Compliance3 partners with PCI Security Standards Council

COMPLIANCE3 TO PARTNER WITH PCI SECURITY STANDARDS COUNCIL TO HELP SECURE PAYMENT DATA WORLDWIDE

As Council’s Newest Participating Organization, Compliance3 to Contribute to the Development of PCI Security Standards

FOR IMMEDIATE RELEASE

London, December 11th 2017 – Compliance3, a UK-based consultancy with extensive experience in assisting companies to achieve and maintain PCI DSS compliance in Contact Centres, announced today that it has joined the PCI Security Standards Council (PCI SSC) as a new Participating Organization. Compliance3 will work with the PCI SSC to help secure payment data worldwide through the ongoing development and adoption of the PCI Security Standards.

The PCI SSC leads a global, cross-industry effort to increase payment security by providing flexible, industry-driven and effective data security standards and programs. The keystone is the PCI Data Security Standard (PCI DSS), which provides an actionable framework for developing a robust payment card data security process and preventing, detecting and mitigating criminal attacks and breaches.

As a Participating Organization, Compliance3 adds its voice to the standards development process and will collaborate with a growing community of more than 800 Participating Organizations to improve payment security worldwide. Compliance3 will also have the opportunity to recommend new initiatives for consideration to the PCI Security Standards Council and share cross-sector experiences and best practices at the annual PCI Community Meetings.

“In an era of increasingly sophisticated attacks on systems, PCI Security Standards and resources help organizations secure payment data and prevent, detect and mitigate attacks that can lead to costly data breaches,” said Mauro Lance, Chief Operating Officer of the PCI Security Standards Council. “By joining as a Participating Organization,...

Oops!

The media has been awash with sensationalist stories of ‘cyber attacks on the NHS’. This is, of course, a misrepresentation of the facts. NHS trusts have fallen victim to a piece of insidious ‘ransomware’ that, according to Europol – and reported on the BBC News website here – has infected more than two hundred thousand victims in one hundred and fifty countries. Other reports suggest as many as nine million computers in nearly two hundred countries.

The malware – known as ‘Wannacry’ – exploited a ‘back door’ known as ‘EternalBlue’ that the New York Times described as “a vulnerability that was discovered and developed by the National Security Agency (NSA).” Microsoft issued security patches for its current operating systems a few months ago, when ‘EternalBlue’ had been leaked by a hacking group known as the Shadow Brokers. Of course, as we have reported here in the past, older operating systems such as Windows XP, Server 2003 and Vista are no longer publicly supported, and so no fixes were offered. On Saturday May 13th Microsoft took the unexpected step of releasing an ‘out of bounds patch’ for unsupported operating systems such as Windows XP and Server 2003, meaning that people are now able to patch rather than having to attempt upgrades to newer systems in order to be secured against this worm.

Sunday’s British newspapers reported that a British InfoSec specialist – Malware Tech – had halted the initial attack by identifying and activating a ‘kill switch’ that sought a hitherto unregistered domain. Somewhat worryingly, a ‘Wannacry2’ has been identified ‘in the wild’ that has no such kill switch. The threat remains. Lessons to...

BCC’s digital survey results

The British Chambers of Commerce (BCC) today published the results of its digital survey, which suggested that, of the more than 1,200 businesses surveyed across the UK, some 20% had been hit by a cyber-attack in the last 12 months. It further reported that 42% of larger firms (those with over 100 staff) had been the victim of a cyber-attack, compared with 18% of smaller ones. The BCC’s survey revealed that 21% of businesses believe the threat of cyber-crime is preventing their company from growing, while fewer than a quarter (24%) of businesses have cyber security accreditations in place.

Dr Adam Marshall, Director General of the British Chambers of Commerce (BCC), said: “Firms need to be proactive about protecting themselves from cyber-attacks. Accreditations can help businesses assess their own IT infrastructure, defend against cyber-security breaches and mitigate the damage caused by an attack. It can also increase confidence among the businesses and clients who they engage with online.”

Referring to next year’s GDPR legislation, Dr Marshall added: “Businesses should also be mindful of the extension to data protection regulation coming into force next year, which will increase their responsibilities and requirements to protect personal data. Firms that don’t adopt the appropriate protections leave themselves open to tough penalties.”

Compliance3 have been working with businesses to ‘devalue data’ and ‘take risk off the table’. Data security can be complicated and expensive, and the hackers are both clever and motivated. By effective de-scoping, even if your company is hacked, personal and payment data need not be compromised. If you take payments online or over the telephone, we can...

Personal Data Breach at Wonga

It’s been a bit quiet of late on the data breaches front, although the suspicion has to be that, while data breaches are continuing, they just haven’t yet been detected. The Republic of Ireland’s Data Protection Commissioner – Helen Dixon – announced on April 11th that some 2,224 data security breaches were reported in 2016. That’s an average of more than six breaches reported per day, in a nation of just over four and a half million people.

Here in the UK, it was announced on April 9th that the payday loan company Wonga had suffered “illegal and unauthorised access to the personal data of some of our customers”. It’s thought that the personal details of around 245,000 UK customers and 25,000 Polish customers may have been compromised. Wonga’s website (here) claims that they are “still working to establish the full details. However, we believe it may include one or more of the following: your name, e-mail address, home address, phone number, the last four digits of your card number (but not the whole number) and/or bank account details and sort code.”

The fact that full payment card details were not compromised means that Wonga will escape card scheme penalties under PCI DSS, but they are likely to face a hefty penalty from the UK Information Commissioner. Talk Talk were fined a record £400,000 in 2015 for a data breach that affected almost 157,000 customers. Under next year’s GDPR legislation – which is still coming, regardless of Brexit – the penalty would have been up to 4% of the previous year’s global turnover. That would amount to just over £3m –...

End of Support for Windows Vista

Microsoft have announced (here) that, after April 11th this year, “Windows Vista customers will no longer receive new security updates, non-security hotfixes, free or paid assisted support options, or online technical content updates from Microsoft.”

Microsoft Vista was released on 30th January 2007; to put that date in perspective, Amy Winehouse’s ‘Back to Black’ was the number one album. Vista came five years after the release of Windows XP, and was in turn replaced in October 2009 by Windows 7. At its peak some 19% of Windows users were running Vista, while XP retained 63% of the desktop market. Today, Vista’s market share remains around 0.78%, but that’s still nearly 10 million PCs worldwide.

Of course, the PCI DSS Standard has this covered in sections 6, 11.2 and 11.3. The PCI Security Standards Council – when Windows XP reached End of Service (EOS) in 2014 – stated that “PCI DSS Requirements 6.1 and 6.2 address the need to keep systems up to date with vendor-supplied security patches in order to protect systems from known vulnerabilities. Where operating systems are no longer supported by the vendor, OEM or developer, security patches might not be available to protect the systems from known exploits, and these requirements would not be able to be met.” The PCI Security Standards Council’s FAQ can be found here. As Microsoft themselves said in July 2014, “Payment Card Industry (PCI) policies will not be met with an operating system that is EOS.”

All this, of course, relates to a Merchant’s Cardholder Data Environment. We at Compliance3 specialise in helping our customers de-scope their data environments by ensuring that customers’ card...