Thursday, June 26, 2008

PCI QSA

This week I've been in Sydney on a training course to become a Qualified Security Assessor (QSA) for the Payment Card Industry Data Security Standard (PCI-DSS).

The PCI-DSS is a standard jointly devised by VISA, Mastercard, American Express, JCB and Discover that details the security controls that must be in place to protect credit card data from electronic or paper theft. Any company that processes, stores or transmits credit card data is now obliged to be compliant with PCI-DSS, and any company that isn't compliant is at risk of losing its merchant status (ability to accept credit cards) and suffering a fine. As you can imagine, losing merchant status would mean the end of business for many companies, so this is a very big thing.

As a QSA I will be carrying out audits of the larger merchants and providing a Report on Compliance (ROC) to their acquiring bank to testify whether or not they comply. This is something I have to take very seriously because if I report that a company is compliant and then they get hacked, any fine incurred by the merchant could be passed on to my company if it can be proven that my report was inaccurate. So any company that chooses me as their QSA should not expect to get an easy ride!

Only the larger merchants have to be audited by a QSA; smaller merchants can submit a completed Self-Assessment Questionnaire (SAQ) to their bank. However, if the bank is unhappy with the answers in the SAQ they will tell the merchant that they are non-compliant, as many merchants are now discovering.

It's not just merchants that I'll be able to audit either. The banks themselves, classed as Service Providers, and other companies that process payments up the chain from the merchants could also be subject to my microscope.

The requirements of PCI-DSS are quite stringent and for smaller merchants can be highly complex. In the last couple of years I've been helping companies implement compliance programs to meet the requirements of PCI-DSS and accurately complete their SAQ. Becoming a QSA takes me to the next level and authorises me to audit companies on behalf of the Payment Card Industry Security Standards Council. Although I'm a QSA, I only retain my status as a QSA whilst working for a QSA Company (QSAC). Vice versa, the company I'm working for will only retain its QSAC status whilst it has QSAs in its employment, which at the moment is me and one other.

I'm not quite there yet: I've sat the course and met all the other requirements, and yesterday I sat the exam, the results of which I'll get in the next 2 weeks. I'm also waiting for my police checks to come back. I'm not expecting any problems (I'll have some explaining to do to my company if I've failed either of them!).

The course itself was quite interesting. I was already familiar with a lot of it as I've been working with the standard for the last 2 years but it did help clarify a lot of questions I had over the grey areas in the standard. I also learnt a few cool tricks such as how to find credit card numbers and a formula that can be applied to discover whether or not a number that you're looking at is in fact a valid credit card number or not. Quite a nice party trick (for a very geeky party!).
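The post doesn't name the formula, but the standard check for whether a digit string could be a card number is the Luhn (mod 10) checksum, so I'll assume that is what's meant. The script below is an added example, not something from the course or this blog: it scans a constructed application-log excerpt for 13 to 19 digit strings (optionally separated by spaces or dashes), runs the Luhn check on each candidate, and reports masked hits, which is the sort of thing a QSA does when confirming that primary account numbers haven't leaked into logs that are supposed to be out of scope. The number 4111111111111111 is a well-known public test number that passes the check; the other digit strings are constructed look-alikes.

```python
import re
from typing import List, Tuple

# Constructed sample log (not real data). Line 1 holds a Luhn-valid public
# test number, line 2 a near miss, line 3 a phone number and a 16-digit
# sequence that is not Luhn-valid, line 4 a token too long to be a PAN.
SAMPLE_LOG = """\
2008-06-26 10:01:12 INFO order=10293 card=4111 1111 1111 1111 amount=49.95
2008-06-26 10:01:13 INFO order=10294 card=4111111111111112 amount=12.00
2008-06-26 10:02:40 INFO customer phone 0412345678 ref 1234567890123456
2008-06-26 10:03:02 INFO session token 98765432109876543210987654321
"""

# A candidate PAN: 13 to 19 digits, each optionally followed by one space or
# dash, not immediately preceded or followed by another digit (so a 29-digit
# token is rejected rather than having a 19-digit prefix carved out of it).
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(number: str) -> bool:
    """Luhn check: working from the right, double every second digit,
    subtract 9 from any doubled value above 9, then the sum must be a
    multiple of 10. Non-digit separators are ignored."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 2:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Show only the last four digits so the finding itself isn't a leak."""
    return "*" * (len(pan) - 4) + pan[-4:]


def find_pans(text: str) -> List[Tuple[int, str, bool]]:
    """Return (line number, masked digits, luhn_valid) for every candidate."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            hits.append((lineno, mask(digits), luhn_valid(digits)))
    return hits


def likely_pans(text: str) -> List[Tuple[int, str]]:
    """Only the candidates that also pass the Luhn check."""
    return [(ln, masked) for ln, masked, ok in find_pans(text) if ok]


if __name__ == "__main__":
    for lineno, masked, ok in find_pans(SAMPLE_LOG):
        print(f"line {lineno}: {masked} luhn={'ok' if ok else 'fail'}")
    print("likely PANs:", likely_pans(SAMPLE_LOG))
```

The Luhn check only catches transcription errors, so a string that passes it is merely plausible, not confirmed; in a real review you'd treat each hit as a lead to chase with the application owner, and you'd never copy the unmasked number into your own report.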

I'm on a 6-day hacking course in Canberra next week so that knowledge combined with my PCI knowledge should make me a valuable resource for the Russian Mafia. Just kidding!

Wednesday, June 11, 2008

Taking a Bite of the Apple

I'm now the proud owner of a new Apple MacBook Pro. It's actually the first computer I've bought in about 8 years as I usually just use the laptop provided by work. But now that I'm doing web development work, both at home and at work, I needed something that I could rely on and a machine that wouldn't start dying after having half a dozen windows open.

It's also the first time I've used a mac. After using Windows ever since Windows 3.1 it takes a bit of getting used to because everything is different, but, in most cases I've got to admit it's better on the mac.

The macbook is expensive but I've managed to do a deal with work where I get it through salary sacrifice. Doing it this way I don't have to pay GST (10%) and it gets paid out of my pre-tax salary, meaning all together a saving of approx 35%. What's more, I can pay it over 3 months. This is the first company I've worked for where they have a policy where you can use your personal laptop as your work laptop (as long as it meets the security requirements), so it works out really well. They've allowed me to purchase a copy of VMware on expenses, which means I can now run a copy of Windows XP in a virtual session on my mac, so I can still use the Microsoft Office applications without having to fork out for a copy of Office 2008 for the Mac. Funnily enough, Windows now runs faster on my mac with a load of Mac applications open at the same time than it ever did on my last XP laptop.

Now I'm considering the ultimate accompaniment to my mac - the iPhone 2, which was announced on Monday and is heading its way to Australia on July 11th. I watched Steve Jobs' keynote speech where he announced the worst kept secret of the year. The new iPhone does look pretty good, and finally at a reasonable price ($199).