Welcome. I’m John Elliott and this is my small bit of the Internet. I’m a payments / privacy / cyber security / risk specialist. I work as a consultant and interim manager and I help organisations balance risk and regulation with business needs. I started this blog sometime in 2010 and then ended up in jobs where it wasn’t really appropriate to write publicly about the things I also worked with, which is why there’s always a gap between posts.


I’m a part-time doctoral student at the University of Warwick Cyber Security Centre looking at principal-agent relationships in respect of cyber security. Specifically how regulators and companies validate the security claims of third-party entities to support regulatory or contractual compliance.

PCI DSS and payment security

I was fortunate to spend around three years as Visa Europe’s representative on the technical working groups of the Payment Card Industry (PCI) Security Standards Council (SSC); before that I worked as a Qualified Security Assessor. In that time I contributed extensively to DSS v3 and P2PE v2 and I also answered lots of questions about the standards and payment security.


Currently I’m looking after data protection at a large airline. Previously I was the interim Head of Information Security at a Building Society and I also worked at Open Banking on the interaction between GDPR and PSD2/PSR.


Since I studied Data Protection law I’ve been fascinated by the intersection between privacy law and information security practice. I moved into payment security in 2009 to understand how mandatory security regulation works, because firstly there were no privacy jobs and secondly I predicted then that there would be technical information security standards when the General Data Protection Regulation comes into effect (we’ll find out soon!). I’m a CIPP/E and have an LLM in Information Rights Law and Practice.

Open Rights Group

I’m an elected board member of the Open Rights Group, which works to protect digital rights through campaigning, research and education.


I’m a Fellow of the British Computer Society and a Chartered IT Professional. I hold the CISSP, CRISC and CISA qualifications.

What is it with (out) fire?

There’s a reason that flames do not engulf whole cities when one building (or bakery) catches fire. And it’s not just because of prevention.

I use the metaphors of fire prevention and control, along with stories about the great fires of the world, to explain the world of cyber security to senior management and company boards.


Get in touch via LinkedIn, @withoutfire or email to john@you_can_probably_guess_the_domain.