May 2013 Newsletter

Penetration Testing Experts

Shorts are on, sandals brushed down and summer is here! Unfortunately for us QSAs, someone had a bright idea of issuing a June deadline for both Level 1 and Level 2 Merchant PCI DSS Compliance and summer tends to be the busiest time of the year for us. We are also busy making suggestions and improvements for PCI DSS v3.0, which should be available for review in October.
Our training course schedule kicks off again in June and we have recently formally launched our RoC Review Service.
Level 4 Merchants continue to struggle, as do the acquiring banks that are trying to manage them, and fraud statistics have shown a year-on-year rise. Something isn't working. At ISSA we are lobbying hard to ensure the government takes Cyber Security Skills seriously and arms the next generation with sufficient weaponry and know-how to help defend against the growing cyber-threat from terrorists and state actors alike.
I hope you enjoy the newsletter – any feedback would be more than welcome – please feel free to get in touch. Stay secure!


Tim Holman
CEO 2-sec
President ISSA-UK

Choosing the right QSA

It is well known that there is a low barrier to entry for a security company to become a certified QSA Company (QSAC). As long as a reasonable amount of security experience can be documented and an annual fee paid, the resultant QSA examinations are trivial to pass. This unfortunately leads to a market that is awash with inexperienced auditors who have made some very expensive decisions on behalf of entities that have had to demonstrate validation against the standard. We would recommend you consider the following starting points prior to engaging a QSAC… Read more here.

Between a RoC and a hard place?

A Report on Compliance (RoC) is an EXTREMELY IMPORTANT piece of paper. By signing the Attestation of Compliance, an Officer of your Company has just confirmed that everything within the RoC is valid, including the scope. The onus is not on the QSA to confirm your environment is compliant; it is on the Company Officer to confirm that everything the QSA has said is accurate. As most Company Officers are not security experts, is it even appropriate that they sign it off in the first place? You only need to look at the data breaches of TJ Maxx, Heartland, Sony Entertainment et al to realise the QSA is never found culpable should things go wrong. Read more here.

2-sec Training Courses

Advanced PCI DSS Training Course
June 13-14 2013 London, UK – LAST REMAINING PLACES

Our PCI DSS Training Course returns to London on June 13-14 2013. It brings those familiar with PCI DSS up to a level where they can gain and maintain PCI DSS Compliance within their organisations. This is an intermediate/advanced course, suited to those who have existing information and data security knowledge. For further information, please click here.

Incident Response Planning – NEW
June 21 2013, London, UK
September 17 2013, London, UK
November 8 2013, London, UK

We have recently launched a series of Incident Response Planning courses, led by Adrian Wright, ISSA-UK VP of Research, CEO at Secoda and past CISO of Reuters. With over 20 years' experience of managing corporate information security and risk, Adrian brings real-life experience of critical security incidents to the table. Delegates will learn how to plan for, and deal with, incidents when they happen. The course is suited both to security best practice and, of course, to those responsible for PCI DSS Section 12.9 (Incident Response Plan). For further information, please click here.

June 27 2013, London, UK
September 19 2013, London, UK
November 2013, London, UK

As part of our mission to improve knowledge transfer and make it available to all, we have developed a one-day training workshop in Cyber Threat Awareness for Executives. Click here for further information.

Upcoming Events

With April and Infosec out of the way, May looks to be a quiet month for events, but here is our pick of events over the next few weeks.

16 May, Bristol – ISSA-UK Regional Event

17 May, Sussex – Community Golf Challenge

4-5 June, London – Information Security and Cyber Crime Summit

13 June, London – ISSA-UK London Chapter Meeting

PCI Professionals LinkedIn Group

Mad for PCI? Can't get enough? With almost 800 members our LinkedIn group is going strong. Click here to join.
