Tony L. Keith

• PCI DSS/PA-DSS Gap Assessment / Roadmap / Compliance / Remediation
• System / Network Security and Technologies
• Information Security Policy & Procedure Development
• Web Application Vulnerability Scanning & Remediation
• Penetration Testing & Remediation
• Agile / Scrum Development Methodologies
• Staff Leadership & Team Development

PCI Security Specialist / System Admin (Tony Keith Consulting)
Alchemee, formerly The Proactiv Company - Los Angeles, CA

• Provided PCI DSS expertise, organization, remediation advice, policy development and project management to The Proactiv Company for 1st through 5th, PCI DSS, V3.2.1, level 1, certification and 1st, V4.01 SAQ, Level 2, merchant on a cloud based system (AWS).
• First produced PCI gap assessment report with analysis, infrastructure recommendations and roadmap with corrective actions and remediation.
• Second provided project management which included weekly status meetings with two different departments, ServiceNow ticket creation and tracking for all remediation tasks. Also provided recommendations on technology and configuration for segmentation, jump host usage, VPN, multi-factor authentication, password policy and web vulnerability scanning.
• Next developed complete set of information security policies, risk assessment (threat model analysis), Third Party Service Provider (TPSP) management program, secure Software Development Life Cycle (SDLC) and network/connectivity/data flow diagrams.
• Finally scheduled and coordinated all PCI audit related tasks such as team meetings, evidence / artifact collection, internal/external penetration testing, network and application vulnerability scans and assessment. Company representative for assessment, penetration testing and auditor (QSA) liaison.
• Proposed and implemented a reduced PCI scope environment in AWS, reducing the number of assets and monthly costs by 90%. Currently providing system administration and PCI DSS maintenance support which includes quarterly security review meetings, reviewing monthly scans, vulnerability tracking and policy/procedure/diagram/inventory updates.

PCI Security Consultant (Tony Keith Consulting)
Meaningful Beauty - Los Angeles, CA

• When Meaningful Beauty separated from Guthy-Renker to became its own independent entity, Tony Keith Consulting was contracted to implement a secure development environment in AWS and provide PCI DSS consulting services.
• Successfully implemented a secure development environment in AWS and responsible for system administration while maintaining PCI Compliance.
• Responsible for validating all artifacts and evidence against PCI requirements for PCI DSS audit and company representative for assessment and auditor (QSA) interface.
• Provided PCI DSS expertise, leadership, organization, remediation and implementation advice, policy development and project management for 1st through 3rd PCI DSS assessment under the Guthy-Renker PCI umbrella.

PCI Security Consultant (Tony Keith Consulting)
Guthy-Renker - Los Angeles, CA

• Provided PCI DSS expertise, leadership, organization, remediation and implementation advice, policy development and project management to Guthy-Renker for their 2nd through 5th, PCI DSS, V3.2.1, and 1st V4.01, level 1, certification as a merchant on a cloud based system (AWS).
• Provided project management which included weekly update status meetings with two different departments and tracking for all remediation tasks. Created detailed master Third Party Service Provider responsibility matrix for service providers, managed security service provider and security service providers.
• Responsible for validating all artifacts and evidence against PCI requirements for PCI DSS audit and company representative for on-site audit and auditor (QSA) interface. Recently completed 6th annual PCI DSS assessment.
• Currently providing PCI DSS maintenance support which includes quarterly security review meetings, reviewing monthly vulnerability scans, vulnerability tracking and remediation support and policy/procedure/diagram/inventory updates.

PCI SME (Hexaware & Keyword Solutions)
Conduent - Lexington, KY

• Conduent was in the process of selling 26 call centers (8 clients - 4 SAQs, 4 AoCs/RoCs) to another entity. The sale was pending PCI DSS certification of all the 26 call centers. Both types of PCI DSS certification reporting, SAQs and AoCs/RoCs were handled by an outside auditing firm (OBS). Hexaware, a consulting company, was brought in to perform PCI remediation and PCI support activities. This included updating EOL hardware, security controls remediation on network and servers (hardening, patching, logging, etc). Also included providing artifacts and evidence for each client/site audits.
• Provided PCI DSS expertise and training to Hexaware technical personnel with no PCI DSS experience. This includes development of procedures to validate artifacts (network diagrams, data flow diagrams, physical inventory, software inventory, scoping documentation), how and what to collect as evidence for each of the PCI requirements.
• Personally responsible for validating all artifacts and evidence against PCI requirements for all concurrent PCI DSS audits. This involved reviewing and approving 100s of evidences for each of the 8 clients. All artifacts and evidence were tracked using on-line tools provided by Conduent.
• Participated in detailed network vulnerability scan reviews/remediation, extensive firewall ruleset reviews/remediation, penetration tests results review and remediation recommendations.

PCI Security Specialist / PCI SME (Tony Keith Consulting)
DonorDrive (formerly Global Cloud), makers of DonorDrive^® - Cincinnati, OH

• Provided PCI DSS expertise, organization, remediation advice, policy development and project management to DonorDrive for 1st to 6th, PCI DSS, V3.2, level 1, certification as a service provider and shared hosting provider. Successful migrated from PCI DSS V3.2.1 to V4.0.1 for the last assessment.
• First produced PCI gap assessment report with analysis, infrastructure recommendations and roadmap with corrective actions and remediation.
• Second provided project management which included weekly status meetings, JIRA ticket creation and tracking for all remediation tasks. Also provided recommendations on technology and configuration for jump host, multi-factor authentication, password policy (users and client) and web vulnerability scanning.
• Next developed a complete set of information security policies, risk assessment (threat model analysis), Third Party Service Provider (TPSP) management program, secure Software Development Life Cycle (SDLC), network diagrams and data flow diagrams.
• Finally scheduled and coordinated all PCI audit related tasks such as team meetings, evidence / artifact collection, internal/external penetration testing, network and application vulnerability scans and on-site audit. Company representative for on-site audit, penetration testing and auditor (QSA) interface.
• Provided PCI DSS maintenance support which included quarterly security review meetings, reviewing monthly scans, vulnerability tracking and policy/procedure/diagram/inventory updates.
• Successfully completed 3rd thru 6th annual, on-site PCI DSS assessment on a completely new cloud based (AWS) platform that was migrated from a colocation facility.

PCI Security Specialist / PCI SME (Vivitech Business Solutions)
Pomeroy - Hebron, KY

• PCI PIN Compliance Manager (5+ years):
• Acting role as PCI PIN Compliance Manager for Key Injection Facility (KIF). The KIF is used to inject keys in to POS PIN pads. Activities included annual PCI PIN audits, documentation / inventory / diagram review/updates, security process implementation and improvement and quarterly security review meetings.
• Successfully lead Pomeroy through 5 consecutive PCI PIN audits; four PCI PIN - V2 audits and one PCI PIN - V3 audit.
• PCI DSS Gap Assessment (6 months):
• Performed on-site and remote interviews with client’s personnel to gather information about their systems/networks/processes. Reviewed client’s documentation, system technologies configurations and PCI related artifacts.
• Assessed and evaluated the client’s in scope Cardholder Data Environment (CDE) for PCI V3.2 compliance and created in-scope memorandum as part of the project deliverables.
• Reviewed compliance gaps with business owners to determine remediation time frame.
• Produced PCI gap assessment report (+50 pages) with analysis, infrastructure recommendations and roadmap with corrective actions and remediation. Presented executive level presentation for Pomeroy management team outlining project summary and recommendations.

Security Analyst / PA-DSS SME (Tony Keith Consulting)
Data Management Associates, Inc. (DMA), MACH Software - Cincinnati, OH

• Assisted client in bringing ERP software product (MACH Software) into PA-DSS, V3.2 compliance. This included performing a gap assessment on software controls and documentation.
• Provided recommendations for additional testing such as web vulnerability scanning, network traffic analysis and file system scanning for sensitive data (CC Data). Also wrote and performed risk assessment using threat modeling with analysis on Mach Software.
• Rewrote MACH Software implementation guide and DMA SDLC documentation per PA-DSS requirements. Created network and data flow diagrams with textual description.
• Provided scheduling and coordinated all PCI related tasks such as team meetings, evidence collection and meetings with QSA.

PCI Security Consultant / PCI SME (Tony Keith Consulting)
Corporate Travel Management (CTM) - Seattle, WA

• Performed on-site and remote interviews with client’s personnel to gather information about client’s systems/networks/processes.
• Reviewed client’s documentation and system technologies configurations inlcuding a new office 365 implementation with custom DLP policies.
• Assessed and evaluated the client’s in scope Cardholder Data Environment (CDE) for PCI V3.1 compliance.
• Reviewed compliance gaps with business owners to determine remediation time frame.
• Produced PCI gap assessment report with analysis, infrastructure recommendations and roadmap with corrective actions and remediation.

PCI Security Consultant / PCI SME (Tony Keith Consulting)
UC Health - Hospital and Health Care Provider Network - Cincinnati, OH

• Performed on-site and remote interviews with client’s technical personnel to gather information about PCI environment.
• Reviewed client’s documentation and environment technologies configurations.
• Assessed and evaluated the client’s in-scope Cardholder Data (CHD) environment for PCI V3.1 compliance and created in-scope memorandum.
• Performed PCI gap assessment working against the PCI Security Standards Council’s Prioritized Approach Tool v3.1.
• Reviewed compliance gaps with business owners to determine remediation time frame.
• Finalized and submitted appropriate SAQ.
• Produced a formal PCI DSS gap assessment report with analysis, infrastructure recommendations and roadmap with corrective actions and remediation.

PCI Security Consultant / PCI SME (ClearBridge Technology Group)
Forsythe - Skokie, IL

• Performed on-site and remote interviews with client’s personnel to gather information about client’s systems/networks/processes.
• Reviewed client’s documentation and system technologies configurations.
• Assessed and evaluated the client’s in scope Cardholder Data (CHD) environment for PCI V3.1 compliance.
• Reviewed compliance gaps with business owners to determine remediation time frame.
• Produced a formal PCI DSS gap assessment report with analysis, infrastructure recommendations and roadmap with corrective actions and remediation.

Security Specialist / Technical Advisor (Tony Keith Consulting)
Montrose Travel - Montrose, CA
Physical and online based travel agency and loyalty program solution provider - $300M revenue, +220 employees.

• Security Specialist - Related Responsibilities (+4 years):
• Responsible for providing leadership, organization, coordination, scheduling and assessing systems/networks for PCI DSS compliance. Providing recommendations for security related technologies and system/network design changes.
• Working with several departments to manage PCI related projects including a secure FAX system, updating password policy, data retention policy/scripts, new db encryption technologies and a complete data center migration. Managed all projects and evidence collecting for on-site audit using JIRA ticketing system.
• Scheduling and coordinating all PCI audit related tasks such as team meetings, evidence collection, security policy writing, internal/external penetration testing, network and application vulnerability scans and on-site audit. Company representative for on-site audit, penetration testing and auditor (QSA) interface.
• Currently leading a six (6) month development effort of a new Disaster Recovery / Business Continuity Plan (DR/BCP) including Business Impact Analysis (BIA) and recovery strategies gap assessment.
• Successfully lead three (3) PCI DSS, level 1 certifications. Montrose Travel was certified as a PCI DSS, level 1 compliant merchant and service provider by Trustwave (QSA) in December 2014 (V2), October 2015 (V3.1) and January 2017 (V3.2).
• Senior Technical Advisor - Related Responsibilities (4 months):
• Provided complete E2E functional automated Q/A solution using Selenium, Mocha, Should and Web Driver IO including implementation, documentation and training of Q/A personnel.
• Designed and developed an online weather component "widget" including writing the technical documentation for both internal developers and external vendors.
• Interim project manager until a new project manager was hired. I was part of the team that reviewed resumes and interviewed candidates for the project management position.

Chief Technical Officer (CTO) / Security Officer
Commercegate - Barcelona, Spain (Commercegate)
Online payment processing platform in EU.
DHD Media - Santa Monica, CA (Emanon)
Online payment processing platform in USA.
Segpay (Toccata) - Coral Springs, FL (Emanon)
Online payment processing platform in USA.

• Responsible for all technology infrastructure, security, technical development and technical support across multiple organizations. Also shaped the technology vision by formulating, evaluating, and implementing IT solutions, policies, and initiatives that improved the quality and effectiveness of the strategic goals and the efficiency of the firm's business operations.
• Instrumental in the design, implementation, documentation and roadmap of a new processing platform using latest technologies including rules based fraud filtering, template based payment forms and configurable recurring (rebill) system. The system was implemented using the following technologies: Apache / Tomcat / Java / Oracle / Spring / Hibernate / GWT / Sencha.
• Responsible for managing development teams in five (5) locations, four (4) different time zones for three (3) different processing platforms requiring extensive travel, domestically and internationally.
• Successfully completed eleven (11) annual, level 1, PCI DSS 2.0 compliance audits with outside assessment firms as Chief Security Officer (CSO).
• Responsible for writing, developing and maintaining most of the company's technical documentation (PCI DSS policies/procedures, technical/functional requirements, and public facing APIs, including JSON, XML and REST).

Chief Technical Officer (CTO)
Epassporte (24/7 Commercial Marketing) - Santa Monica, CA
The first online pre-paid re-loadable VISA debit payment system.

• Instrumental in complete life cycle development of Epassporte from conception to actually releasing one of the first and most successful online pre-paid re-loadable products.
• Developed a SOAP/HTTPS based communication framework that provided the basis for all interaction between the website and cardholder's prepaid VISA account located at our backend processor's hosting site. This framework later became a standard feature in our processor's (TSYS) prepaid product.
• Directed and managed all programmers, developers and administrators in a complete open-source environment using Linux, Apache, Tomcat, MySql, JAVA and PHP technologies.
• Conceptualized and managed the development of many new ideas and features for this product using Agile system development methodologies.
• Wrote, developed, and maintained all technical documentation and technical diagrams for this product.

Technology Director / Chief Security Officer (CSO) / Equity Partner
Paycom.net / Paycom LLC / Epoch Systems - Marina Del Rey, CA
An industry leader in online payment processing.

• Preformed daily management tasks as an integral part of a small and progressive executive team which included business development, strategic planning and staffing requirements.
• Conceptualized and lead development of many new products and features in the payment processing area including fraud filtering techniques, new payment models, cross-sales, affiliate / reseller / sponsor tools and marketing ideas.
• Directed and managed 22 personnel in the Technical and Technical Support departments. The Technical department of 11, mainly JAVA programmers, PHP developers and System Administrators were responsible for all production based systems and new development. The Technical Support department of 11, were very specialized, well trained technicians to help assist clients with setup, configuration and data/reporting issues.
• Maintained all procedures, policies and documentation for the Payment Card Industry Data Security Standard (PCI DSS, formally known as CISP, Cardholder Information Security Program).
• Successfully completed four (4) annual, level1, CISP / PCI DSS audits with outside audit firms as CSO.
• Performed the technical lead position on an idea for an online prepaid debit payment system which became known as Epassporte.

Turn-Key Software Solution Provider (Keith Consulting Services, Inc.)
Middletown Steel - Middletown, OH

• Completed a large system port of an inventory control and accounting system for a large steel cutting company (Middletown, OH).
• This system port was from SCO Unix to QNX and included recreating over 100 libraries functions written in 'C' that no source code existed for. This included all user interface functions, printing functions, calculation functions and database functions.

Independent Consultant (Keith Consulting Services, Inc.)
H.K. Systems - Hebron, KY

• Successfully completed a large system port (QNX Version 2 to QNX Version 4) and upgrade of a high speed, high volume (SBIR) merchandise sorter for a national women's clothing distributor (Greencastle, IN).
• This system port also included redesigning every process to support an SQL database (Sybase) instead of the existing ISAM database.

Turn-Key Software Solution Provider (Keith Consulting Services, Inc.)
Crane Naval Support Center - Crane, IN

• Successfully completed a large system port (QNX Version 2 to QNX Version 4) and upgrade of a three aisle AS/RS (automatic storage / retrieval system) inventory control system for a government project in electronic parts warehouse and distribution facility (Crane, IN).
• This system port also included converting large ISAM tables to a fully SQL supported database (Sybase) and a complete redesign of all database structures and SQL queries.

Independent Consultant (Keith Consulting Services, Inc.)
CASI (Computer Aided Systems, Inc.) - Hayward, CA

• Lead system software consultant for an international shoe company (Nike) on a complete warehouse management control system (Memphis, TN).
• Participated in system analysis and design, software development, testing, writing documentation, installation, training and technical support on a QNX based system. The system integrated components and sub-systems into a complete warehouse management system. This included a host computer (HP9000), many PLCs and a PLC gateway computer, tilt-tray sorter, pick-to-light paperless picking system and miles of powered conveyor.

Independent Consultant (Keith Consulting Services, Inc.)
F & A Data Systems - East Brunswick, NJ

• Completed a warehouse management system on RF data collection terminals.
• Designed and documented a standard communication and messaging protocol for host systems.
• Implemented and tested six communication client / server processes using TCP/IP sockets on three different systems.
• Developed a library of support functions for RF terminal screens using Curses. This library was used to implement three complete RF based warehouse management systems.

Turn-Key Software Solution Provider (Keith Consulting Services, Inc.)
Forte Industries - Mason, OH

• Independently designed, developed, implemented and installed four real-time, PC based, software systems for Forte Industries (a Buschman conveyor distributor - Mason, OH):
  1. A merchandise tracking and 7 lane shipping sortation system for a baby product warehouse.
  2. A merchandise tracking and 16 lane shipping sortation system for a book distribution warehouse.
  3. A print/apply labeling, merchandise tracking & 21 lane shipping sortation system for a candle manufacturing distribution warehouse.
  4. A complete host label printing system for printing pallet contents on multiple labels.
• All systems were developed in ANSI 'C', QNX Windows, Sybase SQL using QNX (UNIX like) a real-time, multi-tasking, networked, multi-user, operating system.

Senior Software Design Engineer (Full-Time & Consultant) Western Atlas (Litton Automation->H.K. Systems) - Hebron, KY

• Designed, developed, implemented and installed four real-time, PC based, software systems:
  1. A five aisle fully automated storage and retrieval system (AS/RS) with conveyor feed input and output for an international truck tire manufacturer (McMinnville, TN).
  2. A three aisle fully automated storage and retrieval system (AR/RS) with full inventory control for a government electronics parts warehouse installation (Crane, IN).
  3. A high speed, high volume (15K units / hour) merchandise sorter (SBIR) for a national clothing distributor.
  4. A three aisle AS/RS software project for scheduling and delivering cotton and polyester bales to thread processing machines (Rabon Gap, GA).

Senior Software Engineer
The Buschman Company->FKI Logistex - Cincinnati, OH

• Performed technical lead position on a new $750K carousel picking and storage management software product to be written in 'C' and FoxPro under DOS, using Novell network/filesystem and Codebase 5.0 database engine.
• Project was canceled due to the purchase of a competitor company which already had developed a similar software package and had an existing staff of 25 software engineers.

Software Engineer, Systems Analyst III
Practical Control Systems (PCS) - Cincinnati, OH

• Designed, developed and implemented many aspects of real-time, PC based, inventory control and merchandise picking systems. Coded in 'C' using C-Tree ISAM database engine under QNX real-time operating system.
• Interfaced various types of hardware to PCs including mainframe equipment, embedded controllers, and PLCs via RS-232/422/485 serial communication links.
• Responsible for completion and installation of an inventory control / paper-less picking project based in Cape Town, South Africa for Foschini Group (06/91 - 07/91).

President of Non-Profit, Charity Organization
Teal We Find A Cure, Inc. - (Organization Website - www.tealwefindacure.org)

• President of a 100% volunteer, 501(c)3 non-profit, charity organization dedicated to raising funds that gives women the early detection screening they need to beat ovarian cancer. Our inaugural event, we raised and donated more than $15,000 to ovarian cancer awareness and research. In 2019, we made a commitment of $250,000 for the designation of the Center for Gynecologic Cancer Care, at the new St. Elizabeth Cancer Center in Edgewood, KY in which this area is named after Tracy Madrick Keith. Since then, through shared passion for our mission and generosity of our supporters, we fulfilled our commitment of $250,000 in September 2023.
• Responsible for organization spokesperson, overall business functions, attending and organizing committee meetings, creating and maintaining eCommerce web site, requesting sponsorship and donation from companies and individuals.

Professional Information Security Certification
CISSP (Certified Information Systems Security Professional) - #540621

• Currently maintaining good standing with CISSP certification which requires 40 Continuing Professional Education (CPE) credits per year.

Author
Technical Blog / Articles

• "ESP8266 MyWidget" on Hackaday.io and as open source project on Github.
  Learning tool or a template for starting a new ESP8266 Wifi microchip project. It contains many of the components to build a ESP8266 project with dynamic web interface.
• "Web Driver IO Tutorial" on personal blog and as open source project on Github.
  Extensive tutorial article including many working examples and a working web site.
  • Also published on Instructables.com web site.
• "DMX Tester - Inexpensive Tester for sending DMX-512" on personal blog
  DMX-512 is a communication protocol used in the lighting industry. This article is based on a hardware/software project I built.
  • Also published on Hackaday.io and Instructables.com web sites.
• "State Machine Programming and Input Validation" on personal blog
  State machine programming is ideal for keyboard input validation. This article is a complete working example including source code.
  • Also published on Hackaday.io and Instructables.com web sites.

University of Cincinnati - Cincinnati, OH

• Graduated with a Baccalaureate of Science in Electrical Engineering Technology (BSEET).
• Maintained part-time and full-time co-op jobs throughout college to help cover tuition and expenses.
• Designed and built a PC based 24 analog channel stage lighting controller with complete user software and hardware interface as a senior design project. This project was used to control an outdoor lighting show for 3 weeks at the grand opening of the Cincinnati Museum Center at Union Station.