Volume 2, Issue 8 | August 2008
The Payment Card Industry is, to some degree, a victim of inertia. One company debuts webinars as a means of informing merchants of their PCI DSS compliance obligations, and the industry accepts that as an acceptable medium for education. Another company might say that, in order to become compliant, you must spend hundreds of thousands of dollars, and this judgement is often meekly accepted without question. The industry has moved unerringly toward a "risk management through compliance" frame of mind, rather than becoming compliant through risk management. Inertia often leads to complacency, which is the foe of innovation and improvement. This issue of The Aegis is devoted to combating that inertia.
As always, please feel free to forward this newsletter to anyone you feel might be interested.
Aegenis Enhances eLearning Suite
Streaming media added to Aegenis eLearning products
In response to growing demand for training, The Aegenis Group has incorporated streaming media capabilities into its eLearning Suite. By adding streaming video and audio, Aegenis offers companies and individuals access to the same trainers used by the PCI SSC and a major card brand. In this way, The Aegenis Group continues to demonstrate its dedication to Empowerment through Education and Expertise. The equitable distribution of information and education serves everyone's interest by raising awareness of security issues and of the methods by which those issues can be addressed. By employing the Akamai Content Delivery Network (CDN), Aegenis can ensure that the content is as seamless in Nepal as it is in Park City, Utah. Aegenis supports both on-demand streaming and live broadcasts.
Click here to sample Aegenis eLearning media.
The Failings of "Risk Management Through Compliance"
Focusing on compliance without assessing risk
Many security companies are promoting the concept of "Risk Management through Compliance." It is not uncommon to hear ASVs and QSAs promote their scanning and Self-Assessment Questionnaire (SAQ) programs as providing risk management solutions for organizations. The PCI DSS is a relatively static standard. Compliance with the standard is simply that: compliance with a standard. Granted, the standard has controls that should be considered as part of a greater overall risk mitigation strategy, but simply complying with the PCI DSS, or any other standard for that matter, often leaves organizations exposed to risks beyond those the standard addresses.
Consider the example of a person who rides a motorcycle. In many states, the law requires motorcyclists to wear helmets. The law was passed in an effort to protect riders in the event of an accident. To ride a motorcycle, riders must be in compliance with this particular law. This raises the question: does compliance with this law equal safety? Most readers would likely agree that "safety" on a motorcycle is seldom as simple as wearing a helmet. While most would agree that a helmet is a very important component of rider safety, many additional considerations must be made. A motorcycle road-racer will wear riding gloves, leather pants and jacket, and riding boots to protect him in the event of a high-speed crash. By contrast, a motocross rider will wear chest and shoulder armor as well as steel-toed boots and knee pads to protect her from the effects of falling during a motocross race. While both riders wear helmets, each has other specialized equipment designed and implemented to protect against specific risks.
When evaluating the risk to your organization, do not consider only your company's compliance with the PCI DSS, or any other standard. Consider the specific risks to which your organization is exposed, beyond those explicitly enumerated in any given standard. Starting from a "risk first, then compliance" mindset will better serve the organization in the long run.
Experts, Experts Everywhere!
The cottage industry surrounding compliance in the Payments Industry creates instant experts
A quick search on a major search engine will reveal literally hundreds of self-proclaimed PCI "experts." Unfortunately, many of these so-called "experts" are only superficially knowledgeable of the PCI DSS, and most of those have a less than comprehensive understanding of the payment card industry. The Aegenis Group conducts training for one of the major card brands. During the training events, it is not uncommon to hear a merchant, service provider, or bank say: "my QSA said that we must (fill in the blank) to comply with the PCI DSS." More often than not, these recommendations are simply inaccurate interpretations of the standard or of the intent of a particular requirement. People have no problem asking for a second opinion from a doctor when diagnosed with a major illness. It is always surprising, however, when an organization will spend millions of dollars on remediation based upon a statement from a single individual with often cursory experience in the industry, without seeking a second opinion. The Aegenis Group has spoken with numerous organizations that have each spent hundreds of thousands of dollars on controls and technology that were not required, simply because of a misinterpretation of the PCI DSS. While there are some very good QSAs in the market, the qualification alone does not make one an expert on PCI DSS related issues, nor does it imply information security expertise. It is highly recommended that, prior to purchasing technology or implementing controls to address identified compliance issues, organizations conduct their own due diligence and seek a second opinion. Spending a little time and money double-checking a recommendation will often pay huge dividends.
Aegenis Tips & Tricks
When is a webinar just a webinar?
Webinars serve an extremely important role in today's business world. They are useful tools for sales calls and for collaboration among geographically dispersed teams. Of late, though, many companies are offering webinars as a means of educating organizations and individuals on issues from security to compliance and beyond. The question lies in the value of these webinars. There are a number of traits that make webinars a difficult medium over which to deliver an educational experience.
1) Learner Interaction - Many of us have attended webinars to which we lent only half an ear. When watching or listening to a webinar, it is fairly easy to become distracted, answering emails or phones or even chatting with someone who has stopped by the desk. In other words, the attendee is not engaged with the material to the point that it can be retained.
2) Learning Evaluation - The "educational" webinar is a largely passive experience. At the end, there may be some question and answer, provided those haven't been pre-populated by the moderator and speaker. The listener, though, is not called upon to recall or apply the information to which they've been introduced. For that reason, it is difficult, if not impossible, to evaluate what the listener has learned. One must assume that, if the attendee heard the entire presentation, then he or she must have retained and understood it all. Particularly in the arena of customer data protection, this can be a dangerous assumption under which to operate.
3) The Looming Sales Pitch - Because the webinar has become such a ubiquitous sales tool, there is usually a lingering question in the back of the listener's mind: "When do we hear the sales pitch?" Even if the pitch never materializes, the argument can be made that the anxiety over its likelihood has distracted the listener to the point of diluting the content. If the pitch does appear, be it at the end or the beginning of the presentation, it casts a taint over all of the material in the webinar. Is the information presented slanted to favor the vendor's perspective?
4) The Webinar Subject Matter Expert (WeSME) - The use of the webinar to present information has given rise to the WeSME phenomenon. It seems that anyone with webinar capabilities and a cursory understanding of a given subject can present themselves as an expert. The result of the WeSME webinar is the dissemination of inaccurate information. There is significant marketing mileage to be found in hosting webinars on complex subjects. However, it almost seems that the more complex the subject, the more "experts" appear to help organizations decipher it.
As stated previously, the webinar can be an extremely useful tool in today's business environment. However, it is not well suited to educating large numbers of people on a subject as complex as the PCI DSS, or payments security in general.
CPISA/CPISM Exams Scheduled for November
Society of Payment Security Professionals scheduled training and exams in Dallas, TX
The Society of Payment Security Professionals has scheduled Certified Payment-Card Industry Security Auditor (CPISA) and Certified Payment-Card Industry Security Manager (CPISM) training to be held November 4-7, 2008 in Dallas-Fort Worth. For those who already hold the CPISM designation and would like to add the CPISA, training will be held on November 4, with the exam on the morning of November 5. For those seeking the CPISA who do not hold the CPISM, training will run November 4-6, with the exam on November 7. New CPISM candidates can attend training November 5-6, with the exam on November 7.
Because the CPISA includes all of the material for the CPISM, in addition to more technically based auditing and assessment questions, the training will be broken out in the following manner:
Day 1: CPISA Training Module
Days 2 & 3: CPISM Training Material
Day 4: CPISM Exam followed by the CPISA Module
Everyone will take the CPISM exam, with the CPISA candidates completing an extra module for the CPISA certification.
Industry Events and Happenings
The CSO Executive Seminar Series on PCI Compliance, September 10, 2008, New York City, NY. *Aegenis Presenting*
Payment Card Industry Security Standards Council, North American Community Meeting. September 23-25, 2008, Orlando, FL
World Federation of Direct Selling Associations (WFDSA) World Congress XIII, October 10-12, 2008, Singapore *Aegenis Presenting*
Society of Payment Security Professionals CPISA/CPISM Training and Exam. November 4-7, 2008, Dallas, TX *Aegenis Presenting*
Aegenis Welcomes New VP of Business Development
John Matejka joins to lead sales and business development efforts
The Aegenis Group is pleased to announce the addition of John Matejka to the company's leadership team. Mr. Matejka brings deep experience in the financial services industry. Among his many accomplishments, Mr. Matejka holds Series 6, 63 and 26 securities licenses and a Group 1 Insurance license, and is a Chartered Retirement Planning Specialist through the College of Financial Planning.
Mr. Matejka has 15 years of sales and marketing experience in financial services and holds a BBA from Texas A&M University.
About The Aegenis Group
The Aegenis Group is dedicated to helping companies navigate the choppy waters of data security, information risk, and privacy regulation. The Aegenis Group believes that the ability to understand not just the regulatory mandates themselves, but their total impact on the business environment can act as a compelling tool for business enablement. The Aegenis Group was founded by experienced members of the Payment Security Industry. Since 2007, The Aegenis Group has trained more than 10,000 people on issues related to the PCI DSS and Payment Security, including every Qualified Security Assessor worldwide. The Aegenis Group is contracted with the Payment Card Industry Security Standards Council to train all Qualified Security Assessors, worldwide. Additionally, The Aegenis Group has conducted on-site educational seminars on behalf of a major card brand, Fortune 500 companies, Big Four consulting firms, Acquiring Banks, Merchants, and others concerned with the protection of consumer data in the Payments Industry.
Sincerely,
The Aegenis Group
Read Articles by The Aegenis Group
Principals of The Aegenis Group write frequently, as well as speak, in the industry. Their whitepapers can be found here.
Here are links to recent articles written by Principals of The Aegenis Group:
Dr. Mark frequently writes for Transaction World. Access her articles here. Read Dr. Mark's co-authored article in Direct Selling News.
Miss an Issue of The Aegis?
The Aegenis Group now posts archived versions of the newsletter on the website. To see past issues of The Aegis, click here.