SRC Security Research & Consulting GmbH: Generation change at the top

After almost 25 years of successful management of the company by Gerd Cimiotti, the foundations are now being laid for a generational change in the management of SRC — and thus for the next 25 years. With effect from August 1, 2024, Markus Schierack will be appointed to the management board of SRC Security Research & Consulting GmbH, Bonn.

As Managing Director of the payment transaction institute VÖB-ZVD Processing GmbH (“Pagateq”), he has been responsible for business development, payment transactions, finance and regulatory affairs, among other things. Markus Schierack brings many years of experience in strategic development and transformation in the area of payment transactions to his new role. The corporate finance specialist has held various positions within the Deutsche Bank Group in recent years. Among other things, he actively supported various strategic M&A transformation projects of the bank’s private customer business in the Group Development department of Deutsche Postbank AG and at Deutsche Bank and positioned Pagateq as a BaFin ZAG-licensed payment service provider with its own identity within Deutsche Bank Group.

Gerd Cimiotti, who has been Managing Director of SRC since 2001, will actively support the generational change and the handover to Markus Schierack until 2025 and will then retire from management: “One of the biggest challenges for medium-sized companies is the successful generational change. At SRC, Markus Schierack is the next generation to take on overall responsibility for the company. I am very confident that Markus will not only lead SRC Security Research & Consulting GmbH into a good economic future, but will also keep the special values of our company alive,” explains Cimiotti.

The time frame was deliberately set to allow for a gradual transition. The SRC shareholders’ meeting would like to take this opportunity to thank Mr. Cimiotti for his trusting cooperation and his successful and tireless efforts to develop SRC into a leading IT security competence center.

Markus Schierack already knows SRC very well from his role as Chairman of the SRC Shareholders’ Meeting and will now join the Management Board on August 1. Markus Schierack is looking forward to the challenge that he wants to master together with the employees at SRC: “My heart beats for the company and I have already had the opportunity to get to know SRC well through my work as a representative of a shareholder of SRC Security Research & Consulting GmbH.”

The 43-year-old will be supported by Randolf Skerka, who will be responsible for SRC’s auditing business in the future. The current Head of Sales at SRC has been familiar with the company and the auditing business in particular for many years from various roles at SRC. “For me, teams with strong personalities are always important in order to master upcoming challenges. I am therefore grateful to have Randolf Skerka at my side as an extremely experienced sparring partner,” says future Managing Director Markus Schierack.

About SRC Security Research & Consulting GmbH

SRC is the joint competence center of the German banking industry for IT security. SRC was founded in 2000 with the support of the four credit industry publishers (Bank-Verlag GmbH, DG-Nexolution eG, S‑Payment GmbH and VÖB ZVD-Processing GmbH) and the leading associations of the German credit industry represented on the company’s advisory board (Bundesverband deutscher Banken e.V., Bundesverband der Deutschen Volksbanken und Raiffeisenbanken e.V., Bundesverband Öffentlicher Banken Deutschlands e.V., Deutscher Sparkassen- und Giroverband e.V.).

In April 2001, Gerd Cimiotti joined the company’s management and led the expansion of SRC into a leading IT security service provider in Europe. With more than 120 employees, SRC is not only one of the top addresses when it comes to technical innovations in payment, but SRC also offers a comprehensive IT security and audit program to support customers all over the world.

The plan for the future is to further expand both business areas and take advantage of the emerging market opportunities. The new management team led by Markus Schierack is an important prerequisite for this. The smooth transition in management from Gerd Cimiotti to Markus Schierack also ensures the necessary continuity.

SRC and DAkkS accreditation according to ISO/IEC EN 17025: An important step towards EUCC

SRC Security Research & Consulting GmbH kann einen weiteren bedeutenden Erfolg verzeichnen: Die erfolgreiche Akkreditierung durch die Deutsche Akkreditierungsstelle (DAkkS) nach DIN EN ISO/IEC 17025. Dieser Schritt unterstreicht nicht nur die Kompetenz und Zuverlässigkeit unseres Prüflabors für Common Criteria (CC), sondern bereitet uns auch auf die Einführung der EUCC (European Common Criteria) vor, eine wichtige Entwicklung in der europäischen Cybersicherheitslandschaft.

Bedeutung der DAkkS-Akkreditierung

Die Akkreditierung nach DIN EN ISO/IEC 17025 ist ein klares Zeichen für die Professionalität und den Anspruch von SRC, erstklassige Prüfdienstleistungen anzubieten. Sie bestätigt, dass unser CC-Prüflabors den international anerkannten Standards entspricht und vertrauenswürdige, konsistente Ergebnisse liefert.

Vorbereitung auf die EUCC

Die EUCC stellt das auf den Common Criteria basierende europäische Zertifizierungsschema dar, soll die Sicherheitszertifizierung von IKT-Produkten in Europa verbessern. Mit unserer DAkkS-Akkreditierung ist SRC nun bestens gerüstet, um die Herausforderungen der EUCC zu meistern und eine führende Rolle in der IT-Sicherheitszertifizierung in Europa zu übernehmen. Die EUCC erweitert die Anforderungen der bisherigen Common Criteria und wird künftige Zertifizierungen in der EU grundlegend prägen.

Unser Engagement für Qualität und Genauigkeit

Mit dieser Akkreditierung demonstriert SRC sein Engagement für höchste Qualitätsstandards und Unparteilichkeit in unseren Labortätigkeiten. Wir sind stolz darauf, diesen Meilenstein erreicht zu haben und freuen uns darauf, unseren Kunden weiterhin Dienstleistungen auf höchstem Niveau anzubieten.

Bei weiteren Fragen stehen unser Sales-Team Ihnen jederzeit zur Verfügung!

SRC joins the German IT Security Association (TeleTrusT)

SRC joined the German IT Security Association (TeleTrusT).

The Bundesverband IT-Sicherheit e.V. (TeleTrusT) is a competence network comprising domestic and foreign members from industry, administration, consulting and science as well as thematically related partner organisations.

Due to the permanently changing requirements in the field of IT security, it is important for SRC that its experts regularly inform themselves about and exchange information on new necessities, techniques, processes and regulations.

TeleTrusT offers particularly good conditions for this, since in addition to the exchange of experts from the business world, contact is also established with politics and science.

SRC will contribute its wide-ranging expertise to the various working groups of TeleTrusT and thus give further significance to the status of IT security in Germany and Europe.

Our December blog post on PCI DSS v4.0: Targeted Risk Analysis

The year is drawing to a close — and so is PCI DSS v3.2.1.

The PCI Security Standards Council (PCI SSC) has just published new documents on the new concept of “Targeted Risk Analysis” — so let’s take this as an opportunity to take a closer look at the topic.

Targeted Risk Analysis – what is it?

PCI DSS v4.0 aims to enable more flexibility. One of the tools for this is the so-called “Targeted Risk Analysis”.

Targeted risk analyses differ from the company-wide risk analyses that were required in PCI DSS v3.2.1. They look at the specific risks for a very specific use case.

In PCI DSS v4.0, targeted risk analyses appear in two places:

Some requirements of the standard call for targeted risk analyses to determine how often a certain regular control should be carried out.
In addition, the targeted risk analysis is part of the so-called “customized approach”, which allows you to implement a requirement in your own way, deviating from the literal implementation.

We will focus on the first case here, as we will dedicate a separate blog entry to the customized approach in February.

Where is it required?

A targeted risk analysis is required for the following PCI DSS requirements:

5.2.3.1: If an organization has evaluated that system components are not commonly affected by malware and therefore do not require an anti-malware solution, then it must be checked at regular intervals to ensure that this is still the case. The frequency of these checks must be determined in a targeted risk analysis.
5.3.2.1: If regular malware scans are used, their frequency must be determined in a targeted risk analysis.
7.2.5.1: Often there are not only user accounts that are used by people, but also technical user accounts that are used by systems or applications. Their access rights must be checked regularly. The frequency of these checks must be determined in a targeted risk analysis.
8.6.3: Passwords for the aforementioned technical user accounts must be protected. The frequency of password changes and password complexity must be determined in a targeted risk analysis.
10.5.1.2.1: Payment devices (payment terminals) at the point of interaction must be inspected regularly to detect tampering or substitution. The frequency and type of inspections must be determined in a targeted risk analysis.
11.4.2.1: Security-critical logs (security events and logs from systems that come into contact with account data, have security functionality or are otherwise critical) must be reviewed at least daily in order to detect conspicuous activities promptly. The frequency of the review for all other logs must be determined in a specific risk analysis.
11.3.1.1: If high-risk or critical vulnerabilities are discovered during internal vulnerability scans, they must be remedied. For lower-rated vulnerabilities, a targeted risk analysis must determine how these are to be addressed.
11.6.1: E‑commerce payment pages must be regularly checked with a mechanism for detecting changes and tampering. This mechanism must be applied at least every seven days – otherwise a lower frequency must be justified with a targeted risk analysis.
12.10.4.1: The staff responsible for responding to security incidents must be trained in this. The frequency of this training must be determined in a targeted risk analysis.

How to perform the targeted risk analysis

How the targeted risk analysis should be carried out is defined in requirement 12.3.1 of PCI DSS v4.0. This stipulates that the analysis must first identify at least the following points:

The assets to be protected. Of course, those always comprise the account data itself, but other assets such as systems or passwords can also be relevant.
The threats against which the corresponding PCI DSS requirement is intended to protect.
To determine the corresponding threats, it is helpful to consult the “Customized Approach Objective” of the corresponding or higher-level PCI DSS requirement, as this objective often already specifies the threats against which the requirement is intended to protect.
Factors that contribute to the probability of occurrence and/or the impact of the realization of the aforementioned threats.

Let’s get specific and take requirement 9.5.1.2.1 as an example.

Here, both the account data and the payment devices are assets to be protected.

The “Customized Approach Objective” of the overarching requirement 9.5.1.2 is that the tampering of devices, unauthorized substitution of devices, or the attachment of skimming devices cannot be carried out without timely detection.

Typical threat scenarios would therefore be, for example

Attackers install skimming devices that read data input.
Attackers pretend to be service technicians or employees of the device provider and replace the payment device with a manipulated payment device, which then reads account data and forwards it to the attackers.
Attackers steal a payment device on which data could be temporarily stored in the case of offline transactions.
Attackers manipulate the payment device in such a way that its security functionality is weakened (e.g. encryption switched off).

Factors that can have an impact on the realization of these threats are, for example:

How easily accessible is the payment device to customers and third parties? Is it securely attached?
Is the payment device permanently attended / under supervision?
How well qualified and trained is the staff on site?
Are the payment device and the data in it protected against tampering, and is this proven by PCI PTS validation of the device and/or PCI P2PE validation of the entire solution?
How heavily frequented is the payment terminal? (This can have an influence on whether it is a particularly worthwhile target for the attacker.)
Has the device provider provided recommendations in their documentation on how frequently the devices should be checked?

The factors then result in the analysis that determines how often an activity must be carried out in order to minimize the probability of the threats occurring.

Factors and results of the targeted risk analysis must be documented.

At least every 12 months, each targeted risk analysis must be reviewed to check whether it is still applicable. If there have been changes in the factors or in their evaluation, the risk analysis must be updated accordingly.

Assistance

As with every PCI DSS v4.0 requirement, the first thing worth looking at is the “Guidance” column to the right of the requirement in the standard itself.

In addition, the PCI SSC published three supporting documents on 28 November 2023:

Information Supplement PCI DSS v4.x: Targeted Risk Analysis Guidance,
PCI DSS v4.x Sample Template: Targeted Risk Analysis for Activity, and
PCI DSS v4.x Sample Templates to Support Customized Approach (in which, as mentioned above, targeted risk analyses are also required).

And as always, you are welcome to ask SRC’s PCI DSS experts for support.

Outlook

This is the last post on PCI DSS v4.0 for this year. We will continue our monthly blog series next year — you can look forward to the following topics then

January: Changes in e‑commerce: What’s changing in Self-Assessment Questionnaire A?
February: Customized Approach
March: Changes in e‑commerce: Integrity protection of payment pages

Happy New Year, and take care!

The BSI Situation Report 2023: Secure Your Business – Discover Our Solutions.”

The latest Situation Report from the Federal Office for Information Security (BSI) for the year 2023 paints a picture of the German cybersecurity landscape that reveals both challenges and calls to action. As digitalization progresses in all areas of life, the complexity and number of cyber threats are increasing.

Specific IT security threats in 2023

Particularly, ransomware attacks aimed at encrypting company data and demanding ransoms are becoming more sophisticated and are affecting not only large corporations but also increasingly smaller and medium-sized businesses as well as public institutions.

Another prominent topic of the report is the potential misuse of Artificial Intelligence (AI). With the rapid development of AI technologies and their applications, new possibilities for attacks emerge. AI-powered attacks, including deep fakes and manipulated chatbots, represent a serious threat that can undermine not only information security but also societal stability.

Geopolitical tensions, especially the conflict in Ukraine, further demonstrate that cyberattacks are increasingly being used as a means of warfare and political influence. These developments are not limited to state actors but also affect the economy and civil society. The BSI emphasizes that security in cyberspace is no longer just a matter of technical defense but requires a collective societal effort.

The BSI’s recommendation to strengthen “cyber resilience” reinforces the necessity of being proactive and preventive. This means that companies and authorities must not only react to attacks but also improve the resilience of their systems in advance.

This is where the expertise of SRC GmbH comes in, a company that specializes in security needs in the digital age.

How SRC can help establish cyber resilience

Risk analysis and prevention: SRC offers individual risk analyses to help companies identify and address vulnerabilities before they can be exploited.
Security architecture and design: By designing robust security architectures, SRC helps ensure that their clients’ systems can withstand advanced threats.
Training and awareness: SRC organizes training for employees to increase awareness of cybersecurity and ensure that security policies are understood and followed.
Regulatory compliance and standards: SRC advises on regulatory requirements and helps companies meet legal and normative standards.
Innovation and technology consulting: With expertise in modern technologies such as blockchain and AI, SRC develops innovative solutions that are not only secure but also forward-looking.
Emergency planning and response: In the event of a cyberattack, SRC assists with rapid response and deployment of emergency plans to minimize damage and maintain business operations.

Use the insights from the BSI Situation Report 2023 as a decisive impulse to specifically review and optimize your cybersecurity measures – SRC GmbH is ready to work with you to strengthen critical security areas and build resilience against current and future cyber threats.

PCI DSS v4.0 approaches – we support your preparation

PCI DSS is a mature standard that defines requirements for secure processing of card data of the international payment brands.
Version 3 of PCI DSS, which has been valid since 2014 — with various updates -, will finally expire at the end of March 2024 and will be replaced by the new version 4.0.

We take the final steps to PCI DSS v4.0 migration with you. Please make use of our offers:

1. Monthly blog articles highlighting one PCI DSS v4.0 topic at a time

September 2023: Timeline for the PCI DSS v4.0 migration – What are my next steps?
October 2023: Evidences in PCI DSS assessments
November 2023: Roles and responsabilities
December 2023: Targeted Risk Analysis
January 2024: Changes in e‑commerce: What’s changing in Self-Assessment Questionnaire A?
February 2024: Customized Approach
March 2024: Changes in e‑commerce: Integrity protection of payment pages
You will find further topics updated here.

2. Free webinars summarizing the changes from PCI DSS v3.2.1 to v4.0 again

Webinar on the full PCI DSS scope (January 2023)
Webinar for card-present merchants with SAQ B‑IP or P2PE scope (January 2023)
Webinar for e‑commerce merchants with SAQ A scope (January 2023)

You find an overview about the current webinars here.

3. PCI DSS v4.0 workshops tailored to your needs, in which we specifically present and discuss the requirements that are relevant to you.

4. A gap-analysis of your environments and processes. You will receive a list of all open items for PCI DSS v4.0 compliance in your company.

5. Consultancy packages of your choice. You can call up quotas at any time if you have specific queries — by telephone, e‑mail, web conference, or in meetings on site.

Please feel free to contact Mrs Jana Ehler via e‑mail for further inquiries.

Intensive seminar | Basic knowledge of IT basics and security measures for non-IT specialists on 15 November 2021

Intensive seminar (online)
Basic knowledge of IT basics and security measures for non-IT specialists

Bank IT in particular is required to protect sensitive information and data with a high level of security and at the same time make it available to authorised persons. To achieve this, information security officers, data protection officers, IT officers and other bank employees must coordinate closely. Despite different professional backgrounds, a common “language” must be found. To do this, it is advantageous to be able to visualise the conceptual world of IT in the context of its processes and interrelationships. This is the only way to succeed in an interdisciplinary exchange with IT experts about IT security measures and their effects in the company and its diverse internal and external communication structures.

The intensive seminar “Basic knowledge of IT basics and security measures for non-IT experts” provides the necessary knowledge about information technology and security measures. The target group is non-IT specialists in credit institutions.

The speaker Florian Schumann is IT manager at SRC Security Research & Consulting GmbH. In this position, he is responsible for the continuous development of IT. He is also a consultant for information security and a qualified auditor according to § 8 (a) BSIG for critical infrastructures.

Module 1: IT terms and basics

Networks
Communication media and protocols
Basic IT security measures in networks
Basic IT security measures in data centres
Backup & Restore
Virtualisation
Concepts of user administration

Module 2: Encryption

Symmetrical and asymmetrical procedures
key management
Signature
Authentication (e.g. multi-factor authentication according to PSD2) and integrity assurance

In addition, participants will receive an overview of new technologies and trends, e.g. big data, cloud, artificial intelligence, special features of mobile working / home office. The intensive seminar offers sufficient space to reflect on the upcoming challenges for security.

Intensive seminar (online)

Basic knowledge of IT basics and security measures for non-IT specialists
on Monday, 15 November 2021, 10:00 a.m. to 5:00 p.m.

To registration

-

Information Security Management Systeme (ISMS) – myths, misconceptions and misconceptions

There are several myths, misconceptions and misconceptions surrounding Information Security Management Systems (ISMS) that can lead to incorrect assumptions or inadequate implementations.

In our latest blog article, we would like to briefly introduce some of them:

Myth #1: ISMS is only for large enterprises

It’s a common misconception that an ISMS is only for large enterprises. In fact, organizations of all sizes can benefit from an ISMS as it helps to become aware of threats, mitigate risks and meet compliance requirements. Regardless of the size of the organization, an effective ISMS helps address information security in all aspects of business operations, which ultimately helps strengthen overall business success and promote trust.

Myth #2: ISMS is just a technical matter

There is often a misconception that an ISMS is all about technical measures. However, the primary focus is on information and processes. Through these, both the technical and other organizational aspects, such as policies, procedures, training and awareness programs, then come into consideration. In other words, an effective ISMS requires a holistic approach that involves people, processes and technology to ensure and improve the security of information in the organization.

Myth #3: An ISMS is a one-time task

An ISMS is not merely a one-time task. While it is sometimes assumed that an ISMS can be implemented once and then operated on the side, it is actually a continuous process that requires constant monitoring, review and improvement to keep pace with changing threats and business needs. This process fosters an enduring culture of information security in the organization that is focused on proactive risk mitigation and constant adaptation to new security challenges.

Myth #4: Conformance guarantees security

Conformance to standards such as ISO 27001 does not automatically mean that an organization is fully protected. An ISMS should be viewed as a continuous improvement process that goes beyond mere compliance. It’s about creating awareness of information security throughout the organization, improving the ability to respond to changing threats, and ultimately establishing a sustainable security culture.

Myth #5: ISMS is for marketing purposes only

While sales and marketing departments certainly won’t disagree, an effective ISMS primarily helps organizations mitigate risk, meet compliance requirements, and build trust with customers and partners. Overall, such a system promotes a security-conscious culture and improves business practices.

Would you have known?

By clearing up these myths, misconceptions and misconceptions, organizations can gain a better understanding of how to effectively implement and use an ISMS to protect their information and drive business success.

We at SRC Security Research & Consulting GmbH can actively support you in the process from consulting to certification, feel free to contact us.

Contact us:
Christoph Sesterhenn
E‑Mail

Application areas of Digital Identities: Digitally representing — and protecting — physical identities

Application areas of digital identities:

Digitally representing — and protecting — physical identities

With the current development of the European Regulation on Electronic Identification and Trust Services (eIDAS), a recognised and secure digital identity can come about throughout Europe. Digital identities have been commonplace for a long time — from email accounts to social media to digital official transactions: The use of digital services requires proof of identity. The necessary identification and authentication is linked to different levels of protection, depending on the service used. Companies that want to offer services for which digital identities are necessary — for employees, partners and customers — must know the requirements.

A digital identity is the digital representation of a physical identity. The latter can be a person, but also an institution, a machine or a server. In the health sector, practices, hospitals or pharmacies, for example, can receive a digital identity. In this context, it represents a collection of attributes in electronic form that characterise a natural or legal person — this can be name, address and date of birth, but also user name or email address. A digital ID must be unique, otherwise it cannot be assigned; the process of initial identification is transferred to the digital — for initial identification it requires registration; recognition is achieved through authentication. From a social perspective, there are three forms of identities: real, self-constructed and anonymous, with the latter playing a sometimes controversial role on social media, for example.

Possible uses of digital identities

Digital identities are necessary as a basis or digital representation for digital services and processes. They are used wherever digital services are offered and are personalised, which requires the collection, storage and processing of data. Digital services have various forms — from social media user accounts, to online accounts in e‑commerce, to online banking or digital official procedures via eGovernment offerings. As with the identity card, the scope of application of a digital identity can go beyond mere identification and, for example, an age check can be possible.

Increasing digitalisation is opening up further possible uses of a digital identity: The European eIDAS (Regulation on Electronic Identification and Trust Services) creates uniform framework conditions for the use of electronic means of identification and trust services across borders here. In 2020, the revision of the eIDAS Directive was launched, and it is currently not yet complete. The goal is to offer a secure EU identity wallet throughout Europe. The eID is thus the virtual equivalent of an identity card. It is supposed to enable identification and authentication, verification of validity by third parties as well as secure storage and representation of identities. In addition, it should make it possible to generate qualified electronic signatures. This digital counterpart to the signature allows legally valid contracts to be concluded on a digital level.

The eIDAS also stipulates that EU member states must make the digital identity available to citizens; the envisaged acceptance obligation may also contribute to the elimination of other digital identities. Shopping abroad or picking up a rental car could thus be simplified, as the digital identity makes processes more efficient. This is because digital services are associated with a reduction in costs compared to analogue processes; the user benefits greatly from simpler and more convenient handling, for example, when administrative procedures can be completed from home.

Unlike digital identities via Google or Facebook, the authorities can ensure that data protection is complied with in accordance with the Data Protection Regulation (DSGVO). In the health sector, digital identities on the smartphone are to replace the electronic health card in the future — but this cannot yet be realised.

Security and protection of the user

One possible attack scenario that particularly affects digital identities is theft in the form of impersonation or identity theft. The potential for damage ranges from hate comments on social media to access to and misuse of personal data, such as banking transactions or confidential health data. While the analogue identity card limits misuse by thieves because of the photo on it, the case is different online. The digital identity must therefore be specially protected. Protective measures can be, for example, secure passwords or a two-factor authentication, as it already takes place in online banking, for example, with a password on the one hand and additional TAN generation on an external device on the other. The hardware token in smart cards represents the highest level of security as a certified version.

Standardised trust levels

The level of security depends on the purpose of the digital identity and is regulated in the Implementing Regulation (EU) 2015/1502. For example, in online banking or in the health sector, there are particularly sensitive, personal data that require a high level of protection. The regulation defines three standardised trust levels: low, substantial and high. A low level of protection corresponds to a one-factor authentication, as is common in social networks or forums. Substantial protection is provided by the aforementioned two-factor authentication. However, a high level of protection, for example when health data is involved, must be even more strongly secured, for example with a passport including a photo and biometric features. For example, identification can take place via video-identification or post-identification procedures.

However, the higher the security level, the more complicated its technical implementation. High-priced smartphones, for example, come with certified security components — while lower-priced devices are equipped with inferior biometric sensors that can be easily manipulated or bypassed. They therefore do not have protected memory areas. Smart cards in health cards, on the other hand, can use and store cryptographic key material with their chip processors. In this way, the infrastructures behind them ensure authenticity.

The future potential of digital identities

Digitisation is on the rise, all its services require a digital identity and these are already widespread: On average, every citizen has 90 digital identities. The digital and analogue worlds can merge, for example when access controls in companies are digitalised and require proof of a digital identity, or when the health card is read in as an ID in doctors’ surgeries. Here, media disruptions are perceived as an obstacle, for example when paper documents are to be submitted as scans to health insurance companies. Digital identities and the assignment they allow make the digitisation of such processes possible in the first place. In the area of eHealth, doctors can digitally sign and send invoices and prescriptions, for example.

Companies, in turn, can use digital identities widely for customers and employees, end customers or partners. This means, for example, that holiday applications can be made via a portal. Not to be neglected are also conceivable application possibilities for customer loyalty: After all, digital services that customers use can be used to gain information about their behaviour, which can be used to better tailor and optimise one’s own offer. However, companies must be aware of the different levels of security. User-friendliness is important, but so is digital protection against identity and data theft. If this is not guaranteed, serious consequences can be the result. A consulting firm like SRC GmbH can help here to shed light on solutions — both paid and open source — to check certifications and to ensure conformity and thus legal certainty.

Conclusion

Nothing works on the internet without digital identities — digital services require initial identification of the user and authentication for further use, for example, via passwords with additional TAN generation within the framework of multifactor procedures. The security requirements depend on the type of service and the data used, which is ensured via three levels. Companies that want to use digital services must therefore know the requirements in order to use the application potential for customers, partners or suppliers.

___________________________________________________

Author: Nico Martens, Consultant SRC Security Research & Consulting GmbH

Further information: https://src-gmbh.de/

Press contact:

Patrick Schulze

WORDFINDER GmbH & CO. KG

Lornsenstrasse 128–130

22869 Schenefeld

Phone +49 (0) 40 840 55 92–18

ps@wordfinderpr.com

www.wordfinderpr.com

SRC goes GEAR (Global Executive Assessor Roundtable)!

PCI SSC and SRC

The Payment Card Industry Security Standards Council (PCI SSC) is a global forum that develops and promotes the use of information security standards for secure payments. It is responsible for 15 globally recognized and widely used standards for securing electronic payment processes — from payment card production and issuance to payment at the point of interest or in web & app, to the processing of payments in the background.

SRC has been assessing the use of those information security standards since PCI SSC was founded by means of corresponding assessments and product evaluations. The PCI SSC attaches great importance to the exchange between different stakeholders and uses various committees and activities for this purpose. SRC has so far participated in Special Interest Groups and Task Forces as well as in Community Meetings and Request for Comment phases.

Global Executive Assessor Roundtable

The PCI SSC has been giving experienced assessor companies the opportunity to advise its senior management since 2018 through the Global Executive Assessor Roundtable (GEAR). We are excited that our company has been selected this year to be part of the interfaces between leadership of the PCI SSC itself and leadership of the assessment companies by this responsible membership. This will enable us to contribute our years of experience in a direct way. The nomination is valid for the next two years and gives us the opportunity to play an influential role in the further development of specifications for assessment procedures, new training programs and qualification requirements for future assessors. Other GEAR responsibilities include finding ways to promote assessors’ engagement in emerging and new markets, and optimizing assessors’ skills to add value for payments companies

We are proud to be included in this circle and see it as a recognition of our past performance and relevance in the payments security market. At the same time, we are aware of our responsibility to act as a representative for a large community of assessment companies and take this as an additional incentive for the future.

Link to GEAR: https://www.pcisecuritystandards.org/about_us/global_executive_assessor_roundtable/