Test and Trace

In the UK, the government has rolled out the Test and Trace system. According to the website (https://www.gov.uk/government/publications/coronavirus-covid-19-testing-privacy-information/testing-for-coronavirus-privacy-information-quick-read–2) you will be sent a text or email alert with your test result. The result will indicate whether you have Covid-19, so that you and your household can take appropriate action.

If you have Covid-19 you will be invited to, and can voluntarily, take antibody tests and donate blood plasma. But fundamentally you will be expected to self-isolate.

So far nothing unusual.

Personal Data

It later names the data controller (the Department of Health and Social Care – DHSC) and states that the details they may need include personal data such as name, date of birth, gender and more. This includes special category data under GDPR, such as ethnicity.

The laboratory will analyse your test and your result will be shared with NPEx, but do not worry, NPEx only has your specimen ID. NPEx will then pass your result to the NHS Business Services Authority, which informs you of your result.

They will also regularly contact you by phone and text to monitor that you are self-isolating. You have three chances to respond. If you do not, your local authority is informed and will investigate. There are some reasonable excuses for not self-isolating.

However, if they feel your excuse is not reasonable and it suggests you are not complying, then your details are passed to the local police force.

The fine for the criminal offence is £1,000. Repeated offences can be fined up to £10,000.

Ready To Sign Up?

So, what impact will this have? This sharing of personal data with the police may deter some people from being tested. There are numerous fears that could be put into someone’s mind: How do I get the kids to school? How do I do my food shopping when there are no deliveries? How will the business cope without me? How do I get income to cover my expenses this month?

Modern Technology?

The UK test and trace system was rolled out earlier this year and had a shaky start. There were reports of test and trace agents sitting around not making calls. I know this is true, as I have seen the training on Zoom and the staff with my own eyes. I even helped an individual by buying their headphones and extension network cables (as the service provider did not provide these for work), before a whole myriad of people were fired within the first couple of weeks of the Test and Trace system officially being “in use”.

Let us not forget the Excel spreadsheet that resulted in 16,000 coronavirus cases being unreported (https://www.bbc.co.uk/news/technology-54423988).

Is the CSV file format really the best way to analyse such results and interchange data in this modern age? I dread to think how they are exchanging our personal data with the police!

Hope they do better and remember…

Security is not a compromise.

5G What Can We Learn

We live in a world that is dependent on tech. I’m going to generalise, but before Covid, when I looked around in restaurants, bars or social gatherings, many of us had our heads down (alas, I am a culprit too). Heads down, unhappy? No, heads down seeing what exciting video, news or pop-up WhatsApp/Facebook/text message would appear.

I’m not one to look at dancing cat videos, but many of us are streaming music and full movies on Netflix or Amazon Prime. The point is that we are demanding devices with larger capacity and, fundamentally, faster download speeds.

At the time of writing, working remotely is the norm. Businesses that were reluctant to let their employees work from home suddenly need their employees to have decent Internet speeds. People can tether to their mobile phones at 4G speeds, which may sometimes exceed their home broadband landline speeds.

We want more!

There is always a lot of buzz when 5G is announced in a country. Why not? 5G could be up to 100x faster than 4G. This delivers what we need for an interconnected society. 5G is the thing, right?

Great, when does it arrive?

Implementing any opportunity has its risks and 5G is no exception. 5G will require deployment in a country’s mobile networks. News from the BBC suggests that Huawei failed to tackle security flaws in its equipment. We were already aware that there were vulnerabilities, but the report suggests that even recently the National Cyber Security Centre (NCSC) saw no evidence of improvement.

The report states: “The report acknowledges that while our software transformation process is in its infancy, we have made some progress in improving our software engineering capabilities”

What does that mean?  That is so concerning for such a huge company.

I do not know the extent of its “infancy”, but as an assessor/auditor, and putting my software developer hat on, it is not that hard to build security considerations into the software development process. The traditional stages (requirements, design, coding and testing) can each include security considerations. For example: what security requirements do we need? How do we design with threat modelling? Are we coding to secure coding guidelines, with training, and testing securely with vulnerability scanners and penetration testing methodologies?

Even with agile methods, you can still implement security considerations and checkpoints.

Document what you do and do what you document.

The report also highlighted “poor coding practices” and a “range of evidence” that employees were not following Huawei’s own practices and guidelines. Putting my assessor hat on, it’s a fail.

So what can we learn from this?

There are several lessons we can take away. First, whenever you engage with a third party, really do your due diligence. It’s not just about whether they have business insurance and are an appropriately sized company; have you also considered how that third party handles information (perhaps your information), how they will design your software, how they will implement technology, and so on?

Secondly, whether you outsource your software development to a third party or develop in-house, ensure there is a formalised development process in place, with suitable considerations for developing software and checkpoints to ensure software is not rushed out the door with known vulnerabilities. Document what you do and do what you document.

Third, whenever you have your systems tested from a vulnerability or penetration test perspective, remember that application testing is separate from network testing. Be clear in your scope about what is to be tested. As it is harder to break through network defences, attackers are leveraging vulnerabilities in software to get in.

Hope that helps and remember…

“Security is not a compromise”.

Exploited car loan

A colleague sent me a Facebook link, so I thought to share.

A car dealer, James Glen Car Sales in Airdrie, had a customer who wanted to buy a new car – a £40,000 Porsche. That customer was based in London. Perhaps that sounds unusual given the distance, but I know a few other people who have purchased cars far away from them. So, for some of you, this may not sound unusual.

But here’s the thing: the customer said they worked for BB Ltd, but did not want to see the car and only wanted to know what the tyres were like. This is where something does not seem right.

OK, so what happened next? Well, the dealer received the £40,000 from BBL Ltd to pay for the car.

Did you spot the flaw? 

If not, then just try for a few more seconds before reading on. 

The dealer, feeling cautious, phoned their bank to check the funds. The funds were legitimate and could not be withdrawn.

Funds were legitimate, what was the flaw?

The money was transferred from BBL Ltd (not BB Ltd). 

What happened was that the customer asked for an invoice (so had the dealer’s bank details), went online for the dealer’s date of birth and business address, and applied for a bounce back loan in the dealer’s name, for the exact amount of £40,000 to make it look like payment for the car.

The money does belong to the dealership, but only because the dealership has, in effect, taken out a loan! The dealer now owes £40,000 to the bank. If the car had been handed over, the dealer would also have lost the car, making the total loss £80,000.

What is a bounce back loan?

Any small business can claim up to £50,000 and (here is where the flaw was exploited) it can be done quickly and easily. Fill out the form with your details and the money can be sent to your account quickly.

What happened to the customer?

The customer said they would send proof that they had actually sent the money, but they never did.

The original car video here on Facebook:  https://www.facebook.com/watch/live/?v=768150723925568&ref=watch_permalink

Lessons learned

The reason for my post is that in our security world there are often little things businesses can check to spot when something is not genuine. This especially applies to fake emails wanting you to click on malicious links. Things to watch out for include:

  • Small things such as spelling mistakes.
  • The domain name does not look right.
  • Unusual behaviour.
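The “domain name does not look right” check can be automated for the two cases in this post: a counterparty name that is one character away from the expected one (BBL Ltd vs BB Ltd), and a sender domain that is a look-alike of, or merely contains, a trusted domain. The code below is an added example and is not from the original post; the BB Ltd / BBL Ltd pair comes from the story above, while every other name, address and domain (bbltd.example and so on) is constructed for illustration.

```python
"""Near-miss checks for counterparty names and e-mail sender domains.

Added example, not part of the original post. "BBL Ltd" / "BB Ltd" is the
pair from the story; all other names, addresses and domains are constructed.
"""
from __future__ import annotations


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def normalise(name: str) -> str:
    """Lower-case and drop punctuation/whitespace so 'B.B. Ltd' == 'bb ltd'."""
    return "".join(ch for ch in name.lower() if ch.isalnum())


def check_counterparty(seen: str, expected: list[str], max_edits: int = 2) -> dict:
    """Compare the name on a payment against the names you were expecting.

    verdict: 'ok' (exact after normalisation), 'lookalike' (within max_edits
    of an expected name, the BBL Ltd vs BB Ltd pattern) or 'unknown'.
    """
    seen_n = normalise(seen)
    for exp in expected:
        if seen_n == normalise(exp):
            return {"verdict": "ok", "matched": exp, "edits": 0}
    best = min(expected, key=lambda e: edit_distance(seen_n, normalise(e)))
    d = edit_distance(seen_n, normalise(best))
    if d <= max_edits:
        return {"verdict": "lookalike", "matched": best, "edits": d}
    return {"verdict": "unknown", "matched": None, "edits": d}


def check_sender_domain(address: str, trusted: list[str], max_edits: int = 1) -> dict:
    """Same idea for the domain part of an e-mail address.

    'ok' for the trusted domain or a subdomain of it; 'embedded' when a
    trusted name is just one label inside a longer, different domain
    (bbltd.example.attacker.example); 'lookalike' for a one-edit variant
    such as a swapped character; otherwise 'unknown'.
    """
    domain = address.rsplit("@", 1)[-1].lower().strip()
    for t in (x.lower() for x in trusted):
        if domain == t or domain.endswith("." + t):
            return {"verdict": "ok", "matched": t}
        if domain.startswith(t + ".") or ("." + t + ".") in domain:
            return {"verdict": "embedded", "matched": t}
        if edit_distance(domain, t) <= max_edits:
            return {"verdict": "lookalike", "matched": t}
    return {"verdict": "unknown", "matched": None}


if __name__ == "__main__":
    print(check_counterparty("BBL Ltd", ["BB Ltd"]))          # lookalike, 1 edit
    print(check_sender_domain("sales@bbItd.example", ["bbltd.example"]))  # lookalike
```

A verdict of `lookalike` or `embedded` is the prompt to pick up the phone, as the dealer did, rather than a reason to block automatically: legitimate trading names and subsidiaries also differ by a character or two, so the thresholds are tuning knobs, not truth.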

If you have not already, I’d encourage you to read my article on helping to prevent malware infections: https://michaelhopewell.co.uk/covid-19-and-malware-infections/

Hope that helps and remember…

“Doing security is not a compromise.”

Until next time.

#cyberattack, #cybersecurity, #dataprotection, #datasecurity, #datasecuritybreach, #gdpr, #gdprcompliance, #informationsecurity, #infosec, #pcidss, #personaldata, #security, #Covid19, #bouncebackloan

Test and Trace unlawful?

All over the world, there are methods and programmes in place to track and trace people with a particular virus, in this case Coronavirus (Covid-19). The UK is still learning valuable lessons and was in the process of developing a mobile application for test and trace.

Reports from websites (such as https://www.bbc.co.uk/news/technology-53466471) indicate that the Department of Health has admitted to the Open Rights Group (ORG) that it failed to conduct a Data Protection Impact Assessment (DPIA). 

Let us refer to the ICO’s website statement:

“You must do a DPIA before you begin any type of processing that is ‘likely to result in a high risk’.”

Strictly speaking, doing a DPIA at the beginning of a project is not mandatory. However, surely a DPIA should have been performed prior to any processing? The nature of such innovative technology is to collect name, date of birth, postcodes, who people live with, places they visited, and the names and contact details of other people who were in close proximity. So how can you design such a system without a DPIA? As a software developer in a previous life, one of the things we learn is that it is better to get requirements in at the earliest opportunity, because problems cost more to fix the later they are found in the software development lifecycle. One of the things I teach people is to get your functional AND SECURITY requirements in place. Using techniques such as threat modelling and embedding security considerations should be the norm nowadays (alas, I keep on dreaming).

The government is arguing there is no evidence of data being used unlawfully. ORG is stating that a DPIA is a legal requirement that has not been produced. Who should we believe? If it is shown no DPIA was done by the time it was rolled out, all I can do is roll my eyes and question how anyone can design and focus on rushing out a pilot app and only then think “oh, maybe we should think about doing a DPIA”.

One thing I do find curious is that the ICO confirmed to the BBC it was providing guidance as a “critical friend”. What does that mean? I do not know the extent of the co-operation, but I would be surprised if the ICO were working with the government instead of acting as an independent regulator.

I’m sure there is more to come in the subsequent months and when the world has Covid-19 under control. There will be lots of lessons learned. It’s just a shame that we could not learn from other countries that experienced previous forms of Coronavirus in earlier years.

Sadly, often it is the case where I’m called into a business where they are now thinking about security, this “thing called GPDR” or “PCI DSS”.  I take a deep breath in, smile and away we go on their security or compliance journey.

And remember… Doing security is not a compromise.

Was it worth $1.14m?

During these dark times of Covid-19 we are hearing more stories of cyber attacks. The result of a cyber attack can vary, but as we know it affects one of the elements of the security triad (Confidentiality, Integrity and Availability). One such entity fell foul recently.

The University of California San Francisco (UCSF) was in a race to stop malware from spreading. Why? Because this malware encrypted data.

By encrypting data, this affected UCSF in the following ways:

  • Accessing information they urgently need to help develop a cure for Covid-19.
  • Risking sensitive personal information on the dark web.
  • Stress and hassle to negotiate with attackers.

UCSF were in negotiations with the Netwalker criminal gang. This is not an isolated case; all over the world such negotiations are happening. As with any criminals, the advice is not to negotiate, because they can simply do it again and they know it is a numbers game. Someone will pay up at some point.

UCSF is reported to bring in billions, so the attackers raised their ransom demand to $3m.

The decryption software was provided and the data the attackers had was removed from the dark web. One problem is that UCSF only has a “promise” from the attackers that the data would be deleted.

Come on… why would attackers do that? Their incentive for attacking in the first place is to monetise their exploits.

How can we protect ourselves?

Attackers need a way into your system. Often this is an email whose links, if a staff member clicks on them, may inadvertently download malware onto your systems, and so it begins…

Just remember that, being a University, it is not just employees we need to worry about. It is the thousands of students that access the University computers, and it is not surprising that educational entities struggle to protect their systems.

What is the most valuable commodity in the world?

UCSF finally paid, albeit a lower amount than was asked: $1.14m in Bitcoin. But this is a lesson to us all. Let us remind ourselves what the most valuable commodity in the world is. Gold? Oil? As you have guessed, it is information.

Whether you are a solo entrepreneur, a medium-sized business or a large-scale business, we all share the weakest link in security – people. You need to make the users of your systems aware of the dangers of cyber criminals and ensure your usage policies are sufficient.

And finally, backup, backup, backup! Regularly backing up your data will at least provide damage limitation.

And remember…. Security is Not A Compromise!

Stay safe.

#StayHomeSaveLives, #cybersecurity, #infosec, #informationsecurity, #security, #datasecurity, #datasecuritybreach, #personaldata, #gdprcompliance, #dataprotection, #pcidss, #gdpr, #cyberattack, #dataprivacy

What Is Passive Income?

Before we begin. I am not a financial advisor. I have been trained by wealthy people who have helped me become financially free. This is just my own opinion, but secrets leave clues.

Since I was very little, I was always interested in how things worked. At the age of 11 I started programming, and all the way up through my career in security I was still programming. My job as a programmer was to make my life easier and to make my colleagues’ lives easier: automate as many repetitive manual entries or calculations as possible to free up their time, so they can do other things or have a nice long break.

I remember programming somebody’s task, which took them 2 days of manual calculations, down to 3 seconds. 16 hours of savings for the company? Not quite; it just means my colleague can focus on other things.

The point is, throughout my life my mantra has been: how can I do things quicker, easier or better?

I remember one time I was stuck in a rut in a previous company. Here is my timetable.

Every weekday, rinse and repeat. No real life, no time for family, no time for myself. Ask yourself, can you relate to this diagram?

That moment…

I worked really hard and I wanted to be recognised with a higher salary. I wanted to get that nice white crisp envelope with that letter to congratulate me for a good job and here’s the increase in your salary.

That day came when I got a white crisp envelope and with a big grin I was thinking “This is it… this is it”. I opened the letter… “this isn’t it”. The letter said the company were making me redundant.

Boom! I was so disappointed and realised I was just a number. The question I asked myself was “who was in control of my life, me, or the company?”   I would encourage you to ask yourself that question right now.

If you want to change it and take back control of your life, you need passive income.

What is passive income?

In short, you have monthly expenses to pay and here are just some items as examples:

Liabilities             Monthly Expenses    Monthly cost
Residential House       House Mortgage      £600
                        Fuel to travel
                        Council taxes       £120
                        Presents            £20
Mobile Subscription     Mobile Phone        £40
Internet Subscription   Internet
                        Total Expenses:     £2,000

In this example, you will end up with a rough estimate of total expenses of £2,000.

Let’s say you only have your wage coming in: £3,750

Assets                  Monthly Income      Monthly cost
None.                   Wage                £3,750
                        Total Income:       £3,750

The difference between your income (£3,750) and expenses (£2,000) is £1,750. That is your “leftover money” (it is also your “cashflow”, but not yet “passive cashflow”). But what do you do with your leftover money?

  • A lot of people spend it and it is gone.
  • A lot of people save it in the bank account, but because of inflation the purchasing power of that £1 (or $1 if you prefer) goes down over time: the cost of goods and services rises, but that £1 or $1 is still just a pound or a dollar, so you cannot buy the same amount.

Either way, the money is losing value. You have exchanged your hard-earned time for money.

Passive income is the other way round: you make the money work hard for you. Spend money for time.

Let’s say you get a rental property and this could make you an additional £250 per month, let’s see what this difference means. As it is something making you money, it goes into the asset column and we update the income it gives you.

Assets                  Monthly Income      Monthly cost
                        Wage                £3,750
3-bed buy to let.       Rental              £250
                        Total Income:       £4,000

As your expenses may stay around the £2,000, your leftover money is now:

  • Income (£4,000) – Expenses (£2000) = £2,000 leftover (so the increase is £250 as we said earlier).

It’s not lifechanging, but it is a start. And also, that £250 is “passive” (which means it takes little or none of your time to manage). It is passive income.

But let’s assume you go above your monthly expenses. 

Now, let’s take it further so that you have enough income from your passive income investments alone. Let’s assume that your passive income just about covers your total monthly expenses (in this case, from your investments alone and without a wage you have £2,100, which is more than your total expenses of £2,000).

Liabilities             Monthly Expenses    Monthly cost
Residential House       House Mortgage      £600
                        Fuel to travel
                        Council taxes       £120
                        Presents            £20
Mobile Subscription     Mobile Phone        £40
Internet Subscription   Internet
                        Total Expenses:     £2,000

Assets                  Monthly Income      Monthly cost
                        Wage                £3,750
3-bed buy to let.       Rental              £250
3-bed buy to let.       Rental              £400
8-flats                 Rental              £1,600
                        Total Income:       £2,100

This means that technically, you are “financially free”. In reality, you have gained “financial security”, so you can look after yourself if things turn bad in the short term.

Let’s say that instead of a £100 difference per month, you had £1,000, £2,000 or more. You can have a more fruitful life: more time with family, more holidays, more time with hobbies, and so on.

For most people at my age, they will have to retire at 68. I would expect this to go up if the average life expectancy age keeps creeping up.  Do you want to retire and then start enjoying life at 68? I know I do not!

So how do I start?

I would encourage you to start looking at some passive income methods. There are so many out there that it is difficult to know which are truly passive (remember: taking up little or none of your time). Here is a list that I feel are great right now:

Strategy                    Summary
Rent Property               Rent property for a steady stream of monthly passive income.
Affiliate Marketing         Refer people to products and services and you get a commission.
Dropshipping Business       You take money from your customer. You pay a service provider to deliver the goods/service to the customer directly. You keep the difference between the money from the customer and the money you paid to the service provider.
Create YouTube Channel      Money from adverts.
Create royalties            Money from people buying your goods, such as music, DVDs, books.

So, I hope that inspires you to get started. I’d really like to know how you get on. 

Tell me what you are doing about your passive income.  What do you need help with?  If you have any questions, feel free to leave a comment on our social media.

Help your friends and family. Share this with them.

And lastly, security is not a compromise!

To Commercial Service Or Not To Commercial Service…

A business owned by Kent County Council was struck. Commercial Services Group (CSG) was compromised, which meant that, despite the name, some systems were out of commercial service.

From what has been made public so far, a ransom of £800,000 worth of Bitcoin was requested, showing yet another successful ransomware attack. However, no ransom was paid. Some of the information was then leaked onto the Internet.

CSG confirmed no personal data was lost, which is good. “Only” business and corporate information was compromised. However, the company is now firefighting to get its systems back online.

With an annual revenue of circa £350 million and 700 staff, this attack is a big hit, as CSG offers commercial services to authorities, emergency services, schools, utilities and more. It is not a good time, during Covid-19.

It bears the hallmarks…

A statement was made that the ransomware attack managed to avoid three levels of professional IT security. What does that even mean? A spokesperson mentioned that it “bears the hallmarks of starting with a phishing email that was used to introduce a virus that then compromised the network for further attack”. Well, that is rather the idea if you want to get through the technical defences by hacking the human.

KCS says it will “take learning from the incident”, as it took over four weeks for the majority of affected systems to be put back online. That is quite a long time in terms of an incident response plan, if they were testing their plan at least annually.

KCS was informed by the ICO that no legal action would be taken against it. Case closed.

What can we all learn from this?

#StayHomeSaveLives, #cybersecurity, #infosec, #informationsecurity, #security, #datasecurity, #datasecuritybreach, #personaldata, #gdprcompliance, #dataprotection, #pcidss, #gdpr, #cyberattack, #dataprivacy

If you are struggling to understand the “scope” of your cardholder data environment (CDE), refer to the PCI SSC scoping guidance document (https://www.pcisecuritystandards.org/documents/Guidance-PCI-DSS-Scoping-and-Segmentation_v1.pdf). It is intended to help entities appropriately scope their cardholder data environment for PCI DSS.

Why publish?

Many entities still struggle to determine scope, for various reasons, which may include:

  • Many interpretations of adequate segmentation.
  • Motivations for reducing scope.

Why is scope important?

Scoping is still a hot topic. Improper scoping may result in cardholder data (CHD) going unidentified, or in intended or accidental cardholder data leakage. An unidentified cardholder data area is an attractive target for attackers and may lead to a breach.

The scope for PCI DSS includes systems within the cardholder data environment (CDE) that process, store or transmit CHD, systems that connect to the CDE, and systems that impact the security of the CDE.

Conversely, bad interpretations can lead to over-scoping, which is unnecessary and results in ineffective use of resources.

The first stage is to identify the critical people, processes and technology in scope. Only then can you apply the relevant PCI DSS requirements. Believe me, this is never a trivial exercise, and again I emphasise the need for good interpretation.

What is in-scope for PCI DSS?

We can be here for a long time, so I’m just going to summarise the document:

  • CDE system: A system that processes, stores or transmits cardholder data (CHD); OR a system in the same network (e.g. VLAN) as systems that store, process or transmit CHD.
  • Connected-to system OR security-impacting system: A system that connects into the CDE, or could impact the security of the CDE.

Sometimes the above is too generic for applying security controls. Here is one possible way to categorise what is in scope for your PCI DSS assessment:

  • Type 1a (Systems that process, store or transmit CHD): This should be self-explanatory. These are systems where cardholder data is present and could be stolen.
  • Type 1b (Systems inside the CDE): These systems are in the same network segments as Type 1a systems and can be used as an attack vector to steal cardholder data.
  • Type 2a (Connected To): Systems that directly access the CDE via controlled access boundary systems (e.g. firewalls, routers etc.). These systems establish a connection into the CDE or receive communication from the CDE.
  • Type 2b (Connected To): Systems that indirectly access the CDE via controlled access boundary systems (e.g. an administrator workstation that indirectly uses a jump server).
  • Type 2c (Impacts Security of CDE): Any system that could impact the CDE, such as systems that control access, segmentation, patch distribution, logging and monitoring tools.
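To make the five categories concrete, here is an added worked example that classifies a small system inventory into Type 1a/1b/2a/2b/2c or out of scope. It is my own code, not from the PCI SSC guidance or the original post. The inventory, its field names and the system names are constructed, and one simplification is my assumption: a connection counts in whichever direction it is initiated, so a system that only receives communication from the CDE is still Type 2a, as the text describes.

```python
"""Classify a system inventory into the PCI DSS scope categories above.

Added example, not from the original post or the PCI SSC guidance. The
inventory, field names and system names are constructed. Category rules
follow the Type 1a/1b/2a/2b/2c descriptions in the text; treating a
connection as counting in either direction is my assumption.
"""
from __future__ import annotations
from collections import defaultdict

# Constructed sample inventory (no real environment).
INVENTORY = [
    {"name": "pos-app",      "handles_chd": True,  "segment": "cde-app", "connects_to": ["jump01"], "security_function": False},
    {"name": "db-backup",    "handles_chd": False, "segment": "cde-app", "connects_to": [],         "security_function": False},
    {"name": "jump01",       "handles_chd": False, "segment": "mgmt",    "connects_to": [],         "security_function": True},
    {"name": "siem",         "handles_chd": False, "segment": "mgmt",    "connects_to": [],         "security_function": True},
    {"name": "patch-server", "handles_chd": False, "segment": "mgmt",    "connects_to": [],         "security_function": True},
    {"name": "admin-ws-07",  "handles_chd": False, "segment": "corp",    "connects_to": ["jump01"], "security_function": False},
    {"name": "hr-portal",    "handles_chd": False, "segment": "corp",    "connects_to": [],         "security_function": False},
]


def build_graph(inventory):
    """Undirected adjacency: a connection counts whichever side initiates it."""
    adj = defaultdict(set)
    for s in inventory:
        for peer in s["connects_to"]:
            adj[s["name"]].add(peer)
            adj[peer].add(s["name"])
    return adj


def classify(inventory):
    """Return {system name: [categories]}; ['out-of-scope'] if none apply."""
    adj = build_graph(inventory)
    types: dict[str, list[str]] = {}

    # Type 1a: stores, processes or transmits CHD.
    # Type 1b: no CHD itself, but sits in a segment that contains a 1a system.
    cde_segments = {s["segment"] for s in inventory if s["handles_chd"]}
    for s in inventory:
        if s["handles_chd"]:
            types[s["name"]] = ["1a"]
        elif s["segment"] in cde_segments:
            types[s["name"]] = ["1b"]
    cde = set(types)

    # Type 2a: direct connection to a CDE system through the boundary.
    for s in inventory:
        if s["name"] not in cde and adj[s["name"]] & cde:
            types[s["name"]] = ["2a"]
    direct = {n for n, t in types.items() if "2a" in t}

    # Type 2b: reaches the CDE only through a 2a system (e.g. a jump server).
    for s in inventory:
        n = s["name"]
        if n not in cde and n not in direct and adj[n] & direct:
            types[n] = ["2b"]

    # Type 2c: provides a function that can affect CDE security (access
    # control, segmentation, patching, logging). A system can be 2a and 2c.
    for s in inventory:
        if s["security_function"] and s["name"] not in cde:
            types.setdefault(s["name"], []).append("2c")

    return {s["name"]: types.get(s["name"], ["out-of-scope"]) for s in inventory}


def in_scope(inventory):
    """Sorted names of every system that falls into at least one category."""
    return sorted(n for n, t in classify(inventory).items() if t != ["out-of-scope"])


if __name__ == "__main__":
    for name, cats in classify(INVENTORY).items():
        print(f"{name:14} {', '.join(cats)}")
```

Note what the output shows about the jump server: it is both 2a (it connects into the CDE) and 2c (it controls access), so the applicable requirements come from both roles, which is the point made later in this post that the applicability of requirements depends on system function. The administrator workstation is 2b purely by virtue of its path through the jump server.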

Controlled access

Controlled access from, say, “zone A” into the CDE does not mean the network is fully segmented. However, it also does not mean every single system component in zone A is in scope! It means that these communications are more secure than those from uncontrolled systems. These restricted communications should be considered in scope.

Any segmentation controls to fully restrict access must be penetration tested at least annually as per PCI DSS requirement 11.3.4 to ensure segmentation is still effective.

The following statement is interesting:

“It is important to understand the risks and impacts if connected-to system components are excluded or overlooked from PCI DSS scope.”

The way I read this is that if a connected-to system is to be excluded from PCI DSS scope, the risk and impact should be determined first. Let’s consider this scenario:

  • A large bank where 15,000+ user workstations all connect into a virtualised environment.
  • The virtualised environment supports the core banking system (which may process CHD) and non-CHD processing systems.
  • A smaller proportion, 2,000 users, only access the core banking system via secured applications or a secured browser (HTTPS), presented on their desktop via a role-based virtualised system.

The virtualised environment is in scope as it supports the core banking system and card-processing applications. Do the 15,000+ workstations connecting into the virtualised environment mean all 15,000+ workstations are in scope? Maybe “yes”, as each workstation is accessing the virtualised environment hosting the CDE, but maybe “no”, as controls may be in place to restrict the presentation of access and applications on the desktop to where the user role requires it.

Shared services

There are some system components that provide a service to both the corporate network and the CDE. I consider these “management systems”, which provide management or security functions such as:

  • Directory and authentication (Active Directory, LDAP, AAA etc.)
  • SMTP
  • Anti-virus
  • Logging and monitoring
  • Bastion Host/Jumpbox

For this reason, you do not want the full corporate network to be able to communicate with these management systems. These management systems / shared services should sit in their own management zone:

  • Only components within the management zone can then connect into the CDE.
  • The corporate LAN can connect to the management zone / shared services.

Administrator workstations are categorised as “Connected To” devices (see Type 2b above) and are in scope for PCI DSS review.
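The zone model just described (corporate LAN may reach the management zone, only the management zone may reach the CDE) is easy to state and easy to break with one rule added during an outage. The added example below, my own code and not from the original post, audits a firewall rule set against that model. The address plan, rule format and the rules themselves are constructed; only the two allowed directions come from the text, and any other cross-zone allow is reported as a finding.

```python
"""Audit firewall rules against the management-zone model described above.

Added example, not from the original post. ZONES, the rule format and
SAMPLE_RULES are constructed; the allowed directions are from the text.
"""
from __future__ import annotations
import ipaddress

ZONES = {  # constructed address plan
    "corp": ipaddress.ip_network("10.10.0.0/16"),
    "mgmt": ipaddress.ip_network("10.20.0.0/24"),
    "cde":  ipaddress.ip_network("10.30.0.0/24"),
}
# Permitted cross-zone directions (source zone, destination zone). Flows that
# stay inside one zone are not cross-zone and are not judged here.
ALLOWED = {("corp", "mgmt"), ("mgmt", "cde")}

# Constructed rule set with one direct corp -> CDE allow (rule 3) and one
# "from anywhere" allow into the CDE (rule 6) that both violate the model.
SAMPLE_RULES = [
    {"id": 1, "action": "allow", "src": "10.10.0.0/16",  "dst": "10.20.0.0/24",   "port": 636},   # corp -> LDAPS in mgmt
    {"id": 2, "action": "allow", "src": "10.20.0.5/32",  "dst": "10.30.0.0/24",   "port": 22},    # jump host -> CDE
    {"id": 3, "action": "allow", "src": "10.10.5.0/24",  "dst": "10.30.0.10/32",  "port": 3389},  # corp subnet -> CDE host
    {"id": 4, "action": "deny",  "src": "0.0.0.0/0",     "dst": "10.30.0.0/24",   "port": None},  # catch-all deny into CDE
    {"id": 5, "action": "allow", "src": "10.10.0.0/16",  "dst": "10.10.0.0/16",   "port": None},  # intra-corp
    {"id": 6, "action": "allow", "src": "0.0.0.0/0",     "dst": "10.30.0.0/24",   "port": 443},   # anywhere -> CDE
]


def zone_of(cidr: str) -> str:
    """Name of the zone that fully contains this prefix, else 'unknown'."""
    net = ipaddress.ip_network(cidr)
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    return "unknown"


def audit(rules: list[dict]) -> list[dict]:
    """One finding per 'allow' rule whose (source zone, destination zone)
    is not in ALLOWED. Deny rules are never findings; an 'unknown' source
    zone into any named zone is always a finding."""
    findings = []
    for r in rules:
        if r["action"] != "allow":
            continue
        src, dst = zone_of(r["src"]), zone_of(r["dst"])
        if src == dst and src != "unknown":
            continue  # intra-zone traffic
        if (src, dst) not in ALLOWED:
            findings.append({"rule": r["id"], "src_zone": src, "dst_zone": dst})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_RULES):
        print(f"rule {f['rule']}: {f['src_zone']} -> {f['dst_zone']} is not permitted")
```

Rule 4 shows why this audit looks at allow rules rather than trusting the presence of a deny: a broad deny into the CDE proves nothing if an allow for the same traffic sits elsewhere in the policy. An audit like this is a desk check, not a substitute for the annual segmentation penetration test the post mentions; the test confirms what the device actually does, the audit confirms what the rule set says.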

Who is responsible for determining scope?

We must remind ourselves that the assessor is independent. The responsibility for determining the scope lies with the entity being assessed. The entity should confirm the people, processes and technology in scope and retain documentation of how this was determined. The assessed entity is responsible for determining its scope annually.

The assessor trusts, but verifies, to confirm the scope is defined and documented properly. However, should the scope not be correct, the assessor must work with the entity to determine the correct scope prior to the assessment, so that boundaries and applicable requirements are agreed.


Scoping will always be down to interpretation, and the scoping guidelines published by the PCI SSC will help. The opinions in this document are mine alone. You need to work with your assessor to determine their interpretation of the standard and of scoping. The key findings are:

  • There is now more clarity on which connected-to systems are in scope. Any system to be excluded from scope must be evaluated and risk assessed.
  • Administrator workstations connecting directly or indirectly to the CDE are always in scope.
  • It is important to note that no solution eliminates all PCI DSS requirements. The applicability of requirements depends on the system’s function.
  • Review the types/categories of systems in scope and review third-party access against this.
  • All segmentation controls must be penetration tested at least annually.

Finally, even if your environment seems in principle to be a typical one, your scope is likely to be different because of different people, processes and technology. What is your scope? I will put my QSA hat on and say “It depends”!

Did you find this post useful? Feel free to share and link to this article.

You Need Documentation?

A gap assessment reviews how a system or process measures up against your checklist or benchmark, in order to identify any gaps.

Whenever doing a gap assessment, in my experience there is always one general area where a company is almost certainly lacking. It’s that dreaded word (and not dreaded by programmers only)… Yes, it’s documentation!

NOTE: My apologies to programmers. I used to be (and I still am though scrappy now) a programmer. I know how you feel. I felt the same way. I hated documentation. But I’ve seen the light being on the other side of the fence and it’s for the greater good. Trust me.

Companies are generally missing documentation and whenever doing PCI-related assessments documentation is key. We have a problem.

Never fear, this is easier to fix than expected, as in many cases the companies are doing things in a PCI DSS (or other PCI-type assessment) compliant manner, but it’s just not documented. Often, I find they do not understand the difference between a policy, a process and a procedure, and don’t know where to begin.

PCI policies, processes and procedures?

PCI DSS v3.0 is great as it clearly spells out in the reporting requirements whether a documented policy, or documented process/procedure is required. My suggestion is you do them all in a certain order as follows:

  • Write your policy: Business rules and guidelines – the high level objectives you want to meet. Don’t include the how (process/procedure).
  • Write your process: These are the activities to produce a specific output.
  • Write your procedure: These are the underlying tasks that result in your process being fulfilled.

I still do not understand, can you give me an example?

As an example:

Policy: All system components must be hardened according to their respective hardening guides.

So let us assume you have firewalls. You need your own firewall hardening guide.

  • Process: Prevent internal addresses coming from the outside.
    • Type command XXXXXXXXXX (task/procedure)
    • Type command XXXXXXXXXX (task/procedure)
  • Process: Remove the default password.
    • Type command XXXXXXXXXX (task/procedure)
    • Type command XXXXXXXXXX (task/procedure)

There are many ways to write your documentation, and I’d encourage you to split them into appropriate documents.

NOTE: In the past I’ve seen some companies keep just a few large documents purely to satisfy PCI DSS – please split the documents up in a way that is workable for your business.


Your document is not intended to be read by everyone. The document has an intended audience, so make it clear by writing an introduction. For example:

“The scope of this document applies to firewall administrators.”

Roles and Responsibilities?

Of course, PCI DSS wants to know the roles and responsibilities. For example:

“Firewall administrators are responsible for applying this hardening document to all firewalls prior to installation into the production environment. All firewall administrators will need written approval before installing any firewall into the production system. Firewall administrators are required to test all firewalls after making changes to firewalls.

The owner of this document is the <insert title> who will ensure this document is kept up to date.”


You need to demonstrate that you update documents at specific times as addressed by the PCI DSS. There are some ways to meet this. I strongly encourage you to use a versioning table. Consider including:

  • Version
  • Last modified date
  • Changes made
  • Reviewed/approved

You will then be able to demonstrate how frequently it was reviewed.

Hint: Stick in a policy somewhere to confirm the frequency:

“This document will be reviewed every x months”

(where x is the frequency required)

So, what is the benefit of this framework?

  • Confirms roles/responsibilities: Personnel know who is responsible for what device/process/system.
  • Mitigates ambiguity in configuration: Follow the step by step procedures as detailed in the documents and in principle your system components should be hardened to the same level.
  • Faster implementation: Often, you can copy/paste the commands into your system components and execute the command. This reduces human error/typos.
  • Reviews: You can demonstrate required review periods and updates made according to your business or changes to the standards.


In summary, documentation is a key element to passing an assessment. Documentation determines correct business objectives, correct and consistent configuration, clear roles and responsibilities and also Business As Usual (maintain compliance by following compliant practices in a timely manner).

This is not an easy task to do, but once you have got it, you won’t need to rewrite it again! But remember, you will need to demonstrate that documents are reviewed at various times throughout the year in order to maintain compliance.


  • Document your policy
  • Document your procedure
  • Document your tasks to meet your procedure(s)
  • Include a scope section
  • Include a roles/responsibilities section
  • Include a version table
  • Document the frequency to review and update the document.
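As an added example (not part of the original post), the checklist above can be applied mechanically to a document before an assessor sees it. The sample document, its section labels, the owner name and the dates are constructed for illustration; the checker flags missing sections, a missing version table, versions without a recorded approval, and a review that is overdue against the stated frequency.

```python
import re
from datetime import date

# Constructed sample hardening document (an assumption for this example, not
# text from the post). Layout: "Label: text" lines plus a pipe-separated table.
SAMPLE_DOC = """Firewall Hardening Guide
Scope: The scope of this document applies to firewall administrators.
Roles and responsibilities: Firewall administrators apply this document to all firewalls.
Document owner: Head of Network Security
Review frequency: 6 months
Version | Last modified | Changes made | Reviewed/approved
1.0 | 2019-11-05 | Initial release | Approved by J. Smith
1.1 | 2020-03-20 | Added logging hardening steps | Approved by J. Smith
"""

# Sections the checklist calls for: scope, roles, owner, review frequency
# and a version table (identified here by its header cell).
REQUIRED = ("Scope:", "Roles and responsibilities:", "Document owner:",
            "Review frequency:", "Version |")

def add_months(d, months):
    """Shift a date by whole months, clamping the day to the 28th to stay valid."""
    month = d.month - 1 + months
    return date(d.year + month // 12, month % 12 + 1, min(d.day, 28))

def version_rows(text):
    """Return (version, modified date, changes, approval) tuples from the table."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) == 4 and re.fullmatch(r"\d+\.\d+", cells[0]):
            rows.append((cells[0], date.fromisoformat(cells[1]), cells[2], cells[3]))
    return rows

def check_document(text, today):
    """Return the findings an assessor would raise; an empty list means clean."""
    findings = [f"missing section: {s}" for s in REQUIRED if s not in text]
    rows = version_rows(text)
    if not rows:
        return findings + ["no version table rows found"]
    m = re.search(r"Review frequency:\s*(\d+)\s*months", text)
    if m:
        due = add_months(rows[-1][1], int(m.group(1)))
        if today > due:
            findings.append(f"review overdue: last reviewed {rows[-1][1]}, due {due}")
    for ver, _, _, approval in rows:
        if "Approved" not in approval:
            findings.append(f"version {ver} has no recorded approval")
    return findings
```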

Once you have written your documents (and had them checked), go and relax. You deserve it!

If you still need policies, simply subscribe to my newsletter. Then get in contact.




Which PCI DSS SAQ is Right For Me?

So your acquirer/merchant bank has asked you to complete a Self-Assessment Questionnaire (SAQ)? Are you confused about which SAQ to complete? Don’t know where to start?

… Don’t worry. You’re not alone!

Since PCI DSS 3.0, further SAQs have been introduced, which can add to the confusion.

In the beginning…

A lot of merchants do not realise why their acquirer is asking for their SAQ. So let’s recap a little of what is going on behind the scenes, so that you, as the merchant, have a little more insight into why SAQs are being asked for.

As a merchant, you have agreed a contract with your merchant bank (the “acquirer”). Somewhere in that contract it is likely to state you will satisfy/maintain PCI DSS compliance.

It’s a FINE time… don’t you think?

Acquirers must report on a frequent basis the security position of all their merchants to the payment brands (Visa, MasterCard, JCB, Discover and Amex). If they cannot report this security position to the brands, then your acquirer may receive a financial penalty (basically a big fine). So hopefully you can see that it is in your acquirer’s best interest to get this information from you to avoid the fine!

  Payment Brand >>> Acquirer >>> Merchant

Your acquirer may have a right to pass this fine on to you, the merchant, and therefore you may have had warning letters saying you must report your status or you may be fined. Does this sound familiar?

So hopefully you can see the first problem – your acquirer does not know your security posture. To do this, you must complete your SAQ, which reports to them your security posture – in short, how PCI DSS compliant you are. The second question is which SAQ are you eligible for? We discuss them below.

HINT: The main risk is in processing, storing or transmitting cardholder data electronically. This means cardholder data traversing your networks electronically, and therefore the more you do electronically over your network, the harder the SAQ. If you store cardholder data electronically, then this data is at a higher risk of being stolen – if you store cardholder data electronically, go to SAQ D (if you are eligible to fill out a SAQ).

SAQ A – “the outsourcing model”

In short, this applies to Card-Not-Present (CNP) merchants (e-Commerce or mail order/telephone order) who have fully outsourced ALL cardholder data processing functions to a PCI DSS compliant service provider. This means you do not process, store or transmit any cardholder data at all on your merchant systems or merchant premises.

Examples may include:

  • Football clubs who have outsourced all payment functions to a call centre or other third parties to take payment.
  • An online store who has outsourced all online payment functions to a PCI DSS compliant service provider*.

* Be careful as it could be SAQ A/EP depending on how it is processed online – ask your acquirer or a Qualified Security Assessor (QSA) for help.

SAQ A/EP – “Payment taking outsourced, but we host the website bit”

Introduced under PCI DSS v3.0, this applies to e-Commerce merchants who rely on third parties for payment taking, but who have a website that could impact the security of the payment taking (someone could compromise your web server and change where or how payments are taken). Like SAQ A, this means you do not process, store or transmit any cardholder data at any point on your merchant systems or merchant premises.

An example is where you own the web server and host the website, but perhaps you use a “silent order post” (silent order post is a long discussion outside the scope of this post).

SAQ B – “Ye Olde Plain Ol’ Telephone System (POTS)”

I love this one. It is the classic case whereby you process card data via:

  • A standalone payment terminal that connects to your telephone line to process payments.
  • Or, on the rare occasion your payment terminal does not work, an imprint machine (remember those machines where you physically take the card and create a carbon copy?).

The imprint machine “Ker-chunk”

SAQ B/IP – “The Networked Terminal”

In short, the telephone terminals are being replaced with terminals you plug into your network (IP-based terminals). As with SAQ B, you do not store cardholder data electronically.

Examples include lots of retailers such as supermarkets. Because the terminals are connected to networks, these terminals tend to process data very quickly.

SAQ C – “The payment application SAQ”

Self-explanatory: you use payment applications to process cardholder data. This excludes payment applications accessed through Internet browsers… that’s the next one, SAQ C/VT. Also note your systems do not store cardholder data electronically.

SAQ C/VT – “The Virtual Terminal”

This is where you enter cardholder data one transaction at a time through an Internet browser-based application/website. The application/website is hosted by a PCI DSS compliant service provider. Also note your systems do not store cardholder data electronically.

P2PE-HW – “Silver bullet for de-scoping”

Well, maybe it is not the silver bullet, but many merchants look to this, as they simply do not feel the overhead of maintaining a collection of PCI DSS controls is pragmatic for their business. In essence, if you use a terminal that has been P2PE validated, then the bits between your terminal and your payment processor may be deemed “out of scope” and therefore the long list of associated PCI DSS controls is no longer applicable*. Also note your systems do not store cardholder data electronically.

* NOTE: P2PE comes with its own additional requirements that may be difficult to maintain.

SAQ D – “you’re a rogue”

This is where you don’t fit into any of the other SAQs. It’s most likely that you’ll be storing cardholder data.

The main discussion I hear from merchants is a misunderstanding between SAQ A and SAQ A/EP. If this sounds familiar, seek advice from your acquirer and/or a QSA. There are ways to drop down from SAQ A/EP to SAQ A, and you can actually apply specific actions relatively quickly to achieve this, but the question is whether a business is open minded enough to change how the website works.
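As an added example (not part of the original post, and not the PCI SSC’s official eligibility criteria), the SAQ walkthrough above can be written as a first-match decision rule over yes/no answers about a merchant’s channels. The profile field names are assumptions, and two simplifications are assumed: any electronic storage of cardholder data goes straight to SAQ D, and a merchant with more than one payment channel falls through to SAQ D as the conservative default. Confirm the real answer with your acquirer or a QSA.

```python
from dataclasses import dataclass

@dataclass
class MerchantProfile:
    """Yes/no answers about a merchant's card channels (field names assumed)."""
    stores_chd_electronically: bool = False    # any electronic cardholder data storage
    card_not_present_only: bool = False        # e-Commerce and/or mail order/telephone order
    fully_outsourced: bool = False             # ALL payment functions at a compliant provider
    hosts_payment_web_page: bool = False       # own web server influences the payment flow
    dial_out_terminal_or_imprint: bool = False # standalone terminal on a phone line / imprinter
    ip_terminals: bool = False                 # terminals plugged into the merchant network
    payment_application: bool = False          # payment application on merchant systems
    virtual_terminal_only: bool = False        # card data keyed into a hosted browser app
    p2pe_validated_terminals: bool = False     # terminals from a validated P2PE solution

def channel_count(p: MerchantProfile) -> int:
    """Number of distinct ways the merchant accepts cards (P2PE is a property, not a channel)."""
    return sum([p.fully_outsourced, p.dial_out_terminal_or_imprint, p.ip_terminals,
                p.payment_application, p.virtual_terminal_only])

def select_saq(p: MerchantProfile) -> str:
    """Map a profile to the SAQ described in the post; the first matching rule wins."""
    # Electronic storage lands in SAQ D whatever the channel (the HINT above).
    if p.stores_chd_electronically:
        return "SAQ D"
    # Assumption: mixed channels do not fit a single reduced SAQ.
    if channel_count(p) > 1:
        return "SAQ D"
    # "The outsourcing model" versus "we host the website bit".
    if p.card_not_present_only and p.fully_outsourced:
        return "SAQ A/EP" if p.hosts_payment_web_page else "SAQ A"
    # A validated P2PE terminal de-scopes the path to the processor.
    if p.p2pe_validated_terminals:
        return "P2PE-HW"
    if p.virtual_terminal_only:
        return "SAQ C/VT"
    if p.payment_application:
        return "SAQ C"
    if p.ip_terminals:
        return "SAQ B/IP"
    if p.dial_out_terminal_or_imprint:
        return "SAQ B"
    # Nothing else fits: "you're a rogue".
    return "SAQ D"
```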

I hope you understand the reporting obligations of the acquirers to the payment brands and why they keep asking you to complete a SAQ. 

Phew! That’s pretty much the end of this long post. Well done if you’re still reading this. I hope you received some value out of this. If you have, share this website link with others.