Tony L. Keith

• PCI DSS/PA-DSS Gap Assessment / Roadmap / Compliance / Remediation
• System / Network Security and Technologies
• Information Security Policy & Procedure Development
• Web Application Vulnerability Scanning & Remediation
• Penetration Testing & Remediation
• Agile / Scrum Development Methodologies
• Staff Leadership & Team Development

PCI Security Specialist / System Admin (Tony Keith Consulting)
Alchemee, formerly The Proactiv Company - Los Angeles, CA

• Delivered comprehensive PCI DSS expertise guiding Proactiv through five consecutive V3.2.1 Level 1 certifications and first V4.0.1 SAQ Level 2 certification as a merchant on AWS cloud infrastructure.
• Conducted initial security posture assessment producing detailed gap analysis report with infrastructure recommendations and strategic roadmap for remediation actions.
• Implemented cross-departmental project management frameworkb> including weekly status meetings across multiple teams, ServiceNow ticket coordination, and comprehensive remediation tracking.
• Designed and deployed critical security infrastructure including jump host architecture, multi-factor authentication systems, enterprise password policy, and web vulnerability scanning capabilities.
• Developed complete security governance ecosystem featuring comprehensive information security policies, threat model risk assessments, Third Party Service Provider (TPSP) management program, secure Software Development Life Cycle (SDLC), and detailed network/connectivity/data flow diagrams.
• Managed end-to-end audit coordination including team preparation, evidence collection, penetration testing, vulnerability scans, and serving as company representative for assessments and QSA interactions.
• Achieved 90% reduction in compliance costs and asset footprint by designing and implementing optimized PCI scope environment in AWS, while maintaining ongoing system administration and compliance support through quarterly security reviews, vulnerability tracking, and documentation maintenance.

PCI Security Consultant (Tony Keith Consulting)
Meaningful Beauty - Los Angeles, CA

• Spearheaded PCI compliance during critical business transition when Meaningful Beauty separated from Guthy-Renker to become an independent entity, providing comprehensive consulting services throughout the separation process.
• Designed and implemented secure AWS development environment with full responsibility for system administration while ensuring continuous PCI DSS compliance during organizational transition.
• Led end-to-end compliance validation process including artifact and evidence verification against all PCI requirements, serving as primary company representative during assessments and QSA interactions.
• Delivered comprehensive PCI DSS expertise through leadership, remediation guidance, implementation strategy, policy development, and project management for three consecutive successful PCI DSS assessments while operating under the Guthy-Renker PCI umbrella.

PCI Security Consultant (Tony Keith Consulting)
Guthy-Renker - Los Angeles, CA

• Provided expert PCI DSS leadership through four consecutive V3.2 certifications and first V4.0.1 Level 1 certification as a merchant on AWS cloud infrastructure, culminating in successful completion of 6th annual assessment.
• Implemented cross-departmental project management with weekly status meetings across multiple business units, comprehensive remediation tracking, and creation of detailed Third Party Service Provider (TPSP) responsibility matrices for service providers, managed security services, and security service providers.
• Served as primary compliance validator and QSA liaison, thoroughly reviewing all artifacts and evidence against PCI requirements and representing the company during formal assessments and auditor interactions.
• Maintained ongoing compliance program through structured monthly and quarterly security reviews, vulnerability scan analysis, remediation support, and regular updates to policies, procedures, diagrams and system inventories.

PCI SME (Hexaware & Keyword Solutions)
Conduent - Lexington, KY

• Facilitated critical business acquisition by leading PCI DSS compliance for 26 call centers (8 clients) requiring both SAQ and AoC/RoC certifications, with sale contingent upon successful compliance validation.
• Provided expert guidance to Hexaware consulting team delivering comprehensive PCI DSS training and development of specialized procedures for artifact validation and evidence collection across multiple compliance requirements.
• Performed extensive technical remediation oversight including EOL hardware upgrades, network and server security control implementation (hardening, patching, logging), and comprehensive evidence collection for multi-client audits.
• Personally validated hundreds of compliance artifacts against PCI requirements across concurrent audits for 8 clients, utilizing Conduent's online tracking tools to ensure thorough documentation and validation.
• Led critical security assessment remediation through detailed network vulnerability scan analysis, extensive firewall ruleset reviews, and penetration test result evaluations with targeted remediation recommendations.

PCI Security Specialist / PCI SME (Tony Keith Consulting)
DonorDrive (formerly Global Cloud), makers of DonorDrive^® - Cincinnati, OH

• Led comprehensive PCI DSS compliance initiatives from V3.2 through V4.0.1, successfully guiding DonorDrive to achieve and maintain Level 1 certification as both a service provider and shared hosting provider across six consecutive assessments.
• Developed and executed strategic compliance roadmap by conducting thorough gap assessments, creating detailed infrastructure recommendations, and implementing targeted remediation plans.
• Established robust project management framework including weekly status meetings, JIRA ticket tracking system, and comprehensive remediation coordination for all compliance tasks.
• Implemented critical security infrastructure enhancements including jump host architecture, multi-factor authentication protocols, password policy frameworks (both internal and client-facing), and web vulnerability scanning systems.
• Created comprehensive information security documentation suite featuring policies, risk assessments utilizing threat modeling, Third Party Service Provider (TPSP) management program, secure Software Development Life Cycle (SDLC) protocols, network diagrams, and data flow documentation.
• Orchestrated all aspects of PCI audit preparation and execution including team coordination, evidence collection, internal/external penetration testing, vulnerability scanning, and serving as primary representative during on-site audits and QSA interactions.
• Maintained continuous compliance posture through quarterly security reviews, monthly scan analysis, vulnerability tracking, and regular updates to documentation and system inventories.
• Successfully navigated complex platform migration from colocation facility to cloud environment while ensuring uninterrupted compliance through third and fourth annual on-site PCI DSS assessments.

PCI Security Specialist / PCI SME (Vivitech Business Solutions)
Pomeroy - Hebron, KY

• PCI PIN Compliance Manager (6 years):
• Served as PCI PIN Compliance Manager for 6 years overseeing Key Injection Facility (KIF) operations for POS PIN pad security, including documentation maintenance, security process implementation, and continuous compliance improvement.
• Achieved perfect compliance record successfully guiding team through four consecutive PCI PIN audits, spanning three V2 assessments and one V3 assessment with zero critical findings.
• PCI DSS Gap Assessment (6 months):
• Conducted comprehensive PCI DSS Gap Assessment through on-site and remote interviews with technical personnel, extensive documentation review, system configuration analysis, and evaluation of existing PCI artifacts.
• Delivered expert Cardholder Data Environment (CDE) analysis with detailed in-scope determination and documentation, creating comprehensive scope memorandum as key project deliverable.
• Facilitated remediation planning process by collaborating directly with business owners to establish realistic timeframes and implementation strategies for addressing compliance gaps.
• Created extensive assessment documentation including 50+ page gap assessment report with detailed analysis, infrastructure recommendations, and strategic remediation roadmap, culminating in executive-level presentation to Pomeroy's management team.

Security Analyst / PA-DSS SME (Tony Keith Consulting)
Data Management Associates, Inc. (DMA), MACH Software - Cincinnati, OH

• Spearheaded PA-DSS V3.2 compliance initiative for MACH Software ERP product, performing comprehensive gap assessment of software controls and documentation against stringent payment application requirements.
• Implemented enhanced security testing protocols including web vulnerability scanning, network traffic analysis, and specialized scanning for sensitive cardholder data, complemented by a thorough threat model risk assessment methodology.
• Developed comprehensive compliance documentation by rewriting implementation guide and Software Development Life Cycle (SDLC) documentation to meet PA-DSS requirements, supported by detailed network and data flow diagrams with textual descriptions.
• Orchestrated complete compliance process by scheduling and coordinating all PCI-related activities including team meetings, evidence collection, and direct interface with Qualified Security Assessor (QSA).

PCI Security Consultant / PCI SME (Tony Keith Consulting)
UC Health - Hospital and Health Care Provider Network - Cincinnati, OH

• Performed on-site and remote interviews with client’s technical personnel to gather information about PCI environment.
• Reviewed client’s documentation and environment technologies configurations.
• Assessed and evaluated the client’s in-scope Cardholder Data (CHD) environment for PCI V3.1 compliance and created in-scope memorandum.
• Performed PCI gap assessment working against the PCI Security Standards Council’s Prioritized Approach Tool v3.1.
• Reviewed compliance gaps with business owners to determine remediation time frame.
• Finalized and submitted appropriate SAQ.
• Produced a formal PCI DSS gap assessment report with analysis, infrastructure recommendations and roadmap with corrective actions and remediation.

Security Specialist / Technical Advisor (Tony Keith Consulting)
Montrose Travel - Montrose, CA
Physical and online based travel agency and loyalty program solution provider - $300M revenue, +220 employees.

• Led, Directed, Oversaw system and network security assessments to ensure PCI DSS compliance; provided strategic recommendations for security technologies and architectural improvements.
• Initiated, Coordinated, Executed PCI-related projects across departments, including deployment of a secure FAX system, updates to password and data retention policies/scripts, integration of database encryption technologies, and a full data center migration.
• Managed, Streamlined, Tracked all PCI project workflows and audit evidence collection using JIRA, ensuring timely completion of milestones and audit readiness.
• Planned, Scheduled, Facilitated all audit-related activities such as penetration tests, vulnerability scans, team meetings, and on-site audit coordination.
• Represented, Communicated, Liaised as the company interface during QSA audits, penetration testing sessions, and compliance reviews, ensuring full transparency and alignment.
• Achieved, Delivered, Led three successful PCI DSS Level 1 certifications (2014 v2.0, 2015 v3.1, 2017 v3.2), certifying Montrose Travel as a compliant merchant and service provider through Trustwave.

Chief Technical Officer (CTO) / Security Officer
Commercegate - Barcelona, Spain (Commercegate)
Online payment processing platform in EU.
DHD Media - Santa Monica, CA (Emanon)
Online payment processing platform in USA.
Segpay (Toccata) - Coral Springs, FL (Emanon)
Online payment processing platform in USA.

• Directed enterprise-wide technology including infrastructure, cybersecurity, and support services across multiple organizations and platforms.
• Shaped the company’s long-term technology vision by formulating and executing IT strategies aligned with business goals.
• Architected a modern, scalable processing platform with rule-based fraud filtering, template-driven payment forms, and a configurable rebill system using technologies including Apache, Tomcat, Java, Oracle, Spring, Hibernate, GWT, and Sencha.
• Led geographically dispersed development teams across five global locations and four time zones, ensuring seamless collaboration and project delivery through extensive domestic and international travel.
• Managed compliance process through eleven consecutive and successful Level 1 PCI DSS 2.0 compliance audits by overseeing all aspects of security strategy and audit preparation as CSO.
• Developed and maintained critical technical documentation, including PCI DSS policies/procedures, system requirements, and public APIs (JSON, XML, REST).

Chief Technical Officer (CTO)
Epassporte (24/7 Commercial Marketing) - Santa Monica, CA
The first online pre-paid re-loadable VISA debit payment system.

• Led, architected, and delivered the end-to-end development of Epassporte, taking the product from concept to market launch as one of the first and most successful online prepaid reloadable card solutions.
• Designed, developed, and standardized a SOAP/HTTPS communication framework that enabled secure interactions between the platform and cardholder VISA accounts—later adopted as a standard by payment processor TSYS.
• Directed, managed, and mentored programming, development, and administrative teams in a fully open-source technology stack (Linux, Apache, Tomcat, MySQL, Java, PHP).
• Conceptualized, prioritized, and implemented product enhancements and new features through Agile methodologies, accelerating time-to-market and improving user experience.
• Wrote, maintained, and refined all technical documentation and architectural diagrams to support scalability, compliance, and ongoing development.

Vice President of Technology / Chief Security Officer (CSO)
Paycom.net / Paycom LLC / Epoch Systems - Marina Del Rey, CA
An industry leader in online payment processing.

• Conceptualized, led, and launched innovative products and features in the payment processing domain, including fraud filtering mechanisms, alternative payment models, cross-sell engines, affiliate/reseller tools, and strategic marketing integrations.
• Directed, managed, and scaled a 22-member team across Technical and Technical Support departments, including 11 Java/PHP developers and system administrators responsible for all production systems, and 11 highly trained technicians supporting client setup, configuration, and data issues.
• Authored, implemented, and maintained all internal procedures, security policies, and documentation to ensure full compliance with Payment Card Industry Data Security Standards (PCI-DSS, formerly CISP).
• Completed, coordinated, and passed four consecutive Level 1 PCI-DSS (CISP) audits as Chief Security Officer, working closely with external assessment firms.
• Envisioned, led, and executed the technical design of an online prepaid debit card system—Epassporte—which evolved into a pioneering product in the fintech space.

Turn-Key Software Solution Provider (Keith Consulting Services, Inc.)
Middletown Steel - Middletown, OH

• Completed a large system port of an inventory control and accounting system for a large steel cutting company (Middletown, OH).
• This system port was from SCO Unix to QNX and included recreating over 100 libraries functions written in 'C' that no source code existed for. This included all user interface functions, printing functions, calculation functions and database functions.

Independent Consultant (Keith Consulting Services, Inc.)
H.K. Systems - Hebron, KY

• Successfully completed a large system port (QNX Version 2 to QNX Version 4) and upgrade of a high speed, high volume (SBIR) merchandise sorter for a national women's clothing distributor (Greencastle, IN).
• This system port also included redesigning every process to support an SQL database (Sybase) instead of the existing ISAM database.

Turn-Key Software Solution Provider (Keith Consulting Services, Inc.)
Crane Naval Support Center - Crane, IN

• Successfully completed a large system port (QNX Version 2 to QNX Version 4) and upgrade of a three aisle AS/RS (automatic storage / retrieval system) inventory control system for a government project in electronic parts warehouse and distribution facility (Crane, IN).
• This system port also included converting large ISAM tables to a fully SQL supported database (Sybase) and a complete redesign of all database structures and SQL queries.

Independent Consultant (Keith Consulting Services, Inc.)
CASI (Computer Aided Systems, Inc.) - Hayward, CA

• Lead system software consultant for an international shoe company (Nike) on a complete warehouse management control system (Memphis, TN).
• Participated in system analysis and design, software development, testing, writing documentation, installation, training and technical support on a QNX based system. The system integrated components and sub-systems into a complete warehouse management system. This included a host computer (HP9000), many PLCs and a PLC gateway computer, tilt-tray sorter, pick-to-light paperless picking system and miles of powered conveyor.

Independent Consultant (Keith Consulting Services, Inc.)
F & A Data Systems - East Brunswick, NJ

• Completed a warehouse management system on RF data collection terminals.
• Designed and documented a standard communication and messaging protocol for host systems.
• Implemented and tested six communication client / server processes using TCP/IP sockets on three different systems.
• Developed a library of support functions for RF terminal screens using Curses. This library was used to implement three complete RF based warehouse management systems.

Turn-Key Software Solution Provider (Keith Consulting Services, Inc.)
Forte Industries - Mason, OH

• Independently designed, developed, implemented and installed four real-time, PC based, software systems for Forte Industries (a Buschman conveyor distributor - Mason, OH):
  1. A merchandise tracking and 7 lane shipping sortation system for a baby product warehouse.
  2. A merchandise tracking and 16 lane shipping sortation system for a book distribution warehouse.
  3. A print/apply labeling, merchandise tracking & 21 lane shipping sortation system for a candle manufacturing distribution warehouse.
  4. A complete host label printing system for printing pallet contents on multiple labels.
• All systems were developed in ANSI 'C', QNX Windows, Sybase SQL using QNX (UNIX like) a real-time, multi-tasking, networked, multi-user, operating system.

Senior Software Design Engineer (Full-Time & Consultant) Western Atlas (Litton Automation->H.K. Systems) - Hebron, KY

• Designed, developed, implemented and installed four real-time, PC based, software systems:
  1. A five aisle fully automated storage and retrieval system (AS/RS) with conveyor feed input and output for an international truck tire manufacturer (McMinnville, TN).
  2. A three aisle fully automated storage and retrieval system (AR/RS) with full inventory control for a government electronics parts warehouse installation (Crane, IN).
  3. A high speed, high volume (15K units / hour) merchandise sorter (SBIR) for a national clothing distributor.
  4. A three aisle AS/RS software project for scheduling and delivering cotton and polyester bales to thread processing machines (Rabon Gap, GA).

Senior Software Engineer
The Buschman Company->FKI Logistex - Cincinnati, OH

• Performed technical lead position on a new $750K carousel picking and storage management software product to be written in 'C' and FoxPro under DOS, using Novell network/filesystem and Codebase 5.0 database engine.
• Project was canceled due to the purchase of a competitor company which already had developed a similar software package and had an existing staff of 25 software engineers.

Software Engineer, Systems Analyst III
Practical Control Systems (PCS) - Cincinnati, OH

• Designed, developed and implemented many aspects of real-time, PC based, inventory control and merchandise picking systems. Coded in 'C' using C-Tree ISAM database engine under QNX real-time operating system.
• Interfaced various types of hardware to PCs including mainframe equipment, embedded controllers, and PLCs via RS-232/422/485 serial communication links.
• Responsible for completion and installation of an inventory control / paper-less picking project based in Cape Town, South Africa for Foschini Group (06/91 - 07/91).

President of Non-Profit, Charity Organization
Teal We Find A Cure, Inc. - (Organization Website - www.tealwefindacure.org)

• President of a 100% volunteer, 501(c)3 non-profit, charity organization dedicated to raising funds that gives women the early detection screening they need to beat ovarian cancer. Our inaugural event, we raised and donated more than $15,000 to ovarian cancer awareness and research. In 2019, we made a commitment of $250,000 for the designation of the Center for Gynecologic Cancer Care, at the new St. Elizabeth Cancer Center in Edgewood, KY in which this area is named after Tracy Madrick Keith. Since then, through shared passion for our mission and generosity of our supporters, we fulfilled our commitment of $250,000 in September 2023.
• Responsible for organization spokesperson, overall business functions, attending and organizing committee meetings, creating and maintaining eCommerce web site, requesting sponsorship and donation from companies and individuals.

Professional Information Security Certification
CISSP (Certified Information Systems Security Professional) - #540621

• Currently maintaining good standing with CISSP certification which requires 40 Continuing Professional Education (CPE) credits per year.

Author
Technical Blog / Articles

• "ESP8266 MyWidget" on Hackaday.io and as open source project on Github.
  Learning tool or a template for starting a new ESP8266 Wifi microchip project. It contains many of the components to build a ESP8266 project with dynamic web interface.
• "Web Driver IO Tutorial" on personal blog and as open source project on Github.
  Extensive tutorial article including many working examples and a working web site.
  • Also published on Instructables.com web site.
• "DMX Tester - Inexpensive Tester for sending DMX-512" on personal blog
  DMX-512 is a communication protocol used in the lighting industry. This article is based on a hardware/software project I built.
  • Also published on Hackaday.io and Instructables.com web sites.
• "State Machine Programming and Input Validation" on personal blog
  State machine programming is ideal for keyboard input validation. This article is a complete working example including source code.
  • Also published on Hackaday.io and Instructables.com web sites.

University of Cincinnati - Cincinnati, OH

• Graduated with a Baccalaureate of Science in Electrical Engineering Technology (BSEET).
• Maintained part-time and full-time co-op jobs throughout college to help cover tuition and expenses.
• Designed and built a PC based 24 analog channel stage lighting controller with complete user software and hardware interface as a senior design project. This project was used to control an outdoor lighting show for 3 weeks at the grand opening of the Cincinnati Museum Center at Union Station.