Thursday, October 7, 2010
Announcing 2010 Mid-Year Supplements
http://www.software4distributors.com/mid-year_supplement/Download_Supplements.aspx
Wednesday, June 16, 2010
How to Adhere to Payment Card Industry Data Security Standards by Ron Schmittling
To learn more about PCI Compliance Review:
http://www.software4distributors.com/resource/default.aspx
To learn more about IT Security and Privacy:
http://www.software4distributors.com/evaluation/registration.aspx 
PCI Compliance Primer
As consumers rely more on debit and credit cards as opposed to cash, merchants are facing increased risk exposures if they don’t have proper security measures in place. Cyberthieves troll for information on merchant networks, which has resulted in significant security breaches that have made headlines.
In 2004, a consortium of credit card companies, including Visa, MasterCard, Discover and American Express, banded together to set Payment Card Industry (PCI) Data Security Standards. These standards direct merchants that process, store or transmit credit card information to maintain a secure environment. And if your business accepts credit or debit cards, the standards apply to you.
Business owners have to comply with those security standards and implement safeguards to protect customer information. This article will discuss how your company can meet PCI standards and protect against security breaches.
What is PCI compliance, and who must comply?
The three keywords for PCI compliance are process, store and transmit. If your organization processes, stores or transmits credit card information, you must maintain a secure environment as laid out by the PCI standards. So, if customers or vendors use debit or credit cards to make purchases from your business, you must be compliant. This means meeting 12 requirements, which can be grouped into six key areas: building and maintaining a secure network; implementing safeguards to protect cardholder data; maintaining a vulnerability management program; applying strong access control measures; regularly monitoring and testing network security; and enforcing an information security policy.
Your policy will ultimately drive the compliance process, so the first step is to take a security inventory of your business to determine how compliant it is, what security measures are in place and what weak spots must be addressed. An outside adviser with experience in security and privacy can provide feedback on how to structure a plan. This framework will set the tone for your internal compliance strategy and help protect your business.
PCI security standards are not laws; they are a method of self-imposed regulation by the consortium of credit card companies. There are no federal mandates in place, but there is a move in that direction since some states have started to pass laws or require organizations to comply with PCI Data Security Standards. This trend is expected to continue in association with the Data Breach Notification Laws movement.
What are the consequences of failing to comply with the standards?
At their discretion, payment brands such as Visa or MasterCard can fine acquiring banks $5,000 to $10,000 a month for PCI compliance violations. Banks are likely to pass these fees on to noncompliant merchants. Many banks have begun notifying noncompliant merchants of their need to comply or face fines.
You should review your merchant agreement and note any penalties and fees for noncompliance, which can include prohibiting a merchant from processing credit card transactions, higher processing fees and other restrictions. Any fraud loss associated with a compromise may be borne by the merchant from the date of the security breach onward. Depending on the degree of negligence, federal regulators such as the FTC could also become involved; the penalties cited for the most serious cases run to fines of up to $250,000 and, under criminal statutes, up to five years in prison.
Not knowing is not a viable excuse for noncompliance and could cost you and your organization. It is your responsibility to understand your merchant agreement and what the PCI standards mean to your organization.
What steps can a company take to become PCI compliant?
Compliance responsibility depends on your merchant level, and there are four levels as defined by the PCI Data Security Standards. Level 1 merchants are those that process more than 6 million transactions a year. It is important to note that annual transactions are measured as a count of transactions, not in dollars. Level 2 includes merchants that process 1 million to 6 million transactions per year. Level 3 covers merchants with 20,000 to 1 million eCommerce transactions per year. Level 4 includes any merchant with fewer than 20,000 eCommerce transactions per year, and all other merchants with fewer than 1 million transactions annually.
Companies in Levels 2, 3 and 4 follow the same compliance process, which includes completing an annual self-assessment questionnaire (SAQ) and having quarterly external network scans performed by a PCI Approved Scanning Vendor (ASV). The results are submitted to the merchant’s acquiring bank. Level 1 merchants have the same quarterly scan obligation, but in place of the self-assessment they are required to have an annual on-site assessment completed by a Qualified Security Assessor (QSA), a PCI-certified provider, and to have an annual network penetration test performed. The QSA submits the merchant’s Report on Compliance to its acquiring bank. The PCI Council lists ASVs and QSAs at http://www.pcisecuritystandards.org/.
Where should an organization start on its PCI compliance initiative?
The most important step is to set an internal policy of how you’ll address PCI compliance and information security. Too many times, organizations rush into identifying a new product they think will fix PCI compliance or information security problems instead of organizing their efforts around the organization’s overarching policies and processes.
Once that policy has been defined and implemented, an organization can begin to enforce it and truly drive its compliance initiatives. But compliance starts with your information security policy and security controls. Many organizations struggle with where to start, as PCI compliance can be a daunting and complex task. Reaching out to a QSA to kick-start your PCI compliance efforts is a great first step.
What are the PCI DSS main areas?
The PCI Data Security Standard itself includes 12 major requirements, grouped under six main auditing areas or "control objectives", against which compliance is validated. All of the areas consist of basic security controls that most merchants and service providers should already have in place, or at least be familiar with, by the time they are audited.
The six main control objectives for PCI DSS compliance and validation are as follows:
- Build and Maintain a Secure Network
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
What is a QSA?
QSA stands for Qualified Security Assessor. It is a certification obtained by experienced security consultants that enables them to conduct on-site data security assessments for PCI DSS compliance. QSAs are required to recertify every year by attending training provided by the PCI Council and passing a rigorous exam. A recertifying QSA must also earn annual professional education credits from training and other experience in order to retain the certification. Many QSAs also maintain other certifications through their work as security practitioners, such as CISSP, CISA and CISM.
What are the requirements for becoming a QSA?
The PCI Council requires all QSAs to be full-time employees of a validated QSA company. The security professional must complete a thorough application process with the PCI Council and attend and pass its three-day QSA training course, which ends with a closed-book exam that must also be passed to receive the official QSA certification.
In addition, the QSA must meet the following minimum requirements, submit a current resume to the PCI Council, and pass a background check conducted by the QSA company:
- CISSP, CISA or CISM Certificate
- 5 Years of IT Security experience
Why are QSAs important?
PCI QSAs are trained by the PCI Security Standards Council to understand the intent and rigor required to meet the PCI requirements. Only a QSA can validate compliance through an on-site assessment, and working with a QSA is the best way to ensure that the controls you implement will meet the PCI requirements. And of course, getting it right the first time saves time and money.
QSAs are required to strictly adhere to the DSS audit procedures document and complete the mandatory Report on Compliance required for PCI certification and validation on behalf of the merchant or service provider. 
Many QSAs also help companies perform their annual PCI self-assessments. Self-assessments are much easier said than done, as most merchants and service providers simply lack the knowledge and understanding of PCI to self-assess without help. A QSA can bridge the knowledge gap and quickly assist with completing your self-assessment.
Further, a QSA can also assist in recommending various hardware and software solutions for PCI compliance along with giving a company excellent guidance on how to meet the rigorous demands of PCI Compliance. When it comes to compliance and certification for PCI, you need to use a QSA.
What types of services do QSAs typically provide?
QSAs typically provide the following types of services:
- On-Site Data Security Assessments (PCI "Audits"),
- PCI Gap Analysis or Readiness Assessments,
- Remediation Services for areas of PCI deficiency,
- Project Management,
- General PCI consulting and advice.
Depending on the size of the company, its complexity, and the number of distinct credit card processes, most engagements will last anywhere from 1 - 6 months.
Level 1 merchants and Level 1 and 2 service providers are required to have a QSA conduct their annual on-site data security assessment. A Level 1 merchant is one with more than 6 million transactions a year; service provider levels are set by each payment brand using its own transaction-count thresholds. Level 2, 3 and 4 merchants and Level 3 service providers do not require a QSA audit and may use the PCI Self-Assessment Questionnaire to self-certify.
What are the pros and cons of hiring a QSA versus doing it yourself?
There are pros and cons to both ways of approaching PCI compliance, but the pros outweigh the cons in selecting a QSA to assist with your PCI compliance initiatives. QSAs provide third-party validation that demonstrates due diligence, and they know the data security standard and how it applies to different types of organizations. The main con is the cost of hiring a QSA. Yet the cost to the organization of doing it yourself should also be considered: the resources needed for PCI compliance are pulled away from other strategic, profit-generating initiatives. Another con to consider is that it can be difficult to get up to speed on all of the PCI requirements, which creates an opportunity for merchants to miss key areas, controls and dates. In the long run, it may be far more economical to hire a QSA.
What are the benefits of using a QSA and becoming PCI compliant?
In the past few years, as cybercrime has sky-rocketed, it has become necessary to do more to protect companies and customers alike. The PCI requirements might seem difficult to get a grasp on; however, they are beneficial for customers, merchants and the credit card industry. Merchants and service providers have to meet a number of measures, validated by QSAs and ASVs, in order to be PCI compliant.
There are a number of significant benefits to becoming PCI Compliant and utilizing a QSA to assist, including:
- 'Trust'. Consumers benefit from doing business with PCI compliant companies because it means their cardholder data is handled under a recognized set of security controls.
- It means that your business has been checked for security weaknesses by a qualified information security professional.
- It provides a solid structure for improving security, operational and audit performance by having an independent assessment performed.
- It makes a business more resilient and less likely to suffer malware infections or other security disasters.
- Without it you risk losing the ability to process card transactions, and few merchants can get by without processing cards nowadays.
- Merchants who are PCI compliant are offered some protection from fines should they be breached. If you are compliant at the time you suffer an attack, you may have a ‘safe harbor’, along with a relationship with a QSA who can help shepherd the response and minimize the breach’s effect on both your customers and your business.
About The Author 
Ron Schmittling, CPA/CITP, QSA, CISA, CIA, Security and Privacy Practice Leader at Brown Smith Wallace, LLC
Ron’s 18+ years of experience include more than five years in senior-level technical leadership roles at a major financial services firm, as well as positions in information security and technology consulting for several international organizations. Ron is a thought leader, frequent speaker and author on topics in the information security and PCI compliance arena. Ron is a member of the American Institute of Certified Public Accountants (AICPA), the Illinois CPA Society (ICPAS), the Missouri Society of CPAs (MSCPA), ISACA, the Institute of Internal Auditors (IIA), InfraGard, the International High Technology Crime Investigation Association (HTCIA), the Information Systems Security Association (ISSA), and the Institute of Computer Forensic Professionals (ICFP).
Schmittling can be reached at 314-983-1398 or schmittling@bswllc.com. 
About The Brown Smith Wallace Security and Privacy Practice
The Brown Smith Wallace Security and Privacy Practice is a market leader in helping businesses, government, financial institutions, retailers, educational institutions, and healthcare groups and other organizations define the true risks in their environment and deploy the right solutions and technologies to ensure the continued success of day-to-day operations and objectives. Our services include attack and penetration testing, internal vulnerability assessments, security risk assessments, security training, social engineering tests, PCI compliance reviews, PCI readiness assessments, PCI ASV vulnerability scanning, privacy risk assessments, computer forensics, and many others.
Monday, May 31, 2010
Are You Under-Utilizing Your Technology? By Steve Epner, CSP
To request a copy of our Guides, visit:
http://www.software4distributors.com/resource/default.aspx 
To compare software packages side-by-side, visit:
http://www.software4distributors.com/evaluation/registration.aspx
Are you and your management team getting the information you need to make the right decisions at the right time for the right situation? Is the information you get from your computer system:
- Current
- Accurate
- Reliable
- Meaningful
- Relevant
If not, you may not be using your computer to its fullest capacity. According to most surveys, businesses use less than 15 percent of the features and functions that are available on their computer systems. While automation systems are one of the largest financial and time investments that most companies make, most owners are pitifully unaware of what can be done. It is a tremendous waste of resources.
So what do you do to be more successful and get a greater return on your information investment?
You must begin by documenting what you are doing today. This is imperative, as most companies have created entangled masses of paperwork based on system failures of long ago. These quick fixes have never been reviewed as systems have been upgraded, enhanced or replaced. As a result, most people force their current system to try to do things the old way. The bottom-line result is that we use very little of what the system can do for us as we try to duplicate or imitate old procedures that are no longer necessary or appropriate.
We also need to look at what steps have been added to your paper and information flow because you just “want to be sure”. Many times we add steps to review, revise, and approve computer-generated output because there is no trust in what is being created.
Proper planning and execution of your paperwork flow will correct this situation. Our many years of experience have allowed us to find that most companies can easily reduce 20 percent of the time they spend handling paper. In some cases, the number will go as high as 75 percent. Don’t be embarrassed if, as you look around, you find many things that just don’t need to be done.
Another area of analysis that we find very helpful is to look for bottlenecks. When we do a bottleneck analysis, we take a look at the forms that enter, are created in, and leave each desk. It is quite an eye-opener for most executives to see how paper is processed in their offices. There are many times when people get paper “just to look”. They add no value.
We are very conscientious as we eliminate duplication, bottlenecks and efforts that don’t add value for the company or the end user.
More importantly, we take a look at the numbers that you use to run your business. It always amazes us how many people spend time re-entering data into spreadsheets so they can get valuable management information. Most systems today have many of these features built in. We will help you find what is already there to reduce the time and effort you need to find the answers to help you make decisions. Furthermore, we will reduce the number of errors caused by transcribing numbers and the time and effort involved in running multiple systems manually when the answers can be provided on an almost automatic basis.
To make things even better, we can often help you create graphical output which will show you exactly where the company is and where it is going. These reports can be produced on a daily, weekly, monthly, or quarterly basis. By using “running averages”, we are able to smooth out individual peaks and valleys so that a trend is more easily recognized. Executives should get an End of Day Report that shows how they did. This is available in all of the systems we have reviewed and we would guess that it is available in what you already have if you are willing to look for it.
Some time ago (or in the recent past), you made a major investment in automation for your company. You spent a lot of money to buy hardware, software, and services. You took valuable resources (people) and put them through weeks of training, conversion, and start up. The end result is one of the largest noninventory investments that you will ever make (other than brick and mortar). If you are using only 15 percent of this investment, you are not getting the return you deserve or should expect.
Step back from what you are doing, take a look at how things operate, be prepared to make changes, and you can increase the effectiveness of your information investment. Just doubling your return to 30 percent should have major impact on your ability to operate the business effectively and to reduce the cost of servicing your clients.
About The Author
Steve Epner, CSP, Founder of the Brown Smith Wallace Consulting Group
Steve Epner has been directing traffic on the information super highway since 1966. A highly regarded industry expert, Epner is widely published and has provided comment for national business publications including the Wall Street Journal. His experience in business, technology and strategic planning makes him a nationally renowned technical speaker.
Epner can be reached at sepner@bswllc.com. 
About The Brown Smith Wallace Consulting Group
The Brown Smith Wallace Consulting Group has been serving the distribution community for more than 20 years through the publication of the Distribution Software Guide, speaking at industry programs, giving free telephone advice to distributors and providing fee-based consulting services to companies who need help selecting the best software packages for their business.
Monday, April 12, 2010
What’s the point of the software demo?
I attended a program presented by a local Microsoft partner this week. The partner did a very nice job of hosting this presentation; rented a very nice meeting room at a local restaurant, spent a ton on food, had Microsoft representation, gave away a nice door prize. Attendance wasn’t quite what they wanted but it was still a nicely attended event. But I think they missed an opportunity to make the needed impact on the attendees to move them forward in their software selection process.
Microsoft sells four ERP packages under the Dynamics brand and each product occupies a certain niche as explained by this partner: AX is the high-end package, NAV is a mid-tier product that is easily customized, GP is another product for mid-sized companies that have both distribution and manufacturing requirements, and SL is for companies with project management needs.
Each product was demonstrated for 30 minutes. Each demonstration focused on the role-based model that Microsoft has incorporated into their software. Users are assigned a profile based upon their role in the organization and each role has a set of tasks already configured so that the user can be more productive more quickly every day. Each user can customize their start up screen with menu options, alerts, fact boxes and fast tabs. Great – but did I have to see the same thing 4 times? Did 75% of the time have to be devoted to showing the same functionality again and again?
This brings me to my point – what’s the point? What do you need to see in order to decide that this software package could/should be considered by your company as a potential solution? Is it replenishment? Order processing? e-Commerce? Make a list of the business processes that are critical to your business and communicate that to the software vendor. Reporting, dashboards and business intelligence are the whipped cream and cherries of software demos. They are sweet and look appealing but are not very filling. Make sure you know what the point of the software demo is before you invest your time and the software vendor’s time.
Thursday, April 1, 2010
Part 2 - Successful Software Selection "Getting It Right The First Time Is All About People"
Recap:
Yesterday, People Factor One (Who Makes The Selection?) and People Factor Two (Creating "Buy-In" For Change) were presented.
People Factor Three: Did you ensure the converted data is accurate and complete?
The third area relates to moving data from the old system to the new one. Don’t create an opportunity to fail by failing to follow-through with the conversion.
We’ve found the best thing to do is to have a small group of employees and support personnel from the vendors do and test the conversion. Make sure the team has procedures in place to ensure that all of the data has been converted. Check the simple things: compare the number of vendors, customers and outstanding invoices from one system to the other.
Make sure everything is accurate. Develop checks and “hash” totals (total outstanding receivables, total open payables, etc.). Audit the data before going live and you minimize problems. Find the problems before an existing customer cannot be found or data is obviously wrong.
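The record-count and hash-total checks described in People Factor Three, as an added example that is not part of the original post. The two "systems" are constructed in-line as small lists of dicts standing in for an export from the old system and the same data read back out of the new one after conversion; the entity names and fields (vendors, customers, open_invoices, invoice_no, customer_id, amount) are assumed for illustration. The constructed new-system data deliberately drops one invoice and mangles one amount, so the reconciliation shows how a record count alone would miss the second error while a hash total catches it.

```python
"""Conversion reconciliation: record counts plus hash (control) totals.

Added example, not the original post's code. The field names below are
assumptions made for illustration.
"""
from decimal import Decimal

# Constructed sample: what the legacy system exported.
OLD_SYSTEM = {
    "vendors": [{"id": "V001"}, {"id": "V002"}, {"id": "V003"}],
    "customers": [{"id": "C100"}, {"id": "C101"}],
    "open_invoices": [
        {"invoice_no": "INV-1", "customer_id": "C100", "amount": Decimal("125.50")},
        {"invoice_no": "INV-2", "customer_id": "C101", "amount": Decimal("980.00")},
        {"invoice_no": "INV-3", "customer_id": "C100", "amount": Decimal("44.25")},
    ],
}

# Constructed sample: what came back out of the new system after conversion.
# INV-3 was dropped and INV-2's amount was mangled in transit, the kind of
# silent error the post warns about.
NEW_SYSTEM = {
    "vendors": [{"id": "V001"}, {"id": "V002"}, {"id": "V003"}],
    "customers": [{"id": "C100"}, {"id": "C101"}],
    "open_invoices": [
        {"invoice_no": "INV-1", "customer_id": "C100", "amount": Decimal("125.50")},
        {"invoice_no": "INV-2", "customer_id": "C101", "amount": Decimal("98.00")},
    ],
}


def record_counts(system):
    """Count records per entity type (the 'compare the number of vendors,
    customers, outstanding invoices' check)."""
    return {entity: len(rows) for entity, rows in system.items()}


def hash_totals(invoices):
    """Control totals over open invoices: row count, sum of amounts and the
    set of invoice numbers, so a dropped row and a changed amount both show."""
    return {
        "count": len(invoices),
        "total_amount": sum((inv["amount"] for inv in invoices), Decimal("0")),
        "invoice_nos": sorted(inv["invoice_no"] for inv in invoices),
    }


def reconcile(old, new):
    """Return a list of human-readable discrepancies between the two systems.
    An empty list means the conversion reconciles on these checks."""
    problems = []

    # 1. Record counts per entity.
    old_counts, new_counts = record_counts(old), record_counts(new)
    for entity in sorted(set(old_counts) | set(new_counts)):
        if old_counts.get(entity) != new_counts.get(entity):
            problems.append(f"{entity}: {old_counts.get(entity)} records in old "
                            f"system, {new_counts.get(entity)} in new")

    # 2. Hash totals over open receivables.
    old_tot = hash_totals(old["open_invoices"])
    new_tot = hash_totals(new["open_invoices"])
    if old_tot["total_amount"] != new_tot["total_amount"]:
        problems.append(f"open receivables total: {old_tot['total_amount']} "
                        f"in old system, {new_tot['total_amount']} in new")
    missing = sorted(set(old_tot["invoice_nos"]) - set(new_tot["invoice_nos"]))
    extra = sorted(set(new_tot["invoice_nos"]) - set(old_tot["invoice_nos"]))
    if missing:
        problems.append(f"invoices missing after conversion: {missing}")
    if extra:
        problems.append(f"invoices present only in new system: {extra}")

    # 3. Row-level check for invoices present in both, to name the mangled one.
    old_by_no = {inv["invoice_no"]: inv for inv in old["open_invoices"]}
    for inv in new["open_invoices"]:
        src = old_by_no.get(inv["invoice_no"])
        if src is not None and src["amount"] != inv["amount"]:
            problems.append(f"{inv['invoice_no']}: amount {src['amount']} "
                            f"became {inv['amount']}")
    return problems


if __name__ == "__main__":
    for line in reconcile(OLD_SYSTEM, NEW_SYSTEM) or ["conversion reconciles"]:
        print(line)
```

Run the same function against the real exports from both systems before go-live; any non-empty result is a conversion defect to fix before users discover it. Amounts are kept as Decimal so the hash total is exact and a one-cent rounding difference is reported rather than hidden by floating-point arithmetic.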
People Factor Four: Was there sufficient training and test time?
Finally, there is training and testing; more systems fail because companies underestimate the need to train their employees.
It does not matter how much the employees say they want the solution or how computer literate the staff may be, without a dedicated effort to train and test the system, you will fail.
The first two weeks with any new system are critical. If all of the time is spent fighting educational problems, you risk creating the perception that the new application is error prone, hard to learn, hard to use, not user friendly and probably the wrong choice.
Once that happens, it can be a fast death spiral into the ground. Users lose faith, and then they start to doubt the system, its capability and their ability to get any of the advantages promised by the sales people.
Here are a few hints to make sure you keep the training at a sufficient level.
First, if budgets are really an issue, try to negotiate a reduction in the total cost of training. Keep the courses and support that the vendor suggests but explore using CD or Web-based training instead of instructor-based training. This is much less expensive. Or have your best employees get trained and have them train other users. It is in your and the vendor’s best interest to make sure the implementation is smooth and successful. They want you to be a showcase site. That means, they will often work with you on the approach to and cost of training if you let them know how serious you are to do it right – the first time.
Second, set up a test environment. We call it a sandbox. Let everyone play on the system as they get trained. The positive effects of training are reduced by the square of the time in hours between the end of training and when they get to next use the system. That means that if after training a week goes by with no system use, about 50 percent of the training is lost. Make sure that there is not only a place to play on the system, but that there is time as well. Get temps to help with the everyday work so your best people can be trying out the new systems.
Run full days of activity against a subset of all accounts and inventory. Print out all of the reports and make sure you and your staff understand where and how the numbers show up. Test everything to make sure it is right for the way you want to use it before it is mission critical.
Looking For Help?
Successfully implementing a system is a big challenge. It is important that your team and the vendors’ consulting organization work together to achieve this goal. The important thing to remember is you are not alone – there are experts, like the members of our team, who have successfully done this before and who are willing to guide you through the process.
When it comes to the technology choices themselves, consider using a resource like our Distribution Software Guide at http://www.software4distributors.com/resource/default.aspx.
Also compare software packages side-by-side at http://www.software4distributors.com/evaluation/registration.aspx.
Wednesday, March 31, 2010
Part 1 - Successful Software Selection "Getting It Right The First Time Is All About People"
Intro:
There is an old joke that says there are only two steps to software selection. Step one is to select a solution and step two is to throw it out. With forethought and a little effort – you can make a successful software selection, the first time, and skip step two altogether. The trick you see is all about people – it is your people who must participate in choosing a solution that meets your business needs and take ownership for its implementation and use.
People Factor One: Who Makes The Selection?
First and foremost is: “he (or she to be politically correct) who makes the decision is stuck with it.”
The best solutions include a team that represents all of the various levels of your business – from management, marketing and sales, purchasing, warehouse, logistics and finance. When you allow representation from multiple venues within the business you create a situation for success. When your selection team includes multiple voices the selection becomes a matter of pride -- everyone wants to participate in finding the best solution for the company.
In addition to creating “pride of ownership” a team consisting of a representative sample of end users will help distribute the selection burden by helping to define requirements – which will vary from department to department, attend demonstrations, call the references and be invested in the final selection.
People Factor Two: Creating “Buy-In” For Change
Another old saying goes: “the only person who likes change … is a wet baby.” We all resist change. New systems can wreak havoc on our daily lives – introducing new procedures, changing why we do things the way we do – it can be pure torture, and too often is, if allowed to be.
To succeed, make the selection and implementation a top priority. Let everyone know that the owners and top management are part of the team. Pick the most senior executive possible to lead the effort and make sure they take an active and very visible role throughout the project – give your employees a leader worth following.
For People Factor Three and Four, come back tomorrow.
Looking For Help?
Successfully implementing a system is a big challenge. It is important that your team and the vendors’ consulting organization work together to achieve this goal. The important thing to remember is you are not alone – there are experts, like the members of our team, who have successfully done this before and who are willing to guide you through the process.
When it comes to the technology choices themselves, consider using a resource like our Distribution Software Guide at http://www.software4distributors.com/resource/default.aspx.
Also compare software packages side-by-side at http://www.software4distributors.com/evaluation/registration.aspx.
Monday, February 22, 2010
Finally a rational discussion of Cloud Computing
David Linthicum presented several valuable slides in the webinar. The first slide that was useful listed seven criteria to be used to determine when Cloud Computing is a fit. Those criteria were:
- When process, applications and data are largely independent
- When points of integration are well defined
- When a lower level of security is fine
- When the core internal architecture is healthy
- When the web is the desired platform
- When cost is an issue
- When the applications are new
The next slide listed the criteria for determining when Cloud Computing isn’t a fit. Those criteria were:
- When process, applications and data are interdependent
- When points of integration are poorly defined
- When a high level of security is needed
- When the core internal architecture needs work
- When the application requires a native interface
- When cost is an issue
- When the applications are legacy
David also provided a 17-step process for implementing a cloud computing initiative.
We have found this to be one of the few objective and balanced assessments of Cloud Computing and recommend that you read his blogs and book. His book is available on Amazon and he has a blog at http://davidlinthicum.sys-con.com/
Friday, February 12, 2010
SIFTing Through Your Technology Choices
Other tools to help you in your software selection are the 20th annual Distribution Software Guide and 4th annual Manufacturing Software Guide.
Monday, February 1, 2010
Documenting Your Current Process is a Waste of Time and Money
Documenting your current processes can be a waste of time and money.
When we are preparing the project plan for conducting a selection project, one topic that is always discussed is whether the client needs to document the existing processes before starting the selection engagement. We believe that the answer to this question is “NO”. Let me explain why:
Our research indicates that clients who engage us to assist them with a software selection have known for at least two, and more likely three, years that they need to replace their software. The decision to replace software requires a significant amount of time and money.
During this period of dissatisfaction, various workarounds are added to address the weaknesses of the system. These include external applications that are bolted on or developed in-house, applications that are purchased and not integrated, workarounds developed using Excel spreadsheets, and more. In other systems we see comment fields crammed with actionable information, since this is the only place users have for storing it. Unfortunately, if users have not read these instructions, or do not follow them, errors will occur in handling orders. To prevent this from happening, more ad-hoc systems or procedures are implemented.
Investing significant time and money in documenting and flowcharting doesn’t result in a better set of requirements. At the Brown Smith Wallace Consulting Group, we have developed process outlines that reflect the standard process flows that most new ERP packages follow. We use these outlines to conduct interviews with groups of users to aid us in developing the requirements for a new ERP package. Typically users like to tell us what their software doesn’t do and how hard it is for them to get the right job done on time. These process indexes help us to keep the focus on the process and not on the flaws of the current system.
Having a flowchart of the existing system only helps us to understand how dysfunctional the existing system is. It doesn’t help create the vision of the future state of the business. This doesn’t occur until they see demonstrations of new systems and the capabilities that are available to them. Only then can they start to understand the value of the new processes incorporated into the new software.
So if you know your current system needs to be replaced, start by documenting the requirements to achieve the future vision and do not document the past that you want to replace.
Wednesday, January 27, 2010
Managing ERP Implementations Differently
1. ERP packages that have been heavily customized can't be upgraded.
2. Maintenance investments are wasted, as you can't benefit from new enhancements.
3. New technologies (cloud computing, mobile apps, social media) are changing how ERP is delivered.
4. Analytics and utilization of data are the new "killer app".
5. Implement new ERP software and don't customize it this time; change your process instead.
If you are using older ERP software that cannot be upgraded because of the customizations, read this article.
CIO Magazine: ERP: How and Why You Need to Manage It Differently