Wednesday, August 29, 2007

PCI Compliance as a Service

I recently came back to work at one of my former stomping grounds to develop and implement PCI Compliance as a Service, both to support our existing e-commerce customers and to assemble the components needed to offer it to new customers, focusing on Level 2, Level 3, and Level 4 organizations.

The offering has two phases:

PCI Readiness audit

Because I am not a QSA, I will come in and perform a 5-day audit of your existing systems and report the results back to you. Only you. From this activity will come a full tactical remediation plan that can be implemented in your data centers or mine (I have 16 around the world). In many cases this can be done in 30 days or less, before you incur another monthly fine.


The Tactical Remediation Plan (TRP) outlines a project plan, based on current state and identified gaps, that gets implemented in one of two ways – on your premises or mine.

The execution on your premises is the same as what I have done in ours, which is to deploy a set of technologies to support a fully audited and proactively enforced process and environment. I have a relationship with QSAs who know what I can deliver and will certify the solution and the environment at the end of the deployment.

The components of the solution will require an investment in hardware, software, and services, ranging from knowledge transfer at the low end to full remote management, executive dashboards for real-time reporting, and other complementary services you can choose based on your resource expertise and availability.

The second option is to spin up an environment in one of my SAS 70 Type II data centers and provision the technologies to cover the requirements of PCI that are not covered by the SAS 70 audits. I will give you the SAS 70 audit results to hand off to your auditors as part of the package, whether the systems are affected by PCI or not. Same technologies and processes, and I bring the networking, application, and compliance expertise to the table on an ongoing basis. There are also SLAs and additional services that I will bring to bear if the need is there. I will do as much or as little as you need.

This second option has been the most popular for two key reasons. First, it is paid for as an operating expense, so there is no capital expense investment and it stays off balance sheet. Second, the expertise acquisition required to deliver a solution is cost prohibitive for most Level 3 and 4 organizations, so this is a financially viable option that lets leaner shops tap into a broad knowledge and resource base. It is a single monthly number for infrastructure, services, and auditing, including the on-site QSA certification in my data centers. Fixed costs.

A third reason people want to talk to me is that although they may be a Level 2, 3 or 4, they want to operate like a Level 1 to strengthen their relationships with customers and to be proactive about mitigating risk, rather than becoming a Level 1 because of a breach.

The costs vary based on how non-compliant you are and what your infrastructure looks like. If I can help, and save you money in fines or operations I will spell out how much. If I can’t I’ll let you know sooner rather than later so we can both pursue other avenues.

Send an email to to learn more or to discuss your situation.


Monday, August 27, 2007

My PCIStuff 'Playbook'

For anyone trying to wrap their brains around how to implement a PCI compliant solution for their infrastructure, email me. I will send you the spec on what I have developed for two companies and was compensated to see it implemented (it exceeded the spec).

It is not a detailed step by step, 'buy this product', or 'implement it using this company' or other very specific how to (that's why people pay me). But it works, is not expensive, and I can offer a compliant solution as a service to keep it off balance sheet.

Please tell me who you work for and how I can help in the email. I keep track of this stuff for my own tracking. I did this with my identity management playbook and it wound up in the hands of folks all over the world and helped me establish some new relationships.


Thursday, August 09, 2007

Have you been Compromised?

I was reading Michael Dahn's blog, and saw a link to where you can type in credential information and find out if you (or your identity) have been bought & sold lately.

My devil's advocate came out (I'm a security guy at heart) and reared its head, and I immediately thought: if I set up a similar site, register a few domain names with some misspellings or reuse metadata from the legit site, I could in fact set up a very simple identity data capture site, claim it's more secure than Stolen ID Search because I require more information (like a CC#, zip code, etc.), and guess what, I'm in business as an identity thief. If someone steals this idea let me know; it's not that hard...

Wednesday, August 08, 2007

Oracle's Database Vault

I had the chance to sit down with Oracle yesterday and discuss what their role in PCI compliance was and was pleasantly surprised when the topic of their Database Vault product came up.

The thrust of the offering is to encrypt and protect data at rest so that your DBAs don't know your financial results before the CFO does. It will take protection from the port of the app down to the column level, and this is pretty slick for a number of reasons:

1. It gives fine grained access control and auditability inside the database where all the juicy information is stored.

2. It will encrypt and fuzz the data so that you can only see subsets (i.e. the last four of a social security number, etc.) of the data tied to a record (PAN).

3. It is a proactive, policy-based mechanism for where the sensitive data is, and it is governed by policy, so once policy is set, access to the data is too.

The one question I asked that has serious ramifications (good ones) was: is the Database Vault product considered and validated as an application-layer firewall for databases? No answer yet, but I'll keep the community updated.
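To make the column-level point concrete, here is an added illustration in plain Oracle SQL of what "only see the last four" and "fine grained access control inside the database" look like when done with ordinary views and grants. It is not from the original post and it is not Database Vault's own API; the schema, table, column, role and audit names (card_app, cardholder, support_role, and so on) are assumptions made for the example.

```sql
-- Added example, not code from the original post or from Oracle.
-- Assumed names: schema CARD_APP, table CARDHOLDER, role SUPPORT_ROLE.

-- Base table holding the full PAN. Only the owning schema reads it directly.
CREATE TABLE card_app.cardholder (
  customer_id  NUMBER        PRIMARY KEY,
  pan          VARCHAR2(19)  NOT NULL,     -- full primary account number
  ssn          VARCHAR2(11),
  name         VARCHAR2(100)
);

-- A view that exposes only the last four digits of the PAN and SSN.
-- RPAD builds a run of '*' the length of the hidden prefix; SUBSTR(x, -4)
-- returns the trailing four characters.
CREATE OR REPLACE VIEW card_app.cardholder_masked AS
SELECT customer_id,
       name,
       RPAD('*', LENGTH(pan) - 4, '*') || SUBSTR(pan, -4) AS pan_masked,
       'XXX-XX-' || SUBSTR(ssn, -4)                        AS ssn_masked
FROM   card_app.cardholder;

-- Least privilege: the support role is granted the masked view only.
-- There is deliberately no GRANT on card_app.cardholder to this role.
CREATE ROLE support_role;
GRANT SELECT ON card_app.cardholder_masked TO support_role;

-- Record every direct read of the base table so that access by a
-- privileged account shows up in the audit trail.
AUDIT SELECT ON card_app.cardholder BY ACCESS;

-- A session holding only SUPPORT_ROLE can run this...
SELECT customer_id, pan_masked FROM card_app.cardholder_masked;
-- ...but this fails with ORA-00942 (table or view does not exist):
-- SELECT pan FROM card_app.cardholder;
```

The limitation is the reason the post's DBA example matters: grants and views stop an ordinary application or support account, but an account holding SELECT ANY TABLE or connecting as SYSDBA reads the base table anyway. Keeping privileged database administrators out of the cardholder columns, which is what the post describes Database Vault doing, needs a control inside the database that ordinary grants cannot provide.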
