PCI DSS

How PCI compliance puts you on course for GDPR

For a long time the General Data Protection Regulation has been looming on the horizon but in just a few short days it will arrive; a permanent aspect of the data protection landscape. From 25th May 2018 this European-wide data protection will be a legal requirement for virtually every UK organisation. The task should not be overwhelming; particularly for those who are already PCI compliant, or working towards it. This is because the PCI compliance process means they are already well on course for GDPR. All that remains is an identification of gaps to bring systems and policies in line with GDPR.

The important thing to bear in mind at this stage is that the GDPR, although aimed at the entirety of an organisation and largely enforceable, is less prescriptive than the PCI DSS standard that already exists. GDPR provides detail about what needs protecting but very little in the way of a solid action plan.

PCI DSS on the other hand offers a detailed framework upon which to build, specifying what needs to be done and how, and even giving regular updates and guidance on reviews. The two complement each other and therefore the GDPR will be best enacted alongside the existing PCI DSS. A further aspect to note, is that a PCI breach will also be a GDPR breach, since the information on your cardholder data environment is subject to regulation by GDPR.

GDPR should not be seen in a negative way. It is a positive piece of legislation which will help to build trust. Similarly, PCI DSS compliance provides you and your customers with peace of mind that data is secure. This is the metaphorical carrot. There is also a stick: those who do not comply and suffer a breach will face loss of customer trust, enforced PFI investigations and fines.

For those that are already compliant with the PCI DSS, an annual review of the data being processed should form an integral part of the project. This ensures that any new technologies or processes are not excluded and ongoing compliance is maintained. Once you have identified the data that GDPR affects, applying the PCI approach to the implementation of the GDPR will assist greatly as the framework is already there. There will still be a few gaps to fully adhere to GDPR so professional advice will be of benefit.

And for those who aren’t PCI compliant? Seeking guidance from a qualified advisor and reviewing the gaps in their documentation, policies, training, IT systems and processes should be a pressing matter.

With one of the largest QSA teams in Europe, SRM provide unrivalled technical and compliance expertise within the PCI arena. Our GDPR team provide a business-focused service to organisations at all ends of the GDPR-readiness spectrum. For help and support, or to discuss any aspect of PCI DSS compliance or GDPR contact Mark Nordstrom at mark.nordstrom@srm-solutions.com or 03450 21 21 51.

To gauge your level of GDPR readiness, complete our free GDPR Self Assessment Questionnaire

For more information on our GDPR services, visit our GDPR page.

To view a recording of our webinar GDPR: the roles of manual and automated penetration testing, click here.

Read more on GDPR related blogs.

PCI DSS: With charities gearing up for contactless payments what could possibly go wrong?

More than 40 organisations, including McMillan Cancer, the NSPCC, the RNLI and the Church of England, have introduced technology which means that donations can be made with a quick tap of a card. But as the charitable sector embraces contactless payments their enthusiasm must be tempered by robust compliance with Payment Card Industry (PCI) standards or they risk a world of pain. Just one whiff of a breach will bring notoriety and loss of reputation, bringing this Brave New World of charitable giving crashing down around their ears.

The driver for this new approach is clear. The NSPCC ran a trial which showed that donations by card are higher, compared to cash donations and Barclaycard has estimated that charities will miss out on £80m a year if they only accept cash donations. Some have gone even further with things like the Helping Heart jacket, developed so digital donations can be made via this piece of clothing worn by collectors to a homeless charity, and the Blue Cross ‘tap dogs’ who wear a vest with a sewn-in pocket that holds a contactless device.

So what could possibly go wrong? Well, firstly, in spite of the benign motivation behind the new approach, there is no getting away from the fact that where there is money, there will be crime. Defences will therefore need to be geared specifically for this new technology or charities will risk fatal damage to their reputations.

Secondly, the regulatory environment is getting more stringent with the implementation of the General Data Protection Regulation (GDPR) on 25th May 2018. In addition, the Payment Card Industry (PCI) continues to be hyper vigilant when it comes to the Data Security Standard (PCI DSS) and it has already proved that charities are not exempt from the full force of the law when it comes to administering fines for non-compliance.

If an incident occurs, swift action is required to minimise the impact of an individual attack. But prevention is always better than cure. Those organisations that retain an information security consultant to assist with PCI compliance and to ensure their defences are robust, will reduce the potential of being breached.

SRM offers a full range of services to protect the online environment. Using a range of tools from penetration testing to vulnerability assessments and network security testing, we enhance risk mitigation and ensure that the online environment of our clients is as robust as it is possible to be. We work extensively with charities and HM Government as well as all shapes and sizes of businesses and organisations across various business sectors. For many we provide a bespoke retained PCI Forensic Investigation (PFI) service, working proactively through regular strategic reviews to develop enhanced risk mitigation. Anticipating the potential risk areas for attack, we provide highly-targeted cost-effective solutions.

Given the constantly evolving world of cybercrime and the ingenuity of hackers, attacks can and do happen, however. But with a retained PFI already familiar with a charity’s systems, remediation is rapid and disruption minimal.

For more information on SRM’s PCI services please visit our website.

Or visit our blog:

Network intrusions are on the increase: time to engage a Retained Forensic specialist

 

Coinhive attacks and how to prepare for the (almost) inevitable

This week’s report that more than 5,000 websites, including that of the Information Commissioner’s Office (ICO) have been hacked, shows that it really can happen to anyone. Other affected websites where malware took over the processing power of their user’s devices include the Student Loans Company, the council website for Manchester City, Camden and Croydon and the home page of the United States Courts. Although the initial reaction may be one of schadenfreude – pleasure in someone else’s misfortune – a more measured response would be to realise and accept that hackers are now so ingenious and creative that everyone, including those with top class cyber defence, is likely to be subject to attack at some point.

This latest hack involved a piece of cryptocurrency mining malware, called Coinhive, which ran in the background while the webpages of the hacked organisations were open. This forced visitors’ computers to run the mining programme which can then be used to gain small fractions of cryptocurrency from each victim.

So, how can we protect ourselves? The honest answer is that we can’t fully. What we can do, however, is to be prepared for the probability that our systems will be attacked at some point and to reduce the potential impact this will have. Developing a robust Incident Response protocol is an important start and here a Retained Forensic (RF) service will be of immense benefit. With a detailed knowledge of your systems, an RF team is able to mitigate the damage swiftly and effectively.

Damage limitation is crucial but, in the long term, building additional layers of security into your system’s architecture is also key. We need to ensure we are not giving away information without meaning to. We should also consider our defensive architecture but it is important that we balance the need for security with the practical requirement for our systems to be functional and easily navigable.

Achieving this balance is a complex issue. SRM’s VirtualCISO (vCISOtm) service can resource and support the incumbent CISO or DPO in managing this task. From providing expert strategic guidance to taking on the full CISO role, our vCISOtm team has many years’ experience in providing robust yet agile defences. We work with our clients across a range of services including Incident Response, Retained PFI, Digital Forensic Investigation and Security Breach, Incident Management and Containment Support.

To find our more, visit our website or contact Mark Nordstrom on 03450 21 21 51 or mark.nordstrom@srm-solutions.com

PCI SSC Europe Community Meeting: free one to one meetings with PCI DSS industry thought leaders

Delegates at the PCI SSC Europe Community Meeting in Barcelona this week will have a lot on their minds. Changes to compliance, the security of customer payment card data, issues concerning the Cloud and the ever-present threat presented by hackers and cyber criminals will have brought the industry together to share in a range of seminars and talks which will help to address these issues.

The agenda is diverse ranging from the keynote presentation by the PCI Security Standards Senior Team on Wednesday to an outline of the security road map for the next generation of payments; from the Miracle on the Hudson to the weaknesses in IoT. So why, with all this information readily available, and so many people offering advice, should you spare half an hour to talk to the guys from Security Risk Management (SRM)?

The short answer is this: people. Yes, we are the leading PCI Forensic Investigation company in the UK and cyber security supplier to HM Government. Yes, our team boasts some of the most highly qualified professionals within the world of information security and, yes, our clients range from enterprises and government departments to SMEs and the third sector so we understand all sizes and types of organisation. But when it comes to working with your business, it is the individuals who really make the difference.

Paul Brennecker has been with SRM since 2008. Formerly he was PCI Compliance Manager with Barclaycard and successfully drove the compliance programme forward, working with both VISA and Mastercard in the process. With many years’ experience and a host of high level qualifications (including QSA), Paul is widely recognised as a PCI DSS compliance thought leader, regularly speaking at events. Known for his approachable manner and depth of knowledge, he has a particular skillset in conducting pre-compliance scoping and de-scoping exercises, conducting gap analysis assessments, creating remediation plans and assisting with intrusion detection and prevention systems. Paul is available at the Barcelona event for free one to one consultations.

James Hopper is SRM’s Operations Director, having worked previously within the worlds of consultancy and local government service improvement, delivering significant Transformation Programmes. He also has experience in consultancy, operations and innovation with a large FTSE 100 outsourcing company and a large NHS organisation. James brings this vast strategic experience to the process of company-wide information security solutions. At SRM he ensures that our service is constantly evolving to deliver first class service to a range of clients across many sectors. With a reputation as a clear-thinking no-nonsense problem-solver, James can cut through to what is specifically required so that top level compliance can be achieved in a cost-effective manner. James is also available at the Barcelona event for free one to one consultations.

James and Paul are interested in meeting those involved with PCI DSS compliance programmes. They also have a thorough knowledge of the whole information security sector and can advise on other issues as part of a company-wide strategy. But they are only two people from a highly skilled, experienced team and, where necessary, they can put you in touch with someone with a specific expertise.

Established in 2002, SRM has a proven track record in the industry. As a company it continues to grow in excess of industry norms. It is structured to respond to the continual changes within the world of information security and to ensure that its innovative service offerings evolve to better suit the needs of existing and future clients.

To book your free consultation simply email paul.brennecker@srm-solutions.com or james.hopper@srm-solutions.com.

To find out more about us, visit http://www.srm-solutions.com or to read our blog visit http://blog.srm-solutions.com/

http://blog.srm-solutions.com/win-a-free-days-consultancy-october-offer-to-celebrate-national-cyber-security-awareness-month-ncsam/

http://blog.srm-solutions.com/pci-europe-community-meeting-barcelona-24-26-october-2017/

Win a free day’s consultancy: October offer to celebrate National Cyber Security Awareness Month (NCSAM)

Security Risk Management is offering a free day’s consultancy in support of National Cyber Security Awareness Month.

October may, for many, be associated with the ghouls and ghosts of Halloween. But that is not all this month is about. It is also National Cyber Security Awareness Month. Like Halloween (in its current form) the NCSAM has its origins in the United States. Unlike Halloween, however, it focuses on keeping us safe from those who might wish to harm us.

In 2004 the US Department of Homeland Security and the National Cyber Security Alliance joined forces to create an initiative to educate and raise awareness of staying safe online. Its aim is to engage with and educate businesses, educational organisations and the public in how to build resilience and stay safe online. It is now recognised in the UK as an important way to remind everyone of the potential perils of cybercrime.

This year’s theme is ‘Our Shared Responsibility’ and this has relevance to the business community as well as the general public. Data breaches hit the headlines on a regular basis. Every time a company is exposed in this way it highlights the need for data security to be at the top of every board agenda. It cannot be the sole remit of the IT department or the Chief Information Security Officer (CISO). Its importance is so great that it ought to appear on board agendas every month, even if a sub-group then manages the implementation of compliance and security.

From phishing attacks which exploit human psychology to gain access to an individual’s log in and account details, to large scale Black Hat attacks by highly-organised cyber criminals, company-wide awareness is crucial to protection and defence. Increasingly, boards are becoming aware of their collective responsibility to provide additional resource and support for their information security teams. Outside expertise is an important aspect of this, particularly when it comes to testing a company’s defences.

Rather than waiting for a malicious attack from an unprincipled attacker, it is important to make use of the skills of experienced information security test teams. The very best include individuals with the Offensive Security Chartered Practitioner (OSCP) qualification. Unlike their counterparts with only theoretical knowledge of hacking, those with OSCP training have practical skills. Their rigorous training includes the requirement to be able to effectively hack a range of well-protected networks within a challenging timeframe. Through this process they get into the minds of the hackers themselves.

Those boards that are seen to be proactive will help to make their organisation less appealing to hackers. Those who have engaged with the best test teams will make the actual task of breaching security sufficiently difficult that hackers will look for easier prey. So let October be the month in which every board of every company in the UK prioritises data security and recognises its shared responsibility.

To win a free day’s consultancy, just leave your details on the Contact Us page. The prize includes:

  • Development of the information security risk profile of your organisation delivered by an experienced Information Security Consultant;
  • A prioritised roadmap to help you focus on the issues to fix now and suggested mitigation steps to help you manage key risks;
  • Where your organisation ranks on the GDPR maturity scale and the next steps you should take to be prepared for May 2018;
  • A scan of your website to uncover any significant security risks using our best of breed scanning tool;
  • Preparation for Cyber Essentials and a discount on obtaining certification.

This prize is worth over £1000 and will provide you with comprehensive insight of your organisations Information Security risk profile.

SRM Blog