Society of Payment Security Professionals

For about a week now I’ve noticed that the Society of Payment Security Professionals has lost its homepage. (see below).

Then the following post on seems to indicate that it’s game over, insert coin for this organisation.

After nearly 4 years we have decided to end of life the PCIAnswers Blog and Forum. While there will be no further posts we will leave the existing posts available for people to access. Thanks for your support!

That’s a real shame. Comments are closed there so I can’t add words of support, but I guess the pressure of day jobs got too much for a bunch of great guys with good ideas.

In Europe (as some of you reading will know), the activity in PCI DSS is mounting and we are constantly getting questions from customers as to what they need to do to be compliant. My advice follows:

  • Get a real QSA. There are lots of consultants offering services which are “almost as good” as the real thing. But if compliance is important to you (and if it’s not, ask yourself why not) then you owe it to your career and your company to get real advice.
  • Find one you can work with. Does your QSA just work on technical issues, or processes, or the mixture that your organisation needs to get compliant? Do they understand when to help you compromise? Do they help interface with your acquiring bank(s), service providers, developers and partners?
  • Are they based on real experience? At a training recently, a couple of my guys met someone who had a vocal opinion on everything – having it based on experience would help, or else you are in danger of waving. Ahem.
  • Do they help you run a structured programme which ensures your company ends up in a position to manage its own compliance? A simple “Yes” here should suffice – anything else, no.

PCI compliance is not rocket science, and depending on your industry, a lot of it should be very familiar. If you are making careful plans around ICO governance or ISO27002, you may even get a lot of it as part of those programmes. But remember, it’s the baseline, or in other words, it’s a floor, not a ceiling. Being PCI compliant won’t stop you getting hacked, won’t prevent your employees defrauding you and won’t stop your website getting in the hall of shame. It might just limit the damage and stop you being the weakest link.

Copiers contain hard drives, hard drives contain data, data is the lifeblood of your business

In the News of the World today, there’s an article on office copiers. These devices are getting smarter and smarter – if they made cappuccino they’d be great.

They’d also be great if they automatically deleted the information that they cache. But this is the traditional old story, do you care more about confidentiality, integrity or availability? The manufacturers have focused on availability and integrity of information, leaving their customers to manage the confidentiality issues themselves.

The moral of this story is that you are responsible for your own data. Don’t leave it to the repo firm, the WEEE disposal company or the leasing shop.

And we’re back!

Finally! After much technical to-ing and fro-ing, we’re back with a fairly stable and functional new blogging system! Hopefully it will look like the old functional one (pretty much) but keep your eyes peeled for some spiffy new features.

Lots of exciting stuff in the wings, including a breakdown of some interesting talks that have happened of late, updates to the 800lb gorilla of operational risk, PCI DSS, and the new kid on the block, the Information Commissioner’s Office. (Well-informed readers will tell me that the ICO has been around for a lot longer than the PCI Council, but it is only recently that it’s got its boots on.)

With the proposed cuts in UK.Gov (currently believed to be between 25% and 40% per department) there’s going to be a clear call to ensure that information is safeguarded even better than before, and also that any methods used demonstrate clear cost-effectiveness. One concern we are all expecting is how to use professional advice in a concise, cost-effective manner. The best way to use consultants is to carefully define the scope of what you are asking for.

For example – should you hire a consultant to run your compliance programme for you? Well, of course the answer is it depends – consultants are great for knowledge transfer, for giving a programme initial impetus, and of course, if you identify something that you don’t really care about but have to have done, then outsourcing this task makes sense – for example, most organisations get contract cleaners in.

Compliance might look like one of those hygiene must-do’s, but look at the bigger picture. At some point, your consultant will have applied their awesome subject matter expertise, banged the drums, and you will be the proud possessor of a freshly inked compliance certificate (don’t smudge it!).

But then what? Your choices will then be to either keep the consultant to maintain your compliance programme, or to hope that in the last days, months and years that a magical form of osmosis has happened and that you’ll be able to maintain compliance and fly solo.

If you structure your compliance programme correctly, you will have your consultants advising you on the programme structure and governance, and each project will be headed up by an employee of yours, giving you the knowledge transfer “for free” – situational learning gained by transforming the non-compliant areas into a state of compliance.

Sounds easy, doesn’t it?