25 Feb

A Brief Introduction to Artificial Intelligence For Normal People

Lately, artificial intelligence has been very much the hot topic in Silicon Valley and the broader tech scene. To those of us involved in that scene it feels like incredible momentum is building around the topic, with all kinds of companies building A.I. into the core of their business. There has also been a rise in A.I.-related university courses, which is sending a wave of extremely bright new talent into the employment market. But this is not a simple case of confirmation bias – interest in the topic has been on the rise since mid-2014.

The noise around the subject is only going to increase, and for the layman it is all very confusing. Depending on what you read, it’s easy to believe that we’re headed for an apocalyptic Skynet-style obliteration at the hands of cold, calculating supercomputers, or that we’re all going to live forever as purely digital entities in some kind of cloud-based artificial world. In other words, either The Terminator or The Matrix is imminently about to become disturbingly prophetic.

Should we be worried or excited? And what does it all mean?

Will robots take over the world?

When I jumped onto the A.I. bandwagon in late 2014, I knew very little about it. Although I have been involved with web technologies for over 20 years, I hold an English Literature degree and am more engaged with the business and creative possibilities of technology than the science behind it. I was drawn to A.I. because of its positive potential, but when I read warnings from the likes of Stephen Hawking about the apocalyptic dangers lurking in our future, I naturally became as concerned as anybody else would.

So I did what I normally do when something worries me: I started learning about it so that I could understand it. More than a year’s worth of constant reading, talking, listening, watching, tinkering and studying has led me to a pretty solid understanding of what it all means, and I want to spend the next few paragraphs sharing that knowledge in the hopes of enlightening anybody else who is curious but naively afraid of this amazing new world.

Oh, if you just want the answer to the headline above, the answer is: yes, they will. Sorry.

How the machines have learned to learn

The first thing I discovered was that artificial intelligence, as an industry term, has actually been going since 1956, and has had multiple booms and busts in that period. In the 1960s the A.I. industry was bathing in a golden era of research, with Western governments, universities and big businesses throwing enormous amounts of money at the sector in the hopes of building a brave new world. But in the mid-seventies, when it became apparent that A.I. was not delivering on its promise, the industry bubble burst and the funding dried up. In the 1980s, as computers became more popular, another A.I. boom emerged, with similar levels of mind-boggling investment being poured into various enterprises. But, again, the sector failed to deliver and the inevitable bust followed.

To understand why these booms failed to stick, you first need to understand what artificial intelligence actually is. The short answer to that (and believe me, there are very, very long answers out there) is that A.I. is a number of different overlapping technologies which broadly deal with the challenge of how to use data to make a decision about something. It incorporates a lot of different disciplines and technologies (Big Data or Internet of Things, anyone?), but the most important one is a concept called machine learning.

Machine learning basically involves feeding computers large amounts of data and letting them analyse that data to extract patterns from which they can draw conclusions. You have probably seen this in action with face recognition technology (such as on Facebook or modern digital cameras and smartphones), where the computer can identify and frame human faces in photographs. In order to do this, the computers are referencing an enormous library of photos of people’s faces and have learned to spot the characteristics of a human face from shapes and colours averaged out over a dataset of hundreds of millions of different examples. This process is basically the same for any application of machine learning, from fraud detection (analysing purchasing patterns from credit card purchase histories) to generative art (analysing patterns in paintings and randomly generating pictures using those learned patterns).

As you might imagine, crunching through enormous datasets to extract patterns requires a LOT of computer processing power. In the 1960s they simply didn’t have machines powerful enough to do it, which is why that boom failed. In the 1980s the computers were powerful enough, but they discovered that machines only learn effectively when the volume of data being fed to them is large enough, and they were unable to source large enough amounts of data to feed the machines.

Then came the internet. Not only did it solve the computing problem once and for all through the innovations of cloud computing – which essentially allow us to access as many processors as we need at the touch of a button – but people on the internet have been generating more data every day than has ever been produced in the entire history of planet earth. The amount of data being produced on a constant basis is absolutely mind-boggling.

What this means for machine learning is significant: we now have more than enough data to truly start training our machines. Think of the number of photos on Facebook and you start to understand why their facial recognition technology is so accurate.

There is now no major barrier (that we currently know of) preventing A.I. from achieving its potential. We are only just starting to work out what we can do with it.

When the computers will think for themselves

There is a famous scene from the movie 2001: A Space Odyssey where Dave, the main character, is slowly disabling the artificial intelligence mainframe (called “Hal”) after the latter has malfunctioned and decided to try and kill all the humans on the space station it was meant to be running. Hal, the A.I., protests Dave’s actions and eerily proclaims that it is afraid of dying.

This movie illustrates one of the big fears surrounding A.I. in general, namely what will happen once the computers start to think for themselves instead of being controlled by humans. The fear is valid: we are already working with machine learning constructs called neural networks whose structures are based on the neurons in the human brain. With neural nets, the data is fed in and then processed through a vastly complex network of interconnected points that build connections between concepts in much the same way as associative human memory does. This means that computers are slowly starting to build up a library of not just patterns, but also concepts which ultimately lead to the basic foundations of understanding instead of just recognition.

Imagine you are looking at a photograph of somebody’s face. When you first see the photo, a lot of things happen in your brain: first, you recognise that it is a human face. Next, you might recognise that it is male or female, young or old, black or white, etc. You will also have a quick decision from your brain about whether you recognise the face, though sometimes the recognition requires deeper thinking depending on how often you have been exposed to this particular face (the experience of recognising a person but not knowing straight away from where). All of this happens pretty much instantly, and computers are already capable of doing all of this too, at almost the same speed. For example, Facebook can not only identify faces, but can also tell you who the face belongs to, if said person is also on Facebook. Google has technology that can identify the race, age and other characteristics of a person based just on a photo of their face. We have come a long way since the 1950s.

But true artificial intelligence – which is referred to as Artificial General Intelligence (AGI), where the machine is as advanced as a human brain – is a long way off. Machines can recognise faces, but they still don’t really know what a face is. For example, you might look at a human face and infer a lot of things that are drawn from a hugely complicated mesh of different memories, learnings and feelings. You might look at a photo of a woman and guess that she is a mother, which in turn might make you assume that she is selfless, or indeed the opposite, depending on your own experiences of mothers and motherhood. A man might look at the same photo and find the woman attractive, which will lead him to make positive assumptions about her personality (confirmation bias again), or conversely find that she resembles a crazy ex-girlfriend, which will irrationally make him feel negatively towards the woman. These richly varied but often illogical thoughts and experiences are what drive humans to the various behaviours – good and bad – that characterise our race. Desperation often leads to innovation, fear leads to aggression, and so on.

For computers to truly be dangerous, they need some of these emotional compulsions, but this is a very rich, complex and multi-layered tapestry of different concepts that is very difficult to train a computer on, no matter how advanced neural networks may be. We will get there one day, but there is plenty of time to make sure that when computers do achieve AGI, we will still be able to switch them off if needed.

18 Feb

What Is a QSA

Since the formation of the Payment Card Industry Data Security Standard (PCI DSS) back in 2004, PCI DSS has required financial service providers and large merchants to use QSAs to carry out onsite assessments and to check compliance and security. QSA stands for Qualified Security Assessor; it is a designation awarded to individuals by the PCI Security Standards Council, which finds them qualified to perform consulting services and PCI assessments.

Recently, PCI DSS has expanded its guidelines for training QSAs, among other advancements. Still, QSAs and the services they provide vary a lot: assessors differ considerably in thoroughness, methodology, technical skills and other areas.

The PCI DSS V2.0

The PCI DSS v2.0, released on 30th October, includes a number of classifications and further areas of guidance for assessments. The new version states that the first step of any PCI DSS assessment is to define the scope of the assessment by producing clear maps (locations and flows) of cardholder data within the system.

Many organizations are not aware of every single location where cardholder data resides in their systems. A QSA must understand application data handling, network architecture, operating system security, storage and database technology, and other business and IT functions in order to carry out those assessments.

Virtualization Technology

New guidance has also been added in PCI DSS v2.0 permitting the use of virtualization technologies and explaining how to assess them. As many organizations look to achieve cost savings through application and server virtualization, QSAs must understand this technology and how it differs from the traditional client/server architectures they are used to assessing.

Through virtualization, numerous server instances can be created and run on a single physical system. Many QSAs have considered this non-compliant in the past. PCI DSS v2.0 Section 2.2.1 permits the use of virtualization, but makes it clear that only one primary function may run on a single virtual server: for example, one virtual machine runs database services while another runs web services. So it is important for QSAs to understand virtualization-specific controls, virtual network segmentation and the IT controls used with virtualization platforms.

Choosing a QSA

Once you select a QSA, the relationship may develop into a long one. Organizations need to look for a QSA that understands the technology to be audited. To hire a QSA, a company should gather information about its business requirements, conduct a detailed interview about the QSA's past experience, and schedule an onsite review and planning meeting. Make sure that the individual QSA you spoke and worked with during data collection and assessment is the same person who will eventually come onsite to manage the assessment.

The QSA firm will have a great effect on your compliance and security for a long time. Making the right decision regarding QSA selection will be a great advantage, both for fulfilling the PCI DSS compliance requirements and for strengthening your security over the longer term.

12 Feb

Is PCI Compliance Expensive

There are a number of factors on which the cost of PCI DSS compliance depends, including the type of your business, the annual number of transactions, your current IT infrastructure, and the existing network that processes and stores credit/debit card data.

Possible PCI Compliance Fees

According to estimates, the nation's largest merchants, categorized as Level 1 merchants (more than 6 million transactions a year), spent $125,000 assessing the PCI-related work required and an additional $568,000 to meet the PCI requirements.

Reports state that one Level 1 merchant, a national retailer with 210 stores, spent about $500,000 to become compliant. Furthermore, Level 2 merchants, carrying out between 1 and 6 million transactions annually, may need to spend $105,000 for assessment and an additional $267,000 for compliance.

Level 3 merchants, carrying out between 20,000 and 1,000,000 e-commerce transactions, are expected to spend $44,000 for assessment and $81,000 more for compliance. Level 4 merchants, handling fewer than 20,000 e-commerce transactions, pay different amounts to become compliant, depending on the type of business.

Additional Costs

The costs of becoming PCI compliant don’t end here; there are several additional costs. These might include the fees for software and hardware upgrades if the data is stored in house. According to calculations, an organization with 100,000 credit cards on file must spend $6 per card in encryption costs. Alternatively, merchants can use technologies like tokenization. With tokenization (where data storage is remote) there is a per-transaction fee in place of an upfront cost. None of these estimates include the opportunity cost or the labour cost diverted from other profit-making endeavours.

Requirements of the Merchants

Any merchant that accepts, processes or stores credit card data needs to be compliant. Even small retailers and restaurants using a single POS system or terminal must be PCI compliant. Both types of business are required to fill out a Self-Assessment Questionnaire, but the compliance process is much less involved. Merchants using POS systems need to be extra careful to make sure that no prohibited card data is being stored improperly, and need to validate that their vendor is PABP compliant (soon to become PA-DSS).

Cost of Being Non-compliant

Being non-compliant is not an option: every large merchant is required to be PCI compliant, otherwise it will face huge monthly fines. A non-compliant merchant also pays additional interchange costs, which result in higher processing costs. The card brands are most likely to levy fines when a merchant is non-compliant at the time of a data breach.

Also, the discovery and remediation costs can be far larger than the fines themselves. The cost of a data security breach can be anywhere from $90 to $305 per customer record breached. Some merchants find the PCI DSS requirements quite annoying and get frustrated by them, while others consider them basic security requirements that should be in place anyway.

4 Feb

Should Everyone Become PCI Compliant

In PCI compliance, there is a lot more to your business than your website. If your business deals with credit card numbers over the phone, carries out face-to-face transactions, or holds records of credit card numbers, then none of this has anything to do with your website, yet it is still necessary for your business to meet the PCI requirements. You may now be asking whether every business needs to be PCI compliant; the answer has already been given above. In this article you will find answers to the questions that trouble you about PCI requirements.

Should I Be Worried About PCI Compliance?

A business that receives credit card payments from customers needs to be PCI compliant, even if that business is paid by credit card only once a year. The number of transactions doesn’t matter at all. Even if your website uses third-party services like PayPal or Google Checkout, you are required to be PCI compliant, because it is your business that is accepting payments via credit cards, not your website.

What Will Happen If I Am Not PCI Compliant?

If your business does not meet the PCI compliance requirements and your site’s security is breached, then huge penalties ranging from $5,000 to $500,000 will be imposed on your business. The fines are the first thing you will face for being non-compliant, and you will then start seeing numerous other damages to your business.

Terminated Merchant File

If your business is not PCI compliant, you might lose your merchant account, which means that you won’t be able to accept any credit card payments. Not only that, but you will also be placed in the Terminated Merchant File (TMF) of MasterCard/Visa, which will make you ineligible to get another merchant account for at least a couple of years. The TMF is in effect a BLACKLIST for merchants, and getting your name removed from it is nearly impossible.

The Terminated Merchant File is sometimes also known as the Match File. Once a merchant is added to this file, his name, the name of the business, and his home and business addresses are all recorded. So it is no use applying again in the name of another family member or business partner, because according to the records it will be treated as the same business and location (which is already blacklisted).

Cardholder Data Environment

Will setting up a firewall configuration limit direct public access between the internet and any system included in the cardholder data environment? Well, it depends; the cardholder data environment includes all of your website as well as the database. A database server must have its own physical server, which should be connected to a VPN.

Even if your database isn’t storing the data, it is still serving content to your site, which transmits and collects cardholder information; that is why it is included in the cardholder data environment.
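As an added illustration (not part of the original post), the following Python script checks a constructed firewall rule set for the property this section describes: no direct public access from the internet to the database tier of the cardholder data environment, while the web tier stays reachable and may talk to the database. All addresses, rules and function names are hypothetical.

```python
import ipaddress
from typing import NamedTuple


class Rule(NamedTuple):
    action: str   # "allow" or "deny"
    src: str      # source CIDR
    dst: str      # destination CIDR
    port: int     # destination TCP port; 0 means any port


# Constructed sample policy (hypothetical RFC 1918 / documentation addresses).
# Web tier 10.0.1.10 is expected to be public-facing; DB tier 10.0.2.20 is not.
BAD_RULE = Rule("allow", "0.0.0.0/0", "10.0.2.20/32", 3306)   # misconfiguration
CONSTRUCTED_RULES = [
    Rule("allow", "0.0.0.0/0", "10.0.1.10/32", 443),          # internet -> web server
    Rule("allow", "10.0.1.10/32", "10.0.2.20/32", 3306),      # web server -> database
    BAD_RULE,                                                 # internet -> database
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", 0),                # explicit default deny
]
HARDENED_RULES = [r for r in CONSTRUCTED_RULES if r != BAD_RULE]
DB_HOSTS = ["10.0.2.20"]


def first_match(rules, src_ip, dst_ip, port):
    """Evaluate the policy first-match, as most packet filters do; deny if nothing matches."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (src in ipaddress.ip_network(r.src) and dst in ipaddress.ip_network(r.dst)
                and r.port in (0, port)):
            return r.action
    return "deny"


def exposed_services(rules, internal_hosts, probe_src="203.0.113.10"):
    """Return (host, port) pairs on internal-only hosts that a public probe address can reach.

    Ports are taken from the rule set itself, so every explicitly opened port is probed."""
    ports = sorted({r.port for r in rules if r.port})
    return [(host, port) for host in internal_hosts for port in ports
            if first_match(rules, probe_src, host, port) == "allow"]


if __name__ == "__main__":
    print("before:", exposed_services(CONSTRUCTED_RULES, DB_HOSTS))   # [('10.0.2.20', 3306)]
    print("after: ", exposed_services(HARDENED_RULES, DB_HOSTS))      # []
```

Run it against an export of your own rule set to see which database ports are reachable from a public source address before and after a change.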