Regulation and Compliance – It’s all relative and what you are used to…

In this old Beast or Buddha post from 2009, our CEO, Drazen Drazic, looked at regulation and compliance. It is worth reviewing again to see where we stand in 2013, as the Government starts to follow the likes of the US in assessing whether more regulation and compliance is needed.

http://beastorbuddha.com/2009/04/14/regulating-it-security-practices-pci-dss-tough-it-could-be-worse-or-betterdepends-how-you-look-at-it/index.html

We welcome your thoughts and comments….


Businesses must ensure PCI DSS compliance in age of online retail shopping

As technology evolves, consumers are being provided with more tools than ever before with which to meet their shopping needs.

While this offers an exciting new frontier for innovative retailers, it is worth considering the importance of consumer safety and Payment Card Industry Data Security Standard (PCI DSS) compliance during this time.

The IBM Center for Applied Insights has just released a new study into the modern world of digital retail, titled The Value of a Smarter Shopping Experience, and the results are an indication of just how enormous the potential for online business success is.

"To win in today’s increasingly competitive marketplace, it is imperative for retailers to understand how consumers engage with their brand across all possible points of interaction," reads the document.

"No longer is a one-size-fits-all approach good enough, as today’s smarter consumers demand that retailers meet their unique needs and timeframes."

According to the International Telecommunication Union (ITU), there are now 5.9 billion mobile-cellular subscriptions worldwide – that's global penetration of 87 per cent.

Furthermore, the ITU states that one-third of the 1.8 billion households worldwide now have internet access.

In order to fully capitalise on this market, IBM suggests that retailers deliver an engaging, timely and consistently aware online shopping experience for users.

However, it is important to note that any business which accepts credit or debit card payments, whether online or in a traditional bricks-and-mortar environment, needs to ensure that it is up to date with PCI DSS compliance.

Compliance with the standard demonstrates that a retailer is fulfilling its obligations to protect cardholder data, so that the potential for cybercrime or information theft is minimised.

IBM asserts that five key competencies are required for retailers to realise the rewards of investment in a smarter shopping experience – integrated information, prescriptive insight, precision marketing, relevant experience and continuous dialogue.

Facebook donates $10 million as part of privacy class-action settlement

Facebook has become the latest company to pay the price for not properly considering the privacy of users.

The social media giant has agreed to donate US$10 million to charity as part of a legal settlement reached in May.

The proposed class-action lawsuit was brought on by five users, who argued that Facebook had violated their right to privacy by publicising their ‘Likes’ on paid advertisements without permission.

However, Facebook may have got off lightly. A study conducted in January 2011 by Edison Research found that 51 per cent of Americans aged 12 and over – or around 160 million people – were now using Facebook.

Had the lawsuit included every one of those users, Mark Zuckerberg’s empire may have been facing billions of dollars in payments.

Companies that operate in the online environment have a responsibility to protect the privacy of their clients and to secure their information.

But as new technology emerges and businesses find new ways to interact with customers, companies may find themselves left with unexpected vulnerabilities.

If you’re concerned about the privacy of your client information, a due diligence assessment is an excellent way to review the security controls of your business.

A security due diligence assessment is a third-party evaluation of the threats to, and compliance gaps in, your systems, and provides you with a thorough list of recommendations aimed at protecting user privacy.

PCI compliance worth the investment

Keeping on top of data security commitments can be a difficult task for businesses and firms in the finance industry, as the nature of the game can change rather quickly.

This means that the ideal setup in terms of internal structure and online defences tends to shift on a regular basis – leaving IT professionals and information officers chasing a moving target.

When it comes to handling sensitive client details, help is at hand in the form of dedicated data security standards from the Payment Card Industry Security Standards Council (PCI SSC).

PCI compliance means that the organisation has met the requirements laid out by the council and has the capacity to protect the information of valued customers and stakeholders.

The good news about achieving this level of internal security is that the necessary frameworks are laid out by a professional body on a regular basis – with industry standards changing to meet the challenges presented by evolving methods of identity theft and payment card fraud.

This means that the organisations responsible for collecting and storing client details do not need to undertake extensive research into these areas – the hard work has essentially been done for them.

With the assistance of an accredited PCI DSS assessment team (a Qualified Security Assessor, or QSA), a firm is able to have its controls reviewed quickly and professionally for any potential gaps that may have been overlooked.

From there, recommendations can be made in regard to the efforts needed to shore up any potential breach points – either on their own terms or with the assistance of a professional security provider.

Once these areas have been dealt with, the PCI assessment can be completed and the organisation will be able to continue serving its stakeholders with confidence.

PCI DSS neglect can damage a business’ reputation

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements developed and maintained by an industry council made up of some of the biggest names in the game.

Compliance with these measures is important for businesses and clients – not to mention financial providers – as it protects their reputation and helps to enhance the purchasing experience.

However, a recent interview published by ZDNet on April 24 with a leading expert on PCI DSS asserted that many firms had neglected their security obligations.

According to senior security consultant Steven Surdich, from Securus Global, companies sometimes engaged in so-called ‘patching’ behaviour before a yearly audit rather than ensuring their system was adequately protected at all times.

The PCI expert stated that this kind of activity was obvious to external qualified security assessors, who are charged with ensuring that a company’s defences are in line with the industry standards.

Mr Surdich explained: “The environment that was certified as PCI compliant – that needs to be protected from unauthorised changes.

“You want to make sure that you understand the environment, and that you’re actually part of the change process in some capacity.”

Regular reviews of the payment card systems by a registered professional can be helpful in this process, as they explain the requirements on a relatable basis.


Security audits for mobility and business intelligence operations

Australian firms are focusing more on mobility and business intelligence than ever before, according to a recent report.

The Chief Information Officer Agenda survey, performed by Gartner as part of its Executive Programs 2012 initiative, covered over 2,000 CIOs around the world – 132 of whom were in Australia.

Researchers found that the main driver of these professionals' projects in 2012 was extracting value from mobile technologies and business intelligence (BI) operations.

While areas such as cloud services and virtualisation still ranked well in terms of future planning, the survey found that the increase in adoption rates for smartphones and personal tablets had made those areas less of an immediate priority.

Vice-president of Gartner Andy Rowsell-Jones explained that the new ranking was something of an anomaly for researchers to find.

He asserted: "BI has had a chequered history in Gartner's annual CIO survey. Is it new ideas, new tools, or the triumph of hope over experience that has propelled BI back into the limelight? We will find out over the course of the year."

However, the additional information collected and stored by businesses involved in data mining and mobile access also calls for more frequent security audits and compliance certification, because the value of collected client details is just as widely recognised by malicious online parties.

Cheques vs electronic payments: PCI DSS compliance

Electronic payment processing technology still has some inherent weaknesses when it comes to customer data, according to the assistant governor (financial system) of the Reserve Bank of Australia.

In a speech given earlier this week (March 20), Malcolm Edey asserted that while recent technological developments – including online payment services and mobile phones – have made electronic payments quicker and more efficient to use, the humble cheque still sets a relatively high benchmark.

He told an audience at the Cards & Payments Australasia 2012 Conference in Sydney: "Cheques are always a good reminder of the things that are missing in our electronic payments."

As an example, he noted that when making a payment with a cheque, all the person making the payment needs to know is the recipient's name, while electronic payments tend to require a bit more information.

Until details like account and BSB numbers can be integrated seamlessly, there will always be opportunities for further progress in the payment sector.

Widespread adoption of payments made via smartphones has underscored the importance of data security compliance in this sector, according to the general manager of the Payment Card Industry Security Standards Council.

Speaking last month in a podcast interview with Information Security Media Group, Bob Russo noted that PCI DSS compliance will be essential when taking mobile phone payments – and he urged companies to take a forward-thinking approach to managing vulnerabilities.
