Monthly Archive November 2012

PCI DSS Risk Assessment Guidelines Launched

The PCI Security Standards Council has just released a new ‘Information Supplement’ covering the various ways in which risk assessments are useful when conducting a PCI assessment. In particular, the requirement for an organisation to conduct a formal risk assessment on an annual basis (requirement 12.1.2) has caused headaches for some entities striving for compliance with the standard for some time.

For those in the know, there are many methodologies that can be used to assess risk and document the findings. The only problem is that most folks involved in taking payments are not exposed to these methodologies on a daily basis, so they may just as well be written in ancient Aramaic. Here is where the PCI supplement will come in handy. It gives an in-depth description of the types of risk commonly associated with taking card payments.

Risk is dependent on many conditions, and as such is prone to change over time. This document helps to address many of the common questions that arise when conducting risk assessments and acts as a guide to developing a risk management strategy.


This document has been written by a panel of payment security industry experts, including representation from SRM Ltd, to enable organisations to gain a better understanding of the threats to their Cardholder Data environment. The basic principles are also useful to extend to the larger corporate environment.

Information Security Consultant, SRM's Principal PCI DSS QSA and Payment Card Industry expert, Paul B is a regular contributor to the SRM blog.

UK Information Commissioner’s Office has views about Cloud Computing Solutions

The UK’s data protection watchdog has reminded companies of their responsibilities to safeguard confidential details in the cloud.

According to the Information Commissioner’s Office (ICO), firms should ensure that they safeguard personal data held using cloud computing solutions and the organization has published new guidelines to ensure compliance when records pass to cloud network providers.

With the increasing adoption of cloud computing tools, the ICO noted that the cloud offers flexible and scalable options to expand the capabilities of businesses of all kinds, but pointed out that some organizations are not aware that they are still responsible for data when it is stored in the cloud.

Simon Rice, Technology Policy Advisor, cautioned: “Where personal information is involved, the stakes are high and the ICO has already demonstrated it will act firmly against those who don’t meet data protection laws.”

A survey for the ICO by YouGov revealed that 46 per cent of UK adult internet users using cloud storage have reservations about the security of their information.

Neelie Kroes, European Commission Vice-President Responsible for the Digital Agenda, recently revealed in a press conference on cloud strategy across the region that the EU is planning to draw up international standards relating to data protection in the field.

According to the official, planned regulations and reforms for the market include establishing a global privacy standard for the cloud, creating a system for fair and safe cloud contracts and harnessing the buying power of the public sector.

She explained: “Cloud computing could offer a huge lift to the European economy. But only if users can understand and trust it.”

The EU executive predicts that gross domestic product (GDP) across the region could be boosted by more than £1 trillion by 2020 as a result of the cloud, with millions of extra jobs created.

I recommend that, to assist cloud customers in assessing the security offered by a cloud provider, the use of industry-recognised standards and publications is essential.

More about the legal issues concerned with cloud computing can be gleaned from an introductory book available from our website.

SRM's Operations & Finance Director, Brian F is a regular contributor to the SRM Blog.

SRM Blog