Mastercard has set a deadline for acquiring organisations to manage risk in their Level 4 Merchant portfolio. Mastercard’s updated Site Data Protection (SDP) Program rules expect PCI DSS compliance validation from your high-risk merchants. Mastercard requires all acquirers to have a Level 4 risk management programme in place to meet the updated SDP requirements. […]
by Michael Hopewell, Managing Information Security Consultant. Introduction Many businesses have heard about Point to Point Encryption (P2PE). Point of Sale vendors, service providers and others often mention its benefits to businesses: P2PE can reduce risk to payment card data by rendering it unreadable, minimise the number of systems and networks in scope for […]
Compliance with the PCI DSS (Payment Card Industry Data Security Standard) is mandatory for all businesses accepting cards for payment. The Standard ensures appropriate security protocols are applied to your payment acceptance environment to protect against fraud. In its simplest form, the process of achieving compliance involves a scoping (or profiling) stage, which determines […]
Lots of Internet-connected devices are available on the market and a popular theme now is devices to create a ‘smart home’, which includes smart door locks, surveillance/security cameras and heating control systems that can be monitored and controlled when you are away from the home. This ability to remotely connect to and integrate devices […]
On the 17th May 2018, the PCI SSC published the latest version of the PCI Data Security Standard: the PCI DSS v3.2.1. In this article we look at the changes that have been included in the updated Standard. These are also discussed in the PCI SSC’s summary of changes document. A new standard? This […]
‘PIN on Glass’ is a catchy phrase that the payments industry and solution vendors have been bandying about as the next big thing for payment card processing: point of sale solutions that will allow merchants to accept card payments using just their mobile device and with no need to purchase expensive hardware. This is […]
Ask A QSA – Mobile attack rates, how can your business customers better secure their mcommerce channel?
By Judith Clark, QSA Consultant Ask a QSA recently received the following query from an acquirer and we felt that this may be of interest to our readers. Merchants had been asking their acquirer “how can we better secure our mcommerce channel?” It’s a good question. Recent research has shown that mobile attack rates […]
Proactive Data Security – take the PCI compliance burden away from small business and make them secure
Many smaller business owners simply don’t have the time or resources to comply with PCI. As a result, they often end up paying ongoing, non-compliance fees leaving them vulnerable to security breaches. So what’s the solution? It’s simple, take the burden away from smaller merchants by providing them with a managed compliance and security […]
PCI DSS compliance and the forthcoming increase of Bank Identification Numbers (BINs). Are there any compliance issues?
Ask a QSA recently received the following Primary Account Number (PAN) Truncation query and felt that this may be of interest to our readers. By Judith Clark, QSA Consultant With the forthcoming increase of Bank Identification Numbers (BINs) from six digits to eight digits, are there any PCI DSS compliance issues with showing […]
The TLS deadline is fast approaching. We examine what it is and how we can help your customers be prepared
With the Payment Card Industry Security Standards Council (PCI SSC) 30th June 2018 deadline fast approaching, it’s important that your customers are prepared to migrate to a secure version of TLS . Back in October of last year, Sysnet’s Natasja Bolton, Senior Acquirer Support QSA, highlighted the key factors as to what the TLS […]
Despite various approaches that some acquirers take to try and engage with businesses when it comes to compliance programs, some merchants simply do not engage. The traditional approach of driving compliance via non-compliance fees unfortunately doesn’t always produce results and can also lead to a negative association with the brand of the acquirer in the eyes […]
By Francis Kyereh, Information Security Consultant Maintaining payment security is required for all entities that store, process or transmit cardholder data. Guidance for maintaining payment security is provided in PCI security standards. These set the technical and operational requirements for organisations accepting or processing payment transactions. The PCI DSS Version 3.2, containing nine new requirements […]
When undertaking any kind of PCI DSS assessment, whether it is a formal assessment or self-assessment questionnaire (SAQ), the most important thing is ensuring that the scope is correct. Without an understanding of the scope, systems may be overlooked and/or insufficient security controls applied. This may lead to a risk of data breach. Conversely, […]
By Mat Clarke, Information Security Analyst Introduction Testing the security of any network infrastructure and applications which are involved in the storing, processing or transmitting of cardholder data is often a key part of maintaining compliance with Payment Card Industry Data Security Standard (PCI DSS) requirements. Along with internal and external vulnerability scanning (only […]
By Natasja Bolton, Senior Acquirer Support QSA Back in January 2016, we highlighted the PCI Council’s extension of the migration completion date for transitioning from SSL and TLS 1.0 to a secure version of TLS (currently v1.1 or higher). Now, with just 8 months to go until the migration date deadline, we’re here to ask: […]
The PCI SSC has published a further update on the applicability and implementation of the SAQ A requirements to merchant web servers that redirect customers to a third party for payment processing. The SAQ A is applicable to merchant entities that have wholly outsourced their entire ecommerce website infrastructure to a PCI DSS compliant […]
With larger organisations that deal directly with an acquirer, they do not have the guidance of an online portal and often rely on the PCI council in relation to SAQ selection as well as advice provided by a third party service provider. In order to address these difficulties with ecommerce SAQ selection we have […]
Many businesses are often unaware that ensuring their payment terminals are part of a Point-to-Point Encryption (P2PE) Solution can carry considerable benefits when it comes to simplifying their PCI DSS compliance. As we discovered here at Sysnet, the reason why many businesses are not aware of P2PE and its benefits is that they often find […]
by Natasja Bolton, Senior Acquirer Support QSA The UK Cards Association’s 2017 report on UK Card Payments, released on 19th June 2017, reported a doubling of debit and credit card purchases in the last 10 years. The volume of card transactions reached 16.4 billion in 2016, an increase of 146% from 2006, even though the […]
May 17th 2017. Today, Sysnet Global Solutions a leading provider of cyber security and compliance solutions to the payments industry, announced that it has partnered with Elavon Merchant Services to develop Secured Pro; a managed PCI compliance validation and cyber security service that offers enhanced protection against fraud and payment security breaches. “A new […]
Requirement 11.2.2 of the Payment Card Industry Data Security Standard, otherwise known as the ASV scanning requirement, affects a significant number of businesses. These businesses need to engage an Approved Scanning Vendor (ASV to run external vulnerability scans quarterly. It can be difficult for these companies to understand what ASV external vulnerability scanning is, […]
Most businesses have to comply with multiple information security related standards and regulations. In our experience the average is 3. These can include but are not limited to PCI DSS, GDPR, ISO 2700, Sarbanes Oxley, HIPAA, Cyber Essentials, POPI and even audits by clients.
On March 9th 2017, we officially launched our new US Customer Contact Centre in Atlanta, Georgia. Both Commissioner Pat Wilson of the Georgia Department of Economic Development and Gabriel Moynagh, CEO at Sysnet cut the ribbon to officially launch the opening of the new centre. The launch proved to be a great success and was attended […]
March 9th, 2017, Dublin, Ireland / Atlanta, Georgia. Today, Commissioner Pat Wilson of the Georgia Department of Economic Development officially opened Sysnet’s new customer contact centre located at 1001 Perimeter Summit Boulevard. Sysnet Global Solutions is a leading provider of cyber security and compliance solutions to the payments industry. The new centre will provide services […]
In May last year, in advance of the introduction of the PCI DSS v3.2 SAQs (Self-Assessment Questionnaires) we created a downloadable fact sheet to explain in detail the impact of the updated Standard on the SAQ types.
Information Security is complex. Understanding risk and implementing appropriate mitigating controls, be they technical or otherwise, is a challenge for organisations of any size. There is no getting away from that, but witchcraft?
With its expanded content, fully revised diagrams of the e-commerce implementation methods and inclusion of case studies the 2017 guidance is a useful reference for merchants and services providers alike.
Let us first summarise the applicability and intent of SAQ A. This self-assessment questionnaire is applicable to entities that outsource their e-Commerce payment channel payment processing to a PCI DSS compliant third party.
Conducting an outreach campaign can be tricky to get right as well as resource heavy. Responding to market conditions while also proactively engaging your customers through their preferred channels can be difficult to achieve successfully. It can make sense to outsource, however often providers are not specialised or experienced enough in conducting an outreach security and compliance […]
By Natasja Bolton, Senior Acquirer Support QSA Since the earliest iterations of the PCI DSS, the standard has included the requirement for scoping and has referenced network segmentation as a method of reducing the scope, cost and difficulty of a PCI DSS assessment. For just as long organisations, QSAs and ISAs have been seeking further guidance […]
The PCI DSS v3.2 Self-Assessment Questionnaires requires that all merchants have an Incident Response Plan, regardless of their size, volume of transactions or the extent to which they have outsourced the handling of payment card data. This is to make sure they can respond effectively in the event of a breach that could impact payment […]
by Leon van Aswegen, Senior Consulting Manager In the last two years, the PCI P2PE Standard has gained in popularity amongst Acquirers, Solution Providers, Merchants and their assessing QSAs. This is because PCI P2PE Solutions provide independently assured protection for account data from the point of capture, reducing where and how PCI DSS […]
The end of October marked the one year anniversary of EMV. As expected there have been a few highs and lows during this time. The transformation has overall been successful with fraud largely dropping and consumer adaptation at a high, however small to medium businesses still have a way to go in relation to getting […]
In a previous article, written by Sysnet’s Paul Prior, Paul mentioned how he believed that a change was necessary in the industry. A move away from using non-compliance fees as a mechanism to drive engagement and compliance. He highlighted that most of Sysnet’s clients are evangelising the importance of PCI DSS, however not […]
By Paul Prior, Senior Vice President Client Engagement In light of the upcoming US presidential election, it occurred to me that it would be fun (and worthwhile) to reflect on a previous campaign message from a different Clinton in the context of our business. In 1992, James Carville was the campaign strategist for Bill Clinton who […]
By Natasja Bolton, Senior Acquirer Support QSA Back in June, Sysnet reported on SHA-1 based certificates and why support was ceasing. In that article we also examined the potential impact on ecommerce businesses. Recently, the PCI Security Standards Council (PCI SSC) has released their own guidance on SHA-1 in the form of a Frequently Asked […]
Money can buy many things, however relationships is a trickier one. It involves behavioural traits that can’t always be easily defined and controlled. However the reality is that customer relationships are a key component of what drives business. Many organisations can get caught up in the detail of their products and services. Neglecting to […]
By Jason McWhirr, Information Security Consultant What is the PCI DSS Prioritised Approach? Merchants with more complex payment systems or payment processes that do not fit into the shortened SAQs (A, A-EP, B, B-IP, C & P2PE) are required to complete SAQ D or may require an on-site assessment (for merchants with larger amounts of […]
By Jason McWhirr, Information Security Consultant When it comes to processing cardholder data, many businesses these days will often use more than one method. Whether they are using a point of sale (POS) device or taking online payments one thing is clear, all payment card data must be protected by implementing the security controls in […]
Security and compliance is a lot like having to do taxes, it’s a chore. Most businesses understand that it is important to be secure and compliant, but the complexity and time that it can take can indeed be off putting. In fact some businesses turn to accountants to look after their compliance with standards such […]