifications in the form of FAQs are likely. While there is a potential for some future dated requirements, such as confirming the same origin policy is in force, we expect that additional SAQ eligibility requirements, or increasing the compliance footprint used for the simplest redirection use cases, are more likely.
Q: Will there be further changes to segmentation and isolation requirements/guidance?
A: We don't anticipate any major changes in the DSS requirements or current scoping guidance around segmentation and isolation. While there is always the potential for clarifications or minor updates through FAQs, we view this as mature and stable (see "Connected-to" below and Scoping below).
Q: Will PCI DSS continue to challenge organizations?
A: That much won't change.

Learn More

PCI Publications and Guidance

Industry Best Practice

Insight Articles

Equifax Move Over, Here Comes The Cambridge Analytica and Facebook Scandal!
March 20 2018

We’ve been following security and breaches for a long time and they have been getting unquestionably worse. While mega-credit card breaches seem to have been falling off lately, other industries like healthcare, research analytics, and financial services have quickly taken their place. Last year was a record breaker for vulnerabilities and data breaches. We thought

Read More
PCI DSS May Require Pulling Up Your SOX (or ISO)
February 22 2018

Executives and managers in organizations preparing for their first onsite PCI security assessment may feel confident that having passed a SOX audit will make passing a PCI audit relatively easy. And while it’s true that it can make passing PCI easier, there can often be significant and expensive gaps between complying with the two frameworks.

Read More
17 Predictions About the Next Version of PCI DSS
January 10 2018

PCI DSS v3.2 is due for an update this year – but what will that look like? In this article, we peer into our crystal ball to make some predictions … What Will The New DSS Bring? Q: The updated DSS will need a new version number, so will that be:  4.0,  3.3, or 3.2.1?

Read More
