One Compliance Blog

Time is Running out for E-Commerce Merchants Running Magento Version 1.x

E-Commerce merchants who are still using Magento version 1.x as their on-line shopping cart will soon run out of time to move to a supported version! When Magento version 2.0 was released back in November 2015, E-Commerce merchants and developers were informed that Magento version 1 had a limited shelf life and would become obsolete. The initial end of life date given was November 2018; however, push-back from developers and merchants alike resulted in a revised end of life date of June 2020. As an experienced Information Security Consultant and PCI QSA, one of the

Read More »

Cyber Criminals, Furlough and the PCI DSS

The UK went into lockdown on March 23rd 2020 and the government introduced to us a new word, “furlough”. Of course, 99.9% of us had never heard of this before, but many welcomed the fact that they would be able to sit at home on 80% of their wage. It was also on this momentous day that the wizened old man, Woodstradamus, made his prediction that cyber criminals wouldn’t be furloughed and they would carry on doing what they do. Only it wasn’t that bold of a prediction; it was actually like betting on the Harlem

Read More »

PCI DSS v3.2.1 Regular Tasks

To maintain PCI DSS compliance, there are a number of tasks which must be conducted on a regular basis. I’ve taken the liberty of collating all of these regular tasks into one table. Where the frequency of a task is “regular” or “periodic”, I have made a recommendation based upon my experience as a QSA. Dependent upon the environment and threat landscape, it could be justified for these indeterminate frequencies to shift in either direction. Note that this table assumes a SAQ-D equivalent environment with all PCI DSS controls being in play. The shape of the regular

Read More »

1984 or Greater Good?

I’m not going to use the “U” word. I refuse to. It’s already overused, so I’ll go with: we are in exceptional times and, after 7 weeks, I guess we’re all at a point where we’d all like to get back to how things were as quickly as possible. A pipe dream, perhaps. To proceed and work with the “new normal”, which, for the purposes of this piece, I’d like for us to suspend some disbelief and imagine to be how things were in, say, 2019, we need a vaccine. In the absence of these

Read More »

Keep Safe

Many of us are having home working thrust upon us due to the pandemic, which has led to changes for everybody. This means more pressure upon an already creaking IT department, which means that security does not feature as prominently on the to-do list as it usually does. Unfortunately, cyber criminals and opportunists are helped rather than hindered by the lockdown, and we are already seeing spikes in basic attacks such as phishing. The BBC has published an article pertaining to the same: https://www.bbc.co.uk/news/technology-51838468. A breach/compromise could not only affect the integrity of client and business

Read More »

United We Stand, Divided We Fall

Tonight’s one of those nights where I’m burning the candle at both ends, but before I sign off and hit the hay, I’ve had the thought “who will get breached tonight?”. Let’s be honest, there’s always somebody, and when it’s a high-profile case the jungle drums start beating and platforms such as LinkedIn are awash with sneers and jibes, and industry vendors start dreaming up rumours about why these organisations were breached (it usually has something to do with them not using that particular vendor’s tech). Now, I’m probably being a little cynical because it’s late

Read More »

Lies, damned lies and PCI DSS compliant E-Commerce hosting and service provision

As a PCI DSS Qualified Security Assessor, I’ve had this conversation far too many times now. Many hosting providers make claims of PCI DSS compliance, however when trying to verify that compliance we are met with obfuscation and frustration. I have seen so many certificates, ASV scan reports, merchant attestations and other documents which service providers hold up to claim PCI DSS compliance that it just isn’t funny anymore. Ultimately, it is the Merchant that has responsibility for PCI DSS compliance. It is the Merchant who owns the contract with the acquiring bank. It is the

Read More »

Ransomware Mitigation Fundamentals

With the Travelex ransomware situation in the news, it is important for all information security folks to review ransomware mitigation strategies and be sure that plans are in place should the worst happen. Firstly, there is not, and is unlikely to be, any further detail on the Travelex situation. Any speculation as to what and how it happened is unhelpful and unnecessary. I have no doubt that Travelex will currently be unpicking their situation, and have all appropriate resources in place to remediate their problems. For the purposes of this blog, we are going to look at fundamental mitigation techniques

Read More »

Is a present really a present?

The January blues are in full flow around the nation and not only am I in a grump, but I’m being massively ungrateful to boot! Allow me to explain. This year, we moved to lovely new serviced offices and, to prove that I’m not always a crank, we participated in Secret Santa with the other companies who share office space here. Of course, I went all out (if you know, you know!) and in return I was given some chocolates and a notebook. Now, I love chocolate and I can never have enough notepads as I try and make

Read More »

One Compliance are now CREST Accredited for Penetration Testing

We are pleased and extremely proud to announce that we have achieved CREST accreditation for our Penetration Testing services, an internationally recognised endorsement of our robust network security testing methodologies. CREST provides independent, verifiable third-party assessments of security testing businesses in the UK and across the world and gives clients a demonstrable level of assurance that the security testing processes and procedures being deployed meet the highest professional standards. Achieving the CREST accreditation required a rigorous assessment of our company business processes, data security and security testing methodologies. We at One Compliance have always striven to

Read More »