Securisea Resources

The latest in security and compliance news and resources.

Understanding required ASV scans for SAQ A Merchants

September 13, 2024
PCI Compliance

Achieving and maintaining PCI Compliance is essential to online retailers that want to prove to customers that their sensitive cardholder data is secure. The most common way to do this is through the PCI Self-Assessment Questionnaire (SAQ) A, but with the introduction of PCI DSS v4.0, new requirements have been added, specifically around Approved Scanning Vendor (ASV) scans. 

What is PCI DSS SAQ A?

Any business that stores, processes, or transmits credit card data must demonstrate PCI compliance. To do so, companies can often complete the "PCI DSS Self-Assessment Questionnaire," but it’s important to check with your acquiring bank to confirm the appropriate SAQ for your situation.

Different types of SAQs are available, depending on how payment processing is handled. Online merchants, for example, often choose between SAQ A-EP and SAQ A. For merchants who outsource payment processing to PCI-certified third parties, SAQ A has been a simpler option because it traditionally required compliance with fewer standards—just 29 in total.

ASV Scans and PCI DSS v4.0 SAQ A

What are ASV Scans? ASV scans are designed to identify security vulnerabilities on external systems that could be exploited by attackers to compromise sensitive payment data. Previously, SAQ A did not require these scans, but with PCI DSS v4.0, this has changed. 

Now, businesses completing SAQ A must undergo vulnerability scans by an ASV at least every 90 days.

“Even if your business uses a redirect or iFrame for payments, you will still need these scans.” 

This is because cybercriminals often exploit weak spots in systems, and unpatched servers hosting your payment page could be targeted to inject malicious code or replace redirects with fraudulent checkout pages, potentially sending payment details to criminals.

This new requirement helps protect your website and your customers by identifying and addressing security issues before they can be exploited.

Why Did The PCI Council Mandate ASV Scans for SAQ A Merchants?

The PCI Council mandated ASV scans for SAQ A merchants to enhance the security of payment card data. While SAQ A merchants may not store or process cardholder data directly, their websites and systems still play a critical role in facilitating transactions. By introducing ASV scans, the PCI Council aims to close security gaps in the broader payment ecosystem, ensuring that merchants maintain secure environments even when using outsourced payment processing.

 The PCI Council has found that many data breaches occur due to: 

  • Weak passwords 
  • Misconfigured network devices
  • Other security flaws that can be identified through ASV scans

By mandating ASV scans for SAQ A merchants, the PCI Council is taking a proactive approach to security, rather than waiting for a data breach to occur before taking action.

What are the PCI DSS v4.0 SAQ A ASV Scan Requirements?

As specialists in PCI DSS, we want to highlight the changes introduced in this version that could impact businesses using SAQ A for their compliance, especially those who have done so in the past or are planning to in the future. This article will provide an overview of the SAQ A and its new ASV scanning requirements to help you prepare for these changes when you start filling out the questionnaire.

Best Practices for PCI DSS ASV Scans

With these new requirements in place, here are some recommended best practices to help businesses meet compliance:

  • Expand the scope of your ASV scans beyond just the payment page to include all relevant systems.
  • Whitelist trusted iFrame sources to minimize the risk of third-party interference.
  • Monitor your payment service provider’s compliance with PCI standards to ensure they’re not compromising your compliance efforts.
  • Address vulnerabilities quickly, especially high-risk findings that could be exploited.
  • Ensure that your ASV is PCI SSC-approved and properly trained to meet the rigorous standards required for PCI compliance.
  • Document your scanning processes to streamline future scans and ensure you’re prepared for compliance audits.
  • Consider scanning every 30 days instead of quarterly to catch vulnerabilities sooner.
  • Test your redirects and iFrames to ensure they are secure and functioning correctly.
  • Stay informed about ongoing changes in PCI DSS and leverage available tools to protect your business.

Securisea's ASV Scanning Services

Securisea is an Approved Scanning Vendor that offers PCI ASV scanning services to merchants of all sizes. Securisea specializes in helping merchants meet the requirements of the ASV scan mandate and maintain PCI compliance. Securisea's ASV scanning services include regular on-demand scans, annual scans for merchants using SAQ A, and vulnerability scanning. Securisea’s goal through this service is to protect consumers from the potential financial and logistical burdens of a data breach.

Securisea Can Help with PCI DSS v4.0

At Securisea, we understand that navigating the complexities of PCI DSS v4.0 can be overwhelming, but it doesn’t have to be. Our team of experts is here to guide you every step of the way, from understanding new requirements like ASV scans to ensuring you meet all compliance standards with confidence. Whether you're starting your PCI journey or transitioning to the latest version, Securisea can provide the expertise and solutions you need to secure your business and protect your customers. Contact us today to get started on your path to PCI DSS v4.0 compliance and safeguard your business for the future.

The Importance of DNSSEC for FedRAMP Compliance: How Securisea Can Help

August 29, 2024
FedRamp / StateRamp

DNSSEC (Domain Name System Security Extensions) is a feature of the Domain Name System (DNS) that verifies the authenticity of data in responses from authoritative DNS servers. It's a key requirement for cloud service providers (CSPs) to achieve and maintain Authority to Operate (ATO) for FedRAMP.

The DNS is essentially the phonebook of the internet, translating human-readable domain names (like securisea.com) into IP addresses that computers use to access websites. However, traditional DNS is inherently vulnerable to attacks like DNS spoofing and cache poisoning, where attackers can redirect users to malicious sites without their knowledge. DNSSEC adds a layer of cryptographic protection to DNS lookups, ensuring that the information returned by a DNS query is authentic and has not been tampered with. For organizations seeking FedRAMP compliance, implementing DNSSEC is essential to protect against these threats and maintain the integrity of their online services.

DNSSEC Requirements for FedRAMP certification

The FedRAMP Readiness Assessment Report includes the following questions in relation to your organization's DNSSEC configuration:

  • "Does the system’s external DNS solution support DNS Security (DNSSEC) to provide origin authentication and integrity verification assurances? This applies to the controls SC-20, SC-21, and SC-22 in the SSP." (section 4.1)

  • "Did the 3PAO [third-party assessment organization] verify that the external DNS server replies with valid DNSSEC responses and that the recursive server is within a FedRAMP Authorized boundary, makes DNSSEC requests for domains outside the boundary, and that DNS calls maintain DNSSEC authentication and integrity? [SC-20, SC-21]" (section 4.2)

Here's how DNSSEC helps:

Prevents DNS Spoofing and Cache Poisoning: DNSSEC adds a layer of security to the DNS by enabling the authentication of DNS responses. This prevents attackers from injecting false DNS data into the resolver's cache (cache poisoning) or redirecting traffic through DNS spoofing, which could lead to man-in-the-middle attacks.

Data Integrity Through Digital Signatures: DNSSEC ensures that the data returned by the DNS server is authentic and has not been altered in transit. It does this by using public-key cryptography to sign DNS data. When a DNS resolver receives a response, it checks the signature with the public key published in the DNS. If the signature is valid, the resolver knows the data has not been tampered with.

Enhanced Trustworthiness: For cloud service providers, ensuring the integrity of DNS data is crucial because any tampering could lead to users being redirected to malicious sites or services. DNSSEC helps maintain the trustworthiness of the DNS infrastructure by ensuring that users are directed to the correct IP addresses for cloud services.

Protection Against Downtime and Data Breaches: By securing the DNS infrastructure, DNSSEC helps cloud service providers protect against potential downtime caused by DNS attacks and prevents unauthorized access to sensitive data that could result from DNS hijacking.

Support for Secure Authentication Mechanisms: DNSSEC lays the foundation for additional security mechanisms, such as DANE (DNS-based Authentication of Named Entities), which can be used to ensure secure connections to cloud services by verifying the authenticity of SSL/TLS certificates.
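The section 4.2 question above asks whether DNS replies actually carry DNSSEC data. The following added example (not Securisea's or FedRAMP's code) builds a query with the DO bit set and inspects a response for RRSIG coverage and the AD flag. The function names, the example.com responses and the placeholder signature bytes are constructed for illustration, and the check reports presence of signatures only; it does not verify them cryptographically.

```python
import struct

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
FLAG_AD = 0x0020   # Authenticated Data: set by a validating resolver (RFC 4035)
DO_BIT = 0x8000    # "DNSSEC OK", carried in the EDNS0 OPT record's TTL field

def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in the root label."""
    parts = [p for p in name.rstrip(".").split(".") if p]
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"

def build_query(name, qtype=TYPE_A, msg_id=0x1234):
    """Query with RD set and an OPT record asking for DNSSEC records (DO bit)."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, DO_BIT, 0)
    return header + question + opt

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length

def dnssec_summary(msg):
    """Report the AD flag and whether every answer RR type has a covering RRSIG."""
    try:
        _id, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
        off = 12
        for _ in range(qd):
            off = skip_name(msg, off) + 4        # skip QTYPE and QCLASS
        answer_types, covered = set(), set()
        for i in range(an + ns + ar):
            off = skip_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            off += 10
            if off + rdlen > len(msg):
                raise ValueError("RDATA runs past end of message")
            if i < an:                           # only the answer section counts
                if rtype == TYPE_RRSIG and rdlen >= 18:
                    # RRSIG RDATA starts with the 16-bit "type covered" field
                    covered.add(struct.unpack_from("!H", msg, off)[0])
                elif rtype != TYPE_RRSIG:
                    answer_types.add(rtype)
            off += rdlen
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated or malformed DNS message") from exc
    return {
        # AD is only meaningful when the path to the resolver is itself trusted.
        "ad_flag": bool(flags & FLAG_AD),
        "rcode": flags & 0x000F,
        "signed": bool(answer_types) and answer_types <= covered,
        "unsigned_types": sorted(answer_types - covered),
    }

def sample_response(name, signed, ad):
    """Constructed response: one A record, optionally with a placeholder RRSIG."""
    flags = 0x8180 | (FLAG_AD if ad else 0)      # QR, RD, RA
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, 2 if signed else 1, 0, 0)
    msg += encode_name(name) + struct.pack("!HH", TYPE_A, 1)
    ptr = b"\xc0\x0c"                            # pointer back to the question name
    msg += ptr + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 10])
    if signed:
        labels = name.rstrip(".").count(".") + 1
        rdata = struct.pack("!HBBIIIH", TYPE_A, 13, labels, 300,
                            1767225600, 1764547200, 12345)
        rdata += encode_name(name) + b"\x00" * 64   # placeholder, not a real signature
        msg += ptr + struct.pack("!HHIH", TYPE_RRSIG, 1, 300, len(rdata)) + rdata
    return msg

if __name__ == "__main__":
    for signed, ad in ((True, True), (False, False)):
        print(dnssec_summary(sample_response("example.com", signed, ad)))
```

A response that reports `signed: False` for a zone that is supposed to be signed, or a recursive resolver that never sets the AD flag for signed zones, is the kind of finding the readiness questions are meant to surface.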

How Securisea Can Help with DNSSEC and FedRAMP certification

Achieving and maintaining FedRAMP compliance is no small task, and DNSSEC is just one piece of the puzzle. As cybersecurity and compliance experts, Securisea provides comprehensive services to help your organization navigate the complexities of FedRAMP, including the implementation and management of DNSSEC.

FedRAMP Advisory. FedRAMP is considered by many to be the most comprehensive and challenging security program in the world, and many firms seeking a FedRAMP ATO choose to retain a 3PAO company to assist with building their compliance program. At Securisea, we have the experience and expertise to build out an efficient and cost-effective compliance program that enhances overall security posture while de-risking the ATO application.

FedRAMP Readiness Assessment. For most cloud service providers, the FedRAMP Readiness Assessment is the fastest route to being listed in the Federal Marketplace. This engagement is especially beneficial for companies seeking an agency sponsor to obtain their first ATO and is seen by many as a requirement for unlisted services that wish to apply for a P-ATO.

FedRAMP Assessment. Undergoing a FedRAMP Assessment is the final step in achieving your Agency or Provisional Authorization to Operate (ATO). As a 3PAO, Securisea is one of a select number of firms qualified to represent your compliance program to your Agency or Joint Authorization Board contact.

Ready to tackle FedRAMP? Contact Securisea today to learn more about how we can help get the ball rolling with our FedRAMP Advisory Services.

SOC2 + HITRUST: Combining Controls for Maximum Security

August 23, 2024
SOC Attestation

When it comes to ensuring the security and compliance of sensitive data, particularly in industries like healthcare, achieving both SOC 2 and HITRUST certifications can offer substantial advantages. SOC 2 focuses on the Trust Services Criteria, which are essential for safeguarding customer data across any industry, while HITRUST is tailored specifically to the healthcare sector, incorporating a comprehensive set of controls based on various regulations, including HIPAA. 

Compliance with both SOC 2 and HITRUST not only shields organizations from potential data breaches but also demonstrates a strong commitment to information security and privacy, fostering trust. The combined assurance provided by these certifications can help build confidence with clients, reduce the complexity of managing multiple compliance requirements, and ultimately streamline the audit process.

Understanding SOC2

SOC 2, which stands for Service Organization Control 2, outlines standards for companies to securely manage customer data. Created by the American Institute of CPAs (AICPA), SOC 2 is crucial for organizations providing SaaS (Software as a Service) and cloud services.

The framework is built around five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy.

  • Security ensures data protection against unauthorized access.
  • Availability ensures that systems are operational and accessible when needed.
  • Processing Integrity ensures data processing is complete, accurate, and authorized.
  • Confidentiality protects sensitive information.
  • Privacy governs the collection, use, retention, and disposal of personal information according to an organization's privacy policy and applicable laws.

SOC2 has two types of audit reports:

  • Type I assesses the design of internal controls at a specific point in time.
  • Type II evaluates both the design and the operational effectiveness of controls over a period of time. 

Understanding HITRUST

HITRUST, which stands for Health Information Trust Alliance, is a comprehensive cybersecurity framework that is used by any organization that collects, stores, processes, or transmits sensitive data. Created by the American Institute of CPAs (AICPA), HITRUST is used to demonstrate compliance with various industry regulations, such as HIPAA, GDPR, and SOC 2. 

The HITRUST CSF is the leading security framework in the healthcare sector, with 81 percent of hospitals and 80 percent of health plans integrating it into their operations. Whether used as a foundational resource for best practices or as the core of their information protection strategies, the HITRUST CSF has become a key component for ensuring security across the industry.

There are three types of HITRUST assessments:

  • e1 Assessment (Enhanced Assessment) is a one-year assessment that focuses on cybersecurity essentials and is intended for organizations with low risk profiles or limited complexity. It has 44 control requirements and is good for startups.
  • i1 Assessment (Initial Assessment) is a one-year assessment that focuses on leading security practices and is intended for organizations with established information security programs. It's considered easier than the r2 assessment.
  • r2 Assessment (Repeatable Assessment) is a two-year assessment that focuses on expanded practices and is risk-based. It can have up to 1,000 requirements based on an organization's risk factors, which can include general, organizational, geographic, technical, and regulatory factors. The r2 assessment is considered more work than the i1 assessment, but it can help organizations achieve a higher level of risk management maturity. 

How is HITRUST different from HIPAA?

The main difference between HITRUST and HIPAA is that HIPAA is a U.S. law that sets standards for protecting patient health information in the health industry. HITRUST is a global framework for managing security and risk, and includes a Common Security Framework (CSF) that helps organizations comply with regulations such as HIPAA. 

Benefits of SOC2 + HITRUST 

In the past, organizations requiring both SOC 2 and HITRUST certification reports had no choice but to undergo two separate assessments. This approach led to increased costs for businesses striving to comply with both the Trust Services Criteria and HITRUST CSF standards. Recognizing the inefficiency, the American Institute of Certified Public Accountants (AICPA) collaborated with HITRUST Alliance to streamline the process. The result is the SOC 2 + HITRUST program, a unified reporting framework that allows service organizations to demonstrate compliance with both sets of requirements in a single, consolidated report.

Securisea Simplifies SOC2 + HITRUST Compliance

The complementary nature of SOC 2 + HITRUST allows for a unified approach to compliance, benefiting organizations in the healthcare sector or those working with healthcare data. Securisea’s integrated approach to security and compliance translates into real savings of both time and money for our clients, helping them reach their goal of achieving and maintaining SOC 2 and HITRUST compliance more quickly. As a trusted advisor, Securisea will work alongside you to understand your business, and help you meet your security and compliance objectives.

Securisea is one of only a handful of audit firms in the world certified to provide PCI DSS, FedRamp/StateRAMP 3PAO, HITRUST & HIPAA, ISO27001 and 27701, SOC2, SOC1, and CSA STAR assessments all under one roof.

Success Story: Conquer + Securisea

August 22, 2024
Success Story

Securisea has worked with Conquer on several audits over the years, starting with a SOC2 Type 1 Audit followed by a SOC2 Type 2 audit. 

Like many first time SOC clients, Conquer had several large new business prospects that were close to closing, but required a SOC 2 report as part of their due diligence. Conquer initially selected Securisea after building an internal short list of 6 security vendors they wanted to interview to see which company was the right fit. According to Ian Skebba, Chief Technology Officer at Conquer, “We were looking for that partner that would make us a priority and could help us accomplish our goals quickly, but also was cost-effective for us based on who we are as a company, and our size at the time.” Since this was Conquer’s first foray into a SOC 2 engagement, they needed a company that could do more than just execute a set of control tests but also look at the controls they had designed within their specific technical context.

Securisea Announces Re-election to PCI Security Standards Council’s Global Executive Assessor Roundtable

August 7, 2024
PCI Compliance

(Annapolis, MD, August 5, 2024) Securisea, a leading provider of security and compliance services, announced today that they have been re-elected to serve on the PCI Security Standards Council’s Global Executive Assessor Roundtable (GEAR). 

Securisea is one of 33 organizations to join the PCI Security Standards Council’s Global Executive Assessor Roundtable in its efforts to secure payment data globally. As strategic partners, Roundtable members bring industry, geographical and technical insight to PCI SSC plans and projects on behalf of the assessor community. 

“We’re proud to have our contributions recognized and to continue our service on the GEAR Roundtable,” said Josh Daymont, CEO of Securisea. “The threats to payment security continue to evolve at a rapid pace, and as a global assessor on the front lines, we appreciate the opportunity to use our experience and expertise to shape the future of PCI compliance standards.”

“We need voices from across the assessor community to help ensure we are providing the best standards and programs to support the industry in protecting against today’s modern cybercriminal”, said Gina Gobeyn, Executive Director of PCI SSC. “We’re pleased to have Securisea on the PCI SSC Global Executive Roundtable to provide critical insights and help us build on the great efforts that are already being done to increase payment security globally.”

Securisea is one of only a handful of audit firms in the world certified to provide PCI DSS, FedRamp/StateRAMP 3PAO, HITRUST & HIPAA, ISO27001 and 27701, SOC2, SOC1, and CSA STAR assessments all under one roof. Their integrated compliance approach allows clients to leverage existing security controls from other frameworks directly into each engagement, reducing overhead and work duplication.

Founded in 2006, Securisea provides audit support for organizations of all sizes, from startups to some of the world’s most security-minded technology companies. Their customers rely on them to continue to evolve to meet an ever-changing security and compliance landscape, while maintaining a high level of expertise, responsiveness, and customer service to every unique engagement. 

About Securisea
Securisea is a leading provider of security and compliance services, helping companies secure their sensitive data and systems. With a personalized approach to customer service and a deep understanding of the unique needs of large enterprise companies, Securisea has built a reputation for delivering reliable, effective, and efficient security and compliance solutions. For more information, please visit http://www.securisea.com.

About the PCI Security Standards Council

The PCI Security Standards Council (PCI SSC) leads a global, cross-industry effort to increase payment security by providing industry-driven, flexible, and effective data security standards and programs that help businesses detect, mitigate, and prevent cyberattacks and breaches. 

Contact Information:
Josh Daymont, CEO
sales@securisea.com
1 877-563-4230

Getting Started with ISO 27001 Certification: Why Does My Company Need It?

July 25, 2024
General Compliance

The primary reason an organization decides it’s necessary to start the ISO 27001 process is simple: their customers are asking for it, and refuse to do business without it. 

Having an ISO27001 certification demonstrates to your customers that your organization is committed to maintaining high standards of information security. Here are some key points it conveys:

  1. Trust and Confidence: It reassures customers that their data is handled securely and is protected against breaches, unauthorized access, and other security threats.
  2. Compliance: It indicates that your organization meets international standards for information security management, which can be crucial for regulatory compliance and contractual obligations.
  3. Risk Management: It shows that your organization has a systematic approach to managing sensitive company and customer information, including risk assessment and mitigation strategies.
  4. Operational Excellence: It highlights that your organization follows best practices in information security, which can improve efficiency and reduce the risk of data-related incidents.
  5. Competitive Advantage: It sets your organization apart from competitors who may not have such certifications, potentially attracting more security-conscious customers.
  6. Continuous Improvement: It signifies that your organization is committed to continuous improvement in information security practices, as ISO27001 requires regular reviews and updates to the security management system.

Overall, having an ISO27001 certification can enhance your organization's reputation, build customer trust, and open up new business opportunities. 

Preparing for An Internal ISO 27001 Audit

An internal ISO 27001 audit is a process that evaluates an organization’s information security management system (ISMS) against the requirements of the ISO 27001 standard. This audit is conducted by internal staff with the assistance of an external auditor like Securisea to ensure compliance, identify areas for improvement, and prepare for external certification audits. 

Steps Involved in an Internal ISO 27001 Audit:

  1. Planning: Define the scope, objectives, and criteria of the audit. Develop an audit plan and schedule.
  2. Documentation Review: Examine the ISMS documentation to ensure it meets ISO 27001 requirements.
  3. Conducting the Audit: Perform the audit through interviews, observations, and reviewing records and processes.
  4. Reporting: Document the findings, including non-conformities, observations, and opportunities for improvement.
  5. Corrective Actions: Implement corrective actions to address non-conformities and improve the ISMS.
  6. Follow-Up: Verify the effectiveness of corrective actions and ensure ongoing compliance.

How Securisea Can Help

Navigating the intricacies of an ISO 27001 internal audit can be challenging. This is where Securisea comes in. Our team of experienced professionals is dedicated to helping organizations achieve and maintain ISO 27001 certification with ease and confidence.

Here’s how Securisea can assist:

  1. Expert Guidance: Our consultants have extensive experience with ISO 27001 standards and can provide expert guidance throughout the internal audit process. From planning to execution, we ensure that every step is conducted thoroughly and efficiently.
  2. Comprehensive Audit Services: Securisea offers comprehensive internal audit services tailored to your organization’s specific needs. We assess your ISMS against ISO 27001 standards, identify areas of non-conformity, and provide actionable recommendations for improvement.
  3. Training and Education: We believe in empowering your team with the knowledge and skills necessary to maintain ISO 27001 compliance. Securisea provides training sessions and workshops to educate staff on information security management best practices.
  4. Continuous Support: Achieving ISO 27001 certification is just the beginning. Securisea offers ongoing support to help you maintain compliance and continuously improve your ISMS. Our team is always available to answer questions, provide guidance, and assist with any challenges that arise.
  5. Tailored Solutions: Every organization is unique, as are its information security needs. Securisea takes a personalized approach, tailoring our services to align with your specific requirements and business objectives.

Final Thoughts:

An ISO 27001 internal audit is a critical component of maintaining a robust and compliant information security management system. With Securisea's expert assistance, your organization can navigate the complexities of this process with confidence. Our comprehensive audit services, expert guidance, and continuous support ensure that your ISMS not only meets ISO 27001 standards but also evolves to address emerging security threats and challenges.

Ready to take the next step in securing your organization’s information assets? Contact Securisea today and let us help you achieve ISO 27001 certification and maintain the highest standards of information security.

Copyright © 2024 Securisea, Inc. All Rights Reserved.