79 posts tagged with “blog”

Non-Compliance Lesson No. 1: Wait until your assessment to validate scope


PCI DSS can be hard, and not preparing for it just makes it harder. Following this advice is guaranteed to make it both more exciting and…

Quantum Cryptography for Risk Managers or Shor, Grover, and the Crypto-Apocalypse


According to some, quantum cryptography will revolutionize cryptography, kill our current ciphers, and reveal all our secrets. But if you're…

Why Organizations Need to Become Crypto-Agile and What that Means


Cryptographic change is a reality. Since 2006, we have seen the sunset of WEP, SSLv2, RSA-1024, SSLv3 and early TLS. We know that Triple DES…

Why did my PCI DSS Scope Explode?!


It can be extremely frustrating for a compliance team to realize that additional systems are in-scope. It means additional and unexpected…

Don’t Tie Yourself in Knots Thinking you can Store Payment Card Verification Codes/Values


Card Not Present Security Codes/Values are the 3 and 4 digit printed numbers on your payment cards used to verify card-not-present…

Our Offensive Security Hiring Process


Control Gap is expanding our Offensive Security team and looking for talented individuals. To ensure that we have the right team, we needed…

The DSS, MageCart, and the DOM – Part 3 e-Commerce Skimming


Cyberattacks and data breaches have risen dramatically in recent years and no industry or organization is immune to these attacks. Merchants…

The DSS, MageCart, and the DOM – Part 2 Browsers, the DOM, and 3rd Party JavaScript


In part two of our series, we take a deeper dive into how JavaScript works and its implications to web and e-commerce security and…

The DSS, MageCart, and the DOM – Part 1: The PCI DSS e-Commerce Rules


It turns out that how you implement e-commerce can have a huge impact on your compliance footprint (i.e., the number of PCI security…

Why do some Issuers believe they don’t need to be PCI DSS compliant?


Documents from the PCI Council, MasterCard, and Visa clearly indicate that Issuers are required to be PCI DSS compliant (see Learn More…

6 Ways to Deal with the Magnitude of PCI DSS


Are you new to PCI DSS? Perhaps you need to refresh your approach? If so, this article breaks down 6 strategies that will help you eat the…

PCI DSS v4 is Coming – What Can You Rely On


PCI DSS v4.0 is coming and will bring big changes. The exact nature of the changes aren’t yet available as the standard is still evolving…

How a $1200 Graphics Card Threatens Your PCI DSS Compliance and Security


Organizations subject to PCI DSS compliance validation spend significant amounts of time, effort, and money to maintain and validate their…

Another Way 8-Digit Bins Complicate PCI Compliance: It's Not Just Data-at-Rest


The adoption of 8-digit BINs in 2022 has already created many transitional challenges for organizations needing access to the full BIN…

The MS Exchange - World-Wide Exploitation


For organizations running on-premise Microsoft Exchange servers, we want to make you aware of four severe zero-day vulnerabilities announced…

Visa 8-Digit BINs are Just Around the Corner and Many Questions Remain


If your business processes or stores the full-BIN, you need to know if you will be impacted by Visa's Numerics Initiative (i.e., the 8-Digit…

PINs, Passwords, and PCI


PINs, Passwords, and PCI What is the difference between Passwords and Passphrases, PINs, and other authentication factors under PCI DSS…

LLMNR / NBT-NS: You’re Poison!


Attention Windows sysadmins: search for "LLMNR" and once you've finished panicking, then get that nonsense disabled. Over the past year…

CDRThief New VoIP Linux Malware – Can Credit Card Skimmers be Far Behind?


Many organizations have either undergone or are planning migrations or acceleration of call centers, remote working, and online presence…

Did you MEME to share your personal info?


What’s your Covid-19 Plan? Our plan is to curl up in the fetal position in a supermarket with a tin-foil hat. But seriously… Everyone…

The ENTITY (a scary PCI monster)


If you're subject to PCI DSS you need to understand "The ENTITY". We aren't talking about a horror movie. Instead we are talking about…

Control Gap gets Cyber!


We are pleased to announce that we are now offering new CYBERSECURITY services! We want the name Control Gap to be synonymous in your mind…

Control Gap at Vancouver PCI Community Meeting


Control Gap is excited to announce that we will be exhibiting at this year’s @PCISecurityStandardsCouncil Community Meeting on September 1…



Whether you embrace or eschew the label of Road Warrior, if you've traveled extensively for business then you have experienced the trials…

What's the minimum I need to do for PCI?


As we complete the 3rd hour of the meeting discussing PCI scope, the customer turns to me and asks, “So what’s the minimum that I need to do…

Why POI Tamper Inspections are so Important


It is amazing to see how many organizations take things for granted in their environment. In the video below, you can see a skimmer device…

NIST is Sunsetting Triple DES - so what will the Financial Industry do?


NIST recently published a document "Transitioning the Use of Cryptographic Algorithms and Key Lengths" which formalizes the sunset of Triple…

NIST Update to Format Preserving Encryption Standard affects PCI Use Cases


Last month NIST announced they were seeking feedback on a proposed updated guidance for FPE. More formally this is SP 800-38G rev…

PCI SPoC (PIN on COTS) - Grand Experiment in Mobile Payments


Big changes are coming to payment security in 2019. PCI is launching a grand experiment in payment security - Software PIN on COTS (SPoC…

How can I tell if the site I shop from is secure?


Payment card breaches concern customers and businesses alike. A recent epidemic of e-commerce breaches is focusing attention on what makes a…

PCI DSS v3.2.1 - What You Need to Know to Stay PCI Compliant


To accept credit cards in Canada, businesses need to be PCI compliant. Becoming PCI compliant can be difficult in the first place and…

Control Gap is Proud to Support Casey MacKay in the 2018 Toronto Maple Leafs Skate for Easter Seals Kids!


We are excited to announce that we are supporting Casey Mackay, a student at Humber College finishing his program in Broadcasting…

Social Network Spiraling - Everything Going On with Facebook Up Until Now


In case you missed it, Facebook has had some issues recently and it's only getting uglier. Catch up on the news below: September's Breach The…

If You Take Credit Cards By Phone or Mail - You Need to Read About Visa's October Mandate


PCI Rules Aren't the Only Ones You Need to Comply With Most organizations concerned with payment compliance are focused on the PCI Data…

The 3 Approaches to Penetration Testing for PCI DSS


Understanding PCI DSS requirements in depth can often be confusing and frustrating. The requirements covering penetration testing, PCI DSS…

Equifax Move Over, Here Comes The Cambridge Analytica and Facebook Scandal!


We've been following security and breaches for a long time and they have been getting unquestionably worse. While mega-credit card breaches…

PCI DSS May Require Pulling Up Your SOX (or ISO)


Executives and managers in organizations preparing for their first onsite PCI security assessment may feel confident that having passed a…

17 Predictions About the Next Version of PCI DSS


PCI DSS v3.2 is due for an update this year - but what will that look like? In this article, we peer into our crystal ball to make some…

Understanding "Connected-to" - Is The Internet In Scope For PCI DSS?


PCI DSS is all about scope. Getting scope right or wrong is perhaps the single most critical factor determining the ultimate success or…

Control Gap Inc. Supports Easter Seals Ontario


This year, and for many years prior, Control Gap Inc. continues to be a proud supporter of Easter Seals Ontario through the Toronto Maple…

In The Payments World, Even Canadians Have ZIP Codes!


Many Canadians traveling to the US have experienced the frustration of running into a form of address verification. This is a common extra…

Hurricane Harvey: How To Avoid Scams When Donating To Natural Disaster Charity Groups


It's hard to imagine a natural disaster until it starts happening in your own backyard. Unfortunately, the people of Texas have experienced…

NIST Moves on Sweet32 - 3DES, Blowfish, and Others - Mostly Unsafe


Now is the time to stop using 64-bit block length ciphers such as 3DES (TDEA) and Blowfish in general purpose applications of cryptography…

Understanding P2PE, NESA, E2EE, and PCI Compliance


Compliance simplification, what most people call “scope reduction”, can have huge benefits in terms of saving time, effort, headaches, and…

PCI Compliance and the Intel AMT Vulnerability


On May 1st a critical new and possibly unprecedented vulnerability was announced. The flaw in Intel's Active Management Technology (AMT…

8-digit BIN Issues and Risks Remain after PCI Truncation Rules Clarified


Last month we wrote this article about issues arising from the addition of new BIN ranges and the lack of clear guidance specifically with…

7 Things You Can Do To Deal With The Recent Format Preserving Encryption (FPE) Compromise


Barely a year after NIST approved Format-Preserving Encryption (FPE) based on AES they've issued a news release that one of the approved…

3 Ways 8-Digit BIN Ranges May Impact PCI Compliance


New 8-digit Bank Identification Numbers (BIN) could complicate PCI truncation rules and create compliance headaches for those required to…

What The CIA WikiLeaks Dump Has In Common With PCI Compliance


In recent news, WikiLeaks exposed a huge trove of CIA documents. Journalists and bloggers will of course have a field day with this and the…

SHA-1 Is Dead!


History The SHA-1 cryptographic hash function was introduced in 1995. Weaknesses began to be discovered in 2005, and in 2011 NIST deprecated…

2017 Toronto Ride To Conquer Cancer


This year, Control Gap Inc. has donated $2,500 to The Enbridge Ride to Conquer Cancer which has been supporting the Princess Margaret Cancer…

What Is The Difference Between Masking And Truncation In PCI Compliance?


Masking and truncation of cardholder data may seem the same on the surface (e.g. 423456XXXXXX7890); however, each implies different…

What Is Cardholder Data In PCI Compliance?


Cardholder data, aka CHD, comes from credit, debit, and prepaid cards bearing the logo of one of the PCI founding card brands. CHD includes…

What Is Sensitive Authentication Data in PCI Compliance?


Sensitive authentication data, aka SAD, in PCI compliance is data used by the issuers of cards to authorize transactions. Similar to…

Supporting the Uganda Plastic Surgery Project


In September 2016, Control Gap Inc. donated $5,000 to the University of British Columbia's Uganda Plastic Surgery Project. About the Mission…

Call Centers and PCI Compliance: Things You Need to Know


Call centers can be challenging places. They range from small and simple to large and complex. For many businesses they are a place where…

In Support of The Canadian Cancer Society


In October 2016, Control Gap donated $5,000 to FCT in support of The Canadian Cancer Society's Relay for Life. In November, Gary Gallacher…

4 FAQs The PCI Security Standards Council Renamed in 2016


Anyone who relies on the PCI FAQ site for guidance may have noticed some changes in the last few months. In fact if you bookmarked some of…

PCI Announces NESA - A Stepping Stone To P2PE


Earlier this month the PCI Security Standards Council published a new document as part of the Point-to-Point Encryption (P2PE) program. This…

PCI Compliance Footprints: 7 Ways To Simplify Compliance, Reduce Risk And Save Money


While you may have heard of carbon footprints and ecological footprints, you might not be aware that there is such thing as a PCI Compliance…

3 Risks of Ignoring PCI Compliance


With more than 510 million records containing sensitive information breached since January 2005, statistics indicate that cardholder data…

12 Tips To Avoid Credit Card Data Breaches


PCI DSS: 12 Requirements to Protect Your Customer’s Credit Card Data Traditionally, ill-intentioned criminals have targeted banking…

PCI Compliance & Why You Need to be Compliant


Getting paid is just as important as PCI compliance. Businesses of all sizes rely on cash flow to effectively manage business operations. To…

What's changed in PA-DSS 3.2? Impacts to Vendors, Implementers, and Operators.


Recently, Control Gap posted an article performing a detailed analysis of the recent changes in the DSS due to 3.2. We do this because the…

How Microsoft Support Expiry can Affect Your PCI Compliance


Microsoft support offerings are designed to provide guidance for system administrators and managers. However, details of the Microsoft…

PCI DSS: Guide to Effective Daily Log Monitoring


Despite the widespread adoption of logging as part of operational security practices, organizations have continued to be challenged in…

PCI Under The Microscope


The PCI Council has testified before Congress about standards and breaches in both 2014 and 2009 (links are to Google Searches). This year…

Is Your Payment Application Ready to Leap to PA-DSS Version 3.2?


With the release of PA-DSS 3.2, on June 8th, the PCI Council has provided sunset dates for PA-DSS 3.1 applications and application listing…

PCI DSS v3.2 - What You Need to Know to Stay PCI Compliant


To accept credit cards in Canada, businesses need to be PCI compliant. Becoming PCI compliant can be difficult in the first place and…

The Panama Papers - a new kind of breach?


In the world of data breaches, it’s not often that we see something totally new. This last week we may just have had such a thing. Most…

PCI DSS V3.2 Is Almost Here!


The PCI Security Standards Council confirmed last week that the updated version of PCI DSS (v3.2) will be released at the end of April 201…

Why the Apple vs. FBI Dispute Is A Good Thing


The Internet and mainstream media has been ablaze with articles and opinion pieces about the dispute between the FBI and Apple over an…

Just like spring - a new version of PCI DSS will come early this year!


Last week the PCI Standards Council commented on the upcoming DSS 3.2 update and what it means for the rest of 2016. Ever since the sunset…

Sunset of SSL Extended


If you’ve been struggling with keeping up with various SSL vulnerabilities and planning an orderly cutover to TLS then the recent…

Must Format Preserving Encryption (FPE) be distinguishable from cardholder data for PCI?


Previously we looked at Format Preserving Encryption (FPE) its characteristics and suitability for application in solutions intended for PCI…

PCI DSS Version 3.1 Has Arrived


The PCI Security Standards Council today published the expected update to PCI releasing these documents including some specific migration…

PCI Security Standards Council set to kill off SSL in PCI DSS/PA-DSS 3.1 updates


The PCI council has released an announcement that they are preparing an updated version of the PCI DSS (v3.1) and PA-DSS (v3.1), where they…

What is Format Preserving Encryption and is it suitable for PCI DSS?


Format Preserving Encryption or FPE is recent technology that is beginning to show up in payment solutions with the promise of simplifying…

Analysis of PCI DSS 3.0


PCI DSS 3.0 was released Nov 2013. There are new and changed requirements with a more organized look. Check out our in-depth analysis and…
