Monthly Archives: September 2014

What is PCI DSS Compliance?

This entry is part 31 of 31 in the series Defining words

The PCI Security Standards Council provides the PCI Data Security Standard (PCI DSS).  Certain organizations, including financial services providers, must comply with this standard as evidence that they protect payment cardholder data (CHD).

The first step in applying the standard is to determine the portion of the IT environment where the standard applies (the scope).  The PCI DSS scope is called the Cardholder Data Environment (CDE) and includes “people, processes and technologies that store, process, or transmit cardholder data or sensitive authentication data.”  Network segmentation is the recommended means of reducing the scope as much as possible.

pcisecuritystandards.org breaks the standard down into 6 categories and 12 requirements:

  • Build and Maintain a Secure Network and Systems
    • Requirement 1. Install and maintain a firewall configuration to protect cardholder data
      • Segment the network with firewalls and routers to reduce exposure and the scope of PCI assessments.  Separate the internet, the DMZ, wireless networks, and internal networks from zones containing CHD.
      • Install personal firewalls on PCs and mobile devices.
      • Control the network and user devices to verify configurations are within policy.
    • Requirement 2. Do not use vendor-supplied defaults for system passwords and other security parameters
  • Protect Cardholder Data
    • Requirement 3. Protect stored cardholder data
    • Requirement 4. Encrypt transmission of cardholder data across open, public networks
  • Maintain a Vulnerability Management Program
    • Requirement 5. Protect all systems against malware and regularly update anti-virus software or programs
    • Requirement 6. Develop and maintain secure systems and applications
  • Implement Strong Access Control Measures
    • Requirement 7. Restrict access to cardholder data by business need to know
    • Requirement 8. Identify and authenticate access to system components
    • Requirement 9. Restrict physical access to cardholder data
  • Regularly Monitor and Test Networks
    • Requirement 10. Track and monitor all access to network resources and cardholder data
    • Requirement 11. Regularly test security systems and processes
  • Maintain an Information Security Policy
    • Requirement 12. Maintain a policy that addresses information security for all personnel.
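As an added illustration, not part of the PCI standard or of this post, the following script checks a zone-level firewall policy for the isolation Requirement 1 calls for: no zone other than an explicitly permitted one may reach the CDE, and rules that can never match (shadowed by an earlier rule) are reported, since they are a common sign that a ruleset no longer reflects the intended policy.  The zone names, the rule format, the sample ruleset and the first-match semantics are constructed assumptions rather than any vendor's syntax.

```javascript
// Added example (not from the post or the PCI standard): a small zone-policy
// check in the spirit of Requirement 1. Zone names, rule format and
// first-match semantics are constructed assumptions.
const CDE = 'cde';
const ZONES = ['internet', 'dmz', 'wireless', 'internal', CDE];

// Constructed sample ruleset. The first matching rule wins; no match means deny.
// A port of null means "any port".
const SAMPLE_RULES = [
  { src: 'internal', dst: CDE, port: 443, action: 'allow' },  // app tier reaches CDE over TLS
  { src: 'dmz', dst: CDE, port: null, action: 'deny' },
  { src: 'wireless', dst: CDE, port: null, action: 'deny' },
  { src: 'internet', dst: 'dmz', port: 443, action: 'allow' },
  { src: 'wireless', dst: CDE, port: 22, action: 'allow' },   // dead: rule 2 shadows it
  { src: 'internet', dst: CDE, port: 3389, action: 'allow' }, // policy violation
];

// Return the first rule that matches src -> dst:port, or null for implicit deny.
function firstMatch(rules, src, dst, port) {
  for (let i = 0; i < rules.length; i++) {
    const r = rules[i];
    if (r.src === src && r.dst === dst && (r.port === null || r.port === port)) {
      return { index: i, rule: r };
    }
  }
  return null;
}

// List every (zone, port) pair outside permittedSources that the ruleset
// allows into the CDE. Ports probed are those named anywhere in the ruleset.
function cdeViolations(rules, zones, permittedSources) {
  const ports = [...new Set(rules.map((r) => r.port).filter((p) => p !== null))]
    .sort((a, b) => a - b);
  const out = [];
  for (const src of zones) {
    if (src === CDE || permittedSources.has(src)) continue;
    for (const port of ports) {
      const m = firstMatch(rules, src, CDE, port);
      if (m && m.rule.action === 'allow') {
        out.push(`rule ${m.index}: ${src} -> ${CDE}:${port} allowed`);
      }
    }
  }
  return out;
}

// Indices of rules that an earlier rule always matches first (dead rules).
function shadowedRules(rules) {
  const out = [];
  rules.forEach((r, i) => {
    for (let j = 0; j < i; j++) {
      const e = rules[j];
      if (e.src === r.src && e.dst === r.dst && (e.port === null || e.port === r.port)) {
        out.push(i);
        return;
      }
    }
  });
  return out;
}

console.log('CDE violations:', cdeViolations(SAMPLE_RULES, ZONES, new Set(['internal'])));
console.log('Shadowed rules:', shadowedRules(SAMPLE_RULES));
```

Run with node.  A real assessment would generate the rule list from the device configuration rather than hand-written literals and would test per-host addresses rather than whole zones, but the two questions asked here (who can reach the CDE, and which rules are dead) are the ones an assessor asks of any segmentation design.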

My Travels

—– UK Travels
27 Jul 2014    10 Aug 2014    Business S
29 Jan 2008    31 Jan 2014    Business 9
19 Feb 2008    25 Feb 2008    Business 9
25 Aug 2009    27 Aug 2009    Business F

—– Other Travels (Date/Country/Reason/PpPage) —–
28 Apr 2008    SINGAPORE    Business 8
06 Mar 2008    BELGIUM        Business 8
23 Apr 2008    MALAYSIA    Business 8
15 Apr 2010    BRAZIL        Business 9
14 May 2008    TAIWAN        Business 10
24 May 2008    SINGAPORE    Business 10
31 May 2008    TAIWAN        Business 10
28 Apr 2008    SOUTH KOREA    Business 11
10 Sep 2007    AUSTRALIA    Business 12
22 May 2008    MALAYSIA    Business 12
26 Feb 2008    IRELAND        Business 13
26 Apr 2009    TURKEY        Business 14
16 May 2008    CHINA        Business 14
26 May 2008    MALAYSIA    Business 16
07 Jul 2008    BELGIUM        Business 16
09 Sep 2008    BELGIUM        Business 17
27 Jul 2008    SINGAPORE    Business 17
13 Sep 2008    SPAIN        Business 18
02 Mar 2009    MALAYSIA    Business 18
21 Feb 2009    SINGAPORE    Business 18
03 Mar 2009    SINGAPORE    Business 19
08 Mar 2009    SINGAPORE    Business 19
04 Mar 2009    INDONESIA    Business 19
10 Jun 2009    SINGAPORE    Business 21
07 Jun 2009    PHILIPPINES    Business 21
15 Jun 2009    MALAYSIA    Business 21
28 Oct 2009    FRANCE        Transit  A
14 Nov 2009    SINGAPORE    Business C
24 Oct 2010    FRANCE        Transit  C
17 Jun 2009    INDONESIA    Business C
12 Jan 2010    SINGAPORE    Business C
20 Jun 2009    CHINA        Business D
31 May 2010    CHINA        Business D
12 Jun 2010    CHINA        Business D
08 Nov 2009    NEW ZEALAND    Business F
29 Jul 2009    FRANCE        Business F
22 Sep 2010    SPAIN        Business G
17 Jun 2010    BRAZIL        Business G
17 Jul 2010    JAPAN        Business G
21 Oct 2010    SINGAPORE    Business H
03 Oct 2009    CANADA        Business H
18 Jul 2010    INDONESIA    Business H
06 Sep 2011    MALAYSIA    Business C
27 Nov 2011    MALAYSIA    Business C
26 Jan 2012    SINGAPORE    Business C
28 Jan 2012     MALAYSIA    Business F
19 May 2012     MALAYSIA    Business F
18 Feb 2013    MALAYSIA    Business F*
21 Dec 2012    KUWAIT        TRANSIT     F
29 Jun 2012    SINGAPORE    Business F
22 Jul 2012     INDONESIA    Business G
01 Jul 2012    MALAYSIA    Business G
25 Jul 2012    MALAYSIA    Business H
03 Jan 2013    MALAYSIA    Business H
17 Jan 2013    HONG KONG    Business J
24 Jan 2013    MALAYSIA    Business J*
01 Feb 2013    MALAYSIA    Business J*
31 Jan 2013    INDONESIA    Business K*
17 Feb 2013    INDONESIA    Business K*
08 Mar 2013    THAILAND    TOURISM  L*
11 Mar 2013    MALAYSIA    BUSINESS L*
11 May 2013    THAILAND    BUSINESS L*
16 May 2013    MALAYSIA    BUSINESS M*
28 May 2013    MALAYSIA    BUSINESS M*
10 Jan 2014    MALAYSIA    BUSINESS M*
27 May 2013    INDONESIA    TOURISM  N*
05 Mar 2014    MALAYSIA    BUSINESS Q*
07 May 2014    SINGAPORE    BUSINESS Q*
04 Mar 2014    INDONESIA    BUSINESS R*
07 May 2014    MALAYSIA    BUSINESS R*
25 May 2014    MALAYSIA    BUSINESS S*
24 May 2014    SINGAPORE    BUSINESS S*
10 Jul 2014    MALAYSIA    BUSINESS V*
21 Aug 2011    BRAZIL        BUSINESS W
02 Nov 2010    MALAYSIA    Business K
29 Sep 2009    AUSTRIA/SLOVAKIA Business L
17 Jan 2010    CANADA        Business L
09 Jun 2010    MACAU        Business M
09 Jun 2010    HONG KONG    Transit  M
18 Mar 2010    BRAZIL        Business N
11 Jun 2010    HONG KONG    Transit     N
18 Aug 2010    BRAZIL        Business P
12 Nov 2010    BRAZIL        Business Q
30 Mar 2011    BRAZIL        Business Q
20 Jan 2011    BRAZIL        Business R
11 Aug 2014    BRAZIL        VISIT    S*
02 Feb 2011    MOROCCO        Business X
06 Apr 2011    PERU        Business X
14 Aug 2011    CZECH REPUBLIC    Business 23

Category: Me

IT Capability: User Centered Design

This entry is part 10 of 10 in the series Strategic IT Capabilities

The IT group is usually tasked with designing new applications.  I am not sure I advocate that, but it is what I have seen in practice at banks.  Therefore, I categorize User Centered Design as an IT Capability.

The following diagram lifted from Modern Web Development with IBM WebSphere gives a feel for what User Centered Design involves:

[Figure: development process, from Modern Web Development with IBM WebSphere (figure 01fig07)]

What I will say about User Centered Design is that it should not be the first step.  You must have some process that answers the question: “User Centered Design of what?”.  You need innovation processes operating at both the strategy and organization design levels.

Strategic Technology: JavaScript, Frameworks and Libraries

This entry is part 27 of 33 in the series Strategic Technologies

I feel a little crazy listing JavaScript as a strategic technology — even more crazy enumerating the related frameworks and libraries, which seem to replace each other far too frequently to be considered “strategic”.  But I want to make the point that how you build Web applications (including mobile Web and hybrid apps) can have a material impact on the competitive advantage of even the largest banks, and that makes it a strategic topic.

Never has any programming language been adopted as widely as JavaScript.  The power and flexibility of the language, as well as the extensive support from open source frameworks and libraries, make it very likely that JavaScript will continue to be the basis for most of the Web applications of the coming years.

Generally, I consider a library to be any set of related functions packaged up to be included in an application.  Some libraries are built by the app developer and some are external.

I consider two types of frameworks:

  • A set of libraries that work together in a tightly integrated way
  • A library that acts as a main function such that building an app means mostly filling in the blanks (overriding object methods in a prescribed way).

Two of the most important JavaScript libraries, in my view, are Dojo and jQuery.  These foundational frameworks use Ajax to build Web 2.0 user interfaces.  A key early decision point for an enterprise architecture team is which of these two frameworks (or, more likely, which deft mix of the two) to get behind.

Note: The classic Web application architecture, where you build Web pages and “screen flows” on the server side with frameworks like Struts, JavaServer Pages (JSP) or JavaServer Faces (JSF), is nearing end-of-life (i.e. not strategic).  This architecture has been replaced by the Web 2.0 rich internet application (RIA), where apps use only a single page or a few pages to provide a page-oriented user interface (POUI).  The pages are built and updated by client-side JavaScript or a similar client-side scripting language or mechanism.  Besides being more functional and attractive, RIAs are more scalable because they move most of the user interface (UI) processing, and the information that the app stores about the state of the UI, to the client, freeing server memory and CPU to handle more clients.  For more on this please see Modern Web Development with IBM WebSphere.

RIAs are generally divided into client-side and server-side components which communicate with each other via an application programming interface (API).  The trend is for this API to be made up of REST interfaces which transmit data in JSON format.  Invoking API interfaces and handling the results within the client is the core function of Ajax.
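As an added example, not taken from this post or from the IBM book it cites, here is the client half of such an exchange in plain JavaScript.  Because an RIA builds its own markup from the JSON it receives, the client now carries two responsibilities the server used to have: checking that the response really is JSON of the shape the view expects, and HTML-escaping every field before it is interpolated into the page.  The /api/accounts URL, the record fields and the sample response are constructed assumptions.

```javascript
// Added example (not from the post): client-side handling of a JSON REST
// response in a single-page app. URL, field names and sample data are assumptions.

// HTML-escape a value before interpolating it into markup. Because the RIA
// client builds the page itself, this is where output encoding now has to live.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Parse and validate the response body; reject anything that is not the
// shape the view expects rather than rendering whatever arrived.
function parseAccounts(body) {
  const data = JSON.parse(body);
  if (!data || !Array.isArray(data.accounts)) throw new Error('unexpected response shape');
  return data.accounts.map((a) => {
    if (typeof a.id !== 'string' || typeof a.nickname !== 'string' || !Number.isFinite(a.balance)) {
      throw new Error('malformed account record');
    }
    return { id: a.id, nickname: a.nickname, balance: a.balance };
  });
}

// Build the view as a string of markup with every dynamic field escaped.
function renderAccounts(accounts) {
  const items = accounts.map((a) =>
    `<li data-id="${escapeHtml(a.id)}">${escapeHtml(a.nickname)}: ${a.balance.toFixed(2)}</li>`);
  return `<ul>${items.join('')}</ul>`;
}

// Transport-level checks applied before the body is trusted: HTTP status and
// declared media type. Kept synchronous so it is easy to test without a browser.
function handleResponse({ status, contentType, body }) {
  if (status !== 200) throw new Error(`HTTP ${status}`);
  if (!/^application\/json\b/.test(contentType || '')) throw new Error('response is not JSON');
  return renderAccounts(parseAccounts(body));
}

// Browser entry point: call the REST API and inject the rendered list.
async function loadAccounts(container, url = '/api/accounts') {
  const res = await fetch(url, { headers: { Accept: 'application/json' }, credentials: 'same-origin' });
  container.innerHTML = handleResponse({
    status: res.status,
    contentType: res.headers.get('content-type'),
    body: await res.text(),
  });
}

// Constructed sample response, standing in for what /api/accounts would return.
const SAMPLE_RESPONSE = {
  status: 200,
  contentType: 'application/json; charset=utf-8',
  body: JSON.stringify({
    accounts: [
      { id: 'a1', nickname: 'Savings', balance: 1200.5 },
      { id: 'a2', nickname: '<b>Main</b> & co', balance: 3 },
    ],
  }),
};

if (typeof document === 'undefined') {
  // Running under node rather than a browser: show the rendered markup.
  console.log(handleResponse(SAMPLE_RESPONSE));
}
```

In a page, loadAccounts(document.getElementById('accounts')) does the Ajax call; under node the script just prints the markup for the sample response, with the second nickname's angle brackets and ampersand encoded rather than interpreted.  Templating libraries such as Handlebars perform the same escaping by default, which is one reason to prefer them over string concatenation in a real app.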

Client-Side Architecture

On the client side (again from Modern Web Development with IBM WebSphere):

[Figure: RIA client-side architecture, from Modern Web Development with IBM WebSphere (figure 05fig10)]

JavaScript-based client architectures are standard for Web RIAs, mobile Web RIAs, and hybrid mobile apps.  There are a number of proven architecture stacks for doing this.  Two of the most popular are based on jQuery and on the Dojo Toolkit.

Mobile Client Side Architecture based on the jQuery Toolkit

A configuration of JavaScript frameworks used in mobile Web and hybrid apps (especially in conjunction with IBM Worklight) is:

  • Cordova (access to native mobile capabilities)
  • jQuery (general JavaScript library, especially for the DOM)
  • jQuery Mobile (navigation, page management, responsive grid)
  • Backbone (MVC, controller)
  • Underscore (utility library required by Backbone)
  • Handlebars (templates for creating views)
  • jQuery Mobile ThemeRoller (styles)
  • RequireJS (module and class dependencies)
  • Twitter Bootstrap (responsive grid)
  • LESS/SASS (styles)