PCI DSS 12.5 “Assign to an individual or team the following information  security management responsibilities” is not just about putting somebody’s name down to pass an audit and us QSAs are clamping down hard on those whom pay governance lip service, then forget about it for a year until the next audit is due. Even in smaller […]

Well, maybe manipulation is a bit of a strong word, but the reason for this title is due to the increasing number of requests we get as QSAs to help out smaller, level 4 merchants, whom have been instructed by the likes of Worldpay, RBS Worldpay (aka Streamline), Barclaycard Business, HSBC or PayPal, to go

I am presenting a proposal to setup a SIG for Third Party Assurance at both Orlando and Dublin PCI SSC Community Meetings.  The aim of the SIG is to provide additional guidance around control 12.8, which to date we think is somewhat open to interpretation. The control as it stands: 12.8 If cardholder data is

Look out for us at PCI Europe’s London event on July 5th, in association with Visa and Barclaycard – http://www.pci-portal.com/pci-europe/.  A limited number of tickets are still available and register quickly if you would like to come along.   The invite only, world renowned 2-sec after party returns in the evening, which offers an informal setting

Much of my work circles around PCI DSS, and it was interesting to see an announcement from the SSC this week for yet another programme. This time, a select few that are priviliged to be in the right place at the right time, can register as QIRs – Qualified Integrator and Resellers for PA-DSS validated

I’ve been to a few talks lately and it seems to be a growing theme. People think that being compliant doesn’t make you secure, and that to be “secure” you need to exceed what you are doing at a compliance level. I have to say I disagree, and I wish people wouldn’t keep quoting such

I ran a couple of sessions at RSA Europe 2011 to talk about PCI DSS and Risk Based Compliance. What struck me was the make up of the audience. One or two years ago, I could have put good money on the make up of the audience being 90% merchants, but now, an equal balance

I’ll be talking about PCI DSS and Risk Based Approaches at RSA Europe this week, Thursday 13th October at 13:00 – 13:50. If you are planning to attend, would be great to see you. If you can’t make it, you can download my presentation here: GRC-304 – Taking a Risk Based Approach to PCI DSS

You might have noticed things have gone a little quiet round here, as my last blog post seemed to get me into a spot of trouble… Anyway. It’s certainly not my style to tread on the feet of a major UK acquirer and in the end I was asked to remove the names of the