Aperia Compliance

Technology, Information and Media

Dallas, Texas 167 followers

Comprehensive suite of PCI Compliance solutions for merchant acquirers

About us

Aperia Compliance delivers PCI Compliance & security solutions to merchant acquiring clients, simplifying PCI compliance and enhancing security for merchants and the payment processing industry.

Website: https://www.aperiacompliance.com/
Industry: Technology, Information and Media
Company size: 11-50 employees
Headquarters: Dallas, Texas
Type: Privately Held
Founded: 1986

Updates

  • 𝐓𝐡𝐞 𝐤𝐞𝐲 𝐭𝐚𝐤𝐞𝐚𝐰𝐚𝐲? ➡️ Vulnerabilities are shifting. Compliance strategies must, too. As Chris Bucolo, MBA, ISA, PCIP points out, payment security is being tested in new ways — from TPSP risk to data recirculation and stale credentials. At Aperia Compliance, we’re helping our partners evolve their compliance programs with tools and strategies built for today’s threat landscape, and tomorrow’s. 📬 Want to future-proof your program? Let’s talk.

    View profile for Chris Bucolo, MBA, ISA, PCIP

    PCI Compliance/Payments Security--Relationship Mgmt--Product Strategy

    I believe the work of the Identity Theft Resource Center (www.idtheftcenter.org) deserves more recognition within our industry. One notable development is the creation of the PCD-Previously Compromised Data category. This category addresses the repackaging and recirculation of personal information that has been previously reported as stolen, including logins and passwords - a concerning trend for safeguarding personal data. Recent findings highlight the critical vulnerability in the Supply Chain sector, with approximately one-half of one percent of compromises leading to nearly 50 percent of breach notices across almost seven hundred companies. The connection between Third Party Service Providers (TPSP) and breaches remains unsurprising in the payments/PCI world. Do you remember the QIR-Qualified Integrators and Resellers program? The focus areas of software patching, password management, and secure remote access are key aspects that demand attention for data security. Considering the significance of these insights, it prompts the question of whether revisiting such programs would provide consistent and vital information to developers and business leaders handling payment data integration. The evolving landscape of AI-generated payments, exemplified by Agentic Commerce, raises further questions about the impact on TPSP-related risks in payment transactions. As I delve into this evolving field for the rest of 2025 and beyond, I invite your perspectives on these crucial matters. - Chris

  • In case you missed it: our highlights from #MWAA2025 in Chicago 🚀

    Chicago brought the energy! 💥 🚀 #MWAA2025 was full of meaningful conversations, new connections, and momentum for what’s ahead. A huge thank‑you to Amanda Beam, ETA CPP (Maverick), Jeanie Rees (PayCompass), and our own John Newton and Mark Hayward for making this year’s event unforgettable. Swipe through for some highlights ⬇️

  • 🚨 E‑commerce skimming is on the rise — and it’s putting merchants at serious risk. We’re proud to share that our very own Chris Bucolo, MBA, ISA, PCIP, Director of PCI Compliance at Aperia Compliance, has been featured in The Green Sheet with a powerful piece: “𝘋𝘦𝘮𝘺𝘴𝘵𝘪𝘧𝘺𝘪𝘯𝘨 𝘌𝘤𝘰𝘮𝘮𝘦𝘳𝘤𝘦 𝘚𝘬𝘪𝘮𝘮𝘪𝘯𝘨: 𝘞𝘩𝘢𝘵 𝘔𝘦𝘳𝘤𝘩𝘢𝘯𝘵𝘴 𝘕𝘦𝘦𝘥 𝘵𝘰 𝘒𝘯𝘰𝘸” In this article, Chris breaks down: 👉 Why new PCI DSS requirements matter 👉 The hidden vulnerabilities in merchant checkout flows 👉 Practical steps merchants can take to protect their business and customers Chris is our go‑to expert when it comes to PCI — with years of experience helping ISOs, acquirers, and merchants cut through complexity and keep their portfolios safe. 📖 Read the full article here:  https://lnkd.in/gtWqYNwD

  • 🌍 𝐄𝐱𝐩𝐞𝐫𝐭 𝐒𝐮𝐩𝐩𝐨𝐫𝐭 𝐖𝐢𝐭𝐡𝐨𝐮𝐭 𝐁𝐨𝐫𝐝𝐞𝐫𝐬 Compliance challenges don’t wait — and neither should you. At Aperia Compliance, our team provides 𝐝𝐞𝐝𝐢𝐜𝐚𝐭𝐞𝐝, 𝐞𝐱𝐩𝐞𝐫𝐭 𝐠𝐮𝐢𝐝𝐚𝐧𝐜𝐞 𝐨𝐧 𝐚 𝐠𝐥𝐨𝐛𝐚𝐥 𝐬𝐜𝐚𝐥𝐞, ensuring you always have the support you need to stay compliant and secure. 

  • 𝐀𝐫𝐞 𝐲𝐨𝐮 𝐚 𝐏𝐂𝐈 𝐋𝐞𝐯𝐞𝐥 3 𝐨𝐫 4 𝐦𝐞𝐫𝐜𝐡𝐚𝐧𝐭 𝐬𝐭𝐢𝐥𝐥 𝐭𝐡𝐢𝐧𝐤𝐢𝐧𝐠 "𝐖𝐞’𝐫𝐞 𝐭𝐨𝐨 𝐬𝐦𝐚𝐥𝐥 𝐭𝐨 𝐛𝐞 𝐭𝐚𝐫𝐠𝐞𝐭𝐞𝐝"? 𝐓𝐡𝐢𝐧𝐤 𝐚𝐠𝐚𝐢𝐧. 🤔 These attacks may feel distant — targeting enterprises with sprawling IT teams — but that’s a dangerous assumption. What Scattered Spider reveals is that social engineering, weak vendor controls, and bypassed MFA aren’t size-specific threats. They’re systemic vulnerabilities. And in today’s environment of rising regulatory expectations, cyber resilience is no longer optional. It’s foundational to smart PCI compliance.

    View profile for Chris Bucolo, MBA, ISA, PCIP

    PCI Compliance/Payments Security--Relationship Mgmt--Product Strategy

    What can those operating in the PCI DSS Level 3 & 4 space learn from successful attacks via methods like those of the cybercrime group Scattered Spider? Given that the attacks primarily involve large companies with extensive call centers and IT networks, on the surface we might first assume we can learn little. But I am making the argument that there is a good deal we can learn, regardless of size and scope of the organization.

    “How it works: The group's primary tactic remains voice-based phishing where they call a company's overseas help desk, impersonate an employee, and reset their single sign-on passwords. They then use SIM swapping to intercept multifactor-authentication codes.” *

    On June 28, 2025, the FBI posted an alert about a scheme showing expanded targeting activity, including the airline industry, by a cybercriminal group known as Scattered Spider. It involves what I would classify as three of the most common elements we continue to see:

    · Social engineering: fake calls and phishing emails-employees pressured and tricked.
    · Third Party Service Providers (often IT companies)-looking for those with weaker security postures.
    · Bypass authentication methods like MFA-Multi-factor authentication.

    Firstly, what struck me is that there is so much we can glean from these attacks that I need to spread the story out over 2-3 posts. So, consider this to be post #1 (of 2 or 3). Here are some key observations for you to consider:

    · The human element: I always think of Jessica Barker’s books, including “Confident Cyber Security: The essential insights and how to protect from threats.” No one has shed more light on the human element than Dr. Barker has. https://lnkd.in/e4ktHN4n
    · Authentication work arounds
    · TPSPs: Did service provider attack attempts come back into vogue, or was it present all along? Not really a trick question. Only the impacts and frequency wax and wane over time.
    · Growth of Cyber Resilience laws- Do you have a way to identify and address all the new legislation in this area, regardless of where your cardholder customers are located?

    In my next post I will do a deeper dive into some of the key elements I listed. I will also ask some questions about the effectiveness of Security Awareness Training and the increased focus on behavioral analysis as a prevention tool.

    * https://lnkd.in/eMQEqY_B

  • 𝐂𝐨𝐦𝐩𝐥𝐢𝐚𝐧𝐜𝐞 𝐝𝐨𝐞𝐬𝐧’𝐭 𝐡𝐚𝐯𝐞 𝐭𝐨 𝐝𝐫𝐚𝐢𝐧 𝐫𝐞𝐬𝐨𝐮𝐫𝐜𝐞𝐬 — 𝐢𝐭 𝐜𝐚𝐧 𝐠𝐫𝐨𝐰 𝐲𝐨𝐮𝐫 𝐭𝐨𝐩 𝐥𝐢𝐧𝐞. At #MWAA2025, we’re helping organizations rethink compliance…not as a requirement, but as a 𝘳𝘦𝘷𝘦𝘯𝘶𝘦 𝘰𝘱𝘱𝘰𝘳𝘵𝘶𝘯𝘪𝘵𝘺. Stop by Booth E34 to see how Aperia Compliance empowers you to: ✅ Offer white-labeled compliance services that generate income ✅ Strengthen merchant portfolios with smarter oversight ✅ Reduce churn and increase lifetime value Let’s chat in #Chicago . #MWAA

  • Only one week to go until MWAA 2025! 💥 Are you heading to Chicago? 📍 Stop by Booth E34 on July 30–31 to connect with the Aperia Compliance team. Here’s what you can expect: - Real‑world demos and use cases - Smart ways to simplify audit prep and merchant validation - Practical solutions for ISOs & MSPs managing compliance at scale Looking for a quick one-on-one conversation? Talk with John Newton or Mark Hayward, CPP — we’ll be there and ready to connect.

    We're excited to return to MWAA 2025 at the Chicago Marriott Downtown Magnificent Mile! 📍 Booth E34 – Join Aperia Compliance on July 30–31 to see how leading ISOs, acquirers, and PayFacs are turning compliance into a revenue driver. From simplifying PCI to merchant lifecycle oversight, our platform helps you:  ✅ Unlock recurring revenue through value-added compliance services ✅ Improve portfolio retention and margin ✅ Streamline onboarding and reduce manual effort Connect with Mark Hayward, CPP and John Newton in Chicago and explore how to scale smarter.
