Showing posts with label PCI DSS. Show all posts

Tuesday, October 21, 2008

PCI Europe Brussels visit

Today I visited the PCI Europe event in Brussels, Belgium, an event aimed at companies that want to know more about PCI DSS compliance or do a better job at it. It attracts merchants that need to be compliant, PCI DSS solution vendors, QSA security companies and many more.

It's a nice event where you'll learn something new about PCI compliance every time. My focus was to learn about solutions that can make my life and that of my colleagues a little easier. This time we arrived rather late because of an accident near Antwerp, so we missed the first sessions. I have some nice papers on new solutions we might consider. So from that perspective it was good to be there.

My impression of the event is that it's aimed at people who need to be convinced of PCI or are just starting, not at people who are already compliant and want to go a little more in-depth or technical. That's a miss, I must say; I'm quite sure there is a need for such an event or such sessions. We are now in our second year of being compliant and don't need to be convinced of its need anymore. It has become a business requirement demanded by partners, acquiring banks and bigger merchants.

But I must admit that each time I go I see more people who are not compliant or are just starting. Weird or not? Maybe next year will be different, since I expect a lot of companies will try to be compliant before the end of this year.

Let me know what you think about PCI.

Tuesday, September 16, 2008

Compliancy, innovation and security

In this first in-depth topic I will try to cover the impact compliance can have on security and innovation.

Many companies store customer data such as names, email addresses, postal addresses and phone numbers. But that's not all: companies that sell or provide online services might also store purchase and payment information such as credit card or bank details.

The whole process of obtaining, retrieving and storing that data is a potential risk and needs to conform to a standard defined by a compliance body. Popular certifications and compliance standards are Sarbanes-Oxley, PCI DSS and the ISO standards.

It's obvious that compliance affects many employees, procedures and systems. Therefore it's important to know what is in scope and what is not. In my experience I find it useful to put all Internet-facing systems in scope. Treating all Internet-facing systems the same way, as defined by the compliance standard, is good security practice.
Internet-facing systems include mail, VoIP services, websites and remote access, and these systems must then be compliant too.

You don't want to be in the middle of a migration when the auditor is looking over your shoulder. So upgrades to new versions or the introduction of new services need to be planned between auditor visits. At least that is what I suggest.

It might be worth upgrading to a new version or introducing new systems before the auditor comes, if your schedule leaves time for planning, deploying, testing and updating the documents needed for compliance.

Upgrades (Microsoft products) that provide better security and are generally appreciated by auditors are:
  • Exchange servers upgraded to Exchange Server 2007
  • Introducing Office Communicator 2007 and services
  • Windows XP to Windows Vista
  • Forefront Client Security

Exchange servers upgraded to Exchange Server 2007

  1. Removes open relaying on your external SMTP server by introducing the Edge Transport role, which only accepts mail for your own domains unless a receive connector explicitly allows more.
  2. Adds advanced anti-spam functions.
  3. Advanced antivirus with Forefront Security for Exchange Server.
  4. Improved overall security through server roles and rewritten services and structure.
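Whether relaying is really closed after the upgrade is something you should verify from the outside rather than read off the configuration. The script below is an added example, not code from the original post or from Exchange. It runs the minimal SMTP dialogue (EHLO, MAIL FROM, RCPT TO) with a sender and recipient that are both outside the server's own domains; a correctly configured edge server answers the RCPT TO with a 5xx reply (Exchange replies "550 5.7.1 Unable to relay"), while a 2xx reply means the server would relay for anyone. DATA is never sent, so no message is actually relayed. The host names, addresses and the FakeSmtpServer class are constructed for the example so it runs offline; SocketTransport talks to a real server, which you should only do against servers you are authorised to test.

```python
"""Open-relay check for an Internet-facing SMTP server (added example).

Dialogue: banner -> EHLO -> MAIL FROM -> RCPT TO -> RSET -> QUIT.
The RCPT TO reply decides: 2xx = relays for outsiders, 5xx = closed.
"""
import socket
import sys


def read_reply(readline):
    """Read one SMTP reply, including multi-line "250-..." replies.

    Returns (code, text). A '-' as 4th character marks a continuation
    line; the last line of a reply has a space there instead.
    """
    lines = []
    while True:
        raw = readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line[4:])
        if len(line) < 4 or line[3] != "-":
            break
    return int(line[:3]), "\n".join(lines)


def check_open_relay(conn, helo="relaytest.example.net",
                     sender="probe@example.net",
                     recipient="victim@example.org"):
    """Return {"open_relay": bool, "code": int, "reply": str}.

    conn needs send(bytes), readline() -> bytes and close(). Pick a
    sender and recipient domain the target does NOT host; a 250 on
    RCPT TO for a hosted domain is ordinary delivery, not relaying.
    """
    def command(verb):
        conn.send(verb.encode("ascii") + b"\r\n")
        return read_reply(conn.readline)

    try:
        code, reply = read_reply(conn.readline)          # 220 banner
        if code != 220:
            raise RuntimeError(f"no SMTP banner: {code} {reply}")
        code, reply = command(f"EHLO {helo}")
        if code != 250:
            raise RuntimeError(f"EHLO rejected: {code} {reply}")
        code, reply = command(f"MAIL FROM:<{sender}>")
        if code != 250:
            raise RuntimeError(f"MAIL FROM rejected, inconclusive: {code} {reply}")
        code, reply = command(f"RCPT TO:<{recipient}>")
        open_relay = 200 <= code < 300
        command("RSET")   # drop the envelope; DATA is never sent
        command("QUIT")
    finally:
        conn.close()
    return {"open_relay": open_relay, "code": code, "reply": reply}


class SocketTransport:
    """Real TCP connection to host:port (assumed test target)."""
    def __init__(self, host, port=25, timeout=10):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.rfile = self.sock.makefile("rb")

    def send(self, data):
        self.sock.sendall(data)

    def readline(self):
        return self.rfile.readline()

    def close(self):
        self.rfile.close()
        self.sock.close()


class FakeSmtpServer:
    """Constructed in-memory server: accepts mail for local_domains only,
    unless open_relay=True, which mimics a misconfigured relay."""
    def __init__(self, local_domains=("example.com",), open_relay=False):
        self.local_domains = {d.lower() for d in local_domains}
        self.open_relay = open_relay
        self.pending = [b"220 mx.example.com ESMTP ready\r\n"]

    def readline(self):
        return self.pending.pop(0) if self.pending else b""

    def send(self, data):
        verb, _, arg = data.decode("ascii").strip().partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            self.pending += [b"250-mx.example.com Hello\r\n",
                             b"250 SIZE 10485760\r\n"]
        elif verb in ("MAIL", "RSET"):
            self.pending.append(b"250 2.1.0 OK\r\n")
        elif verb == "RCPT":
            addr = arg.partition(":")[2].strip().strip("<>")
            domain = addr.rpartition("@")[2].lower()
            if self.open_relay or domain in self.local_domains:
                self.pending.append(b"250 2.1.5 Recipient OK\r\n")
            else:
                self.pending.append(b"550 5.7.1 Unable to relay\r\n")
        elif verb == "QUIT":
            self.pending.append(b"221 2.0.0 Bye\r\n")
        else:
            self.pending.append(b"500 5.5.1 Command unrecognized\r\n")

    def close(self):
        pass


if __name__ == "__main__":
    # python relaycheck.py mail.example.com [port]; no args = offline demo
    if len(sys.argv) > 1:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
        print(check_open_relay(SocketTransport(sys.argv[1], port)))
    else:
        print("closed:", check_open_relay(FakeSmtpServer()))
        print("open:  ", check_open_relay(FakeSmtpServer(open_relay=True)))
```

Run it against every address your edge server listens on, not just the MX record: a second receive connector on another IP is a common place for a forgotten "accept any recipient" permission.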

Introducing Office Communicator 2007 and services

  1. Secure VoIP services.
  2. Encrypted instant messaging (no need for MSN, Skype or others).
  3. More secure communication overall.

There is also a drawback: more externally connected, Internet-facing IPs and services, each of which lands in scope.

Windows XP to Windows Vista

With the right hardware investment Vista provides a faster and more secure computing environment, especially the dreaded UAC, which is a really good security feature against scripts, viruses and trojans. UAC lets daily work run without administrator rights, which stops a lot of malware that silently needs them, but Microsoft does not treat it as a security boundary, so it complements rather than replaces antivirus and patching.

Forefront Client Security with WSUS and MOM

This gives you central control over the computers in your network:

  1. Security state assessment and alert reporting.
  2. Enforced real-time antivirus scanning with daily definition updates.
  3. WSUS for scheduled, enforced, centrally managed updates.
  4. AD Group Policy Objects for controlling Forefront-protected computers.

As you can see, it can be a good thing to upgrade or introduce new services even if you need to be compliant and are audited. But always take great care in planning and deploying, and run a security scan against every computer connected to the Internet afterwards.

Thank you for reading. Let me know if this works for you.

Wednesday, September 3, 2008

ICT Innovation and Security blog

Dear Reader,

This is my blog about ICT innovation and security, or is it security and innovation? Happily for me, ICT innovation creates new security threats as well as decreased security risks. So which one comes first and which is more important? A hard question, which I hope to answer with a series of articles. In these articles I will try to cover important aspects of new technology and how it benefits you or what security concerns it might raise.

Focusing on Microsoft products, but also covering compliance, managed services, outsourcing, servers, firewalls, switching, virtualization and applications. From A to Z, from the end-user as consumer or employee to partner or client.

In these articles I will try to apply the knowledge and experience I have gathered over the last 10 years. In my position as CTO and CSO of Payvision, a credit card processing company, I often have to make choices regarding security and innovation.

Credit card processing companies need to be PCI DSS compliant nowadays. A good thing, which enforces security policies and best practices at companies that process MasterCard and Visa transactions. But with this compliance obligation, innovation can be postponed or become impossible, because compliance can be more important than innovation. Or not? See my next article.

I hope my articles can shed some light on today's issues and technology. But feel free to request a topic that is on your mind.

Thanks for reading. Write to you soon...