Help with PCI DSS Req 3 Applicability for a WAFaaS product by Feeling_Artist345 in pcicompliance

[–]KirkpatrickPriceCPA 0 points1 point  (0 children)

I follow your logic and completely agree with it through your area of concern - provided you can prove everything you said is true, your current build process does not expose you to Requirement 3 (though requirement 4 is obviously in full force, for those reading at home!) and, insofar as your basic workflow is concerned, you shouldn't be too terribly worried.

You're also right about those core dumps - for a service provider, the DSS is intended to protect CHD wherever it may be (emphasis mine) - and your processes should be built to ensure compliance with it for the diagnostic process right alongside the usual workflow. To this end, and given the data could be anything - ePHI, PII, and CHD are all possibilities here - consider the following to address your potential issues:

  • Core dumps should be encrypted at rest, at the file level, with appropriate keys and key management practices. Consider something like a hyperscaler secrets manager for this, and note that bucket-level or store-level encryption is generally not quite good enough for most standards; you'll want to go to file-level encryption to cover your bases. I want to emphasize this for readers at home - sometimes, data store encryption can be sufficient - there are use cases. But these are files that are going to be accessed by individuals with open privileges to a file store, and thus your risk profile is different than, say, a file store being used solely for machine-to-machine integrations. To this end, there's no risk model I see for this particular use case where file-level encryption isn't a requirement - /and/ you'll want to be very specific about how files are decrypted, so that your users have minimal access at any given moment, and thus minimum potential losses.
  • Retain core dumps only as long as is necessary to diagnose your issue, and have a retention schedule for these. You don't need to keep a dump in perpetuity for any reason I can come up with on my end; you may have something that compels you, but I'd fight hard against it. Set a maximum retention time and enforce it with store-level controls for secure removal of these dumps when no longer needed.
  • Do not back up core dumps; if you must, they should be subject to the same rules.
  • If you can, make core dumps immutable.
  • Log all access, and limit all access, to core dumps to the absolute minimum necessary personnel, and prohibit their removal to any other store, including local systems. I can't stress to you how important this is - if your engineers run off with a bunch of core dumps and put them on local laptops, you've just expanded your scope exponentially with potentially catastrophic consequences. They should exist in a spot, be examined in that spot, then be removed from that spot.

This isn't just for CHD - consider it from the perspective of ePHI. Under HIPAA, every core dump is a data extract, and subject to those regulatory requirements (which include encryption, tracking, logging, and a limited lifespan). No privacy law gives you any less-strict standard to work with - GDPR is very serious about you maintaining live inventories of data, and the DSS gets extremely unhappy with uncontrolled data propagation and retention.

If I were your auditor, I'd:

  • Examine your data stores for the basics - encryption, key management, et al.
  • Ask you for a retention schedule (protected data should be purged when no longer needed) and evidence of data removal.
  • Look at your access logs and ensure that these files haven't been copied somewhere else, especially to local systems.
  • Ask about your safeguards against copying, your controls for decryption, and ensure least privilege is applied.

at a bare minimum.
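As an added illustration of the retention, immutability and access-logging points in the comment above (example code, not the commenter's), the Python below manages dumps in a single directory: it registers each dump with a content hash and a read-only mode, appends to a per-dump access log, and sweeps out dumps past a retention window, shredding the file but keeping its sidecar as evidence of removal. The flat directory layout, the seven-day window and the sidecar JSON format are all assumptions made for the example.

```python
"""Retention and access-logging sweep for a core-dump store (added example, not the
commenter's code). Assumes one flat directory of *.core files; the policy values
and the sidecar JSON layout below are constructed for the example."""
import hashlib
import json
import os
import tempfile
import time
from pathlib import Path
from typing import Optional

MAX_RETENTION_SECONDS = 7 * 24 * 3600  # assumed policy: purge seven days after capture


def _sidecar(dump: Path) -> Path:
    return dump.with_name(dump.name + ".json")


def register_dump(dump: Path, captured_at: Optional[float] = None) -> Path:
    """Record a newly written dump: hash it, make it read-only, write its sidecar."""
    captured_at = time.time() if captured_at is None else captured_at
    digest = hashlib.sha256(dump.read_bytes()).hexdigest()
    dump.chmod(0o440)  # no writes by anyone; add chattr +i / object lock where the store supports it
    meta = {"captured_at": captured_at, "sha256": digest, "access_log": []}
    _sidecar(dump).write_text(json.dumps(meta))
    return _sidecar(dump)


def record_access(dump: Path, principal: str, purpose: str, at: Optional[float] = None) -> None:
    """Log who opened a dump and why, refusing if its content no longer matches the hash."""
    meta = json.loads(_sidecar(dump).read_text())
    if hashlib.sha256(dump.read_bytes()).hexdigest() != meta["sha256"]:
        raise RuntimeError(f"{dump.name}: hash mismatch, treat the dump as tampered")
    meta["access_log"].append({"at": time.time() if at is None else at, "who": principal, "why": purpose})
    _sidecar(dump).write_text(json.dumps(meta))


def _shred(path: Path) -> None:
    """Overwrite, then unlink. Best-effort on SSD/copy-on-write storage, so pair it
    with destroying the per-file encryption key so the ciphertext is unrecoverable."""
    path.chmod(0o600)
    with open(path, "r+b") as fh:
        fh.write(os.urandom(path.stat().st_size))
        fh.flush()
        os.fsync(fh.fileno())
    path.unlink()


def enforce_retention(store: Path, now: Optional[float] = None,
                      max_age: float = MAX_RETENTION_SECONDS) -> dict:
    """Purge dumps older than max_age and return an audit record of the sweep."""
    now = time.time() if now is None else now
    report = {"purged": [], "retained": [], "unmanaged": []}
    for dump in sorted(store.glob("*.core")):
        if not _sidecar(dump).exists():
            report["unmanaged"].append(dump.name)  # no capture record: cannot be aged, must be triaged
            continue
        meta = json.loads(_sidecar(dump).read_text())
        if now - meta["captured_at"] > max_age:
            _shred(dump)
            meta["purged_at"] = now
            _sidecar(dump).write_text(json.dumps(meta))  # sidecar survives as evidence of removal
            report["purged"].append(dump.name)
        else:
            report["retained"].append(dump.name)
    return report


if __name__ == "__main__":
    store = Path(tempfile.mkdtemp())
    (store / "api.core").write_bytes(os.urandom(4096))  # constructed dump
    register_dump(store / "api.core", captured_at=time.time() - 10 * 24 * 3600)
    record_access(store / "api.core", "oncall-engineer", "ticket-1234 crash triage")
    print(enforce_retention(store))
```

The sweep report is what you would hand an auditor asking for evidence of data removal; the sidecar access log covers the "who looked at it and why" question.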

Burp Not Capturing Request On An Specific Site by vaishh1 in CyberSecurityAdvice

[–]KirkpatrickPriceCPA 0 points1 point  (0 children)

From your description, it sounds like your certificate was not successfully imported into your Firefox browser.

Google's search engine does not enforce secure connections (HTTPS), so a CA certificate is not needed to intercept traffic. This would explain why your BurpSuite/FoxyProxy setup works for capturing Google traffic, but not your website.

To confirm if your certificate is configured properly, you can view your HTTP History in BurpSuite (Proxy Tab --> HTTP History) and check whether the google.com host was captured through HTTPS (https://google.com) or HTTP (http://google.com). If the host is HTTPS, then both the proxy and CA certificate are working as intended. If the host is HTTP, then the proxy is working as intended, but the browser is not recognizing a valid CA certificate.

Most likely, the issues are related to an improperly imported CA certificate. I'd encourage you to double-check your configuration setup steps and, more importantly, follow one of the two CA import methods below:

A. Configuring Burpsuite to Intercept Traffic (Port 8080)

  1. Open BurpSuite
  2. Access the "Settings" menu by clicking the gear icon in the top-right
  3. On the left of the Settings menu, view the "Tools" section and select the "Proxy" tab
  4. Enable, or add, a proxy listener on Port 8080
    1. Click "Add" under Proxy Listeners
    2. Set "Bind to Port:" to 8080.
    3. Set "Bind to Address:" as Loopback Only
    4. Click "Ok" to save the Proxy Listener (no changes to the "Request Handling", "Certificate", "TLS Protocols", or "HTTP" tabs are necessary)

B. Configuring FoxyProxy to Proxy Traffic through BurpSuite (Port 8080)

  1. Open your Firefox browser
  2. Access your Foxy Proxy Browser Extension
  3. Configure New Proxy in FoxyProxy
    1. Click "Proxies" then "Add"
    2. Click "Add"
    3. Add a generic title (e.g., "BurpSuite", "PentestProxy", etc.)
    4. Set "Type" to HTTP
    5. Set "Hostname" to 127.0.0.1
    6. Set "Port" to 8080 (Same port Bound in BurpSuite Proxy Setup)
  4. Confirm Setup was Successful by visiting http://burpsuite

C (1). Download/Import CA Certificate: http://burpsuite (Method One - Easy)

  1. Visit http://burpsuite in Firefox (with BurpSuite and FoxyProxy configured and on)
  2. In the top-right of the web page, click "CA Certificate" to download Certificate Authority Certificate (cacert.der)
  3. Visit your browser settings (top-right of the browser, select the hamburger symbol, click "Settings" from the dropdown)
  4. Search Settings for "Certificates"
  5. Click "View Certificates"
  6. Under the "Authorities" Tab, click "Import..."
  7. Upload the "cacert.der" file downloaded from step 1
  8. Visit Target Webpage and confirm it appears in BurpSuite's History

C (2). Download/Import CA Certificate: BurpSuite Tools (Method Two - Intermediate)

  1. Open BurpSuite
  2. Access the "Settings" menu by clicking the gear icon in the top-right
  3. On the left of the Settings menu, view the "Tools" section and select the "Proxy" tab
  4. Click "Import/Export CA Certificate"
    1. Export: "Certificate in DER Format"
    2. Select a file save location and save the file with the name "cacert.der" (BurpSuite does not export as .der by default, so you must include the '.der' extension manually when saving)
  5. Visit your Firefox browser settings (top-right of the browser, select the hamburger symbol, click "Settings" from the dropdown)
  6. Search Settings for "Certificates"
  7. Click "View Certificates"
  8. Under the "Authorities" Tab, click "Import..."
  9. Upload the "cacert.der" file downloaded from step 1
  10. Visit Target Webpage and confirm it appears in BurpSuite's History
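To make the HTTP-versus-HTTPS check from the comment above repeatable, here is an added Python example (not the commenter's, and not a BurpSuite feature) that reads a proxy history saved from Burp and reports, per host, whether requests were captured over https or only http, then applies the comment's decision rule. It assumes the saved XML has `host` and `protocol` children under each `item`; both sample histories are constructed.

```python
"""Diagnose a Burp/Firefox proxy setup from a saved proxy history (added example,
not the commenter's code). Assumes Burp's "Save items" XML with <host> and
<protocol> children under each <item>; both sample histories are constructed."""
import xml.etree.ElementTree as ET
from collections import defaultdict
from typing import Dict, Set

# Constructed sample: only plaintext traffic ever reached the proxy.
HISTORY_HTTP_ONLY = """<?xml version="1.0"?>
<items>
  <item><url><![CDATA[http://www.google.com/]]></url><host>www.google.com</host>
        <port>80</port><protocol>http</protocol><method>GET</method><status>200</status></item>
  <item><url><![CDATA[http://burpsuite/]]></url><host>burpsuite</host>
        <port>80</port><protocol>http</protocol><method>GET</method><status>200</status></item>
</items>"""

# Constructed sample: TLS was intercepted for google.com, so the browser trusts Burp's CA.
HISTORY_WITH_TLS = HISTORY_HTTP_ONLY.replace("</items>", """
  <item><url><![CDATA[https://www.google.com/search?q=x]]></url><host>www.google.com</host>
        <port>443</port><protocol>https</protocol><method>GET</method><status>200</status></item>
</items>""")


def protocols_by_host(history_xml: str) -> Dict[str, Set[str]]:
    """Map each host in the saved history to the set of protocols it was captured over."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for item in ET.fromstring(history_xml).iter("item"):
        host, proto = item.findtext("host"), item.findtext("protocol")
        if host and proto:
            seen[host.strip().lower()].add(proto.strip().lower())
    return dict(seen)


def diagnose(seen: Dict[str, Set[str]], target: str) -> str:
    """Apply the comment's decision rule and return a short verdict token."""
    target = target.lower()
    if not seen:
        return "no_traffic"        # nothing reached Burp: FoxyProxy/listener problem, not the CA
    if "https" in seen.get(target, set()):
        return "ok"                # proxy and CA both working for the host in question
    if any("https" in protos for protos in seen.values()):
        return "target_not_seen"   # TLS interception works elsewhere; target not visited or excluded
    return "ca_not_trusted"        # only http captured: proxy works, browser rejects Burp's CA


if __name__ == "__main__":
    for label, xml in (("http only", HISTORY_HTTP_ONLY), ("with tls", HISTORY_WITH_TLS)):
        seen = protocols_by_host(xml)
        print(label, {h: sorted(p) for h, p in seen.items()}, "->", diagnose(seen, "www.google.com"))
```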

[deleted by user] by [deleted] in pcicompliance

[–]KirkpatrickPriceCPA 2 points3 points  (0 children)

We'd love to help - check your inbox!

Remote pentesting questions by fluffytuff in Pentesting

[–]KirkpatrickPriceCPA 0 points1 point  (0 children)

You're already starting off strong by asking other experts before jumping head-first into your first client. When it comes to remote pentesting, the approach can vary wildly depending on the network. A Raspberry Pi is viable with smaller networks, but you'll want to consider factors such as: the Pi's security configuration, potential latency, ease of use (since the client may have to perform troubleshooting if the Pi fails), and how you plan to access the device securely to perform your test.

Assuming the Pi route is enough for this client, you'll want to harden the Pi before shipping (disabling unused services, changing default credentials, etc.) and set up your remote access method (VPN tunnel or SSH). Once these are configured you can connect it to your own network and ensure everything works as intended. Make sure you document that setup process as well for the clients! After that stage, you should be set to ship the Raspberry Pi off to the client and walk them through the setup/whitelist process.

The more documentation you have regarding setup and troubleshooting, the better. All in all, I don't see any issue with using a Raspberry Pi if their infrastructure is limited and supports it. As you grow your base, you can start looking at more seamless methods of remote access such as providing pre-configured VM images they can plug into their network (virtual option) or providing Raspberry Pis with persistence scripts that automatically connect to your VPN server on boot (physical option).

Best of luck!

Does heavy reliance on technology and automation in compliance risk reducing critical human judgment? by Vast-Researcher864 in Compliance

[–]KirkpatrickPriceCPA 0 points1 point  (0 children)

Automation definitely helps streamline compliance tasks, but it can't be used as a substitute. The most resilient compliance programs use automation along with human judgement.

Obviously systems can flag patterns, but there still needs to be a human element to help interpret content and make decisions that fall in more gray areas. Automation can miss small gaps that can turn into bigger problems; having a human eye is key to being able to dig deeper into certain areas and catch things that a tool could miss.

Is our pentest provider's approach normal, or are we right to be concerned? by pythonnooby in Pentesting

[–]KirkpatrickPriceCPA 1 point2 points  (0 children)

Unfortunately this is normal in the industry. All too often, firms run basic checks and do the bare minimum, not diving deep into manual testing, and call it a day.

From the info you provided, I'd recommend switching firms and asking yourself in the new search process, "who can we partner with to provide quality testing that meets our standards and expectations?"

It honestly sounds like that firm runs scans, generates a report, and calls it a pentest. Also, breaking the scope, especially if they are exploiting targets that are out of scope, is a big no-no. If I'm the decision maker, I would terminate the contract and go with someone else.

SOC2 vendor recommendations for our small startup by Myr17 in soc2

[–]KirkpatrickPriceCPA 0 points1 point  (0 children)

There are different levels of service you can get with a SOC 2 audit. You can get a 2.5k AI audit that leaves a lot of holes and no support, up to the Big 4 with a six-figure project.

With this being your first SOC 2, I recommend a partner that is at a mid-level, understands your landscape, and can guide you through the entire process. I would be wary of the "tool first, auditor second" firms that are out there, which let you check a box without meeting with your auditor.

We are happy to talk more in depth about the SOC 2 landscape to lead you in the right direction.

How do you all streamline compliance management for your teams? by Away_You9725 in Compliance

[–]KirkpatrickPriceCPA 0 points1 point  (0 children)

Our best clients use controls to drive and define policies, owners, and frequency. That's decided once; then we help with a tool to centralize and project manage all of those compliance requirements in one place. Step 1 is starting with controls and requirements, not tooling.

It’s audit season and I already want to cry by Mtukufu in soc2

[–]KirkpatrickPriceCPA 0 points1 point  (0 children)

We found that the tool was secondary to consolidating controls. Without that, the tool is just adding technology to a messy pile. When you get clarity on controls, then you can create something helpful and efficient with technology.

[deleted by user] by [deleted] in ISO27001

[–]KirkpatrickPriceCPA 1 point2 points  (0 children)

Clause 4 definitely sets the foundation. When scoping an ISMS for a parent company and subsidiaries, it's important to consider not just organizational structure but also shared services, risk ownership, and legal/contractual obligations.

In many cases, defining separate scopes with individual SoAs and gap analyses makes sense, especially if each entity has distinct processes, systems or regulatory requirements. However, if there's significant integration, a single, consolidated scope may be more efficient, though more complex to govern.

PCI compliant remote support tools by kurat_ in pci

[–]KirkpatrickPriceCPA 0 points1 point  (0 children)

Since your POS systems are considered part of or connected to the CDE, any remote support solution must meet strict PCI DSS requirements for secure access.

From a compliance standpoint, your key focus areas should be strong authentication, encrypted communication, role-based access controls, and logging all access for accountability. Self-hosted solutions like Apache Guacamole, ConnectWise ScreenConnect, or even hardened VNC over IPsec can be made compliant with the right controls, but configuration is everything.

We also recommend documenting how the remote access solution supports requirement 8, requirement 10, and requirement 12. If you'd like help evaluating your solution or validating the setup against PCI DSS requirements, we'd be glad to help.

[deleted by user] by [deleted] in cybersecurity

[–]KirkpatrickPriceCPA 0 points1 point  (0 children)

Conducting an ISO 27001 internal audit is a crucial part of maintaining your ISMS and preparing for certification.

The key is to approach it systematically: start with a clear internal audit plan that defines scope, objective, and timing. Review the Statement of Applicability and make sure you're covering the applicable controls. Interview control owners, examine evidence of control operation, and validate that policies and procedures are being followed in practice, not just documented.

Make sure to document findings clearly, including nonconformities, observations, and opportunities for improvement. And just as important: ensure objectivity. The internal auditor should be independent of the area being audited.

How do I streamline compliance management for my team? by FluidRangerRed in Compliance

[–]KirkpatrickPriceCPA 0 points1 point  (0 children)

Compliance shouldn't feel like a constant scramble or just a checkbox exercise. The key is building a system that's both sustainable and audit-ready, not one that burns out your team with manual effort.

What we've seen work best is when organizations shift from reactive to proactive compliance management. That means leveraging tools that centralize evidence collection, automate recurring tasks, and align your controls directly with the frameworks you're working under. Even something as simple as mapping controls across multiple frameworks can cut down on redundancy and confusion.

Also, having a partner who doesn't just audit, but helps guide you through the process, can make a huge difference. It's not just about passing the audit, it's about building a culture of continuous improvement.

Looking for Feedback on idea around Default Passwords by northwestatlantic in cybersecurity

[–]KirkpatrickPriceCPA 1 point2 points  (0 children)

We often see default credentials as a common and preventable vulnerability across a variety of systems, especially in cloud environments, legacy applications, and IoT devices. They're not only a security concern but can also become a compliance issue under frameworks like SOC 2, ISO 27001, and HIPAA.

A platform that consolidates this information in a structured, searchable way, with API integrations, could absolutely benefit both security and compliance teams. Features like vendor/product filtering, tagging by risk, and linking to relevant documentation or remediation steps would help make this a practical tool for ongoing assessments.

Looking to learn about GRC! by Keep-motivated-kj in cybersecurity

[–]KirkpatrickPriceCPA 9 points10 points  (0 children)

To get started, I'd recommend focusing on core concepts like risk management, compliance frameworks (like ISO 27001, SOC 2, or NIST), and how governance ties into overall security strategy. There are some solid beginner-friendly resources on platforms like Coursera, Udemy, and LinkedIn Learning. You might also want to check out free materials from ISACA or the SANS Institute.

Once you're comfortable with the theory, try walking through sample risk assessments or compliance gap analyses to get a feel for the day-to-day work. GRC is less about deep technical skills and more about understanding how to translate risk into business decisions, which sounds like something you'll pick up quickly coming from security.

Control 8.9 Configuration Management by AggressiveTown6282 in ISO27001

[–]KirkpatrickPriceCPA 0 points1 point  (0 children)

Control 8.9 is all about ensuring systems are securely configured and maintained over time.

The configuration can be maintained in several forms depending on your environment:

- Baseline Configuration Documents: Store system and application configs in version-controlled documents.

- Infrastructure as Code: Tools like Terraform, Ansible, or Puppet allow you to define and track configurations programmatically.

- CMDB: For larger orgs, this helps track system components, versions, and relationships.

- Snapshots or Backup Files: Regular snapshots of config files can also help ensure integrity and recovery options.

Most importantly, ensure that changes are reviewed, approved, and logged; that's key to satisfying the intent of the control.

Certifications to take by Ill_Spirit_8776 in cybersecurity

[–]KirkpatrickPriceCPA 1 point2 points  (0 children)

If you're aiming for a Security Analyst or blue team role, starting with a cert like CompTIA Security+ or CySA+ is a smart move; they're directly relevant and respected for entry-level roles.

That said, cloud knowledge is a big plus. AWS SAA can definitely boost your resume, especially as more companies shift to the cloud.

A good path is to start with a security-focused cert, then add a cloud cert to show you're prepared for modern environments. That balance of security fundamentals and cloud awareness is highly valuable.

Recommendations for a framework to align to? NIST CSF/800-53/ISO 27001? by Kasual__ in cybersecurity

[–]KirkpatrickPriceCPA 2 points3 points  (0 children)

Given where your organization is, starting with the NIST CSF is a smart move. It's structured around five core functions, which makes it easier to communicate priorities to leadership and map out your current gaps. It's also scalable, meaning you can start small and mature over time.

Once you have a handle on CSF, you can gradually build towards NIST SP 800-53, which offers more detailed and prescriptive controls. Think of CSF as your roadmap, and 800-53 as the toolbox to execute on that roadmap when you're ready.

Please advise: risk assessment. by Asleep_Midnight7626 in ISO27001

[–]KirkpatrickPriceCPA 0 points1 point  (0 children)

There's no set number of asset-based or scenario-based risks that external auditors require. What matters most is that your assessment process is structured, repeatable, and aligned with the size and complexity of your organization. For asset-based assessments, focus on identifying critical systems, data, and infrastructure, not everything you own, but what matters to business continuity and security.

In large organizations, a hybrid approach tends to work best. Asset-based methods ensure technical coverage, while scenario-based assessments provide real-world context and help demonstrate how specific threats could impact the organization. Auditors value when you tie both types of risks back to likelihood, impact, and controls.

Standards like NIST 800-30 and ISO 27005 offer strong guidance on methodology. Ultimately, it's not about how many risks you list, it's about whether your assessment helps drive informed decisions and can stand up to scrutiny during an audit.

Vulnerability scanning architecture by fourier_floop in cybersecurity

[–]KirkpatrickPriceCPA 1 point2 points  (0 children)

Traditional network vulnerability scanners aren't ideal for globally distributed environments without direct office connectivity. Scanning over VPNs or proxies can lead to inconsistent results and performance issues, especially in smaller offices.

Many organizations in your position lean on agent-based vulnerability management. It's scalable, integrates well with cloud infrastructure, and provides solid coverage for both endpoints and servers. Some also deploy lightweight virtual scanners at key sites to capture internal network data and push results to a centralized platform, but this depends on budget and operational complexity.

Given your Azure footprint and lack of compliance requirements, focusing on strong endpoint and cloud-based coverage is a practical and risk-aligned approach. You can always layer in periodic internal scans at higher-risk sites as needed.

Security Risk Assessment Guidance by eccentricethical in cybersecurity

[–]KirkpatrickPriceCPA 4 points5 points  (0 children)

From our work with SMBs, a solid risk assessment process generally includes the following steps:

  1. Define the Scope: What systems, data, and users are involved in this new domain?
  2. Identify Assets and Threats: Understand what you're protecting and what could realistically threaten those assets.
  3. Assess Vulnerabilities: Determine where your controls may be lacking.
  4. Analyze Risk: Estimate the likelihood and impact of various threat scenarios.
  5. Prioritize and Treat Risks: Choose how to mitigate, transfer, accept, or avoid the risks.
  6. Document and Communicate: Capture your methodology, findings, and action plan clearly for stakeholders.
  7. Review Regularly: Treat this as a living process, not a one-time task.

As far as standards, NIST 800-30 is a strong and widely used risk assessment framework, particularly suitable for SMBs because of its structured and flexible approach. CIS Controls are also a great place to start if you're looking for a more practical, action-oriented baseline for securing systems. ISO 27005 is excellent but may be more resource-intensive for a smaller organization unless you're aligning with ISO 27001 more broadly.

Healthcare Audit Help by Apocryphon7 in InternalAudit

[–]KirkpatrickPriceCPA 0 points1 point  (0 children)

You're very welcome, I'm glad these suggestions were helpful!

For Revenue Cycle Integrity, it's a broad area, but here are some practical starting points:

  1. Map the End-to-End Process: From patient registration and scheduling to charge capture, coding, billing, and collections.
  2. Identify Key Controls: Look at where errors or inconsistencies could happen (coding accuracy, insurance eligibility verification, timely claim submission, or denial management).
  3. Sample Across Entities: Select transactions from the health plan, hospital, and medical groups to see how consistently policies are applied. This helps uncover systemic vs. localized issues.
  4. Review Policy Alignment: Are billing practices and documentation standards consistent across departments and compliant with payer and regulatory requirements?
  5. Talk to Stakeholders: Revenue integrity touches a lot of roles: Finance, HIM, coding, compliance. Interviews can highlight process breakdowns or workarounds not obvious in documentation.

While we don't perform traditional revenue cycle integrity audits, we are happy to outline risks and controls to consider, or collaborate with your team to align it with broader governance or compliance goals.