There’s always been a discrepancy between banks in their approach to getting their merchants and service providers PCI DSS compliant.

Some have had a very strong focus on PCI DSS compliance while others have been relatively quiet. In theory, there should not have been such a discrepancy. Merchants and service providers should always have had a consistent message so that changing banks to defer PCI DSS compliance was never an option. Was it? Did many or any do it? For some, it definitely would have bought them time in my opinion.

It’s interesting that in 2010, after deadline after deadline for compliance has passed, there are so many organisations out there where PCI DSS compliance is just not a priority (but where you know it should have been, a long time ago). Where you have to question things further is why a company down the road, in the same industry, about the same size, but with a different bank, has been investing heavily and working hard on compliance for 2 years with constant pressure on them from their bank.

To paraphrase a contact of mine in one of the aforementioned organisations where the bank is doing little: “We know that we should be PCI compliant. We were prepared for some pain a couple of years ago, but it never came. It’s gone cold now. No one’s chasing us and for the most part, it’s been forgotten. It may come back but I can’t see it in the short term”.

Where is the consistency that will bring the greater credibility? It’s only fair that some will question the overall program. How hard are the Card Brands fighting to maintain an interest from the banks?

Securus Global: IT Security, Penetration Testing, Security Assessments, PCI Compliance, Product Assurance, QualysGuard, Security Strategy, Vulnerability Assessment.

Posted in: Bad Stuff, PCI, PCI DSS

We’ve talked quite a bit about PCI DSS compliance here. Generally, we’ve looked at what is going wrong, what can go wrong and, from there, what organisations should consider to do it better. Here we look at it from a slightly different perspective, though not a wholly new one either; we’ve touched on and skirted around this a few times.

While PCI DSS has been a good wake-up call for many organisations, there’s a negative side that doesn’t get much attention. It gets lost in all the talk about the benefits PCI DSS has provided to organisations whose security practices were previously weak to non-existent: a security strategy based solely on compliance.

It doesn’t work.


Just got back and saw this was confirmed:

CEOs, CIOs and Middle East Government and Government Security seem to be the audience.

Should be fun... there are no slides, just talk. They accepted that (somewhat, I think). :) I prefer to just talk.

This will be an all-out session and I hope Bruce S (Keynote) will be there. Pass this link to 20 of your friends and you will receive, magically, a new notebook.

It’s been an interesting few months as we’ve seen a rapid rise in the number of organisations coming to talk to us about PCI DSS compliance. The really cool thing, as mentioned here, is that we are seeing proof that if you approach your PCI DSS compliance projects as we suggested in this post, “PCI Compliance Projects – The road to nowhere…”, you will have a greater chance of success!

We’ve worked with so many great companies in recent months who’ve taken the advice on board seriously and have made awesome inroads in regard to their IT security position (and PCI DSS compliance). Most are now “compliant” (well, as compliant as you can get).

On the flip side, and let’s not dwell on this too much, we’ve also seen a few organisations prove that not approaching a PCI DSS compliance project as recommended in our post does make for an expensive and very time-consuming (and time-wasting) exercise for all.

A PCI DSS compliance project is what you make of it. You can give up and claim it is impossible (and close your eyes to the fact that others have done it), or you can make it work. The principles of a successful PCI DSS compliance project are no different from the principles you would adopt to make any other project successful!

Related Links:
- Previous PCI Posts (Uncut)
- Six ways you can bork PCI
- PCI: Choosing your Auditors Carefully

By SGirl:

Who will I upset this time? Though the support far outweighed the few negative comments. But, I digress…..

It is interesting the information that you can find when you look really hard and spend a bit of time to get results.

As a bit of background: to me, IT security is not just about technical solutions, hacking and the latest marketing terms like the “Cloud”. It is also about management, strategy and compliance (not the dirty version). These are many areas that, for some reason, the media don’t really report on or focus upon (unless your compliance means PCI DSS). It’s the less “sexy” part of the industry, but for many, it’s the part that hits the coalface of the business.

In Australia, there are things happening that you hear little to nothing about, things that are affecting businesses and compliance considerations now. They aren’t being focused upon and are far from hot topics like PCI DSS: “Ooh, merchants might start being fined soon, so let’s start talking about what PCI DSS is, what it means to you and how vendor X is going to help you”! We only hear about what a few decide is “sexy”, but for the most part, and as recent conversations here on this blog and in forums have shown, what those individuals decide is “interesting” seems not to be what is floating the boats of many in the industry. Drazen Drazic gets most of his news from blogs, he says.

Let’s have a look at a few things:


Everyone (schemes, banks, press etc.) tries to spread the care factor for any significant data breach of cardholder information.

The reality is that from an individual’s perspective, it really doesn’t matter whether it’s 20 million cards “exposed” or 1, as long as that “1” does not belong to the individual. And if it does, in most cases the individual is protected against their losses.

Just a philosophical question/view. :)

How to get PCI DSS compliance right! This is the most awesome piece of journalism to have hit the Internet for a while. If you are one of the thousands of organisations hit by the burden of becoming PCI compliant, look no further than this article for the hot tip on kicking it. For those who have been through it, I bet you wish you had something like this when you were doing it:

Many thanks to Mike for highlighting this one. :-)

The Introduction – Living it Easy

Having worked in more heavily regulated environments, such as the banking and finance sector in many Asian countries (for example, Singapore and Japan), compliance pressures through something like the PCI DSS don’t seem nearly as onerous, nor as huge an immediate and ongoing effort on the part of businesses.

Coming from that world and perspective, something like the PCI DSS is not really new, and not nearly as impossible or difficult as it seems to many people in countries like Australia, the US and other parts of the world where the regulatory impact upon IT and IT security has been relatively minimal to negligible.

It is all relative and comes down to the business environment you work in and you are used to. Read on:

We hope any rumours are just that. Anything being announced later this week?

Interesting reference to Heartland being the “exception”. Reality? Hmm...

Posted in: PCI, PCI DSS

From Risky.Biz, Dec’s article on PCI: Six ways you can bork PCI

Makes a load of sense to me, but then we’ve been talking about this for a long time.

Posted in: PCI, PCI DSS
