Test and Trace

In the UK, the government has rolled out the Test and Trace system. According to the website (https://www.gov.uk/government/publications/coronavirus-covid-19-testing-privacy-information/testing-for-coronavirus-privacy-information-quick-read–2) you will be sent a text or email alert with your test result.  The results will indicate whether you have Covid-19 and therefore you and your household can take appropriate action.

If you have Covid-19 you will be invited and can voluntarily take antibody tests and donate blood plasma.  But fundamentally you will be expected to self-isolate.

So far nothing unusual.

Personal Data

It later names the data controller (the Department of Health and Social Care, DHSC) and lists the details they may need, which include personal data such as name, date of birth, gender and more. This also includes GDPR special category data such as ethnicity.

The laboratory will analyse your test and your test result will be shared with NPEx, but do not worry, NPEx only have your specimen ID. NPEx will then pass your result to the NHS Business Services Authority to inform you of your result.

What they will also do is regularly contact you by phone and text to monitor that you are self-isolating.  You have three chances to respond.  If you do not, your local authority is informed to investigate. There are some reasonable excuses not to self-isolate.

However, if they feel your excuse is not reasonable and it suggests you are not complying, your details are passed to local police forces.

The fine for a criminal offence is £1,000, rising to £10,000 for repeated offences.

Ready To Sign Up?

So, what impact will this have?  For some, this sharing of personal data with the police may deter them from being tested.  There are numerous fears that could be put into someone’s mind. How do I get the kids to school?  How do I do my food shopping if there are no deliveries? How will the business cope without me?  How do I get income to cover my expenses this month?

Modern Technology?

The UK test and trace system was rolled out earlier this year and had a shaky start.  There were reports of test and trace agents sitting around not making calls – I know this is true, as I have seen the training on Zoom and the staff with my own eyes. I even helped an individual by buying their headphones and extension network cables (as the service provider did not provide these for work), before a whole myriad of people were then fired within the first couple of weeks of the Test and Trace system officially being “in use”.

Let us not forget the Excel spreadsheet that resulted in 16,000 coronavirus cases being unreported (https://www.bbc.co.uk/news/technology-54423988).

Is using the CSV file format really the best way to analyse such results and interchange data in this modern age?  I dread to think how they are exchanging our personal data with the Police!

Hope they do better and remember…

Security is not a compromise.

5G What Can We Learn

We live in a world that is dependent on tech.  I’m going to generalise, but before Covid, when I looked around in restaurants, bars or social gatherings, many of us had our heads down (alas, I am a culprit too). Heads down unhappy? No, heads down seeing what exciting video, news or pop-up WhatsApp/Facebook/text message would appear.

I’m not one to look at dancing cat videos, but many of us are streaming music and full movies on Netflix or Amazon Prime.  The point is that we are demanding devices with larger capacity and, fundamentally, faster download speeds.

At the time of writing, working remotely is the norm.  Businesses that were reluctant to let their employees work from home suddenly need those employees to have decent Internet speeds. People can tether to their mobile phones at 4G speeds, which may sometimes exceed their home broadband landline speeds.

We want more!

There is always a lot of buzz when 5G is announced in a country. Why not? 5G could be up to 100x faster than 4G, delivering what an interconnected society needs. 5G is the thing, right?

Great, when does it arrive?

Implementing any opportunity has its risks and 5G is no exception. 5G will require deployment in a country’s mobile networks. News from the BBC suggests that Huawei failed to tackle security flaws in its equipment.  We were already aware that there were vulnerabilities, but the report suggests that, even recently, the National Cyber Security Centre (NCSC) saw no evidence of improvement.

Huawei’s response states: “The report acknowledges that while our software transformation process is in its infancy, we have made some progress in improving our software engineering capabilities”.

What does that mean?  That is so concerning for such a huge company.

I do not know the extent of its “infancy”, but as an assessor/auditor, and putting my software developer hat on, it’s not that hard to build security considerations into the software development process. The traditional stages (requirements, design, coding and testing) can each include security considerations. For example: what security requirements do we need? How do we design using threat modelling? How do we code using secure coding guidelines and training, and test securely with vulnerability scanners and penetration testing methodologies?

Even with agile methods, you can still implement security considerations and checkpoints.

Document what you do and do what you document.

The report also highlighted “poor coding practices” and a “range of evidence” that employees were not following Huawei’s own practices and guidelines – putting my assessor hat on, it’s a fail.

So what can we learn from this?

There are several things we can take away as lessons learned. First, whenever you are engaging with a third party, ensure that you really do your due diligence. It’s not just about whether they have business insurance and are an appropriately sized company; have you also considered how that third party handles information (perhaps your information), how they will design your software, how they will implement technology, etc.?

Secondly, whether you are outsourcing your software development to a third party or have in-house development, ensure that there is a formalised development process in place with suitable considerations for developing software and checkpoints to ensure software is not rushed out the door with known vulnerabilities. Document what you do and do what you document.

Third, whenever you have your systems tested from a vulnerability or penetration test perspective, remember that application testing is separate from network testing. Be clear in your scope what is to be tested.  As it is harder to break through network defences, attackers are leveraging vulnerabilities in software to get in.

Hope that helps and remember…

“Security is not a compromise”.

Exploited car loan

A colleague sent me a Facebook link, so I thought I would share it.

A car dealer, James Glen Car Sales in Airdrie, had a customer who wanted to buy a new car – a £40,000 Porsche.  That customer was based in London. Perhaps that may sound unusual, being so far away, but I know a few other people who have purchased cars far from home.  So, for some of you, this may not sound unusual.

But here’s the thing: the customer said they worked for BB Ltd, yet the customer did not want to see the car and only wanted to know what the tyres were like. This is where something does not seem right.

OK, so what happened next?  Well, the dealer received the £40,000 from BBL Ltd to pay for the car.

Did you spot the flaw? 

If not, then just try for a few more seconds before reading on. 

The dealer, feeling cautious, phoned their bank to check the funds.  The funds were legitimate and could not be withdrawn.

Funds were legitimate, what was the flaw?

The money was transferred from BBL Ltd (not BB Ltd). 

What happened was that the customer asked for an invoice (so they had the bank details), went online for the dealer’s date of birth and business address, and applied for a bounce back loan in the dealer’s name for the exact amount of £40,000, to make it look like it was payment for the car.

The money does belong to the dealership, but only because the dealership had, unknowingly, taken out a loan! The dealer now owes £40,000 to the bank. If the car had been handed over, the dealer would also have lost the car, making the total loss £80,000.

What is a bounce back loan?

Any small business can claim up to £50,000 and (here is where the flaw was exploited) it can be done quickly and easily. Fill out the form with your details and the money can be sent to your account quickly.

What happened to the customer?

The customer said they would send proof that they had actually sent the money, but they never did.

The original car video here on Facebook:  https://www.facebook.com/watch/live/?v=768150723925568&ref=watch_permalink

Lessons learned

The reason for my post is that in our security world there are often little things a business can check to spot something false. This especially applies to fake emails that want you to click on malicious links.  Things to watch out for include:

  • Small things such as spelling mistakes.
  • The domain name does not look right.
  • Unusual behaviour.
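One way to turn these checks into code, as an added example that is not from the original post: a near-miss comparison that flags a remitter name or sender domain which is close to, but not the same as, the one you expected (the post’s BB Ltd versus BBL Ltd). The names, domains, suffix list and edit-distance threshold below are constructed for the example.

```python
"""Near-miss check for counterparty names and sender domains (added example).

A remitter that almost matches the invoiced customer ("BBL Ltd" for "BB Ltd")
or a sender domain one character off the real one is exactly the small thing
the post says to watch for. All sample values below are constructed.
"""
import re
from typing import Tuple

# Company suffixes ignored so "BB Ltd" and "BB Limited" compare as the same name.
_SUFFIXES = {"ltd", "limited", "plc", "llp", "inc", "llc"}
# Look-alike substitutions folded before measuring distance ("paypa1" -> "paypal").
_CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s")]


def normalise(text: str) -> str:
    """Lower-case, strip punctuation and drop legal suffixes."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", text.lower()).split()
    return " ".join(t for t in tokens if t not in _SUFFIXES)


def fold_confusables(text: str) -> str:
    """Replace characters that impersonate others so the distance ignores them."""
    for src, dst in _CONFUSABLES:
        text = text.replace(src, dst)
    return text


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute), two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def compare(expected: str, observed: str, max_edits: int = 2) -> Tuple[str, int]:
    """Classify observed against expected: "match", "lookalike" or "different".

    The second value is the edit distance after normalising and folding
    confusables. "lookalike" is the dangerous band: close enough to pass a
    glance, but not the same, so the payment or email deserves a phone call.
    """
    e, o = normalise(expected), normalise(observed)
    if e == o:
        return "match", 0
    distance = levenshtein(fold_confusables(e), fold_confusables(o))
    if distance <= max_edits:
        return "lookalike", distance
    return "different", distance


if __name__ == "__main__":
    for pair in [("BB Ltd", "BBL Ltd"), ("BB Ltd", "BB Limited"),
                 ("paypal.com", "paypa1.com"), ("BB Ltd", "Acme Holdings")]:
        print(pair, "->", compare(*pair))
```

The same function applies to the sender domain of an email and to the payer name on a bank statement; a “lookalike” result is the cue to pick up the phone rather than rely on the funds or the link.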

If you have not already, I’d encourage you to read my article on helping prevent malware infections:   https://michaelhopewell.co.uk/covid-19-and-malware-infections/

Hope that helps and remember…

“Doing security is not a compromise.”

Until next time.

Test and Trace unlawful?

All over the world, there are methods and programmes in place to track and trace people with a particular virus, in this case Coronavirus (Covid-19).  The UK is still learning valuable lessons and was in the process of developing a mobile application for test and trace.

Reports from websites (such as https://www.bbc.co.uk/news/technology-53466471) indicate that the Department of Health has admitted to the Open Rights Group (ORG) that it failed to conduct a Data Protection Impact Assessment (DPIA). 

Let us refer to the ICO’s website statement:

“You must do a DPIA before you begin any type of processing that is “likely to result in a high risk”.

Strictly speaking, doing a DPIA at the beginning of a project is not mandatory. However, surely a DPIA should have been performed prior to any processing?  The nature of such innovative technology is to collect name, date of birth, postcodes, who people live with, places they visited, and the names and contact details of other people who were in close proximity.  So how can you design such a system without a DPIA?   As a software developer in a previous life, one of the things we learned is that it is better to get requirements in at the earliest opportunity, because fixing problems later in the software development lifecycle costs more money.  One of the things I teach people is to get your functional AND SECURITY requirements in place. Using techniques such as threat modelling and embedding security considerations should be the norm nowadays (alas, I keep on dreaming).

The government is arguing there is no evidence of data being used unlawfully.  ORG is stating that a DPIA is a legal requirement that has not been produced.  Who should we believe?  If it is shown no DPIA was done by the time it was rolled out, all I can do is roll my eyes and question how anyone can design and focus on rushing out a pilot app and only then think “oh, maybe we should think about doing a DPIA”.

One thing I do find curious is that the ICO confirmed to the BBC it was providing guidance as a “critical friend”. What does that mean?   I do not know the extent of the co-operation, but I would be surprised if the ICO were working with the government instead of acting as an independent regulator.

I’m sure there is more to come in the coming months and when the world has Covid-19 under control.  There will be lots of lessons learned. It’s just a shame that we could not learn from other countries that experienced earlier forms of Coronavirus in previous years.

Sadly, it is often the case that I’m called into a business that is only now thinking about security, this “thing called GDPR” or “PCI DSS”.  I take a deep breath in, smile and away we go on their security or compliance journey.

And remember… Doing security is not a compromise.

Was it worth $1.14m?

In these dark times of Covid-19 we are hearing more stories of cyber attacks. The result of a cyber attack can vary, but as we know it affects one of the elements of the security triad (Confidentiality, Integrity and Availability). One such entity fell foul recently.

The University of California San Francisco (UCSF) was in a race to stop malware from spreading.  Why?  Because this malware seemed to encrypt data.

By encrypting data, the malware affected UCSF in the following ways:

  • Loss of access to information they urgently needed to help develop a cure for Covid-19.
  • Sensitive personal information at risk of being leaked on the dark web.
  • The stress and hassle of negotiating with the attackers.

UCSF were in negotiations with the Netwalker criminal gang.  This is not an isolated case; all over the world negotiations are happening.   As with any criminals, the advice is not to negotiate, because they can simply do it again and they know it is a numbers game.  Someone will pay up at some point.

Fundamentally, UCSF is reported to have made billions, so the attackers upped their ransom to $3m.

The decryption software was provided and the data the attackers held was removed from the dark web.  One problem is that UCSF only has a “promise” from the attackers that the data would be deleted.

Come on… why would attackers do that?  Their incentive was to monetise their attack in the first place.

How can we protect ourselves?

Attackers need a way into your system. Often this is an email: if a staff member clicks on its links, malware may inadvertently be downloaded onto your systems, and so it begins…

Just remember that being a University, it is not just employees that we would need to worry about. It is the thousands of students that access the University computers and it is not surprising educational entities struggle with protecting their systems.

What is the most valuable commodity in the world?

UCSF finally paid, albeit a lower amount than was asked, at $1.14m in Bitcoin. But this is a lesson to us all.  Let us remind ourselves: what is the most valuable commodity in the world? Gold? Oil? As you may have guessed, it is information.

Whether you are a solo entrepreneur, a medium-sized business or a large-scale business, we all suffer from the same thing: the weakest link in the security chain is people. You need to make the users of your systems aware of the dangers of cyber criminals and ensure your usage policies are sufficient.

And finally, backup, backup, backup! Regularly backing up your data will at least limit the damage.

And remember…. Security is Not A Compromise!

Stay safe.

What Is Passive Income?

Before we begin: I am not a financial advisor. I have been trained by wealthy people who have helped me become financially free. This is just my own opinion, but secrets leave clues.

Since I was very little, I was always interested in how things worked.  At the age of 11, I started programming, and all the way up through my career in security I was still programming.  My job as a programmer was to make my life easier and to make my colleagues’ lives easier: automate as many repetitive manual entries or calculations as possible to free up their time, so they can do other things or have a nice long break.

I remember automating somebody’s task, turning 2 days of manual calculations and tasks into 3 seconds.  16 hours of saving for the company? Not quite; it just means my colleague can focus on other things.

The point is, throughout my life my mantra has been: how can I do things quicker, easier or better?

I remember one time I was stuck in a rut in a previous company. Here is my timetable.

Every weekday, rinse and repeat. No real life, no time for family, no time for myself. Ask yourself, can you relate to this diagram?

That moment…

I worked really hard and I wanted to be recognised with a higher salary. I wanted to get that nice white crisp envelope with that letter to congratulate me for a good job and here’s the increase in your salary.

That day came when I got a white crisp envelope and with a big grin I was thinking “This is it… this is it”. I opened the letter… “this isn’t it”. The letter said the company were making me redundant.

Boom! I was so disappointed and realised I was just a number. The question I asked myself was “who was in control of my life, me, or the company?”   I would encourage you to ask yourself that question right now.

If you want to change it and take back control of your life, you need passive income.

What is passive income?

In short, you have monthly expenses to pay and here are just some items as examples:

Liabilities            | Monthly Expenses | Monthly cost
Residential House      | House Mortgage   | £600
                       | Fuel to travel   |
                       | Council taxes    | £120
                       | Presents         | £20
Mobile Subscription    | Mobile Phone     | £40
Internet Subscription  | Internet         |
                       | Total Expenses:  | £2,000

In this example, you will end up with a rough estimate of total expenses of £2,000.

Let’s say you only have your wage coming in: £3,750

Assets  | Monthly Income | Monthly cost
None.   | Wage           | £3,750
        | Total Income:  | £3,750

The difference between your income (£3,750) and expenses (£2,000) is £1,750. That is your “leftover money” (it is also your “cashflow”, but not yet “passive cashflow”), but what do you do with your leftover money? 

  • A lot of people spend it and it is gone. 
  • A lot of people save it in the bank, but because of inflation the purchasing power of that £1 (or $1 if you prefer) goes down over time (i.e. the cost of goods and services goes up over time, but that £1 or $1 is still just a pound or dollar, so you cannot buy the same amount).

Either way, the money is losing value.  You have spent your hard-earned time for money.

Passive income is the other way where you use the money to work hard for you. Spend money for time.

Let’s say you get a rental property and this could make you an additional £250 per month, let’s see what this difference means. As it is something making you money, it goes into the asset column and we update the income it gives you.

Assets              | Monthly Income | Monthly cost
                    | Wage           | £3,750
3-bed buy to let.   | Rental         | £250
                    | Total Income:  | £4,000

As your expenses may stay around the £2,000, your leftover money is now:

  • Income (£4,000) – Expenses (£2000) = £2,000 leftover (so the increase is £250 as we said earlier).

It’s not life-changing, but it is a start. And that £250 is “passive” (which means it takes little or none of your time to manage). It is passive income.

But let’s assume you go above your monthly expenses. 

Now, let’s take it further so that you have enough income from your passive income investments. Let’s assume that your passive income is just about covering your total monthly expenses (in this case, from just your investments and without a wage, you have £2,100, which is more than your total expenses of £2,000).

Liabilities            | Monthly Expenses | Monthly cost
Residential House      | House Mortgage   | £600
                       | Fuel to travel   |
                       | Council taxes    | £120
                       | Presents         | £20
Mobile Subscription    | Mobile Phone     | £40
Internet Subscription  | Internet         |
                       | Total Expenses:  | £2,000

Assets              | Monthly Income | Monthly cost
                    | Wage           | £3,750
3-bed buy to let.   | Rental         | £250
3-bed buy to let.   | Rental         | £400
8 flats             | Rental         | £1,600
                    | Total Income:  | £2,100

This means that technically, you are “financially free”. In reality, you have gained “financial security”, so you can look after yourself if things turn bad in the short term.

Let’s say that instead of a £100 difference per month, you had £1,000, £2,000 or more in difference. You can have a more fruitful life: more time with family, more holidays, more time for hobbies, etc.

For most people at my age, they will have to retire at 68. I would expect this to go up if the average life expectancy age keeps creeping up.  Do you want to retire and then start enjoying life at 68? I know I do not!

So how do I start?

I would encourage you to start looking at some passive income methods.  There are so many out there that it is difficult to really know which are truly passive (remember: taking up little or none of your time). Here is a list that I feel are great right now:

Strategy                  | Summary
Rent Property             | Rent property for a steady stream of monthly passive income.
Affiliate Marketing       | Refer people to products and services and you get a commission.
Dropshipping Business     | You take money from your customer and pay a service provider to deliver the goods or service to the customer directly. You keep the difference between the money from the customer and the money you paid out to the service provider.
Create a YouTube Channel  | Money from adverts.
Create royalties          | Money from people buying your goods, such as music, DVDs, books.

So, I hope that inspires you to get started. I’d really like to know how you get on. 



Tell me what you are doing about your passive income.  What do you need help with?  If you have any questions, feel free to leave a comment on our social media.

Help your friends and family. Share this with them.

And lastly, security is not a compromise!

To Commercial Service Or Not To Commercial Service…

A business owned by Kent County Council was struck. Commercial Services Group (CSG) was compromised which meant that, unlike the name, some systems were out of commercial service.

From what is currently made public, £800,000 worth of Bitcoin ransom was requested, again showing another successful ransomware attack. However, no ransom was paid. Some of the information was then leaked to the Internet.

CSG confirmed no personal data was lost, which is good.  “Only” business and corporate information was compromised. However, the company is now firefighting to get its systems back online.

With an annual revenue of circa £350 million and 700 staff, this attack is a big hit, as CSG offers commercial services to authorities, emergency services, schools, utilities and more. It is not a good time during Covid-19.

It bears the hallmarks…

A statement was made that the ransomware attack managed to avoid three levels of professional IT security. What does that even mean? A spokesperson mentioned that it “bears the hallmarks of starting with a phishing email that was used to introduce a virus that then compromised the network for further attack”. Well, that’s kind of the idea if you want to get through the techie defences: hack the human.

And KCS says it will “take learning from the incident”, as it took over four weeks for the majority of affected systems to be put back online. That’s quite a long time in terms of an incident response plan, especially if they were testing their plan at least annually.

KCS was informed by the ICO that no legal action would be taken against it. Case closed.

What can we all learn from this?


If you are struggling with understanding the “Scope” of your cardholder data environment (CDE), refer to the PCI SSC scoping guidance document (https://www.pcisecuritystandards.org/documents/Guidance-PCI-DSS-Scoping-and-Segmentation_v1.pdf). This is to help entities appropriately scope their cardholder data environment for PCI DSS.

Why publish?

Many entities still struggle with determining the scope for various factors, which may include:

  • Many interpretations of adequate segmentation.
  • Motivations for reducing scope.

Why is scope important?

Scoping is still a hot topic. Improper scoping may result in not identifying cardholder data (CHD) or intended/accidental cardholder data leakage. An unidentified cardholder data area is a desirable area for hackers and may lead to a breach.

The scope for PCI DSS includes systems within the cardholder data environment (CDE) that process, store or transmit CHD, connect to the CDE, or impact the security of the CDE.

Conversely, bad interpretations can lead to over scoping which is unnecessary and results in ineffective use of resources.

The first stage is to identify the critical people, processes and technology in-scope. Only then can you apply the relevant PCI DSS requirements. Believe me, this is never ever a trivial exercise and again we emphasise the need for good interpretation.

What is in-scope for PCI DSS?

We can be here for a long time, so I’m just going to summarise the document:

  • CDE system: The system processes, stores or transmits cardholder data (CHD); OR a system is in the same network (e.g. VLAN) as systems that store, process or transmit CHD.
  • Connected-to system OR security-impacting system: something that connects into the CDE, or could impact the security of the CDE.

Sometimes the above is too generic to apply security controls. Here is a possible way to categorise what is in scope for your PCI DSS assessment:

  • Type 1a (Systems that process, store or transmit CHD): This should be self-explanatory. These are systems where cardholder data is present and could be stolen.
  • Type 1b (Systems inside the CDE): These systems are in the same network segments as Type 1a systems and can be used as an attack vector to steal cardholder data.
  • Type 2a (Connected To): Systems that directly access the CDE via controlled access boundary systems (e.g. firewalls, routers etc.). These systems establish a connection into the CDE or receive communication from the CDE.
  • Type 2b (Connected To): Systems that indirectly access the CDE via controlled access boundary systems (e.g. an administrator workstation that indirectly accesses the CDE through a jump server).
  • Type 2c (Impacts Security of CDE): Any system that could impact the CDE, such as systems that control access, segmentation, patch distribution, and logging and monitoring tools.

Controlled access

Controlled access from say “zone A” into the CDE does not mean the network is fully segmented. However, this also does not mean every single system component in zone A is in scope! It means that these communications are more secure than uncontrolled systems. These restricted communications should be considered in-scope.

Any segmentation controls to fully restrict access must be penetration tested at least annually as per PCI DSS requirement 11.3.4 to ensure segmentation is still effective.

The following statement is interesting:

“It is important to understand the risks and impacts if connected-to system components are excluded or overlooked from PCI DSS scope.”

The way I read this is if a connected-to system is excluded from PCI DSS scope, the risk and impact should be determined first. Let’s consider this scenario:

  • A large bank whereby there are 15,000+ user workstations all connecting into a virtualised environment.
  • The virtualised environment supports the core banking system (that may process CHD) and non-CHD processing systems.
  • A smaller proportion, 2,000 workstations, only access the core banking system via secured applications or a secured browser (HTTPS), presented on their desktop via a role-based virtualised system.

The virtualised environment is in-scope as it supports the core banking system and card-processing applications.  Do the 15,000+ workstations connecting into the virtualised environment mean all 15,000+ workstations are in scope?  Maybe “yes”, as each workstation is accessing the virtualised environment hosting the CDE, but maybe “no”, as controls may be in place to restrict the presentation of access and applications on the desktop to where the user role requires it.

Shared services

There are some system components that may provide a service to both the corporate network and the CDE. I consider these “management systems”, which provide management or security functions such as:

  • Directory and authentication (Active Directory, LDAP, AAA etc.)
  • SMTP
  • Anti-virus
  • Logging and monitoring
  • Bastion Host/Jumpbox

For this reason, you do not want the full corporate network being able to communicate with these management systems – these management systems / shared services should be in their own management zone:

  • Only those components within the management zone can then connect into the CDE.
  • Corporate LAN can connect to the management zone / shared services.

Administrator workstations are categorised as a “Connected To” device, perhaps see Type 2b above and are in-scope for PCI DSS review.
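To make the Type 1a/1b/2a/2b/2c categories above and the management-zone rule concrete, here is an added example that is not from the post or from the PCI SSC guidance: a rule-based categoriser run over a constructed inventory, plus a check that flags connections into the CDE which bypass the management zone. Component names, segments, the attribute names and the simplification that using a shared service the CDE merely calls out to (AD, syslog) is not an access path are all assumptions of the example.

```python
"""Illustrative PCI DSS scope categoriser: added example, not PCI SSC tooling.

Types follow the post: 1a/1b sit inside the CDE, 2a/2b are connected-to
systems, 2c are security-impacting systems. The inventory is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Component:
    name: str
    segment: str                              # network segment / VLAN it sits in
    handles_chd: bool = False                 # processes, stores or transmits CHD
    connects_to: List[str] = field(default_factory=list)  # connections it opens
    security_function: Optional[str] = None   # "auth", "logging", "patching", ...


def classify_scope(inventory: List[Component]) -> Dict[str, Set[str]]:
    """Map each component name to the set of categories that apply to it.

    An empty set means the component is out of scope for the assessment.
    """
    by_name = {c.name: c for c in inventory}

    # Type 1a: the component itself processes, stores or transmits CHD.
    type1a = {c.name for c in inventory if c.handles_chd}
    # Type 1b: shares a segment with a Type 1a system, so it is inside the CDE.
    cde_segments = {by_name[n].segment for n in type1a}
    type1b = {c.name for c in inventory
              if c.name not in type1a and c.segment in cde_segments}
    cde = type1a | type1b

    # Type 2a: opens a connection into the CDE, or receives one from it.
    initiates_into_cde = {c.name for c in inventory
                          if c.name not in cde and any(t in cde for t in c.connects_to)}
    receives_from_cde = {t for n in cde for t in by_name[n].connects_to if t not in cde}
    type2a = initiates_into_cde | receives_from_cde

    # Type 2b: reaches the CDE only through a system that itself connects into it
    # (the post's admin workstation behind a jump server). Assumption of this
    # example: using a shared service the CDE merely calls out to (AD, syslog)
    # is not an access path, so it does not make the caller Type 2b.
    type2b = {c.name for c in inventory
              if c.name not in cde and c.name not in type2a
              and any(t in initiates_into_cde for t in c.connects_to)}

    # Type 2c: outside the CDE but provides access control, segmentation,
    # patch distribution, logging or monitoring for it.
    type2c = {c.name for c in inventory if c.name not in cde and c.security_function}

    scope: Dict[str, Set[str]] = {}
    for c in inventory:
        cats: Set[str] = set()
        if c.name in type1a:
            cats.add("Type 1a")
        elif c.name in type1b:
            cats.add("Type 1b")
        else:
            for label, members in (("Type 2a", type2a), ("Type 2b", type2b),
                                   ("Type 2c", type2c)):
                if c.name in members:
                    cats.add(label)
        scope[c.name] = cats
    return scope


def management_zone_violations(inventory: List[Component],
                               management_segment: str) -> List[Tuple[str, str]]:
    """List (source, target) connections into the CDE not from the management zone.

    The post's rule: only components in the management zone connect into the CDE;
    the corporate LAN talks to the management zone, never to the CDE directly.
    """
    scope = classify_scope(inventory)
    cde = {n for n, cats in scope.items() if cats & {"Type 1a", "Type 1b"}}
    return sorted((c.name, t) for c in inventory
                  if c.name not in cde and c.segment != management_segment
                  for t in c.connects_to if t in cde)


# Constructed inventory for the example (names and segments are made up).
SAMPLE_INVENTORY = [
    Component("pos-app-01", "cde-app", handles_chd=True,
              connects_to=["db-01", "ad-dc-01", "syslog-01"]),
    Component("db-01", "cde-db", handles_chd=True),
    Component("backup-01", "cde-db"),                           # same VLAN as db-01
    Component("jump-01", "mgmt", connects_to=["pos-app-01"]),   # bastion into the CDE
    Component("admin-ws-01", "corp", connects_to=["jump-01"]),  # admin via the jump host
    Component("ad-dc-01", "mgmt", security_function="auth"),
    Component("syslog-01", "mgmt", security_function="logging"),
    Component("hr-app-01", "corp", connects_to=["ad-dc-01"]),   # uses a shared service only
    Component("dev-ws-01", "corp", connects_to=["db-01"]),      # bypasses the management zone
]

if __name__ == "__main__":
    for name, cats in classify_scope(SAMPLE_INVENTORY).items():
        print(f"{name:12} {', '.join(sorted(cats)) or 'out of scope'}")
    print("management zone violations:",
          management_zone_violations(SAMPLE_INVENTORY, "mgmt"))
```

The developer workstation that talks straight to the CDE database is the kind of connected-to system that the guidance says must be evaluated and risk assessed rather than quietly left out of scope.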

Who is responsible for determining scope?

We must remind ourselves that the assessor is independent. The responsibility for determining the scope lies with the entity being assessed. The entity should confirm the people, processes and technology in scope and retain documentation of how this was determined. The assessed entity is responsible for determining the scope annually.

The assessor trusts, but verifies this to confirm the scope is defined and documented properly. However, should the scope not be correct, the assessor must work with the entity to determine the correct scope prior to the assessment to determine boundaries and applicable requirements.


Scoping will always be down to interpretation, and the scoping guidelines published by the PCI SSC will help. Therefore, the opinions in this document are mine alone. You need to work with your assessor to determine their interpretation of the standard and of scoping. Please see the key findings below:

  • There is now more clarity on which connected-to systems are in scope. Any system to be excluded from scope must be evaluated and risk assessed.
  • Administrator workstations connecting directly or indirectly to the CDE are always in-scope.
  • It is important to note that no solution eliminates all PCI DSS requirements. The applicability of requirements depends on the system function.
  • Review the types/categories of systems in scope and review third party access against this.
  • All segmentation controls must be penetration tested at least annually.

Finally, even if your environment may in principle seem a typical environment, your scope is likely to be different because of different people, processes and technology. What is your scope? I will put my QSA hat on and say “It depends”!

Did you find this post useful? Feel free to share and link to this article.

You Need Documentation?

A gap assessment reviews how a system or process measures up against your checklist or benchmark, in order to identify any gaps.

Whenever doing a gap assessment, in my experience there is always going to be one general area a company is almost certainly lacking.  It’s that dreaded word (and not just dreaded by programmers only)… Yes, it’s documentation!

NOTE: My apologies to programmers. I used to be (and I still am though scrappy now) a programmer. I know how you feel. I felt the same way. I hated documentation. But I’ve seen the light being on the other side of the fence and it’s for the greater good. Trust me.

Companies are generally missing documentation and whenever doing PCI-related assessments documentation is key. We have a problem.

Never fear, this is easier to fix than expected, as in many cases the companies are doing things in a PCI DSS (or other PCI-type assessment) compliant manner, but it’s just not documented. Often, I find they do not understand the difference between a policy, a process and a procedure, and don’t know where to begin.

PCI policies, processes and procedures?

PCI DSS v3.0 is great as it clearly spells out in the reporting requirements whether a documented policy or a documented process/procedure is required. My suggestion is that you do them all, in the following order:

  • Write your policy: Business rules and guidelines – the high-level objectives you want to meet. Don’t include the how (process/procedure).
  • Write your process: These are the activities to produce a specific output.
  • Write your procedure: These are the underlying tasks that result in your process being fulfilled.

I still do not understand, can you give me an example?

As an example:

Policy: All system components must be hardened according to their respective hardening guides.

So let us assume you have firewalls. You need your own firewall hardening guide.

  • Process: Prevent internal addresses coming from the outside.
    • Type command XXXXXXXXXX (task/procedure)
    • Type command XXXXXXXXXX (task/procedure)
  • Process: Remove the default password.
    • Type command XXXXXXXXXX (task/procedure)
    • Type command XXXXXXXXXX (task/procedure)

There are many ways to write your documentation, and I’d encourage you to split them into appropriate documents.

NOTE: In the past I’ve seen some companies have just a few large documents purely to satisfy PCI DSS – please split the documents up in a way that is workable for your business.


Your document is not intended to be read by everyone. The document has an intended audience, so make it clear by writing an introduction. For example:

“The scope of this document applies to firewall administrators.”

Roles and Responsibilities?

Of course, PCI DSS wants to know the roles and responsibilities. For example:

“Firewall administrators are responsible for applying this hardening document to all firewalls prior to installation into the production environment. All firewall administrators will need written approval before installing any firewall into the production system. Firewall administrators are required to test all firewalls after making changes to firewalls.

The owner of this document is the <insert title> who will ensure this document is kept up to date.”


You need to demonstrate that you update documents at the specific times required by the PCI DSS. There are several ways to meet this; I strongly encourage you to use a versioning table. Consider including:

  • Version
  • Last modified date
  • Changes made
  • Reviewed/approved

You will then be able to demonstrate how frequently it was reviewed.

Hint: Stick in a policy somewhere to confirm the frequency:

“This document will be reviewed every x months”

(where x is the frequency required)

So, what is the benefit of this framework?

  • Confirms roles/responsibilities: Personnel know who is responsible for what device/process/system.
  • Mitigates ambiguity in configuration: Follow the step-by-step procedures as detailed in the documents and in principle your system components should be hardened to the same level.
  • Faster implementation: Often, you can copy/paste the commands from the document into your system components and execute them. This reduces human error/typos.
  • Reviews: You can demonstrate required review periods and updates made according to your business or changes to the standards.


In summary, documentation is a key element in passing an assessment. Documentation determines correct business objectives, correct and consistent configuration, clear roles and responsibilities, and also Business As Usual (maintaining compliance by following compliant practices in a timely manner).

This is not an easy task, but once you have it, you won’t need to rewrite it again! But remember, documents will need to be demonstrably reviewed at various times throughout the year in order to maintain compliance.


  • Document your policy
  • Document your procedure
  • Document your tasks to meet your procedure(s)
  • Include a scope section
  • Include a roles/responsibilities section
  • Include a version table
  • Document the frequency to review and update the document.

Once you have written your documents (and had them checked), go and relax. You deserve it!

If you still need policies, simply subscribe to my newsletter. Then get in contact.




Point-To-Point Encryption (P2PE) – What’s the Point?

I’ve been reading some recent online posts and recent questions from some of my clients. Despite the information available, people are not clear whether Point-To-Point Encryption (P2PE) is for them and are apprehensive about rolling out P2PE solutions. At the other end, some merchants see it as a “silver bullet” and are jumping as quickly as possible to implement a P2PE solution and, in my opinion, have not clearly understood what this means for them.

This is just a quick post to help you and your business understand what P2PE means for you, and hopefully to help you evaluate the P2PE option for your business. With any change we need to evaluate the benefits and drawbacks.

How does the PCI-validated P2PE solution benefit me as a merchant?

Remember that you are not mandated to use a P2PE solution. As a merchant, we need to remind ourselves that our objective is working towards and maintaining PCI DSS compliance. In the “As Is” situation, whether you are eligible to complete an SAQ or must undertake a formal assessment, you will have a set of questions/requirements to answer. Depending on your business you may have constraints (business or technology reasons) where you cannot satisfy all the PCI DSS requirements directly.

More often, it is simply not cost-effective to meet all those requirements directly, and your business may not have the resources available to maintain PCI DSS compliance. This is where P2PE helps: by using a PCI-validated P2PE solution you have a level of assurance that the cardholder data is protected end-to-end, that is, from the terminal all the way to the P2PE solution provider. As weakness lies in people, process and technology, the main residual risks are the endpoint (the terminal) and people. Most importantly for a merchant, if a P2PE solution is implemented correctly, the network between the terminal and the solution provider is taken “out of scope”.

Therefore, for the SAQ P2PE and for formal validation of merchant environments using P2PE, the set of questions is far smaller, less complicated and more maintainable. Weighing up the original capital expenditure (CAPEX) and the Business As Usual (BAU) operational expenditure (OPEX), using a P2PE solution may be more cost-effective and pragmatic than meeting all the original PCI DSS requirements as applicable. If so, P2PE could be for you as a merchant.

The disadvantage of P2PE as a merchant?

First, I must say that if a merchant chooses to use a P2PE solution, this DOES NOT mean they have outsourced their responsibility – they still have a set of responsibilities as per the SAQ P2PE or formal assessment as applicable (ask a QSA about this). Merchants are obliged to follow the P2PE Implementation Manual (PIM). Only if the solution is implemented correctly and all applicable requirements (such as those within the SAQ P2PE) are met can the network be deemed out of scope.

Secondly, the PIM contains details about how to manage terminals, such as keeping a current inventory, a requirement that is often ignored. Merchants will need a process in place to track all terminals in use, not in use, in transit, etc. This may not be as simple as it seems; it takes some thought and working with any third parties, including logistics service providers or logistics staff.

Actions for merchants:

  • Undertake a gap analysis for the current scope. Where possible, engage with a PCI QSA to ensure an accurate gap analysis.
  • Review the solutions/controls to remediate the outstanding PCI DSS requirements.
  • Explore P2PE solution providers and the CAPEX and OPEX of P2PE terminals. Compare this to the cost to remediate and operate without P2PE.

How does providing a P2PE solution benefit me as a service provider?

Service providers have a tough time. In short, providing a P2PE solution means evaluating the P2PE domains. The question to pose is whether the additional monthly rental uplift you can charge for a P2PE-validated solution versus a non-validated one is worthwhile – this question can only be answered by the service provider. What I can say is that service providers are underestimating the workload involved. Service providers must work closely with third parties, for example key injection facilities, CAs/RAs, application developers and decryption environment providers, and ensure proper key management, monitoring and reporting mechanisms well beyond the normal expectation. For service providers with large terminal estates, the effort could be worthwhile.


4-5 years ago, I was a fan of what was back then deemed “End-To-End Encryption” (E2EE). Coupled with tokenisation, this can be a good way to reduce the scope of compliance, which can lead to:

  • Fewer resources required, as the network is not in scope.
  • Lower cost compared to maintaining all the original applicable PCI DSS requirements.
  • More focus on people and security awareness training.

P2PE is similar to E2EE, but it is a solution validated against the more rigorous requirements of the P2PE standard.

I am still a fan and I would like to see more solutions on the market. However, due to the uplift in becoming a P2PE service provider we still see few providers (I personally know the effort as I have successfully gone through the journey and validated a P2PE entity listed on PCI SSC website). However, those service providers who do become listed will have a competitive advantage.
