Tuesday, 28 August 2007

So what’s PCI and what’s it got to do with ILP?

That’s PCI as in “Payment Card Industry” – and specifically the PCI Data Security Standard (PCI DSS). Basically the big credit card companies (Visa, MasterCard, American Express etc.) got together and created a new set of standards to deal with card fraud. The aim of PCI is to force organisations like merchants and service providers (basically anyone that handles, transmits or stores card details) to protect the card data properly. For anyone who doesn’t comply, there are fines, and potentially the card companies are threatening to block people from processing their card data altogether – a big deal if you’re a retailer or anyone who depends on credit cards.

A worthwhile industry initiative to combat fraud? Or a shameless attempt by the banks to push the risk and responsibility onto others?

Whatever you think of PCI, there are many, many companies that need to comply. And taking auditable steps to stop credit card information leaking is an important part of the puzzle – ILP is really a must-have if you need to comply with PCI.

The deadlines for compliance are complicated depending on what you do and where you are, but 30th September 2007 is an important date for many US-based companies, and really everyone ought to be compliant or nearly there already.

The official page isn’t really the most helpful, but here’s a great blog that helps with PCI, and an interesting recent discussion on Slashdot.

Wednesday, 15 August 2007

Mobile doesn’t have to mean unsafe

I know from talking to customers and colleagues that mobile devices cause all sorts of security headaches. It’s all very well having your desktops and laptops locked down and secure, but no company can ignore Blackberries and other mobile devices. And keeping laptops of remote workers properly updated and set up with security software is notoriously difficult.

This article in Network World has some useful perspectives, but I think it misses the most important point. If you put your email security and data loss prevention technology onto the email server, not the mobile device, then you’re protected for any messages that go through the server – whether users have sent them from desktops, laptops, PDAs, or whatever. Simple but effective.
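As an added example (my own code, not the blog’s or any vendor’s ILP product), here is the kind of server-side check the two posts above argue for: an outbound mail filter that spots card numbers by their Luhn checksum, masks them, and flags the message for quarantine rather than trusting each device to behave. The regex, the sample message and the quarantine/deliver outcomes are assumptions made for illustration.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or hyphens,
# not glued to other digits. Assumed pattern for illustration only.
PAN_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")

# Constructed sample: one real-looking card number plus a 13-digit order
# reference that looks like a PAN but fails the checksum (a false positive
# a naive digit-count filter would block).
SAMPLE_MESSAGE = (
    "Hi, please charge card 4111 1111 1111 1111 exp 12/09 for the order.\n"
    "Order ref 1234567890123, ship to the usual address.\n"
)


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the original spellings of every Luhn-valid card number in text."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(m.group())
    return found


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, which PCI DSS permits to be shown."""
    digits = re.sub(r"[ -]", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def filter_outbound(message: str) -> dict:
    """Server-side decision: deliver clean mail, mask and quarantine the rest."""
    pans = find_pans(message)
    if not pans:
        return {"action": "deliver", "pans": 0, "body": message}
    body = message
    for pan in pans:
        body = body.replace(pan, mask_pan(pan))
    return {"action": "quarantine", "pans": len(pans), "body": body}
```

Because the check runs once on the server, the same policy applies whether the message came from a desktop, a laptop or a handheld.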

Tuesday, 7 August 2007

Data breach laws to come to the US

The USA is working to push through a national law on data breaches, which is a major shift away from the existing mix of state laws and other regulations. Currently, the requirements for disclosure and the definitions of what counts as personal information vary from state to state, making it tricky to comply if you do business nationwide.

The new laws aren’t yet defined and there’s a lot of complexity to wade through, but the bottom line is that US firms are going to have to take protecting information even more seriously in the future. The indications are that the laws are only going to get stricter, and enforcement more enthusiastic.

There’s more detail in this Computerworld article, which has an excellent round-up of existing US and European Union laws and their evolution.

Wednesday, 1 August 2007

Insert naval pun here

It’s an old(ish) story, but I couldn’t resist linking to The Register and one of its prime candidates for headline of the year, “Smut-swapping sailors leak secret missile specs”. The Reg’s story is safe to read at work, but is a lesson on what happens when classified missile data gets mixed up with indecent images. I, of course, hope that none of you reading this have inadvertently sent out the wrong information with indecent images, but there is probably a fair percentage of you who have just plain sent the wrong information to the wrong person by mistake.