The fintech sector has brought consumers an endless stream of modern offerings that have enabled them to ditch several outdated banking and lending products.

Companies now have advanced B2B payment solutions at their fingertips, and online financial solutions have never been more convenient – largely thanks to the progress made by fintech startups.

But, despite being on the cutting edge of digital financial products, young fintech companies are at a disadvantage in a wildly important arena: data security.

Table of Contents

What is Data Security?

The Importance of Cyber Security in Fintech

Data Security Challenges Faced by Fintech Startups

Modern Fintech Data Security: Trends and New Innovations

With limited resources, growing compliance regulations around the world, and a constantly-evolving list of increasingly dangerous cyber threats, fintech startups face a uniquely difficult uphill battle.

And, with data breaches continuing to loom as an ever-present security threat, fintech firms are turning to new and advanced approaches to data privacy.

But, first, what do we mean when we talk about data security for startups?

What is Data Security?

Data security is the process of protecting digital assets – like information stored in a database – from unauthorized access by unapproved actors.

When we refer to data security, we’re simply talking about the set of standards and technologies that protect your business’ data. These days, data security is a fundamental aspect of IT at any modern organization.

From encryption and tokenization to cloud storage, data security technologies run a wide spectrum – and a number of advances have been made in recent years. This progress has been in response to, though not quite as speedy as, the growing sophistication of large-scale cybersecurity threats – like data breaches.

In the healthcare sector, for example, Black Book Market Research found that 96% of healthcare IT professionals agreed that data security attackers are outpacing their medical enterprises.

Healthcare data breaches will cost the industry $4 billion by the end of the year. Next year, by Black Book’s estimates, will be even worse.

And that’s just the healthcare sector.

Organizations from all industries are vulnerable to data breaches – especially in the age of ID verification, endless online payment methods and 1-click purchasing.

Even multinational tech giants have fallen prey, in extremely public ways. Yahoo just reached a $117.5 million class-action settlement with the victims of its infamous 2016 data breach.

That announcement came on the heels of a $700 million settlement that Equifax reached to deal with the aftermath of a 2017 data leak that exposed the Social Security numbers of almost 150 million consumers.

We could keep going down the list – data breaches happen, and they happen to organizations with ample resources invested in information security.

What about smaller organizations?

The Importance of Cyber Security in Fintech

Financial technology companies have revolutionized the way that consumers bank, how startups reach their customers and how businesses all over the world can run more smoothly.

Fintech investments took off in the past five years – providing us with simple alternatives to slow, conventional financial solutions.

Advances in the industry have brought us instant P2P payments, purely-online banking, seamless B2B solutions, innovative lending approaches and products that many businesses and consumers can’t even imagine living without at this point.

But the global fintech ecosystem’s consistent growth, potency and complexity make it inescapable that some solutions won’t be secure enough to guard against sensitive data exposure. It’s likely that these vulnerabilities will keep getting identified by attackers, then exploited.

This is a harsh reality that modern businesses are realizing – and starting to invest against.

We can see this when we look at application security spending. Businesses are pouring money into protecting their applications and the data flowing through them.

According to Market Research Future (MRFR), the worldwide application security market is expected to reach a staggering $9.64 billion by 2023 – up from just $2.56 billion in 2017. That’s an annual growth rate (CAGR) of 24.95%.

Within this market, SMEs are estimated to be the fastest growing investors in application security, when broken down by type of organization.

Unfortunately, when it comes to data privacy and protecting sensitive information, fintech startups face a unique set of challenges that make growing their core business an even more difficult endeavor than it already is.

Data Security Challenges Faced by Fintech Startups

In the world of securing sensitive data and avoiding data breaches, younger organizations in the fintech space have it especially hard.

Why is that so?

  1. Reliance on sensitive user information

These days, fintech and data analytics go hand-in-hand. From robo advisors to AI-powered saving apps, data-driven technologies have been at the heart of the fintech revolution.

With fintech products deeply intertwined in modern retail banking, asset and wealth management, capital markets and insurance, organizations in this space are inevitably going to have to handle and store sensitive information from their users.

From ID verification to processing credit card payments, large volumes of sensitive data will make their way into the databases of fintech organizations. The mere possession of such sensitive consumer information puts them at risk of sensitive data exposure and places them within the scope of any number of data privacy laws.

  2. New, updating and evolving data privacy laws

The nature of how fintech startups do business means that a lot of sensitive data hits their systems, which attracts the interest of government regulators – who are increasingly focused on protecting consumer data.

In the last few years, governmental regulatory institutions around the globe have started to take greater steps in protecting the rights of consumers when it comes to their personal information.

From Europe’s General Data Protection Regulation (GDPR), effective since 2018, to the soon-to-be-implemented California Consumer Protection Act (CCPA), businesses are suddenly needing to juggle compliance certifications for new regulatory frameworks.

Not only that, but fintech companies that accept or process credit card transactions have already been saddled with the burden of needing to maintain compliance with PCI DSS – a set of requirements that are aimed at preventing credit card fraud.

  3. Limited resources for securing personal data

To successfully prevent data breaches and – simultaneously – meet the complex requirements set forth by legal frameworks like the GDPR, the CCPA and PCI DSS, you’re going to need a team of information security experts and compliance specialists who can create data flow maps, secure your networks and sensitive data storage solutions, ensure that you’re meeting compliance rules on an ongoing basis… the list goes on.

Conglomerates have the resources to put towards a large-scale data security effort, but fintech startups have much less at their disposal.

  4. Increasingly sophisticated cyber threats

As mentioned above, even some of the most widely-recognized tech brands have suffered from data breaches. From increasingly sneaky malware to highly-targeted phishing attacks, which rose 250% last year, there are simply too many ways for threat actors to gain access.

It just takes one team member on the wrong end of a phishing campaign to trigger a sensitive data exposure event – which can ruin a startup-stage business overnight.

And it’s not just unauthorized malicious actors that fintech startups need to be worried about, as there are threats coming from all angles – even some unexpected ones.

According to Verizon’s Insider Threat Report, 57% of database breaches involved some kind of insider threat from within an organization. Add that to the possibility of accidental sensitive data sharing and ransomware attacks, and covering all your bases becomes a costly and complex endeavor.

Modern Fintech Data Security: Trends and New Innovations

Thankfully, advances in the realm of data security have sprung up in recent years, helping relieve much of this pressure faced by fintech startups that need to secure their sensitive data.

From tokenization to data encryption, fintechs have employed a number of tried-and-true data security methods. Even with innovative approaches like these, however, data breaches are still a probable threat.

If sensitive data is stored in your database, there is a chance it will be exposed, and there are several avenues through which this could happen.

Fortunately, VGS has been securing fintech startups’ sensitive data for years using a next-generation data security approach that enables businesses to avoid storing sensitive information on their systems altogether – while still enabling them to reap all the benefits of the original data.

This approach is called data aliasing, which is a technique that redacts sensitive information in real-time and replaces it with a synthetic data alias, enabling organizations to offload their data security responsibilities entirely by keeping the original data off their systems.

Businesses simply put their data security burden in the hands of VGS, which takes care of all sensitive data collection, storage and transfer on their behalf.

With their systems significantly freed from sensitive data, businesses’ data security and compliance scope is drastically minimized – enabling them to spend time focusing on innovating their products instead of designing a complex data privacy policy.

This article was originally posted on Very Good Security.
The Truth About Scope And Compliance Risk


The hard-to-face reality is that billions of personal records are exposed each year. A commonly used, yet incomplete solution, is tokenization. Tokenizing sensitive data does not eliminate the need to achieve and certify PCI DSS compliance.

In order to completely descope from PCI, a business can partner with a data custodian (VGS) that handles 100% of data capture and vaulting – removing any compliance risk and completely avoiding data leaks.

Massive data leaks, at this point, are becoming a frequent occurrence – with headlines regularly popping up highlighting cybersecurity disasters that have impacted millions of consumers.

Earlier this summer, news of a cybersecurity disaster rattled North American consumers. The highly-publicized Capital One data breach of 2019 led to the sensitive data exposure of 100 million Americans and 6 million Canadians – including hundreds of thousands of social security numbers and bank account numbers.

Similarly, in July, we learned about the whopping $700 million settlement as a result of the Equifax data breach. Now, years later, the 147 million customers impacted by that disaster all get a piece of that pie.

It only seems like a matter of time until the next multi-million-dollar data breach settlement will be announced, and another consumer data-handling organization will have their feet publicly held to the fire.

From the improper configuration of web applications to the massive security risk involved in cloud storage generally, companies have wisely been seeking alternatives to storing their own sensitive user data and opening themselves up to data breach risk.

The rise of tokenization

In order to reduce data leakage risk as much as possible, many tech organizations have leveraged a method called tokenization. It’s a way to limit storing plain text sensitive data within a company’s own systems by using “tokens” to replace private user information like medical data or credit card numbers.

Unlike encryption, where a mathematical equation can “solve” the data replacement and reveal the original sensitive information, tokenization is not reversible. With no mathematical relationship to the original data point, tokenization is widely considered to be a safe way of transmitting and storing critical information.

However, tokenizing sensitive data does not eliminate the need to achieve and certify PCI DSS compliance – although it can reduce the number of system components to which PCI DSS compliance would apply.

With tokenization, sensitive data is mostly hidden. But, there are two points where tokenized data still remains within the scope of PCI DSS compliance: the data vault and the original point of capture.

Even when organizations store and use tokens instead of raw sensitive data, the original data remains within PCI scope because the vault and the point of capture are still part of the cardholder data environment. In this environment, a business is still responsible for any leaked data.

But what if businesses could offload this data risk fully, and enjoy the benefits of tokenization while keeping all the original data completely off their own systems?

Descoping entirely

In order to completely descope from PCI DSS compliance, a business can partner with a data custodian that handles 100% of data capture and vaulting – removing any compliance risk and completely avoiding data leaks.

VGS is an innovative data custodian that takes on their clients’ compliance risk, securely storing all sensitive data and removing businesses from PCI scope in full.

By leveraging synthetic data ‘aliases,’ which are generated in real-time to protect all sensitive customer information, VGS empowers businesses to use customer data just as they did before – but never actually touch the sensitive data themselves.

Startups that work with VGS remove their compliance risk and avoid the potential risk associated with data breaches because there’s nothing to steal in the first place.

By partnering with a data custodian, organizations can completely descope their systems and win over new customers with the peace of mind that their sensitive personal data is in safe hands.

When businesses implement VGS solutions to handle their sensitive data, they instantly inherit VGS’s best-in-class security posture, which enables them to fast-track their certifications like PCI, SOC2 and others.

With data security as one less thing to worry about, organizations can focus their time and resources on growing their core businesses.

This article was originally published in Very Good Security.

Many companies hesitate to upgrade or change their Accounts Receivable System simply because they feel they can continue to achieve the same results using the same systems and processes as they did five years ago. If you are a smaller company just looking to send a few automated dunning letters and have your AR team identify which invoices are past due, there may be no reason to change. But if your company wants to improve free cash flow and cash conversion cycles, you must be sure your AR system is driving efficiencies in your processes – if you hope to grow without spending significant dollars on headcount.  

In today’s collections environment, understanding your customer data is one of the most critical elements of your collections process. If you can’t identify customer payment trends or tendencies, it is nearly impossible to predict company cash flow. “Cash is King”: all Controllers and CFOs would agree that if you don’t have enough operating cash flow, you can’t grow your business and you can’t really measure the success of your company. If your current AR system does not have this data readily available at the click of a button, you are behind the times and driving inefficiencies. Here are five examples of inefficiencies that should lead you to re-analyze your current AR system and decide whether it is time for an upgrade.

1. More Than 1 Hour Required To Generate Reports 

If your ad hoc reports take more than one hour to prepare for management, it is time to re-evaluate. Today’s premier AR systems can sort existing customer data and provide essential reporting in a matter of seconds. I see too many managers spending multiple days preparing an important report for upper management that could easily be prepared quickly and accurately with a better AR tool. This is not an efficient use of a manager’s time, which is probably already stretched to the point of frustration. These types of specialized reports only take managers away from managing their teams, so it is important that they are readily available.

2. AR System Can’t Identify Non-Paying Customers 

If your AR system cannot easily identify why your customers are not paying you, it is time to re-evaluate whether your current system is the right one for you. This is critical information for the business: it helps you improve your internal processes, reduce delays in the long term, get your customers to pay you sooner and ultimately reduce your DSO.

3. AR System Cannot Provide Estimated Payment Times 

If your AR system cannot quickly provide expected payments over a period of time (monthly or quarterly), it is time to re-evaluate. This is a common ask from Controllers and CFOs, especially at the end of the quarter or month, to help predict cash flow and progress towards cash targets. If your system is not up to date, managers often need to reach out individually to each collector for updates on promise-to-pay dates and reasons for delays before they can report accurate information back to upper management. This can take days, when the same information could be provided in a matter of seconds. Some collections systems can even use customers’ historical payment data and trends to predict payment dates based on how they have paid you in the past. This allows collections teams to be more efficient, helping them prioritize and focus on who they need to follow up with for payment and identify high-risk customers.

4. Cannot Provide Strategic and One Time Dunning Campaigns

If your company only has the ability to run a dunning campaign based on the number of days past due, and cannot target specific customer types – by region, invoice amount, new customers or high/low risk customers – it may be time to look for a new AR system. Automated dunning campaigns targeting specific customer types are critical to allow the collections team to focus on more complicated and time-consuming customer issues, while still increasing your cash flow. Many companies need a one-time dunning campaign to target a specific customer type. For example, you may want to run a campaign that targets customers who pay by check to help move them over to ACH for faster payments. If your system can’t provide that, you are behind the times in your collections processes and hurting your potential cash flow.

5. Cannot Identify High Risk Past Due Accounts Quickly 

If your current AR tool does not allow your collections team to identify certain high-risk past due accounts quickly, it may be time for a new AR tool. Some collectors have a hard time identifying what they should focus on on a daily, weekly, or even monthly basis. Most premier AR tools allow management to prioritize collection accounts for their collectors daily and assign specific tasks and work-lists to their collectors. This is critical in helping to drive desired performance from your collections teams to achieve your best results.

Conclusion: Spend Less Time Reporting, More Time Generating Cash 

If your collections department is spending endless hours preparing manual reports, you are only hurting your company cash flow. I think all managers would agree that they would rather have their collectors focus on collections rather than endless manual reporting. By upgrading your AR systems, your cash flow improvement will be significant enough to allow you to plan for growth and save significant dollars on headcount.

This article was originally published on Tesorio.

When evaluating the security of an application and data model ask the questions:

  • What is the sensitivity of the data?
  • What are the regulatory, compliance, or privacy requirements for the data?
  • What is the attack vector that a data owner is hoping to mitigate?
  • What is the overall security posture of the environment, is it a hostile environment or a relatively trusted one?

When threat modeling, consider the following common scenarios:

Data at rest (“DAR”)

In information technology, data at rest means inactive data that is stored physically in any digital form (e.g. databases and data warehouses, spreadsheets, archives, tapes, off-site backups, mobile devices, etc.).

  • Transparent Data Encryption (often abbreviated to TDE) is a technology employed by Microsoft SQL Server, IBM DB2 and Oracle to encrypt the “table-space” files in a database. TDE offers encryption at the file level. It solves the problem of protecting data at rest by encrypting databases both on the hard drive and on backup media. It does not protect data in motion (DIM) or data in use (DIU).
  • Mount-point encryption: another form of TDE, available for database systems which do not natively support table-space encryption. Several vendors offer mount-point encryption for Linux/Unix/Microsoft Windows file system mount-points. When a database vendor does not support TDE, this type of encryption effectively encrypts the database table-space and stores the encryption keys separately from the file system. So, if the physical or logical storage medium is detached from the compute resource, the database table-space remains encrypted.

Data in Motion (“DIM”)

Data in motion considers the security of data that is being copied from one medium to another. Data in motion typically considers data being transmitted over a network transport. Web Applications represent common data in motion scenarios.

  • Transport Layer Security (TLS or SSL): commonly used to encrypt Internet Protocol based network transports. TLS works by encrypting the application-layer (layer 7) data of a given network stream using symmetric encryption.
  • Secure Shell/Secure File Transfer (SSH, SCP, SFTP): SSH is a protocol used to securely log in to and access remote computers. SFTP runs over the SSH protocol (leveraging SSH security and authentication functionality) but is used for secure transfer of files. The SSH protocol utilizes public key cryptography to authenticate access to remote systems.
  • Virtual Private Networks (VPNs): a virtual private network extends a private network across a public network, and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network.

Data in Use (“DIU”)

Data in use happens whenever a computer application reads data from a storage medium into volatile memory.

  • Full memory encryption: encryption to prevent data visibility in the event of theft, loss, or unauthorized access. Encryption is commonly used to protect data in motion and data at rest, and is increasingly recognized as an optimal method for protecting data in use. There have been multiple approaches to encrypting data in use within memory. Microsoft’s Xbox has a capability to provide memory encryption. A company, Private Core, presently has a commercial software product, vCage, that provides attestation along with full memory encryption for x86 servers.
  • RAM enclaves: enable an enclave of protected data to be secured with encryption in RAM. Enclave data is encrypted while in RAM but available as clear text inside the CPU and CPU cache, when written to disk, when traversing networks, etc. Intel Corporation introduced the concept of “enclaves” as part of its Software Guard Extensions in technical papers published in 2013.
  • 2013 papers from the Workshop on Hardware and Architectural Support for Security and Privacy 2013:
      • Innovative Instructions and Software Model for Isolated Execution
      • Innovative Technology for CPU Based Attestation and Sealing

Where do traditional data protection techniques fall short?

TDE: database and mount-point encryption both fall short of fully protecting data across the data’s entire lifecycle. For instance, TDE was designed to defend against theft of physical or virtual storage media only. An authorized system administrator, or an unauthorized user or process, can gain access to sensitive data either by running a legitimate query or by scraping RAM. TDE does not provide granular access control to data at rest once the data has been mounted.

TLS/SCP/SFTP/VPN, etc.: TCP/IP transport-layer encryption also falls short of protecting data across the entire data lifecycle. For example, TLS does not protect data at rest or in use. Quite often TLS is only enabled on Internet-facing application load balancers, and TLS calls to web applications are plaintext on the datacenter or cloud side of the application load balancer.

DIU: full memory encryption of data in use also falls short of protecting data across the entire data lifecycle. DIU techniques are cutting edge and not generally available; commodity compute architectures have only just begun to support memory encryption. With DIU memory encryption, data is only encrypted while in memory. Data is in plaintext while in the CPU and cache, when written to disk, and when traversing network transports.

Complementary or Alternative Approach: Tokenization

We need an alternative approach that addresses all the exposure gaps 100% of the time. In information security, we really want a defense-in-depth strategy: layers of controls, so that if a single layer fails or is compromised, another layer can compensate for the failure.

Tokenization and format preserving encryption are unique in that they protect sensitive data throughout the data lifecycle, across a data flow. Tokenization and FPE are portable and remain in force across mixed technology stacks, and they do not share the same exposures as traditional data protection techniques.

How does this work? Fields of sensitive data are cryptographically transformed at the system of origin, that is during intake. A cryptographic transform of a sensitive field is applied, producing a non-sensitive token representation of the original data.

Tokenization, when applied to data security, is the process of substituting a sensitive data element with a non-sensitive equivalent, referred to as a token, that has no extrinsic or exploitable meaning or value. The token is a reference (i.e. identifier) that maps back to the sensitive data through a tokenization system.

Format preserving encryption takes this a step further and allows the data element to maintain its original format and data type. For instance, a 16-digit credit card number can be protected and the result is another 16-digit value. The value here is to reduce the overall impact of code changes to applications and databases while reducing the time to market of implementing end to end data protection.
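As an added example (not code from the original article or from VGS), the two techniques side by side in Python: a vault-backed tokenizer whose detokenize call is refused for callers outside an allow-list, and a small digit-domain Feistel network with an HMAC round function standing in for format-preserving encryption. The `TokenVault` class, the Feistel construction, the caller names and the sample record are all constructed for illustration; the cipher is not NIST FF1/FF3 and exists only to show the properties the text describes (16 digits in, 16 digits out, reversible with the key and nothing else).

```python
import hashlib
import hmac
import secrets
from typing import Dict, Set

# ---- Tokenization: a random token plus a vault lookup -----------------------

class TokenVault:
    """Toy tokenization system, constructed for this example.

    A token is a random identifier with no mathematical relationship to the
    value it stands in for. The only way back to the original is a lookup in
    this vault, and the vault only answers callers on its allow-list (the
    "small number of trusted applications explicitly permitted to detokenize").
    """

    def __init__(self, detokenize_allowed: Set[str]) -> None:
        self._by_token: Dict[str, str] = {}   # token -> sensitive value
        self._by_value: Dict[str, str] = {}   # sensitive value -> token
        self._allowed = set(detokenize_allowed)

    def tokenize(self, sensitive: str) -> str:
        """Return the existing token for a value, or mint a fresh random one."""
        if sensitive in self._by_value:
            return self._by_value[sensitive]
        token = "tok_" + secrets.token_hex(16)
        self._by_token[token] = sensitive
        self._by_value[sensitive] = token
        return token

    def detokenize(self, token: str, caller: str) -> str:
        """Resolve a token; refused unless the caller is explicitly permitted."""
        if caller not in self._allowed:
            raise PermissionError(f"{caller!r} is not permitted to detokenize")
        return self._by_token[token]


# ---- Format-preserving encryption: keyed, reversible, no vault --------------
# A digit-domain Feistel network with an HMAC round function. Illustrative
# construction only (not NIST FF1/FF3, not for production): it shows that a
# 16-digit input yields a 16-digit output and that the key holder can reverse
# it without any lookup table.

HALF_DIGITS = 8
MODULUS = 10 ** HALF_DIGITS   # each half is an integer in [0, 10^8)
ROUNDS = 8


def _round_function(key: bytes, rnd: int, value: int) -> int:
    """Keyed pseudo-random function mapping (round, half) into [0, MODULUS)."""
    msg = bytes([rnd]) + value.to_bytes(4, "big")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % MODULUS


def fpe_encrypt(key: bytes, pan: str) -> str:
    """Encrypt a 16-digit string to another 16-digit string under `key`."""
    if len(pan) != 2 * HALF_DIGITS or not pan.isdigit():
        raise ValueError("expected a 16-digit numeric string")
    left, right = int(pan[:HALF_DIGITS]), int(pan[HALF_DIGITS:])
    for rnd in range(ROUNDS):
        # Feistel step: (L, R) -> (R, L + F(R) mod 10^8)
        left, right = right, (left + _round_function(key, rnd, right)) % MODULUS
    return f"{left:0{HALF_DIGITS}d}{right:0{HALF_DIGITS}d}"


def fpe_decrypt(key: bytes, ciphertext: str) -> str:
    """Invert fpe_encrypt by running the Feistel rounds backwards."""
    if len(ciphertext) != 2 * HALF_DIGITS or not ciphertext.isdigit():
        raise ValueError("expected a 16-digit numeric string")
    left, right = int(ciphertext[:HALF_DIGITS]), int(ciphertext[HALF_DIGITS:])
    for rnd in reversed(range(ROUNDS)):
        # Inverse step: (L', R') -> (R' - F(L') mod 10^8, L')
        left, right = (right - _round_function(key, rnd, left)) % MODULUS, left
    return f"{left:0{HALF_DIGITS}d}{right:0{HALF_DIGITS}d}"


# ---- Intake: transform the sensitive field at the system of origin ----------

def protect_at_intake(vault: TokenVault, key: bytes, record: dict) -> dict:
    """Replace the raw PAN with non-sensitive representations before the
    record flows on to downstream applications and databases."""
    safe = dict(record)
    pan = safe.pop("pan")
    safe["pan_token"] = vault.tokenize(pan)   # opaque reference, vault-backed
    safe["pan_fpe"] = fpe_encrypt(key, pan)   # same shape, fits a 16-digit column
    return safe


if __name__ == "__main__":
    # Constructed sample input; the PAN is a well-known test number, not real data.
    demo_key = b"constructed-demo-key-not-for-production"
    vault = TokenVault(detokenize_allowed={"payment-gateway"})
    record = {"order_id": 1001, "pan": "4111111111111111"}
    safe = protect_at_intake(vault, demo_key, record)
    print(safe)
    print(vault.detokenize(safe["pan_token"], "payment-gateway"))
    print(fpe_decrypt(demo_key, safe["pan_fpe"]))
```

Downstream systems only ever see `pan_token` and `pan_fpe`; the vault and the key are the two places that still need to sit inside the protected boundary, which is exactly the scope reduction the text is describing.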

In Closing

Use of tokenization or format preserving encryption to replace live data in systems results in minimized exposure of sensitive data to those applications, stores, people and processes. Replacing sensitive data results in reduced risk of compromise or accidental exposure and unauthorized access to sensitive data.

Applications can operate using tokens instead of live data, with the exception of a small number of trusted applications explicitly permitted to detokenize when strictly necessary for an approved business purpose. Moreover: in several cases removal of sensitive data from an organization’s applications, databases, business processes will result in reduced compliance and audit scope, resulting in significantly less complex and shorter audits.

This article was originally published in Very Good Security.

Running a business in the digital age is no easy feat. This is especially true nowadays, when consumer data security is at the forefront of the conversation.

Data breaches have hit even some of the biggest multinationals out there, enabling the exposure of sensitive user data and compromising the privacy and trust of their customers. When it’s payment card data that leaks on a large scale like this, the damage goes far beyond consumer confidence.

Individual customers’ financial lives can be severely hurt when their sensitive data gets into the wrong hands.

That’s why it’s incredibly crucial to secure cardholder data, which is what PCI DSS aims to do.

Like many compliance programs, the Payment Card Industry Data Security Standard (PCI DSS) is designed to ensure a more stable and secure vendor, which leads to a more reliable payment card industry overall. PCI DSS ensures that you, your fellow merchants, and all the stakeholders in the payment card industry are held to a rigorous industry standard for security.

But what about your business – do you need to be PCI DSS compliant?

If you store, process, or transmit cardholder data, the short answer is yes, but let’s go over a few things for you to understand exactly why this data security regulation is so vital and why it’s so important for your business.

What is PCI DSS?

All merchants and service providers that process payment card information must comply with PCI DSS, which is a set of controls and obligations that reduce the likelihood of cardholder data being compromised.

To put it simply: PCI DSS is a set of requirements that businesses who touch payment card data must follow as part of an industry-wide program against credit card fraud and loss.

The most recent DSS version from the Security Standards Council (SSC), which is a consortium of payment card brands like Visa and MasterCard, contains 12 requirements that merchants and service providers must implement.

A dozen boxes to tick doesn’t sound too difficult, right?

Not so fast: within these 12 requirements are hundreds of sub-requirements. Installing firewalls, encrypting cardholder data, performing patch management and maintaining traceable records are just a few of the requirements for PCI DSS compliance, many of which are complex and can require an entire cross-functional team to tackle.

Some of these requirements may be especially difficult for smaller organizations to meet, particularly without any expert help.

Who needs to comply with PCI DSS requirements?

So, how do you know if your business needs to worry about attaining and maintaining compliance?

PCI DSS applies to any organization, without regard to size, value, or number of transactions, if that organization collects, transmits, maintains, or transfers cardholder data. Anyone who transacts a major brand card such as American Express, Discover, MasterCard or Visa must comply with the PCI DSS requirements.

In other words, if payment card data touches your network at any point, you must comply.

For smaller organizations out there, the journey to reaching full PCI DSS compliance without any help may seem incredibly daunting – but failing to fulfill the requirements can and does lead to hefty consequences.

What happens when you don’t comply with PCI DSS?

Like GDPR and CCPA requirements, non-compliance is not an option for PCI DSS requirements. While it is technically not a law, like GDPR and CCPA both are, businesses agree to adhere to PCI requirements when they engage in any activity related to the payment card industry.

Failure to comply with PCI DSS could cost you dearly, particularly if you ever have a breach of payment card data. The penalties for non-compliance range from sizable monetary fines to getting your ability to process payment cards revoked – both of which can be detrimental for an early-stage company.

These can be just the tip of the iceberg compared to the total financial harm caused by non-compliance.

From there, businesses may have to pay to inform every individual impacted by the data breach, reissue cards, pay legal fees – the list goes on. The fines for non-compliance are just the start, and don’t even factor in the brand damage a data leak causes and the loss of consumer trust that follows. Brand image is, in fact, one of the biggest vulnerabilities when it comes to data security.

According to research from the Ponemon Institute, 61% of Chief Marketing Officers believe that the largest cost of a security incident is the erosion of brand value.

Not only should you, as a business leader, want to maintain a secure cardholder data environment (CDE) for your customers, but you should also want to avoid the liability of not implementing these compliance requirements.

The question, therefore, should not be “is PCI compliance mandatory” (it is), but rather “why would you take the risk of not implementing it?”

Understanding that PCI DSS compliance is absolutely vital is the first step – but how would a business go about becoming compliant?

The DIY approach to PCI compliance

To build a PCI compliant network you will, at a minimum, need to take the following steps.

Step one: Download and review the PCI DSS details from the Security Standards Council and study it. There are resources that will help you understand how to comply. Read through them and understand the challenges ahead.

Step two: Conduct a risk assessment to determine the robustness of the controls and how you will mitigate the risks. Not every control applies to every environment. Use your risks to find the gaps you need to fill. It can be helpful to work with an expert for this step. Budget-busting solutions often exceed the needs of most smaller businesses, but untrained personnel often struggle to identify which controls do not apply, or how to compensate for them.

Step three: Determine which of your current resources can be leveraged for one or more of the controls indicated by your risk assessment. Identify any gaps that will require new resources, including servers, routers, communication equipment, physical security, and full-time employees.

Step four: Create a project plan with budget and timeline/milestones. Be careful with how long you take to get compliant, as your risks don’t drop until you are compliant. For many smaller businesses, this process will take 3-6 months, usually requiring significant consultation from experts as well as costly technology, including firewall(s), access control systems, vulnerability scanning services or tools, and more.

Step five: Gather your resources and build or rebuild your network. It is likely you will need at least one full-time employee to manage your network for PCI DSS compliance.

Step six: Test and verify that your controls reduce the risks you identified as expected. Controls do not always work as intended, since technology changes rapidly, so the method you chose a few months ago may have been circumvented in the intervening time.

Step seven: Go live with your solution and hope it works as designed. It might not but you will tweak it until it does.

Step eight: Have your system audited by a Qualified Security Assessor listed on the PCI Security Council website. You won’t really know how well you have done until you are audited (that is unless you have a breach, in which case, you did poorly).

Step nine: Revise your controls or infrastructure based on the audit findings.

Once all nine steps are completed, constant vigilance, testing and reworking are required on a regular basis.

The human resources and funding required to complete all of the above is, unfortunately, out of reach for many younger companies.

For this reason, many small-and-medium-sized organizations opt to work with a trusted third-party data security partner to manage all their PCI compliance needs.

The easiest and fastest path to PCI compliance

Rather than have a cross-functional team undertake the arduous process of gaining PCI DSS compliance the DIY route, the fastest and simplest way to become compliant is to make sure payment card data never touches your business’ servers.

But how can you possibly transact payment cards and run an online business without ever touching cardholder data?

The solution is an innovative approach called data aliasing, during which sensitive user data – like cardholder information – is redacted in real time and replaced with a synthetic data alias so that none of the original data ever passes through your system.

Data aliasing is the foundation of Very Good Security’s Zero Data solutions, which enable businesses to collect, store and transmit any sensitive data they want without ever coming into possession of it.

This effectively removes most of your business systems from PCI DSS compliance scope, so your burden is drastically reduced – and your risk of data breaches plummets to almost zero.
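To make the aliasing flow concrete, here is an added toy example in Python; it is not VGS code and does not reflect its implementation. A vault swaps the card number for a random alias before the merchant's system ever sees the form, and swaps it back only on the hop to the payment processor, so the merchant's own records never contain a PAN. The field names, the `tok_` alias format and the test card number are constructed.

```python
"""Constructed toy aliasing vault: it sits in front of the merchant's systems, swaps
card numbers for aliases on the way in, and swaps them back only on the way out to
the payment processor, so the merchant never holds a real PAN."""
import re
import secrets

PAN_RE = re.compile(r"^\d{13,19}$")


def luhn_ok(digits: str) -> bool:
    """Luhn check, so only values that look like real card numbers get aliased."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class AliasVault:
    def __init__(self, sensitive_fields=("card_number",)):
        # alias -> real value; in practice an HSM-backed, access-controlled store
        self._store = {}
        self.sensitive_fields = sensitive_fields

    def alias(self, pan: str) -> str:
        digits = re.sub(r"[ -]", "", pan)
        if not PAN_RE.match(digits) or not luhn_ok(digits):
            raise ValueError("not a card number")
        # Random, non-derivable alias; the last four digits are kept only for receipts
        alias = f"tok_{secrets.token_urlsafe(12)}_{digits[-4:]}"
        self._store[alias] = digits
        return alias

    def redact_inbound(self, form: dict) -> dict:
        """Inbound hop: customer -> merchant. The merchant receives only aliases."""
        return {k: self.alias(v) if k in self.sensitive_fields else v for k, v in form.items()}

    def reveal_outbound(self, record: dict) -> dict:
        """Outbound hop: merchant -> processor. Only here is the real value restored."""
        return {k: self._store[v] if k in self.sensitive_fields else v for k, v in record.items()}


def contains_pan(record: dict) -> bool:
    """Scope check: does anything the merchant stores look like a real card number?"""
    text = " ".join(str(v) for v in record.values())
    return any(luhn_ok(m) for m in re.findall(r"\d{13,19}", text))
```

`contains_pan` is the kind of check you would run over the merchant-side store to confirm that aliasing really kept card data out of it.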

Very Good Security offers nearly instant compliance for smaller merchants and service providers upon integration. For organizations that are PCI Level 1, either because of transaction volume or because their bank or partners require it, compliance can be achieved in as few as 21 days.

By taking the DIY path, the same result can take several months – after you’ve already poured a substantial amount of human and financial capital into securing your databases and processes.

Very Good Security is a completely scalable solution that grows with your business, and can take your PCI burden off your plate almost entirely.

Interested in descoping your company’s networks from PCI requirements and achieving compliance the simple way? Try a demo of VGS by clicking here.

This article was originally posted on Very Good Security.
What is a Proxy

Google defines a proxy as

the authority to represent someone else

Essentially, a middle man. When dealing with computers the concept is largely the same. A web proxy is simply a bit of software that will relay an HTTP request for you.

HTTP proxies are an essential component of day-to-day internet use. Load balancers, routers, content accelerators and content protection systems are all simple examples of web proxies: they act as intermediaries that send your HTTP requests where they need to go, anonymize requests, route traffic, speed up the net, and serve many other purposes.

When it comes down to it, most web proxies fall into two camps:

  1. Reverse Proxies – A reverse proxy is usually an internal-facing proxy used as a front-end to control and protect access to servers on a private network. A reverse proxy commonly also performs tasks such as load-balancing, authentication, decryption or caching.
  2. Forward Proxies – A forward proxy is an Internet-facing proxy used to retrieve content from a wide range of sources.

Let’s look at these two types in more detail.

What is a Reverse Proxy

You’re probably using a reverse proxy in order to view this content. When you make a request to the server that serves this blog post it will pass through a load balancer. This load balancer is a type of reverse proxy. Reverse proxies sit in front of one or more servers and distribute requests to these servers. Common examples of these would be Nginx’s proxy_pass module, HAProxy, Squid, and AWS’ ELB.

A reverse proxy receives a request from a client on the Internet and retrieves the requested resources from one or more servers that sit behind it. The client needs no knowledge of the servers (often called upstream servers) that serve the original content, and they can be changed as required without any outside knowledge. The reverse proxy handles that information.

As part of this handling of the request the reverse proxy will often provide additional value such as terminating SSL, performing authentication and/or authorization, accelerating (caching or compressing) content or rewriting the request and/or response.

The word “reverse” in the name reverse proxy has no special meaning, it’s just used as the inverse of forward proxy which actually has a meaning as you’ll read shortly.

What is a Forward Proxy

Forward proxies are commonly used to control traffic leaving networks. When you send a request via the proxy it will “forward” your request on to the requested website, hence the name “Forward Proxy”.

A common job of a forward proxy is to control access to the internet by inspecting certain attributes of the request as it passes through. If you’re on a corporate network that prohibits you from going to a social network such as facebook.com, this will often be the job of a forward proxy. The forward proxy is able to inspect the host of the request and, since on a corporate network traffic is often mandated to flow through the proxy, it will deny any requests that use the prohibited host.

A similar implementation will scan the outbound payload as it passes through the proxy. This can be used for a variety of data protection applications, e.g. data loss prevention, or to scan content for malicious software.

Another common use-case for a forward proxy is to anonymize where the request originally came from.

A forward proxy sits in between the user’s requests and the internet. As such, when the forward proxy sends a request to a host, the host computer will see the IP address of the forward proxy, not of the user. This is commonly used to perform IP anonymization and is a major feature of VPNs.
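The host check described above, as an added example in Python that is not code from the original post: it parses the request line and headers a browser sends to a forward proxy and decides whether the request may be relayed. The deny list and the sample requests are constructed, and the actual relaying to the upstream server is left out.

```python
"""Constructed example of the host-inspection step a forward proxy performs:
parse the request a browser sends to the proxy and decide whether to relay it."""
from urllib.parse import urlsplit

BLOCKED_HOSTS = {"facebook.com"}     # constructed corporate deny list


def target_host(request_line: str, headers: dict) -> str:
    """Return the host a proxied request is aimed at.
    Browsers send proxies either 'CONNECT host:port HTTP/1.1' (HTTPS tunnels)
    or an absolute-form line such as 'GET http://host/path HTTP/1.1'."""
    method, target, _version = request_line.split(" ", 2)
    if method == "CONNECT":
        host = target.rsplit(":", 1)[0]
    else:
        host = urlsplit(target).hostname or ""
        if not host:                  # origin-form request: fall back to the Host header
            host = headers.get("host", "").split(":")[0]
    return host.strip("[]").lower().rstrip(".")


def is_blocked(host: str, blocked=BLOCKED_HOSTS) -> bool:
    """Deny the host itself and any subdomain of it (www.facebook.com, m.facebook.com)."""
    return any(host == b or host.endswith("." + b) for b in blocked)


def decide(raw_request: bytes) -> str:
    """Parse the head of a raw proxy request and return 'ALLOW' or 'DENY'."""
    head, _, _body = raw_request.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return "DENY" if is_blocked(target_host(lines[0], headers)) else "ALLOW"
```

Note that for a CONNECT tunnel the proxy sees only the host and port, not the encrypted payload, which is why the payload-scanning use case above needs the proxy to terminate TLS.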

Layer 7 versus layer 3

Most of the time ‘proxy’ refers to a layer-7 application on the OSI reference model. However, another way of proxying is at layer 3 and is known as Network Address Translation (NAT). The difference between these two proxy technologies is the layer at which they operate, and the procedure for configuring the proxy clients and proxy servers.

Layer-7 proxies are more suitable if you’re inspecting the content of the payload to perform routing or otherwise manipulating the payload.


This article was originally posted on Very Good Security.
