Time is Running out for E-Commerce Merchants Running Magento Version 1.x

E-Commerce merchants who are still using Magento version 1.x as their online shopping cart will soon run out of time to move to a supported version! When Magento version 2.0 was released back in November 2015, E-Commerce merchants and developers were informed that Magento version 1 had a limited shelf life and would become obsolete. The initial end-of-life date given was November 2018; however, pushback from developers and merchants alike resulted in a revised end-of-life date of June 2020. As an experienced Information Security Consultant and PCI QSA one of the

Cyber Criminals, Furlough and the PCI DSS

The UK went into lockdown on March 23rd 2020 and the government introduced to us a new word “furlough”. Of course, 99.9% of us had never heard of this before but many welcomed the fact that they would be able to sit at home on 80% of their wage. It was also on this momentous day that the wizened old man, Woodstradamus, made his prediction that cyber criminals wouldn’t be furloughed and they would carry on doing what they do. Only it wasn’t that bold of a prediction, it was actually like betting on the Harlem

PCI DSS v3.2.1 Regular Tasks

To maintain PCI DSS compliance, there are a number of tasks which must be conducted on a regular basis. I’ve taken the liberty of collating all of these regular tasks into one table. Where the frequency of a task is “regular” or “periodic”, I have made a recommendation based upon my experience as a QSA. Dependent upon the environment and threat landscape, it could be justified for these indeterminate frequencies to shift in either direction. Note that this table assumes a SAQ-D equivalent environment with all PCI DSS controls being in play. The shape of the regular

1984 or Greater Good?

I’m not going to use the “U” word. I refuse to. It’s already overused so I’ll go with: we are in exceptional times and, after 7 weeks, I guess, we’re all at a point where we’d all like to get back to how things were as quickly as possible. A pipe dream, perhaps. To proceed and work […]

Keep Safe

Many of us are having home working thrust upon us due to the pandemic, which has led to changes for everybody. This means more pressure upon an already creaking IT department, which means that security does not feature as prominently on the to-do list as it usually does. Unfortunately, cyber criminals and opportunists are […]

United We Stand, Divided We Fall

Tonight’s one of those nights where I’m burning the candle at both ends but before I sign off and hit the hay, I’ve had the thought “who will get breached tonight?”. Let’s be honest, there’s always somebody and when it’s a high-profile case the jungle drums start beating and platforms such as LinkedIn are awash […]

Lies, damned lies and PCI DSS compliant E-Commerce hosting and service provision

As a PCI DSS Qualified Security Assessor, I’ve had this conversation far too many times now. Many hosting providers make claims of PCI DSS compliance, however when trying to verify that compliance we are met with obfuscation and frustration. I have seen so many certificates, ASV scan reports, merchant attestations and other documents which service […]

Is a present really a present?

The January blues are in full-flow around the nation and not only am I in a grump but I’m being massively ungrateful to boot! Allow me to explain. This year, we moved to lovely new serviced offices and to prove that I’m not always in a crank, we participated in Secret Santa with the other companies who share […]

Ransomware Mitigation Fundamentals

With the Travelex ransomware situation in the news, it is important for all information security folks to review ransomware mitigation strategies and be sure that plans are in place should the worst happen. Firstly, there is not, and is unlikely to be, any further detail on the Travelex situation. Any speculation as to what and how it happened […]

One Compliance are now CREST Accredited for Penetration Testing

We are pleased and extremely proud to announce that we have achieved CREST accreditation for our Penetration Testing services, an internationally recognised endorsement of our robust network security testing methodologies. CREST provides independent, verifiable third-party assessments of security testing businesses in the UK and across the world and gives clients a demonstrable level of assurance that the security testing […]