Blog

Stay up to date and discover new insights into compliance through our team’s thought leadership.

Blog Feature

Payment Card Assessments

By: Schellman
September 11th, 2024

Hi, I'm Matt Crane. I'm a leader in the payment security practice here at Schellman. We're often asked if we're able to do both PCI assessments and penetration testing for the same client. In this video, we'll explain how we're able to provide both and why it's not an independence issue. First and foremost, I want to cover what the PCI Council says about this. While they don't specifically state that it is or is not an independence issue, if you look at Requirement 11.4 of PCI DSS v4.0, it talks about penetration testing services methodologies. The two main criteria that you have to have as a penetration tester to meet that requirement are: You have organizational independence, which means that the individual performing the test cannot be ultimately responsible for securing that system. (It goes on to say that organizational independence doesn't mean it has to be an ASV, or approved scanning vendor, or even a QSA, but so long as that individual doesn't have control over the systems they're testing, it's fine. So, if you have an internal resource that's qualified, you can move forward with them.)

Payment Card Assessments | SWIFT

By: Schellman
August 28th, 2024

You're undertaking a SWIFT independent assessment, but how should you prepare? What cybersecurity requirements will be assessed? In this video, we discuss the structure of the SWIFT customer security controls framework, how it applies to your SWIFT implementation, and what to look out for as you prepare to undertake your SWIFT independent assessment. Hi. I'm John Anderson, a SWIFT practice leader here at Schellman. I've been conducting and managing SWIFT assessments since 2020, using the contemporaneous version of the SWIFT Customer Security Controls Framework (CSCF), which is at the core of the SWIFT customer security program and outlines a comprehensive set of controls designed to safeguard the SWIFT network, which is made up of critical infrastructure for the facilitation of global financial communications.

Payment Card Assessments

By: Schellman
July 31st, 2024

Does your organization use the SWIFT network with some or all of your IT services outsourced to a third party? Are you one of those third-party organizations engaged by a SWIFT user for the hosting, installation, operation, and/or maintenance of components involved in your customer's SWIFT implementation?

Payment Card Assessments | PCI DSS

By: Schellman
July 17th, 2024

Hi, I'm Matt Crane. I'm a leader in the Payment Security Practice, and today we're going to tackle what exactly cardholder data is because the PCI Council has introduced a new term in PCI DSS v4.0. But first, let's talk about PCI DSS v3.2.1, because--similar to the dinosaurs on my shirt in this video--some of the terminology in v3.2.1 is now extinct, as this version was officially retired on March 31, 2024.

Payment Card Assessments

By: Roberto Davila
June 5th, 2024

Click here to watch this video in Spanish

Payment Card Assessments | SWIFT

By: Schellman
May 8th, 2024

With the December 31st attestation submission date for annual SWIFT Independent Assessments looming closer, it's crucial to ensure readiness and a big part of that is choosing your assessor.

Payment Card Assessments

By: Schellman
April 17th, 2024

Recently, we've had a surge in inquiries surrounding SWIFT, and so in this video, Schellman's Matt Crane will take a closer look at what a SWIFT Customer Security Independent Assessment entails.

What is the SWIFT Customer Security Program (CSP)?

The Society for Worldwide Interbank Financial Telecommunications, or SWIFT, serves as a member-owned cooperative that facilitates the exchange of financial messages between entities. Organizations utilizing SWIFT gain access to its network and associated software, thereby creating a cybersecurity risk to both the network and the application ecosystem. In response to those growing cybersecurity concerns, SWIFT introduced the Customer Security Program (CSP) in May 2016. As an international standard that aims to mitigate cyber threats and safeguard the integrity, availability, and confidentiality of the global financial system, the CSP's framework of policies, standards, and guidelines is designed to bolster cyber defenses, detect and prevent fraud, and enable threat information sharing among users.

Understanding Independent Assessment

Central to the CSP is the requirement for SWIFT users and providers to undergo regular independent assessments to validate their compliance with the applicable cybersecurity framework. These assessments, mandated annually since 2021, ensure that organizations adhere to the Customer Security Controls Framework, which outlines mandatory and advisory security controls intended to enhance the security of financial messaging services.

The Role of Assessors

Assessments must be conducted by external independent assessors (like Schellman or others listed on the CSP Assessment Provider list on SWIFT.com) or by internal independent assessors. These assessors deliver comprehensive reports that include executive summaries, controls assessments, and completion letters, outlining your organization's compliance status with the CSP.

Moving Forward Now Instead of Later

The SWIFT Customer Security Independent Assessment plays a pivotal role in safeguarding the integrity of financial transactions in today's interconnected world. If you're a SWIFT user, you must recognize the significance of annual assessments and prioritize compliance with the CSP. Instead of waiting until the fourth quarter to initiate assessments, you can begin the process as early as the second quarter to ensure ample time for review and resolution of any identified issues. By adhering to the CSP and undergoing regular assessments, you can enhance your cyber defenses and contribute to a more secure global financial ecosystem. To learn more about SWIFT and the related assessments, contact us today and ensure your timely compliance and proactive risk management.

Payment Card Assessments

By: Schellman
March 13th, 2024

When seeking Payment Card Industry (PCI) compliance, the expiration of terminals can introduce complexities and uncertainties for merchants. In this video, Sully Perella, a practice leader at Schellman, sheds light on the significance of expired terminals and offers insights into navigating this compliance challenge.

Payment Card Assessments

By: Matt Crane
October 26th, 2023

To address some of the past confusion regarding the dating of PCI reports, the PCI Security Standards Council (SSC) has altered the report date methodology for PCI DSS v4.0 to provide more clarity and consistency to this process.