However, let’s remember one thing: AETs depend on a vulnerable system inside the target environment.

Let’s be clear, criminals generally don’t need to resort to APT and AET to infiltrate a vulnerable environment: The Verizon DBIR 2011 states that 87% of attacks could be prevented using simple, proactive measures.

APTs (through AETs) are likely to target organisations where they would achieve the most financial or political gain. In my book, this means that the first step would be to understand what the critical assets are and the second one to understand the infrastructure deployed for those critical assets. Predictably, as you may expect it coming from me, the third step should be to protect the assets based on a risk assessment reflecting the organisation’s risk appetite.

So whilst it is a good idea to check whether your intrusion prevention appliances are or will be anti-evasion ready and capable of receiving current AET patches and security updates continuously and dynamically (and again, a lot of good research has been done in this area), look inside first… Have you fixed the basics?

Author: Neira Jones, Head of Payment Security – Barclaycard

Over 200 attendees are predicted to attend to hear valuable insights into Barclaycard’s new Risk Reduction Programme, a valid alternative to the traditional PCI DSS methodology.

Practical and interactive applications of innovative technologies will be demonstrated and explored to help reduce risk and fraud as part of the programme. Furthermore, integral reasons for adopting the Risk Reduction Programme will be presented by 7Safe’s Dan Haagman who will engage the audience to explain key business benefits for merchants, and the common issues that underpin managing compliance.

With a fantastic line up of further speakers including Visa, MasterCard, American Express, and the PCI SSC, the event will provide an exciting opportunity for you to gain knowledge and network with fellow attendees.

Merchants are invited to join us at One Drummond Street, London from 9.30am – 4.00pm on Wednesday 29^th September.

Pre-register: marketing@7safe.com. This event is free but registration is required. Book now to avoid disappointment.

This is a great opportunity for an experienced QSA to join our evolving PCI consultancy and undertake security audits and compliance assessments for a wide range of blue chip merchants and service providers. 

We offer independent expert advice and pragmatic solutions through establishing long-term partnerships with our clients in order to help them meet their transformation challenges with confidence.

Find out more about this exciting opportunity

With speakers including Dan Haagman, (7Safe Co-Founder and Director), Neira Jones (Head of Payment Card Security, Barclaycard), Stanley Skoglund (Senior Vice President, Visa Europe) and Jeremy King (European Managing Director, PCI SSC), many customers have already pre-booked.

“Security Matters” will be using innovative voting technology to enable instant “pulse taking” on topics such as eDiscovery and risk prioritisation.  Results of the surveys will be instant and go live on Twitter.

Additionally, the day will provide a range of new, innovative and award winning technologies that can help you keep your information assets safe.

Customer, prospects and partners are welcome to join us for a highly informative, interactive and thought provoking day at The Royal College of Surgeons from 9.30am-2.00pm in London on Thursday 30th June.

Pre-register: marketing@7safe.com This event is free but registration is required.

PCI DSS v2.0 communicates the Council’s intention to provide effective and efficient data security standards that, when implemented correctly, will protect payment card data.

The good news for organisations that are compliant with the existing standard PCI DSS v1.2.1 is that the changes made within v2.0 do not represent a step change in control requirements, simply evolution that recognises the maturity of the existing standard.

What the new standard does provide is additional flexibility in some areas, additional guidance in others and a reducing in duplication. In short, the new standard helps organisations bring some economies to their PCI DSS compliance through greater clarity.

The good news is that the intent of each requirement has not changed and therefore the underlying control structure implemented by organisations for compliance is not expected to change significantly. Secure technology, policies, procedures and practices to protect payment card data will continue to be required.
Organisations can assert their compliance with the PCI DSS v2.0 with effect from January 2011. For those organisations who are currently working with PCI DSS v1.2.1 they can continue to do so until December 2011. After this date, all organisations will be required to assert compliance with the PCI DSS v2.0.

“Greater clarity, recognition of evolving technologies, improved guidance, and extended lifecycle”*. … that’s the sign of a mature standard – something that business can plan and embed into their regular commercial activities.
Early transition to PCI DSS v2.0 is likely to be the best option for most organisations. Naturally, all new 7Safe engagements undertaken from this stage onwards will focus on v2.0 and for those who are “mid-journey”, our PCI Consultancy team will / have been in touch to discuss how the transition will affect current and on-going works.
*Michael Christodoulides – 5th November 2011

7Safe – Professional QSA Consultancy Services

7Safe is a leading Information Security firm based in Cambridge and London, UK and operates in the PCI DSS space for the provision of QSA Consultancy, Incident Investigation (QFI/QIRA) and PCI Compliance software (7Seec).

Barclaycard – Leading Payment Card Security

Barclaycard as an acquiring bank is industry leading in the field of PCI DSS with operations that drive compliance through its Merchant / Service Provider base and a key focus on reducing credit card fraud in the industry.

Leading acquirer Barclaycard and PCI QSA consultancy 7Safe have formed a partnership in the area of PCI DSS to assist Barclaycard merchants and Service Providers to reach and maintain PCI DSS compliance and to promote payment security best practice throughout the industry. Both Barclaycard and 7Safe are passionate about driving down credit card fraud through: implementing PCI DSS, promoting payment security and investigating fraud through forensics / incident response when it occurs.

Our teams share the same business ethics towards payment security and risk management. We work very closely together as an Acquirer / QSA Consultancy to help our clients manage their payment security risk, help them understand and implement the Payment Card Industry Data Security Standard (PCI DSS) and eventually achieve and maintain compliance. To that end, our teams work together in the following ways through:

As part of this partnership, 7Safe offers preferential rates to Barclaycard customers.
The result of the above is a very effective relationship that benefits our joint client base in a “joined up” manner with the focus on reducing and mitigating the risks of card data security compromises.

Neira Jones – Head of Payment Security, Global Payment Acceptance, Barclaycard
“7Safe has over the years built a very close relationship with the Barclaycard team in the area of PCI DSS specifically and payment security generally. This has effectively helped us reduce the risk of data breaches and support our merchants in their payment security journey.”

“…We value our partnership which includes the provision of PCI DSS compliance and consultancy services to Barclaycard clients..” Dan Haagman – Director of Information Security Services (PCI DSS, Pen Testing, Incident Response & Security Assessments), 7Safe

PCI DSS Events – Acquirer & QSA Combine

7Safe and Barclaycard, as part of their partnership and drive for reduced risk in the payment card industry, hold regular knowledge share and community events on a planned quarterly basis. You do not need to be a Barclaycard or 7Safe client to attend such meetings which are typically held in the City of London.;

For further information, please contact 7Safe’s PCI QSA Consultancy team or visit Barclaycard.

PCI Policy Suite

As Qualified Security Assessors (QSAs) 7Safe has therefore established best practice PCI policy templates to assist our clients with the task of PCI policy completion for PCI DSS compliance. The suite of PCI policies came about through 7Safe clients requiring us to write or customise PCI policy documentation sets during their PCI compliance programme. We believe it is far more cost effective to offer a suite of pre-written documents that can then be customised to each client thus saving time and lowering the cost of compliance.

Customised PCI Policy Templates

Objective, Vendor-neutral PCI consultancy

As we have engaged in PCI compliance projects over the years, it has become very apparent how some providers of PCI consultancy and audit use the PCI Security Standard to leverage third party product sales.

7Safe’s PCI DSS team have strategically set out to remain vendor neutral. Our team therefore only provides or recommends what is absolutely necessary to your core PCI compliance programme including;

Consultancy

Cardholder Data Search

PCI Penetration Testing

PCI ASV Scanning Service

PCI vs Pragmatic Business

7Safe is a PCI DSS QSA (Qualified Security Assessor) and undertakes PCI compliance audits in addition to assisting organisations become and maintain compliance with the standard. We have learned over the years however, that it is a consulting team’s wider skill set that is also important to set the standard in context of the wider organisation and work closely with our clients to ensure that we take a pragmatic view of how organisational change needs to be undertaken. There is a significant danger that a lack of consultancy experience in the field of PCI can result in ineffective spend and un-necessary risk being introduced from a wider perspective.

Our QSA team therefore draws upon the advice from other departments within 7Safe such as the PCI QFI team (who handle breaches of Payment Card data) and our Penetration Testing / Web Application Security department for advice and guidance where complex situations may arise. This team approach, coupled with strong project management experience adds tremendous value to each project and client alike.

PCI DSS – Staying Current

Critical to the success of any PCI compliance business is knowing the industry and staying close to changes. 7Safe is proud to work very closely with the PCI Security Standards Council, the Card Schemes and the UK Acquiring Banks through both our QSA work, partnerships and QFI (breach of credit card data) activity. We regularly attend PCI council community meetings and have regular updates / knowledge share with the Card Schemes and Acquirers.

Core Payment Card Industry DSS Principles and Requirements

Build and Maintain a Secure Network…View Requirements

Protect Cardholder Data…View Requirements

Maintain a Vulnerability Management Program…View Requirements

Implement Strong Access Control Measures…View Requirements

Regularly Monitor and Test Networks…View Requirements

Maintain an Information Security Policy…View Requirements

Most organisations required to achieve and maintain PCI compliance can successfully follow a standard process, which is shown graphically below. The following sections explain this route towards PCI DSS audit and describe how 7Safe supports its clients through the PCI compliance initiative.

PCI Scope & PCI DSS Scoping Workshop

In order to determine which parts of your organisation are relevant to the PCI DSS, an initial scoping workshop is recommended. During this stage, our PCI DSS QSA consultants will work with your team to review the following items:

• Number of sites / offices storing, processing or transmitting payment card data
• Payment systems, card data flows and network diagrams
• The findings from any security reviews already performed

During the initial scoping workshop, a verbal summary of your PCI compliance scope will be prepared and presented / discussed on site at the end of the day. A written PCI DSS scope report will then be prepared and shared with you.

PCI DSS Gap Analysis

A Gap Analysis is an assessment process which enables an organisation to compare its current (actual) situation with its desired (target) situation. It enables 7Safe’s QSA team to measure to what extent the PCI Data Security Standard is currently implemented in your environment, compared to the extent required for compliance.

During this stage, the framework of the PCI DSS Security Audit Procedures v2.0 (which as of the 28^th October 2010 superseded v1.2) will be used.

 7Safe’s primary account number discovery tool, 7Seec will also be deployed during the Gap Analysis in order to verify that there are no unprotected PAN’s and that your PAN security is strong.

Following this stage, a report will be prepared and its accuracy and reasonableness agreed with you. The report will contain details of areas which are compliant and non-compliant, and will list policies, procedures and standards which are required to comply with Requirement 12 of the Standard. The report may also identify opportunities to reduce the impact of the PCI DSS on your business operations.

PCI Compliance & Remediation

Remediation refers to the work required to ensure that your organisation reaches PCI DSS compliance; the actual implementation of protective measures to be undertaken (including Penetration Testing and regular Vulnerability Assessment (ASV), guided by our PCI compliance team and yout Gap Analysis Report. In support of this activity, 7Safe often is asked to provide ongoing Remediation Support consultancy to for example;

• construct procedures
• provide practical advice to resolve issues
• attend progress review meetings
• develop remediation plans
• ensure effect project management towards the end PCI DSS goal
• … and ultimately achieve PCI compliance

PCI Pre-Audit

7Safe strongly recommends a PCI DSS pre-audit (or “readiness”) phase ensure that your organisation is fully prepared for the full audit, with the intention of identifying un-met requirements which may result in loss of expenditure and ultimately audit failure.  This will also give you the opportunity to experience rigorous audit-style verification prior to an actual audit.

PCI DSS Audit & Report on Compliance

In its capacity as a Qualified Security Assessor (QSA) company, 7Safe will carry out an audit on your environment against the PCI DSS.  To validate compliance, all requirements must be met; steps taken in the previous stages will obviously have a major bearing on the audit result.  A Report on Compliance (ROC) will subsequently be produced after rigorous Quality Assurance processes have been adhered to.