Blog > Archive by tag 'payment cards'
by Blake Huebner @ . September 1, 2010 . 4:30PM
Step 1 – Cut a hole in the box….
As a recent former PCI QSA (Qualified Security Assessor), it really frustrates me how many products out there claim they will make you PCI compliant.
Directly in our market space, we have organizations claiming 90%+ compliance out of the box or compliant in xx days. Honestly, this is such a marketing gimmick. But customers fall for it.
Let’s take a look at both of these scenarios:
1. 90%+ compliance out of the box.
Let’s assume there is a PA-DSS application in place and no web-facing applications. The customer is a SAQ D, which is pretty typical. Requirement 9 is primarily concerned with physical security. With 26 questions in Requirement 9, and 222 questions in a SAQ D, one is already at 88% for the starting point. So you are indicating, as a remote service provider, you are able to classify and shred data and distribute and surrender badges, all without a physical presence? Really? We haven’t even addressed Requirement 12 yet. Unfortunately, those that are not in the know believe this propaganda.
2. Compliant in xx days
A service provider cannot guarantee compliance in xx days. First, there are too many variables to implementation, mainly the customer itself. If a customer drags their feet on initiatives beyond a service provider’s control, there is no way to meet the timeline. In addition, compliance for PCI is not a point in time; PCI must be “operationalized”. The SAQ and ASV scans are point-in-time validation points, but a merchant must maintain this throughout the year.
This type of marketing makes our industry look bad as a whole. As a merchant, you are not becoming more secure with the claims that some service providers are making. While they may offer a decent solution, do not have the expectation that these service providers are the silver bullet. Service providers can assist in compliance but it is the merchant that is responsible for their own compliance. Don’t choose a solution just so you can check a box once a year. As a merchant, be concerned with having a secure environment and compliance will follow. In the long run, your organization will be better off.
Now back to my SNL short viewing.
Filed under: Data Security, Internet Security, PCI Compliance, PCI DSS, PCI SAQ | Tags: Information security practices, Internet Security, Network Security, Payment Card Industry, payment cards, Payment Processing, PCI, PCI and QSR, PCI Compliance, PCI DSS, PCI requirements, PCI SSC, SecureConnect, Security and compliance, Security best practices
by Kristyan Mjolsnes @ http://www.secureconnect.com . August 10, 2010 . 5:10PM
Contrary to popular belief, it really isn’t enough to become secure. If you are serious about maintaining your business for the long run, you will have to maintain security — something that is completely different. Maintaining security can get complicated in a world where new security threats are on the horizon all the time, but it’s something that can get easier if you have the right tools.
If you’re serious about securing the important assets of your business, you will need to first start by using a vulnerability assessment to spot critical holes in your infrastructure. From there, you will be able to see exactly what is insecure at the moment, and then fix those problems.
Naturally, you can also take a different approach with a vulnerability assessment by contracting an outside company to not just run the vulnerability assessment for you, but also to generate an action plan based on the report generated from the assessment. This is a great way to delegate your security tasks without worrying about having an insecure system.
No matter what path you ultimately choose, you will need to get started today by getting the vulnerability assessment and seeing if there are any critical holes in your infrastructure. Contact us today!
Filed under: Data Security, Internet Security, PCI Compliance, PCI DSS, PCI SSC, Payment Processing | Tags: Identity theft prevention, information security, Information security practices, Internet Security, Network Security, Outsourcing PCI compliance services, Payment Card Industry, payment cards, Payment Processing, PCI, PCI and QSR, PCI Compliance, PCI DSS, PCI Education, PCI requirements, PCI SSC, SecureConnect, Security and compliance, Security best practices, Security Breaches
by Kristyan Mjolsnes @ http://www.secureconnect.com . July 26, 2010 . 12:22PM
Whether you’ve been in business for a little while or you’re just getting started, there’s one area that you probably already find a bit frustrating: PCI compliance. It is a topic that tends to get ignored because many business owners feel that it takes too long to really achieve compliance and have the misconception that it’s an extremely costly venture. However, this isn’t the case at all — it’s quite possible to achieve compliance without incurring all the stress and debt that have become misconstrued throughout the retail industries.
The best way to achieve better merchant compliance is to see what areas need to be fixed in the first place. Completing a vulnerability assessment and looking at any problems within your current system is the best way to make sure that you have a better grasp on any problems already present in the system.
From there, you can apply comprehensive solutions that cover the basic components of great security, such as round-the-clock monitoring as well as strong firewall protection.
So, if you really want to achieve better merchant compliance, you would do well to pay attention to the advice offered here — contact an expert like SecureConnect who can provide you with the foundation of security and the assurance of compliance.
Filed under: Internet Security, PCI Compliance, PCI DSS, PCI SSC, Payment Processing | Tags: Identity theft prevention, information security, Information security practices, Internet Security, merchant compliance, Network Security, Outsourcing PCI compliance services, Payment Card Industry, payment cards, Payment Processing, PCI, PCI and QSR, PCI Compliance, PCI DSS, PCI Education, PCI requirements, PCI SSC, SecureConnect, Security and compliance, Security best practices
by Kristyan Mjolsnes @ http://www.secureconnect.com . July 20, 2010 . 8:56AM
One of the most important keys of a retail establishment is the point of sale (POS). Indeed, maintaining a POS is one of the biggest factors in how much growth you can expect in the company. After all, if you aren’t able to generate sales, you can’t move your company forward.
Yet maintaining a POS is more than ensuring that the system is actually turned on. You will need to make sure that your system is actually updated properly and that POS security is maintained at all times. If your system can be compromised, it could pose serious consequences for your business from numerous directions.
Thankfully, it’s quite possible to build a strong POS security plan that’s actually realistic. The focus here is to make POS security an absolute truth within the organization, to the point where no one can look at your system and see that you don’t have the right security policies in place.
To pull that off, you may want to bring in an external company that can use their expertise in credit card security as well as POS security to ensure that you are well protected. If you take this route, you will definitely be well on your way to making POS security truly an absolute truth within your organization — get started today!
Filed under: Data Security, Internet Security, PCI Compliance, PCI DSS, PCI SSC, Payment Processing | Tags: Identity theft prevention, Information security practices, Internet Security, Network Security, Outsourcing PCI compliance services, Payment Card Industry, payment cards, Payment Processing, PCI, PCI and QSR, PCI Compliance, PCI DSS, PCI Education, PCI SSC, SecureConnect, Security and compliance, security awareness, Security best practices, Security Breaches
by Kristyan Mjolsnes @ http://www.secureconnect.com . July 19, 2010 . 12:09PM
In a business, managing resources and personnel are the two key components that lead to higher profits — when handled effectively, of course. Indeed, if you can maintain the resources that you have as well as handle the personnel on hand to take care of various components of your business, then you will be one step closer to the stable organization that you deserve.
If you are processing payments on your own, you will want to make sure that you are keeping PCI compliance at the top of your list. In a nutshell, PCI compliance is all about protecting sensitive cardholder data and keeping it out of the hands of unauthorized parties.
If you’re not a technical person, then the task of achieving and maintaining PCI compliance can be pretty stressful. Thankfully, it doesn’t have to be that way at all. Indeed, you can actually handle your security needs in a straightforward and automatic way as long as you know what tools to invest in.
One solution that stands head and shoulders above the competition is SecureConnect — a comprehensive suite that takes the matter of security completely out of your hands. You can rest easy knowing that a true stress-free solution is at your disposal, monitoring your network for any potential threats and providing a solid barrier to keep unauthorized users and malicious tools out of your network.
So, if you’re a non-technical person that’s concerned about security, you will definitely want to give SecureConnect a look!
Filed under: Data Security, Internet Security, PCI Compliance, PCI DSS, PCI SSC, Payment Processing | Tags: information security, Information security practices, Internet Security, Network Security, Outsourcing PCI compliance services, Payment Card Industry, payment cards, Payment Processing, PCI, PCI and QSR, PCI Compliance, PCI DSS, PCI Education, PCI requirements, PCI SSC, SecureConnect, Security and compliance, Security best practices