Well, rarely does an entire country entice me to start ranting (and at this point I'll point out that I am in fact Australian), but by crikey, Australian technology hasn't really moved in the last 5 years.
Now, I appreciate this is a sweeping statement, and I'll point out that the technology I'm talking about is primarily media based: mobile, web and internet. I have also had the benefit of living in London for the better part of 10 years, so I've been at the hub of what is going on.
What I don't understand is why a nation that was at the forefront of new media ten years ago is now in a position where nothing has shifted for the last 5. SMS is still massively underutilised, and the idea of an SMS shortcode in Australia is a joke: 8 digits is only 2 shorter than a mobile number, so it is hardly short! Indeed, everything to do with mobile is still more expensive, slower and less polished than we are used to in Europe. I went to Vodafone when I got here and asked for a pay-as-you-go SIM card for my phone with pay-as-you-go data on it... I was met with blank stares. Telstra and Optus were both the same.
General internet access is similarly expensive and slow compared to what we are used to in Europe. Given a relatively modern telecommunications infrastructure, the fact that telcos are flogging the ADSL route instead of fibre or cable raises the question of why so many roads were dug up in the capital cities in the late 80s and early 90s to lay that cable in the first place.
What is also interesting is the lack of FOSS out here. Linux is relatively popular, but nowhere near as popular as it is in Europe. Indeed, corporate America has its laser telescopic sight firmly trained on the Australian market, and even getting Linux hosting is nowhere near as simple as getting a site hosted on a Windows server. Linux certification and knowledge are still seen as a specialist skill.
Overall I'm disappointed that Australia hasn't maintained its lead in internet technologies. In part, people like me are to blame for starting our careers here and then being drawn to the brighter lights of the UK and the US, where visas are easily come by, pay levels are higher and opportunities to work on cutting-edge technologies are plentiful.
Perhaps we are on the verge of a change in Australia and I hope that some of the ground lost can be regained over the next five years.
Thursday, 31 January 2008
Saturday, 1 December 2007
PCI DSS will wreak havoc on SMEs
One of my clients was asking me about PCI DSS certification today. Coincidentally, I also received our letter about compulsory compliance with the PCI DSS standard.
Both of us are what are termed "Level 4 Merchants", that is, we process fewer than 20,000 card transactions through the company in a year. Arguably, Level 4 Merchants will account for the largest number of businesses globally, as they will incorporate pretty much every SME in PCI-compliant countries that takes a card as a form of payment (according to Visa, about 27 million businesses).
The standard itself is a worthy document: a dozen set-in-stone compliance rules to which businesses have to adhere. Most of it is common sense, like setting the password on your router to something non-default and making sure card details are encrypted if they are to be stored, that sort of thing. Most businesses in the SME world would, in fact, already be compliant, mostly because they don't store data.
Here's the rub though. Barclaycard sent both my client and me a letter basically saying you have two options on compliance: either you do it yourself or you get someone to help you (and of course they recommend a company, SecurityMetrics, to help you do it all, at a discounted rate of course).
Obviously the first thing I did was go to the SecurityMetrics site and request a quote. As a Level 4 Merchant it will cost me a mere $699 per year to be assessed quarterly. However, they can tell me to do things to get me up to spec, which is then going to cost me more again. At the end of it they give me a pass or fail certification, and their audit is completely subjective.
After that I went and downloaded the whole specification and read it through twice, making a note against every point.
Typically, this isn't a document for the faint of heart. I'm lucky, first in that I'm a techie and second in that I did my formative programming years in a bank, specialising in what was then the forerunner of InfoSec. There is not a single line of "plain English" in the whole thing.
A couple of non-techies I've shown it to got about a page in before giving up. Your average 1- to 5-employee company owner doesn't have a hope. Thus he'll end up paying $699 per year for what is essentially insurance.
Even amongst Level 1 Merchants, understanding and compliance are two different things, as you can see in Evan Schuman's great article about recent stats to come out of the Level 1 camp.
Big companies have the resources to deal with this sort of stuff, and they are also more likely to be saving data on customers, so for them it is crucial. Whilst it is no less crucial for small businesses, the fact that a store owner who only takes card payments from people who are physically in his shop will still have to go through this audit is patently ridiculous.
BarclayCard are indemnifying themselves by playing the FUD card with comments like:
"To date these penalties have not been passed on to any Level 4 Merchants, but from 30th April 2008 your business will be liable for PCI DSS penalty charges and costs associated if you fail to comply or have a data compromise."
"Penalty charges can be considerable (in excess of £100,000) so, to protect your business, it is vital that you prepare for PCI DSS compliance by 30th April 2008 and continue to maintain compliance in the future."
What the PCI DSS standard fails to deal with, however, is systematic failure of employee behaviour. It doesn't deal with issues such as people skimming cards if they are taken out of sight, nor does it deal with employees writing details down on a piece of paper and passing them on when dealing with mail order, nor does it deal with phishing scams.
Indeed, I had a card machine problem last week and the support officer at BarclayCard stated:
"Just write the details down on a piece of paper and process them later."
Hardly a piece of advice that should be followed to maintain security.
In the end, businesses will have to make up their own minds about how best to deal with this new "virtual legislation" that is being thrust upon us. To me the whole thing reeks of the rise of the SEO industry piggybacking off Google's search technology.
In reality, the biggest source of credit card fraud is skimming details through offline processes such as mail order (which happened to me recently; my bank caught it on the other end within a day), or else identity theft, whereby a new card is created in someone else's name.
None of the procedures outlined by the PCI DSS standard deal with these very real and growing issues. All they are doing is lining the pockets of consultant sharks that will feed on the SMEs who don't know any better, and penalising merchants for actually trying to conduct business.