<?xml version='1.0' encoding='UTF-8'?><rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:openSearch="http://a9.com/-/spec/opensearchrss/1.0/" xmlns:blogger="http://schemas.google.com/blogger/2008" xmlns:georss="http://www.georss.org/georss" xmlns:gd="http://schemas.google.com/g/2005" xmlns:thr="http://purl.org/syndication/thread/1.0" version="2.0"><channel><atom:id>tag:blogger.com,1999:blog-8801140298233760806</atom:id><lastBuildDate>Thu, 19 Dec 2024 03:19:27 +0000</lastBuildDate><title>Sysnet</title><description></description><link>http://sysnet-sysnet.blogspot.com/</link><managingEditor>noreply@blogger.com (Unknown)</managingEditor><generator>Blogger</generator><openSearch:totalResults>37</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><item><guid isPermaLink="false">tag:blogger.com,1999:blog-8801140298233760806.post-4951081720213648838</guid><pubDate>Fri, 23 Sep 2011 11:08:00 +0000</pubDate><atom:updated>2011-09-23T04:09:34.309-07:00</atom:updated><title>Call out for more Twitter Followers</title><description>Start following us &lt;strong&gt;@Sysnetgs&lt;/strong&gt; on Twitter for useful links to up to date industry related news!!</description><link>http://sysnet-sysnet.blogspot.com/2011/09/call-out-for-more-twitter-followers.html</link><author>noreply@blogger.com (Unknown)</author></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-8801140298233760806.post-396548784208203223</guid><pubDate>Fri, 23 Sep 2011 11:07:00 +0000</pubDate><atom:updated>2011-09-23T04:08:27.276-07:00</atom:updated><title>New Facebook Company Page - Sysnet Global Solutions</title><description>Just launched our new company page on FB - Would REALLY appreciate some &#39;Likes&#39; for our FB page. Thanks in advance!! 
&lt;a href=&quot;http://www.facebook.com/pages/Sysnet-Global-Solutions/244306142246419&quot;&gt;http://www.facebook.com/pages/Sysnet-Global-Solutions/244306142246419&lt;/a&gt;</description><link>http://sysnet-sysnet.blogspot.com/2011/09/new-facebook-company-page-sysnet-global.html</link><author>noreply@blogger.com (Unknown)</author></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-8801140298233760806.post-3646973326474040816</guid><pubDate>Wed, 17 Aug 2011 10:23:00 +0000</pubDate><atom:updated>2011-08-17T03:28:29.522-07:00</atom:updated><title>PCI DSS in the Retail Sector</title><description>The 6 leading worldwide major payment card brands established the Payment Card Industry Data Security Standards (PCI DSS) as a standard to protect cardholder data from malicious attacks. Due to the numerous ways the retail sector processes card payments; it is not surprising that they are a prime target for attack from the criminal fraternity. Retail merchants vary in size ranging from individual self-employed traders that may use a single payment terminal, to the larger retail giants such as supermarkets with networked estates of 30,000+ terminals. Additionally, Retailers often provide mail and telephone order delivery channels, where call centre staff will have access to large amounts of cardholder data.&lt;br /&gt;&lt;br /&gt;Furthermore, with the Internet being the fastest growing retail sector, many merchants are turning to this sales channel to attract a wider audience for their goods and services – however if systems are not fully secure, they could find themselves vulnerable to remote attacks from anywhere in the world.
&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div align=&quot;center&quot;&gt;&lt;em&gt;&lt;strong&gt;‘If the scope is not complete it could result in a breach of cardholder data’&lt;br /&gt;&lt;/div&gt;&lt;/strong&gt;&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;&lt;strong&gt;PCI DSS compliance in practice&lt;br /&gt;&lt;/strong&gt;The following are some critical areas that are typical for a retail environment, but may be overlooked: &lt;/p&gt;&lt;br /&gt;&lt;ul&gt;&lt;br /&gt;&lt;li&gt;&lt;strong&gt;Merchant Receipts:&lt;/strong&gt; Although many new terminals now print the PAN truncated (displaying the first 6 and last four digits), older terminals may print the full PAN on merchant receipts. Therefore, merchant receipts are in scope. Furthermore, other physical media such as chargeback forms and physical faxes may be present. Any media containing the PAN must be handled, stored and disposed of in a secure manner. Ensure your organisation does not simply leave transaction receipts in public areas or place them in plastic bin bags to be thrown away; they should be treated the same as cash. &lt;/li&gt;&lt;br /&gt;&lt;br /&gt;&lt;li&gt;&lt;strong&gt;Sales/Customer Services Team:&lt;/strong&gt; If the merchant maintains an electronic point of sale system, the equipment may be vulnerable to ‘keyloggers’ either by hardware (connected to the keyboard and hidden from view behind the PC) or by malicious software (installed deliberately or accidentally) may capture keystrokes. &lt;/li&gt;&lt;br /&gt;&lt;br /&gt;&lt;li&gt;&lt;strong&gt;Call Recordings:&lt;/strong&gt; If calls are recorded. Storing the PAN in an encrypted format is permitted, however the storage of any CVV (sensitive authentication value) is prohibited by PCI DSS and must not be recorded. &lt;/li&gt;&lt;br /&gt;&lt;br /&gt;&lt;li&gt;&lt;strong&gt;Post-authorisation:&lt;/strong&gt; Storing sensitive authentication data post-authorisation is strictly prohibited by PCI DSS. 
Ensure sensitive authentication data is not stored after authorisation. &lt;/li&gt;&lt;br /&gt;&lt;br /&gt;&lt;li&gt;&lt;strong&gt;Video Monitoring:&lt;/strong&gt; Most CCTV footage is destroyed after a month; however, under PCI DSS requirements, access mechanism logs should be retained for at least 3 months. &lt;/li&gt;&lt;br /&gt;&lt;br /&gt;&lt;li&gt;&lt;strong&gt;Indirectly Connected Devices:&lt;/strong&gt; Any machines not involved in cardholder data processes, but logically connected to devices that do process, store or transmit cardholder data, will be in scope. &lt;/li&gt;&lt;br /&gt;&lt;br /&gt;&lt;li&gt;&lt;strong&gt;Terminal/POS Responsibility:&lt;/strong&gt; POS systems usually run on underlying operating systems such as Windows 98, 2000, XP or later, and these should be included within an organisation’s PCI DSS project scope. However, this is often not considered. &lt;/li&gt;&lt;br /&gt;&lt;br /&gt;&lt;li&gt;&lt;strong&gt;Private Networks:&lt;/strong&gt; ‘Private’ networks provisioned by a service provider may actually be shared. Ensure that the perimeter device to the private network is not connecting out over the Internet. &lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;p align=&quot;center&quot;&gt;&lt;em&gt;&lt;strong&gt;‘PCI DSS is achievable with guidance and an effective roadmap’&lt;br /&gt;&lt;/strong&gt;&lt;/em&gt;&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;&lt;strong&gt;Achieving PCI DSS compliance&lt;br /&gt;&lt;/strong&gt;Sysnet recommends that rather than taking the ‘traditional’ route and performing a gap analysis as the first step to achieving PCI DSS compliance, it would be more beneficial to conduct an initial scoping exercise – this will review all systems, which will shape the extent of the PCI DSS project.&lt;br /&gt;&lt;br /&gt;A scoping exercise offers options to manage the size of the project by offering ‘as is’ and ‘what if’ scenarios to clearly demonstrate how changes to the process impact the scope. 
The organisation then has the opportunity to choose the option they feel is most appropriate to their situation and their business.&lt;br /&gt;&lt;br /&gt;By adopting this approach, a significant reduction in the overall cost of the compliance exercise can be achieved, simply by reducing the number of systems, locations and employees who are subject to PCI DSS requirements. This will also make compliance review a more manageable process.&lt;br /&gt;&lt;br /&gt;Sysnet have often achieved a ten-fold reduction in the costs of an organisation’s initial and on-going compliance due to the adoption of this methodology. Although PCI DSS may seem a long and daunting process, with good planning and a clear road map supported by an experienced and pragmatic QSA partner, compliance can be achieved.&lt;br /&gt;&lt;br /&gt;This will also put the business in a stronger position as there will be a greater understanding of how systems work within the organisation, as well as of the identified potential risk areas. Businesses should also consider that the financial and reputational costs of a data breach could be far higher than the cost of implementing a PCI project. &lt;/p&gt;&lt;br /&gt;&lt;p&gt;&lt;strong&gt;&lt;em&gt;‘A commitment to protecting customers’ cardholder data 24/7 365 days a year’&lt;br /&gt;&lt;/em&gt;&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;Maintaining PCI DSS compliance&lt;br /&gt;&lt;/strong&gt;Once the people, processes and technology are in place, re-assessment should become far easier. Many businesses use PCI DSS as an opportunity to introduce new hardware and operating systems, and merge disparate business processes – it is therefore essential that a full scoping review is undertaken prior to engaging in any major project development. A commitment to PCI DSS is a commitment to protecting customers’ cardholder data 24/7, 365 days a year.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;How can Sysnet help?
&lt;br /&gt;&lt;/strong&gt;Sysnet’s QSA consultants have significant experience with helping organisations attain and remain compliant with the PCI DSS. We have worked closely with many high-profile organisations and have a wealth of experience in dealing with a varied range of payment applications that are currently being used.&lt;br /&gt;&lt;br /&gt;Due to the challenges faced in this area, retail merchants should find the most time- and cost-effective route to compliance. Sysnet can assist with this by reducing the number of systems, locations and employees subject to PCI DSS compliance, which will ultimately reduce the overall cost of achieving and maintaining compliance.&lt;br /&gt;&lt;br /&gt;For further information on our &lt;strong&gt;PCI compliance services&lt;/strong&gt;, please contact one of our Sales representatives by calling &lt;strong&gt;+353 (0)1 495 1300&lt;/strong&gt; or by completing our &lt;a href=&quot;http://www.sysnetglobalsolutions.com/en/Utilities/ContactUs/OnlineEnquiryForm.aspx&quot;&gt;Online Enquiry Form&lt;/a&gt; or &lt;a href=&quot;http://www.sysnetglobalsolutions.com/en/Utilities/ContactUs/CallBackForm.aspx&quot;&gt;Request a Call Back Form&lt;/a&gt;. &lt;/p&gt;&lt;br /&gt;</description><link>http://sysnet-sysnet.blogspot.com/2011/08/pci-dss-in-retail-sector.html</link><author>noreply@blogger.com (Unknown)</author></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-8801140298233760806.post-4202995010738688232</guid><pubDate>Wed, 17 Aug 2011 10:16:00 +0000</pubDate><atom:updated>2011-08-17T03:23:07.064-07:00</atom:updated><title>PCI DSS compliance challenges for the Hospitality Sector</title><description>&lt;p&gt;PCI DSS requirements are a confusing array of demands that take time, resources and money to meet. Within the hospitality sector there are numerous challenges to be faced, some of which have straightforward answers whereas others may require more innovative solutions. 
&lt;/p&gt;&lt;br /&gt;&lt;p&gt;The hospitality sector is particularly vulnerable to cardholder data breach due to the various mechanisms used to facilitate bookings and payments. In an industry where customer service is of the utmost importance there have been a number of high profile data compromises which have seriously affected the brand credibility of the organisations involved. &lt;/p&gt;&lt;br /&gt;&lt;p&gt;&lt;strong&gt;PCI DSS compliance in practice&lt;br /&gt;&lt;/strong&gt;Businesses trading in the hospitality arena, and falling within the scope of PCI DSS should be aware of the following critical areas:- &lt;/p&gt;&lt;br /&gt;&lt;ul&gt;&lt;br /&gt;&lt;li&gt;Call recordings which include cardholder data are within the scope of PCI DSS. This must be addressed in any compliance project;&lt;/li&gt;&lt;br /&gt;&lt;br /&gt;&lt;li&gt;Storage of the Primary Account Number (PAN) on paper is still within the scope of compliance. Is your organisation taking steps to protected card data on paper or remove it all together? Have you confirmed whether your payment applications in use are PA DSS certified or have any plan to become certified?&lt;/li&gt;&lt;br /&gt;&lt;br /&gt;&lt;li&gt;Does your company use pre-authorisation for incidental charges, or are you storing sensitive authentication data? This is strictly prohibited by PCI DSS; &lt;/li&gt;&lt;br /&gt;&lt;br /&gt;&lt;li&gt;Storage of cardholder data within a booking and/or room management system often significantly increases the number of systems within the scope of PCI DSS.&lt;br /&gt;It might sound strange but the key to PCI DSS compliance is not meeting the requirements. In fact, direct remediation of issues in order to achieve compliance is often the most complex and costly way of getting there! Companies seeking compliance should first seek to reduce their compliance scope to the smallest possible footprint. 
Sysnet have often achieved ten-fold reduction in the costs of a n organisation’s initial and on-going&lt;br /&gt;compliance. &lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;p&gt;Sysnet recommends that rather than taking the ‘traditional’ route and performing a gap analysis as the first step to achieving PCI DSS compliance, it would be more beneficial to conduct a scope reduction exercise. This would provide blueprints of how your card payment processing systems could look based upon different scope reduction options.&lt;br /&gt;&lt;br /&gt;By adopting this approach, a significant reduction in the overall cost of the compliance exercise can be achieved, simply by reducing the number of systems, locations and employees who are subject to PCI DSS requirements. This will also make compliance review a more manageable process. Following on from the above exercise you will receive various options by which the scope of compliance could be reduced.&lt;br /&gt;&lt;br /&gt;The recommendations will also provide insight as to how the scope of compliance may look once that solution, process or approach has been implemented. For example, on completion of the scope reduction exercise you would need to complete the appropriate Self Assessment Questionnaire (SAQ). This provides you with the flexibility of choosing the solution that fits your business.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Maintaining PCI DSS compliance&lt;br /&gt;&lt;/strong&gt;True information security can only be achieved through the implementation of a comprehensive data security programme. It needs to be continually updated to reflect industry best practices such as PCI DSS or ISO 27001 and accommodate the need for continuous workforce education and the implementation of proven technologies to protect data assets.
&lt;br /&gt;&lt;br /&gt;A comprehensive data security programme is one that involves all areas of the business with the aim of securing valuable business information from the moment it enters the organisation until it leaves or is destroyed. The three most vital business components that need to be addressed are people, processes and technology.&lt;br /&gt;&lt;br /&gt;People: People are often viewed as the weak link in the information security chain. Education is critical to ensuring your employees are familiar with your business security policies and procedures and that they know exactly what is expected of them when it comes to protecting the information assets of the business.New employees should receive information security training on induction with mandatory periodic refresher courses for existing employees.&lt;br /&gt;&lt;br /&gt;If your business is part of a wider group or franchise, take advantage of group training events and materials. Franchise owners should ensure consistency across all locations by providing such training aids and group policies.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Processes:&lt;/strong&gt; Many security weaknesses manifest themselves in poor information security management processes and insure system architecture. A thorough analysis of policies and procedures is required to ensure that your business operates in a secure manner.&lt;br /&gt;&lt;br /&gt;Simple steps that can be taken include the identification of information that isn’t required by the business as well as the reduction of the number of applications and systems that store or transmit sensitive data. Taking these steps can also go a long way towards reducing the scope and costs of compliance audits.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Technology:&lt;/strong&gt; Poorly implemented technology solutions can pose significant risks to data security. 
A thorough analysis of existing as well as proposed systems and their implementation is critical to identifying how suitable and capable a technology is for your organisation’s needs.&lt;br /&gt;&lt;br /&gt;You can also reduce the burden of protecting information within your business by choosing appropriate partners who take on the responsibility of managing the data. However, the merchant retains compliance responsibility even if functions are outsourced. Technologies such as tokenisation and end-to-end encryption greatly reduce the scope of information security requirements.&lt;br /&gt;&lt;br /&gt;Merchants should be aware that as of July 2012, MasterCard has mandated that all European merchants and service providers using 3rd party payment applications must use PA DSS compliant applications. Full listings of compliant providers are available on the PCI Security Standards Council’s website, &lt;a href=&quot;http://www.pcisecuritystandards.org/&quot;&gt;http://www.pcisecuritystandards.org/&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;How can Sysnet help?&lt;/strong&gt;&lt;br /&gt;Sysnet’s QSA consultants have significant experience with helping organisations attain and remain compliant with the PCI DSS. We have worked closely with many high-profile organisations and have a wealth of experience in dealing with a varied range of payment applications that are currently being used.&lt;br /&gt;&lt;br /&gt;Sysnet have taken this experience and built an extensive knowledge base which helps us to better assist you with the challenges you face.
&lt;br /&gt;&lt;br /&gt;For further information on our &lt;strong&gt;PCI compliance services&lt;/strong&gt;, please contact one of our Sales representatives by calling &lt;strong&gt;+353 (0)1 495 1300&lt;/strong&gt; or by completing our &lt;a href=&quot;http://www.sysnetglobalsolutions.com/en/Utilities/ContactUs/OnlineEnquiryForm.aspx&quot;&gt;Online Enquiry Form&lt;/a&gt; or &lt;a href=&quot;http://www.sysnetglobalsolutions.com/en/Utilities/ContactUs/CallBackForm.aspx&quot;&gt;Request a Call Back Form&lt;/a&gt;. &lt;/p&gt;</description><link>http://sysnet-sysnet.blogspot.com/2011/08/pci-dss-compliance-challenges-for.html</link><author>noreply@blogger.com (Unknown)</author></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-8801140298233760806.post-2565729195085663075</guid><pubDate>Wed, 17 Aug 2011 10:01:00 +0000</pubDate><atom:updated>2011-08-17T03:16:36.849-07:00</atom:updated><title>PCI DSS compliance challenges for the E-commerce Sector</title><description>The Internet is the fastest growing retail sector, and it is therefore not surprising that many merchants are turning to this sales channel to maximise sales potential. Also barriers to entry are far lower, allowing many start-up and fledgling businesses an opportunity to commence trading with minimal capital outlay –however if systems are not fully secure, they could find themselves vulnerable to remote attacks from anywhere in the world. With a wider range of goods available, there has been a significant increase in the number of customers using their payment card online, with more card data being transmitted and stored via the Internet.&lt;br /&gt;&lt;br /&gt;It is not surprising therefore, that the E-commerce sector faces numerous challenges in order to protect itself from the growing threats from malicious individuals and organised crime looking to identify and exploit weaknesses in the payment process. 
The 6 leading worldwide major payment card brands established the Payment Card Industry Data Security Standards (PCI DSS) as a standard to protect cardholder data from such attacks.&lt;br /&gt;&lt;br /&gt;The PCI DSS contains 12 requirements that are grouped within 6 core principles. If an organisation processes, stores or transmits cardholder data it will be in scope for PCI DSS. All E-commerce systems will need to be considered. In many circumstances, business owners in this industry do not have the resources or the technical knowledge to help reduce the risk of a data breach. Nevertheless, even large E-commerce merchants with skilled personnel also suffer breaches; one merchant was responsible for the loss of over 50 million card numbers.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div align=&quot;center&quot;&gt;&lt;em&gt;&lt;strong&gt;‘If the initial scope is not sufficiently detailed, it could result in a breach of cardholder data’&lt;/strong&gt; &lt;/em&gt;&lt;/div&gt;&lt;br /&gt;&lt;strong&gt;PCI DSS compliance in practice&lt;br /&gt;&lt;/strong&gt;The first part of any PCI DSS compliance assessment is scoping. Without a thorough analysis of cardholder data flows (physical or electronic), a PCI project could miss vital areas, for example legacy systems, or over-engineer system upgrades because the process wasn’t fully understood. The following are some critical areas that are typical for E-commerce environments, but could be overlooked:&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;br /&gt;&lt;br /&gt;&lt;li&gt;Log Files: Many E-commerce systems conduct online authorisations, with the full PAN being stored once the transaction has been completed. PCI DSS requires that the PAN be rendered unreadable (by truncation, hashing, tokenisation or strong encryption). 
Places that potentially could store this type of data, but are often overlooked, include transaction files, debug files, back-up files, history files and application logs.&lt;/li&gt;&lt;br /&gt;&lt;br /&gt;&lt;li&gt;Software Development: Companies that have developed their own web applications should employ a developer who has experience in secure coding practices. It is essential that the code is secure, as a single line of insecure code could provide an entry point for a malicious user. An often overlooked area is the use of third party tools/libraries/scripts. Vulnerabilities in third party code may open a backdoor into E-commerce systems, allowing malicious files to be dropped or providing an entry point for an unauthorised user to steal database information containing cardholder data and/or other sensitive information. &lt;/li&gt;&lt;br /&gt;&lt;br /&gt;&lt;li&gt;Off-the-shelf packages: Organisations using third party payment applications are reliant on the security of these applications. Smaller retailers may purchase E-commerce systems which are in fact open source websites with minor modifications. These packages are often attacked as the underlying source code is publicly available and provides information on the security mechanisms (or lack thereof) used. This may open holes within the E-commerce system that allow viruses or trojans to be planted or, even worse, provide a malicious user with an opportunity to directly query databases that may contain a collection of cardholder and other sensitive customer information. &lt;/li&gt;&lt;br /&gt;&lt;br /&gt;&lt;li&gt;Third Parties: A merchant is responsible for any agent they engage on their behalf. If an organisation relies on a third party to collect cardholder data, the third party must undergo a PCI DSS assessment, and if the third party is not PCI DSS compliant then the merchant is not compliant either. 
&lt;/li&gt;&lt;br /&gt;&lt;br /&gt;&lt;li&gt;Post-authorisation: Storing sensitive authentication data (CVV/CV2) post-authorisation is strictly prohibited by PCI DSS. Indirectly Connected Devices: Any machines not involved in cardholder data processes but are logically connected to devices that do process, store or transmit cardholder data will be in scope. situation and their business. Although PCI DSS seems a long and daunting process with good planning and a clear road map, supported by an experienced and pragmatic QSA partner, compliance can be achieved. This will also put the business in a stronger position as there will be a greater understanding of how&lt;br /&gt;systems work within the organisation, and also the identified potential risk areas. Business should also consider that the financial and reputational costs of a data breach could be far higher than the implementation of a PCI project. &lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;br /&gt;&lt;p align=&quot;center&quot;&gt;&lt;em&gt;&lt;strong&gt;‘PCI DSS is achievable with guidance and an effective roadmap’&lt;br /&gt;&lt;/strong&gt;&lt;/em&gt;&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p align=&quot;left&quot;&gt;&lt;strong&gt;Achieving PCI DSS&lt;br /&gt;&lt;/strong&gt;Some companies may first conduct a gap analysis and then remediate the problems. Sysnet recommends an initial scoping exercise is undertaken - this will review all systems, which will shape the extent of the PCI DSS project. It will also highlight areas of current risk that potentially could be removed with replacement systems or secure enhancements.&lt;br /&gt;&lt;br /&gt;A scoping exercise offers options to manage to the size of the project by offering ‘as is’ and ‘what if’ scenarios to clearly demonstrate how change to the process impacts the scope. 
The organisation then has the opportunity to choose the option they feel is most appropriate to their&lt;br /&gt;&lt;br /&gt;‘A commitment to protecting customer’s cardholder data 24/7 365 days a year’&lt;br /&gt;&lt;br /&gt;Maintaining PCI DSS compliance Once the people, processes and technology are in place, re-assessment should become far easier. Many businesses use PCI DSS as an opportunity to introduce new hardware and operating systems, and merge disparate business processes – it is therefore essential that a full scoping review is undertaken&lt;br /&gt;prior to engaging in any major project development. A commitment to PCI DSS is a commitment to protecting&lt;br /&gt;customer’s cardholder data 24/7, 365 days a year.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;How can Sysnet help?&lt;br /&gt;&lt;/strong&gt;Sysnet’s QSA consultants have significant experience with helping organisations attain and remain compliant with the PCI DSS. We have worked closely with many high profile organisations and have a wealth of experience in dealing with a varied range of payment applications that are currently being used.&lt;br /&gt;&lt;br /&gt;For further information on our &lt;strong&gt;PCI compliance services&lt;/strong&gt;, please contact one of our Sales representatives by calling &lt;strong&gt;+353 (0)1 495 1300&lt;/strong&gt; or by completing our &lt;a href=&quot;http://www.sysnetglobalsolutions.com/en/Utilities/ContactUs/OnlineEnquiryForm.aspx&quot;&gt;Online Enquiry Form&lt;/a&gt; or &lt;a href=&quot;http://www.sysnetglobalsolutions.com/en/Utilities/ContactUs/CallBackForm.aspx&quot;&gt;Request a Call Back Form&lt;/a&gt;. 
&lt;/p&gt;&lt;br /&gt;</description><link>http://sysnet-sysnet.blogspot.com/2011/08/pci-dss-compliance-challenges-for-e.html</link><author>noreply@blogger.com (Unknown)</author></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-8801140298233760806.post-3996002245461719541</guid><pubDate>Tue, 05 Jul 2011 09:22:00 +0000</pubDate><atom:updated>2011-07-05T02:24:11.607-07:00</atom:updated><title>Sysnet Global Solutions officially launch new eBook entitled &#39;The PCI DSS Anthology&#39;</title><description>Read it now at &lt;a href=&quot;http://www.sysnetglobalsolutions.com/ebook.html&quot;&gt;http://www.sysnetglobalsolutions.com/ebook.html&lt;/a&gt;</description><link>http://sysnet-sysnet.blogspot.com/2011/07/sysnet-global-solutions-officially.html</link><author>noreply@blogger.com (Unknown)</author></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-8801140298233760806.post-7126673112806404570</guid><pubDate>Tue, 28 Jun 2011 14:43:00 +0000</pubDate><atom:updated>2011-06-28T07:51:46.273-07:00</atom:updated><title>Data Breaches – Compulsory Disclosure?</title><description>&lt;p&gt;EU Justice Minister Viviane Reding, has recently announced that she is formulating a policy that will mandate any business trading in the EU or who targets EU residents, to notify their customers, and the regulatory authorities, if they suffer a data breach. 
The intention is to ensure that all businesses handling sensitive data take their obligations seriously.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;This action follows the recent spate of attacks on some high-profile organisations, where millions of personal data records were subject to data hacks.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;Following the introduction of the EU e-privacy directive on 26th May 2011, telecoms and Internet Service Providers are already subject to mandatory data breach disclosure, and the Minister is now seeking to widen these powers to include all sectors.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;The legislation has the power to impose penalties and legal sanctions for any infringement, and it is expected that these strong ‘incentives’ will encourage businesses to conduct serious risk assessments regarding their storage of sensitive personal data, and implement appropriate security measures to protect the confidentiality and integrity of this information. &lt;/p&gt;&lt;br /&gt;&lt;p&gt;It should also be noted that the UK Information Commissioner has regulatory powers to investigate and penalise in cases of deliberate and persistent misconduct.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;With all of the increasing media and regulatory interest in data security, how does a business go about protecting its key assets, particularly customer databases, and avoid a data breach? &lt;/p&gt;&lt;strong&gt;How can Sysnet Global Solutions help?&lt;br /&gt;&lt;/strong&gt;Sysnet offers a Security Assessment service, which provides a unique and flexible approach encompassing Incident Response, Audit, Computer Forensics and Penetration Testing. &lt;br /&gt;&lt;br /&gt;&lt;p&gt;The assessment will be tailored to the individual needs of the business, and can include reviews of encryption, wireless networking, portable device security, contingency plans, security awareness, system configuration and premises vulnerabilities. 
&lt;/p&gt;If a business takes card payments, it will fall under the requirements of the Payment Card Industry Data Security Standard (PCI-DSS); however, the Sysnet Security Assessment service goes into far more detail, so that the customer can feel confident that they are in control of their security position. &lt;br /&gt;&lt;br /&gt;&lt;p&gt;Additionally, Sysnet offer an on-demand computer incident response service, whereby in the event of an incident Sysnet can be on call, ready to provide advice and visit the affected site to help contain the incident, offer guidance and, if required, conduct a forensic investigation. This service is pre-arranged and also includes an initial visit to the site to help highlight security vulnerabilities and offer remediation planning to overcome these weaknesses. &lt;/p&gt;&lt;br /&gt;&lt;p&gt;Whilst no business can be wholly safe from a data incident, by following the guidance given by the Sysnet CFS team businesses can not only reduce their exposure to such an attack, but also be in a far better position to respond in a positive and speedy manner, ensuring continuance of trading and minimising brand and reputational damage.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;Another key area is the storage of unencrypted card data - under PCI-DSS all card data should be securely deleted from computer systems or, if deemed necessary for operational requirements, stored in a suitable encrypted format. In all too many cases, when a forensic investigation is undertaken following a data breach, card information is located in clear text.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;This can be due to a number of circumstances: forgotten databases, legacy systems deemed out of scope for PCI accreditation, or back-up files converting encrypted information into readable format. 
Whatever the reason, storing unencrypted data heightens the risk and invalidates any PCI compliance certification. &lt;/p&gt;To reduce this exposure, Sysnet are able to offer their Cardholder Data Discovery Service, which can scan servers, PCs and storage media for unencrypted card numbers. Once the scan has been completed, if any residual information has been identified we can safely erase the data, help prevent it from being stored again or, if preferred, give guidance as to how the records can be held securely in conformance with PCI DSS. &lt;br /&gt;&lt;p&gt;&lt;/p&gt;&lt;br /&gt;&lt;p&gt;Sysnet bring the pragmatic mindset of a &lt;strong&gt;forensic investigator&lt;/strong&gt; together with knowledge of real world hacking to give you the edge in security management. For more information please contact us by calling &lt;strong&gt;0844 562 3147 (UK)&lt;/strong&gt; or &lt;strong&gt;+353 (0)1 495 1300 (Rest of the World)&lt;/strong&gt; or by completing our &lt;a href=&quot;http://www.sysnetglobalsolutions.com/enquiryform.php&quot;&gt;Online Enquiry Form&lt;/a&gt; or &lt;a href=&quot;http://www.sysnetglobalsolutions.com/call_backform.php&quot;&gt;Request a Call Back Form&lt;/a&gt;&lt;/p&gt;</description><link>http://sysnet-sysnet.blogspot.com/2011/06/data-breaches-compulsory-disclosure.html</link><author>noreply@blogger.com (Unknown)</author></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-8801140298233760806.post-2476250937740512459</guid><pubDate>Fri, 10 Jun 2011 09:13:00 +0000</pubDate><atom:updated>2011-06-10T02:17:27.895-07:00</atom:updated><title>Sysnet to present at IPSO Data Breach Awareness Workshop on June 14th</title><description>Sysnet Global Solutions, a leading worldwide provider of information security and assurance services, will present at the Irish Payment Services Organisation (IPSO) Data Breach Awareness Workshop on June 14th 2011. 
The event, which takes place in Dublin, will educate and inform delegates of the need to proactively plan and test data breach scenarios, so that in the event of a data breach the correct actions are taken and the financial and reputational loss is minimised.&lt;br /&gt;&lt;br /&gt;Ian Wright, Senior Consultant, and Benn Morris, Manager Computer Forensic &amp;amp; Security at Sysnet Global Solutions, will present on describing an incident, an overview of internal and external threats, and preparing and planning for a data breach. Ian Wright has over 30 years’ experience in the banking industry. For the last 5 years he was Head of Fraud for a major UK acquirer, and he brings a unique insight into the issues faced by merchants and card processors. After working for West Yorkshire Police Hi-Tech Crime Unit, Benn Morris moved into the private sector conducting forensic investigations, incident response and security assessments for many high profile corporate organisations.&lt;br /&gt;&lt;br /&gt;Also presenting at the event are Úna Dillon, Head of IPSO Card Services, and Detective Sergeant Matthew Sheridan, Garda Bureau of Fraud Investigations.&lt;br /&gt;&lt;br /&gt;The briefing will take place at the &lt;strong&gt;Radisson Blu Hotel&lt;/strong&gt;, Golden Lane, Dublin 2, and will &lt;strong&gt;commence at 10.00am&lt;/strong&gt; and &lt;strong&gt;conclude at 1.00pm&lt;/strong&gt;.&lt;br /&gt;&lt;br /&gt;To register a place at this workshop, please click &lt;a href=&quot;http://www.ipso.ie/section/http:/www.ipso.ie/section/IPSODataBreachAwarenessWorkshop14thJune2011?utm_source=DataBreachEmail&amp;amp;utm_medium=DataBreachEmail&amp;amp;utm_campaign=DataBreachEmail&quot;&gt;here&lt;/a&gt; or go to the IPSO website &lt;a href=&quot;http://www.ipso.ie/&quot;&gt;www.ipso.ie&lt;/a&gt; and follow the link.</description><link>http://sysnet-sysnet.blogspot.com/2011/06/sysnet-to-present-at-ipso-data-breach.html</link><author>noreply@blogger.com 
(Unknown)</author></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-8801140298233760806.post-4873358915154213812</guid><pubDate>Tue, 17 May 2011 10:07:00 +0000</pubDate><atom:updated>2011-05-17T03:13:49.824-07:00</atom:updated><title>Sysnet launch Newsletter, Sysnet Secure</title><description>Sysnet officially launch their newsletter, Sysnet Secure. To celebrate the launch, one lucky reader will win an iPad.&lt;br /&gt;&lt;br /&gt;To view the newsletter, please click &lt;a href=&quot;http://www.sysnetglobalsolutions.com/newsletter.htm&quot;&gt;here&lt;/a&gt;.</description><link>http://sysnet-sysnet.blogspot.com/2011/05/sysnet-launch-newsletter-sysnet-secure.html</link><author>noreply@blogger.com (Unknown)</author></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-8801140298233760806.post-7609329829125502766</guid><pubDate>Wed, 11 May 2011 08:33:00 +0000</pubDate><atom:updated>2011-05-11T01:37:30.819-07:00</atom:updated><title>Common Cyber Crimes facing the Payments Industry</title><description>There is little doubt that an Account Data Compromise (ADC) would be detrimental to the operational effectiveness of any business. However, to organised criminal groups it can be an easy way in which to generate funds for criminal gain. In the 21st century, it can be easier for a criminal gang to commit cyber crime, such as raiding the credit card details held by a poorly maintained website, than to raid a high street bank.&lt;br /&gt;&lt;br /&gt;The favoured methodology of website hackers is to exploit poorly written and unsecured websites and then seek to locate the credit card information held within. 
By focusing on weaker websites in this way, and by keeping the level of card fraud on any one site low enough to avoid attention, many hackers simply take the ‘low hanging fruit’ and go unnoticed until it is too late.&lt;br /&gt;&lt;br /&gt;Exploiting the same common vulnerability across many different hosts, for example an authentication weakness in a popular shopping cart, allows the hacker simply to trawl the Internet for websites that use that shopping cart, exploit them and collect the reward. No organisation wants to fall foul of cyber crime, and therefore, in order to protect themselves against a potential information security breach, organisations should take certain steps to reduce their susceptibility to the most common types of breach.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Legislation&lt;br /&gt;&lt;/strong&gt;Unlawful access to a system used by a merchant is, on the whole, an offence under section 1 of the Computer Misuse Act 1990, and in the real world the theft of cardholder data is more than likely to go hand in hand with the theft of PII (Personally Identifiable Information). Therefore, once a data breach has occurred, it can easily escalate from an exercise in which the card brands request the return of their card numbers to the local law enforcement agency mounting a personal data loss investigation.&lt;br /&gt;&lt;br /&gt;Cardholder data breaches that are the result of cyber crime are increasingly raising interest within the various law enforcement and data protection agencies around the EU. Although currently each member state takes a different view on how to deal with the consequences of cyber crime, growing public awareness of the issue could see law enforcement take a heavier, more legally based role in the near future.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Protecting Your Organisation&lt;br /&gt;&lt;/strong&gt;There are no hard and fast rules to ensure that your website is safe and secure from the persistent threat of cyber crime. 
However, there are some actions that organisations can take to help avoid large fines for the misuse and loss of cardholder data. Below are 10 helpful tips for organisations seeking to become more proactive:&lt;br /&gt;&lt;br /&gt;&lt;ol&gt;&lt;br /&gt;&lt;li&gt;Get PCI DSS compliant. Look at your merchant agreement with your acquirer: it will state that you need to be PCI DSS compliant; &lt;/li&gt;&lt;br /&gt;&lt;li&gt;Plan, plan, plan – you don’t know when the event might happen, but an incident response plan and regular testing of that plan will pay dividends in the event of a breach; &lt;/li&gt;&lt;br /&gt;&lt;li&gt;Suppliers - know who your suppliers are and what cardholder data they may or may not be processing on your behalf. They will need to be PCI DSS compliant and could easily be your weak point in the protection of cardholder data; &lt;/li&gt;&lt;br /&gt;&lt;li&gt;PFI company – if there is a breach, a PCI Forensic Investigator (PFI) may be turning up at your door and asking questions that you might not immediately know the answer to. Pre-appointing a PFI and talking to them about what happens in a breach will iron out any potential problems;&lt;/li&gt;&lt;br /&gt;&lt;li&gt;PR response - should the worst happen and your business’s reputation is on the line, have a pre-planned public response; a response prepared beforehand is far better than one drafted in the heat of the moment; &lt;/li&gt;&lt;br /&gt;&lt;li&gt;Policy – one of the easiest ways to mitigate the risk that a breach represents is to ensure that policies and procedures are robust enough to reduce the chance of a cardholder data breach, and flexible enough to respond if a breach occurs; &lt;/li&gt;&lt;br /&gt;&lt;li&gt;Data protection – the legal and compliance authorities are becoming more interested in ensuring that the cardholder data that merchants process, and the personal information they obtain, stays within the merchant’s control and does not get into the hands of hackers. 
Whilst the card brands could fine an organisation for the misuse and/or loss of cardholder data, the data protection authorities can also stop a merchant processing cardholder data; &lt;/li&gt;&lt;br /&gt;&lt;li&gt;Acquisition of evidence – should an external party be required to investigate a breach, a lot of time, energy and effort can be saved by allowing the external investigative party to acquire the data themselves. The more the data is tampered with before a forensic investigation is carried out (systems rebuilt, suspected malware deleted, logs rotated or machines powered off and their volatile memory lost), the less can be established about what actually happened; &lt;/li&gt;&lt;br /&gt;&lt;li&gt;Check your liabilities – ensure that you have the correct contracts; it may be that your third party has provided you with a ‘managed’ firewall, but what does that mean? You may only find out when a hacker has already taken your customers’ cardholder information away; &lt;/li&gt;&lt;br /&gt;&lt;li&gt;Don’t panic – if the worst should happen, act with a clear head and don’t make rushed decisions that could affect the outcome at a later stage. &lt;/li&gt;&lt;/ol&gt;&lt;br /&gt;&lt;p&gt;For further information on our &lt;strong&gt;Incident Response, Forensic Security or PCI Forensic Investigator Consultancy Services&lt;/strong&gt;, please contact one of our Sales representatives by calling &lt;strong&gt;0844 562 3147 (UK)&lt;/strong&gt; or &lt;strong&gt;+353 (0)1 495 1300 (Rest of the World)&lt;/strong&gt; or by completing our &lt;a href=&quot;http://www.sysnetglobalsolutions.com/enquiryform.php&quot;&gt;Online Enquiry Form &lt;/a&gt;or &lt;a href=&quot;http://www.sysnetglobalsolutions.com/call_backform.php&quot;&gt;Request a Call Back Form&lt;/a&gt;. 
&lt;/p&gt;</description><link>http://sysnet-sysnet.blogspot.com/2011/05/common-cyber-crimes-facing-payments.html</link><author>noreply@blogger.com (Unknown)</author></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-8801140298233760806.post-857102396528431281</guid><pubDate>Fri, 22 Apr 2011 11:26:00 +0000</pubDate><atom:updated>2011-04-22T04:27:51.232-07:00</atom:updated><title></title><description>&lt;p&gt;The UK Data Protection Act (1998) requires any organisation that receives, transmits, stores or processes personal information to comply with the eight data protection principles contained in Schedule 1 of the Act. &lt;/p&gt;&lt;br /&gt;&lt;p&gt;&lt;strong&gt;The essence of the eight principles can be summarised as follows: &lt;/strong&gt;&lt;/p&gt;&lt;br /&gt;&lt;ul&gt;&lt;br /&gt;&lt;li&gt;Personal data shall be processed fairly and lawfully &lt;/li&gt;&lt;br /&gt;&lt;li&gt;Personal data shall be obtained only for specified and lawful purposes&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Personal data shall be adequate, relevant and not excessive&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Personal data shall be accurate and, where necessary, kept up to date &lt;/li&gt;&lt;br /&gt;&lt;li&gt;Personal data shall not be kept longer than necessary&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Personal data shall be processed in accordance with the rights of data subjects under the Act &lt;/li&gt;&lt;br /&gt;&lt;li&gt;Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing, and against accidental loss, destruction or damage &lt;/li&gt;&lt;br /&gt;&lt;li&gt;Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects &lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;p&gt;Compliance with the Data Protection Act is a legal requirement for all organisations operating in the United Kingdom which collect, store or process personally identifiable information. 
Ensuring ongoing compliance with the Act is therefore an essential management activity for any company or organisation which engages in the above activities. &lt;/p&gt;&lt;br /&gt;&lt;p&gt;In addition to the potential penalties that may be imposed by the courts or the Information Commissioner’s Office, most modern organisations rely on their brand reputation to attract and retain customers and partners in the private sector, or to achieve their organisational or statutory goals in the public sector. &lt;/p&gt;&lt;br /&gt;&lt;p&gt;As such, a breach of data privacy could have far wider consequences than any sanction imposed by the Information Commissioner or any other regulatory body, and could compromise a key commercial relationship or prejudice your organisation’s ability to win and retain customers. &lt;/p&gt;&lt;br /&gt;&lt;p&gt;Achieving compliance with the Data Protection Act should begin with the selection of an expert third party advisor, and is achievable through a regime of analysis and assessment, training and awareness initiatives, organisational support and policy implementation, all of which need to be underpinned by appropriate technological, architectural and infrastructure investments. &lt;/p&gt;&lt;br /&gt;&lt;p&gt;In conjunction with the expert advisor, the next step will be to assess your organisation against the eight principles of Schedule 1 of the Act and determine a remediation plan that will close off any shortcomings identified in the most pragmatic and cost efficient manner. 
&lt;/p&gt;&lt;br /&gt;&lt;p&gt;This is usually achieved by a process involving the following steps: &lt;/p&gt;&lt;br /&gt;&lt;ol&gt;&lt;br /&gt;&lt;li&gt;Scoping of the personal data environment &lt;/li&gt;&lt;br /&gt;&lt;li&gt;Gap analysis and assessment of the current level of compliance &lt;/li&gt;&lt;br /&gt;&lt;li&gt;Remediation phase to address identified gaps &lt;/li&gt;&lt;br /&gt;&lt;li&gt;Re-assessment and issue of a Report on Compliance &lt;/li&gt;&lt;/ol&gt;&lt;br /&gt;&lt;p&gt;The expert advisor will also recommend how best to deal with subject access requests from the data subjects whose personal data your organisation controls. &lt;/p&gt;&lt;br /&gt;&lt;p&gt;&lt;strong&gt;How can Sysnet Global Solutions help?&lt;br /&gt;&lt;/strong&gt;Sysnet has a team of information security consultants who are well versed in the governance, risk and compliance of personal data. Sysnet is able to provide advice on how to protect your data, as well as on how to share it in a safe and secure manner. Our consultants have strong experience in dealing with data protection issues and in how the movement and storage of data can impact your business operations. 
Not only can Sysnet provide consultancy advice on how to protect your data, but also on what to do if there is a data breach and how best to contain it.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;For further information on our Information Security Services, please contact one of our Sales representatives by calling &lt;strong&gt;+353 (0)1 495 1300&lt;/strong&gt; or by completing our &lt;a href=&quot;http://www.sysnetglobalsolutions.com/en/Utilities/ContactUs/OnlineEnquiryForm.aspx&quot;&gt;Online Enquiry Form&lt;/a&gt; or &lt;a href=&quot;http://www.sysnetglobalsolutions.com/en/Utilities/ContactUs/CallBackForm.aspx&quot;&gt;Request a Call Back Form&lt;/a&gt;.&lt;/p&gt;</description><link>http://sysnet-sysnet.blogspot.com/2011/04/uk-data-protection-act-1998-requires.html</link><author>noreply@blogger.com (Unknown)</author></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-8801140298233760806.post-2386991938959190866</guid><pubDate>Tue, 08 Mar 2011 09:31:00 +0000</pubDate><atom:updated>2011-03-08T01:55:14.298-08:00</atom:updated><title>Overview of the main changes between v1.2.1 and v2.0 of the PCI DSS</title><description>&lt;span style=&quot;font-family:arial;font-size:100%;&quot;&gt;Prior to its release, the latest version of the PCI DSS had sparked debate as to whether there would be significant changes to the standard. &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;PCI DSS v2.0 was officially released in October 2010, and showed that changes had been made mainly for clarity, to maintain the quality of assessments. There have been numerous changes, many of which seek to be more specific about the test procedures that are required. 
The other main changes to the standard are highlighted below: &lt;/span&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;Scoping;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;Inclusion of Virtualisation; &lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;Storage; &lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;Time Synchronisation; &lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;Scanning; &lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;Wireless and IDS/IPS; &lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;Evolving Requirements: Applications. &lt;/span&gt;&lt;/li&gt;&lt;br /&gt;&lt;/ul&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;Each of these areas will be broken down below to cover the high level salient changes that have occurred to the PCI DSS. &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;&lt;strong&gt;Scoping&lt;br /&gt;&lt;/strong&gt;As with any PCI DSS assessment, it is important that proper scoping is conducted. 
Changes have been made to ensure that the scope has been clearly defined, with emphasis on the following points: &lt;/span&gt;&lt;/p&gt;&lt;ol&gt;&lt;li&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;Requirement to identify all locations and flows of cardholder data; &lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;Explicit requirement for merchants and service providers to identify and document all of the locations and flows of cardholder data annually, before they begin their assessment; &lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;Documentation must be presented that shows how the PCI DSS scope was confirmed, together with the scoping results, so that the assessor can review it and accept it as evidence if appropriate; &lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;Consider all electronic and physical media containing cardholder data. This should include (but not be limited to) databases, mail orders, faxes, call recordings, emails, temporary files and log files; &lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;“System components” also include any virtualisation components. 
&lt;/span&gt;&lt;/li&gt;&lt;br /&gt;&lt;/ol&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;&lt;em&gt;Main impact:&lt;/em&gt; &lt;/span&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;Organisations may need to be more proactive and spend more time understanding where cardholder data is processed, stored or transmitted; &lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;Expect the QSA to spend more time verifying the scope, specifically the data flows and storage locations; &lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;Expect to be asked to present evidence of how the segmentation controls are adequate to isolate the cardholder data environment, and proof that systems outside the defined scope have been tested to confirm that no cardholder data has leaked beyond it. &lt;/span&gt;&lt;/li&gt;&lt;br /&gt;&lt;/ul&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;&lt;strong&gt;Virtualisation&lt;br /&gt;&lt;/strong&gt;Virtualisation is now officially recognised, and therefore all virtualised system components should be reviewed to determine whether they are in scope for PCI DSS. If they are in scope, then the PCI DSS controls apply according to the role of the component. For example: &lt;/span&gt;&lt;br /&gt;&lt;ol&gt;&lt;li&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;Virtualised servers would require all PCI DSS requirements applicable to servers; &lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;Virtualised firewalls and routers would require all PCI DSS requirements applicable to firewalls and routers; &lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;Any other virtualised system component would require all PCI DSS requirements applicable to that particular type of system component. 
&lt;/span&gt;&lt;/li&gt;&lt;/ol&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;&lt;em&gt;Main impact:&lt;/em&gt; &lt;/span&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;Including virtualised system components within the scope should not come as a surprise. If virtualisation technologies have not been included in the scope before, then your QSA may spend time reviewing the setup and corresponding documentation for those components; &lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;Sysnet have always applied the requirements in this manner, so there should be minimal uplift for any customers engaged with our QSAs. &lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;&lt;strong&gt;Storage&lt;br /&gt;&lt;/strong&gt;Emphasis has been placed on preventing access to both truncated and hashed versions of the PAN, not just the PAN itself. The reason is simple: a truncated PAN (first six and last four digits) fixes all but six digits, so an attacker holding an unkeyed hash of the same PAN has at most a million candidates to hash and compare (fewer still once the Luhn check digit is taken into account), which takes seconds on ordinary hardware. Held together, the two elements are the PAN.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;&lt;em&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;Review the following: &lt;/span&gt;&lt;/em&gt;&lt;/p&gt;&lt;ol&gt;&lt;li&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;Implementation of controls to ensure that the hashed and truncated values cannot be correlated to reconstruct the original PAN, for example a keyed hash (HMAC) whose key is managed and protected like an encryption key, rather than a bare hash of the PAN; &lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;Whether you need to keep both truncated and hashed versions at all –if you don’t need it, don’t store it. 
&lt;/span&gt;&lt;/li&gt;&lt;/ol&gt;&lt;p&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;&lt;em&gt;Main impact:&lt;/em&gt; &lt;/span&gt;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;Adding controls may add cost; &lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;It may prove difficult to add controls depending on your implementation; &lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;Storage of both versions may currently be by design, and making this change may prove difficult. Further work would need to be conducted to understand the risk and impact of any change. &lt;/span&gt;&lt;/li&gt;&lt;br /&gt;&lt;/ul&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;&lt;strong&gt;Time Synchronisation&lt;br /&gt;&lt;/strong&gt;It is important to ensure that your clocks are accurate, so that events in logs from different systems can be correlated during any forensic work. To support this, there must be clear and documented processes for distributing time through your cardholder data environment. &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;Previously there was a bias towards using NTP. In the new standard, references to any particular technology are removed. &lt;/span&gt;&lt;/p&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;Whatever time synchronisation technology you decide to use, make sure you take time from industry-accepted external sources, restrict which internal systems may receive it from outside, and have the distribution of time documented appropriately. 
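The brute force that the Storage section above alludes to, as an added example that is not code from the original post: given a PCI DSS truncated PAN (first six and last four digits) and an unkeyed SHA-256 of the full PAN, it recovers the PAN by enumerating the hidden digits, then shows that replacing the bare hash with a keyed hash (HMAC-SHA256) defeats the same search. The sample PAN, the HMAC key, the choice of SHA-256 and the 16-digit PAN length are assumptions for the example, not details taken from the post.

```python
# Added example (not code from the Sysnet post): why a truncated PAN stored
# alongside an unkeyed hash of the same PAN is equivalent to storing the PAN.
# Assumptions not stated in the post: truncation keeps the first six and last
# four digits, the hash is unkeyed SHA-256 over the PAN digits, and PANs are
# 16 digits long. SAMPLE_PAN and DEMO_KEY are constructed test values.
import hashlib
import hmac

SAMPLE_PAN = "4111111111111111"                   # constructed test PAN, passes Luhn
DEMO_KEY = b"constructed-demo-key-never-reuse"    # constructed HMAC key for the fix

# Luhn value of a doubled digit: 0,2,4,6,8,1,3,5,7,9 (a bijection on 0..9)
DOUBLED = [(2 * d) // 10 + (2 * d) % 10 for d in range(10)]


def luhn_ok(digits):
    """Return True when the digit string passes the Luhn check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        total += DOUBLED[d] if i % 2 == 1 else d
    return total % 10 == 0


def luhn_fill(template):
    """Replace the single '?' in template with the digit that makes Luhn pass.

    The check digit is one of the visible last four, so one of the six hidden
    digits is fully determined by the other five: only 100,000 candidates exist.
    """
    pos = template.index("?")
    rev_index = len(template) - 1 - pos
    total = 0
    for i, ch in enumerate(reversed(template)):
        if ch != "?":
            d = int(ch)
            total += DOUBLED[d] if i % 2 == 1 else d
    need = (10 - total % 10) % 10
    digit = DOUBLED.index(need) if rev_index % 2 == 1 else need
    return template[:pos] + str(digit) + template[pos + 1:]


def truncate(pan):
    """PCI DSS truncation: keep the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def sha256_hex(pan):
    """The weak control: an unkeyed hash of the PAN."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_hash(pan, key):
    """The corrected control: HMAC-SHA256 under a key managed like an encryption key."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_pan(truncated, pan_hash):
    """Attacker's view: truncated PAN plus the stored hash, no key.

    Returns (pan, attempts). Each of the 100,000 Luhn-valid candidates costs one
    SHA-256, so the whole search finishes in well under a second.
    """
    first6, last4 = truncated[:6], truncated[-4:]
    attempts = 0
    for m in range(100000):
        candidate = luhn_fill(first6 + f"{m:05d}?" + last4)
        attempts += 1
        if sha256_hex(candidate) == pan_hash:
            return candidate, attempts
    return None, attempts


if __name__ == "__main__":
    trunc = truncate(SAMPLE_PAN)
    pan, n = recover_pan(trunc, sha256_hex(SAMPLE_PAN))
    print(f"unkeyed SHA-256 + {trunc}: recovered {pan} after {n} attempts")
    pan, n = recover_pan(trunc, keyed_hash(SAMPLE_PAN, DEMO_KEY))
    print(f"HMAC-SHA256     + {trunc}: recovered {pan} after {n} attempts")
```

Run with python3: the first search succeeds after a few thousand attempts, while the keyed version exhausts all 100,000 Luhn-valid candidates without a match. The HMAC key must live outside the database that holds the truncated PANs and hashes, otherwise a single dump still hands the attacker everything needed to repeat the search.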
&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;&lt;em&gt;Main impact:&lt;/em&gt; &lt;/span&gt;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;Flexibility to use other time synchronisation technologies that may be more suitable for your environment; &lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;&lt;strong&gt;Scanning&lt;br /&gt;&lt;/strong&gt;This is a very important area to consider. PCI DSS requirement 11.2 is now split into sub-requirements with explicit test procedures for internal (11.2.1) and external (11.2.2) vulnerability scanning, and for scanning after significant changes (11.2.3). &lt;em&gt;Why?&lt;/em&gt; In many cases organisations rely on an external vendor (their ASV) to conduct external testing, and this split suggests that organisations have been falling short when required to demonstrate &lt;span style=&quot;TEXT-DECORATION: underline&quot;&gt;internal&lt;/span&gt; testing. &lt;/span&gt;&lt;/p&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;Don’t neglect internal scanning. Remember to: &lt;/span&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;Conduct &lt;span style=&quot;TEXT-DECORATION: underline&quot;&gt;internal&lt;/span&gt; scans at least on a &lt;span style=&quot;TEXT-DECORATION: underline&quot;&gt;quarterly&lt;/span&gt; basis, and after any significant change to the network; &lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;Conduct &lt;span style=&quot;TEXT-DECORATION: underline&quot;&gt;internal&lt;/span&gt; rescans until there is a &lt;span style=&quot;TEXT-DECORATION: underline&quot;&gt;passing scan&lt;/span&gt;, or until all “High” vulnerabilities (as ranked under requirement 6.2) have been resolved; &lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;Document scanning procedures and provide documentary evidence of the outcome of both internal and external scans. 
&lt;/span&gt;&lt;/li&gt;&lt;br /&gt;&lt;/ul&gt;&lt;em&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;Main impact:&lt;/span&gt;&lt;/em&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;For those who have not conducted internal testing, you should start this process as soon as possible. Failure to demonstrate the required internal testing evidence could jeopardise your next PCI compliance review. &lt;/span&gt;&lt;/li&gt;&lt;br /&gt;&lt;/ul&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;&lt;strong&gt;Wireless and IDS &amp;amp; IPS&lt;br /&gt;&lt;/strong&gt;Organisations should not neglect the fact that rogue wireless devices are easy to install and therefore pose a significant threat. A few changes have been made: &lt;/span&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;PCI DSS requirement 2.1.1 is split into further test procedures, but something is missing: there is no reference to WPA (or in fact to any specific wireless technology); &lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;PCI DSS requirement 11.1 now includes &lt;em&gt;“physical/logical inspections of system components and infrastructure”&lt;/em&gt; as an acceptable method of detecting unauthorised wireless access points; &lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;PCI DSS v2.0 requirement 11.4 mandates that IDS/IPS monitor all traffic at the perimeter of the cardholder data environment and at critical points within it. &lt;/span&gt;&lt;/li&gt;&lt;br /&gt;&lt;/ul&gt;&lt;em&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;Main impact: &lt;/span&gt;&lt;/em&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;Organisations will need to give serious thought to moving to WPA2, or will need to bolster their current wireless implementations with enterprise-level security (802.1X/EAP authentication against a RADIUS server) rather than just using pre-shared keys (PSK). 
A better position may be to ask yourself: “Is sending cardholder data over wireless the best way?” Again, if you don’t need it, then don’t use it; &lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;Physical/logical inspections of system components provide greater flexibility to meet the test procedures, especially for small organisations with few resources, who may not currently be knowledgeable in using specialist wireless scanning and IDS/IPS software; &lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;Wireless IDS/IPS systems at critical points in the CDE may mean less system management overhead and potentially fewer false positives. &lt;/span&gt;&lt;/li&gt;&lt;br /&gt;&lt;/ul&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;&lt;strong&gt;Evolving Requirements&lt;br /&gt;&lt;/strong&gt;Two extra requirements that PCI DSS v2.0 has included to spice things up will keep those involved with software development and patching busy: &lt;/span&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;PCI DSS requirement 6.2 not only requires a process to identify newly discovered security vulnerabilities, but also to &lt;span style=&quot;TEXT-DECORATION: underline&quot;&gt;assign a risk ranking&lt;/span&gt; (for example “High”, “Medium” or “Low”) to each of them; &lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;PCI DSS 6.5 has been refined as a reminder that the requirements apply to all software and not just web applications. Furthermore, 6.5.6 requires that all “High” risk vulnerabilities identified by the risk ranking process in PCI DSS requirement 6.2 are addressed during development. 
&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;em&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;Main impact: &lt;/span&gt;&lt;/em&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;Organisations must start developing risk ranking processes at their earliest opportunity; &lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;This risk ranking could also work in your favour. The standard risk ranking provided by vendors may not be appropriate within your environment, and a documented ranking of your own may allow additional time for testing and a scheduled rollout rather than reactive installation; &lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;Organisations will be required to spend time demonstrating a proper secure software development lifecycle for all internally developed applications within scope for PCI DSS. &lt;/span&gt;&lt;/li&gt;&lt;br /&gt;&lt;/ul&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;&lt;strong&gt;How will v2.0 impact on organisations seeking to attain/retain PCI DSS compliance?&lt;br /&gt;&lt;/strong&gt;To the relief of most organisations, v2.0 will have minimal impact. The changes made have been for clarity of the test procedures and in recognition of advancing technology and threats. The main points are: &lt;/span&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;Organisations should properly scope where their cardholder data is. It is difficult to secure data if you do not know where it is; &lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;Expect your QSA to spend more time verifying the scope, reviewing the current technologies (some of which may now be considered not fit for purpose) and gathering evidence. 
&lt;/span&gt;&lt;/li&gt;&lt;br /&gt;&lt;/ul&gt;&lt;p&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;&lt;strong&gt;Will there be future updates to the PCI DSS?&lt;br /&gt;&lt;/strong&gt;The PCI DSS now uses a three-year life cycle and the next standard should be released around October 2013. The following diagram is taken from the official &lt;strong&gt;Lifecycle for Changes to PCI DSS and PA-DSS&lt;/strong&gt; demonstrating the phases of the three-year cycle.&lt;/span&gt;&lt;/p&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhC_WRPH2sNz0Xug1t5DoodEMeHNaPcXcc7_ihZxXl7mOQfbKbUSg3mS3gb7csfmJHV7_CzUwPsTie08QLAWdD8k8KVKOrZx6It4g2EyARN6llmfY9-4I10dc4tnI42_JUMSAPXSWNDi7yo/s1600/test.JPG&quot;&gt;&lt;img style=&quot;TEXT-ALIGN: center; MARGIN: 0px auto 10px; WIDTH: 320px; DISPLAY: block; HEIGHT: 269px; CURSOR: hand&quot; id=&quot;BLOGGER_PHOTO_ID_5581640470958264658&quot; border=&quot;0&quot; alt=&quot;&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhC_WRPH2sNz0Xug1t5DoodEMeHNaPcXcc7_ihZxXl7mOQfbKbUSg3mS3gb7csfmJHV7_CzUwPsTie08QLAWdD8k8KVKOrZx6It4g2EyARN6llmfY9-4I10dc4tnI42_JUMSAPXSWNDi7yo/s320/test.JPG&quot; /&gt;&lt;/a&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;&lt;strong&gt;Based on PCI DSS v2.0, it is envisaged that the new version will:&lt;/strong&gt; &lt;/span&gt;&lt;ul&gt;&lt;li&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;Have further improvements in scoping; &lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;Clarify assessment procedures; &lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;Include considerations for advances in technology as well as threats; &lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;Cover other areas, as we do not yet know what the future holds. 
&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;&lt;strong&gt;Final reminder to organisations&lt;br /&gt;&lt;/strong&gt;It is imperative that organisations focus on their business processes and not just the technology. All organisations must understand they are obliged to protect customers’ cardholder data; PCI DSS applies all year round and not just at the time of the assessment. &lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;As advances are made to technology, standards and regulations, organisations must not stand still. All organisations should consider undergoing QSA-led “health-checks” throughout the year to accommodate and review the impact of change, in order to assist them with remaining PCI DSS compliant. &lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;For further information on our &lt;strong&gt;PCI compliance services&lt;/strong&gt;, please contact one of our Sales representatives by calling &lt;strong&gt;+353 (0)1 495 1300&lt;/strong&gt; or by completing our &lt;/span&gt;&lt;a href=&quot;http://www.blogger.com/en/Utilities/ContactUs/OnlineEnquiryForm.aspx&quot;&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;Online Enquiry Form &lt;/span&gt;&lt;/a&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;or &lt;/span&gt;&lt;a href=&quot;http://www.blogger.com/en/Utilities/ContactUs/CallBackForm.aspx&quot;&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;Request a Call Back Form&lt;/span&gt;&lt;/a&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;.&lt;/span&gt; &lt;/p&gt;</description><link>http://sysnet-sysnet.blogspot.com/2011/03/overview-of-main-changes-between-v121.html</link><author>noreply@blogger.com (Unknown)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" 
url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhC_WRPH2sNz0Xug1t5DoodEMeHNaPcXcc7_ihZxXl7mOQfbKbUSg3mS3gb7csfmJHV7_CzUwPsTie08QLAWdD8k8KVKOrZx6It4g2EyARN6llmfY9-4I10dc4tnI42_JUMSAPXSWNDi7yo/s72-c/test.JPG" height="72" width="72"/></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-8801140298233760806.post-8972938772483564133</guid><pubDate>Thu, 03 Mar 2011 12:59:00 +0000</pubDate><atom:updated>2011-03-03T05:04:09.358-08:00</atom:updated><title>PCI DSS Overview</title><description>&lt;span style=&quot;font-family:arial;&quot;&gt;The Payment Card Industry Data Security Standard (PCI DSS) is a compliance standard that governs the processing, storage or transmission of cardholder data. PCI DSS applies to any organisation which processes, stores or transmits cardholder data. Organisations can be classified as a merchant or service provider. An important point to note is that the standard is not just an IT compliance standard; it affects all areas of an organisation. &lt;/span&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;&lt;strong&gt;PCI DSS Background&lt;br /&gt;&lt;/strong&gt;The PCI DSS was founded in December 2004 by 5 major card brands – Visa, MasterCard, American Express, Discover and JCB. The ongoing maintenance and updates to the standard are performed by the PCI Security Standards Council (PCI SSC), an independent organisation, jointly funded by all the participating card brands and participating organisations. The PCI DSS is now on its 4th major release, v2.0. &lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;It is important to note that compliance is not a legal requirement but it is driven by the contractual agreements between merchants and acquiring banks, which cannot be ignored. 
&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;&lt;strong&gt;PCI DSS Requirements&lt;br /&gt;&lt;/strong&gt;The PCI DSS is broken down into 6 domains, each with various sections and associated requirements, as follows: &lt;/span&gt;&lt;br /&gt;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;&lt;em&gt;Build and Maintain a Secure Network&lt;br /&gt;&lt;br /&gt;&lt;/em&gt;1. Install and maintain a firewall configuration to protect cardholder data&lt;br /&gt;&lt;br /&gt;2. Do not use vendor-supplied defaults for system passwords and other security parameters &lt;/span&gt;&lt;/li&gt;&lt;br /&gt;&lt;li&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;&lt;em&gt;Protect Cardholder Data&lt;br /&gt;&lt;br /&gt;&lt;/em&gt;3. Protect stored cardholder data&lt;br /&gt;&lt;br /&gt;4. Encrypt transmission of cardholder data across open, public networks &lt;/span&gt;&lt;/li&gt;&lt;br /&gt;&lt;li&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;&lt;em&gt;Maintain a Vulnerability Management Program&lt;br /&gt;&lt;br /&gt;&lt;/em&gt;5. Use and regularly update anti-virus software on all systems commonly affected by malware&lt;br /&gt;&lt;br /&gt;6. Develop and maintain secure systems and applications &lt;/span&gt;&lt;/li&gt;&lt;br /&gt;&lt;li&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;&lt;em&gt;Implement Strong Access Control Measures&lt;br /&gt;&lt;br /&gt;&lt;/em&gt;7. Restrict access to cardholder data by business need-to-know&lt;br /&gt;&lt;br /&gt;8. Assign a unique ID to each person with computer access&lt;br /&gt;&lt;br /&gt;9. Restrict physical access to cardholder data &lt;/span&gt;&lt;/li&gt;&lt;br /&gt;&lt;li&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;&lt;em&gt;Regularly Monitor and Test Networks&lt;br /&gt;&lt;br /&gt;&lt;/em&gt;10. Track and monitor all access to network resources and cardholder data&lt;br /&gt;&lt;br /&gt;11. 
Regularly test security systems and processes &lt;/span&gt;&lt;/li&gt;&lt;br /&gt;&lt;li&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;&lt;em&gt;Maintain an Information Security Policy&lt;br /&gt;&lt;br /&gt;&lt;/em&gt;12. Maintain a policy that addresses information security &lt;/span&gt;&lt;/li&gt;&lt;br /&gt;&lt;/ul&gt;&lt;p&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;&lt;strong&gt;Why should an organisation comply with the PCI DSS?&lt;br /&gt;&lt;/strong&gt;There are a number of benefits to attaining PCI DSS compliance: &lt;/span&gt;&lt;br /&gt;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;Provides your customers with assurance that card transactions will be handled securely by your organisation &lt;/span&gt;&lt;/li&gt;&lt;br /&gt;&lt;li&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;Level 1 service providers who achieve PCI DSS compliance can ask to be added to the Visa and MasterCard lists of approved service providers &lt;/span&gt;&lt;/li&gt;&lt;br /&gt;&lt;li&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;Avoidance of financial penalties, which are divided into two areas: &lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;ol&gt;&lt;ol&gt;&lt;li&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;Non-Compliance Costs &lt;/span&gt;&lt;/li&gt;&lt;br /&gt;&lt;li&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;Data Breach Costs, which can include:&lt;br /&gt;&lt;br /&gt;o Fines levied by your acquirer for the cardholder data breach&lt;br /&gt;&lt;br /&gt;o Elevation to a level 1 merchant, increasing your ongoing compliance costs&lt;br /&gt;&lt;br /&gt;o The need to have an onsite QSA assessment, which will add significant overhead to the demonstration of compliance&lt;br /&gt;&lt;br /&gt;o Consultancy costs for forensic assessments &amp;amp; remediation advice&lt;br /&gt;&lt;br /&gt;o Potential liability for consequential losses 
due to the card data breach&lt;br /&gt;&lt;br /&gt;o The fines which may be levied for non-compliance are potentially unlimited &lt;/span&gt;&lt;/li&gt;&lt;br /&gt;&lt;/ol&gt;&lt;/ol&gt;&lt;p&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;&lt;strong&gt;Common Misconceptions&lt;br /&gt;&lt;/strong&gt;The following are common misconceptions in relation to PCI DSS compliance: &lt;/span&gt;&lt;br /&gt;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;You can’t fully outsource all your PCI DSS accountability, although you can outsource most of the responsibility for the provision of services; remember some areas of the standard will &lt;strong&gt;ALWAYS &lt;/strong&gt;remain in scope. &lt;/span&gt;&lt;/li&gt;&lt;br /&gt;&lt;li&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;Using a &lt;strong&gt;PA-DSS&lt;/strong&gt; compliant application or a &lt;strong&gt;PCI PTS&lt;/strong&gt; compliant PED does not automatically make your company PCI DSS compliant &lt;/span&gt;&lt;/li&gt;&lt;br /&gt;&lt;li&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;A PCI DSS assessment/SAQ completion is just a snap-shot. 
Compliance with PCI DSS must be maintained at all times, and evidence of this needs to be available &lt;/span&gt;&lt;/li&gt;&lt;br /&gt;&lt;li&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;PCI DSS is &lt;strong&gt;NOT&lt;/strong&gt; just an IT compliance standard; it affects all facets of an organisation &lt;/span&gt;&lt;/li&gt;&lt;br /&gt;&lt;/ul&gt;&lt;p&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;For further information on our &lt;strong&gt;PCI compliance services&lt;/strong&gt;, please contact one of our Sales representatives by calling &lt;strong&gt;+353 (0)1 495 1300&lt;/strong&gt; or by completing our &lt;/span&gt;&lt;a href=&quot;http://www.blogger.com/en/Utilities/ContactUs/OnlineEnquiryForm.aspx&quot;&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;Online Enquiry Form &lt;/span&gt;&lt;/a&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;or &lt;/span&gt;&lt;a href=&quot;http://www.blogger.com/en/Utilities/ContactUs/CallBackForm.aspx&quot;&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;Request a Call Back Form&lt;/span&gt;&lt;/a&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;. &lt;/span&gt;&lt;/p&gt;</description><link>http://sysnet-sysnet.blogspot.com/2011/03/pci-dss-overview.html</link><author>noreply@blogger.com (Unknown)</author></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-8801140298233760806.post-4263192314290786961</guid><pubDate>Wed, 02 Mar 2011 11:44:00 +0000</pubDate><atom:updated>2011-03-02T03:49:22.870-08:00</atom:updated><title>Sysnet Global Solutions attains Approved Payment Forensics Investigator (PFI) status</title><description>&lt;span style=&quot;font-family:arial;&quot;&gt;Sysnet Global Solutions, a leading worldwide provider of information security and assurance services, today announced that they have attained the status of approved Payment Forensics Investigator (PFI), confirmed by the PCI Security Standards Council (PCI-SSC). 
Sysnet are now listed on the PCI-SSC website as approved PCI Forensic Investigators:&lt;br /&gt;&lt;/span&gt;&lt;a href=&quot;http://www.pcisecuritystandards.org/approved_companies_providers/pfi_companies.php&quot;&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;www.pcisecuritystandards.org/approved_companies_providers/pfi_companies.php&lt;/span&gt;&lt;/a&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;&lt;br /&gt;&lt;br /&gt;The PCI Security Standards Council’s PFI program establishes and maintains the rules and requirements regarding eligibility, selection and performance of companies that provide forensic investigation services to ensure they meet PCI Security Standards. The PFI program aims to help simplify and expedite procedures for approving and engaging forensic investigators. The PFI list will replace the previous ‘QFI’ list as of March 1, 2011. After March 1, the card brands will only accept forensic reports from companies that are on the PFI list.&lt;br /&gt;&lt;br /&gt;With the growing threat of credit card fraud across the globe and more aggressive tactics shown by organised criminal groups, if an Account Data Compromise (ADC) does occur and an investigation is required, Sysnet are well equipped to minimise the potential loss and ensure that the affected organisation is back to trading in a safe, compliant manner as soon as possible.&lt;br /&gt;&lt;br /&gt;“This achievement is the result of the cumulative effort of a number of people at Sysnet and we are delighted that we are now on the PFI list,” said Nick Prescot, Senior Consultant of the Data Forensics team at Sysnet Global Solutions. “Whilst we wish that no organisation suffers a data compromise, we can now demonstrate that the Sysnet approach to quality, dedication and thoroughness will ensure that, should the worst happen, the end result will be an organisation that is not only above and beyond the requirements of today’s compliance but also well prepared for the future.”&lt;br /&gt;&lt;br /&gt;In preparing and rehearsing against potential account data compromises, Sysnet Global Solutions offer incident management workshops, intelligence briefings on the latest trends, briefings on best practice in securing personal data, guidance on how to deal with the legal aspects of an investigation and insurance services that enable organisations to be best prepared in the event of a data compromise.&lt;br /&gt;&lt;br /&gt;“This is a very important achievement for Sysnet,” said Gabriel Moynagh, General Manager at Sysnet Global Solutions. “Our PFI status complements the extensive range of products and services we currently provide and further increases our ability to assist our clients in protecting vital business information assets.” &lt;/span&gt;&lt;br /&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;For further information on our &lt;strong&gt;PFI Consultancy Services&lt;/strong&gt;, please contact one of our Sales representatives by calling &lt;strong&gt;+353 (0)1 495 1300&lt;/strong&gt; or by completing our &lt;a href=&quot;http://www.sysnetglobalsolutions.com/enquiryform.php&quot;&gt;Online Enquiry Form&lt;/a&gt; or &lt;a href=&quot;http://www.sysnetglobalsolutions.com/call_backform.php&quot;&gt;Request a Call Back Form&lt;/a&gt;. 
&lt;/span&gt;</description><link>http://sysnet-sysnet.blogspot.com/2011/03/sysnet-global-solutions-attains.html</link><author>noreply@blogger.com (Unknown)</author></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-8801140298233760806.post-7252833978518829779</guid><pubDate>Wed, 23 Feb 2011 10:18:00 +0000</pubDate><atom:updated>2011-02-23T02:21:08.456-08:00</atom:updated><title>Sysnet to present at the Vendorcom PCI &amp; Payment Security Retailer Breakfast Briefing</title><description>&lt;div align=&quot;justify&quot;&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;Sysnet Global Solutions, a leading worldwide provider of information security and assurance services, will present at the Vendorcom PCI &amp;amp; Payment Security Retailer Breakfast Briefing on March 1st 2011. The event, which takes place in London, will address the information security issues faced by merchants.&lt;br /&gt;&lt;br /&gt;The briefing will take the form of short presentations that will provide attendees with up-to-date information that will help improve the security of payment data and move PCI to a business as usual process.&lt;br /&gt;&lt;br /&gt;“The data forensics team at Sysnet are very excited to be part of the Vendorcom breakfast briefings,” said Nick Prescot, Senior Consultant – Data Forensics, at Sysnet Global Solutions, “Cyber warfare is a relatively new and growing phenomenon and no more so than within the realms of cardholder data. 
We are passionate about educating, preventing and, when an unfortunate event happens, responding to incidents and ensuring that all businesses affected from a breach emerge from an incident with a renewed confidence in security.”&lt;br /&gt;&lt;br /&gt;The presentations will be followed by a Questions &amp;amp; Answers session, during which the speakers will be joined by Nick Heape of Visa Europe and Phil Jones of Barclaycard.&lt;br /&gt;&lt;br /&gt;The briefing will take place at the &lt;strong&gt;Herschel Room, 76 Portland Place, London, W1B 1NT&lt;/strong&gt; and will &lt;strong&gt;commence at 8.00am&lt;/strong&gt; and will &lt;strong&gt;conclude at 10.30am&lt;/strong&gt;.&lt;br /&gt;&lt;br /&gt;To register a place at this briefing, please go to the following link: &lt;a href=&quot;http://www.vendorcom.com/register.php?event_id=78&quot;&gt;www.vendorcom.com/register.php?event_id=78&lt;/a&gt; &lt;/span&gt;&lt;/div&gt;</description><link>http://sysnet-sysnet.blogspot.com/2011/02/sysnet-to-present-at-vendorcom-pci.html</link><author>noreply@blogger.com (Unknown)</author></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-8801140298233760806.post-4565858313360235511</guid><pubDate>Tue, 15 Feb 2011 10:26:00 +0000</pubDate><atom:updated>2011-02-15T02:35:07.670-08:00</atom:updated><title>PCI &amp; Payment Security Retailer Breakfast Briefing – Tuesday 1st March, London</title><description>&lt;div align=&quot;center&quot;&gt;&lt;img style=&quot;TEXT-ALIGN: center; MARGIN: 0px auto 10px; WIDTH: 320px; DISPLAY: block; HEIGHT: 92px; CURSOR: hand&quot; id=&quot;BLOGGER_PHOTO_ID_5573860969914168530&quot; border=&quot;0&quot; alt=&quot;&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxRgfB_NZOpOK9YwP8RCl58Lk20XYKHKQ_RrAhmzWrfk4utF-saONz2IiRC6XXQgdrTDWipmURk9ah7D7bCWdByCPLGIl7t-uhO1_q5C4V14AFkgcFAglMnooDtVy9pJDRQbAhghehRB1t/s320/vendorcom.jpg&quot; /&gt;&lt;img style=&quot;TEXT-ALIGN: center; MARGIN: 0px auto 10px; WIDTH: 320px; 
DISPLAY: block; HEIGHT: 97px; CURSOR: hand&quot; id=&quot;BLOGGER_PHOTO_ID_5573860877213359810&quot; border=&quot;0&quot; alt=&quot;&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi220OvRPZOe32rVgNNy0lRlYqSqsvJ5TlkHcSLD0J6nzoSQys7i40uVLjgHYtvVYzjyEpGsLYrK1u3OMEdiLyxjX-LD54ncrjTVWvlgN1qDsVTet4mXX8td8idxzG8nWiu4xT527K-Kyvx/s320/sysnet_brand_RGB.jpg&quot; /&gt;&lt;br /&gt;&lt;img style=&quot;TEXT-ALIGN: center; MARGIN: 0px auto 10px; WIDTH: 320px; DISPLAY: block; HEIGHT: 141px; CURSOR: hand&quot; id=&quot;BLOGGER_PHOTO_ID_5573861047274183874&quot; border=&quot;0&quot; alt=&quot;&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0UCJgHExPckAp5KuHFJ3LvIVtW-X7W4zH7OcpLMCQmt7eCGoOUS1KOGIb8BFFlg2wj-e6Y1mzGKS56tsNi8oAyP1vdXbtoocJbsrqMw7oWdTRAjFPBP_LwUCSBPmkNXeG62lb3i1mF3_9/s320/tripwire.jpg&quot; /&gt; &lt;strong&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;and supported by BARCLAYCARD &amp;amp; VISA EUROPE&lt;/span&gt;&lt;/strong&gt;&lt;/div&gt;&lt;div align=&quot;left&quot;&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;&lt;/span&gt;&lt;/div&gt;&lt;div align=&quot;left&quot;&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;Sysnet Global Solutions is proud to be supporting – and speaking at – the Vendorcom PCI &amp;amp; Payment Security Retailer Breakfast Briefing on March 1st and we’d be delighted if you could join us. 
&lt;/span&gt;&lt;/div&gt;&lt;div align=&quot;left&quot;&gt;&lt;/div&gt;&lt;div align=&quot;left&quot;&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;This briefing will take the form of short, punchy, focused presentations that will provide you with up to date, accurate information that will help you improve the security of your payment data, move PCI to a business as usual process and ensure that you keep both the business and the customer happy; all this – and not a sales pitch in sight!!&lt;/span&gt;&lt;/div&gt;&lt;div align=&quot;left&quot;&gt;&lt;/div&gt;&lt;div align=&quot;left&quot;&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;In this briefing, with the help of both &lt;/span&gt;&lt;a href=&quot;http://www.sysnetglobalsolutions.com/en/home.aspx&quot;&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;ourselves&lt;/span&gt;&lt;/a&gt;&lt;span style=&quot;font-family:arial;&quot;&gt; and &lt;/span&gt;&lt;a href=&quot;http://www.tripwire.com/&quot;&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;Tripwire&lt;/span&gt;&lt;/a&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;, &lt;/span&gt;&lt;a href=&quot;http://www.vendorcom.com/&quot;&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;Vendorcom&lt;/span&gt;&lt;/a&gt;&lt;span style=&quot;font-family:arial;&quot;&gt; will be looking at the business impact of PCI &amp;amp; Payment Security: &lt;/span&gt;&lt;/div&gt;&lt;ul&gt;&lt;li&gt;&lt;div align=&quot;left&quot;&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;What is the cost of compliance (versus non compliance)? &lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div align=&quot;left&quot;&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;How do you work with your suppliers to minimise the risk of a security breach? 
&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div align=&quot;left&quot;&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;If you are breached, what steps can you take to minimise the impact both directly on your customer and on your brand? &lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;Following these presentations, there will also be a Q&amp;amp;A panel, where the speakers will be joined by &lt;strong&gt;Nick Heape of&lt;/strong&gt; &lt;/span&gt;&lt;a href=&quot;http://www.visaeurope.com/en/visa_europe.aspX&quot;&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;Visa Europe&lt;/span&gt;&lt;/a&gt;&lt;span style=&quot;font-family:arial;&quot;&gt; and &lt;strong&gt;Phil Jones of&lt;/strong&gt; &lt;/span&gt;&lt;a href=&quot;http://www.barclaycard.com/&quot;&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;Barclaycard&lt;/span&gt;&lt;/a&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;. This is the opportunity to ask ourselves and the rest of the expert panel your unanswered PCI &amp;amp; Payment Security questions. There will also be time after the session to stay on, ask any additional questions that may not have been answered in the group session – and to network with your peers, the panellists and the Vendorcom team. &lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;It may not always feel like it, but as an industry we are here to help – please take advantage of us!! 
&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;Please Note: This briefing is FREE to attend &lt;/span&gt;&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family:arial;font-size:100%;&quot;&gt;&lt;strong&gt;&lt;/strong&gt;&lt;/span&gt; &lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family:arial;font-size:130%;&quot;&gt;&lt;strong&gt;Agenda:&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;&lt;em&gt;0800 - 0830&lt;/em&gt;&lt;strong&gt; Registration, Breakfast &amp;amp; Networking&lt;br /&gt;&lt;br /&gt;&lt;/strong&gt;&lt;em&gt;0830 - 0840&lt;strong&gt; &lt;/strong&gt;&lt;/em&gt;&lt;strong&gt;Welcome &amp;amp; Introduction&lt;br /&gt;&lt;/strong&gt;Paul Rodgers, Chairman – Vendorcom&lt;br /&gt;&lt;br /&gt;&lt;em&gt;0840 - 0905&lt;/em&gt;&lt;strong&gt; The True Cost of Compliance &lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;Tripwire have recently completed research into the True Cost of Compliance to determine the full costs associated with an organisation’s compliance efforts. This presentation will highlight the recently released benchmark study of multinational organisations providing a clear understanding of the differences between compliance and non-compliance costs incurred when complying with laws, regulations and policies.&lt;br /&gt;&lt;/span&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;&lt;strong&gt;&lt;em&gt;Mike Shanahan, Account Director - Tripwire&lt;br /&gt;&lt;/em&gt;&lt;br /&gt;&lt;/strong&gt;&lt;em&gt;0905 – 0930&lt;/em&gt;&lt;strong&gt; The Security Breach: Guarding Against and Reacting To! &lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;The PCI DSS is designed to help us guard our business against security breaches – that’s all well and good, but how do we work better with suppliers to ensure that they’re working to reduce our risk as well? 
And if the worst happens and we are breached, what is the best course of action? In essence, this session will encourage you to prepare for a breach, know how to limit your exposure to the risk of a breach and understand what best to do in the event of an account data compromise.&lt;br /&gt;&lt;/span&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;&lt;em&gt;&lt;strong&gt;Nick Prescot, Senior Consultant, Forensics – Sysnet Global Solutions&lt;br /&gt;&lt;br /&gt;&lt;/strong&gt;&lt;/em&gt;&lt;em&gt;0930 – 1000&lt;/em&gt;&lt;strong&gt; Q&amp;amp;A Panel &lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;What do you really want to know? What is the most burning question you have about PCI &amp;amp; Payment Security that remains unanswered? Now is your chance to ask it!!&lt;br /&gt;&lt;/span&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;&lt;em&gt;&lt;strong&gt;Mike Shanahan (Tripwire), Nick Prescot (Sysnet), Nick Heape (Visa Europe), Phil Jones (Barclaycard), Paul Rodgers (Vendorcom)&lt;br /&gt;&lt;br /&gt;&lt;/strong&gt;&lt;/em&gt;&lt;em&gt;1000 – 1030&lt;/em&gt;&lt;strong&gt; Coffee &amp;amp; Networking &lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;Your time away from the business is precious, we recognise that, and that’s why we’ve kept this session short and snappy! However, we also know that there’s never enough time to answer everybody’s questions in an open session – and indeed there may well be questions that you don’t want to ask in an open session. 
&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;So, the Vendorcom team, our speakers and our panel will all be staying on for coffee after the session so that, if you want to, you can spend an extra few minutes/half an hour, asking questions and taking the opportunity to share experiences with your peers – who knows what additional nuggets of information you could pick up that might just help your business! &lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;&lt;strong&gt;Date: &lt;/strong&gt;Tuesday 1st March 2011&lt;strong&gt; &lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;&lt;strong&gt;Time: &lt;/strong&gt;0800 (for a prompt 0830 start) – 1000 (with opportunity to stay on through to 1030 to ask additional questions/network) &lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;&lt;strong&gt;Venue: &lt;/strong&gt;Herschel Room, &lt;/span&gt;&lt;a href=&quot;http://www.76portlandplace.com/&quot;&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;76 Portland Place&lt;/span&gt;&lt;/a&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;, London, W1B 1NT&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;Map: &lt;/span&gt;&lt;a href=&quot;http://maps.google.co.uk/maps?sourceid=navclient&amp;amp;ie=UTF-8&amp;amp;hl=en-GB&amp;amp;rlz=1T4DMUK_en-GBGB280GB281&amp;amp;q=W1B&quot;&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;Click here&lt;/span&gt;&lt;/a&gt;&lt;/strong&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;&lt;strong&gt;&lt;br /&gt;&lt;/strong&gt;Nearest Underground Station: Regents Park (Bakerloo Line), Great Portland Street (Circle, Hammersmith &amp;amp; City, Metropolitan Lines) &lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;&lt;strong&gt;Cost: &lt;/strong&gt;This event is FREE to attend&lt;strong&gt; 
&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;&lt;strong&gt;Registration: &lt;/strong&gt;To confirm your place at this event: &lt;/span&gt;&lt;a href=&quot;http://www.vendorcom.com/register.php?event_id=78&quot;&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;Register Here&lt;/span&gt;&lt;/a&gt;&lt;strong&gt;&lt;span style=&quot;font-family:arial;&quot;&gt; &lt;/span&gt;&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;We hope that you will be able to join us, Vendorcom and Tripwire on 1st March. &lt;/span&gt;&lt;/p&gt;</description><link>http://sysnet-sysnet.blogspot.com/2011/02/and-supported-by-barclaycard-visa.html</link><author>noreply@blogger.com (Unknown)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxRgfB_NZOpOK9YwP8RCl58Lk20XYKHKQ_RrAhmzWrfk4utF-saONz2IiRC6XXQgdrTDWipmURk9ah7D7bCWdByCPLGIl7t-uhO1_q5C4V14AFkgcFAglMnooDtVy9pJDRQbAhghehRB1t/s72-c/vendorcom.jpg" height="72" width="72"/></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-8801140298233760806.post-4035642853931209206</guid><pubDate>Tue, 08 Feb 2011 11:10:00 +0000</pubDate><atom:updated>2011-02-08T03:11:39.770-08:00</atom:updated><title>Sysnet Global Solutions announces appointment of new Regional Manager for North America</title><description>Sysnet Global Solutions, a leading worldwide provider of information security and assurance services, today announced the appointment of Bill Hodge as Regional Manager for North America with immediate effect. Bill will be based in Knoxville, Tennessee.&lt;br /&gt;&lt;br /&gt;In this role, Bill will oversee Sysnet’s North American based business activities with an emphasis on new business development and client relationship management.  
&lt;br /&gt;&lt;br /&gt;“We are very pleased to welcome Bill to the company,” said Tom Moynagh, Managing Director at Sysnet, “Bill has considerable experience in the Information Security industry having provided consultancy, audit and risk assessment services to businesses operating in a wide variety of industries. We look forward to working with Bill and to the further development of our US based business.”&lt;br /&gt;&lt;br /&gt;“I am delighted that Sysnet have identified North America as a key region for business growth,” said Bill Hodge, Regional Manager for North America. “This is a critical time for many organizations as they struggle to both maintain regulatory compliance and protect their businesses whilst also adhering to strict budget controls. I am confident that Sysnet can provide the best value services to assist such organisations in meeting all of these requirements.” &lt;br /&gt;&lt;br /&gt;Bill graduated from East Tennessee State University with Bachelor’s and Master’s degrees after serving in the United States Marine Corps. 
He also holds an AAS in Computer Science from the Pellissippi State Technical Community College, and has earned the CISA and CISSP certifications.&lt;br /&gt;&lt;br /&gt;Further key personnel appointments for the North American region are expected in the near future.</description><link>http://sysnet-sysnet.blogspot.com/2011/02/sysnet-global-solutions-announces.html</link><author>noreply@blogger.com (Unknown)</author></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-8801140298233760806.post-52583059047385045</guid><pubDate>Mon, 31 Jan 2011 11:40:00 +0000</pubDate><atom:updated>2011-01-31T03:40:45.838-08:00</atom:updated><title>Sysnet announces relocation of headquarters to accommodate business expansion</title><description>Sysnet Global Solutions, a leading worldwide provider of information security and assurance services, today announced that due to significant business expansion they have relocated their Dublin headquarters to &lt;strong&gt;4th Floor, The Herbert Building, The Park, Carrickmines, Dublin 18&lt;/strong&gt;.&lt;br /&gt;&lt;br /&gt;“We are very pleased to announce the relocation of our Dublin based headquarters to accommodate our growing workforce” said Gabriel Moynagh, General Manager at Sysnet Global Solutions “During the past year we significantly increased our staff numbers to support recently announced client wins, including two major banking clients.  The majority of new hires have been to support our Compliance Managed Services solution that provides PCI DSS merchant portfolio compliance validation for banking and other acquiring organisations.  Similar growth is expected during 2011 with further new client announcements to follow.”  &lt;br /&gt;&lt;br /&gt;PCI DSS is a set of comprehensive requirements for enhancing the security of payment account data, transactions and processing systems. 
It was developed by the founding payment brands of the PCI Security Standards Council, and has been adopted by third party processors and merchant acquirers globally to combat cardholder data fraud.&lt;br /&gt;&lt;br /&gt;Sysnet’s new headquarters will cater for both its current and future business expansion requirements. The company also recently opened their new UK based office at Davidson House, Forbury Square, Reading, RG1 3EU Tel. +44 (0)118 900 1510.</description><link>http://sysnet-sysnet.blogspot.com/2011/01/sysnet-announces-relocation-of.html</link><author>noreply@blogger.com (Unknown)</author></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-8801140298233760806.post-942150914730599145</guid><pubDate>Fri, 10 Dec 2010 09:43:00 +0000</pubDate><atom:updated>2010-12-10T01:47:54.845-08:00</atom:updated><title>The importance of PCI Compliance</title><description>Before the PCI DSS was established, various card brands set up their own security programmes in order to protect cardholder data and prevent identity theft, in response to ongoing data compromises occurring at numerous levels.&lt;br /&gt; &lt;br /&gt;In 2006, the five major card brands (Visa, MasterCard, American Express, Discover Card and JCB) then decided to unify their policies and procedures under one universal standard that was called the Payment Card Industry Data Security Standard (PCI DSS). The PCI council governs the payment industry and ensures that all entities accepting, storing or transmitting credit card data adhere to the PCI DSS. The aim is to reduce the number of security breaches and protect the card brands. 
&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;PCI DSS can help organisations to:&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;      • protect valuable customer information including payment card details&lt;br /&gt;      • protect against the loss of valuable business information and the cost associated with data compromise&lt;br /&gt;      • protect against the negative publicity associated with a data breach &lt;br /&gt;      • ensure continued customer confidence in the use of payment cards&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;How does an organisation attain PCI compliance?&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;An organisation can attain PCI compliance by conforming to the 12 security requirements set out within the PCI DSS. Depending on their merchant level, an organisation that is accepting, storing or transmitting card data can become PCI DSS compliant by either submitting a validated Self-Assessment Questionnaire (SAQ) or by undergoing an onsite assessment with a Qualified Security Assessor (QSA). &lt;br /&gt;&lt;br /&gt;The merchant level depends on the volume of transactions that they are handling per annum. An organisation that is handling 6 million transactions or more must have an onsite assessment carried out each year by a QSA as well as quarterly network scans. &lt;br /&gt;However, an organisation that is handling 20,000 to 6 million transactions per year can fill out an SAQ but must also undergo quarterly scans of their external network in order to conform to PCI compliance. 
Organisations handling fewer than 20,000 transactions per year must also undergo quarterly scans of their network and complete an SAQ.&lt;br /&gt;&lt;br /&gt;If an organisation that is handling card data from one of the PCI council member brands falls victim to a security breach, they can incur a significant fine and be banned from handling future credit card payments for any of the five major card brands.&lt;br /&gt;&lt;br /&gt;For further information on our &lt;strong&gt;PCI compliance services&lt;/strong&gt;, please contact one of our Sales representatives by calling &lt;strong&gt;+353 (0)1 495 1300&lt;/strong&gt; or by completing our &lt;a href=&quot;http://www.sysnetglobalsolutions.com/en/Utilities/ContactUs/OnlineEnquiryForm.aspx&quot;&gt;Online Enquiry Form&lt;/a&gt; or &lt;a href=&quot;http://www.sysnetglobalsolutions.com/en/Utilities/ContactUs/CallBackForm.aspx&quot;&gt;Request a Call Back Form&lt;/a&gt;.</description><link>http://sysnet-sysnet.blogspot.com/2010/12/importance-of-pci-compliance.html</link><author>noreply@blogger.com (Unknown)</author></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-8801140298233760806.post-1981964545225825649</guid><pubDate>Wed, 17 Nov 2010 11:14:00 +0000</pubDate><atom:updated>2010-11-18T00:52:15.093-08:00</atom:updated><title>Sysnet appoints new Sales Director</title><description>Sysnet Global Solutions, a leading worldwide provider of information security and assurance services, today announced the appointment of Paul McNamara as Sales Director with immediate effect. &lt;br /&gt;&lt;br /&gt;Paul McNamara brings a wealth of experience and knowledge to Sysnet, having spent more than 14 years in sales roles with companies such as Google and BT.  
At Sysnet, Paul will be responsible for overseeing regional sales activity and for the achievement of the company’s global sales objectives.&lt;br /&gt;&lt;br /&gt;“We are very pleased to welcome Paul to the company, his experience and expertise will drive the consolidation of our global sales effort as the business continues to enjoy a considerable level of growth across all regions.” said Gabriel Moynagh, General Manager at Sysnet Global Solutions.&lt;br /&gt;&lt;br /&gt;“I am delighted to join Sysnet and I look forward to getting to know our clients and their businesses.  As Sales Director, my responsibility is to ensure our clients continue to receive the most appropriate and best value information security compliance and risk mitigation solutions” said Paul McNamara, Sales Director at Sysnet Global Solutions “I am also looking forward to the challenge of ensuring that the business continues to enjoy in the future, the success it has experienced to date.”&lt;br /&gt;&lt;br /&gt;Paul holds a BSc. 
in Management from Trinity College, Dublin and an Advanced Diploma in Marketing from the Dublin Institute of Technology.&lt;br /&gt;&lt;br /&gt;For further information, please visit our website at &lt;a href=&quot;http://www.sysnetglobalsolutions.com&quot;&gt;www.sysnetglobalsolutions.com&lt;/a&gt;</description><link>http://sysnet-sysnet.blogspot.com/2010/11/sysnet-appoints-new-sales-director.html</link><author>noreply@blogger.com (Unknown)</author></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-8801140298233760806.post-7963631585039612642</guid><pubDate>Thu, 28 Oct 2010 13:05:00 +0000</pubDate><atom:updated>2010-10-28T06:07:38.802-07:00</atom:updated><title>Sysnet appoints new Head of Professional Services</title><description>Sysnet Global Solutions, a leading worldwide provider of information security and assurance services, today announced the appointment of Andrew Dalrymple as Head of Professional Services with immediate effect.&lt;br /&gt;&lt;br /&gt;Andrew has gained significant experience within the information security industry having held a number of senior roles with organisations such as NCC Group Plc, Global Secure Systems Ltd, Dimension Data Plc and Computer Associates (CA) Inc in the UK and South Africa.  He has significant experience in the audit and assurance space with an emphasis on PCI-DSS, ISO 27001 and Data Privacy and has consulted across a wide range of industry sectors. &lt;br /&gt;&lt;br /&gt;“Following our recent announcement regarding the appointment of a new Chief Technical Officer, we are pleased to advise that we have now further strengthened our core management team with the appointment of Andrew Dalrymple as Head of Professional Services.” said Gabriel Moynagh, General Manager at Sysnet Global Solutions. 
“Andrew is a highly qualified, experienced professional and we are very pleased to welcome him to the company.”&lt;br /&gt;&lt;br /&gt;“I’m very happy to have this opportunity to join Sysnet and I look forward to working with such a highly skilled and dedicated professional service team.” said Andrew Dalrymple, Head of Professional Services at Sysnet Global Solutions. &lt;br /&gt;&lt;br /&gt;Andrew, who studied at Rhodes University in South Africa, is an ISO 27001 Lead Auditor and holds the CITP, CISA, CISM and CGEIT certifications. &lt;br /&gt;&lt;br /&gt;For further information, please visit our website at &lt;a href=&quot;http://www.sysnetglobalsolutions.com&quot;&gt;www.sysnetglobalsolutions.com&lt;/a&gt;</description><link>http://sysnet-sysnet.blogspot.com/2010/10/sysnet-appoints-new-head-of.html</link><author>noreply@blogger.com (Unknown)</author></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-8801140298233760806.post-5548373907164924168</guid><pubDate>Tue, 19 Oct 2010 15:35:00 +0000</pubDate><atom:updated>2010-10-19T08:38:09.470-07:00</atom:updated><title>Call Recording, PCI DSS &amp; the Pitfalls</title><description>Many organisations that use voice recordings within the Contact Centre do so because it is required for business reasons, such as agent training or confirmation of verbal contractual agreements that are carried out over the telephone channel when selling services. &lt;br /&gt;&lt;br /&gt;Depending upon the transaction type, regulatory requirements to keep any recordings (for varying periods of time) for playback apply. For businesses, particularly in the financial services and retail sectors, further requirements apply because when purchase transactions are completed over the telephone using payment cards, certain data needs to be protected. 
&lt;br /&gt;&lt;br /&gt;For organisations that are required to record telephone conversations and also take payment card details over the phone, the recording and storage of this data can become a PCI compliance issue.&lt;br /&gt;&lt;br /&gt;Typically the call recording will record the whole conversation including the Primary Account Number (PAN) and the three or four digit security code (CAV2, CVC2, CVV2 or CID). In addition to the considerations required around the call recordings, enhanced processes and procedures are required for all of the other stages involved in and around the initial call. &lt;br /&gt;&lt;br /&gt;There are many things to consider when recording a call containing cardholder data. It is vital to quickly determine what data needs to be protected, for what length of time, and what analytical tooling is in place within your business; the appropriate management and protection of this information is paramount. It is worth noting that some of the largest fraudulent activities that occur are often from within the organisation, so it is imperative to ensure that voice recording is looked at from both a technology and a user process perspective, as they go hand in hand. &lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Some things to consider &lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;1. Is a formal Security Awareness Training programme in place and being maintained? &lt;br /&gt;2. Have you developed and implemented a set of PCI DSS compliant Policies? &lt;br /&gt;3. Are the call recordings stored securely? &lt;br /&gt;4. Is your network securely maintained and protected against attack? &lt;br /&gt;5. Do you maintain and secure a detailed set of auditable logs? &lt;br /&gt;&lt;br /&gt;Where technology exists to prevent recording of these data elements, such technology should be enabled. 
If these recordings cannot be data mined, storage of CAV2, CVC2, CVV2 or CID codes after authorisation may be permissible as long as appropriate validation has been performed. This includes the physical and logical protections defined in PCI DSS that must still be applied to these call recording formats. &lt;br /&gt;&lt;br /&gt;&lt;strong&gt;What this means: &lt;/strong&gt;&lt;br /&gt;Essentially, the Card Verification Value (CVV) must not be retained post authorisation. In any event, and only as a last resort, where a CVV is retained it must be held subject to additional security controls to meet the intent of the Standard, but always via a compensating control. &lt;br /&gt;&lt;br /&gt;Before any such compensating control can be implemented it must be verified by a Qualified Security Assessor (QSA); in turn, approval for the compensating control must be obtained from the acquiring bank. &lt;br /&gt;&lt;br /&gt;&lt;strong&gt;How can Sysnet help you? &lt;/strong&gt;&lt;br /&gt;Sysnet Global Solutions is a QSA providing a range of services and solutions that enable organisations to become and remain compliant with the standard. We have developed tailored packages to address the specific requirements of organisations who must comply with the requirements discussed in this document. &lt;br /&gt;&lt;br /&gt;For further information on our &lt;strong&gt;Information Security Services&lt;/strong&gt;, please contact one of our Sales representatives by calling &lt;strong&gt;+353 (0)1 495 1300&lt;/strong&gt; or by completing our &lt;a href=&quot;http://www.sysnetglobalsolutions.com/en/Utilities/ContactUs/OnlineEnquiryForm.aspx&quot;&gt;Online Enquiry Form&lt;/a&gt; or &lt;a href=&quot;http://www.sysnetglobalsolutions.com/en/Utilities/ContactUs/CallBackForm.aspx&quot;&gt;Request a Call Back Form&lt;/a&gt;. 
&lt;br /&gt;&lt;br /&gt;Alternatively, for a full list of contact details for our worldwide offices and Business Development Managers, please click here.</description><link>http://sysnet-sysnet.blogspot.com/2010/10/call-recording-pci-dss-pitfalls_19.html</link><author>noreply@blogger.com (Unknown)</author></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-8801140298233760806.post-5734420179165925140</guid><pubDate>Tue, 19 Oct 2010 15:25:00 +0000</pubDate><atom:updated>2010-10-19T08:33:40.145-07:00</atom:updated><title>Sysnet appoints new Chief Technical Officer</title><description>Sysnet Global Solutions, a leading worldwide provider of information security and assurance services, today announced the appointment of Gabriel McDermott as Chief Technical Officer with immediate effect. &lt;br /&gt;&lt;br /&gt;Gabriel McDermott brings a wealth of experience and knowledge to Sysnet having worked with companies at varied stages of development from start-ups to established businesses across a variety of sectors. Gabriel’s strengths lie in his ability to provide leadership both managerial and technical to cross function teams with specific product targets. As CTO, Gabriel will oversee the next phase of Sysnet’s technology platform development that will future proof the company’s ability to consistently deliver unrivalled service to its existing client base and greatly enhance the speed to market for new clients. 
&lt;br /&gt;&lt;br /&gt;“We have created a number of senior management roles due to the exceptional growth experienced in recent times.” said Gabriel Moynagh, General Manager at Sysnet Global Solutions “This appointment is essential to our strategic development and we are very happy to welcome Gabriel to the company.” &lt;br /&gt;&lt;br /&gt;“I’m very excited about working with the new product development team at Sysnet and I look forward to further developing the company’s long term technical strategy in line with the strategic business development objectives.” said Gabriel McDermott, Chief Technical Officer at Sysnet Global Solutions. &lt;br /&gt;&lt;br /&gt;Gabriel holds an honours BSc. Degree and PhD in Computer Science from University College Dublin.&lt;br /&gt;&lt;br /&gt;For further information, please visit our website at &lt;a href=&quot;http://www.sysnetglobalsolutions.com&quot;&gt;www.sysnetglobalsolutions.com&lt;/a&gt;</description><link>http://sysnet-sysnet.blogspot.com/2010/10/sysnet-appoints-new-chief-technical_19.html</link><author>noreply@blogger.com (Unknown)</author></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-8801140298233760806.post-8571009610580719151</guid><pubDate>Tue, 19 Oct 2010 15:24:00 +0000</pubDate><atom:updated>2010-10-19T08:33:27.370-07:00</atom:updated><title>Sysnet announce appointment of new Regional Manager for Africa</title><description>Sysnet today announced that they have appointed Angie Marriner as their new African Regional Manager due to phenomenal growth within this region over the past 12 months.&lt;br /&gt;&lt;br /&gt;Angie will oversee all business activity in Africa on behalf of Sysnet. Angie has a strong project management background in the Information Security Assurance industry, having worked within the industry for a number of years. &lt;br /&gt;&lt;br /&gt;“We are delighted that Angie is joining Sysnet’s South African office as our new Regional Manager. 
We believe that Angie’s experience and skill set will be beneficial to Sysnet in gaining a stronger foothold within the African region” said Tom Moynagh, Managing Director at Sysnet. &lt;br /&gt;&lt;br /&gt;“I am delighted to be joining a company that is rapidly expanding globally and one that is targeting Africa” said Angie Marriner. “As a native South African, I believe that there is a lot of potential within the African region for Sysnet to expand further”. &lt;br /&gt;&lt;br /&gt;“As a result of economic growth within the African region, there has been a significant increase in the number of business transactions which has led to more sensitive information being stored, processed and transmitted by organisations. This has inevitably led to an increased demand for Information Security Assurance related services such as Documentation Review, PCI DSS audits, PCI DSS training etc. I believe that Sysnet Global Solutions are well positioned to deliver a high quality level of information security services to African organisations in the future” said Angie Marriner. &lt;br /&gt;&lt;br /&gt;Sysnet have also appointed a number of Qualified Security Assessors for South Africa and are in the final stages of recruiting a Business Development Manager who will work closely with Angie in her role as Regional Manager. 
Further key hires are expected in the near future as Sysnet continues to expand in this region.&lt;br /&gt;&lt;br /&gt;For further information, please visit our website at &lt;a href=&quot;http://www.sysnetglobalsolutions.com&quot;&gt;www.sysnetglobalsolutions.com&lt;/a&gt;</description><link>http://sysnet-sysnet.blogspot.com/2010/10/sysnet-announce-appointment-of-new_19.html</link><author>noreply@blogger.com (Unknown)</author></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-8801140298233760806.post-1398912921447850330</guid><pubDate>Tue, 19 Oct 2010 15:24:00 +0000</pubDate><atom:updated>2010-10-19T08:33:12.456-07:00</atom:updated><title>Sysnet expands Dublin Office following two major Banking wins</title><description>Sysnet Global Solutions today announced that they hope to increase their support staff by up to 35 people following the acquisition of two major banking clients in recent months. Sysnet will deliver PCI DSS merchant portfolio compliance validation for both clients. &lt;br /&gt;&lt;br /&gt;PCI DSS is a set of comprehensive requirements for enhancing the security of payment account data, transactions and processing systems. It was developed by the founding payment brands of the PCI Security Standards Council, and has been adopted by third party processors and merchant acquirers globally to combat cardholder data fraud. &lt;br /&gt;&lt;br /&gt;The PCI DSS programme the banks will implement provides a complete suite of services including an online portal, merchant helpline and associated services supported by a clear compliance policy and charging structure. 
&lt;br /&gt;&lt;br /&gt;“This is another very significant achievement for Sysnet, the company has grown rapidly in the last year and these latest client acquisitions will most likely see us add another 35 support people to our staff base.” said Tom Moynagh, Managing Director at Sysnet Global Solutions.&lt;br /&gt;&lt;br /&gt;For further information, please visit our website at &lt;a href=&quot;http://www.sysnetglobalsolutions.com&quot;&gt;www.sysnetglobalsolutions.com&lt;/a&gt;</description><link>http://sysnet-sysnet.blogspot.com/2010/10/sysnet-expands-dublin-office-following.html</link><author>noreply@blogger.com (Unknown)</author></item></channel></rss>