Having a poke around recently, it became apparent that there was no clear definition as to what a DSE or a TPP actually ‘is’. Some QSAs have assumed that Third Party Processor (TPP) in effect means ANY payment/transaction service provider and have incorrectly classed entities that service To clarify what a TPP actually is – […]
Dear MasterCard, what is a DSE? Read More »
Finally those little snippets of electronic information that websites have left behind on your computer will be subject to EU legislation. Website owners (at least those based in the UK) will need to get consent from visitors in order to store cookies on user’s computers. The revised Privacy and Electronic Communications Regulations come into ‘force’
It’s far too depressing to blog about the state of information security affairs in the world today – a criminal clicks his/her fingers and corporations are brought to their knees… so today, what does it mean to be President of ISSA-UK, what do I get up to and why do I do it? Partly, the
A Day in the Life of a President Read More »
The last prioritized approach (v1.2) was released over 2 years ago now. Many have agreed, disagreed, argued (as you might expect with anything PCI related) about which order the controls should be in. The standard “governance” controls we all know and love were pushed into the lowest priority milestone 6 category and odd things like
Prioritized Approach for PCI DSS Version 2.0 Read More »
Right. Just how many more companies need to lose or have personal data stolen before we get to the point there’s a reasonable chance that x out of y people can no longer use their personal data as unique identifiers, and what exactly is that going to do to the person-not-present industry? We have circa
Calm down dear, only 70m records Read More »
Just because a network might be ‘private’ in terms of PCI DSS, for example MPLS, IP-VPN, leased line, X.25 et al does NOT mean it is out of scope for PCI DSS. Being ‘private’ negates ONE control, and that is that you don’t need to encrypt traffic that passes over a ‘private’ network (control 4.1).
What is a private network in terms of PCI DSS? Read More »
I had a call from O2 today with regards to a phone upgrade. It went something like this: “Hello, is that Mr Tim Holman” “Yes” “You’re phone’s due for an upgrade and I have some fantastic news for you. We can offer you a lower tariff and get you an iPhone 4! Isn’t that great?”
Call centre “Security Questions”? Read More »
Reading Uri Rivner’s blog this week (http://blogs.rsa.com/rivner/anatomy-of-an-attack/), RSA have been rather brave to disclose how their systems were recently breached. According to Uri, an Excel attachment with embedded Adobe Flash content was sent to a small group of low profile users within RSA, with the title “2011 Recruitment Plan”. At least one user had opened
Advanced Persistent Threats and why being PCI DSS Compliant doesn’t help…. Read More »
With the ‘advent’ of ‘cloud’ computing, which in real language means outsourcing using a common, shared contract, many companies are putting their data and absolute faith in the hands of third parties, perhaps without performing the exact same level of due diligence as they might should they ‘insource’. Or Ground Computing as I’ve decided to
