Tony L. Keith

CISSP | CTO | Security Consultant
CISSP #540621 | PCI DSS V2.0–V4.0.1 | PA-DSS | PCI PIN | 20+ Years
Location: Cincinnati, OH Area

Professional Summary

Areas of Expertise

PCI-DSS / PA-DSS Gap Assessment / Roadmap / Compliance / Remediation
Executive Management and Leadership
System / Network Security and Technologies
Issuing / Acquiring / Settlement Processing
Security Policy and Procedure Development
Retrieval / Dispute / Chargeback Processing
Web Vulnerability Scanning and Remediation
Cloud Based Architecture (AWS) and Design
Penetration Testing and Remediation
High Availability System Architecture & Design
Agile / Scrum Development Methodologies
Technical / Functional Documentation
Staff Leadership and Team Development
Cybersecurity Strategy and Planning

Professional Background

Chief Technical Officer (CTO) / Chief Information Security Officer
June 2025 – Present
Omniwire, Inc. — Holmdel, NJ

Fractional CTO for a fintech startup, providing strategic planning, vision, management, and leadership.

  • Designed data flows and UI/UX for a web/mobile application to on-ramp/off-ramp USD, MXN, EUR (ACH, wire, SPEI, SEPA) payment rails.
  • Designed and documented client-facing APIs for KYC/KYB onboarding, stablecoin wallets (USDC, USDB, EURC), virtual accounts, and multi-channel transfers orchestrated through Bridge.
  • Built a comprehensive E2E and functional testing platform using Jest and TypeScript, ensuring reliability across all API workflows. Created shareable Postman collection to accelerate client integration.
  • Led small development team in creating client-facing APIs and client billable operations (usage orchestration fees).
  • Developed and maintained critical technical documentation including system requirements and public APIs (REST, WebSockets).
  • Provided artifact collection support for several assessments including SOC 2 Type 2, ISO 27001, and PCI DSS Level 1.

PCI Security Specialist / System Admin
December 2017 – Present
Alchemee (formerly The Proactiv Company) — Los Angeles, CA

Tony Keith Consulting — Part-time, remote independent consulting position providing PCI DSS consulting, project management and system administration.

  • Delivered comprehensive PCI DSS expertise guiding Proactiv through five consecutive V3.2.1 Level 1 certifications and first V4.0.1 SAQ Level 2 certification as a merchant on AWS cloud infrastructure.
  • Conducted initial security posture assessment producing detailed gap analysis report with infrastructure recommendations and strategic roadmap for remediation actions.
  • Implemented cross-departmental project management framework including weekly status meetings across multiple teams, ServiceNow ticket coordination, and comprehensive remediation tracking.
  • Designed and deployed critical security infrastructure including jump host architecture, multi-factor authentication systems, enterprise password policy, and web vulnerability scanning capabilities.
  • Developed complete security governance ecosystem featuring comprehensive information security policies, threat model risk assessments, TPSP management program, secure SDLC, and detailed network/connectivity/data flow diagrams.
  • Managed end-to-end audit coordination including team preparation, evidence collection, penetration testing, vulnerability scans, and serving as company representative for assessments and QSA interactions.
  • Achieved 90% reduction in compliance costs and asset footprint by designing and implementing optimized PCI scope environment in AWS, while maintaining ongoing system administration and compliance support through quarterly security reviews.

PCI Security Consultant / System Admin
November 2022 – May 2025
Meaningful Beauty — Los Angeles, CA

Tony Keith Consulting — Part-time, remote independent consulting position providing PCI DSS consulting, project management and system administration.

  • Spearheaded PCI compliance during critical business transition when Meaningful Beauty separated from Guthy-Renker to become an independent entity, providing comprehensive consulting services throughout the separation process.
  • Designed and implemented secure AWS development environment with full responsibility for system administration while ensuring continuous PCI DSS compliance during organizational transition.
  • Led end-to-end compliance validation process including artifact and evidence verification against all PCI requirements, serving as primary company representative during assessments and QSA interactions.
  • Delivered comprehensive PCI DSS expertise through leadership, remediation guidance, implementation strategy, policy development, and project management for three consecutive successful PCI DSS assessments while operating under the Guthy-Renker PCI umbrella.

PCI Security Consultant
November 2019 – May 2025
Guthy-Renker — Los Angeles, CA

Tony Keith Consulting — Part-time, remote independent consulting position providing PCI DSS consulting and project management.

  • Provided expert PCI DSS leadership through four consecutive V3.2 certifications and first V4.0.1 Level 1 certification as a merchant on AWS cloud infrastructure, culminating in successful completion of 6th annual assessment.
  • Implemented cross-departmental project management with weekly status meetings across multiple business units, comprehensive remediation tracking, and creation of detailed TPSP responsibility matrices for service providers, managed security services, and security service providers.
  • Served as primary compliance validator and QSA liaison, thoroughly reviewing all artifacts and evidence against PCI requirements and representing the company during formal assessments and auditor interactions.
  • Maintained ongoing compliance program through structured monthly and quarterly security reviews, vulnerability scan analysis, remediation support, and regular updates to policies, procedures, diagrams, and system inventories.

PCI SME
March 2019 – September 2019
Conduent — Lexington, KY

Hexaware — Remote, six-month, full-time sub-contract consulting position providing PCI DSS consulting.

  • Facilitated critical business acquisition by leading PCI DSS compliance for 26 call centers (8 clients) requiring both SAQ and AoC/RoC certifications, with sale contingent upon successful compliance validation.
  • Provided expert guidance to Hexaware consulting team delivering comprehensive PCI DSS training and development of specialized procedures for artifact validation and evidence collection across multiple compliance requirements.
  • Performed extensive technical remediation oversight including EOL hardware upgrades, network and server security control implementation (hardening, patching, logging), and comprehensive evidence collection for multi-client audits.
  • Personally validated hundreds of compliance artifacts against PCI requirements across concurrent audits for 8 clients, utilizing Conduent's online tracking tools to ensure thorough documentation and validation.
  • Led critical security assessment remediation through detailed network vulnerability scan analysis, extensive firewall ruleset reviews, and penetration test result evaluations with targeted remediation recommendations.

PCI Security Specialist / PCI SME
December 2016 – February 2025
DonorDrive (formerly Global Cloud) — Cincinnati, OH

Tony Keith Consulting — Part-time, hybrid, independent consulting position providing PCI DSS consulting and project management.

  • Led comprehensive PCI DSS compliance initiatives from V3.2 through V4.0.1, successfully guiding DonorDrive to achieve and maintain Level 1 certification as both a service provider and shared hosting provider across six consecutive assessments.
  • Developed and executed strategic compliance roadmap by conducting thorough gap assessments, creating detailed infrastructure recommendations, and implementing targeted remediation plans.
  • Established robust project management framework including weekly status meetings, JIRA ticket tracking system, and comprehensive remediation coordination for all compliance tasks.
  • Implemented critical security infrastructure enhancements including jump host architecture, multi-factor authentication protocols, password policy frameworks (internal and client-facing), and web vulnerability scanning systems.
  • Created comprehensive information security documentation suite featuring policies, risk assessments utilizing threat modeling, TPSP management program, secure SDLC protocols, network diagrams, and data flow documentation.
  • Orchestrated all aspects of PCI audit preparation and execution including team coordination, evidence collection, internal/external penetration testing, vulnerability scanning, and serving as primary representative during on-site audits and QSA interactions.
  • Successfully navigated complex platform migration from colocation facility to cloud environment while ensuring uninterrupted compliance through third and fourth annual on-site PCI DSS assessments.

PCI Security Specialist / PCI SME
December 2016 – April 2022
Pomeroy — Hebron, KY

Vivitech Business Solutions — Part-time, sub-contract consulting position providing PCI DSS gap assessment and PCI PIN Compliance Manager roles.

PCI PIN Compliance Manager (6 Years)
  • Served as PCI PIN Compliance Manager for 6 years overseeing Key Injection Facility (KIF) operations for POS PIN pad security, including documentation maintenance, security process implementation, and continuous compliance improvement.
  • Achieved perfect compliance record successfully guiding team through four consecutive PCI PIN audits, spanning three V2 assessments and one V3 assessment with zero critical findings.
PCI DSS Gap Assessment (3 Months)
  • Conducted comprehensive PCI DSS Gap Assessment through on-site and remote interviews with technical personnel, extensive documentation review, system configuration analysis, and evaluation of existing PCI artifacts.
  • Delivered expert Cardholder Data Environment (CDE) analysis with detailed in-scope determination and documentation, creating comprehensive scope memorandum as key project deliverable.
  • Facilitated remediation planning process by collaborating directly with business owners to establish realistic timeframes and implementation strategies for addressing compliance gaps.
  • Created extensive assessment documentation including 50+ page gap assessment report with detailed analysis, infrastructure recommendations, and strategic remediation roadmap, culminating in executive-level presentation to Pomeroy's management team.

Security Analyst / PA-DSS SME
May 2016 – June 2017
Data Management Associates, Inc. (DMA) — Cincinnati, OH

Tony Keith Consulting — Part-time, hybrid, independent contract consulting position providing PA-DSS consulting for an ERP software product.

  • Spearheaded PA-DSS V3.2 compliance initiative for MACH Software ERP product, performing comprehensive gap assessment of software controls and documentation against stringent payment application requirements.
  • Implemented enhanced security testing protocols including web vulnerability scanning, network traffic analysis, and specialized scanning for sensitive cardholder data, complemented by a thorough threat model risk assessment methodology.
  • Developed comprehensive compliance documentation by rewriting implementation guide and SDLC documentation to meet PA-DSS requirements, supported by detailed network and data flow diagrams.
  • Orchestrated complete compliance process by scheduling and coordinating all PCI-related activities including team meetings, evidence collection, and direct interface with Qualified Security Assessor (QSA).

Security Specialist / Technical Advisor
March 2014 – February 2019
Montrose Travel — Montrose, CA

Tony Keith Consulting — Part-time, hybrid, independent consulting position providing PCI DSS consulting and project management. Physical and online-based travel agency and loyalty program solution provider — $300M revenue, 220+ employees.

  • Led, directed, and oversaw system and network security assessments to ensure PCI DSS compliance; provided strategic recommendations for security technologies and architectural improvements.
  • Initiated, coordinated, and executed PCI-related projects across departments, including deployment of a secure FAX system, password and data retention policy updates, database encryption integration, and a full data center migration.
  • Managed, streamlined, and tracked all PCI project workflows and audit evidence collection using JIRA, ensuring timely completion of milestones and audit readiness.
  • Planned, scheduled, and facilitated all audit-related activities such as penetration tests, vulnerability scans, team meetings, and on-site audit coordination.
  • Represented the company and served as its liaison during QSA audits, penetration testing sessions, and compliance reviews.
  • Led and delivered three successful PCI DSS Level 1 certifications (2014 v2.0, 2015 v3.1, 2017 v3.2), certifying Montrose Travel as a compliant merchant and service provider through Trustwave.

Chief Technical Officer (CTO) / Security Officer
July 2008 – February 2015
Commercegate (Barcelona, Spain) • DHD Media (Santa Monica, CA) • Segpay / Toccata (Coral Springs, FL)

Online payment processing platforms in EU and USA. From July 2008 to February 2015, worked for a technology group including Emanon Management (U.S.) and Commercegate (EU).

  • Directed enterprise-wide technology including infrastructure, cybersecurity, and support services across multiple organizations and platforms.
  • Shaped the company's long-term technology vision by formulating and executing IT strategies aligned with business goals.
  • Architected a modern, scalable processing platform with rule-based fraud filtering, template-driven payment forms, and a configurable rebill system using Apache, Tomcat, Java, Oracle, Spring, Hibernate, GWT, and Sencha.
  • Led geographically dispersed development teams across five global locations and four time zones, ensuring seamless collaboration and project delivery.
  • Managed compliance process through 11 consecutive and successful Level 1 PCI DSS 2.0 compliance audits by overseeing all aspects of security strategy and audit preparation as CSO.
  • Developed and maintained critical technical documentation, including PCI DSS policies/procedures, system requirements, and public APIs (JSON, XML, REST).

Chief Technical Officer (CTO)
February 2002 – February 2007
Epassporte / 24/7 Commercial Marketing — Santa Monica, CA

The first online pre-paid re-loadable VISA debit payment system in the world.

  • Led, architected, and delivered the end-to-end development of Epassporte, taking the product from concept to market launch as one of the first and most successful online prepaid reloadable card solutions.
  • Designed, developed, and standardized a SOAP/HTTPS communication framework enabling secure interactions between the platform and cardholder VISA accounts — later adopted as a standard by payment processor TSYS.
  • Directed, managed, and mentored programming, development, and administrative teams in a fully open-source technology stack (Linux, Apache, Tomcat, MySQL, Java, PHP).
  • Conceptualized, prioritized, and implemented product enhancements and new features through Agile methodologies, accelerating time-to-market and improving user experience.
  • Wrote, maintained, and refined all technical documentation and architectural diagrams to support scalability, compliance, and ongoing development.

Vice President of Technology / Chief Security Officer
July 2000 – January 2006
Paycom.net / Paycom LLC / Epoch Systems — Marina Del Rey, CA

An industry leader in online payment processing.

  • Conceptualized, led, and launched innovative products and features in the payment processing domain, including fraud filtering mechanisms, alternative payment models, cross-sell engines, affiliate/reseller tools, and strategic marketing integrations.
  • Directed, managed, and scaled a 22-member team across Technical and Technical Support departments, including 11 Java/PHP developers and system administrators responsible for all production systems, and 11 highly trained technicians supporting client setup, configuration, and data issues.
  • Authored, implemented, and maintained all internal procedures, security policies, and documentation to ensure full compliance with PCI-DSS (formerly CISP).
  • Completed, coordinated, and passed four consecutive Level 1 PCI-DSS (CISP) audits as Chief Security Officer, working closely with external assessment firms.
  • Envisioned, led, and executed the technical design of an online prepaid debit card system — Epassporte — which evolved into a pioneering product in the fintech space.

Non-Profit Leadership

President, Non-Profit Charity Organization
April 2018 – March 2025
Teal We Find A Cure, Inc. — www.tealwefindacure.org
  • Led and managed all aspects of a charitable organization dedicated to funding early detection screenings for ovarian cancer.
  • Spearheaded the inaugural fundraising event, raising and donating over $15,000 to support ovarian cancer awareness and research.
  • Successfully led a multi-year fundraising initiative that resulted in a $250,000 donation to establish the Tracy Madrick Keith Center for Gynecologic Cancer Care at St. Elizabeth Cancer Center in Edgewood, KY, fulfilled in September 2023.
  • Served as the organization's spokesperson and oversaw strategic planning, daily operations, donor relations, sponsorship outreach, and volunteer coordination.
  • Planned and facilitated committee meetings and events; developed and maintained the foundation's eCommerce website to support fundraising efforts.

Certifications & Education

CISSP

Certified Information Systems Security Professional

#540621 • 05/11/2016 – Present

PCI DSS Expert

V2.0 through V4.0.1 — 25+ Assessments across 15+ platforms

Including PA-DSS & PCI PIN

B.S. Electrical Engineering Technology

University of Cincinnati

December 1989