March 2009 Archives

In late 2008 the California legislature passed Senate Bill 1608, a reform of the state's disability-access law (the state counterpart to the federal ADA). The bill took effect January 1, 2009. Here is a summary of it plus some additional links related to this area.

Article from: San Diego Business Journal
Article date: January 12, 2009

When Congress passed the Americans with Disabilities Act in 1990, the intent was to ensure that Americans who have disabilities would be able to access public buildings and be treated fairly in the workplace.

Lawmakers surely did not anticipate the unintended consequences of their good intentions.

The ADA's purpose was for businesses to make "reasonable modifications" to ensure access, not to create a cottage industry for personal injury lawyers to abuse the law and exploit regulatory technicalities for their own financial gain.

In the past several years a small group of unscrupulous serial plaintiffs have wreaked havoc on small businesses across California, filing thousands of lawsuits for alleged ADA violations.

The reason California has been such a lucrative state in which to file ADA lawsuits is because it is one of the most generous states in the country when it comes to fines.

The federal ADA only allows private lawsuits to seek compliance with accessibility standards.

However, California law allows a plaintiff to ask for up to $4,000 in damages for each alleged ADA violation, no matter how minor and even if it did not deter access in any way, for example a sign being the wrong color or a ramp elevation grade a percent too steep.

In addition to that fine, businesses can also be sued for thousands of dollars for each day the violations are not remedied.

Gaming The System

Serial ADA plaintiffs game the system to extract a quick cash settlement to "go away," earning the reputation of filing so-called "shakedown" lawsuits.

Many business owners say these types of plaintiffs sue numerous businesses in an area at one time, use nearly identical language in each lawsuit, and always demand a quick cash settlement without a requirement that any alleged violations are fixed.

Since most small businesses can ill afford the exorbitant cost of fighting any lawsuit, regardless of merit, they opt to pay a settlement.

Some 18 years after the original act was passed, fewer than 3 percent of California's businesses are ADA compliant.

Business owners claim it has been very difficult for them to comply, given conflicting state and federal standards, voluminous and changing legal requirements over the years, a lack of ADA training for building inspectors and architects, and inconsistent interpretations of damage provisions.

For years the business and disabled communities have been at an impasse on the best way to increase access while reducing what many business owners refer to as "legalized extortion."

ADA Reform

The two sides have finally come together with a comprehensive ADA reform measure in the form of Senate Bill 1608, which received unanimous support in both houses of the state Legislature and went into effect Jan. 1.

One of the most important provisions in the new law is a stipulation that plaintiffs may recover damages only for a violation they personally encountered or that deterred access on a particular occasion, rather than for alleged violations that may exist but did not cause a denial of access.

Other key provisions include:

* A requirement that all inspections relating to permitting, plan checks or new construction in privately owned buildings be conducted by a building inspector who has gone through the state architect certification training program and is a certified access specialist.

* Incentivizing building owners to use state-certified access specialists to ensure compliance.

* A temporary stay of litigation and a streamlined court procedure for businesses that have utilized a CAS, but are still sued.

* A new state disability commission that will be tasked with evaluating and providing recommendations on further disability issues having an impact on the disability community and business.

These reforms will help achieve the true intent and spirit of the state and federal ADA laws. It does not take away the right of people to sue if they are denied access or encounter a genuine violation. It does clarify the laws and creates less opportunity for abusive, shakedown lawsuits.

With the current state of our economy, these reforms could not come at a more opportune time for small businesses struggling just to keep their doors open.

Lorie Zapf is San Diego regional director of California Citizens Against Lawsuit Abuse. 


Senate Bill 1608

http://info.sen.ca.gov/cgi-bin/postquery?bill_number=sb_1608&sess=PREV&house=B&site=sen




Title 36: Parks, Forests, and Public Property
Part 1194: Electronic and Information Technology Accessibility Standards
Subpart C: Functional Performance Criteria

§ 1194.31 Functional performance criteria.

(a) At least one mode of operation and information retrieval that does not require user vision shall be provided, or support for assistive technology used by people who are blind or visually impaired shall be provided.

(b) At least one mode of operation and information retrieval that does not require visual acuity greater than 20/70 shall be provided in audio and enlarged print output working together or independently, or support for assistive technology used by people who are visually impaired shall be provided.

(c) At least one mode of operation and information retrieval that does not require user hearing shall be provided, or support for assistive technology used by people who are deaf or hard of hearing shall be provided.

(d) Where audio information is important for the use of a product, at least one mode of operation and information retrieval shall be provided in an enhanced auditory fashion, or support for assistive hearing devices shall be provided.

(e) At least one mode of operation and information retrieval that does not require user speech shall be provided, or support for assistive technology used by people with disabilities shall be provided.

(f) At least one mode of operation and information retrieval that does not require fine motor control or simultaneous actions and that is operable with limited reach and strength shall be provided.


Link to article on ADA amendments affecting business

California Executive Magazine
"ADA Amendments May Bring Subtle Change to Cal Businesses"
October 30, 2008
By Steve Tanner

Amendments making the Americans with Disabilities Act (ADA) much stricter for U.S. employers, signed into law earlier this year, take effect in 2009. But those amendments, for the most part, should have little bearing on employers in California, which has its own equivalent, the Fair Employment and Housing Act (FEHA).

FEHA law remains a little more employee-friendly than federal law, which means that little will change in the way that Golden State employers handle disability issues. But some labor and employment attorneys say the new amendments may actually spur more lawsuits in California and that they lower the bar for plaintiffs to cite federal law.

The difficult part for employers in defending such cases will be that plaintiffs will be more apt to file suit under both ADA and FEHA.

"The major difference for California employers is that they'll see more ADA claims and they'll be harder to defend," says Irvine-based labor and employment attorney Bob King.

For most states other than California, the amendments are a serious game-changer, says Atlanta-based attorney and ADA expert Myra Creighton, a partner with Fisher & Phillips LLP.

ADA applies to companies with 15 or more employees, while FEHA is applicable to businesses with at least five employees.

ADA Amendments: On Par with California

The ADA amendments generally broaden how a disability is defined under federal law, overturning a U.S. Supreme Court decision that tightens this definition to only include impairments that "severely restrict" major life activities. In line with California's definition, the ADA will now include impairments that "substantially limit" major life activities, a notion the Equal Employment Opportunity Commission (EEOC) will further define in the near future.

Overturning another U.S. Supreme Court decision, which holds that impairments are to be evaluated after considering the effects of "mitigating factors" such as medication or prosthetics, the amendments largely do away with such evaluations.

"The Supreme Court found that if your disability was controlled with insulin, for example, then you're not necessarily disabled," Barer says. "The amendments change this, so that you're still considered disabled."

He says this likely will not include the roughly 75% of Americans who use eyeglasses or contact lenses, also in line with California law.

What's New For California Employers

It remains to be seen exactly how the new amendments will play out in federal courts. But one element of the ADA that may provide more protection than state law for California employees (meaning it would have to be followed) is the inclusion of people who are merely "regarded as" being disabled, says attorney Margaret Rosenthal. Pending guidance by the EEOC will provide more details about this and other amendments.

"I think that 'regarded as' is covered under state law, but the issue under state law is how it is defined and whether or not you are entitled to accommodations," says Rosenthal, a partner in the Los Angeles office of Baker & Hostetler LLP, adding that attorneys are still waiting to see how the ADA amendment will define 'regarded as' and whether it will require accommodations.

If the EEOC decides that employers do not have to accommodate someone who is merely perceived as being disabled, it could help level the playing field, King says. The "regarded as" claim, he adds, is primarily a plaintiff's legal weapon.

"California law isn't clear in that respect. So you can say, as comparable precedent under the ADA [hypothetically speaking], that you don't have to accommodate employees who are only regarded as disabled," King says. But if the ADA amendment ends up requiring accommodations or otherwise affords more protection for employees, then it would have the opposite effect, attorneys say.

Increased ADA Claims?

There is some debate whether or not the strengthened federal ADA requirements will indeed trigger more lawsuits for California employers, although attorneys all say the amendments will make it easier for plaintiffs to cite federal law. Another theory is that the sweeping changes in ADA will generate more attention to disability discrimination, prompting more suits.

"You'll see more people challenging decisions on an ADA basis, even if the law in California hasn't changed," says Jennifer Berman, managing director of the HR advisory consulting and training group at CBIZ Inc. in San Jose.

King says the amendments will give plaintiffs citing both federal and state law more firepower, since the ADA will provide nearly as much protection as FEHA. One likely result, he says, is an increased difficulty in challenging claims of an employee's disability status.

"So you'll start seeing more federal claims against California employers," King says. "There was a big initial hurdle, which was to prove whether or not someone is disabled. Now that hurdle is much lower."

Rosenthal says she believes the ADA amendments won't have much of an impact in California, but that plaintiffs in the state might be more willing to file in federal court for "regarded as" claims.

Attorneys also say lawsuits could increase for California companies that have offices in other states.

Compliance Advice

Employers already compliant with FEHA and that have properly trained their supervisors and HR managers are probably in good shape, attorneys say.

"If employers have good policies in place right now, with regard to accommodations, then I don't think it will affect them too much," says Scott Barer, an attorney based in Woodland Hills, referring to the requirement under both FEHA and ADA to provide reasonable accommodations for disabled employees.

Those that have been lax with respect to their FEHA and ADA obligations, however, should take the opportunity to get back up to speed. Berman says many of the California companies she consults are woefully vulnerable to ADA (and FEHA) lawsuits.

"You look at most policies, and they're just generic," Berman says, suggesting that employers specifically address discrimination under ADA, as well as FEHA, in training and employee handbooks. She says it might also be a good idea to create a separate section on disability discrimination within an organization's anti-discrimination training program.

Berman stresses the importance of providing relatively detailed job descriptions, which are matched against employees' accommodation requests. Attorneys echo the importance of job descriptions as well.

"The best way to prove whether or not someone could do their job is to have a description on hand," says Washington, D.C. attorney Tina Maiolo, a member of Carr Maloney P.C.

King and other attorneys say the new ADA amendments, even if they change little for California employers, are an opportunity to review the so-called "interactive process" of sitting down with a disabled employee and determining what reasonable accommodations would help them meet the job requirements. This process should be documented as well, attorneys say.

"I think where these claims often go awry really is in the interactive process, which often breaks down," King says. "I would use these amendments as a framing opportunity to review the interactive process again. Not just for HR people, but also managers."

Rosenthal says most small businesses in particular often need help analyzing disability issues. Similarly, Barer says it's often money well spent to consult an attorney if a disability issue arises, that business executives and managers should not be expected to become experts on ADA and FEHA but rather "issue-spotters."

California employers would be wise to review their policies and be prepared for the changes to federal law, but most attorneys say the ADA amendments change little within the state. The amendments take effect on Jan. 1, 2009.


Over the last few years, Redbox has been able to build an impressive DVD rental network by being innovative and flexible while their competitors were still laughing at the concept of kiosk rentals. Over time they've added features to the Redbox website that allow customers to browse and reserve titles online. They've linked their kiosks together so that, unlike competitors (ahem: Blockbuster), you can actually rent a movie from one location and return it at another. Redbox's core business may ultimately be plain old boring physical DVD rentals, but there's no denying that they've been an innovator in their industry. Which is why I am so perplexed by their most recent decision to go hostile against iPhone owners.

Given the company's reputation for thinking progressively, I was disappointed to learn that they've decided to take a technological step backwards by putting pressure on the Inside Redbox blog to kill their Inside Redbox iPhone application.

I haven't jumped on the iPhone bandwagon myself yet, but I can understand why some people think of their phones as an extra appendage. The App Store was a brilliant move by Apple and has created all kinds of interesting software programs that wouldn't have existed if people had to rely on big companies to build them.

By taking advantage of the GPS features inside the phone, Inside Redbox was able to give iPhone customers the ability to look up which Redbox was closest to them at any given moment. It also allowed customers to find out whether a specific title was available before wasting time visiting the kiosk in person.

The best part about the application, though, was its ability to reserve movies directly from the iPhone. This means that if you're standing in line at a Redbox and the person ahead of you is taking too much time selecting a movie, you could theoretically use your iPhone to digitally cut in line and reserve the last copy of Harold and Kumar instead of having to wait impatiently.

When you consider that one of the biggest customer service complaints about Redbox is the long lines, it blows my mind that Redbox would discourage consumers from using their own mobile device and have them monopolize a kiosk instead.

Whether a customer prefers to order their movies from the internet, a kiosk or the middle of the store while shopping for groceries shouldn't make a difference to Redbox. No matter what, they are still making a sale, even if they don't have 100% control over the purchase.

Inside Redbox is mum on details and calls to Redbox's PR agency didn't shed any light on the situation, but the two most "controversial" features included in the app are a list of codes for free Redbox movies and the fact that the app relies on Redbox's website for most of its content.

One theory for why Redbox doesn't seem to care about iPhone customers is that while they've been able to get a lot of buzz using their free movie offers online, consumers haven't been all that aggressive about redeeming the promotions. Since iPhone customers have access to the most recent free offers while they are actually standing in front of the Redbox kiosk, it makes it easier for customers to take advantage of their specials.

If this is the reason why Redbox killed the application, my response would be that Redbox hasn't solved their problem, they've just made it more difficult to work out a reasonable compromise with their customers. It won't take consumers very long to figure out that they can bookmark Inside Redbox's list of free codes or RedboxCodes.com on their iPhones and still have access to the same information.

Rather than fighting progress, Redbox should be using the relationships formed through the application to streamline their movie promotions. They already restrict some of their offers to new customers only, so why can't they work out a deal for iPhone promotions? Wouldn't it be better for Inside Redbox iPhone users to have a 10% chance at "winning" a free movie instead of killing the app and forcing these customers underground? By trying to bring the hammer down on this neat little application, they'll only end up upsetting customers instead of addressing a weakness in how they've chosen to promote their service. Just because the iPhone app doesn't fit into their mold of what marketing should be doesn't mean that killing it is the best solution.

A second theory for why Redbox may have requested that the app be pulled is that Inside Redbox uses Redbox.com's website for a healthy chunk of its content. Some businesses may object to this and want to have 100% control over how their customers are "allowed" to use their product, but smart companies see the benefits of being open. In fact, open APIs are becoming increasingly common in the tech industry. By allowing third parties to mash up and repurpose your data, entirely new creations are possible. This is why some of the most successful companies have business models that encourage outsiders to partner with them. The Inside Redbox app may repackage content from Redbox's website, but when push comes to shove, it's really no different than an internet browser. Is it really better for Redbox to force their customers to have a subpar experience using the Redbox.com website on the iPhone instead of an app that is specifically designed to be viewed on the small screen? I don't think so.

Asking Inside Redbox to pull their program is a bit like asking Microsoft to not allow Redbox's website to be shown on Internet Explorer. If Redbox really objects to how their content is being used, they have the power to change it. Instead of trying to kill the third party programs that tap into what they've already created, they should be encouraging their fans to mix, mash and experiment to create new experiences for their customers.

To date, Redbox has managed to stay ahead of the competition by being nimble and by nurturing a passionate and dedicated fan base. Their decision to now turn on the very fans who cared about them long before their mainstream momentum, says a lot about how fickle their business decisions really are. Instead of acting like the innovator that I know they are, they are acting like a big media company. Hopefully, Redbox comes to their senses and "authorizes" the use of an app that only makes their service more valuable to their customers.

Davis Freeberg is a technology enthusiast living in the Bay Area. He enjoys writing about movies, music, and the impact that digital technology is having on traditional media. Read more at Davis Freeberg's Digital Connection.


http://www.zatznotfunny.com/2009-03/why-is-redbox-afraid-of-the-big-bad-iphone/


March 2009: Patient self-service kiosks are being used with growing frequency in hospital ambulatory settings and emergency departments. These interactive computer stations, which come in a variety of designs, perform self-service tasks such as patient check-in, collection of co-payments, and wayfinding. In a hospital waiting area, they can speed the process for patients and take some of the workload from registration personnel, who are then freed up to help patients with more complicated registration or payment needs.

Compared to other technologies such as electronic medical records or clinical systems, patient kiosks are relatively easy to implement, require a small investment, and can be deployed selectively to the departments that are likely to benefit from their use. Kiosks can be freestanding (like those at the airport), wall-mounted (like bank ATMs), placed on a countertop, or they can be mobile (like a tablet PC). In addition to the relatively simple functions of check-in and co-payments, kiosks can be designed to facilitate language translation, the signing of patient consent forms, gathering demographic and clinical information for triage, and performing satisfaction questionnaires.

The experiences of leading hospitals have shown that kiosks can increase patient satisfaction by reducing waiting times and offering greater convenience and privacy. Many organizations also achieve significant operational benefits, including increased patient throughput and improved accuracy of demographic data in patient records.

Although fewer than 10% of health delivery organizations have implemented patient kiosks, the experiences of early adopters show that kiosks can be effective tools for improving service and efficiency and meeting rising consumer expectations. 


Healthcare_2009_TouchscreenCheckInKiosks.pdf

Cloud Computing - What is it?

A question about cloud computing resources was raised by a member of the Health Informatics group we participate in. Health technology is a very hot potato right now, so to speak. Here is the link from Thinclient.org.

Heartland Payment Systems (HPY), one of the largest credit card processors in North America, is finally being called on the carpet for the apparent lapses in Payment Card Industry Data Security Standard (PCI DSS) compliance that contributed to the largest data breach of 2008, perhaps even the largest breach ever, considering that the full extent of the exposure has yet to be determined.

Called on the carpet sort of, anyway; the sanctions and guidance laid out by Visa (V) seem a little lackluster when weighed against the severity and duration of the breach.

Given that Visa is now considered the most likely of several candidates for inclusion in the Dow Jones Industrial Average, taking up slack from the soon-to-be-sidelined Citigroup (C) and Bank of America (BAC), it is not surprising that they do not want to call too much attention to the situation:

On January 20th of this year, Heartland Payment Systems (HPS) publicly disclosed a large-scale compromise involving account data from all card brands. In light of this event, Visa has taken the following actions to help protect the Visa system:

CAMS Alerts - Between January 18th and February 4th Visa issued a series of Compromised Account Management System (CAMS) alerts (US-2009-046-IC) to financial institutions related to this compromise event. Providing this information can help financial institutions act quickly to minimize fraud on exposed card accounts.

It is worth noting here that Visa and MasterCard (MA) reported anomalies to Heartland in late October, roughly two and a half months before the CAMS alerts were issued.

The rest of the story


Wal-Mart Stores is striding into the market for electronic health records, seeking to bring the technology into the mainstream for physicians in small offices, where most of America's doctors practice medicine.

Wal-Mart's move comes as the Obama administration is trying to jump-start the adoption of digital medical records with $19 billion of incentives in the economic stimulus package.

The company plans to team its Sam's Club division with Dell for computers and eClinicalWorks, a fast-growing private company, for software. Wal-Mart says its package deal of hardware, software, installation, maintenance and training will make the technology more accessible and affordable, undercutting rival health information technology suppliers by as much as half.

"We're a high-volume, low-cost company," said Marcus Osborne, senior director for health care business development at Wal-Mart. "And I would argue that mentality is sorely lacking in the health care industry."

The Sam's Club offering, to be made available this spring, will be under $25,000 for the first physician in a practice, and about $10,000 for each additional doctor. After the installation and training, continuing annual costs for maintenance and support will be $4,000 to $6,500 a year, the company estimates.

Wal-Mart says it had explored the opportunity in health information technology long before the presidential election. About 200,000 health care providers, mostly doctors, are among Sam's Club's 47 million members. And the company's research showed the technology was becoming less costly and interest was rising among small physician practices, according to Todd Matherly, vice president for health and wellness at Sam's Club.

The financial incentives in the administration plan -- more than $40,000 per physician over a few years, to install and use electronic health records -- could accelerate adoption. When used properly, most health experts agree, digital records can curb costs and improve care.

But many, especially physicians in small offices, doubt the wisdom of switching to electronic health records, given their cost and complexity.

Only about 17 percent of the nation's physicians are using computerized patient records, according to a government-sponsored survey published last year in The New England Journal of Medicine. The use of electronic health records is widespread in large physician groups, but three-fourths of the nation's doctors work in small practices of 10 physicians or fewer.

Wal-Mart, however, has the potential to bring not only lower costs but also an efficient distribution channel to cater to small physician groups. Traditional health technology suppliers, experts say, have tended to shun the small physician offices because it has been costly to sell to them. Taken together, they make up a large market, but they are scattered.

"If Wal-Mart is successful, this could be a game-changer," observed Dr. David J. Brailer, former national coordinator for health information technology in the Bush administration.

In the package, Dell is offering either a desktop or a tablet personal computer. Many physicians prefer tablet PCs because they more closely resemble their familiar paper notepads and make for easier communication with the patient, since the doctor is not behind a desktop screen.

EClinicalWorks, which is used by 25,000 physicians, mostly in small practices, will provide the electronic record and practice management software, for billing and patient registration, as a service over the Internet. This "software as a service" model can trim costs considerably and make technical support and maintenance less complicated, because less software resides on the personal computer in a doctor's office.

Dell will be responsible for installation of the computers, while eClinicalWorks will handle software installation, training and maintenance. Wal-Mart is using its buying power for discounts on both the hardware and software.

Wal-Mart's role, according to Mr. Osborne, is to put the bundle of technology into an affordable and accessible offering. "We're the systems integrator, an aggregator," he said.

The company's test bed for the technology it will soon offer physicians has been its own health care clinics, staffed by third-party physicians and nurses. Started in September 2006, 30 such clinics are now in stores in eight states. The clinics use the technology Wal-Mart will offer to physicians.

"That's where the learning came from, and they were the kernel of this idea," Mr. Osborne said.

The healthcare kiosk market is estimated to be over $800M by 2013. One of the reasons is that the inefficiencies of the old model (i.e., paper in triplicate) can no longer be sustained.

What are the Benefits of the new systems?

Benefits

- 24 x 7 access for patients to pay via credit card or electronic check

- Simplified view of patient statements

- Ability to pay multiple accounts with one transaction

- Automatic payment reconciliation with the billing system

- Ability to offer payment plans and recurring payments

- Insurance payment and adjustment information

- Works with multiple billing systems where necessary

- Secure communication with financial staff

- Email notification of new bills and billing updates

- Uses your existing merchant services

- Robust FAQ and glossary to reduce business office call volume

- Branded to your organization

- Standard and configurable reports


How do those benefits translate into ROI?

- Transaction results show that 76% of all transactions are successfully completed at kiosks, and this percentage is steadily increasing.

- Savings: the VA has concluded that it saves 1.5 FTEs per kiosk overall.

- Data improvement: allowing patients to correct demographic data has had impressive results in improving the accuracy of patient records. As a side benefit, the VA reduced returned mailings (due to inaccurate addresses) by 8,000 pieces in a single region, a savings of $150,000 per year.

- Acceptance: initial acceptance of a new kiosk implementation is very high; 54% preferred to use the kiosk (this rises quickly, see the 76% figure above).

- Demographics: the average age of a kiosk user in the VA is 62. To arrive at that average, many thousands of patients well over age 62 use the kiosk.

- Increased compliance with data accuracy goals and positive identification standards

- Increased compliance with pre-registration, JCAHO and positive identification mandates

Source: The Pittsburgh VA Medical Center


Here is a table comparing and grading the different systems:

Overall Functionality Rating

Category                        eCW   McKesson  Medfusion   IBM   NCR   Seepoint  Vecna Technologies, Inc.
Patient Kiosk                   58%      69%       77%      53%   91%      82%             72%
Patient Portal                  90%      79%       95%      58%  100%      29%            100%
Provider / Referring MD Portal   0%       0%       16%      47%   53%       0%            100%
Pharmacy Portal                100%     100%      100%      50%  100%       0%            100%
Language                        56%      31%       56%     100%   81%     100%            100%
Total                           68%      64%       78%      62%   91%      55%             90%




Through October 29, 2008, Trustwave's forensics practice has investigated 443 cases of cardholder data compromise. The information in this article is the culmination of almost seven years of card compromise investigations.

Key Developments in 2008: The Theft of Cardholder Data in Transit

In 2008, the most notable development in payment card compromises is the shift from the theft of cardholder data at rest (stationary on a system component) to its theft in transit (moving through a system). Trustwave's experts have noted that attackers are stealing data in real time by eavesdropping on a particular device and capturing the data as it passes to or through a system, rather than stealing data that is stored on that system.

One example is attackers' use of unauthorized applications (malware) that steal cardholder data from a computer's random access memory (RAM). What is perhaps most unsettling about the trend is that a merchant can use a payment application that complies with the Payment Application Data Security Standard (PA-DSS) or Visa's Payment Application Best Practices (PABP) and still fall victim to a compromise: a validated application avoids storing prohibited data, but the track data still has to sit in memory in the clear while the application processes it, and that is the moment the malware reads it.


Merchants and service providers must recognize that payment card security extends beyond using PABP- or PA-DSS-validated payment applications and eliminating the storage of prohibited cardholder data. Any entity involved in the processing, storage or transmission of payment card data must ensure that it complies with the Payment Card Industry Data Security Standard (PCI DSS). In every case of track data parsing from RAM that Trustwave has examined, the intruder gained the access needed to execute the attack because the victim organization was not fully compliant with the PCI DSS.

General Payment Card Compromise Statistics

The theft of cardholder data in transit is only beginning to show in Trustwave's compromise statistics; however, our experts expect these types of breaches to increase.

Below are more general statistics that, for the most part, have remained constant over the past few years.

Payment Card Acceptance Channel

The channel through which the compromised merchant accepts payment cards (over the Internet, in person, over the telephone or through the mail) is where we see the greatest variation between North America and EMEA (Europe, the Middle East and Africa) cases. In North America, the majority of compromises investigated by Trustwave were of brick-and-mortar merchants; in EMEA, the majority were of e-commerce merchants. This difference accounts for much of the divergence between the North America and EMEA statistics.

Industry

Businesses involved in the food service and retail segments make up the majority of compromises investigated by Trustwave, with approximately half of the compromises occurring at food service locations. In North America, the majority of compromises occurred at food service establishments. In the EMEA region, the majority of Trustwave investigations were of payment card breaches at merchants within the retail sector.

Cases by Responsibility for Payment System Administration

Many North American merchants investigated by Trustwave use outdated payment systems or do not configure them securely. A misconfigured payment application stores, or insecurely transmits, cardholder data that an attacker can then steal. Often a third party configured those applications, so negligence on the part of the third party is a frequent contributor to the payment card compromises investigated in North America. Because outmoded payment applications are not as prevalent in EMEA as in North America, neither are the problems caused by third-party installation, configuration or maintenance of such applications.

Common PCI DSS Failures of Compromised Merchants

For the most part, the PCI DSS requirements that compromised merchants fail to meet are the same in EMEA and North America, although the two regions fail them at different rates. The requirements that compromised merchants failed to fulfill include:

  • Requirement 3: Protect stored cardholder data
  • Requirement 6: Develop and maintain secure systems and applications
  • Requirement 10: Track and monitor all access to network resources and cardholder data
  • Requirement 12: Maintain a policy that addresses information security for employees and contractors

Cases by Technical Cause

Trustwave finds that five technical causes contribute to the majority of payment card compromises across both North America and EMEA:

  • SQL Injection: Exploiting flaws in a Web application to force the back-end database to disclose information it stores (such as cardholder data)
  • Remote Access: Gaining entry through remote-control software used to operate a computer from another location
  • Backdoor/Trojan: Installing malware on a system to gain access to a network
  • Perimeter Security Issue: Lack of, or insecurely configured, perimeter security
  • Weak Passwords: Guessing authentication credentials (username and password)

The majority of compromises investigated by Trustwave in North America occurred due to insecure payment applications that store prohibited data; however, as previously noted, the theft of cardholder data in transit is on the rise.

SQL injection is the number one cause of the compromise cases investigated by Trustwave in EMEA. Again this can be attributed to the fact that more e-commerce merchants are compromised in EMEA: an e-commerce merchant must have a public-facing Web site in order to conduct business, and so leaves part of its systems exposed to attack.
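As an added example (not from the article), here is the SQL injection pattern it describes, in miniature: a product search on a merchant's Web site that splices the visitor's search term into the query, beside the same search with the term bound as a parameter. The schema, rows and card numbers (published test PANs) are constructed for the example; the `stored_cards` table stands in for the prohibited stored data the article says attackers are after, and SQLite stands in for whatever database the merchant actually runs.

```python
import sqlite3
from typing import List, Tuple


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory schema: a public product catalogue plus a table of
    prohibited stored card data (the kind of data the article says compromised
    merchants were keeping). Rows are made up; the PANs are published test numbers."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (name TEXT, price TEXT);
        INSERT INTO products VALUES ('Kiosk stand', '199.00'), ('Touch screen', '450.00');
        CREATE TABLE stored_cards (pan TEXT, expiry TEXT);
        INSERT INTO stored_cards VALUES ('4111111111111111', '2512'), ('5555555555554444', '2701');
    """)
    return conn


def search_products_vulnerable(conn: sqlite3.Connection, term: str) -> List[Tuple[str, str]]:
    """The flaw: string formatting makes the visitor's input part of the SQL grammar."""
    sql = f"SELECT name, price FROM products WHERE name LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


def search_products_hardened(conn: sqlite3.Connection, term: str) -> List[Tuple[str, str]]:
    """The fix: parameter binding, so the input is only ever a string value, never SQL."""
    sql = "SELECT name, price FROM products WHERE name LIKE ?"
    return conn.execute(sql, (f"%{term}%",)).fetchall()


# A constructed attacker search term. The leading quote closes the LIKE literal,
# UNION appends rows from a table the page never intended to expose, and the
# trailing comment marker discards the rest of the original statement.
INJECTION = "' UNION SELECT pan, expiry FROM stored_cards -- "


if __name__ == "__main__":
    db = build_demo_db()
    print("honest search:   ", search_products_vulnerable(db, "stand"))
    print("injected, vuln:  ", search_products_vulnerable(db, INJECTION))
    print("injected, fixed: ", search_products_hardened(db, INJECTION))
```

With the vulnerable version the injected search returns the two catalogue rows and, appended to them, both card records; the hardened version returns nothing for the same input because no product is named after the attacker's string. Parameter binding does not neutralize LIKE wildcards (`%` and `_`), so escape those separately if wildcard abuse matters for the query in question.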

Conclusion and Merchant Action Items

The key take-away from this analysis of card compromise cases is that merchants must comply with the PCI DSS. Plenty of data security pundits continue to disparage the standard; however, the PCI DSS provides a comprehensive security standard that, if followed, prevents the theft of cardholder data. To protect themselves and their customers, merchants must take a holistic approach to data security, such as the one prescribed and explained in the PCI DSS.



Bob French of Mix&Burn, at PMA in Las Vegas, demonstrates on his countertop kiosk how music downloads to an iPod work. Many in the industry believe that additional revenue channels like this, coupled with conventional (and unconventional) photo kiosks, are how the "photo kiosk" will grow into its next generation. Here is a link to the video.


