The Fantastic Fourth: 7Security Celebrates a New Qualified Security Assessor 

We started 2024 strong by announcing the addition of Diana Edreva to our team. Diana comes from a solid background in Information Security, holding a Bachelor’s degree focused on Computer and Information Systems Security, and a Master’s degree in Cybersecurity and Digital Forensics. Diana is currently a PhD candidate in Cybersecurity as well. She has a keen interest in modern security practices and was eager to dig deeper into payment security compliance.  

Over the last few months, Diana has been working side by side with us, immersing herself in PCI standards and preparing for a new exciting role. We are thrilled to share that she has recently passed her PCI Qualified Security Assessor examination, officially making her the fourth QSA in our team. Diana is already working closely with FinTech companies, helping them to streamline their PCI DSS compliance efforts and improve their payment environments.

“Becoming a QSA is incredibly exciting,” Diana shared. “Learning about the account data flows and various architectures and security principles was absolutely astounding. However, I definitely wouldn’t be able to pass the bar if it wasn’t for the amazing mentorship of my more experienced colleagues and learning the intricacies of PCI.”

When discussing her new role, she noted:

“There is a wide variety of skills and knowledge required in order to master the craft of being a QSA, so being a Jack of all trades is kind of a must. Joke aside, I still have a long way to go until I can stand tall just like the rest of my team, but I am positive I’ll get there.”

As Diana embarks on this new chapter, we are confident that becoming a QSA is just the beginning of a remarkable trajectory. We are eager to support her growth and see her help many FinTechs achieve their compliance goals.

If you want us to elevate your own PCI DSS journey, or learn more about the standard, don’t hesitate to reach out.

7Security welcomes a new Qualified Security Assessor

At 7Security, we believe every success should be celebrated – from completing yet another successful project or hearing good news from our clients… to, in this case, having the pleasure of calling one of our colleagues a Qualified Security Assessor for the first time!

Yasen Georgiev, who joined us earlier this year as an Information Security Auditor, has recently earned the QSA title, and we could not be happier for him. Yasen is now officially part of our QSA team and will be working closely with fintechs, helping them maintain their PCI DSS compliance.

‘PCI DSS is a unique standard’, shared Yasen, ‘it’s not fully technical; there are many controls related to people – the way employees implement and follow their security policies. I find the human factor here very intriguing. What also thrills me is not just assessing a company’s compliance with the standard but seeing various architectures and solutions in the process. I especially enjoy the consulting part of my role – sharing my know-how and providing support where needed. It’s great to offer the client an angle they haven’t thought about that ends up saving them costs and effort in managing their PCI environment. It’s my personal contribution to the fintech industry.’

‘I can’t say becoming a QSA was an easy journey’, added Yasen, ‘It had its challenges, but throughout the whole process, I felt supported by my colleagues at 7Security, and I learned a lot from them and the PCI Council training. At 7Security, we are adept in cloud technologies and the ways they simplify compliance, especially for startups who are going through their first PCI DSS. I feel lucky to be working next to people with such vast experience and interests in modern cloud solutions. Here, I can put my skills to good use, but I am also challenged daily to learn and grow.’

We wish Yasen many exciting projects. We are confident we will have plenty of occasions to share more success stories about him in the future.

NEXT DIFI 2021: an overview

Over the last few weeks I’ve been busy with the various in-person events I attended (first Money20/20, then DigiPay 2021), but I’m not complaining. It’s energizing to speak in front of a live audience while also reaching people online. On the 8th of October, I participated in Next Difi 2021, a hybrid event dedicated to banking and fintech innovation, digital finance, cybersecurity, blockchain, and more.

I had the pleasure to moderate the Banking and fintech innovation, and cyber security and risk management panel. I enjoyed intriguing discussions with members of DSK, Acronis, and Sirma Business Consulting. They shared exciting insights, so make sure you watch the recording (link below 😉 ).

Picture: Moderating a panel with DSK, Acronis, and Sirma Business Consulting

I also participated in the Innovative Technologies, New Players, and Transformed Business Models panel, where I gave a presentation on Card Payments Security Standards. In particular, I discussed the PCI DSS, 3DS, and PIN security standards. I shared an overview of what they are, who needs them, and what common misconceptions most people have about them.

A big ‘thank you’ to b2b Media for organizing the event and for inviting me to participate. See you again on the Fifth Edition!

A full recording of Next Difi 2021 can be found here:

Author: Pavel Kaminsky, CEO of 7Security

DigiPay 2021 – Recap with Pavel Kaminsky

Picture: Digi Pay 2021

It’s confirmed: live events are slowly making their long-awaited comeback, and they have become so much better! Just a few weeks ago, we attended Money20/20, where we were hyped to see our fintech friends in person and to find many new ones.

To give October a flying start, we also attended the DigiPay Conference 2021 on the 1st of the month. DigiPay is the event for secure and convenient digital payments in Bulgaria, and it was packed with professionals from the payment and banking sector, who brought us up to speed with the newest fraud and security trends in digital payments.

To begin with, the audience enjoyed a valuable panel on Open Banking, where banks and fintech companies discussed the challenges it brings, the new solutions it enables, and the extent to which the payment sector is, or is not, making use of the new opportunities.

Speakers then discussed digital payments with regard to identification and the customer journey, sharing valuable insights and statistics, as well as exciting innovations to look out for.

To get a more elaborate overview of the Real Time Fraud Prevention panel and the related Live Demonstrations panel, I sat down with their moderator – our CEO and Founder, Pavel Kaminsky.

Pavel, overall, how did you find the organization of the event and the topics discussed?

I think it went great. We had around 100 people attending in person, and around 200 joining online. The panels were organized in a logical way, with enough time for discussion and for the audience to participate and ask questions. I noticed the panels are getting more exciting compared to previous years – the audience is more involved, the professionals – more detailed, and the issues raised – truly relevant. The moderators were handling things well and contributed to the discussions. Catching up with friends in-between panels was also awesome.

What about the panel you moderated?

It was the best one : )

Haha, no doubt there. Care to elaborate, though? Could you tell the readers more about the topics that were discussed?

Sure. I moderated the Real Time Fraud Prevention panel. We had six speakers, who had prepared strong presentations that I observed with interest. We saw the newest trends in cybercrime when it comes to online payments, including the ways cybercriminals are bypassing the 3D password, which was added as a multi-factor authentication scheme, but is already exploited by cybercriminals.

Speakers then discussed how difficult it is to combat fraud in real time transactions, as instant payments = instant fraud, and how trying to prevent all fraud types and tools is an unrealistic approach. Instead, being able to adapt to current threats, adopting flexible case management, not relying solely on AI, and focusing on threats most relevant to one’s organization proves to be a much wiser strategy according to our speakers.

I was curious to also see a seminar, demonstrating a bank-level payment security program, which not only focuses on compliance and software but also on training employees and constantly testing their knowledge in practical ways. Such dedication to security is very impressive.

Towards the end of the panel, the audience found out how DeFi can be a more secure payment solution, mostly because there’s no centralized control, therefore no opportunity for human error. At the same time, we were reminded we shouldn’t see DeFi as 100% safe. Unfortunately, there are exploitation risks involved, that shouldn’t be underestimated.

To finish off, the panel concluded with a blockchain talk, discussing how blockchain solves many cybersecurity issues, but it presents new ones, and we already have examples of scams. This summarized the panel nicely – we concluded that there are no perfect solutions to solve all security issues, and while blockchain and other innovations can greatly reduce risk, it is never eliminated.

After that, I moderated a second panel with live demonstrations, where speakers gave the audience a live show for fraud prevention and showed them current trends in phishing attacks.

That was a nice summary, thank you. Besides the lack of a magical pill for payment security fraud, I noticed another ongoing theme that came up in all the talks – the human factor.

Yes, absolutely. All security and fraud prevention experts highlighted that we shouldn’t forget that on both ends of technology we have a human being. Compliance with established security standards and investing in good software solutions are important. However, focusing solely on getting more certificates and buying the most expensive product will not prevent your employee from making a costly mistake, or your customer from clicking on a fraudulent link.

Cybercriminals have realized for a long time now that trying to attack an organization is not easy, but attacking its customers often is. What came up over and over again throughout the panel is that many fintechs and banks fail to educate their employees and customers on how to recognize and report fraud, and how to carry out safe digital transactions.

As I mentioned, I was impressed by the dedication of some of the speakers, who presented us with the ways they keep their employees educated on cybersecurity. Unfortunately, overall I rarely see an organization that really focuses on the human factor when creating a security program. I sincerely hope the panel raised awareness on that.

Correct me if I’m wrong – this is a topic you have been discussing for a while now?

Yes, and I was glad it came up during the panel, because underestimating the human factor is a serious flaw of most payment organizations, and it’s vital to talk about it more. I’m more than happy to help all my clients achieve compliance with PCI DSS and consult them on how to follow the requirements, but it’s no less important for them to teach their users not to click on suspicious links and recognize and report fraud.

Indeed! Any final remarks?

I’d like to say thanks to Raya Lecheva – the main person to ‘blame’ for DigiPay, along with all the organizers and participants who made it happen. Being able to meet in person, discuss, network, and simply communicate with such inspirational professionals within our industry, was invaluable. I’m already looking forward to DigiPay 2022, bigger and better.

Author: Tanya Klyasova, Payment Security Enthusiast at 7Security

Protecting Telephone-Based Payment Card Data

The PCI Security Standards Council has released an update to the Information Supplement: Protecting Telephone-Based Payment Card Data. It is aimed at businesses that handle card data through mail order/telephone order (MOTO) transactions, particularly those taking sales over the telephone, including ones using VoIP solutions, and is meant to help them secure card data in a manner consistent with PCI DSS.

This update comes more than seven and a half years after the original document was published in March 2011. It is definitely an improvement on its predecessor, inasmuch as it provides detail where the original didn’t. And rightly so. Although, technically speaking, not much has changed and VoIP still runs over UDP, these days we are witnessing a new, tighter integration of these systems with everything else, including but not limited to CRMs, billing, mailing, customer reward schemes, and customer behavior tracking systems.

WHY DOES IT MATTER?

It matters because these systems may have some sort of access to card data. Or, simply because when PCI DSS says your VoIP is in scope, you need to look at all these other systems that are connected to the network or can impact the security of the CDE, scratch your head, and think of magic words, such as “segmentation”.

HOW IS VoIP A CHANNEL FOR ATTACK VECTORS?

Well, it is an unlikely channel, or rather, not overly popular yet, but a channel nevertheless. UDP provides a convenient stateless transport that can be (and is) used to disguise malicious code in streaming sessions. The reason we don’t hear much about these types of attacks is probably that they haven’t gained momentum yet, or, even worse, that businesses are simply not aware they are happening.

Telephone systems touching card data have always been required to be in the scope of PCI DSS. Up until now, they have largely been neglected or avoided altogether. In light of all we have said so far, it is evident this needs to change. There are a number of pointers in the guide that are likely to raise an eyebrow, seemingly because they ask the business to bear the brunt of more stringent and resource-consuming changes to technology, people, and process in their organizations.

Yet, with telephony systems in scope of PCI DSS now more than ever, and with the new detail provided in the November 2018 release of the Supplement, owners and QSAs alike are faced with the need to come up with clever and doable ways to segment their VoIP systems, where possible, so they comply with PCI DSS without it costing them an arm and a leg.
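The scoping logic behind the two points above (any system with a permitted connection to the CDE is a “connected-to” system and in scope; segmentation is what keeps the rest out) is easier to reason about on a concrete rule set. The following is an added example in Python, not code from the 7Security post or from the PCI SSC supplement. It takes a constructed list of network zones and firewall allow-rules, reports which zones are directly connected to the CDE, and finds indirect paths (for instance, a VoIP platform reaching the CDE through a CRM integration) that a segmentation review would need to break. Zone names, rules and services are made up for the example.

```python
"""Added example, not code from the 7Security post or from the PCI SSC supplement:
a small scoping helper that reads a constructed list of network zones and firewall
allow-rules, reports which zones PCI DSS would pull into scope as 'connected-to'
the CDE, and finds zones that still have an indirect path into it that segmentation
should break. Zone names, rules and services below are made up for the example."""
from collections import defaultdict

# Constructed zones for a telephone-order environment (hypothetical names).
ZONES = {"CDE", "VOIP", "CRM", "BILLING", "CORP_LAN", "INTERNET"}

# Constructed allow-rules as (source zone, destination zone, service).
ALLOW_RULES_BEFORE = [
    ("INTERNET", "VOIP", "udp/5060"),   # SIP signalling from the carrier
    ("VOIP", "CRM", "tcp/443"),         # screen-pop integration into the CRM
    ("CRM", "CDE", "tcp/443"),          # CRM looks up orders held in the CDE
    ("CORP_LAN", "CRM", "tcp/443"),     # staff use the CRM from the office LAN
    ("BILLING", "CDE", "tcp/5432"),     # billing reads the CDE database
]

# Constructed 'after' ruleset: the VOIP -> CRM integration rule has been removed,
# so the telephony zone no longer has any permitted path toward the CDE.
ALLOW_RULES_AFTER = [r for r in ALLOW_RULES_BEFORE if r[:2] != ("VOIP", "CRM")]


def build_graph(rules):
    """Directed graph of permitted flows: source zone -> set of destination zones."""
    graph = defaultdict(set)
    for src, dst, _service in rules:
        graph[src].add(dst)
    return graph


def connected_to(rules, cde="CDE"):
    """Zones with a direct permitted flow to or from the CDE.

    PCI DSS treats such 'connected-to' systems as in scope regardless of
    whether they themselves store, process or transmit account data."""
    zones = set()
    for src, dst, _service in rules:
        if src == cde and dst != cde:
            zones.add(dst)
        elif dst == cde and src != cde:
            zones.add(src)
    return zones


def find_paths(rules, start, goal):
    """All simple paths from start to goal along allow-rules (depth-first)."""
    graph = build_graph(rules)
    paths = []

    def walk(node, path):
        if node == goal:
            paths.append(path)
            return
        for nxt in sorted(graph[node]):
            if nxt not in path:          # simple paths only: never revisit a zone
                walk(nxt, path + [nxt])

    walk(start, [start])
    return paths


def scoping_report(rules, zones, cde="CDE"):
    """Classify every zone relative to the CDE.

    'indirect' means the zone can reach the CDE (or be reached from it) only
    through another zone; that is where segmentation is normally applied."""
    direct = connected_to(rules, cde)
    report = {}
    for zone in sorted(zones):
        if zone == cde:
            report[zone] = "CDE"
        elif zone in direct:
            report[zone] = "connected-to (in scope)"
        elif find_paths(rules, zone, cde) or find_paths(rules, cde, zone):
            report[zone] = "indirect path to CDE: review segmentation"
        else:
            report[zone] = "no path to CDE: candidate for out-of-scope"
    return report


if __name__ == "__main__":
    for label, rules in (("before", ALLOW_RULES_BEFORE), ("after", ALLOW_RULES_AFTER)):
        print(f"--- {label} segmentation ---")
        for zone, status in scoping_report(rules, ZONES).items():
            print(f"{zone:10s} {status}")
        for path in find_paths(rules, "VOIP", "CDE"):
            print("VOIP path into CDE:", " -> ".join(path))
```

On the constructed “before” rules the CRM and billing zones are directly connected to the CDE and therefore in scope, while the VoIP zone (and, through it, the internet-facing SIP trunk) reaches the CDE only via the CRM integration; removing that single rule in the “after” set leaves the telephony zone with no path to the CDE, which is the kind of result a QSA would want to see evidenced before accepting it as segmented. Real environments have many more rules and hosts, so this is a starting point for a review, not a replacement for segmentation testing.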