Branimir Pacar, Cognosec’s Director of PCI and Payment Services, will be speaking at the Payment Acceptance & Security Conference (PASC) in Manchester on the 17 and 18 May 2017. The conference is designed to help higher and further education institutions meet the challenges of compliance and improve their approach to accepting payments.
On day one of the event, Branimir will take part in a discussion panel focusing on payment security. During his speaking slot on day two, Branimir will explain the important steps in achieving PCI DSS compliance including identifying where organisations hold cardholder data and what is scope of PCI DSS assessment.
Joining the company in 2015, Branimir is currently the Director of PCI and Payment Services, responsible for managing a team of Cognosec security experts who are dedicated to delivering high level PCI services to clients. He is a qualified Security Assessor (QSA), Payment Application QSA (PA-QSA), Certified Information Systems Auditor (CISA) and Certified ISO 27001:2005 Lead auditor.
Branimir has experience of working with clients from numerous industries including financial, gaming, retail and travelling, ranging from small high tech startups to large, well established multinational companies.
PCI Compliance Q&A
We put a short Q&A to Branimir ahead of the event to find out what action(s) an organization needs to implement to help aid the compliance process...
- What are the first steps that an organisation needs to do to begin the PCI compliance process?
The first thing you need to do is admit to yourself you have a problem. In PCI world, that is called cardholder data. The next step is complying with and getting to know the new standard. For some companies this is relatively straightforward and for others, help is needed from a more experienced company, usually a QSA company. - How does an organisation maintain PCI compliance in an ever-changing environment?
PCI DSS is a minimum set of security requirements. I would even say common sense in security. So, theoretically following your ‘security loving heart’ would be enough to maintain compliance. However, reality is a bit different as the majority see PCI as another layer of rules.
A basic prerequisite for maintaining compliance is the awareness of employees. Of course, starting from the top, you need to have management that sees PCI DSS compliance as verification that their organisation has implemented proper security controls. However, everybody in the company needs to realise that it is not so hard to steal somebody's data, but it is not nuclear science to secure it either. - How long does it take for an organisation to become PCI compliant?
From zero days, up to never - It depends where the company is now. Lots of ‘old’ companies with legacy systems really struggle to change their environments on a technical level and on an employee mind set level. In contrast, new start companies implement security by default, including PCI DSS. These ‘old’ companies really struggle to become PCI compliant. Another factor is the size of the company. It’s not easy for a company with thousands of servers, services and applications compared to a company with just a couple of them. But no matter how long it lasts, becoming PCI compliant is a great and worthwhile experience.
You can hear Branimir Pacar’s presentation at the Hilton Manchester Deansgate on Thursday 18 May at 9am. Register for the free event by clicking on the button below.
