
Category Archive for 'Compliance'

I know that a bunch of you have started to look at the new data protection directive. If you have spent some time with it, you have probably read that if you encrypt your data properly you don't need to inform your customers of a data breach. This is of course good news for encryption […]

PCI Policy struggle

Over the last few months I have been helping a client become PCI DSS compliant again. I have to say that the new standard really emphasises policy: everything you do needs to be in a policy. I can appreciate why everything needs to be in a policy, but when the QSA asks for strict wording it […]

PCI 3.1

And yet another version of the PCI standard. Not that many changes this time, but of course there are always a few. Most notable is that you should now effectively use TLS 1.2 and nothing less. Oh, and don't forget to write a standard and a policy. Otherwise you'll fail. There must be someone on […]
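As an added illustration of that TLS 1.2 minimum (this is not configuration from the original post; the hostname and certificate paths are placeholders), here is what the setting looks like in an nginx server block, with the pre-3.1 style configuration that still accepts SSLv3, TLS 1.0 and TLS 1.1 shown next to the corrected one:

```nginx
# BEFORE: still negotiates SSLv3, TLS 1.0 and TLS 1.1 with older clients.
# Any of these being offered is what the PCI 3.1 change is about.
server {
    listen 443 ssl;
    server_name shop.example.com;            # placeholder
    ssl_certificate     /etc/ssl/shop.crt;   # placeholder
    ssl_certificate_key /etc/ssl/shop.key;   # placeholder

    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
}

# AFTER: only TLS 1.2 is offered; older clients fail the handshake
# instead of being downgraded. On builds that support it, TLSv1.3
# (which postdates PCI DSS 3.1) can be listed alongside TLSv1.2.
server {
    listen 443 ssl;
    server_name shop.example.com;            # placeholder
    ssl_certificate     /etc/ssl/shop.crt;   # placeholder
    ssl_certificate_key /etc/ssl/shop.key;   # placeholder

    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
}
```

To check the result from the outside rather than trusting the config file, `openssl s_client -connect shop.example.com:443 -tls1_1` should fail to complete a handshake after the change, while the same command with `-tls1_2` should succeed. Remember that the standard also expects the protocol choice to be written down in a standard and a policy, not only applied on the server.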

I was approached by a data centre here in Sweden that asked me about a contact they have with a company that needs to be PCI DSS compliant. Apparently the company had outsourced their entire infrastructure to the data centre but kept their architecture unit and application management in-house. The question I received was […]

The events currently unfolding at a large car producer point at a specific problem within security: the fear of letting others know. In many organisations today security has a somewhat impenetrable workflow. The board is briefed by the CSO or CIO with only a minimum of information according to "need to know". Non-security personnel have […]

What on earth is AML security architecture? I sometimes get the question of how you create a security architecture for AML (Anti-Money Laundering), and I'll try to answer it here. A loose definition is that AML is a set of regulations dictating that you have to make sure your financial institution does not take part […]

Security architecture is sometimes just a number of words glued together with some pictures, or, to be more explicit, the power of security architecture lies in the visualisation of fully defined words. Some words that commonly need both definition and explanation are: threat, vulnerability and risk. Threat: 1. An expression of an intention to inflict […]

PCI DSS is an interesting and demanding standard. Small retailers seldom have the time or resources to handle it correctly. This still doesn't mean that they are not a target. With large retailers becoming PCI DSS compliant, the crooks' focus shifts towards where it is easier to conduct a hack. In […]

Watching skimming at Mallorca

You go on vacation to get some rest and relaxation. Still, being the curious individual that I am, I cannot just put my biggest hobby, security, on hold. Sitting at a restaurant I watched the crowd in a few stores and suddenly saw something peculiar. When taking payments from every fourth client or so […]

L4

So you are a level 4 merchant and think PCI DSS is nothing you need to worry about? Think again! Lately attacks have moved from the bigger targets to smaller L3 and L4 merchants, mainly because they haven't focused on security to the same extent as a larger organisation has. This means that even if […]