Month: January 2019

Book Review: Artemis

One of the things under New Year Resolution would be to read at least one book per month.

When I was back in college days, there were years where I targeted 30 books read per year. That’s an average of 2.5 books per month! And back then I wasn’t keen to pursue technology or anything, I was trying to pursue a career in literature. So the books read weren’t your typical books. The books tackled were War and Peace, Crime and Punishment, David Copperfield (not the magician, but the book by Dickens), all of Thomas Hardy’s (not the actor, but the English novelist and poet) works and so on. I recall reading several translations of Les Miserables in the university’s library and wasting away in one corner when I was supposed to be studying something else.

Obviously life doesn’t work out the way you plan, so after that period, reading has been limited to just online stuff and magazines. This year, as every year, starts with amazing resolutions and one of them is to get back on track to read BOOKS, specifically those related to our work and industry. And specifically those that have actual paper and do not consist of me staring into a screen.

So, to make life easy, I start off the year with Artemis which is completely unrelated to our work and industry but works as a warm up to reading more related books.

Artemis is written by Andy Weir, the guy that wrote The Martian, which was turned into a film starring Matt Damon as the guy stuck in Mars for God knows how many days. The Martian was a good film. I didn’t read the book, so I thought, OK, let’s pick this one up.

Artemis is the sort of book that you could probably read through within a few days, which was exactly what I did. It’s about a girl, on a moon colony, sabotaging something, getting into a murder plot, escaping, and doing a lot of stuff and then lives happily ever after. On the moon.

I think the story isn’t great. The writing isn’t great. But the tech in there is pretty cool. Half the book is about expositions on how we can possibly live on the moon. It’s like Andy wanted to write a thesis on living on the moon but thought, “Heck it, it’s just too damn boring and I already made trillions from the Martian, so I’m just going to write some sort of story on top of my thesis.” It’s exactly what it is. This isn’t new. When I was younger, I wanted to write a book about programming and hacking (I thought I was a good hacker back then, but I thought wrong) and I drafted an idea of putting in a story and having little boxes within the novel to explain the technical terms that the protagonists are talking about. It’s like writing a book on PCI-DSS and then on top of it, make a story of how a merchant is swindling billions from a bank and then going through the 12 requirements to escape life and death situations. Um. Yes.

So Andy writes about the girl, but actually, it just doesn’t sound like a girl. It sounds like a middle aged male nerd like me describing what I think a 24 year old millennial girl will be thinking. It’s a very weird sensation in the novel. I read it and sometimes I get lost in the exposition like how many kPa it is on the outer hull of the moon base (what?) or how we can light fire in vacuum to weld something, or how we get oxygen from aluminium or whatever – and then suddenly the voice in the novel goes, “Hey I am a sexy girl.”

Wha-?

There was a scene where the protagonist reminded me she giggles like a girl, and that she looked like a tramp. Or that she took a lot of ‘shots’ on her face. Don’t get me wrong, I suppose, I would write a girl like that, but I am not a girl. I don’t think girls think like this, unless your name is Chastity Chandelier starring in XXX Twin Peaks. So no, the voicing is very weird. The pacing is also very strange. It’s like Andy couldn’t decide if he wanted this to be comedy or drama. In the middle of a life and death situation, the girl can make jokes.

The final third of the book is not great. The climax is very jumbled, the way everything resolves itself is unbelievable and it’s like Andy decides that he had to submit the story on a deadline and he just went like, WTF, here it is. I mean “spoiler ahead” – the final third is about how she saves the entire city of Artemis from being chloroformed and everyone in the city has fainted. Huh? And when they woke up, nothing happened. Nothing. Even a toddler or baby, knocked out by chloroform and minutes away from dying, wakes up and continues to watch Thomas and Friends without being brain-damaged.

And speaking of which, writing science fiction is always tricky because at best you are writing something that is in the future. Like maybe 30 – 50 years from now. Why do the people still reference the same thing as the people in 2018? Like Buster Keaton or present day things. Wouldn’t they have something that had occurred 10 – 15 years from now, a new cultural phenomenon that would have happened and the writer should reference it? It doesn’t have to make sense to us. It just had to make sense to the narrator. And often times, the narrator breaks the fourth wall by suddenly, out of nowhere, accusing us (the reader) of pretending to know what a niqab is or laughing when she said she sucked a water nipple from her space suit. Honestly, I wasn’t even thinking about it. Get on with the story, Andy!

Conversations between the characters are also very weird. It’s like some sort of high school reunion at the end, when the characters poke fun at each other while sabotaging a nuclear reactor or something, and the father of the heroine grunts disapprovingly. I think The Martian was a success because the conversations were basically in the head of the hero. He was alone. Here, the heroine has 2,000 people in the city to converse with and none of these conversations were realistic.

At one point, I just decided that I better hurry up and finish it before it becomes one of those ‘unfinished’ novels for me. It was during the climax scene where we are not supposed to know what happened, whether she made it or not etc. She suddenly, in the middle of a very tense scene, made a statement like: “Meanwhile elsewhere, the other guy at another location was doing this and this, because he TOLD ME ABOUT IT later when all this was over.”

Hah? Got such thing meh? Stories in first person narrative are very tricky because there is no other POV (point of view) of other characters you can take. So Andy cheats here. He explains what happened elsewhere and how the heroine knows about it was that this story was conveyed to her AFTER everything was over, which means, she is narrating everything based on past events. It basically either states the writer can’t give a damn anymore, lazy writing, or is just going like: Hey, this is going to be a Hollywood Blockbuster even if I write that a purple octopus came out of the moon and ate the rover….this is what the term “Jump the Shark” means. This scene jumped the shark for me.

However, if you really want interesting ways that the moon could eventually be colonised, it’s an interesting read. If you want a good story, probably not. If you want a story that might turn into a Hollywood blockbuster, then yes, maybe. But this is a tough read, not in terms of actual reading (it flows very simply), but in terms of the storyline.

Andy does get a lot of interesting stuff out in terms of his Thesis on Colonising the Moon. But it’s a miss in terms of actual story and protagonists.

FAQ on SAQs Once Again

Over the past few months, we have been absolutely busy with a fair amount of work. One of the things that we have seen an uptick in is merchants coming to us requesting PCI compliance. We have had some small ones, big ones and mega huge companies coming to us, but the trajectory of the discussion is always the same:

a) Bank wants us to do PCI

b) Bank says we are Level 2 Merchant because they say we store card data

c) Can you audit and certify us ?

I don’t blame them actually because their core isn’t PCI. Heck, most of them aren’t even into payment systems! Unlike service providers where they have a fair bit of knowledge of how payment via credit card functions, most merchants are basically: OK, give us the EDC and let’s make some money. Or set me up on my e-commerce and let’s get it done.

The Banks are obviously not helping by giving half-baked information on PCI-DSS. And PCI-SSC isn’t helping by making PCI so….confounding to the lay person.

So, here are some basic FAQs on SAQs (Self Assessment Questionnaire)

a) What Level Merchant are we?

This depends on your volume of card data being processed. Many assume that it’s more than 6 million volume (not value) transactions a year that puts you to Level 1, but actually this is defined by individual card brands. That 6 million is more popular because that’s what Visa and Mastercard go by. Amex goes by different volumes. A nice chart here can get us started:

b) Wait. We were told to be level 2 because we store credit card.

That unfortunately is not that accurate. Type of levels are defined by your volume transactions. This determines HOW you get PCI – either by a 3rd party ROC audit (level 1), a 3rd party validation on your SAQ (Level 2), or self signed SAQ (Level 3 and 4).

Whether you store credit card or not, that has nothing to do with your credit card volume. Remember – for PCI, as long as you store, process and transmit credit card, you get hit with compliance.

c) So if we are just transmitting credit card in high volume, we could be considered level 1 or 2 without STORAGE?

Yes, of course. It’s highly possible that you do not store credit card but trillions of card data flow through you, then yes, technically you would be level 1. You don’t store, which is good, but you have high volume, which determines your level, and that determines how you get PCI (either audited by 3rd party or self signed in SAQ).

d) But what if I have LOW volume but store credit card? Don’t I get bumped up into level 2 or level 1?

In theory, no. If you have low volume, then your level could be 3 (for e-commerce) or 4. Then once your level is determined and you know how to validate PCI, you need to decide what to validate to. That’s where the different types of SAQ come in. If you store credit card, you immediately have to use SAQ D, which is tough and has 340++ questions to whet your appetite over. If you do not store, then you need to understand which SAQ (there are 9 types) to apply – it could be A (which has the least questions) or C-VT (which has more, but less than SAQ D) etc. An example for A would be an e-commerce entity fully outsourcing all payment processes and pages to a PCI compliant provider.

e) So you are saying, I could be a level 1 merchant doing SAQ A because I fully outsource my payment? What do I need to do then?

If you are level 1, SAQ is out of the window. You need to get a QSA in to do a full Report on Compliance. But you can use SAQ A as an internal guideline to prepare for the audit of course, because basically the auditor will be utilising those controls if they determine that you are truly SAQ A.

f) What do you mean by “Truly SAQ A”?

In the auditing world, we can’t take your word that you really are what you say you are. It’s not that you are dishonest, it might be that there are processes you are not aware of that might for instance cause you to store data and that makes you ineligible for SAQ A. Just sayin’.

g) So basically, I can go and tell my bank they are wrong to force me to be Level 1 or 2 just because I store credit card?

Yes and No. Because those level volumes are guidelines. At the end, it’s the bank that’s taking a risk on you so they get the final say of what levels you need to eventually be.

h) So what’s the POINT?! 

The point is that a lot of banks have no idea on this, so they dump you into SAQ D even when your volume doesn’t add up. Or they think that you are Level 1 or 2 just because you store credit card. Both are disadvantageous to you because you end up doing more than what PCI requires. The point here is for you to head back to the bank with this information and confirm with them if they are aware of these requirements and that they are purely requiring you to go through MORE than what is required by PCI just based on their internal risk assessment of your business.

i) At the end, we are still at the same place. The Bank is telling us what to do.

Yes, but you can now reason with them further. Because if they are the only bank asking for this, merchants might look for other banks to be their acquirer. It’s business. So, at least now you know!

j) So can we go through all the SAQ types now with you?

Not really because this article is too long and I have lunch to go to. Next time maybe! Have a great 2019!

© 2024 PKF AvantEdge
