
Unlocking Cybersecurity Staffing Solutions for Banking
Last updated September 22, 2025. In today’s threat environment, banking cybersecurity has become more high-stakes than ever. It’s essential to protect customers, data, and deposits.
You get a single team handling cybersecurity, IT, and data integration services like EDI, filling the gaps in your team.
“Corsica is a one-stop shop for us. If I have a problem, I can go to my vCIO or a number of people, and you take care of it. That’s an investment in mutual success.”
– Greg Sopcak | Southern Michigan Bank & Trust
PCI compliance is complex and challenging. Many organizations need expert support and guidance on their compliance journey. Here at Corsica Technologies, we help companies achieve and maintain compliance through experienced consulting and professional services.
It’s tough to keep up with internal resources alone.
It’s challenging to demonstrate through formal attestation that you’re meeting PCI-DSS requirements. Many companies misunderstand the process here. Our consultants bring clarity and a step-by-step process for nailing your SAQ.
Securing cardholder data is a complex undertaking. A GRC (governance, risk, and compliance) platform makes this process simpler through automation. Corsica Technologies provides a GRC platform, enabling your organization to achieve and maintain compliance.
Need an expert perspective? vCISO (virtual CISO) consulting provides access to a seasoned PCI expert who can advise on the unique PCI compliance challenges you face.
PCI-DSS compliance starts with a full understanding of the scope of your data, systems, and processes that must comply. We work with you to get a firm understanding of your scope.
Do you need to implement additional cybersecurity controls, systems, or processes to achieve and maintain compliance? We collaborate with your team to implement what’s needed.
PCI compliance doesn’t end with an annual effort. It requires continual effort. That’s why we provide managed cybersecurity services to strengthen your compliance standing.
It’s not enough to fill out your SAQ and hope for the best. Without a clear view of your PCI scope (or a plan for continual compliance), you’ll end up in the same place again.
A managed cybersecurity service provider can help. Here at Corsica Technologies, we’ve helped over 1,000 clients solve their technology challenges. Let’s explore how we can help your organization.
Wherever you’re located, we’ve got you covered. Our team can work in person if you’re local, or remotely if we’re not nearby. Get the PCI compliance help you need today.
People still think that hackers are only going after these huge enterprises, but what they realized is instead of spending a year breaking into a Fortune ten, they can, in five minutes, break into three hundred law firms with the exact same technology stack. And SMB owners still have this mindset, like, why would they hack me?
Yeah. You never think it's gonna be you until it is. Right? So
Welcome back to another episode of Unraveling IT: Expert Tech Talks, where we dig into the good, the bad, and occasionally terrifying corners of technology and try to make sense of it all before the hackers do. Today's episode is a special one. We're joined by Valentina Flores, cofounder of Red Sentry, a company built on the idea that the best defense starts with a smart proactive offense. She literally went from chasing criminals down dark alleys to tracking them through firewalls, phishing campaigns, and the occasional poorly secured webcam. We're diving deep into offensive versus defensive cybersecurity, what real world pen tests actually look like, why SMBs are juicier targets than they think, and how AI is making both hackers and defenders terrifyingly efficient. So buckle up, whether you're an IT pro, a business leader, or just someone who still uses password one two three, this conversation is going to give you a lot to think about and probably make you want to schedule a pen test immediately.
Well, thank you for joining us today, Valentina, on another episode of Unraveling IT. To kick things off, can you go ahead and tell us a little bit about your journey that started in chasing cybercriminals that kinda led you to Red Sentry?
Yeah. Thanks for having me. Yeah. So I start off I start off in investigations literally chasing criminals. And then when I moved into Internet crimes, you know, started chasing them through the computer.
And, you know, what made me really successful as an investigator was understanding victim psychology and criminal psychology, and that's kind of where the start of Red Sentry came from. So my cofounder and I, we had just this idea that defense doesn't have to be so reactive, and we wanted to make cybersecurity just a lot more accessible to companies of all sizes and all industries, and so that's why we started Red Sentry.
Wow. That's that's so you literally were out there in the field chasing down cybercriminals, finding them, and and arresting them, essentially?
Yeah. It's definitely a different background than most. And Yeah. You know? Yeah. So I was on some federal and state task forces and out there just actually on the streets and then moved to the computer side and then came over to the private sector, which, you know, love this side of the house.
Yeah. I bet. So, you know, Red Sentry's tagline is hack before the hackers do. What does that actually mean in in practice, and how does it shape your your company's mission?
Yeah. So a lot of people know about defensive cybersecurity, so, like, putting in firewalls and protecting your systems. Not a lot of people know about offensive cybersecurity, which is the other side, and it's testing those defenses. So what we do is we simulate real world attacks. We have a team of hackers. The only difference is we have permission to hack in a much different intent. So we hack into companies and show exactly where all the vulnerabilities are so that they can fix those vulnerabilities before, you know, a malicious attacker finds them. So it's really about that proactivity and testing your defenses because if you've built a system, you can't unbiasedly test that own system. And happens a lot of creativity, and there's a lot more to it than just the tech involved. And so we come in as that third party resource to really test what you guys have and, you know, see what your security posture is.
You know, I I think we've had a a client say to us before that security that's not tested is not security at all. Yep. And it sounds like that's kind of more or less what you're referring to is that, you know, you can put in place all of these defenses, but without actually testing them or vetting them, you have no idea if they're doing what they're supposed to be doing. And so that's where Red Sentry comes in. Is that correct?
Yeah. And there's a lot I mean, sometimes there's ego involved and, oh, we're so secure. I mean, no company is unhackable. There's always room for improvement. You know? If we're if we're working with an SMB where this is their first ever test, there's probably gonna be a lot more findings or different, more base level findings. If we're working with a super mature mid market enterprise that has a whole security team, then the testing's probably gonna be a little different, more advanced. Everyone has room for improvement in security. And if you don't have that growth mindset, you're just gonna kinda fall behind.
So what does an actual pen test kind of look like in practice?
Well, we always start with scoping, and scoping is really figuring out not just what we're gonna test, but the goal of the engagement. So like I just said, you know, an SMB trying to get through SOC 2 compliance, that test is gonna look very different than an enterprise who might just be like, hey. Here's the flag. Go find it. And we can do anything necessary to get to it. We can use social engineering, phishing versus compliance pen tests or more. These are the tests we're gonna run for this industry. So it starts with scoping, and it's just figuring out what we're gonna test, how we're gonna test it, what are the rules of the engagement, just kinda putting those guardrails in place.
And then from there, we move into the actual active testing phase, and we're trying to figure out those entry points into the company depending on the type of test, you know, if it's through passwords or, you know, breaking into the system somehow using leaked credentials or something else. And then once we're inside, we're gonna try to see what we can find. Can we see things we're not supposed to see? Can we find a user credential online and then get up to an admin credential, which is more common than it should be? So we're basically going in and seeing what we can do once we're inside. And then we're putting all of those different vulnerabilities inside a report and prioritizing them for the team so that when we hand that back over to that company, they know, alright. I have x y z to do, but I need to start here. This is the highest priority, and then we'll kinda build out our security road map.
Gotcha. And so you you said rules of engagement there, and I kinda want some clarity around that because, you know, hackers, there are no rules of engagement. Right? I mean, they can do whatever they wanna do, and they will do whatever they need to do to get in. Do you guys typically take similar approaches? Do you, you know, set up boundaries with the organization? Is there anything that you're not allowed to do, you know, to try and gain access?
It depends on the organization. So, you know, most companies have, like, a specific target, like, hey. Just test our web application or just test this. Or if you get to this point, stop and tell us. So, like, you can break in, but don't obviously, don't steal everything. Or, like, you can break in, but don't shut down the system. That's kind of more what it's like. So it's showing you what we can do more than actually doing it. But there are times when, you know, it's called, like, red team exercises. It's a little more open, and it's just, you know, go see what you can find. Go see what you can do.
So it really depends on the organization. But regardless of that, we like to set up clear boundaries, make sure everyone's on the same page with what this is gonna look like, just full transparency. Because, I mean, we are breaking into their system. And if there's not that transparency and communication, you know, a lot can go wrong.
What are some common misconceptions, you know, that that people typically have around pen testing?
Well, I think for security in general, people think of it as a finish line to get to or, like, a box they check and it's complete, and security is not like that at all. Security is point in time. Yeah. It's a journey. It's everyone has small things they can do. And I think sometimes, especially businesses that don't have huge security teams of their own, they can get overwhelmed by reading the news or seeing all these advanced things they could be implementing. And it's just about starting with the basics and just figuring out what that road map looks like for your company. So I I wish that was more how it was viewed is that it's more of a journey, and it should be a normal conversation had within your business.
We're recording this episode in September, but it will be released in October. And as we all know, October is cybersecurity awareness month. Is there a specific message that you think we should be amplifying this year?
Yeah. I mean, I think to me, it's I think it's a little bit of a misnomer because cybersecurity awareness I mean, we're all aware that getting hacked is bad. The problem is not enough companies take that and create action plans from it or get traction. So maybe we should call it, like, cybersecurity traction month. But I think, you know, it is a good justification month? Yeah. And at least, like, start those conversations. And, you know, I think one big thing is that it's not an IT problem.
It's also a leadership conversation and how leaders are putting this out to their team and, you know, security touches every single person every single day of the year. And it shouldn't just be talked about once a year by a couple of developers. Like, the whole company should be having these conversations. So, you know, I'd love for companies to take this month and just kind of start that conversation process and figure out the road map and make your whole team part of it. I mean, tech support is one of the most frequently attacked, like, HR, finance, sales teams. I mean, everyone needs to be part of that conversation.
And how do you suggest organizations go about doing that? You know, building that culture around cybersecurity. Have you have you maybe seen certain certain approaches be more effective than others?
Yeah. I mean, I think, know, realizing you don't have to go from zero to a hundred, I think starting out, if I were to say like, everyone listening, look at your calendar right now and just set, like, a one to two hour block on your calendar for at least your leadership team, and you can download, you know, questions for a risk assessment. You can download incident response template and just start having these conversations and figure out what your gaps are, and then just put one thing on that road map for Q4 or for the next quarter coming up. And that at least gets the the traction. I think that's the hardest part is to start because there's so many options when you're looking at security. So it's kinda just get that meeting, have a risk assessment talk. It's free. Don't have to bring in outside people. You can, but just start the conversation and then get that traction flowing.
Yeah. Well and and culture is one piece of the puzzle. Right? There's also a a cost perspective as well. Right? I mean, cybersecurity isn't isn't free, and it's it's maybe not the cheapest thing either.
You know, have you found effective ways to get the messaging across or get buy in without just selling based on fear?
Yeah. I mean, not every company needs us yet. Like, if you haven't updated your passwords in ten years or if you're switching it from an exclamation mark to an at symbol, you know, there's things you can do for free before you're ready for us. Yep. And I think it also depends on the compliance frameworks and if someone's telling you you have to go get this done. But there's so many things that are free that you can do even just like I mentioned, incident response plan. Just sitting down and being like, hey. If we were hacked today, who's doing what? Who's the first person we're calling? Who's in charge? Who's doing this? That fifteen minute free conversation with your team can just make a drastic difference in your security. So I think it's just starting that and having the culture. And then as you're ready for those more advanced things I mean, it's it's like insurance. We all pay for business insurance. And I think once you start looking at the cost of downtime and reputation loss and ransomware, security is pretty cheap. I think we have this idea that it's, like, a nice to have that's super expensive, and it's, first of all, not as expensive nowadays, and it's also not a nice to have. Like, we should have it the same way we have insurance or anything else we're paying for like that.
Yeah. It's there to protect you. Right? Ultimately, you have to take steps, though, to ensure that, you know, you're protecting yourself. Let's talk about the, you know, the the the biggest buzzword in IT right now and in cybersecurity, and that's artificial intelligence. You know, how does Red Sentry view AI? You know, do you are you beginning to experiment with it, or or do you think it's gonna change the landscape? Where are you guys at with it?
Yeah. I mean, it's pretty much a weekly debate among amongst us, our clients, our partners, our competitors.
And it's your it's an interesting time. I think a lot's changing very fast. For us specifically, we believe that AI has not come far enough to fully mimic a pen test. We still do human led pen testing, but we are using automation to streamline the things that don't need humans. So Yep. Like gathering assets or, you know, drafting reports, pulling findings into things naturally. So we're using automation where it helps, but keeping our humans for that creative, you know, logic based that side of the house. So I think it's changing very fast. I have no idea where it'll be in a couple years, five years, ten years. Yeah. But for us, we are using it to augment, and we're playing around with a lot and just seeing where it takes us. But from a client perspective, you know, it's a huge part of our business right now because every client we have is just throwing AI in randomly into different places in their company without making sure that they're limiting what it has access to. So, for example, every time we do a web application now or even like a website, you know, your normal website, there's a chatbot. And that chatbot, you've probably hooked ChatGPT up to it or something, and we can use that to ask it questions, and it'll tell us more about you than you want it to. So it's introducing all these vulnerabilities into companies without them really realizing it. So I'd say that would be one message I have is as you're implementing AI, AI is incredible. It's wonderful. I'm really excited to see where it goes. Just do it intentionally. Like, why are you putting this in? What does it actually need access to? And, you know, a big thing we talk about in security is the principle of least privilege. Like, only give this to people that need access to it, and you should treat AI the exact same way. You don't have to give it the keys to the castle. What does it need access to to do this job? And that'll help limit it a lot.
Yeah.
And, you know, I guess maybe speaking along some of those same lines, you know, it sounds like you've done some of these exercises where you've gone into a web, you know, based application or even just a website, gotten into the chatbot and gotten more information than, you know, the the client probably wanted to wanted to know that, you know, was available to them. Are you able to, you know, without naming names, kinda give a a real world scenario of an instance where, you know, you have breached somebody and one lesson that the CEO maybe took away from from that, you know, engagement.
Yeah. I mean, I think I mean, chatbots are huge. We're hacking into chatbots every day. I think often it's just what you forget about. So for example, we had a law firm earlier this year, and their client files were super buttoned up. We couldn't get in. They were I mean, they did a great job securing those sensitive files, but then they had forgotten that the camera in the conference room still had admin admin as the password. So we were able to get into the conference room cameras, which gave us full access to their client data. And so I think it's that's where the third party really comes in is, like, you think you're securing one thing, but this other thing is wide open. And then I think the biggest thing I see also is when that attack happens, just not being ready for it. You know, we spend a lot of time building defenses, but we don't do any time we don't spend any time doing incident response. And I I guess, especially coming from my law enforcement background, like, this happens. Crimes happen. Everyone becomes a victim. So being able to handle that when it comes is something I'd like for companies to do more of. And I think in twenty twenty five, it was something like teams without an incident response plan ended up having to pay fifty eight percent more in a breach than teams that just had an incident response process ready.
So it's it's a huge difference maker that I wish more companies would take advantage of.
And, you know, speaking of maybe some of those companies, I'm assuming a lot of those companies that that don't have the incident response plans are smaller organizations or organizations that may not have, you know, like, a a fully fleshed out IT team. You know, what are the biggest barriers they face, you know, in the the cybersecurity landscape? You know, what what's stopping them from implementing some of these security principles or best practices?
Yeah. There's a couple different types of organizations that are, you know, underserved or not as advanced as they need to be. The first is gonna be anything government, and I come from the government sector, so I get why. But especially, like, school districts, police departments, anything like that, it's it's budget. It's red tape. It's, you know, there's so much on their plates that security just is always gonna fall to the background. So for those companies, it's trying to figure out an affordable, easy to implement option that doesn't take a lot of back and forth and just finding that that kinda easy starting point because, I mean, those government organizations are being hit so hard by hackers right now. And then for smaller companies that don't have a CISO or don't have a tech team, it's really just figuring out what that first step is. And sometimes it is a pen test, but maybe we're starting with one little piece of their environment. We have a lot of companies that come to us for a web application because that's normally what they want tested in, like, a SOC 2 or something like that, some kind of compliance. And then maybe, like, six months later, they'll come back and do a social engineering test or, you know, an internal or a cloud. And so it's kinda like you don't have to do this all at once, but, like, what's the most important piece that we need to start with? And that's where we start.
And a lot of it's just education and figuring out, you know, what their unique business needs are and what their risk is and where we need to start.
And how is Red Sentry specifically may maybe making pen testing more affordable, more scalable for organizations like that? I mean, are you guys doing anything special for them?
I mean, I'd like to think it isn't special, but I think what one thing I'm most proud of is just our balance of humans and tech, and I think that's something that a lot of companies are moving a little bit to tech, which may sound weird as a tech CEO. But, you know, there's certain things that are problems and certain things that are human problems. And I think we've done a really good job of automating what we can automate to let our humans do their job better. And I think that's where a lot of SMBs, you know, can get that true pen test, but at a more scalable way or at a more affordable rate. And, also, I mean, you know, ten years ago, their pen testing was just not as common. And so it was there was a lot of, like, fluff in the pricing and a lot of overcharging. And so that's a lot of what we're trying to take away and just get people what they need, you know, for that security.
How does the role of diversity right? So whether it's, you know, through background, through thought, experience, sort of help to build a stronger pen testing team?
I've actually never been asked that question, and I think it's a great question.
Yeah. I mean, we all have different backgrounds. Right? I mean No. It's it's awesome. Different things to the table.
Yeah. And neurodiversity is actually one of my, like, side passions. And I think it's so interesting that you say that because hackers exploit blind spots. And the more diverse your team is, the fewer blind spots you have. So on my leadership team alone, I have an engineer. I have a former teacher. I have a marine veteran. And so it's like everyone sees risks differently.
And sometimes, you know, we end up butting heads for a whole meeting. But I think it's just like being able to capture that three sixty from all those different angles is so valuable as a leader. So, yeah, I think cognitive diversity is so important right now. I hope more companies are taking that on, and I think it's a huge value add to your team.
Yeah. That that makes total sense. I mean, like I said, everybody's got a different background. To your point, we're all seeing risks through different lenses. Obviously, somebody, you know, marine versus a teacher, that's gonna be a pretty dramatic difference in in how they view threats. So
And not only threats, but just how you, you know, process those threats. Like, there are people that are gonna wanna go a hundred miles per hour, and then there's those of us that might wanna sit and analyze for months. And it's like having that balance of people, I think, just makes a company so much stronger.
Yeah. Analysis paralysis can kill a company, so it's it's good to have a a healthy dose of, you know, I'll say reserved recklessness. Right? You know, you gotta you gotta be quick to respond, quick to react, but it's nice to maybe step back and think at times. But, you know, for business leaders listening today, what's one action you'd like them to take or, you know, suggest they they do take here in the coming weeks or or months?
I'd say set up that meeting we talked about earlier. Download a free template for an incident response plan. And just have that initial meeting with your leaders and figure out what those gaps are and just list them out. And then from there, once you have it on paper, it's a lot easier to figure out, you know, what that thing is you're gonna start on. So just one step at a time. I love the phrase, you don't have to outrun the bear. You just have to outrun the person next to you. And that's really what cybersecurity is. You know?
You don't have to be better than the hackers because you're not gonna be. But every little step you take, you know, leads them to go somewhere else. So it's just starting with those baby steps.
Yeah. You know, that's that's one question I've actually been asked here recently, and I'd love to get your your take on it. But do you think that AI benefits the hackers or the the defenders more?
Oh, both. I mean, I think the hackers are always gonna be ahead of us, you know, slightly. I think there's so much it's doing that's cool on the defensive side. A lot I think both sides are kinda moving at a similar pace. But hackers, you know, I we think of them as these guys in basements and hoodies, and that's really underestimating them. Like, yes, they are independent, but they're also operating at these they're combining and operating at these huge organizational levels. And they have tiers, and they have HR teams, and there's so much more to those than we think about. And so they're using the AI the exact same we are to automate their process, to scale their business. So it's really it's both sides. I think AI is just it's like every other piece of technology. You know? Computers helped defenders and attackers, Internet, both sides. So, yeah, it's very interesting question. I think it's I think it's pretty even, but the hackers are always gonna be a little ahead of us.
Yeah. I'd I'd probably tend to agree with that statement, especially, you know, hackers what what it's doing is it's allowing them to hack more systems at once. Right? Right. Not that not that they couldn't not that they couldn't do that before, but now they can do it at a scale that, you know Yeah. They couldn't
And one thing that's been interesting about it is that's really a big piece of why the targets are changing as well. And people still think that hackers are only going after these huge enterprises.
But what they've realized is instead of spending a year breaking into a Fortune ten, they can, in five minutes, break into three hundred law firms with the exact same technology stack. And so it's making them a lot more scalable to the SMB market specifically. And SMB owners still have this mindset of I don't have anything sensitive or importance, like, enough for hackers. Like, why would they hack me? And so that's something that we try to push a lot is it's not just that, like, everyone's a target, and they are, but the reason is that automation and scalability makes SMBs as a whole a lot more attractive.
Yeah. You never think it's gonna be you until it is. Right? So Yeah. Well, thank you, Valentina, for joining us today. I I do have one final question. Where can, you know, our listeners and people who are interested, you know, go and find more about Red Sentry?
Yeah. Our website is redsentry.com. We're also on LinkedIn. I post a lot there. Just thoughts about cybersecurity, neurodiversity, anything that pops in my head. We're on social media. We're on every platform you could think of, but definitely come find us on LinkedIn. And if you have any questions or or even curious about pen testing or any of the stuff we talked about today, you know, we have resources that make that first step less intimidating, so please reach out.
Yeah. Again, thank you for taking time out of your busy day joining us. And, you know, I I certainly learned a little bit about ethical hacking, pen testing. So appreciate your time, and, you know, hope you have a great rest of the week.
Yeah. Thanks for having me.
Yep. Thank you.
Huge thanks to Valentina for joining us today and pulling back the curtain on the world of ethical hacking. If you take nothing else away from this episode, remember, cybersecurity isn't a finish line. It's a full-on marathon where the course changes every mile.
If you enjoyed this episode, make sure to subscribe to the podcast, share it with a colleague who still thinks we're too small to get hacked, and leave us a comment or review. It really does help more people discover the show. And as always, remember, technology is only as powerful as the strategy guiding it. I'm Garrett Wiesenberg, and this has been another episode of Unraveling IT: Expert Tech Talks. Thank you, and see you next time.

Fill out the form, and we’ll respond within one business day. Let’s take the next step in your PCI compliance journey.
No. PCI-DSS compliance isn’t something that a service provider can grant or promise to a client. PCI compliance is the responsibility of the merchant (the organization that accepts card payments). Compliance must be formally validated by either a QSA (qualified security assessor) or the merchant’s own SAQ (self-assessment questionnaire), depending on transaction volume and scope.
No MSP, MSSP, or IT provider can offer services that guarantee PCI compliance for a client.
Absolutely! We help clients achieve PCI compliance through three primary services:
Yes! We are a leading provider of managed cybersecurity services. You can explore our other offerings here: Managed Cybersecurity Services.
We’ll respond within 1 business day, or you can grab time on our calendar.