Compliance3 partners with PCI Security Standards Council

COMPLIANCE3 TO PARTNER WITH PCI SECURITY STANDARDS COUNCIL TO HELP SECURE PAYMENT DATA WORLDWIDE

As Council’s Newest Participating Organization, Compliance3 to Contribute to the Development of PCI Security Standards

FOR IMMEDIATE RELEASE

London, December 11th 2017 – Compliance3, a UK-based consultancy with extensive experience in assisting companies to achieve and maintain PCI DSS compliance in Contact Centres, announced today that it has joined the PCI Security Standards Council (PCI SSC) as a new Participating Organization. Compliance3 will work with the PCI SSC to help secure payment data worldwide through the ongoing development and adoption of the PCI Security Standards.

The PCI SSC leads a global, cross-industry effort to increase payment security by providing flexible, industry-driven and effective data security standards and programs. The keystone is the PCI Data Security Standard (PCI DSS), which provides an actionable framework for developing a robust payment card data security process and for preventing, detecting and mitigating criminal attacks and breaches.

As a Participating Organization, Compliance3 adds its voice to the standards development process and will collaborate with a growing community of more than 800 Participating Organizations to improve payment security worldwide. Compliance3 will also have the opportunity to recommend new initiatives for consideration to the PCI Security Standards Council and to share cross-sector experiences and best practices at the annual PCI Community Meetings.

“In an era of increasingly sophisticated attacks on systems, PCI Security Standards and resources help organizations secure payment data and prevent, detect and mitigate attacks that can lead to costly data breaches,” said Mauro Lance, Chief Operating Officer of the PCI Security Standards Council. “By joining as a Participating Organization,...

End of Support for Windows Vista

Microsoft have announced that, after April 11th this year, “Windows Vista customers will no longer receive new security updates, non-security hotfixes, free or paid assisted support options, or online technical content updates from Microsoft.”

Windows Vista was released on 30th January 2007; to put that date in perspective, Amy Winehouse’s ‘Back to Black’ was the number one album. Vista came five years after the release of Windows XP, and was in turn replaced in October 2009 by Windows 7. At its peak some 19% of Windows users were running Vista, while XP retained 63% of the desktop market. Today, Vista’s market share remains around 0.78%, but that’s still nearly 10 million PCs worldwide.

Of course, the PCI DSS Standard has this covered in sections 6, 11.2 and 11.3. The PCI Security Standards Council – when Windows XP reached End of Service (EOS) in 2014 – stated that “PCI DSS Requirements 6.1 and 6.2 address the need to keep systems up to date with vendor-supplied security patches in order to protect systems from known vulnerabilities. Where operating systems are no longer supported by the vendor, OEM or developer, security patches might not be available to protect the systems from known exploits, and these requirements would not be able to be met.” The PCI Security Standards Council’s FAQ can be found here. As Microsoft themselves said in July 2014, “Payment Card Industry (PCI) policies will not be met with an operating system that is EOS.”

All this, of course, relates to a Merchant’s Cardholder Data Environment. We at Compliance3 specialise in helping our customers de-scope their data environments by ensuring that customers’ card...

CNIL Hit Microsoft with a Formal Notice

The Problem

Since Microsoft’s release of Windows 10 in July 2015, excessive amounts of personal and usage data have been collected from its users. Even when customers turn off every setting that might allow Microsoft to send data to its servers in the US, users still have no control over this. Windows 10 collects this information through its Cortana and Bing products, sending any ‘home searches’ and ‘live tile’ searches, as well as Internet inquiries, via an unencrypted http data channel, ‘threshold.appcache’. This is worrying, as customers are not asked to consent to this; they aren’t even able to turn the feature off. There is also the issue of the unencrypted channel, which leaves customers exposed to malicious actors.

CNIL and Microsoft

Since the French Data Protection Authority (CNIL) became aware of this, seven online observations were carried out in April and June 2016, and it has since questioned Microsoft Corporation on the matter. Interestingly, Microsoft said nothing to defend or deny the excessive data collection of Windows 10. It responded that it was happy to comply with the CNIL and to “understand the agency’s concerns fully and to work toward solutions that it will find acceptable.” Microsoft also addressed the reason behind the data being sent back to the company’s US servers, stating that it was done under the previously applicable ‘Safe Harbour Agreement’. Now that those rules no longer apply, Microsoft has said it will work towards the new requirements of the ‘Privacy Shield’. Despite these statements, the Chair of the Commission Nationale de l’Informatique et des Libertés (CNIL) issued a formal notice to Microsoft on...

Nulled, Expect the Unexpected

On May 6, 2016, Nulled.IO’s tag line ‘expect the unexpected’ became a reality for the hacker forum. An unknown hacker broke through the simple MD5 hashing algorithm securing the website and gained access to a 9.45GB file containing all of the website’s information. Securing a sensitive website with such a simple algorithm suggests that the forum didn’t follow its own tagline!

Nulled.io is a forum for hackers where they can trade and purchase leaked information (including stolen credentials), hacking tools and cracks, as well as gain access to nulled software. Risk Based Security discovered the hack and found the 3GB compressed file ready to download for free on the open Internet.

This breach is seen as a gold mine for law enforcement. They now have access to IP addresses, email addresses and conversations for 473,000 registered users, including information from the seemingly private VIP forums. Risk Based Security noted: “If law enforcement obtains this information, (which no doubt they already have) it can be used to filter out any “suspects” under investigation for possibly conducting illegal activities via the forums. With this being such a comprehensive dump of data it offers up a very good set of information for matching a member ID to the attached invoices, transactions and other content such as member messages and posts.”

The breach also means that VIP access to older content on the site is now worthless, as it is all freely accessible within the download. This clearly impacts Nulled.IO’s business model. The site is currently described as being under temporary unscheduled maintenance, and has been since the breach...

The Future of Customer Data Security and Compliance – Seminar

London – 11th November 2015

Yesterday evening Compliance3 hosted their first seminar, ‘The Future of Customer Data Security & Compliance’, kindly hosted by Shepherd & Wedderburn in their prestigious offices overlooking St Paul’s Cathedral in London. Around eighty FinTech and Data Security professionals attended and enjoyed beer and pizza. Those present heard a fascinating mix of views and predictions from Ian Dowson of William Garrity Associates, Dr Nasir Hussain of Strategy Foresight Partners, David Nordell of New Global Markets, Iain Cameron – formerly of the Department of Trade and Industry – and John Greenwood, one of the founders of Compliance3. While the recent high-profile data breach at Talk Talk was a hot topic of conversation, the presenters spoke at length about global data security challenges and the real threat of cyber warfare. The event was filmed, and the videos can be viewed here....

Talk Talk hit by major data breach

Once again, a major data breach has hit the headlines; this time it’s Talk Talk. The company claims that ‘there is a chance that… Credit card details and/or bank details’ of up to 4 million customers may be compromised in a ‘significant and sustained cyber-attack’.

I wrote here back in July that cyber terrorists were an emerging threat, and the cyber security consultant and former Scotland Yard detective Adrian Culley told BBC Radio 4’s Today programme that a Russian Islamist group had posted online to claim responsibility for the attacks. He said that hackers claiming to be a cyber-jihadi group had posted data that appeared to be TalkTalk customers’ private information – although he stressed their claim was yet to be verified or investigated. As Daniel Dresner, a Lecturer in Information and Cyber Security and Governance at Manchester University’s School of Computer Science, observed on BBC ‘Breakfast’ on October 23rd: “There’s four million customers, if they (the hackers) do four million one pound transactions, that’s not a bad haul.”

Stephen Orfei, the General Manager of the PCI Security Standards Council, observed at the PCI Congress in Berlin in 2014 that payment card fraud is like a water-filled balloon: squeeze it in one place and it bulges out somewhere else. And we all know that Chip & PIN has, since its introduction in 2004, greatly reduced ‘Customer Present’ fraud in the UK. As Stephen Orfei observed, the crime isn’t going away, and why steal a single credit card when you can potentially harvest four million?

What does this mean to your business? While we acknowledge that the...