Going beyond current PCI security standards

Acknowledging the need for controls that go beyond those offered by the Payment Card Industry (PCI) Data Security Standard, a senior Visa Inc. executive Thursday described two new initiatives to reduce payment card fraud being tested by the company.


One of the pilots involves Fifth Third Bank, which is testing the use of magnetic stripe technology to create unique digital fingerprints for cards, said Ellen Richey, Visa's chief enterprise risk officer. Each stripe contains unique characteristics that can be captured and used to verify the digital identity of the card, Richey said during at a security event being hosted by Visa today. The goal is to stop the creation and use of counterfeit cards based on stolen payment card data.

Another initiative, being piloted by retailer OfficeMax Inc., involves the use of a challenge-response technique at the point of sale. The project is aimed at testing the efficacy of asking consumers to respond to specific questions such as their ZIP code, the last four digits of their phone numbers, or the first three digits of their area codes, as part of the transaction approval process.

Dan Roeber, vice president and manager of merchant PCI compliance at Fifth Third, said the bank had rolled out about 1,000 card readers to retailers who have not been informed about the pilot effort. The terminals are capable of reading the magnetic stripe information and creating a "DNA picture" of the card which is then matched during the authorization process, against baseline information for that card stored by the card issuer, he said during a panel discussion at the event Thursday.

During the pilot process, baseline images or fingerprints for a card are created when it is first swiped through one of the new readers, Roeber said. But going forward, if the approach works, baseline images for each card could be created and stored during the card issuing process itself, Roeber said. "Even if somebody gets into a database and makes fraudulent cards, the DNS fingerprints are not going to match," Roeber said. "The thing I really like about this technology is that there are no key management issues," as is the case with the use of end to end encryption for protecting cardholder data.

"We are very excited about this technology," he said.

Fifth Third is one of several "acquiring banks," which are responsible for authorizing retailers to accept payment card transactions.

William Van Orman, treasurer for OfficeMax, said the retailer had rolled out its challenge-response process to about 1,000 of its stores across Illinois, Indiana and Florida. The process, which has required changes to point-of-sale systems at these locations, involves asking customers ZIP codes or other personal information after swiping a card. The responses are then matched against responses to these questions that were previously selected by the consumer.

For the pilot, the emphasis was on simply trying to understand what kind of changes needed to be made to the point-of-sale systems, and the kind of impact the new authorization process would have on merchants and consumers, Van Orman said. Customers were informed that the data was being requested for a pilot project and had the chance to opt out if they chose to, Orman said. After an initial six-month period, the pilot project has been extended by another four months at the request of Visa, he said. "Overall we think it's a successful project," he said.

Richey said that while these projects were not quite ready for broad roll-out yet, they were indicative of the kind of approaches that could be used to make stolen data useless at the point of sale.

Richey also highlighted Visa's efforts to give consumers more tools to fight fraud. One of them is a new service called the Transaction Alert system, and is currently available to Chase cardholders with Android-based smartphones, she said. The service provides real-time alerts of purchase activity on their mobile devices, which consumer can tailor using information such as whether they were online transactions, and locations where the transactions were made. The program will become available to all card issuers later this year, she said.

The other program, which is still in development, is called Targeted Acceptance and would allow consumers to set personal limits on how, where and what amounts their cards can be used for. The service is already available to commercial customers and will be rolled out to consumers as well, Richey said.

Richey said Visa was not opposed in the future to the idea of using chip and PIN technologies that are used widely in Europe. They require consumers to enter PIN numbers, instead of signing, when making credit card transactions. The approach is widely considered to be safer than purely signature-based transaction, but it would require considerable investments on the part of card issuers to make the change. Richey said today that Visa "fully" supports the technology and said it was not a matter of "if" but "when" and "how" the technology would be adopted in the U.S.

Dave Weick, CIO at McDonalds Corp., discussed during a panel a new plan to minimize threats against payment card data. He described how the fast-food giant was exploring how to completely segregate all payment card data and transactions from the rest of its internal network. Weick said McDonalds had developed a way to accept payment card transactions without letting any of that data touch any of its own internal systems, including its point-of-sale devices.

No one in the company's internal system would have access to any cardholder data, and even the portion of the network that deals with card transactions would be handled by an outside vendor, Weick said. "We are very early on in this," he said, adding that the plan was to first roll out the approach to company-owned restaurants before deploying it across all franchises.

Recent Entries

CUPPS: The Platform of the Future (Airline Kiosk)
CUPPS has been architected as the platform of the future, able to accommodate many things even beyond the agent-facing applications…
EMV takes aim at U.S.
Nice article on SecureIDnews covering EMV. by Andy Williams, Associate Editor, Avisian PublicationsLike a massive tidal wave, EMV continues to roll…
Tokenization and Enterprise Security
Nice article on tokenization which also highlights lack of formal standards for tokenization at this time. Credit Card Tokenization: Put All…
Wal-Mart's Kiosk Trial Raises Serious PCI, Data Ownership Issues
Wal-Mart this month became the latest major retailer to experiment with self-service kiosks, selling space in 77 stores for units…
Proximity (NFC) Mobile Payment Technology - Security Whitepaper
The opportunities offered by the advent of proximity mobile payments are clear; differentiated payment services, increased transaction volumes, faster transactions,…
Look Beyond Hospitality Touch Screen Solutions
Whether you realize it or not, touch technology quickly is becoming the intuitive input delivery method of choice. Look no…
Level 4: The small-merchant PCI challenge
While sensational data breaches experienced by big-box retailers and processors fill the headlines, 85 percent of reported data compromises involve…
ATM Card Skimming and Pin Capture
ATM Card Skimming is a method used by criminals to capture data from the magnetic stripe on the back of…
Background - Use of Electronic Health Records in U.S. Hospitals
Report from New England Journal of Medicine on Electronic Health Records. Concludes - very low levels of adoption in U.S.…
PCI DSS in real life -- Requirement 1 Firewall
Excerpt: Critical to the selection was choosing a vendor that best met PCI DSS (Payment Card Industry Data Security Standard)…
User Interface & Content - Can I Use My Website?
Web sites, self-service can play nicely together according to Jim Kruper of Kioware.  With the increasing number of devices that…
Resource Link - Understanding credit card transaction fees
Merchants accounts, gateways and rates. Having your kiosk process credits cards swiped locally (card present) come with regulatory standard considerations…
Whitepaper - Introduction to CFM or Customer Flow Management
CFM or Customer Flow Management systems are found in more verticals/markets than any other application. Here is a technical document…
Compliance Resource: ETA and Electronic Transaction Compliance
Worth noting Heartland Payment Systems and RBS Worldpay have been removed from Visa Inc.'s list of PCI compliant service providers and…
Going beyond current PCI security standards
Acknowledging the need for controls that go beyond those offered by the Payment Card Industry (PCI) Data Security Standard, a senior…
ADA Requirements - Changes in California
In late 2008 the California legislature passed a stronger version of ADA which was Senate Bill 1608. This bill became…
Opinion - Why is Redbox Afraid of the iPhone?
Over the last few years, Redbox has been able to build an impressive DVD rental network by being innovative and…
Research Report - Touchscreen Check-In: Kiosks Speed Hospital Registration
March 2009 -- Patient self-service kiosks are being used with growing frequency in hospital ambulatory settings and emergency departments. These interactive…
Cloud Computing - What is it?
Cloud computing resources question was raised by a member of Health Infomatics group we participate in. Health technology right now…
Heartland Put on Probation for Security Breach
Heartland Payment Systems (HPY), one of the largest credit card processors in North America, is finally being called to the…



  |