News & Events

One Compliance Blog

Recruit-A-Criminal!

We’re currently recruiting within the business; it’s a positive sign, as it means that we are growing and able to take on even more clients. We’re hoping that the new recruit will add a new dimension to us by introducing their own thoughts and experiences. This is what we hope. Hope. I hate “hope”. Hope isn’t a particularly measured approach. Rick Page famously wrote a book entitled “Hope is Not a Strategy” and an old boss of mine used to say “hope is for Christians”. I don’t like to live life in “hope”; I prefer to have

Read More »

Time is Running out for E-Commerce Merchants Running Magento Version 1.x

E-Commerce merchants who are still using Magento version 1.x as their on-line shopping cart will soon run out of time to move to a supported version! When Magento version 2.0 was released back in November 2015, E-Commerce merchants and developers were informed that Magento version 1 had a limited shelf life and would become obsolete. The initial end of life date given was November 2018, however push back from developers and merchants alike resulted in a revised end of life date of June 2020. As an experienced Information Security Consultant and PCI QSA one of the

Read More »

Cyber Criminals, Furlough and the PCI DSS

The UK went into lockdown on March 23rd 2020 and the government introduced to us a new word, “furlough”. Of course, 99.9% of us had never heard of this before but many welcomed the fact that they would be able to sit at home on 80% of their wage. It was also on this momentous day that the wizened old man, Woodstradamus, made his prediction that cyber criminals wouldn’t be furloughed and they would carry on doing what they do. Only it wasn’t that bold of a prediction, it was actually like betting on the Harlem

Read More »

PCI DSS v3.2.1 Regular Tasks

To maintain PCI DSS compliance, there are a number of tasks which must be conducted on a regular basis. I’ve taken the liberty of collating all of these regular tasks into one table. Where the frequency of a task is “regular” or “periodic”, I have made a recommendation based upon my experience as a QSA. Dependent upon the environment and threat landscape, it could be justified for these indeterminate frequencies to shift in either direction. Note that this table assumes a SAQ-D equivalent environment with all PCI DSS controls being in play. The shape of the regular

Read More »

1984 or Greater Good?

I’m not going to use the “U” word. I refuse to. It’s already overused so I’ll go with: we are in exceptional times and, after 7 weeks, I guess, we’re all at a point where we’d all like to get back to how things were as quickly as possible. A pipe dream, perhaps. To proceed and work with the “new normal”, which, for the purposes of this piece, I’d like for us to suspend some disbelief and imagine this to be how things were in, say, 2019, we need a vaccine. In the absence of these

Read More »

Keep Safe

Many of us are having home working thrust upon us due to the pandemic which has led to changes for everybody. This means more pressure upon an already creaking IT department which means that security is not featured as poignantly on the to do list as it usually is. Unfortunately, cyber criminals and opportunists are helped rather than hindered by the lockdown and we are already seeing spikes in basic attacks such as phishing. The BBC has published an article pertaining to the same https://www.bbc.co.uk/news/technology-51838468. A breach/compromise could not only affect the integrity of client and business

Read More »

United We Stand, Divided We Fall

Tonight’s one of those nights where I’m burning the candle at both ends but before I sign off and hit the hay, I’ve had the thought “who will get breached tonight?”. Let’s be honest, there’s always somebody and when it’s a high-profile case the jungle drums start beating and platforms such as LinkedIn are awash with sneers and jibes and industry vendors start dreaming up rumours about why these organisations were breached (it usually has something to do with them not using that particular vendor’s tech). Now, I’m probably being a little cynical because it’s late

Read More »

Lies, damned lies and PCI DSS compliant E-Commerce hosting and service provision

As a PCI DSS Qualified Security Assessor, I’ve had this conversation far too many times now. Many hosting providers make claims of PCI DSS compliance, however when trying to verify that compliance we are met with obfuscation and frustration. I have seen so many certificates, ASV scan reports, merchant attestations and other documents which service providers hold up to claim PCI DSS compliance that it just isn’t funny anymore. Ultimately, it is the Merchant that has responsibility for PCI DSS compliance. It is the Merchant who owns the contract with the acquiring bank. It is the

Read More »