Computer Crime Newsreel

Tuesday, 25 March 2008

A Lawyer's analysis of PCI

PCI-DSS, the Payment Card Industry Data Security Standard, has attracted some interesting views. The latest one is here. The writer describes it as operating "like a court". I don't quite agree: it operates under contract law, and I've been involved in at least one case where the issuing brand had failed to put a recovery clause in the contract that would have allowed it to seek reparation from the retailer-in-breach.

However, the interesting thing is that it's not just a good idea to be compliant with PCI if you are "storing, processing or transmitting" credit card numbers. If you want to take payment with credit cards, then your bank (urged by VISA and MasterCard) will require you to sign up to PCI, with contractual caveats that any PCI breaches, and the costs thereof, are borne by ... erm, you.

In other news, my friend Branden has a spiffy blog online. Go check it out. The link is to his "All QSA's are not created equal" post, which, given the legal post above, is worth considering. Not only do you get what you pay for, but choosing a high-quality QSA over a bucket shop could save a hell of a lot of money in PCI reparation costs.

Monday, 17 March 2008

Sir Tim and I agree

In a previous post, I recommended you write to your MP, cancel your phone service, and call Jeremy Vine (from someone else's phone) if your ISP started using Phorm.

Well, Sir Tim Berners-Lee says:

The creator of the web has said consumers need to be protected
against systems which can track their activity on the internet.

Sir Tim Berners-Lee told BBC News he would change his internet
provider if it introduced such a system.

Plans by leading internet providers to use Phorm, a company
which tracks web activity to create personalised adverts, have
sparked controversy.

Sir Tim said he did not want his ISP to track which websites
he visited.

"I want to know if I look up a whole lot of books about some form
of cancer that that's not going to get to my insurance company
and I'm going to find my insurance premium is going to go up by 5%
because they've figured I'm looking at those books," he said.

Sir Tim said his data and web history belonged to him.

He said: "It's mine - you can't have it. If you want to use it for
something, then you have to negotiate with me. I have to agree,
I have to understand what I'm getting in return."

Seriously folks, imagine how you'd feel if the Royal Mail said "hey, we opened your post and saw that you had a letter from the bank warning you about your overdraft, can we interest you in a low-price loan"? Or if your phone company rang you up and said "You've had a call from the hospital, would you like some low-price funeral expenses insurance?" I could hope that this will encourage more people to use encryption such as PGP, but that's not likely. People have never really understood why encryption is important in reducing their internet footprint.

More to the point, in the postal and telephone cases it would be illegal. Has the law not caught up with the fact that we conduct sensitive and private communications over the Internet, not just by phone and letter?

I wonder if Sir Tim will get an invite from Phorm's PR company to a business briefing as well?

Saying no, the third way

My favourite line in The Vicar of Dibley is:

GERALDINE: There are two answers to your question, the long one and the short one. The short answer is "No", and the long answer is "Noooooooooooooooooooooo".

I signed the petition to form a national e-crime unit recently. The gub'mint have found a Third Way:
Thank you for the e-petition, asking for the Government to give priority to the creation of an e-crime unit as proposed by the Metropolitan Police Service and ACPO.

The Government takes seriously all forms of crime, and has passed legislation to support the prosecution of those who steal data and attack IT systems, or who create the technical mechanisms to support such attacks.

The Government is currently in receipt of the proposal by the Metropolitan Police Service and ACPO and are actively considering the issues it has raised and the value of creating such a unit.

Government has allocated £29 million over 3 years to implement the recommendations of the Fraud Review. This includes the creation of a National Fraud Strategic Authority (NFSA) which will drive forward a comprehensive strategy for tackling fraud, bringing together the Government, criminal justice practitioners, business and the public. It also includes a new national lead force role for the City of London Police and National Fraud Reporting Centre (NFRC) which will collect and analyse data on all types of fraud (including online fraud), equip law enforcement agencies with a powerful intelligence tool and help form the basis of better prevention advice and alerts to fraud threats for business and the public.

Both the Child Exploitation Online Protection Centre (CEOP) and the Internet Watch Foundation (IWF) have 24 hour reporting mechanisms aimed at members of the public to report instances of child abuse or websites containing child abuse images.

The National Hi Tech Crime Unit (NHTCU) was originally part of the National Crime Squad (NCS), and moved into SOCA along with the rest of NCS in 2006. The name was changed to SOCA e-crime to reflect the new organisation. SOCA e-crime has more resources than the NHTCU and greater international reach via SOCA's international liaison network. The e-crime unit brings together experts from different organisations under one roof and has already developed a national e-Crime strategy with key partners. This aims to improve links with industry and to develop ways for educating businesses and the public about e-crime.

The Government is committed to providing adequate responses to this area of crime in a unified way without duplicating the work carried out by other organisations.

There is of course the fourth way, or "Internet Dating" method of saying no, which is simply to disappear and never be heard from again. But I guess we'd miss Gordon if he did that one.

Thursday, 13 March 2008

Deep into Sleep (July-August 2005)

What does this have to do with security?
Well, apparently we all have messed up sleep patterns (your author included), and this means our decision making skills are impaired.

Hence, security lapses.

Friday, 7 March 2008

Musing: differences between the US and the UK

US: "If everyone is a speeder, the cops won't arrest everyone"
UK: "If everyone is a speeder, then put automated cameras to catch them"

Inspired by Cringely.

About Me

Jonathan Care
Information Security Architect. Computer Crime & Fraud Specialist. Sometime writer, dancer, musician, & chef.