Volume 1 Issue: 5
October 2007
Welcome to The Aegis, a monthly newsletter published by The Aegenis Group. As we speak to companies working towards compliance, one common theme emerges: the selection of products and services that enable compliance. While this sounds straightforward, it can be a complex undertaking, and it is not uncommon to hear companies struggling with it. In this issue, The Aegenis Group offers insights and advice on selecting solutions that will achieve your business objectives and support your compliance.
The Aegenis Group encourages you to forward this newsletter to anyone who might be interested in the information it contains.
California Governor Vetoes Data Protection Law
Encourages "More Balanced Approach"
In a move that is likely to be loudly applauded by the payments industry, Governor Arnold Schwarzenegger vetoed California's Consumer Data Protection Law. In vetoing the law, Gov. Schwarzenegger stated that the industry "has the contractual ability to mandate the use of these standards, and is in a superior position to ensure that these standards keep up with changes in technology and the marketplace." He further indicated a concern that signing the law could create a conflict between the law and the private sector mandates. The governor also cited the likelihood of increased costs of compliance, particularly for smaller merchants.
The bill had passed both houses of the California legislature so easily that the veto comes as a surprise to many. As of today, no one has indicated that they will try to override the veto, despite the apparent support the measure enjoys. Governor Schwarzenegger is encouraging the legislature to work with the industry to create a bill that serves the objectives of data protection but also works within the landscape of the payments and retail industry.
The veto does not close the door on the issue. The governor has made public his concern about the protection of consumer data. If the legislature reworks the legislation to offer more clarification as to who owns and licenses the data, or to be more reflective of the realities of the industry, legislation may still be forthcoming.
The Holy Grail - Compliant Solutions
The challenges of selecting solutions that enable compliance
The term PCI DSS has become ubiquitous. It is commonly referenced in trade publications and in mainstream media. The Harvard Business Review recently published a case study on a data breach that highlighted the importance of PCI compliance. The Wall Street Journal references the standard in a variety of articles on an almost weekly basis. With the integration of this term into the public vernacular have come a few attendant challenges as well. Chief among these challenges is the promise of the "silver bullet" solution.
While many vendors have done their due diligence in ensuring that their products do, in fact, support compliance, an equal number claim that their product alone can achieve compliance. It is of paramount importance that such claims are not taken at face value. Each environment will interact with a solution a bit differently: what supports compliance in one instance may not have the same effect when deployed elsewhere. The primary goal of product evaluation should be to understand the capabilities of the product, the way in which it is deployed and managed, and how it impacts the security and privacy of the data housed in the environment.
While it may be tempting to believe the lure of the silver bullet, it should be remembered that these solutions only address the technological aspects of compliance. They do not address two very important aspects of data security: (1) proper policies and procedures, and (2) the human element of compliance - training staff on the proper policies and procedures for the protection of data and ensuring that those policies are followed.
Aegenis Tips & Tricks
Payment Application Best Practices and PCI DSS Compliance
Over the course of the last several years, the role of PABP compliant applications in PCI DSS compliance has created a significant amount of confusion. While PABP compliant solutions are important in maintaining compliance with the Payment Card Industry Data Security Standard, their use alone does not denote compliance.
What is PABP?
Visa USA's Payment Application Best Practices (PABP) were developed with a single overriding objective: to prevent the storage of prohibited data such as CVV2 and full magnetic stripe data. The PABP applies to software applications that process, store or transmit data as part of authorization or settlement. The goal is to minimize the threat to cardholder data by minimizing the amount and type of data that payment applications store by default.
A quick Internet search will identify numerous PABP compliant applications. While most organizations that have adopted the PABP do a very good job of explaining their support of the PCI DSS, there is some confusion as to exactly what impact the PABP has on compliance.
Does PABP Compliance Equal PCI DSS Compliance?
In short, using a PABP compliant application will not guarantee compliance with the PCI DSS. Additionally, an organization using a PABP application is not compliant simply by virtue of using the validated application. An application that has been validated against the PABP can only provide assurance to the merchant that, if implemented and configured according to the directions, the application will not preclude the merchant's compliance with the PCI DSS. It is important to understand this point. Many merchants may confuse the use of PABP compliant applications with being PCI DSS compliant, and this is simply not the case.
Industry Events and Happenings
Western States Acquirers Association (WSAA) - October 17-18 in Anaheim, CA
Mid America Payment Exchange (MPX) - October 29-30 in Overland Park, KS
BITS/American Banker 6th Annual Conference - November 5-6 in Miami, FL
Consumer Data Security Executive Meeting - November 15-16 in Las Vegas, NV
About The Aegenis Group
The Aegenis Group is dedicated to helping companies navigate the choppy waters of data security, information risk, and privacy regulation. The Aegenis Group believes that the ability to understand not just the regulatory mandates themselves, but their total impact on the business environment, can act as a compelling tool for business enablement. From understanding the ways in which your products and services can protect sensitive data to making the right compliance decisions for your business environment, The Aegenis Group can assist your company in facing the risks associated with an increasingly complex business landscape.
Sincerely,
The Aegenis Group
The Aegenis Group's New Office
The Aegenis Group has taken an office in Silver Creek Business Park in Park City, UT. Our new address is 6410 N Business Park Loop Rd, Suite E, Park City, UT 84098. We can be reached via our new phone number, 435-615-6711.
Read Articles by The Aegenis Group
Principals of The Aegenis Group are frequent writers, as well as speakers, in the industry. Here are links to recent articles written by Principals of The Aegenis Group:
Dr. Mark frequently writes for Transaction World. Access her articles here.