By: StrongBox

StrongBox — Thu, 10 Dec 2009 22:08:34 +0000

I recently participated in a seminar on Secure Commerce Payment Data-Enterprice Payment Security which was hosted by Bill Zujewski-V.P.Product Marketing at ATG, Dave Glaser- V.P. Global Services at Cybersource and Chris Pogue- Sr. Security Consultant at Trustwave. The focal point of discussion was security of data in relation to the Order Management Lifecycle.
To share my impressions briefly-I guess the main point of the seminar was that the PCI compliance regulations are merely a way to reduce the amount of fraud that is out there, but unless the data will actually be somehow completely eliminated the risk of theft and fraud will always exist- that is regardless if a company is PCI compliant or not. Therefore, as Mr. Dave Glaser said- it is time for a NEW approach- to work on ELIMINATING the data rather than CONTAINING IT. He called the containment approach that is practiced today
- ” sub-optimal”.
I guess one may say then, that the PCI regulations of today are implemented as a part of an ongoing process that is desperately trying to solve the “sensitive data pollution” issue and we will see many other attempts in the near future to prevent the “leaks” from happening.
In me humble opinion,following PCI policies and regulations is one thing, however how to implement and change our data handling daily habits is another.
How many of us REALLY do wash our hands after being out? Well the statistics show that unfortunately most of us DO NOT, yet I believe we all know about germs and how easily they spread and that the prevention of the spread of germs can be limited if we would follow one simple procedure- namely: washing our hands regularly. If I we would apply this tendency in human nature to simply “ignore danger” by not washing hands, to the way of handling sensitive data, the outlook for fraud prevention as long as it is handled by us, is …well, not very positive.
Having a certificate of being “secured” from data fraud, is not and will not be enough.
I believe that the success of data security lies in “hands” of each individual business owner, and it’s up to him/her to change the “data hygiene habits”. This can be done by implementing a secure business etiquette, using the correct and safe commerce /merchant payment solutions, secure processing companies, secure shopping carts and secure back-office softwares-that is, of course, in combination with implementation of good old-fashioned common sense. There are solutions that can ease the safety “routine” so why not use them?.

StrongBox

By: slakin.net | mattsn0w.com » I’ll do anything! Absolutely anything! – mckeay.net blog post

Sun, 08 Nov 2009 20:05:33 +0000

[...] (a stand alone sysadmin like myself) he linked to a great security blog mckeay.net where I read this post. I found it oh so amusing as I’ve seen the same sort of thing at [...]

By: PCI Security

PCI Security — Fri, 06 Nov 2009 21:40:06 +0000

Your comment on policies is true. I think it is easy to meet the requirements on paper, but quite often the bigger challenge is proving you have adopted them.
PCI compliance can be difficult to attain/maintain for some organisations as it requires a major cultural shift and committment from all levels.

By: Interesting Information Security Bits for 11/05/2009 | Infosec Ramblings

Interesting Information Security Bits for 11/05/2009 | Infosec Ramblings — Thu, 05 Nov 2009 23:50:31 +0000

[...] principle. I’ll ask mommy and if I don’t get the answer I want I’ll ask daddy. Network Security Blog >> I’ll do anything! Absolutely anything! Tags: ( general [...]

Comments on: I’ll do anything! Absolutely anything!

By: StrongBox

By: slakin.net | mattsn0w.com » I’ll do anything! Absolutely anything! – mckeay.net blog post

By: PCI Security

By: Interesting Information Security Bits for 11/05/2009 | Infosec Ramblings