Happy New Year!!!
Posted in Uncategorized on Dec 31st, 2007
Let's see what next year means for us. Most probably it will be Anti Money Laundering and PCI DSS for the full year, but one never knows. C U all next year! Jesper
by Jesper Kråkhede, Sweden
Posted in Compliance on Dec 31st, 2007
Susan Bradley, a Microsoft Small Business Server MVP, wrote a blog entry regarding whether you could get an SBS server compliant. She concludes that it is more or less impossible due to requirement 2.2.1, Implement only one primary function per server (for example, web servers, database servers, and DNS should be implemented on separate servers), and […]
Posted in Security Architecture on Dec 30th, 2007
In a Swedish newspaper a police officer has vented his thoughts regarding the easy way to commit identity fraud in Sweden. The fraud was committed in a very simple way. A person had registered a mobile phone number in another person's name and then applied for SMS loans that should be transferred to any bank account. The […]
Posted in Compliance on Dec 29th, 2007
One of the requirements states that if you hash the PAN it is regarded as destroyed (safe). This was true before, but with the rise of rainbow tables for breaking password hashes, ordinary hashing can no longer be regarded as safe. By ordinary I mean using a hash algorithm that is irreversible and produces the same result […]
Posted in Compliance on Dec 25th, 2007
During my years working in this field I have seen all different kinds of approaches to compliance and, more specifically, to the auditor. More or less all approaches can be beneficial but one: never ever try to fool or trick the auditor. The best way to get stuff past the auditor is to be transparent and […]
Posted in Compliance, Security Architecture on Dec 16th, 2007
A customer asked me today how they should argue with their auditor to be regarded as compliant even if they do not have firewalls. It is a very intriguing question, due to the fact that firewalls are regarded as the only thing that actually prevents every system from being included as a System Component. But where there […]
Posted in Compliance on Dec 16th, 2007
On a Swedish economy news site an article was published regarding fines for a bank not complying with AML (Anti Money Laundering). It is quite interesting to know that the fines are rather substantial. According to the article the fines will be around 100 000€. With fines of that magnitude banks have to start working […]
Posted in Compliance, Security Architecture on Dec 3rd, 2007
In the same article and point as in my previous entry risk management is mentioned. This is a very important function in any kind of security architecture. Without sound risk analysis you cannot produce any kind of security due to the fact that you do not know what the risks are. The directive in this […]
Posted in Compliance on Dec 3rd, 2007
To be able to comply with PSD there are quite a lot of criteria that have to be fulfilled. One is the fourth point of article 10: Granting of authorization. It states that there has to be a clear chain of responsibility for all parts of the payment service business. It all breaks down to […]
Posted in Compliance, Security Architecture on Dec 3rd, 2007
PSD, the Payment Services Directive, is a very interesting directive from the EU regarding opening up payment flows all over the EU. Read more here: http://register.consilium.europa.eu/pdf/en/07/st03/st03613-re02.en07.pdf This will of course create changes in the current systems for how money is transferred within the EU today. From my point of view the possible need for changes in the security […]