The Aegis: A newsletter presented by

The Aegenis Group

Expertise, Education, Empowerment
Volume 1, Issue 7
December 2007
Welcome to the last 2007 issue of The Aegis.  As the year comes to a close, the team at The Aegenis Group gathered some thoughts on the past year.  Also, the recent movement on the Payment Application Data Security Standard (PA-DSS) has provided significant food for thought as the new year dawns. As always, The Aegenis Group encourages you to forward this newsletter to anyone who might be interested in the information that it contains.
 
All of us at The Aegenis Group wish you and yours a happy, healthy and safe Holiday Season!
 
The Year in Review 
The Aegenis Group had an exciting 2007

The Aegenis Group was founded in December 2006 with the goal of providing education and risk management services to the payments industry.  It has been an exciting year of growth and opportunity.  In our first year in business The Aegenis Group has:

  • Trained over 6000 people representing over 500 merchants and service providers on the PCI DSS
  • Trained over 1200 Qualified Security Assessors (QSA)
  • Renewed contract with the PCI SSC as the trainer of QSAs
  • Increased our staff by 50%
  • Developed and introduced 3 new services
  • Spoke at over 10 different events
  • Published 10 Articles in 4 different magazines
  • Created an industry forum for discussion of compliance and security issues

We want to take the opportunity to say a big "Thank You!" to everyone who has helped make The Aegenis Group the leader in training and education within the payments industry.  We are excited at the prospect for 2008 and expect continued growth.

Have a Great Holiday Season and a Happy New Year!
The Aegenis Group Hosts Regulatory Compliance Forum
Discussions to include FACTA, Breach Notification Laws and More
The Aegenis Group recently added a discussion board on Regulatory Compliance to its PCI Answers Forum.  The move comes in response to the frequent questions and discussions surrounding new and pending legislation and its impact on the Payments Industry.  The forum will be moderated by Dr. Heather Mark, PhD, CISSP, CIPP.  Dr. Mark has a PhD in public policy from Auburn University and has served on the ETA Government Relations Committee.  She frequently writes and speaks on issues regarding data security and privacy legislation and its impact on the payments industry.

The forum can be found by clicking this link. 
Vendor Wishlist for 2008  
What do companies want from their vendors in the new year?
In 2007, compliance was the name of the game and every other vendor claimed their product would comply with just about everything, including the building codes for installing a kitchen sink.  As 2008 approaches we find the term "GRC" popping up as companies try to tie together Governance-Risk-Compliance for a trifecta of sales terms.  Instead of branding and marketing, a movement is growing that calls for product vendors to educate their customers about their product and the specific issues that merchants or service providers may be facing. Here's a short wish list for product vendors in 2008.
 
1) Educate me!  Having a logo that says your product makes me compliant is nice, but it's no longer a differentiating factor.  I need to choose between 10 vendors that all claim the same thing.  I also need to make sure I'm choosing a product that will solve our problem and not get me fired for implementing it.  What I want as a consumer is for my vendor to know more about my compliance issues than I do.  I want their web site and marketing materials to educate me about the issues I know and those I have yet to encounter.
2) Never over-commit and under-deliver!  I don't care if your product cannot bake me bread in the morning; I just want to know what its true capabilities are so I can make educated comparisons.  Maybe your product complements another I already have, but I won't know that if you tell me it solves all the world's problems.  I would hope vendors in 2008 have a crystal clear message about specifically what their product can and cannot do.  This depends on my vendor understanding the compliance and risk areas first (see above).
3) Define the space you support!  Nothing makes me feel better about choosing a vendor, and knowing they will be around, than seeing them define the space they support.  I want my vendors to be the movers and shakers who define the standard and explore uncharted waters.  I want my vendor to own the conversation surrounding their product space and talk to me about it.
4) Be connected!  It is especially important with new vendors that I know they are connected to and supported by people I know and trust.  Word of mouth is stronger now than ever, and I will make decisions based on the words and recommendations of those I know and trust.  I want my vendor to connect and collaborate with others I know, so my decision is grounded and secure.
Aegenis Tips & Tricks
Payment Application Data Security Standard Deadlines
 

The major shift in payment compliance for the latter part of 2007 has been to put the security spotlight on payment applications.  PCI DSS has passed the tipping point, with greater numbers of large (Level 1) and medium-sized businesses (Level 2) validating their compliance.  On the heels of this success, it is widely recognized that commonly used payment applications have the greatest impact on driving compliance for the remaining merchant population (Levels 3 and 4).
 
To build critical mass in this arena, Visa Inc. has for several years been working to codify the Payment Application Best Practices (PABP) and to qualify validated payment applications.  Recently the PCI Security Standards Council (SSC) disclosed its adoption of the PABP under a new name, the Payment Application Data Security Standard (PA-DSS).  With the adoption of this new standard, the individual card brands will be tasked with enforcing validation against it.
 
Visa has already drafted a timetable for building critical mass, which is outlined in the following schedule:
1. Newly boarded merchants must not use known vulnerable payment applications, and VisaNet Processors ("VNPs") and agents must not certify new payment applications to their platforms that are known vulnerable payment applications (deadline: 1/1/08)
2. VNPs and agents must only certify new payment applications to their platforms that are PABP-compliant (deadline: 7/1/08)
3. Newly boarded Level 3 and 4 merchants must be PCI DSS compliant or use PABP-compliant applications (deadline: 10/1/08)
4. VNPs and agents must decertify all vulnerable payment applications (deadline: 10/1/09)
5. Acquirers must ensure their merchants, VNPs and agents use only PABP-compliant applications (deadline: 7/1/10)
 
The next phase of PCI compliance is going to be driven not only by a secure infrastructure but also by the use of secure third-party payment applications. It is important to stay informed of both card brand and acquirer enforcement programs and deadlines.


Industry Events and Happenings

National Retail Federation 97th Annual Convention and Expo - January 13-18, 2008, New York, NY

NACHA Global Payment Strategies 2008 - January 22-23, 2008, Belgium

BAI TransPay Conference and Expo - February 5-7, 2008, Grapevine (Dallas), TX
About The Aegenis Group

The Aegenis Group is dedicated to helping companies navigate the choppy waters of data security, information risk, and privacy regulation. The Aegenis Group believes that the ability to understand not just the regulatory mandates themselves, but their total impact on the business environment, can act as a compelling tool for business enablement. From understanding the ways in which your products and services can protect sensitive data to making the right compliance decisions for your business environment, The Aegenis Group can assist your company in facing the risks of an increasingly complex business landscape.

Sincerely,

The Aegenis Group
In This Issue
Aegenis' Year in Review
New Regulatory Compliance Forum
Vendor Wishlist for 2008
Aegenis Tips & Tricks
Industry Events and Happenings
News about The Aegenis Group
 
Michael Dahn, The Aegenis Group Founder, Re-elected to INMA Board

The Aegenis Group Announces Introduction of New Regulatory Intelligence Service

The Aegenis Group Hosts Online Merchant Only PCI-DSS Forum
 
Read Articles by The Aegenis Group

The principals of The Aegenis Group are frequent writers and speakers in the industry.  Here are links to recent articles written by Principals of The Aegenis Group:

Michael Dahn has written an article in the Sept. issue of Digital Transactions
 
Dr. Mark frequently writes for Transaction World.  Access her articles here. 
 
Quick Links
Miss an Issue of The Aegis
The Aegenis Group now posts archived versions of the newsletter on the website.  To see past issues of The Aegis, click here.