Saturday 4 August 2007

Compliance in a box

There has been some reaction to this piece of PR.
While the idea of compliance in a box is nice, it seems risky to promise it in such a way. However, if you actually read the statement it does specifically say "...new program will help companies worldwide implement encryption..."
Given that PCI compliance involves everything from the writing of policy documents through to how specific data needs to be secured and audited, this statement merely confirms that PCI compliance can take time and resources to deploy.
Encryption is one of the many things that needs to be done, so with that date looming, things need to happen fast and every little bit helps.

Friday 3 August 2007

And the results are....

Interesting article relating to the PCI deadline and progress amongst retailers in the US.
Even more interesting is this, which outlines some of the aggravating aspects of PCI and how retailers are still having problems understanding what they are supposed to be doing.
Seems like there is still a lot to do in the whole area of PCI and compliance.

PCI Assessors could be having a negative impact?

Interesting article that highlights customer concerns about the PCI DSS and how QSAs aren't actually helping things!
The question of conflict of interest for QSAs who resell products or market services is also a cause for concern.
Would you be skeptical if the person providing you with advice also then tried to sell you product or services?

Friday 29 June 2007

DPA and its lack of teeth

Interesting article on Mondaq regarding the price of security when it comes to the Data Privacy Act, focusing on the recent Nationwide incident involving the potential exposure of data on a lost laptop.

Requires registration

Tuesday 26 June 2007

When is a deadline not a deadline?

When it is a PCI Deadline?
Back in April some retailers seemed intent on meeting a deadline for PCI compliance of 30th June 2007. Much was made about the efforts to achieve this and smaller retailers and PSPs followed suit.
Fast forward almost two months and the same two retailers are now reining in their efforts to fast-track their PCI compliance because of an easing back on enforcement.
This slowdown could certainly be attributed to an article that appeared on the front page of Computer Weekly in the UK.

Card firms ease back on security demands

Credit card issuers have backtracked on demands that retailers and online merchants meet tough new standards to safeguard customer credit card data by the end of June.

Visa admitted this week that deadlines for retailers to comply with the Payment Card Industry Data Security Standard (PCI DSS), which requires firms to adopt a package of security measures, were "unrealistic".

The move follows growing evidence that many retailers are struggling to implement the standards and are unlikely to have their systems fully secured for another one or two years.

Card companies are now limiting their demands to an immediate requirement that retailers put risk mitigation strategies in place to protect their most sensitive data, rather than insisting that all of the standard's criteria are met. Retailers must also be able to prove that they are working towards full compliance.

"Visa and MasterCard agree that risk mitigation is of prime importance and we expect this to be done immediately," said Stanley Skogland, head of policy compliance at Visa Europe. "It does not mean that we do not expect all parts of the standard to be achieved, but we cannot expect miracles overnight."

The PCI DSS was developed in January 2005 by Visa and MasterCard to compel businesses that process payment card data to meet 12 security standards.

But retailers only began to get to grips with the standard last year, following a series of high-profile leaks of confidential credit card data, including the loss of 45 million credit card details from US retailer TJX.

Paul Smith, director of payment systems at the British Retail Consortium, said the deadline was the second to pass without retailers achieving full compliance. He blamed poor communication for the delays.

"Communication was not good in the early days of this programme. Retailers need to know when and how these things need to happen," he said.

Smith added that about 20% of the requirements were still being discussed because "it is not clear what is actually required".

Simon Langley, head of PCI DSS at KPMG, said the reduced focus on the full 12 requirements was sensible given the mixed messages. "Visa and MasterCard agreed on the standard, but compliance has not been standardised," he said.

This could potentially mean a slowdown in PCI compliance, at least with the big boys.

Friday 25 May 2007

PCI SSC Announces board advisors

Some big names elected onto the PCI SSC council (14 in all).

Their primary role is to serve on the board and provide strategic and technical guidance to the PCI Security Standards Council.

Microsoft and Verifone are the only technology companies; the rest are retailers or PSPs with a vested interest in PCI.

I wonder if the PCI SSC will behave like a mini UN, with lots of differing groups, each with their own agenda, generating ideas and statements about what should be done, but with too much in-fighting and special interests to actually get a majority vote to pass motions.

With a member like APACS (the UK payments association) involved, there should be no excuses in the future for UK organizations not being PCI compliant, as there were around 18 months ago when PCI DSS conflicted with what APACS required from retailers/PSPs.

It will be interesting to see any minutes from the initial meetings for any future PCI DSS changes, just to see who is in favor of PCI and who isn't.

Thursday 24 May 2007

APAC market gains PCI momentum

A PCI blog reports on the increase in interest levels within the APAC region.

PCI Answers is a great source of PCI news, and its contributors are very active in the PCI space.