Month: March 2018

Customer Experience – The Often Missing Link to Services

We had a very interesting encounter this week, and generally wouldn’t have brought this up if not for such a degree of juxtaposition of two similar events that occurred with massive different outcomes.

Firstly, I had a meeting with a vendor at a coffee place called Page 2 in Bangsar Shopping Center. While talking, the barista approached our table and mentioned that she received feedback that the cake (or bread, I can’t recall) was bland or had off-taste. She was so concerned over this and she wanted to know more on how to improve and offered us a waffle for our inconvenience. She was going out of her way to really do two things:

a) Seek feedback openly 

b) Action on customer feedback

It’s really easier said than done. But she did it and I was very impressed. Out of all the thousands of coffee places in Malaysia (and they are mushrooming up), very, very few can actually differentiate themselves. Face it, coffee in Malaysia isn’t exactly the greatest. I walk into Brother Baba Budan in Melbourne and it blows every single coffee place in Malaysia away. So if the product is difficult to differentiate, then we are left with the service, and Page 2 really showed what great service is.

The very next day, we visited another coffee place called Thrvsday in Taman Tun. We were having our weekly team meeting and we usually look for informal cafes or Starbucks or Coffee Beans so that we can all get more informal and creative. As you can imagine, we tend to become more noisy, more boisterous compared to if we had our meeting in the office. Now, I personally have been coming to Thrvsday for many many times, even celebrating Christmas there once with my family. So it wasn’t as if I was first time walking in there. Many business meetings, many personal meetings were spent there for a good part of 2 and half years.

While we were discussing, suddenly, the barista (or the owner, I don’t know) comes to us and basically told us to not talk too loudly as other people wanted to ‘work’. It was very strange, because a cafe generally shouldn’t be treated like a library or a church. You walk into Brother Baba Budan or any great Melbourne Coffee place and you are assaulted with two things: SUPER RICH coffee smell, and voices. Laughter. Loud. Conversations. That’s real coffee culture. Not this strange, Church of England atmosphere that Thrvsday is trying to create. If you want a quiet place to work, go to the library, man.  Unless of course, we have mistakenly walked into a fine dining restaurant that is disguising itself as a coffee place. But that can’t be. Nobu KL wouldn’t have a stray cat sitting in one of their chairs, right? So this can’t be a fine dining restaurant!

So I just told the team to pack up and go find another place for a meeting. Because, no we weren’t going to whisper to each other or pipe down. We are a noisy lot because we have a lot to share, and we make no apologies for it. We came into a cafe expecting good coffee (which wasn’t great in our opinion), and an environment to stoke our creativity, not asking us to quiet down so someone can start praying — sorry, I mean, ‘working’. It’s ridiculous to have a coffee culture that puts boundaries on your customer’s voices. So if I brought my kids there, and they make a ruckus, you gonna tell them off? If I celebrate my friend’s birthday there, and we make a lot of noise, you gonna ask us to shut up? It made no sense to us.

And worse is they don’t even know their customers! I have been going there for almost  30 to 40 times over 2 and a half years period, and they don’t even create any recognition or rapport with their customers! How he could have handled it would be to say: “Sorry, <name> (you need to know my name by now), would it be better if we get you and your team somewhere outside, we can arrange a table, because our cafe unfortunately is very echo-ey. So while I am very sure what you guys have is amazing and we are so glad you are here in our cafe – the voices is making it very difficult for other customers to converse. If you don’t mind, let me arrange a place outside, and you know what – let me give you a coffee for your trouble. On the house.”

Bam. Done. I would have swore my life to his cafe and brought every single one of our staff there to celebrate birthdays and have our overall corporate events there (although I doubt 150 people can fit!). Unfortunately, it wasn’t to be.

I told the team, half serious, half joking: “Well, they are kicking us out!”. This Barista overheard and immediately approached us again and said, “You have something to say to me? Huh? I heard you say I am kicking you out. I just told you guys to be quieter. Why are you so childish, huh?”

I looked at him. He was barely out of puberty, really, he looked so young. In his mind, he must have created a beautiful plot called “Fighting for my honor and putting obnoxious customer in his place.” He must have really thought he was doing something heroic by confronting me and basically telling me off. It was so strange. I’ve never seen anything like this before in my life – that someone would be so brusque and seemingly so contemptuous to customers.

I could have thrown a ruckus in front of him, but I guess it would only feed his fantasy of being heroic further, and maybe he thought he would defend his honour and challenge me to a duel with swords. I don’t know. We had so much work to catch up, so much to do and I just didn’t want to waste anymore time in a place and with a person that well, to put it frankly – wasn’t worth the time and effort, due to other urgent matters we had on our heads. So I just said, “This is your cafe, man, you do what you like.” And I walked off – obviously never to return or to recommend it to anyone else.

Here’s the thing: I would have forgotten about this anyway if not for the degree of contrast that Page 2 had against Thrvsday. On one hand you had an establishment that really cared about customers, who really treats the customer as if we are their last customer. On the other hand, Thrvsday who, well, I don’t know what they were trying to do, but its for such a trivial matter. I could think of a million ways that the confrontational barista could have handled the situation so much better if he was properly trained in customer service. And I guess, herein lies the problem. Most of these so-called service establishment have no clue what is customer experience. They do not understand it because they probably never had a situation before where they had NO customers.

When we started out 8 years ago that’s what we had. ZERO customers. We understood the lack. We understood what it was like to be empty. To be starving for business. And that’s why we are fanatical about our customers today. Customer experience is everything. You may have good products, good solutions, heck, even good coffee, but if you don’t take care of your customers, you don’t deserve to have customers. You don’t deserve to be in the service industry.

So, great lesson from two specialty coffee shops – one that treasured customer experience, and one that, in our own opinion, hopelessly failed. It’s a timely reminder for us too – to never forget our customers and how we can better service them and not neglect the critical importance of customer experience.

At the end, we never want to wish any business badly because we understand the challenge of businesses, and I really, sincerely hope this is an isolated incident for this coffee place.  That our opinion here is an anomaly and that hopefully they have more positives than this single encounter. Unfortunately we won’t know as we won’t be going back there, unless we want to have a library atmosphere for some strange reason. I wish them all the best, though.

Looks like we will be going to Bangsar Shopping Centre more often!

 

Penetration Testing and Vulnerability Scans

In our compliance services, oftentimes, we are tasked to assist our clients in security testing – either conducting those ourselves, or to verify previously conducted tests for compliance purposes. There are many occasions where clients decide to perform the scanning on their own, aside from the obvious option of engaging another party to do this. When we receive the test reports from our client to verify, that’s when the excitement begins.

The fundamental question we often face is, what should a penetration testing report look like? What does a vulnerability scan looks like? This age old question has been haunting PCI-DSS for years, so much so that the council decided to publish a guidance on this, found: https://www.pcisecuritystandards.org/documents/Penetration_Testing_Guidance_March_2015.pdf

It’s a good read, if not fairly simplified, but it seeks valiantly to answer the question of what is a penetration testing vs vulnerability scans. This is important, because in PCI-DSS, the latter needs to be done quarterly, while the former needs to be done annually. When you multiply that by the costs and number of assets in scope, we could be looking at a decision involving tens of thousands of dollars.

In the document, section 2.1 dives into this and attempts to seek a differentiation between these two. In the basic concept of penetration testing methodology, these two activities serve specific purposes, for instance in the activities of Discovery, Enumeration, Footprinting, Exploitation, Cleanup etc, depending on which approach you take. And while there are many ways to explain the differences, to summarise:

A penetration test can be a vulnerability assessment (or scan, we will use interchangeably for the sake of this article) and beyond, while a vulnerability scan is not a penetration test.

A Penetration test can be initiated with a vulnerability assessment. The result from the vulnerability assessment will be used by the tester to penetrate or perform a more detailed assessment to circumvent controls or exploit the discovered vulnerabilities. In the process, the tester will also use manual methods to “test” the vulnerable system and likely during this process of poking around, discover more vulnerabilities or loopholes in the system that may not be detected during the initial scan. In the presentation of the findings of a penetration testing report, typically the ‘Proof of Concept’ (POC) detailing how the vulnerability was exploited will be documented.

Vulnerability assessment is the process to find out known vulnerabilities by using an (oftentimes) automated method (such as scanning software or scripts) against the targeted system. The result of the scanning will detail down the vulnerabilities, the risk exposures and action that can be taken to remediate these vulnerabilities. There is typically no manual proof of concepts that is done in the penetration test. The objective of a vulnerability assessment is to discover and report known vulnerabilities, not to exploit them.

A penetration test will normally take longer time to complete, i.e. few days, considering the manual verification or activities that need to be carried out to ‘penetrate’ the vulnerabilities. A vulnerability assessment can be completed in a shorter time frame, depending on the size of scope and software installed on the target system and it can be run on automated or scheduled basis. In our vulnerability scans, we also refine the results further by eliminating false positives, such as a patch that might not have been applied, but other secondary controls like virtual patching are in place to mitigate the risks. In either case, these are different activities, and in PCI, we need to understand what is NOT Penetration Testing.

We once received a 250 page report from our client who proudly said this was a professional work done by an outsourced security testing company offshore. Surprised as such a tome, which we assumed must have excerpts of Tolkien’s Lord of The Rings in there for good measure – we went through it. We found that it was nothing more than a raw report of the entire software inventory of the entire scope of around 50 plus assets. Meaning it listed down in excruciating detail what are the software installed in each of these systems, the licenses the OS versions etc. It was nothing more than a dump of the system’s software and nothing more. Not even the courtesy vulnerability scan. We told our bright eyed customer that we cannot accept this, and while this is a good book to have in terms of detailing the software they have, it has nothing to do with penetration testing, or vulnerability assessment. From singing praises of the offshore company, he ended up throwing them invectives that would make a pirate cringe.

We do need to be careful. We are not saying that the entire industry is filled with such charlatans peddling so called pentest services for a song and giving you a report that only provides you with the figurative emperor’s clothing for your security needs…but we must be able to differentiate what is, and what is not, security testing.

If you have further questions on security testing, drop us a note at avantedge@pkfmalaysia.com and we can quickly assess your needs and advice you on your next options to take.

We are Minerals being Mined

It is often said, and its almost cliche – Personal Information is the new currency.

And now, with the news on Facebook and Cambridge Analytica, we are faced with the sort of global privacy crisis that we always knew it would be coming. Furthermore, it wasn’t as if Cambridge Analytica was a key data broker/trusted partner/premier solutions arm of Facebook. It just developed software to get the data. That’s it. 50 million users.

It was as simple as getting an app to use your facebook login to enter the app and that’s it. We think we are just logging into the app, but we are actually allowing the app to login into our facebook and take everything. Everything.

But what did we actually expect? Think about it.

Did we expect to have such a service like facebook where we can get information, connect with long lost friends, advertise our solutions and products, express our opinions in a global platform, create online value, message and chat, have thousands of hours of free access to apps etc etc – FOR FREE?

Unless Zuckerberg has the title of a ‘Saint’ in front of him, then that would be a hard sell.

No, Facebook says. You guys agreed to it. The terms of services says it. The one that is too long for you to humanly read. The one that they update without letting you know, and allowing trickles of liberality of information usage to seep in.

Facebook even contends that developers who have these information from their app cannot “transfer any data that you receive from us (including anonymous, aggregate, or derived data) to any ad network, data broker or other advertising or monetization-related service.”. That’s pretty kind of them. But in the first place, did Facebook inform users that their apps would be literally stealing the entire bank of information from the users?

It’s the sort of finger pointing activity you would expect – a phrase and sentence here and there that says, “Hey, we told you we are getting your information and we told these guys not to share! What can we do if they do share??!” But is Facebook giving excessive details? So in PDPA terms, it’s not just about third party sharing of information, it is about excessive collections.

In any case, I don’t think we have a case of PDPA against Facebook here as they do not have any systems in Malaysia processing personal information. But the point is that we have wittingly or unwittingly sold our information to Facebook in order to get the services they provide. Same for Google. Same for Apple. Same for Instagram. Same for Pokemon-go.

A great site we always give in our presentation of PDPA or information privacy to clients is: https://tosdr.org/

Terms of Services Didn’t Read. It’s a great site that basically summarises all the terms of services to human readable content and rate them according to how cavalier they are with our information. All the big guns are there. Even if not rated, we can look through their terms and have a little more details on what we are ‘paying’ them.

Take a look at Google, Youtube, Twitter to start with.

Facebook’s TOS:

  • The copyright license that you grant to Facebook goes beyond the requirements for operating the service. For instance, it includes the right for Facebook to transfer the license or to license it others on their terms (“sublicense”). Also, the copyright license does not end when you stop using the service unless your content has been deleted by everyone else.
  • This service uses cookies to track you even if you are not interacting with them directly. Amazon for instance, use cookies to track your device and serve targeted advertisements on other websites (Amazon associates, websites using Amazon Checkout). They “obtain certain types of information when your Web browser accesses Amazon.com or advertisements and other content served by or on behalf of Amazon.com on other Web sites”.
  • Facebook automatically shares your information with Bing, Pandora, TripAdvisor, Yelp, Rotten Tomatoes, Clicker, Scribd, and Docs, unless you manually opt-out.
  • Including: data analysis, testing, service improvement, control of the effectiveness of the personal ads, and location features and services.
  • You must use your legal name publicly on the service. Using a pseudonym or a pen name is not allowed. This can have negative consequences on the freedom of expression, especially for people who exercise certain professions, or who live in certain countries.
  • Facebook uses, pixels and local storage in order to gather information about you, your device, your browser cache, your use of Facebook. Facebook also uses cookies for adversing purposes.

For years I have advocated clients (and also my personal friends and family) to use Facebook with these in view. For family: Never post about your current location. Never put photos of your children up online. Never reveal too much about your views and opinions. For work: Never give any views on your current work, the time you finish work, the after drinks parties etc etc. Basically, never give any relevant information.

Will Facebook be able to still get information? For sure. Every “Like” you click. Every news you click. Even when you are not on Facebook, and you are browsing the web, there are Facebook plugins that can track what you are searching for. Even if you search on Google, whatever you are looking for will appear eventually on Facebook. Data brokers and advertisers trade our information like anything – and what you do on Google surfaces in other social media platforms.

But we know. Services aren’t free. Our parents says, “There is no free lunch” and this is certainly true. But how much do we know about this lunch we are paying? We might be getting Subway sandwiches, but paying the money for Burgers and Lobsters dining. That, I suppose, is what the world is now only finding out.

For more on our information security services and PDPA services, drop us an email at avantedge@pkfmalaysia.com. The only thing we are collecting from you is whatever you tell us on that email. That’s our term of services!

 

 

PCI-DSS and the Pervasive Certification Myth

The pervasive certification myth is so pervasive in PCI-DSS that we are going to give it its own Acronym: PCM. Because we are so tired of having to explain this over and over, we are going to canonize this corporate disease called PCM and forever immortalise it as the one of the most deluded, misleading and misinformed quackery to ever blanket the PCI-DSS industry, the same sort of quackery that insists urine therapy should still be used today for natural teeth whitening. Yes, it seems appropriate to compare these two in the same breath.

Please note that the below article is satirical (borne out by our immense frustration and oftentimes resignation that this will never be properly sorted out, ever).

PCI-DSS and PCM

The history of PCM has its roots in PCI-DSS itself being considered as a standard that can be certified against. Because of the name, Payment Card Industry Data Security Standard, immediately, fairly important people in the financial and banking industry who generally prefer to spend more time golfing and drinking fine wine than to actually read the standard and understand it better – these people concluded that like any other standard, there must be a certificate to ‘prove’ you are compliant. I mean, why not? ISO9001 has it. ISO27001 has it. Additionally, these were the same people who insist on having a certificate for literally everything that they do in their corporate life, from attending a half hour seminar talk on how to grow daffodils, to sleeping though a computer based training webinar; to providing a poor soul whose car has broken down some assistance in pushing it to the side of the road. Where’s my certificate to prove that I helped you, my good man?

Apparently, certificates are absolutely critical to our financial industry, without which our entire economy would surely descend into the Dark Ages of Financial Purgatory. In the same way, it has perpetuated into PCI-DSS that despite everything that the PCI council has said and has begged the entire industry to reject this PCM quackery, 99% of the time, we are still faced with the mind boggling, soul numbing, heart wrenching email or question stating: I want to see your PCI certificate.

Here’s the official statement from PCI council:

FAQ #1220

Are compliance certificates recognized for PCI DSS validation?

 

No. The only documentation recognized for PCI DSS validation are the official documents from the PCI SSC website. Any other form of certificate or documentation issued for the purposes of illustrating compliance to PCI DSS or any other PCI standard are not authorized or validated, and their use is not acceptable for evidencing compliance. The use of certificates or other non-authorized documentation to validate PCI DSS Requirement 12.8 and/or Requirement 12.9 is also not acceptable.

 

The PCI SSC website is the only source of official reporting templates and forms that are approved and accepted by all payment brands. These include Report on Compliance (ROC) templates, Attestations of Compliance (AOC), Self-Assessment Questionnaires (SAQ), and Attestations of Scan Compliance for ASV scans. Only these official documents and forms are acceptable for the purposes of compliance validation.

 

Because certificates and other non-authorized documentation are not officially recognized, entities that receive these documents to indicate their own compliance (for example, from a QSA or ASV) or another entity’s compliance (for example, from a service provider) should request that official PCI SSC documentation be provided. Any organization issuing, providing, or using certificates as an indication of compliance must also be able to provide the official documents.

OK.

We actually would prefer the answer to just be: “No. For heavens’ sakes stop asking the council such questions and waste our typing time on the keyboard!” But we are not the council. Else we will be out of work within a day.

You ask then: Wait a minute, if there is no certification, what are we supposed to submit then?

Well the answer to that is: it depends.

If you are a level 1 merchant or service provider, then you submit your Attestation of Compliance (AoC) signed off by yourself and the Qualified Security Assessor (QSA) or Internal Security Assessor (ISA). You may also submit your ASV scan reports, or if requested your full Report of Compliance (RoC). But rarely those last two are needed. What is needed is the AoC. That’s your PCI ticket. If you are doing a self signed Self Assessment Questionnaire (SAQ), you submit in your AoC, and if required the full SAQ documents with your response on the applicable questions.

I suppose we (the consultants, advisors, auditors) didn’t help in stopping this PCM disease ourselves, by oftentimes referring to Level 1 as a PCI ‘certification’. It’s more of figure of speech than anything, meaning that a third party is to validate your compliance as opposed to you doing a self validating process under the Self Assessment Questionnaire (SAQ) path. So we end up saying certificate, certificate, certificate and finally everyone asks, well, then, where is my certificate? As in the actual, real certificate, and not this figure of speech one?

It also doesn’t help that most (if not all) QSAs play along with this ridiculous fallacy. They will come up with their own ‘certificate’, made to look very official, very grand, very formal and very important looking. You know, those papers with flowery borders at the side and some huge bold statement saying, So and So are official certified, and signed off by a very important person. Some even put a seal in there for good measure. As if they graduated from Hogwarts.

The truth is, that certificate paper is just piece of paper. It’s not acceptable in any way for PCI-DSS and shouldn’t even be requested by acquirers or banks. Yes, no matter that the QSAs even make it look like it’s gold laced, and our customers print it out in all its Arial font glory, and spend a few bucks to frame it up nicely. That’s all well and good, and they are entitled to do anything with it, but PCM rears its ugly head when acquirers, banks, customers and clients insist on having it. INSIST.

If you have gone through the level 1 validation with a QSA and that QSA is able to provide one of these certificates, as a consequence of the PCM disease, then I suppose it’s fine, you can just play along as opposed to haranguing them about the PCM disease like what we are doing right now. Just provide them that dratted document. This does increase the myth further though, and it starts infecting the entire industry even more, because, now the acquirer/client/bank will go to another company and declare they need the certificate that the other merchant had provided. Until they reach a small company who is doing their own SAQ, whereby they say: “Yes, even if you are doing a level 4 merchant compliance, you should still be having a certificate! Come on now, chop chop!”

And that’s what we are facing.

Without exposing which industry right now we are assisting (those following our recent blog posts may venture a very educated guess), we are helping a lot of merchants undergo level 4 self signed SAQs. This is absolutely allowed by PCI-DSS. There is zero requirement to get QSAs involved. ZERO. In fact, PCI council printed this out in their Top 10 myths of PCI-DSS.

So now, our clients want to submit their compliance document (AoC) to the group requesting for it and here is the summary of response they received: 

a) The group requesting our client’s compliance says that the SAQ needs to be sent over to the QSA so that the correct SAQ type applicable to our client’s business will be determined. (WHAT?!)

b) Our client only now has to submit the PCI DSS compliance certificate.

I looked at it and we just shrugged. Resignation. PCM. This is what this disease has caused.

Firstly – the first phrase is proof that the writer has not bothered to even understand the background of SAQ and PCI.

No. The SAQ DOES NOT NEED TO BE SENT TO THE ASSESOR! It doesn’t even make sense. You are telling me to send the assessor the SAQ document I filled up so they can determine what SAQ I need to fill up? What sort of recursive devilry is this? Is this one of those tricky while-do loop we do as programmers that never ends because the condition to end is the condition to begin as well?

How many times have the PCI council stated that it is not the QSA’s role to define the validation requirements of the merchant, or the service provider or the bank. It’s NOT. The QSA’s role is to assess based on whatever validation requirements that has been determined. Yes, they can advice. Yes, they can with their amazing experience and god-like understanding of PCI-DSS, suggest which validation requirement to take. But at the end, the acceptable validation requirements are based on the bank, the acquirer, or worst case whichever company requesting the merchant to be compliant. If none, then the validation requirements must fall back to the guidelines provided by PCI SSC, which means, it falls back to the individual card brands. We are not going to go into that for now, but in general, VISA/Mastercard has an agreement on merchant levels, but Amex has some weird levels of their own. What we are stating is that, if a merchant is considered a level 4 merchant based on its volume, but the acquirer decides that they must still undergo Level 1 validation, then that’s the acquirer’s call. But it’s never the QSA/consultant to decide this. The QSAs job is to assess the company against the validation requirements and have an opinion if it is pass or fail. The type of validation is determined by the acquiring party. So, no the first sentence is already incorrect, never mind the recursive gibberish.

The second sentence is where PCM disease kicks in. Because nothing is known about the ‘AoC’, everyone immediately assumes that the certificate is an official document from PCI-DSS and it should be sent in. No. If the merchant is doing a level 4 self signed SAQ, that is 100% allowed by the council and by their acquirers, where in Thor’s Holy Hammer are they going to get a certificate to fulfill your insatiable lust for PCI certificates??!!

I am tempted to just have my 5 year old son draw a smiley face on an A4 paper, and stick one of his favourite Cars 3 character sticker on it, sign off and laminate it.

Go ahead – I dare you to google “PCI certificate” and click on ‘images’ and see the result of PCM in our world. Thousands upon thousands of PCI certificate documents, some even daring to put the PCI SSC logo on the certificate as if to say PCI SSC has endorsed the certificates, to provide these documents an air of official integrity. Even worse, we see QSAs giving ‘certificates’ for clients undergoing SAQs. Wait, if they have audited them, then OK, fine. But if is a self signed SAQ, how can certificates be even provided?

We are not saying what they are doing is wrong. No, it’s not wrong to provide a PCI certificate. But PCI SSC has clearly stated that if you guys want to do this, you must state clearly that these are not official PCI documents and these are supplementary, not mandatory and only provided by the QSA/ASV and not endorsed by PCI-SSC and cannot replace the official documents like AoC or RoC. Basically, PCI is just saying, “Put it up in your office or your lobby so you can brag, but please don’t show it to us and say you are PCI compliant, we rather be looking at a piece of art written by a 5 year old kid with some Cars 3 character sticker on it.”

Finally, to end this article (or rant, it may seem to some). The reason why this is written is to drive home the fact that PCI-DSS has no actual paper certificates. None. Whatsoever. The actual document you should be requesting for is the Attestation of Compliance (AoC). Please do not ever request for the Certificate of Compliance ever again because this means, you are guilty of spreading the epidemic of PCM across the world.

Note: This article is meant to be satirical, for us to blow off steam and not intended to offend any party or to dispense actual advice. There is actually no such thing as an official PCI Pervasive Certification Myth. At least, it has not yet been officially defined, as far as we know.

 

 

 

© 2020 PKF AvantEdge

Theme by Anders NorenUp ↑