TECHNOLOGY
Things to Know in 2023
New developments in commerce and payment technology are often accompanied by new rules and regulations to protect businesses and consumers.
Updating to PCI DSS (Payment Card Industry Data Security Standard) is critical for the many business environments that adhere to this standard. PCI DSS is a current standard developed by the world’s credit card companies to reduce costly breaches of consumer and banking data. Understanding PCI DSS compliance can be overwhelming for business decision-makers. Pci technology services describe everything you need to know about PCI DSS compliance, how to protect your business and your customers, and provide them with the appropriate level of security because PCI-compliant service is a secure solution that is important in our time and that provides complete security of payments made daily on the Internet. PCI DSS stands for Payment Card Industry Data Security Standard and defines requirements for the safe and secure reception, storage, processing, and transmission of cardholder data during credit card transactions to prevent fraud and misuse of data.
Who Needs a PCI DSS Compliance Certificate?
While there is technically no such thing as “PCI certification,” merchants, service providers, banks, and other businesses of all sizes that process credit card payments must demonstrate current PCI compliance. There are four levels of PCI compliance. Each tier has its requirements that organizations must review to ensure they are compliant. The level of classification of a company depends on the total annual volume of operations that these companies perform, so it is important to understand the subtleties of compliance with this standard, and various nuances, so that such a simple question as what is PCI compliance does not arise. Non-compliance with the current PCI standard often comes at a cost. If your business is not PCI compliant, you risk data leaks, fines, card replacement costs, expensive audits and business investigations, significant damage to your brand, and more.
What is PCI DSS Compliance?
The Payment Card Industry Data Security Standard (PCI DSS) requires all merchants to securely and securely accept, store, process, and transmit cardholder data (also known as customer credit card information) during credit card transactions. Provider ID providers that accept payment cards must follow PCI compliance rules to prevent data leakage. Requirements range from establishing organizational and office data security policies to removing card data from processing systems and payment terminals. Providers are also responsible for protecting sensitive customer authentication data. Organizations that collect, process, store or transmit payment card transactions must adhere to and maintain a rigorous audit process for compliance with the applicable PCI standard. It is important to note that entities involved in credit card transactions should never store sensitive credentials after authentication. As you can imagine, achieving and maintaining compliance with the current PCI standard can be a complex process. PCI compliance includes methods of strengthening security controls, hiring third-party consultants to install critical software and hardware, and signing contracts that accept the bank’s terms of annual compliance with the current PCI standard. This may include, for example, conducting an annual self-assessment.
PCI DSS (Payment Card Industry Data Security Standard) describes a security standard created by payment institutions such as the credit card industry. One of the default targets is an organization called a dealer, that is, one that provides non-cash payment services using electronically transmitted data (terminals). Legally, the responsibilities of service providers are defined by the Payment Services Act, but PCI DSS standards are generally not covered by current legislation. However, this standard has the status of good practice and can be used as a precautionary measure. According to the guidelines issued by the PCI standard, merchants are required to protect data related to payment cards or online payments, also subject to appropriate controls. Data protection is achieved through various measures, such as network security, encryption during payment and data transmission, the use of appropriate access mechanisms, network monitoring and testing, and reporting unauthorized device access attempts and events. As can be seen from the above, there is a risk that confidential information about account holders may be stolen, for example, due to the negligence of employees or intentional actions by third parties. Disclosing cardholder data or violating PCI-DSS security requirements may result in fines from the payment institution. You should consider the potential risk of legal liability for damages and potential liability for illegal behavior with user payments.
Certification Requirements
What are the requirements to be PCI-DSS certified? The standard consists of 12 requirements divided into 6 control objectives. Establish and maintain network security. You must install and maintain a firewall configuration that protects cardholder data without default passwords or manufacturer settings. Protect the confidential data of the cardholder – it is important to protect the stored data of the cardholder, to encrypt data transmission over public networks. Maintain a payment management program – use regularly updated anti-virus software and develop secure systems and applications. Apply strict access control measures – restrict access to cardholder data to organizations with a business need, assign a unique identifier to each user, and limit physical access to cardholder data. Regular monitoring and testing of the network – thorough checking of security systems and processes, control of access to network resources, and data of cardholders. Adherence to the information security policy – this process should be carried out based on the security policy of employees and suppliers. PCI DSS Compliance Audit – To obtain PCI DSS certification, you must undergo an audit for compliance with the requirements of the above standards. Each certificate is issued for 12 months. After this period, the company must repeat the inspection and pass it successfully, only after you receive a certificate of compliance with the current PCI standard. PCI DSS compliance audits can be conducted by internal or external certified security auditors. It depends on the number of transactions made by accepted payment cards and the total amount. The final goal of the audit is to assess the compliance of the implemented solution with PCI DSS requirements.
History of the Payment Card Industry Data Security Standard
The Payment Card Data Security Standard (PCI DSS) was created in 2006. At the same time, the Internet has become an indispensable and valuable tool for businesses of all sizes. With the advent of the Internet era, companies that decided to use the power of the Internet began to introduce their payment processing systems and connect them wirelessly to physical and virtual terminals. During this time, consumers have become accustomed to using credit cards for both online and offline purchases. The key importance of these security standards is essential to understanding how and why the PCI standards were developed. These new business opportunities expose businesses and consumers to increased cyber risks and create more opportunities for fraudsters to criminally steal credit card information from unsecured networks and payment systems.
In response to the increasing number of thefts of sensitive customer data, five major credit card brands (Visa, MasterCard, Discover, American Express, and JCB) have implemented the current Payment Card Industry Data Security Standard (PCI DSS) to prevent costly breaches of banking and consumer data. With this ruling and the advent of the PCI Security Standards Council, PCI compliance has become a key aspect of security regulation for the credit card payment industry. To effectively help manage compliance standards, payment brands have also created an independent body called the PCI Security Standards Council. This solution was aimed at monitoring threats and improving the industry’s threat management tools through enhanced PCI security standards and effective training of security professionals.
The key point is that credit card companies have identified PCI compliance as a self-regulatory requirement. This means that they transfer responsibility to service providers and organizations for compliance at all stages of the payment processing lifecycle. While the board is responsible for setting standards and setting requirements for service providers, such as PCI-compliant practices, self-assessment questionnaires (SAQs), or checklists, payment brands are responsible for enforcing them among themselves. Before we get into PCI compliance standards, it’s important to note that while credit cards are generally secure, credit cards are becoming more secure with new regulations and standards such as the EMV chip card. But even the biggest brands can face a serious credit card data breach. Whether you’re a large company or a small subsidiary, you’ve probably heard the term PCI DSS before. Maintaining PCI compliance helps effectively protect your business from hackers who can obtain sensitive cardholder data and use it to impersonate or steal it.
What Are the Current PCI Compliance Levels and Requirements?
If you accept a payment card from any of the five credit card companies (American Express, Discover, JCB, MasterCard, and Visa), you must comply with the various PCI levels defined by the transaction. A large number of small businesses do not meet the minimum requirements. Note that not all compliance reporting requirements are the same. This may vary depending on the transaction amount. For example, high-volume vendors must partner with an Internal Security Assessor (ISA), a Qualified Security Assessor (QSA), and a Certified PCI Scan Vendor (ASV).
There are four different levels of compliance. These levels define the requirements for which suppliers are responsible. The PCI Board considers a passing score to be 100% compliance with the criteria. Because of this complex responsibility, many large companies work with PCI compliance consultants to select standards and ways to meet these requirements to the level of PCI compliance. You are not alone in your ignorance of PCI compliance rules and the consequences of non-compliance. If your business is not PCI compliant, a breach can expose you to risks such as data leakage, fines, card replacement costs, costly audits and business investigations, trademark infringement, and more. Approximately 30% of small businesses say they are unaware of the penalties for not complying with PCI DSS 3.0. Fines are less common, but they can be devastating to your business. Banks can often pass these costs on to sellers and respond to breaches and defaults by terminating contracts or increasing transaction fees. How much does PCI compliance cost? Depending on the nature and size of your business and your level of compliance, establishing and maintaining a PCI-compliant business can be an expensive process. The cost usually ranges from:
Tier 4: $65-$75 per month
Your costs include regular network or website scanning by an approved analytics vendor (ASV), a self-assessment questionnaire (SAQ) completed by you or your staff, and confirmation of compliance.
Tier 3: $1,250 or more per year
The cost includes regular scanning with ASV and increases depending on the size of the computer network and the number of IP addresses. This also includes the cost of an annual self-assessment and certificate of compliance.
Tier 2: $10,000 or more per year
The cost includes regular scanning with ASV and increases depending on the size of the computer network and the number of IP addresses. This also includes the cost of an annual self-assessment and certificate of compliance.
Tier 1: $50,000 or more per year
The fee includes regular network scanning by an accredited scanning provider, an annual compliance report by a qualified security auditor, and a certificate of compliance.
Beware of fraudulent service providers who charge exorbitant fees but are only partially PCI compliant. Get PCI-compliant software at no additional cost, with no monthly or long-term commitments.
TECHNOLOGY
Next-gen chips, Amazon Q, and speedy S3
AWS re:Invent, which has been taking place from November 27 and runs to December 1, has had its usual plethora of announcements: a total of 21 at time of print.
Perhaps not surprisingly, given the huge potential impact of generative AI – ChatGPT officially turns one year old today – a lot of focus has been on the AI side for AWS’ announcements, including a major partnership inked with NVIDIA across infrastructure, software, and services.
Yet there has been plenty more announced at the Las Vegas jamboree besides. Here, CloudTech rounds up the best of the rest:
Next-generation chips
This was the other major AI-focused announcement at re:Invent: the launch of two new chips, AWS Graviton4 and AWS Trainium2, for training and running AI and machine learning (ML) models, among other customer workloads. Graviton4 shapes up against its predecessor with 30% better compute performance, 50% more cores and 75% more memory bandwidth, while Trainium2 delivers up to four times faster training than before and will be able to be deployed in EC2 UltraClusters of up to 100,000 chips.
The EC2 UltraClusters are designed to ‘deliver the highest performance, most energy efficient AI model training infrastructure in the cloud’, as AWS puts it. With it, customers will be able to train large language models in ‘a fraction of the time’, as well as double energy efficiency.
As ever, AWS offers customers who are already utilising these tools. Databricks, Epic and SAP are among the companies cited as using the new AWS-designed chips.
Zero-ETL integrations
AWS announced new Amazon Aurora PostgreSQL, Amazon DynamoDB, and Amazon Relational Database Services (Amazon RDS) for MySQL integrations with Amazon Redshift, AWS’ cloud data warehouse. The zero-ETL integrations – eliminating the need to build ETL (extract, transform, load) data pipelines – make it easier to connect and analyse transactional data across various relational and non-relational databases in Amazon Redshift.
A simple example of how zero-ETL functions can be seen is in a hypothetical company which stores transactional data – time of transaction, items bought, where the transaction occurred – in a relational database, but use another analytics tool to analyse data in a non-relational database. To connect it all up, companies would previously have to construct ETL data pipelines which are a time and money sink.
The latest integrations “build on AWS’s zero-ETL foundation… so customers can quickly and easily connect all of their data, no matter where it lives,” the company said.
Amazon S3 Express One Zone
AWS announced the general availability of Amazon S3 Express One Zone, a new storage class purpose-built for customers’ most frequently-accessed data. Data access speed is up to 10 times faster and request costs up to 50% lower than standard S3. Companies can also opt to collocate their Amazon S3 Express One Zone data in the same availability zone as their compute resources.
Companies and partners who are using Amazon S3 Express One Zone include ChaosSearch, Cloudera, and Pinterest.
Amazon Q
A new product, and an interesting pivot, again with generative AI at its core. Amazon Q was announced as a ‘new type of generative AI-powered assistant’ which can be tailored to a customer’s business. “Customers can get fast, relevant answers to pressing questions, generate content, and take actions – all informed by a customer’s information repositories, code, and enterprise systems,” AWS added. The service also can assist companies building on AWS, as well as companies using AWS applications for business intelligence, contact centres, and supply chain management.
Customers cited as early adopters include Accenture, BMW and Wunderkind.
Want to learn more about cybersecurity and the cloud from industry leaders? Check out Cyber Security & Cloud Expo taking place in Amsterdam, California, and London. Explore other upcoming enterprise technology events and webinars powered by TechForge here.
TECHNOLOGY
HCLTech and Cisco create collaborative hybrid workplaces
Digital comms specialist Cisco and global tech firm HCLTech have teamed up to launch Meeting-Rooms-as-a-Service (MRaaS).
Available on a subscription model, this solution modernises legacy meeting rooms and enables users to join meetings from any meeting solution provider using Webex devices.
The MRaaS solution helps enterprises simplify the design, implementation and maintenance of integrated meeting rooms, enabling seamless collaboration for their globally distributed hybrid workforces.
Rakshit Ghura, senior VP and Global head of digital workplace services, HCLTech, said: “MRaaS combines our consulting and managed services expertise with Cisco’s proficiency in Webex devices to change the way employees conceptualise, organise and interact in a collaborative environment for a modern hybrid work model.
“The common vision of our partnership is to elevate the collaboration experience at work and drive productivity through modern meeting rooms.”
Alexandra Zagury, VP of partner managed and as-a-Service Sales at Cisco, said: “Our partnership with HCLTech helps our clients transform their offices through cost-effective managed services that support the ongoing evolution of workspaces.
“As we reimagine the modern office, we are making it easier to support collaboration and productivity among workers, whether they are in the office or elsewhere.”
Cisco’s Webex collaboration devices harness the power of artificial intelligence to offer intuitive, seamless collaboration experiences, enabling meeting rooms with smart features such as meeting zones, intelligent people framing, optimised attendee audio and background noise removal, among others.
Want to learn more about cybersecurity and the cloud from industry leaders? Check out Cyber Security & Cloud Expo taking place in Amsterdam, California, and London. Explore other upcoming enterprise technology events and webinars powered by TechForge here.
TECHNOLOGY
Canonical releases low-touch private cloud MicroCloud
Canonical has announced the general availability of MicroCloud, a low-touch, open source cloud solution. MicroCloud is part of Canonical’s growing cloud infrastructure portfolio.
It is purpose-built for scalable clusters and edge deployments for all types of enterprises. It is designed with simplicity, security and automation in mind, minimising the time and effort to both deploy and maintain it. Conveniently, enterprise support for MicroCloud is offered as part of Canonical’s Ubuntu Pro subscription, with several support tiers available, and priced per node.
MicroClouds are optimised for repeatable and reliable remote deployments. A single command initiates the orchestration and clustering of various components with minimal involvement by the user, resulting in a fully functional cloud within minutes. This simplified deployment process significantly reduces the barrier to entry, putting a production-grade cloud at everyone’s fingertips.
Juan Manuel Ventura, head of architectures & technologies at Spindox, said: “Cloud computing is not only about technology, it’s the beating heart of any modern industrial transformation, driving agility and innovation. Our mission is to provide our customers with the most effective ways to innovate and bring value; having a complexity-free cloud infrastructure is one important piece of that puzzle. With MicroCloud, the focus shifts away from struggling with cloud operations to solving real business challenges” says
In addition to seamless deployment, MicroCloud prioritises security and ease of maintenance. All MicroCloud components are built with strict confinement for increased security, with over-the-air transactional updates that preserve data and roll back on errors automatically. Upgrades to newer versions are handled automatically and without downtime, with the mechanisms to hold or schedule them as needed.
With this approach, MicroCloud caters to both on-premise clouds but also edge deployments at remote locations, allowing organisations to use the same infrastructure primitives and services wherever they are needed. It is suitable for business-in-branch office locations or industrial use inside a factory, as well as distributed locations where the focus is on replicability and unattended operations.
Cedric Gegout, VP of product at Canonical, said: “As data becomes more distributed, the infrastructure has to follow. Cloud computing is now distributed, spanning across data centres, far and near edge computing appliances. MicroCloud is our answer to that.
“By packaging known infrastructure primitives in a portable and unattended way, we are delivering a simpler, more prescriptive cloud experience that makes zero-ops a reality for many Industries.“
MicroCloud’s lightweight architecture makes it usable on both commodity and high-end hardware, with several ways to further reduce its footprint depending on your workload needs. In addition to the standard Ubuntu Server or Desktop, MicroClouds can be run on Ubuntu Core – a lightweight OS optimised for the edge. With Ubuntu Core, MicroClouds are a perfect solution for far-edge locations with limited computing capabilities. Users can choose to run their workloads using Kubernetes or via system containers. System containers based on LXD behave similarly to traditional VMs but consume fewer resources while providing bare-metal performance.
Coupled with Canonical’s Ubuntu Pro + Support subscription, MicroCloud users can benefit from an enterprise-grade open source cloud solution that is fully supported and with better economics. An Ubuntu Pro subscription offers security maintenance for the broadest collection of open-source software available from a single vendor today. It covers over 30k packages with a consistent security maintenance commitment, and additional features such as kernel livepatch, systems management at scale, certified compliance and hardening profiles enabling easy adoption for enterprises. With per-node pricing and no hidden fees, customers can rest assured that their environment is secure and supported without the expensive price tag typically associated with cloud solutions.
Want to learn more about cybersecurity and the cloud from industry leaders? Check out Cyber Security & Cloud Expo taking place in Amsterdam, California, and London. Explore other upcoming enterprise technology events and webinars powered by TechForge here.
How the TikTok Algorithm Works in 2024 (+9 Ways to Go Viral)
Blog Post Checklist: Check All Prior to Hitting “Publish”
How to Use Keywords for SEO: The Complete Beginner’s Guide
How To Protect Your People and Brand
How to Craft Compelling Google Ads for eCommerce
Google Started Enforcing The Site Reputation Abuse Policy
Elevating Women in SEO for a More Inclusive Industry
How to Brainstorm Business Ideas: 9 Fool-Proof Approaches
The Ultimate Guide to Email Marketing
Advertising on Hulu: Ad Formats, Examples & Tips
-
PPC5 days agoHow the TikTok Algorithm Works in 2024 (+9 Ways to Go Viral)
-
SEO6 days agoBlog Post Checklist: Check All Prior to Hitting “Publish”
-
SEO4 days agoHow to Use Keywords for SEO: The Complete Beginner’s Guide
-
MARKETING5 days agoHow To Protect Your People and Brand
-
PPC7 days agoHow to Craft Compelling Google Ads for eCommerce
-
SEARCHENGINES6 days agoGoogle Started Enforcing The Site Reputation Abuse Policy
-
MARKETING6 days agoElevating Women in SEO for a More Inclusive Industry
-
PPC6 days agoHow to Brainstorm Business Ideas: 9 Fool-Proof Approaches
You must be logged in to post a comment Login