Preparing your business for a data breach
Blog, Uncategorized

By Mat Clarke, Information Security Analyst

Whilst guarding against a security breach is often high on the agenda for businesses and security professionals alike, making preparations for the worst-case scenario actually occurring can easily be overlooked. Unfortunately, as a number of recent high-profile security breaches have demonstrated, no set of defences is infallible […]

Migrating to a secure version of TLS and preparing for the June 2018 deadline
Blog, Uncategorized, Whitepapers

By David Morris, PCI Compliance Analyst

Following on from Natasja Bolton’s article that highlighted the PCI Council June 30th deadline in relation to organisations not using Secure Sockets Layer (SSL) or early Transport Layer Security (TLS) as a security control, David Morris discusses the reasons for the requirement to migrate to a secure version of […]

Demystifying PCI DSS requirements: Penetration/segmentation testing
Blog

By Mat Clarke, Information Security Analyst

Introduction

Testing the security of any network infrastructure and applications which are involved in the storing, processing or transmitting of cardholder data is often a key part of maintaining compliance with Payment Card Industry Data Security Standard (PCI DSS) requirements. Along with internal and external vulnerability scanning (only […]

PCI Council deadline - Are Your Customers Ready for 30 June 2018? 
Blog, Uncategorized

By Natasja Bolton, Senior Acquirer Support QSA

Back in January 2016, we highlighted the PCI Council’s extension of the migration completion date for transitioning from SSL and TLS 1.0 to a secure version of TLS (currently v1.1 or higher). Now, with just 8 months to go until the migration date deadline, we’re here to ask: […]

Are your customers ready for 31 January 2018?
Blog, Uncategorized

By Natasja Bolton, Senior Acquirer Support QSA

In my last article, I discussed whether two-step authentication was ever acceptable to meet PCI DSS’s requirements for multi-factor authentication. In that article, we also noted that PCI DSS requirement 8.3.1 is currently a best practice which becomes a requirement after 31st January 2018. It seems timely […]

The industry hasn’t done enough to help small business merchants with their security issues
Blog, Uncategorized

Sysnet CEO, Gabriel Moynagh, explains how acquiring organisations can make a real impact on small business security by replacing revenue from PCI DSS penalties for non-compliance with a managed service offering that boosts merchant security. The PCI DSS was set up to help businesses process card payments securely and reduce fraud. Most acquirers will […]

Why protecting your data often means thinking like a hacker
Blog, Uncategorized

By Peter Burgess, Senior Information Security Consultant

Hackers are constantly looking for new ways to access an organisation’s data, and sometimes they succeed. One of the more bizarre recent approaches involved a fish tank. The hackers attempted to access and steal data from a North American casino by accessing a fish tank connected to the […]

NIS directive & GDPR: Regulations that will have a global impact
Blog, Uncategorized

By Natasja Bolton, Senior Acquirer Support QSA

With the increase of malware and other malicious cyber security attacks that have had a global impact in the last few years, governments around the world have been trying to implement concrete safeguards through regulation. The goal of these regulations being to not only protect valuable infrastructure services […]

Blog, News

Sysnet Global Solutions appoints Jeremy Coram as SVP Business Development, North America

July 24th, 2017. Sysnet Global Solutions, a leading provider of cyber security and compliance solutions to the payments industry, today announced that it has appointed Jeremy Coram as SVP Business Development, North America. Jeremy will be responsible for identifying and strategically assessing mutually beneficial opportunities within the cyber security space, for Sysnet and its current […]

What you need to know about Point-to-Point Encryption 
Blog, Fact Sheets, Uncategorized

What you need to know about Point-to-Point Encryption (P2PE)

Many businesses are often unaware that ensuring their payment terminals are part of a Point-to-Point Encryption (P2PE) Solution can carry considerable benefits when it comes to simplifying their PCI DSS compliance. As we discovered here at Sysnet, the reason why many businesses are not aware of P2PE and its benefits is that they often find […]

Blog, Uncategorized

Growth in payment card transactions makes PCI DSS compliance more important than ever

By Natasja Bolton, Senior Acquirer Support QSA

The UK Cards Association’s 2017 report on UK Card Payments, released on 19th June 2017, reported a doubling of debit and credit card purchases in the last 10 years. The volume of card transactions reached 16.4 billion in 2016, an increase of 146% from 2006, even though the […]

Payments using biometrics, are financial organisations ready?
Blog, Uncategorized

Biometrics has largely been hailed as the future of consumer identification, authentication, and confirmation of transactions. Though in South Africa, Mastercard has been trialling a chip and PIN bankcard that includes a fingerprint reader, to date the technology has largely not appeared in Point of Sale (POS) devices or in more traditional payment areas. […]

Identity theft – why criminals want more than just payment data
Blog, Cyber Risk, Uncategorized

Increasingly, over the last few years, criminals are specifically looking to gain access to consumers’ identity data and not just their payment data. The main reason for this is that with consumer identity data there are few limits to the fraudulent purposes the data can be used for, which makes it much more desirable. […]

Keep your business safe from social engineering
Blog, FDUS - Managers, Uncategorized

Social engineering, the act of psychologically manipulating a person to divulge confidential information or to carry out actions, is becoming more commonplace. Recently, Indian police raided call centres and made arrests over a large-scale scam in which employees impersonated US Internal Revenue Service and other federal officials, demanding payments […]

Legacy systems and data – putting businesses compliance at risk?
Blog, Cyber Risk, Uncategorized

By Natasja Bolton, Senior Acquirer Support QSA

At the release of the PCI Scoping Guidance back in December 2016, the PCI Council highlighted the fact that “data breach investigation reports continue to find that companies suffering compromises were unaware that cardholder data was present on their compromised systems”. Why is that? Well, often […]

Ransomware – Steps that organisations and businesses need to take
Blog, Cyber Risk, Uncategorized

The recent global ransomware attack, referred to as ‘WannaCry’, that resulted in over 45,000 attacks and infected major companies, hospitals and other government institutions, unfortunately caught many off guard. WannaCry targeted computers running Windows operating systems that had not been updated with a security update released by Microsoft in March 2017, as well as […]

Face-to-face payments: Mobile vs Plastic
Blog

By Paul Prior, Senior Vice President Client Engagement

As recently reported (BBC, CNBC), Mastercard have just released a payment card with an in-built fingerprint sensor. There is no question that the introduction of EMV has had a significant impact on driving down card-present fraud and, while fingerprint scanners are not foolproof, this type of biometric authentication […]

ASV external vulnerability scans explained
Blog, Uncategorized

Requirement 11.2.2 of the Payment Card Industry Data Security Standard, otherwise known as the ASV scanning requirement, affects a significant number of businesses. These businesses need to engage an Approved Scanning Vendor (ASV) to run external vulnerability scans quarterly. It can be difficult for these companies to understand what ASV external vulnerability scanning is, […]

Mobile Payments - Have they met consumer expectations?
Blog, Uncategorized

Mobile Payments – Have they met expectations?

By Natasja Bolton, Senior Acquirer Support QSA

Mobile Payments, a broad term covering consumer and merchant-initiated mobile payment methods, have been gaining acceptance in the marketplace; however, have these methods achieved broad acceptance with consumers and businesses alike? In our article ‘State of Pay – have mobile payments reached a turning point?’ we […]

Cyber crime - Protecting your business
Blog, FDUS - Associates, FDUS - Managers, Videos

Online commerce has created incredible new opportunities for businesses to market and sell services globally. Many businesses, in particular small to medium ones, often do not consider that they could be targeted by cyber crime. The reality, unfortunately, is that small to medium businesses are now very much being targeted by cyber criminals as many are […]

Our expertise will make your outreach campaign a success
Blog, Uncategorized

Outreach campaign success

Conducting an outreach campaign can be tricky to get right as well as resource heavy. Responding to market conditions while also proactively engaging your customers through their preferred channels can be difficult to achieve successfully. It can make sense to outsource; however, providers are often not specialised or experienced enough in conducting an outreach security and compliance […]

New PCI SSC Scoping & Segmentation Guidance: what does it mean?
Blog, Fact Sheets, Uncategorized, Whitepapers

By Natasja Bolton, Senior Acquirer Support QSA

Since the earliest iterations of the PCI DSS, the standard has included the requirement for scoping and has referenced network segmentation as a method of reducing the scope, cost and difficulty of a PCI DSS assessment. For just as long, organisations, QSAs and ISAs have been seeking further guidance […]

PCI Council publishes PCI scoping guidance
Blog, Uncategorized

The PCI Council recently published a supplement document entitled ‘Guidance for PCI DSS Scoping and Network Segmentation’. The new guidance document was driven by common questions received from industry stakeholders on scoping and segmentation. The methods outlined within the guidance were formed in collaboration with the council’s board of […]

Data breach: Prepare your Business
Blog, Fact Sheets, Uncategorized, Whitepapers

The PCI DSS v3.2 Self-Assessment Questionnaires require that all merchants have an Incident Response Plan, regardless of their size, volume of transactions or the extent to which they have outsourced the handling of payment card data. This is to make sure they can respond effectively in the event of a breach that could impact payment […]

Demystifying existing non-listed P2PE Solutions
Blog, Uncategorized

By Leon van Aswegen, Senior Consulting Manager

In the last two years, the PCI P2PE Standard has gained in popularity amongst Acquirers, Solution Providers, Merchants and their assessing QSAs. This is because PCI P2PE Solutions provide independently assured protection for account data from the point of capture, reducing where and how PCI DSS […]

Cybercrime - Ensuring your retail customers are safe during the holidays
Articles, Blog, Uncategorized

With the major holiday season just around the corner, many retail businesses are gearing up for the shopping frenzy to commence. Increasingly customers are turning to online shopping to avoid queues and to bag a bargain. Therefore it is essential that online retailers are prepared to service the high customer demand. Unfortunately for retailers, […]