Friday 29 June 2018

PCI DSS

People following this blog have been reading about the various hurdles I've had to jump in order to become, and remain, PCI DSS compliant.

I used to have to fill in a huge form each year, with a couple of hundred questions. And then, every three months, they would test my server to check that it was secure to their exacting standards. And if it failed (which happened whenever a new threat emerged, like "POODLE" or "Heartbleed"), I'd have to work out why, and make changes to the version of Apache, or the version of OpenSSL, or to the configuration, or whatever.

Well, all that has completely changed!

Last week, I got a letter from Barclays, telling me that if I didn't get PCI DSS compliant by September, it would cost me an extra 0.3% per transaction. "Oh dear," I thought, then I realised that this might put up the amount I pay them by about 5%. And that's the worst case scenario!

So I stopped worrying, and filled in their online form, which I was surprised to discover was only about a dozen simple questions. Then I waited a week while they got around to processing it.

Today, I got the phone call. I was asked several questions, which duplicated the questions I'd already filled in, and I don't know why they did that. And then the lady on the call said "That's fine, you're compliant for a year." "What about the quarterly security test?" I asked. "No need," she said.

So I went to the Barclays web site, and sure enough, I'm compliant until this time next year.

They've abolished the server test.

My server tests out as A+ on the Qualys test, so I'm not worried about that. But this means that they've abolished the server test for other people too, and I don't know how many others.

Why?

Have they stopped caring about computer security? Surely not.

Friday 22 June 2018

Spam from China

In my de-spammer, I have a category of email I call "non-roman". This is all email in alphabets that I cannot read. Maybe it's spam, maybe it isn't, but if I can't read it, I'll never know.

In the last week or so, there has been a huge rise in spam in Chinese. This is only part of what arrived in the last several hours. Over the same time period, there were only 24 spams that weren't in Chinese.

Monday 11 June 2018

IPv6

IPv4 is the old familiar Internet Protocol. You get addresses like 12.34.56.121, four numbers in the range 0 to 255. That means there are 2 to the power 32 possible IP addresses.

When this was designed, that sounded like a lot, enough for indefinite use. This is 4 billion addresses, which is enough for half the people on the planet. Plenty, yes? No. They didn't anticipate the huge popularity of the internet, and it turns out that these 4 billion addresses are not enough. And there is an IP address shortage.

Enter IPv6

This consists of eight numbers instead of four, which is 16 billion billion addresses. And that should be enough for a long time.

But.

Everyone uses IPv4 today. And people keep saying "We have to move to IPv6" because we've run out of IPv4 addresses.

And they've been saying that for seven years now.

So today, I decided to start making a move. Step one, talk to TalkTalk, to get some IPv6 addresses, and for them to route them to my connection. So I contacted TalkTalk.

Huh.

They don't do IPv6. In April 2017, their Chief Operating Officer said that they will in future. But in the 14 months since then, there's been a deafening silence. And when I asked their tech people, they said they don't do IPv6 and didn't know when they might.

So I explained that when my contract comes up for renewal, the existence of IPv6 support will definitely be a factor in which service provider I choose.

I can't believe that they haven't done this yet.

Saturday 2 June 2018

Barclays Merchant Services, and VAT

Six months ago, BMS (Barclays Merchant Services) changed over to a new accounting system. So when the first new bill arrived, in a totally different format from the old bill, I compared the old with the new, and I found a major discrepancy. Previously, they had been charging me £50-£60 VAT each month. Suddenly, the VAT figure was £5.

So I called them up. Either the old figure was inflated, or the new figure was too low. It took them about six months to look into it, and eventually, I got a nice refund from them.

I wondered, then, what they would do about all their other customers. Now I know. I just got a form letter from them, explaining about this.

This blunder must have cost them a lot.

TLS 1.2

A few weeks from now, data transfer with Barclaycard must use TLS 1.2 encryption. This is a good idea, because it's currently the strongest protocol available.

Wow. I remember when the only way to do this was for me to print everything out on paper, and trundle down to the bank with it. They would ship it off to their data center, and someone there would type it all in!

So anyway. I upgraded my systems to TLS 1.2 six months ago. But I got a reminder from them, and, suddenly nervous about whether it was all working right, I phoned them up to check. They checked my recent uploads, and confirmed that I was indeed using TLS 1.2.

But I wonder how many companies are going to be caught short by this.