AccessIT Group

Journey to the Cloud

Last week, I had the privilege of speaking on a webinar with F5 about the complexities of securing internally created Large Language Models (LLMs) for organizations. This wasn’t about protecting end-users from asking ChatGPT how to make apple pie; it was about helping organizations safeguard their internal models from disclosing sensitive information. I was prepared to discuss AI Gateway features, profiles, and processes, but someone asked a question that really stuck with me: “What if we want to deploy this technology, but we haven’t even started our cloud journey?” AI is not a passing fad; it’s ubiquitous, and it’s reshaping cybersecurity. But the question also highlighted an important point: some organizations haven’t yet embraced the cloud. So what steps should be taken when starting that journey?

Top 3 Considerations for Your Cloud Journey

A smooth move to the cloud isn’t just about shifting workloads; it’s about building a secure foundation. Here are three key areas to focus on when transitioning from on-premises to the cloud: IAM, segmentation, and resiliency. Think of it like moving to a new house: before unpacking, validate what you really need, and don’t carry over that old box of shoes lurking under the staircase.

1. IAM (Identity and Access Management)

There are countless guides on configuring IAM roles and policies, but how do you validate who actually needs access? Does a security analyst who is also a cloud administrator need full admin rights? What about a network engineer who occasionally requires elevated privileges? Should you just give this individual wildcard (*) access? Getting IAM right requires careful planning with your business units. It’s arguably the most important step when moving to the cloud, because overly permissive access can introduce significant risks.

2. Segmentation

When migrating to the cloud, traffic segmentation and policing are critical. Cloud providers offer many built-in security tools, but sometimes third-party solutions provide better efficacy for controlling and monitoring traffic. Thoughtful segmentation helps ensure that even if one segment is compromised, the rest of your environment remains secure.

3. Resiliency

In traditional data center design, we built redundancy into power feeds, port-channels, and VM placement to ensure failover in case of a failure. The cloud promises high availability, but if your architecture isn’t designed for failover across multiple availability zones, a major outage can leave you vulnerable. Your most critical data, whether you call it your “crown jewel” or “honey-pot,” deserves protection through resilient designs that account for failover and disaster recovery.

Final Thoughts

Cloud adoption isn’t just a technology shift; it’s an opportunity to rethink security and resiliency from the ground up. Start with IAM, plan your network segmentation carefully, and design for failover. By doing so, you’ll not only protect your data but also ensure a smooth, secure move to the cloud.
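The IAM section above asks whether an engineer should simply be handed “(*)” access. One way to make that question answerable before a policy is attached is to lint the policy document for wildcards and unconditioned write access. The script below is an added example, not AccessIT Group’s tooling and not any cloud provider’s API; the two policies are constructed for the example in the AWS IAM JSON shape (Effect / Action / Resource / Condition), and the action prefixes treated as read-only are a judgement call made here.

```python
"""Lint IAM-style policy documents for statements broader than the role needs.

Added illustration (not AccessIT Group's or a cloud provider's code). The two
policies are constructed; the AWS IAM JSON shape is assumed, and the read-only
prefixes below are this example's own definition of "low risk".
"""
import json
from fnmatch import fnmatchcase

# Actions matching these patterns are treated as read-only for this example.
READ_ONLY_PATTERNS = ("*:Describe*", "*:List*", "*:Get*")

# Constructed: the "(*) access" shortcut the post warns against.
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

# Constructed: a network engineer who may read widely but may only change one
# security group, and only with MFA present.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:DescribeInstances", "ec2:DescribeSecurityGroups"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["ec2:AuthorizeSecurityGroupIngress",
                    "ec2:RevokeSecurityGroupIngress"],
         "Resource": "arn:aws:ec2:us-east-1:111122223333:"
                     "security-group/sg-0123456789abcdef0",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    ],
})


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint_policy(document: str) -> list:
    """Return one finding per over-broad Allow statement; [] means nothing to flag."""
    findings = []
    statements = _as_list(json.loads(document).get("Statement", []))
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        # NotAction / NotResource grant everything except a list; a linter cannot
        # judge that safely, so hand it to a human.
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {idx}: uses NotAction/NotResource; review manually")
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        # A bare "*" or "service:*" grants more than any role can justify up front.
        wild = [a for a in actions if a == "*" or a.endswith(":*")]
        if wild:
            findings.append(f"statement {idx}: wildcard action(s) {wild}")
        # Write actions on every resource with no Condition is the shape to scope down.
        mutating = [a for a in actions
                    if not any(fnmatchcase(a, p) for p in READ_ONLY_PATTERNS)]
        if mutating and "*" in resources and "Condition" not in stmt:
            findings.append(f"statement {idx}: non-read-only action(s) {mutating} "
                            "on every resource with no Condition")
    return findings


if __name__ == "__main__":
    for name, doc in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, lint_policy(doc) or "no findings")
```

Run as a pre-commit or pipeline step over every policy document before it reaches an identity; the scoped policy passes clean, while the wildcard policy produces two findings that the requesting business unit has to justify or narrow.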

Governance of AI and Other Emerging Technologies: Balancing Innovation and Responsibility

Artificial Intelligence (AI) and other emerging technologies, such as blockchain, IoT, quantum computing, and biotechnology, are not just reshaping industries and societies but also offering a beacon of hope. These innovations bring immense potential to solve complex problems, drive efficiency, and enhance the quality of life. However, they also raise critical questions about ethics, privacy, security, and accountability. The challenge lies in ensuring that these technologies are developed and deployed responsibly, balancing innovation with societal values and public trust. This is where governance frameworks come into play, providing guidelines, policies, and regulations to manage the development and use of these technologies. In this blog, we’ll explore the importance of governance for AI and other emerging technologies, the challenges it addresses, and strategies for building robust governance frameworks to foster responsible innovation.

Why Governance of Emerging Technologies Matters

1. Ethical Considerations

Emerging technologies, particularly AI, often raise significant ethical implications. Without robust governance, technologies can lead to unintended consequences such as bias in AI systems, misuse of data, or decisions that harm vulnerable populations. Governance ensures that ethical principles such as fairness, transparency, and accountability are upheld.

2. Mitigating Risks

Emerging technologies introduce new risks, including security vulnerabilities, privacy violations, and the potential for misuse. Governance frameworks play a crucial role in mitigating these risks by establishing standards and best practices for secure development and deployment.

3. Building Trust

Public trust is essential for the widespread adoption of emerging technologies. Governance frameworks create transparency, demonstrating that developers and organizations prioritize user safety, privacy, and ethical behavior.

4. Ensuring Compliance and Regulation

Many sectors, such as healthcare, finance, and defense, are heavily regulated. Governance frameworks ensure that emerging technologies comply with industry-specific regulations and legal requirements, minimizing the risk of fines and legal challenges.

5. Supporting Sustainable Innovation

By providing guidelines and accountability mechanisms, governance frameworks help ensure that emerging technologies contribute to long-term societal and economic goals without causing harm or exacerbating inequality.

Key Challenges in Governing Emerging Technologies

1. Rapid Pace of Innovation

Emerging technologies evolve faster than regulatory frameworks can keep up. Policymakers often struggle to create rules that are flexible enough to accommodate future advancements while addressing present risks.

2. Global Scope

Technologies like AI and blockchain operate across borders, raising questions about jurisdiction and enforcement. Coordinating governance efforts on a global scale is a significant challenge.

3. Ethical Ambiguity

What is considered ethical or acceptable varies across cultures, industries, and stakeholder groups. Defining universal ethical standards for technologies like AI is complex and requires nuanced debate.

4. Balancing Regulation and Innovation

Over-regulation can stifle innovation, while under-regulation leaves room for misuse. Striking the right balance between fostering innovation and ensuring safety is a delicate task.

5. Accountability and Liability

Determining responsibility when emerging technologies fail or cause harm can be difficult, especially in cases involving autonomous systems or complex algorithms.

Principles for Governing AI and Emerging Technologies

Effective governance frameworks should be guided by principles that prioritize ethics, security, and inclusivity. Here are some key principles:

1. Transparency
2. Fairness and Inclusivity
3. Accountability
4. Security and Privacy
5. Adaptability

Strategies for Building Governance Frameworks

1. Multi-Stakeholder Collaboration
2. Develop Ethical Guidelines
3. Implement Regulatory Sandboxes
4. Invest in Education and Awareness
5. Use Standards and Certifications
6. Leverage Technology for Governance

Examples of Governance in Action

1. GDPR (General Data Protection Regulation)
2. OECD AI Principles
3. AI Governance in Healthcare

The Future of Governance for Emerging Technologies

As emerging technologies continue to evolve, governance frameworks must adapt to address new challenges. Here are some trends to watch:

The future of governance will require a delicate balance between fostering innovation, protecting public interests, and ensuring equitable access to technology.

Conclusion

The governance of AI and other emerging technologies is critical to unlocking their full potential while minimizing risks. By establishing robust frameworks that prioritize ethics, security, and inclusivity, we can ensure that these technologies drive positive change for society as a whole. The task ahead is complex, but with collaboration, transparency, and a commitment to responsible innovation, we can navigate the challenges of the digital age and create a future where technology works for everyone.

Are you ready to embrace governance as a cornerstone of your approach to emerging technologies? AccessIT can help you balance innovation and responsibility by implementing Governance of AI and Other Emerging Technologies into your processes. Let’s build a safer, more ethical, and sustainable future together.

Inside the 2025 PCI SSC North America Community Meeting: Insights, Myths, and Key Takeaways

This week, the payments security community gathered in Fort Worth, Texas, for the highly anticipated 2025 PCI SSC North America Community Meeting. Held from September 16–18, the event brought together Council staff, industry experts, and stakeholders from across North America to discuss the latest in payment card security, technical updates, and collaborative opportunities.

Setting the Stage: Why the PCI Community Meeting Matters

Every year, the PCI SSC North America Community Meeting is more than just a conference; it’s a crucial gathering spot that wouldn’t be the same without the varied perspectives from across the industry, including yours. This event sparks innovation, deepens relationships, and helps ensure that the standards safeguarding cardholder data stay strong and up-to-date in a rapidly changing environment.

Key Themes and Highlights

1. Technical and Security Updates

A central focus of this year’s meeting was on the latest technical and security developments in the payments ecosystem. Council staff and industry leaders shared insights on evolving threats, compliance requirements, and best practices for securing payment data. Attendees learned about upcoming changes to PCI standards and how these will impact merchants, service providers, and solution vendors.

2. Engaging Sessions and Expert Speakers

The agenda featured a robust lineup of sessions led by renowned speakers and subject matter experts. Topics ranged from practical guidance on implementing PCI DSS v4.0 to deep dives into emerging technologies such as tokenization, cloud security, and AI-driven fraud prevention. Panel discussions and interactive workshops encouraged lively debate and knowledge sharing among participants.

3. Community Collaboration

Collaboration remains a hallmark of the PCI Community Meeting. This year’s event emphasized the importance of active participation within the PCI ecosystem. Attendees were encouraged to join Special Interest Groups (SIGs), contribute to standards development, and network with peers facing similar challenges.

4. Looking Ahead: A Global Perspective

While the focus was on North America, the meeting also previewed upcoming PCI SSC events in Europe and Asia-Pacific, highlighting the global nature of payment security challenges and the need for international cooperation.

My Presentation: Busting PCI Myths

A personal highlight this year came unexpectedly when I was asked at the last minute to fill in for a tech talk slot. I presented “Busting PCI Myths: Practical Truths for Real Security,” a topic I’m passionate about after nearly two decades as a QSA and PCI advisor. During my talk, I addressed some of the most persistent misconceptions that continue to circulate in the industry:

The key takeaway? Don’t let PCI myths lull you into a false sense of security. Real protection comes from understanding your true responsibilities and building strong, layered defenses.

Ongoing Challenges: Requirements 6.4.3 and 11.6.1

Just like last year, there was significant discussion and some confusion around PCI DSS requirements 6.4.3 and 11.6.1. These requirements introduce critical mandates for script monitoring and tamper detection on payment pages, even for merchants completing the simplest SAQ-A. Many attendees were seeking practical guidance on how to implement these controls effectively, especially in cloud environments and where third-party service providers are involved.

Final Thoughts

The 2025 PCI SSC North America Community Meeting reaffirmed its status as the premier forum for shaping the future of payment security. Whether you’re a seasoned QSA or new to PCI, the event is a reminder that compliance is a journey, not a checkbox. If you missed it, I highly recommend checking out the PCI SSC website for session recordings and resources. Let’s continue to bust myths, share knowledge, and work together to build a stronger, more secure payments ecosystem.

Did you attend the meeting or have thoughts on some of the new requirements? Share your experiences in the comments below!

Legacy Stripe API Exploited: Why PCI DSS Requirement 6.4.3 is Critical for Payment Security

The digital payment ecosystem is under constant attack, and a recent campaign exploiting a legacy Stripe API has brought a new level of urgency to securing payment pages. Cybercriminals used this API to validate stolen credit card details, combining it with malicious scripts injected into payment pages to skim sensitive data. This attack highlights the evolving sophistication of skimming campaigns and the critical need for compliance with PCI DSS Requirement 6.4.3.

The Attack: A Wake-Up Call for Payment Security

In this campaign, attackers exploited a legacy Stripe API to validate stolen card details in real time. By injecting malicious JavaScript into payment pages, they were able to skim sensitive payment information directly from users. This attack was particularly dangerous because it could evade detection by only exfiltrating valid card data, ensuring the stolen information was immediately usable.

This incident underscores the vulnerabilities that can arise when legacy APIs and unsecured client-side scripts are not properly managed. It also demonstrates why PCI DSS v4.0 Requirement 6.4.3 is a game-changer for payment security.

What is PCI DSS Requirement 6.4.3?

PCI DSS Requirement 6.4.3, introduced in version 4.0 of the standard, focuses on securing client-side scripts that execute on payment pages. It requires organizations to:

- Maintain an inventory of all scripts running on payment pages.
- Justify the necessity of each script.
- Implement controls to ensure that only authorized scripts are loaded and executed in the consumer’s browser.

This requirement is designed to address the growing threat of JavaScript-based skimming attacks, like the one targeting the Stripe API. By enforcing tighter controls over client-side scripts, businesses can significantly reduce the risk of such attacks.

Why Compliance is Non-Negotiable

The consequences of non-compliance with PCI DSS can be severe. Beyond the risk of data breaches, businesses face potential fines, reputational damage, and loss of customer trust. The recent Stripe API attack is a stark reminder of the importance of securing payment pages and adhering to the latest security standards.

Even if you use a PCI-compliant payment processor like Stripe, your organization is still responsible for addressing potential gaps in your security posture. As noted in Stripe’s own documentation, businesses must ensure that their integration and client-side scripts meet PCI DSS requirements to avoid vulnerabilities. With PCI DSS v4.0 compliance becoming mandatory in 2025, now is the time to act.

How AccessIT Group Can Help

Navigating the complexities of PCI DSS compliance can be challenging, but you don’t have to do it alone. As a Qualified Security Assessor (QSA), AccessIT Group specializes in helping businesses understand and meet PCI DSS requirements. Our team of experts can:

- Conduct a comprehensive assessment of your payment page scripts.
- Guide you through the implementation of PCI DSS Requirement 6.4.3.
- Provide tailored solutions to ensure your organization achieves and maintains compliance.

Whether you’re just starting your compliance journey or need assistance adapting to the new requirements, AccessIT Group is here to help.

Take Action Today

The evolving threat landscape demands proactive measures to secure payment data. By prioritizing compliance with PCI DSS Requirement 6.4.3, you can protect your customers, safeguard your reputation, and stay ahead of cybercriminals. Ready to get started? Contact AccessIT Group today to learn how we can help you achieve PCI DSS compliance and fortify your payment security. Don’t wait until it’s too late; take the first step towards securing your business and your customers’ data.

You can read more about this story here.

By: Chad Barr – Director of Governance, Risk & Compliance – CISSP | CCSP | CISA | CDPSE | QSA
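The three obligations above (inventory every script, justify it, and allow only authorized scripts) become concrete when a merchant keeps a signed-off inventory and checks the live page against it. The script below is an added example, not AccessIT Group’s tooling and not a PCI SSC artifact: it parses the payment page, builds the script inventory, and reports any script that is not in the authorized list, any external script whose integrity attribute does not match the inventory, and any served script file whose content has changed. The pages, the authorized inventory and the stand-in for fetched script bodies are constructed for the example; external scripts are pinned with Subresource Integrity (SRI) sha384 digests, and inline scripts are identified by the digest of their exact body.

```python
"""Inventory the scripts on a payment page and report anything outside the authorized list.

Added example (not AccessIT Group's code, not a PCI SSC artifact). Pages, the
authorized inventory and the "fetched" bodies are constructed; SRI sha384 digests
are assumed as the way scripts are pinned.
"""
import base64
import hashlib
from html.parser import HTMLParser


def sri_digest(content: bytes) -> str:
    """Subresource Integrity value for a script body (sha384, base64)."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode()


class _ScriptCollector(HTMLParser):
    """Collects every <script> element: its src, integrity attribute and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._current = {"src": a.get("src"), "integrity": a.get("integrity"), "body": ""}

    def handle_data(self, data):
        if self._current is not None:
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def script_inventory(html: str) -> list:
    """The 6.4.3 inventory: every script element on the page, as parsed."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts


# Constructed: what the merchant reviewed and authorized, with a justification each.
# External scripts are keyed by URL; inline scripts by the digest of their exact body.
CHECKOUT_JS = b"window.checkout = { start: function () { return 'ok'; } };"
AUTHORIZED = {
    "https://js.example-psp.test/v1/checkout.js": {
        "justification": "Hosted payment form from the processor",
        "digest": sri_digest(CHECKOUT_JS),
    },
    "inline:" + sri_digest(b"window.checkout.start();"): {
        "justification": "Initialises the hosted form",
    },
}

# Constructed stand-in for fetching each external script at check time.
FETCHED = {"https://js.example-psp.test/v1/checkout.js": CHECKOUT_JS}

BASELINE_PAGE = (
    "<html><body>"
    '<script src="https://js.example-psp.test/v1/checkout.js" '
    f'integrity="{sri_digest(CHECKOUT_JS)}" crossorigin="anonymous"></script>'
    "<script>window.checkout.start();</script>"
    "</body></html>"
)

# Constructed: the same page after an unauthorized inline script and an
# unpinned third-party script were added.
TAMPERED_PAGE = BASELINE_PAGE.replace(
    "</body>",
    '<script src="https://cdn.unknown-vendor.test/helper.js"></script>'
    '<script>document.title = "changed";</script></body>',
)


def check_page(html: str, authorized: dict, fetched: dict) -> list:
    """Return findings for scripts that are unauthorized, unpinned or changed."""
    findings = []
    for s in script_inventory(html):
        if s["src"] is None:
            key = "inline:" + sri_digest(s["body"].encode())
            if key not in authorized:
                findings.append(f"unauthorized inline script ({key[:19]}...)")
            continue
        entry = authorized.get(s["src"])
        if entry is None:
            findings.append(f"unauthorized external script {s['src']}")
            continue
        if s["integrity"] != entry["digest"]:
            findings.append(f"{s['src']}: integrity attribute missing or differs from inventory")
        body = fetched.get(s["src"])
        if body is None or sri_digest(body) != entry["digest"]:
            findings.append(f"{s['src']}: served content does not match authorized digest")
    return findings


if __name__ == "__main__":
    print("baseline:", check_page(BASELINE_PAGE, AUTHORIZED, FETCHED) or "clean")
    print("tampered:", check_page(TAMPERED_PAGE, AUTHORIZED, FETCHED))
```

The baseline page comes back clean; the tampered page yields one finding for the unknown third-party script and one for the unexpected inline script. Because the check also hashes the served file, a processor script that changes upstream is flagged even when the page markup is untouched, which is the case a markup-only comparison misses.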

Navigating the New PCI DSS SAQ-A Updates: What Merchants Need to Know

The Payment Card Industry Security Standards Council (PCI SSC) has introduced significant updates to the Self-Assessment Questionnaire A (SAQ-A), effective March 31, 2025. These updates significantly change merchant eligibility requirements and compliance obligations, particularly for e-commerce businesses that outsource cardholder data processing. While the removal of two specific compliance requirements, 6.4.3 and 11.6.1, might initially appear to simplify the compliance process, a closer examination reveals a more complex reality. The updates shift the focus from explicit controls to broader, high-standard obligations, raising the bar for merchants seeking to qualify for SAQ-A.

This blog post delves into the key changes to SAQ-A, their implications for merchants, service providers, and Qualified Security Assessors (QSAs), and actionable steps stakeholders can take to navigate this evolving compliance landscape.

Understanding the Changes to SAQ-A

The updated SAQ-A introduces two major changes: specific compliance requirements (6.4.3 and 11.6.1) are removed, and new eligibility criteria are added. Let’s examine these changes in more detail.

1. Removal of Requirements 6.4.3 and 11.6.1

Previously, SAQ-A merchants needed to comply with the following requirements:

- Requirement 6.4.3: Mandated the inventory, justification, and control of all scripts on payment pages, ensuring that each script was authorized and its integrity assured.
- Requirement 11.6.1: Required merchants to monitor payment pages for unauthorized modifications, including changes, additions, and deletions to scripts or security-impacting HTTP headers.

These controls were designed to protect against malicious script-based attacks, such as eSkimming or Magecart, which target e-commerce systems to compromise sensitive data. However, with the latest SAQ-A update, these requirements are no longer explicitly mandated for SAQ-A merchants. This does not mean that the underlying security objectives have been abandoned.

2. New Eligibility Criteria

While removing 6.4.3 and 11.6.1 might seem like a relaxation of obligations, introducing a new eligibility criterion significantly raises the compliance threshold. To qualify for SAQ-A, merchants must now confirm that their entire e-commerce site—not just the payment page—is secure and not susceptible to attacks from malicious scripts. This includes:

- Protection against first-party, third-party, and external scripts that could compromise e-commerce systems.
- Comprehensive security measures to prevent vulnerabilities across the entire website, beyond the scope of the payment page.

This shift in focus creates a circular compliance challenge: even though 6.4.3 and 11.6.1 are no longer required, the new eligibility requirement effectively necessitates adherence to the principles of these controls. Merchants must still implement robust protections, such as script monitoring and integrity checks, to secure their e-commerce environments and maintain compliance.

Guidance and Clarifications

On February 28, 2025, the PCI SSC released FAQ 1588, further clarifying the updated SAQ-A requirements. Key takeaways include:

1. Scope: The new eligibility criteria apply only to merchant sites hosting embedded payment forms (e.g., iFrames). Redirects or links to payment pages are excluded. Third-party scripts unrelated to payment processing and incapable of compromising account data security are not considered third-party service providers.

2. Eligibility Options: Implementing requirements 6.4.3 and 11.6.1 remains sufficient to meet the new eligibility criteria. Alternative solutions, such as penetration testing, web application firewalls (WAFs), or processor attestations, may also fulfill the criteria, subject to QSA discretion. Provided merchants adhere to implementation guidelines, payment processors can provide written confirmation that their iFrame solutions include the necessary protection against script-based attacks.

What Hasn’t Changed?

Despite the updates to SAQ-A, several key elements remain unchanged:

1. Compliance Deadlines: The deadline for compliance with PCI DSS v4.0.1, including requirements 6.4.3 and 11.6.1, remains March 31, 2025, for all merchants not eligible for SAQ-A.

2. Requirements for Service Providers: Service providers must still comply with 6.4.3 and 11.6.1, ensuring comprehensive script inventory, monitoring, and security of payment flows.

3. Security Expectations for SAQ-A Merchants: While the compliance process may appear streamlined, SAQ-A merchants are still expected to implement robust protections against vulnerabilities, particularly those related to script-based attacks.

Implications for Stakeholders

The changes to SAQ-A have far-reaching implications for merchants, service providers, and QSAs. Here’s what each group needs to know:

1. For SAQ-A Merchants

The new eligibility criteria are likely to pose significant challenges for merchants:

- Eligibility Hurdles: To qualify for SAQ-A, merchants must now secure their entire e-commerce site against script-based attacks. This requires implementing robust script controls and monitoring solutions, even though 6.4.3 and 11.6.1 are no longer explicitly required.
- Expanded Compliance Obligations: Merchants who cannot meet the new eligibility criteria will need to complete other, more comprehensive Self-Assessment Questionnaires (SAQs), such as SAQ A-EP. This represents a significant compliance uplift, as SAQ A-EP includes 151 requirements compared to the 19 in SAQ-A.

2. For Service Providers

Service providers play a crucial role in helping merchants navigate these changes:

- Educating Merchants: Small merchants must be educated about the importance of script controls and the implications of the new eligibility criteria. Misinterpreting the updates as a relaxation of obligations could leave merchants vulnerable to attacks.
- Offering Solutions: Service providers can generate additional revenue by offering value-added services that simplify compliance for merchants while enhancing their security posture. For example, solutions that monitor and secure scripts can help merchants meet the new eligibility criteria.

3. For QSAs

Qualified Security Assessors must adapt their approach to reflect the new SAQ-A requirements:

- Clarifying Misconceptions: QSAs must emphasize that removing 6.4.3 and 11.6.1 does not reduce security obligations. Under the new eligibility criteria, the expectation to secure e-commerce environments remains unchanged.
- Providing Guidance: QSAs should recommend proven tools and solutions, such as Content Security Policy (CSP) and Subresource Integrity (SRI), or third-party platforms, such as Human Security, Source Defense’s platform, or Jscrambler, to help merchants secure their websites and achieve compliance.

Addressing the Compliance Challenge

Merchants facing the new SAQ-A eligibility criteria have several options to ensure compliance:

1. Conduct Web Application Testing

Merchants can take a proactive approach by conducting web application assessments to demonstrate that their e-commerce site is not susceptible to malicious script-based attacks. This approach lets merchants provide the evidence needed to satisfy the new eligibility requirements, giving them a sense of control over their compliance.

2. Implement 6.4.3 and 11.6.1 Across the Entire Site

Although these