
IFSEC Insider, formerly IFSEC Global, is the leading online community and news platform for security and fire safety professionals.
August 24, 2011


Card transactions: how long will it be before legislation is rushed in?

Recently, a number of high-profile data thefts, including the hacking of The Sun newspaper’s customer database and the Sony PlayStation Network, have made people more aware than ever of online data security and of how they can protect themselves with a few basic precautions.

It will only be a matter of time before consumers’ attention turns to the security surrounding some of our most sensitive information: the debit and credit card details that are processed every time we make a purchase.

Each and every time a transaction is made, the consumer hands his or her card details to a multitude of companies involved in processing, authorising and recording it: the merchant, the merchant’s bank (the acquirer), the cardholder’s bank (the issuer), settlement banks, the card processing company and all the companies those entities use to manage their networks, data processing and storage.

We have no option but to hand our credit or debit card details to retailers and online merchants on a daily basis, and any unauthorised access to that data would allow fraudulent purchases to be made with ease.

Even with this risk profile, no legislation mandates security controls for the processing of card data.

Not yet a legal mandate

The Payment Card Industry Data Security Standard (PCI DSS) exists to ensure each of these organisations meets specified criteria for handling this data, but it is enforced contractually, by the card brands through the banks that process card payments; it is not a legal mandate.

“For as long as the PCI Data Security Standard is not a legal requirement, some card data processing organisations will undoubtedly try to find a low cost way of achieving certification,” suggested Ray Welsh, head of marketing at The Bunker (which delivers ‘ultra secure’ managed hosting, cloud computing, colocation and outsourced IT from within Europe’s most secure data centres).

“They’ll be considering certification as a cost that needs to be kept at a minimum rather than an investment in its end users. In time, this will result in shortcuts being taken and unnecessary risks introduced.”

According to Welsh, the standard does not need to be tougher, but its enforcement does.

“Do we really need to wait for the inevitable Enron-style breach before being forced into a knee-jerk and rushed introduction of a Sarbanes-Oxley equivalent for credit card data?”

Protecting a user’s card details means building credit and debit card processing systems with security in mind from the ground up, and investing in that, rather than treating standards such as PCI DSS as a mere box-ticking exercise applied retrospectively to an existing system with the minimum resource possible.

Welsh added: “Only if all the entities in the payment chain are legislated to adopt security that combines the highest levels of physical, human and digital security as specified in the PCI standard can it be considered to be truly secure and incidents averted.”

The Bunker and CNS announce IT security partnership

The Bunker is pleased to announce a partnership to offer CNS’ COMPLIANCEngine and Payment Card Industry Qualified Security Assessor (PCI QSA) compliance services alongside its own ultra secure data centres.

The partnership will enable both companies to offer a range of complementary services, from consultancy, network auditing and accreditation to QSA, CESG, CHECK and CLAS standards, through to colocation, managed hosting and cloud computing in ex-military nuclear bunker data centres.

Simon Neal, the director of data centre services at The Bunker, told SMT Online: “The Bunker needed independent and certified personnel to assist us with delivering PCI DSS and GSx CoCo (IL3) certified solutions. We were particularly impressed with CNS’ COMPLIANCEngine, a comprehensive suite of software and services which has already significantly reduced the time to certification for several of our clients. The company’s levels of innovation and in-depth understanding of security standards, as well as its approach to delivering certified solutions, have been exceptional.”

Kevin Dowd, the director of security assessment and founder of CNS, commented: “We’re delighted to be able to offer our PCI accreditation services to The Bunker’s clients, as well as our COMPLIANCEngine.”

He continued: “We developed the concept for this service after years of auditing to a full range of regulation and governance requirements. We realised that we needed a tool which could audit a network once and provide the information for many controls, so we built one.”

CNS’ COMPLIANCEngine managed service (www.compliancengine.com) was built in response to the increasing levels of IT compliance regulation across all industries. It works for any industry or in-house standard by automating compliance-specific functions such as build validation, log management (SIEM), vulnerability assessment, and configuration and patch management.

It can also be customised according to a client’s applications, systems, IT estate and risk management methodology.

CNS is a specialist IT security and networking consultancy. Established in the City of London in 1999, it’s wholly owned by its employees and directors.

Customers vary in size, from FTSE 100 and large public sector organisations to SMEs. They’re all united in the understanding of the importance of digital information to their businesses, in their desire for pragmatic, knowledgeable help in securing their systems and data and in meeting their connectivity requirements.

CNS is a PCI DSS Qualified Security Assessor (QSA), CESG CHECK and CLAS consultancy and ISO 27001 Lead Auditor, providing advisory, project and managed information assurance and compliance services.

The Bunker achieves ISO 27001 re-certification

The Bunker is also proud to announce its re-certification to the ISO 27001 Information Security Management System standard for a further three years.

The Bunker first achieved ISO 27001 certification in March 2008 and has continued to demonstrate its commitment to continuous monitoring, review and improvement of its ISMS.

For The Bunker, ISO 27001 shows a systematic approach to the continuous evaluation of its security systems and a coherent and comprehensive approach to security management and risk mitigation.

Peregrine Newton, CEO at The Bunker, explained: “Certification by the British Standards Institution reinforces the company’s utmost commitment to provide its customers with secure services that use industry respected Best Practices. Our successful re-certification demonstrates to our customers, partners, staff and investors that we remain strongly committed to adopting and enforcing the highest standards in our Information Security Management System.”

He added: “With The Bunker’s unique facilities, ISO 27001 certification and our team of technical experts on-hand 24/7, we can provide an incomparable service to all our customers who look for the highest security standards in their data management.”

ISO/IEC 27001:2005 is the only auditable international standard that defines the requirements for an Information Security Management System (ISMS). The standard is designed to ensure the selection and implementation of adequate and proportionate security controls for information assets.

The Bunker provides ultra secure data centre and managed services solutions to some of the world’s leading payment gateways, such as Moneybookers and Commidea.
