<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
    <title>Go Kiosk by the Kiosk Industry Group</title>
    <link rel="alternate" type="text/html" href="http://www.gokiosk.net/kiosk/" />
    <link rel="self" type="application/atom+xml" href="http://www.gokiosk.net/kiosk/atom.xml" />
    <id>tag:www.gokiosk.net,2008-08-18:/kiosk//4</id>
    <updated>2010-02-12T20:08:22Z</updated>
    <subtitle>Kiosk and kiosks for self service in retail, financial, healthcare and more.</subtitle>
    <generator uri="http://www.sixapart.com/movabletype/">Movable Type Pro 4.3-en</generator>

<entry>
    <title>Flaws in chip and pin bank card security identified</title>
    <link rel="alternate" type="text/html" href="http://www.gokiosk.net/kiosk/2010/02/flaws-in-chip-and-pin-bank-card-security-identified.html" />
    <id>tag:www.gokiosk.net,2010:/kiosk//4.84</id>

    <published>2010-02-12T20:01:31Z</published>
    <updated>2010-02-12T20:08:22Z</updated>

    <summary>Scientists have identified security flaws in chip and pin technology that they say are so serious as to require a rethink of the whole system. The Cambridge University researchers discovered a loophole that could be used to make bank card payments...</summary>
    <author>
        <name>Administrator</name>
        <uri>http://www.keefner.com</uri>
    </author>
    
        <category term="Point of Sale" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Regulatory Standards" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Security" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="chipon" label="chip on" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://www.gokiosk.net/kiosk/">
        <![CDATA[<span class="Apple-style-span" style="color: rgb(70, 70, 70); font-family: verdana, helvetica, arial, sans-serif; border-collapse: collapse; line-height: 18px; "><p style="margin-top: 8px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 10px; padding-left: 0px; outline-width: 0px; outline-style: initial; outline-color: initial; font-size: 0.9em; ">Scientists have identified security flaws in chip and pin technology that they say are so serious as to require a rethink of the whole system.</p><p style="margin-top: 8px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 10px; padding-left: 0px; outline-width: 0px; outline-style: initial; outline-color: initial; font-size: 0.9em; ">The Cambridge University researchers discovered a loophole that could be used to make bank card payments without knowing the correct pin.</p><p style="margin-top: 8px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 10px; padding-left: 0px; outline-width: 0px; outline-style: initial; outline-color: initial; font-size: 0.9em; "><a href="http://news.bbc.co.uk/2/hi/science/nature/8511710.stm">Link for Video</a></p></span> ]]>
        
    </content>
</entry>

<entry>
    <title>Self-service trends in 2010</title>
    <link rel="alternate" type="text/html" href="http://www.gokiosk.net/kiosk/2010/01/self-service-trends-in-2010.html" />
    <id>tag:www.gokiosk.net,2010:/kiosk//4.83</id>

    <published>2010-01-06T17:57:11Z</published>
    <updated>2010-01-06T17:59:19Z</updated>

    <summary><![CDATA[Craig Keefner&nbsp;•&nbsp;05 Jan 2010 By the end of 2009, there were almost 30,000 DVD-vending kiosks deployed, with more on the way. This application&nbsp;likely has surpassed the photo kiosk as the second-most visible symbol of self-service working, next to grocery self-checkout. Anticipating...]]></summary>
    <author>
        <name>Administrator</name>
        <uri>http://www.keefner.com</uri>
    </author>
    
    <category term="selfservicekiosktrends" label="self-service kiosk trends" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://www.gokiosk.net/kiosk/">
        <![CDATA[<span class="Apple-style-span" style="color: rgb(0, 0, 0); font-family: Verdana; font-size: 11px; -webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; "><p class="bodytext" style="font-family: Verdana; font-size: 11px; "><a href="mailto:?Subject=Self-service%20trends%20in%202010">Craig Keefner</a>&nbsp;<br />•&nbsp;05 Jan 2010</p><p></p><div style="padding-right: 145px; "><span class="newtext" style="font-family: Verdana; font-size: 13px; "><p><font face="Verdana" size="2">By the end of 2009, there were almost 30,000 DVD-vending kiosks deployed, with more on the way. This application</font><font face="Verdana" size="2">&nbsp;likely has surpassed the photo kiosk as the second-most visible symbol of self-service working, next to grocery self-checkout. Anticipating the next such "big thing" keeps all of us in the kiosk industry busy following the tweets and news in the hope of catching the next wave.</font></p><p><font face="Verdana" size="2">Here is a roundup of 2010's&nbsp;potential suspects, from my point of view,&nbsp;</font><font face="Verdana" size="2">divided into three market groups --&nbsp;maturing, growth and new drivers.</font></p><p><b><font face="Verdana" size="2">Maturing market</font></b></p><p><font face="Verdana" size="2">Vending and reverse vending -- These are apps where customers put money in to get a product, with the DVD kiosk being a prime example. Reverse vending is where products/goods are deposited into a machine and money/credit is given to the customer.&nbsp;The ecoATM self-service e-cycling kiosks&nbsp;would be an example of this, and the TITO ticket and token redemption machines in&nbsp;Las&nbsp;Vegas are good examples as well.</font></p><p><span class="Apple-style-span" style="font-size: small;"><a href="http://kioskmarketplace.com/article.php?id=23494&amp;na=1"><b>Complete Article</b></a></span></p></span></div></span> ]]>
        
    </content>
</entry>

<entry>
    <title>Radiant Being Sued by Restaurants for violating PCI Compliance</title>
    <link rel="alternate" type="text/html" href="http://www.gokiosk.net/kiosk/2009/12/radiant-being-sued-by-restaurants-for-violating-pci-compliance-1.html" />
    <id>tag:www.gokiosk.net,2009:/kiosk//4.82</id>

    <published>2009-12-03T14:58:37Z</published>
    <updated>2009-12-03T19:56:25Z</updated>

    <summary><![CDATA[Radiant being sued not over its Aloha system which is PCI-validated but over the use of PC Anywhere. Restaurants Sue Vendor for Unsecured Card Processor By&nbsp;Kim Zetter&nbsp;&nbsp;November 30, 2009 &nbsp;|&nbsp;&nbsp;11:44 pm &nbsp;|&nbsp;&nbsp;Categories:&nbsp;Breaches,&nbsp;The Courts Seven restaurants have sued the maker of a bank card-processing...]]></summary>
    <author>
        <name>Administrator</name>
        <uri>http://www.keefner.com</uri>
    </author>
    
        <category term="Lessons Learned" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="PCI Compliance" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="pcivalidatedpaymentapplication" label="PCI validated payment application" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://www.gokiosk.net/kiosk/">
        <![CDATA[<span class="Apple-style-span" style="font-family: Arial, Verdana, sans-serif; font-size: 14px; "><h1 style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; line-height: 1.3; color: rgb(51, 51, 51); font-size: 1.7em; "><font class="Apple-style-span" size="6"><span class="Apple-style-span" style="font-size: 19px; line-height: 24px;">Radiant being sued not over its Aloha system which is PCI-validated but over the use of PC Anywhere.</span></font></h1><h1 style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; font-family: Arial, Verdana, sans-serif; line-height: 1.3; color: rgb(51, 51, 51); font-weight: bold; font-size: 1.7em; "><br /></h1><h1 style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; font-family: Arial, Verdana, sans-serif; line-height: 1.3; color: rgb(51, 51, 51); font-weight: bold; font-size: 1.7em; ">Restaurants Sue Vendor for Unsecured Card Processor</h1><div class="entryDescription" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 5px; padding-right: 0px; padding-bottom: 5px; padding-left: 0px; font-size: 0.85em; "><ul style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; "><li class="entryAuthor" style="margin-top: 0px; margin-right: 10px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; display: inline; list-style-type: none; ">By&nbsp;<a href="http://www.wired.com/threatlevel/author/kimzetter/" title="Posts by Kim Zetter" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; 
padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; color: rgb(0, 124, 165); text-decoration: none; outline-style: none; outline-width: initial; outline-color: initial; ">Kim Zetter</a>&nbsp;<a href="mailto:kzetter@wired.com" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; color: rgb(0, 124, 165); text-decoration: none; outline-style: none; outline-width: initial; outline-color: initial; "><img src="http://www.wired.com/threatlevel/wp-content/themes/wired/images/envelope.gif" width="14" height="11" border="0" alt="Email Author" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; border-top-style: none; border-right-style: none; border-bottom-style: none; border-left-style: none; border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border-color: initial; border-width: initial; border-color: initial; " />&nbsp;</a></li><li class="entryDate" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; display: inline; list-style-type: none; ">November 30, 2009 &nbsp;|&nbsp;&nbsp;</li><li class="entryTime" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; display: inline; list-style-type: none; ">11:44 pm &nbsp;|&nbsp;&nbsp;</li><li class="entryCategories" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; display: inline; list-style-type: none; ">Categories:&nbsp;<a href="http://www.wired.com/threatlevel/category/breaches/" title="View all posts in 
Breaches" rel="category tag" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; color: rgb(0, 124, 165); text-decoration: none; outline-style: none; outline-width: initial; outline-color: initial; ">Breaches</a>,&nbsp;<a href="http://www.wired.com/threatlevel/category/the-courts/" title="View all posts in The Courts" rel="category tag" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; color: rgb(0, 124, 165); text-decoration: none; outline-style: none; outline-width: initial; outline-color: initial; ">The Courts</a></li><li class="entryEdit" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; display: inline; list-style-type: none; "></li></ul></div><div class="entry" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; line-height: 1.4; "><p style="margin-top: 15px; margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; "><a href="http://www.wired.com/images_blogs/threatlevel/2009/11/creditcard.jpg" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; color: rgb(0, 124, 165); text-decoration: none; outline-style: none; outline-width: initial; outline-color: initial; "><img class="alignright size-full wp-image-11562" title="creditcard" src="http://www.wired.com/images_blogs/threatlevel/2009/11/creditcard.jpg" alt="creditcard" width="400" height="300" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 5px; 
padding-right: 0px; padding-bottom: 5px; padding-left: 20px; border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border-color: initial; border-width: initial; border-color: initial; display: inline; float: right; border-style: initial; border-color: initial; " /></a>Seven restaurants have sued the maker of a bank card-processing system for failing to secure the product from a Romanian hacker who breached their systems.</p><p style="margin-top: 15px; margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; ">The restaurants, located in Louisiana and Mississippi,&nbsp;<a href="http://www.prlog.org/10425165-secret-service-investigation-class-action-lawsuit-cast-shadow-over-radiant-systems-and-distributo.html" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; color: rgb(35, 141, 177); text-decoration: none; outline-style: none; outline-width: initial; outline-color: initial; ">filed a class-action suit</a> against Georgia-based Radiant Systems for producing a point-of-sale (POS) system that they say was not compliant with payment card industry security standards and resulted in an undetermined number of customers having their debit and credit card numbers stolen.</p><p style="margin-top: 15px; margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; ">The suit alleges that the system stored all the data embedded on the bank card magnetic stripe after the transaction was completed -- a violation of industry security standards that made it a high-risk target for hackers.</p><p style="margin-top: 15px; margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; ">Also 
named in the suit is Computer World, a Louisiana-based retailer, which sold and maintained Radiant's <a href="http://www.radiantsystems.com/industries/hospitality/point-of-sale-software.htm" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; color: rgb(0, 124, 165); text-decoration: none; outline-style: none; outline-width: initial; outline-color: initial; ">Aloha POS system</a>.</p><p style="margin-top: 15px; margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; ">According to plaintiffs, Computer World's technicians allegedly installed the remote-access program PCAnywhere on the systems to allow its technicians to fix technical problems from off-site. The only problem is, the company failed to secure the program. The suit alleges that the system was not up to date with software patches, and the PCAnywhere remote log-in and password that technicians used to access the POS systems was the same at every one of the 200 Louisiana locations where the system was installed. 
According to one of the plaintiffs who spoke with Threat Level, the default login was "administrator" and the password was "computer."</p><p style="margin-top: 15px; margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; ">As a result, a hacker, believed to be based in Romania, accessed the systems of at least 19 businesses through the PCAnywhere software, and possibly others, plaintiffs say. Once inside, the hacker installed malware to grab card data as it was swiped and send it to an e-mail address in Romania. 
The hack follows a&nbsp;<a href="http://www.wired.com/threatlevel/2009/08/tjx-hacker-charged-with-heartland/" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; color: rgb(35, 141, 177); text-decoration: none; outline-style: none; outline-width: initial; outline-color: initial; ">wave of similar attacks</a>&nbsp;that targeted point-of-sale systems at other national retailers and restaurant chains between 2005 and early 2009, including Dave &amp; Busters restaurants, Hannaford Brothers, TJX,&nbsp;<a href="http://www.wired.com/threatlevel/2009/10/walmart-hack/" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; color: rgb(0, 124, 165); text-decoration: none; outline-style: none; outline-width: initial; outline-color: initial; ">Wal-Mart</a>&nbsp;and others.</p><p style="margin-top: 15px; margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; ">The suit was filed in March in the U.S. District Court in Louisiana, but the court ruled only last week that the seven plaintiffs could proceed as a group with their case, opening the way for additional plaintiffs to join the litigation.</p><p style="margin-top: 15px; margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; ">"We want other restaurants nationally to be aware of the hidden dangers posed by these technology companies and the unfair penalties imposed by the credit card companies," said plaintiffs attorney Shiel Gallagher in a press release. 
"These huge companies shouldn't have the power to destroy these restaurants."</p><p style="margin-top: 15px; margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; ">The plaintiffs include Crawfish Town USA, Don's Seafood &amp; Steak House, Jone's Creek Cafe, Mel's Diner, Picante's Mexican Restaurant, Sammy's Grill and a Best Western. Two other restaurants have also sued Radiant Systems and Computer World separately.</p><p style="margin-top: 15px; margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; ">The restaurants are seeking millions in damages to recover their costs from the breach. These include fines levied against them from Visa and other credit card companies for failing to be PCI-compliant, the cost of forensic audits to uncover the source of the breach, chargebacks to cover fraudulent charges made on customer accounts and reimbursements to card providers who had to issue new customer cards.</p><p style="margin-top: 15px; margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; ">According to the&nbsp;<a href="http://www.wired.com/images_blogs/threatlevel/2009/11/radiant-petition.pdf" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; color: rgb(0, 124, 165); text-decoration: none; outline-style: none; outline-width: initial; outline-color: initial; ">plaintiffs' court filing</a>&nbsp;(.pdf), Radiant and Computer World were allegedly warned by Visa in April 2007 that the Aloha system, along with POS systems made by five other vendors, were non-compliant because they stored card data. 
Visa also sent out a bulletin in November 2006 warning that one of the most frequent vectors for hackers to penetrate POS systems was through&nbsp;<a href="http://www.wired.com/images_blogs/threatlevel/2009/11/top_three_pos_system_vulnerabilities_112106.pdf" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; color: rgb(0, 124, 165); text-decoration: none; outline-style: none; outline-width: initial; outline-color: initial; ">poorly configured or unpatched remote-access software</a>&nbsp;(.pdf) and default passwords. Nonetheless, the restaurants say, Radiant and Computer World sold them a product that was neither PCI-compliant nor secured against a known attack.</p><p style="margin-top: 15px; margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; ">PCI compliance involves 12 requirements that include: installing and maintaining a firewall, changing default vendor passwords, encryption of transaction data while it's being processed and updated security patches and anti-virus definitions, among other things. Businesses that accept bank card payments from customers are contractually required by the payment card industry to have PCI-compliant architectures and to use only products that are PCI-compliant.</p><p style="margin-top: 15px; margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; ">Charles Hoff, general counsel for the Georgia Restaurant Association and one of the plaintiffs' attorneys, says these kinds of security disputes are becoming more common but rarely garner public attention because vendors tend to settle rather than risk exposure through a court case. 
He said this suit was filed only after Radiant refused to take responsibility for the breaches.</p><p style="margin-top: 15px; margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; ">"Radiant ... took a very arrogant attitude about it," he told Threat Level. "I've had other POS vendors who felt they should be accountable, and the end result was that they knew they needed to do the right thing. Radiant I don't think thought we were serious. Radiant's website gives customers the greatest assurance that when it comes to their resellers, they monitor and make sure they're scrutinized and compliant. It really would give you all the confidence in the world if it was actually done."</p><p style="margin-top: 15px; margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; ">Radiant has declined to comment on the details of the suit.</p><p style="margin-top: 15px; margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; ">"What we can say is that Radiant takes data security very seriously and that our products are among the most secure in the industry," Paul Langenbahn, president of Radiant's hospitality division, told the&nbsp;<a href="http://www.ajc.com/business/radiant-systems-sued-over-215910.html" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; color: rgb(0, 124, 165); text-decoration: none; outline-style: none; outline-width: initial; outline-color: initial; "><em style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; ">Atlanta Journal Constitution</em></a>. 
"We believe the allegations against Radiant are without merit, and we intend to vigorously defend ourselves."</p><p style="margin-top: 15px; margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; "><span id="more-11524" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; "></span></p><p style="margin-top: 15px; margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; ">Keith Bond, owner of Mel's Diner in Broussard, Louisiana, told Threat Level that he purchased his Aloha system for $20,000 and installed it around late November 2007. Computer World, he says, convinced him that the system needed to be connected to the internet for faster transaction processing, as opposed to the dial-up modem connection he had been using for processing.</p><p style="margin-top: 15px; margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; ">In April 2008, just a few months after installing the system, one of his employees called to tell him that the mouse cursor on one of three Aloha terminals he'd bought seemed to be moving on its own and that employees were unable to take control of it.</p><p style="margin-top: 15px; margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; ">After contacting Computer World technicians, the restaurant was told to disconnect its system from the internet. A service tech appeared the next day to replace the hard drive, but didn't disclose the nature of the problem or indicate that an intruder had breached the system. 
Bond learned only later that a keystroke logger had been installed on all three of his Aloha terminals, and that the intruder had been siphoning card numbers for about three weeks.</p><p style="margin-top: 15px; margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; ">He discovered this only after Visa and Mastercard contacted him in May to tell him his system had been breached. Bond, whose 24-hour diner processes about 60 to 70 card transactions a day, says 669 card numbers were stolen during the three-week period the hacker was in his system.</p><p style="margin-top: 15px; margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; ">"If they had accessed the server, they would have got thousands of card numbers," Bond said.</p><p style="margin-top: 15px; margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; ">The credit card companies forced him to hire a forensic team to investigate the breach, which cost him $19,000. Visa then fined his business $5,000 after the forensic investigators found that the Radiant Aloha system was non-compliant. MasterCard levied a $100,000 fine against his restaurant, but opted to waive the fine, due to the circumstances.</p><p style="margin-top: 15px; margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; ">Then the chargebacks started arriving. Bond says the thieves racked up $30,000 on 19 card accounts. He had to pay $20,000 and managed to get the remainder dropped. 
In total, the breach has cost him about $50,000, and he says his fellow plaintiffs have borne similar costs.</p><p style="margin-top: 15px; margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; ">Bond said Radiant and Computer World were unresponsive.</p><p style="margin-top: 15px; margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; ">"Radiant just basically hung us out to dry," he says. "It's quite obvious to me that they're at fault.... When you buy a system for $20,000, you feel like you're getting a state-of-the-art system. Then three to four months after I bought the system, I'm hacked into."</p><p style="margin-top: 15px; margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; "><em style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; ">Image courtesy California State Controller's Office</em></p><p style="margin-top: 15px; margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; "><a href="http://securosis.com/blog/quick-thoughts-on-the-point-of-sale-security-fail-lawsuit"><b>Recommended Commentary Link</b></a></p><p style="margin-top: 15px; margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; "><i><br /></i></p></div></span> ]]>
        
    </content>
</entry>

<entry>
    <title>Lessons Learned From PCI Compliance</title>
    <link rel="alternate" type="text/html" href="http://www.gokiosk.net/kiosk/2009/11/lessons-learned-from-pci-compliance.html" />
    <id>tag:www.gokiosk.net,2009:/kiosk//4.80</id>

    <published>2009-11-26T15:45:20Z</published>
    <updated>2009-11-26T15:50:23Z</updated>

    <summary><![CDATA[Assessors reveal mistakes companies make with data security standard. --&nbsp;To help companies get ready for an evaluation, we asked QSAs to describe common problems they encounter when working with IT groups on PCI compliance. What follows are five best...]]></summary>
    <author>
        <name>Administrator</name>
        <uri>http://www.keefner.com</uri>
    </author>
    
        <category term="PCI Compliance" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Regulatory Standards" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Security" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="compliance" label="compliance" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="kiosk" label="kiosk" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="pci" label="pci" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="qsa" label="qsa" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://www.gokiosk.net/kiosk/">
        <![CDATA[<div><span class="Apple-style-span" style="color: rgb(0, 0, 0); font-family: geneva, arial, helvetica; font-size: 12px; font-weight: bold; ">Assessors reveal mistakes companies make with data security standard. --&nbsp;<span class="Apple-style-span" style="font-weight: normal; ">To help companies get ready for an evaluation, we asked QSAs to describe common problems they encounter when working with IT groups on PCI compliance. What follows are five best practices to help companies better prepare for an assessment and maintain compliance.</span></span></div><div><font class="Apple-style-span" color="#000000" face="geneva, arial, helvetica" size="3"><span class="Apple-style-span" style="font-size: 12px;"><b><br /></b></span></font></div><div><font class="Apple-style-span" color="#000000" face="geneva, arial, helvetica" size="3"><span class="Apple-style-span" style="font-size: 12px;"><b><span class="Apple-style-span" style="font-weight: normal; "><p style="font-family: geneva, arial, helvetica; font-size: 12px; "><strong>1. Know Where Data Lives</strong></p><p style="font-family: geneva, arial, helvetica; font-size: 12px; ">First off, you must know how credit card data flows through your system, where the data resides in the enterprise, and who has access to it. Assessors ask for this information at the outset of an assessment because it determines the scope of the project. They aren't there to review your entire security infrastructure, just the systems that collect, process, transport, and store credit card data. A surprising number of companies don't have a good grasp of this information. 
"It's common for a client to completely miss a particular data flow and have no idea that credit card data is being forked off to system X, Y, or Z," says a QSA at Neohapsis, who asked to remain anonymous.</p><p style="font-family: geneva, arial, helvetica; font-size: 12px; ">Companies express an "extreme amount of frustration" over the amount of effort they have to put in to put the full picture together, says Ted Keniston, a QSA and managing consultant with the global compliances group at Trustwave. "We should be validating this information, not determining it."</p><p style="font-family: geneva, arial, helvetica; font-size: 12px; ">Having a complete picture of credit card data isn't just a courtesy to your assessor; it also affects your ability to protect customer information, because you can't secure what you don't know about.</p><p style="font-family: geneva, arial, helvetica; font-size: 12px; "><strong>2. PCI Is A Moving Target</strong></p><p style="font-family: geneva, arial, helvetica; font-size: 12px; ">Let's say your assessor has just stamped you "compliant." You breathe a sigh of relief. The PCI assessment is annual, so you don't have to worry about it for another 12 months, right? Not so.</p><p style="font-family: geneva, arial, helvetica; font-size: 12px; ">PCI compliance is only valid and only applies to the state of the network and systems at the time of the assessment. 
The moment you make changes to systems that fall under the&nbsp;</p></span></b></span></font></div><div><font class="Apple-style-span" color="#000000" face="geneva, arial, helvetica" size="3"><span class="Apple-style-span" style="font-size: 12px;"><b><br /></b></span></font></div><div><font class="Apple-style-span" color="#000000" face="geneva, arial, helvetica" size="3"><span class="Apple-style-span" style="font-size: 12px;"><b>Rest of article and pdf of entire article</b></span></font></div><div><font class="Apple-style-span" color="#000000" face="geneva, arial, helvetica" size="3"><span class="Apple-style-span" style="font-size: 12px;"><b><br /></b></span></font></div><div><font class="Apple-style-span" color="#000000" face="geneva, arial, helvetica" size="3"><span class="Apple-style-span" style="font-size: 12px;"><b><a href="http://analytics.informationweek.com/abstract/21/1653/Security/inside-pci-compliance.html?cid=IWKRPT">Source link</a></b></span></font></div><div><br /></div><a href="http://www.gokiosk.net/kiosk/inside-pci-compliance_884972.pdf">inside-pci-compliance_884972.pdf</a>]]>
        
    </content>
</entry>

<entry>
    <title>2009 Encryption and Key Management Industry Benchmark Report</title>
    <link rel="alternate" type="text/html" href="http://www.gokiosk.net/kiosk/2009/10/2009-encryption-and-key-management-industry-benchmark-report.html" />
    <id>tag:www.gokiosk.net,2009:/kiosk//4.79</id>

    <published>2009-10-26T13:22:07Z</published>
    <updated>2009-10-26T13:27:44Z</updated>

    <summary><![CDATA[Report from Trust Catalyst detailing the trends and obstacles to data encryption, applications affected, and why it's important (average cost per breach is $6M). Excerpt:&nbsp;The most significant increases in this year's research were "File encryption - server" moving up from fifth...]]></summary>
    <author>
        <name>Administrator</name>
        <uri>http://www.keefner.com</uri>
    </author>
    
    <category term="encryption" label="encryption" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="pci" label="pci" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://www.gokiosk.net/kiosk/">
        <![CDATA[<div>Report from Trust Catalyst detailing the trends and obstacles to data encryption, applications affected, and why it's important (average cost per breach is $6M)</div><div><br /></div><div><br /></div><div><div>Excerpt:&nbsp;The most significant increases in this year's research were "File encryption - server" moving up from fifth to second place and "Mobile device encryption" rising from eleventh to ninth. Email encryption at the client saw the most significant fall, from third place in 2008 to fifth in 2009. There was not a significant increase in encryption adoption for databases or backup tapes in 2009. We continue to caution organizations not encrypting these applications that they remain at serious risk of data breach - particularly with regard to patient and credit card data.</div></div><div><br /></div><a href="http://www.gokiosk.net/kiosk/2009_Enc_and_Key_Mgmt_Industry_Benchmark_Report_201009.pdf">2009_Enc_and_Key_Mgmt_Industry_Benchmark_Report_201009.pdf</a>]]>
        
    </content>
</entry>

<entry>
    <title>Tokenization Vs. End-to-End Encryption: Experts Weigh in</title>
    <link rel="alternate" type="text/html" href="http://www.gokiosk.net/kiosk/2009/10/tokenization-vs-end-to-end-encryption-experts-weigh-in.html" />
    <id>tag:www.gokiosk.net,2009:/kiosk//4.78</id>

    <published>2009-10-23T21:17:35Z</published>
    <updated>2009-10-23T21:19:40Z</updated>

    <summary><![CDATA[Pros and Cons of the Emerging Technologies Eyed to Improve Data Security. October 19, 2009 - Linda McGlasson, Managing Editor. Tokenization or end to end encryption - which solution will win the hearts of data protectors in the race to secure data? A&nbsp;recent...]]></summary>
    <author>
        <name>Administrator</name>
        <uri>http://www.keefner.com</uri>
    </author>
    
    <category term="pci" label="pci" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="tokenizationsecuritypcistandards" label="tokenization security pci standards" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://www.gokiosk.net/kiosk/">
        <![CDATA[<span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: 'Times New Roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span class="Apple-style-span" style="font-family: verdana,geneva,arial,helvetica; font-size: 11px; line-height: 13px;"><div id="contentArea" style="font-size: 13px; line-height: 19px;"><div class="medFont" style="color: rgb(0, 0, 0); font-size: 16px; font-family: verdana,geneva,arial,helvetica; line-height: 22px;"><b>Pros and Cons of the Emerging Technologies Eyed to Improve Data Security</b></div>October 19, 2009 - Linda McGlasson, Managing Editor</div><br clear="all" /><div id="contentArea" style="font-size: 13px; line-height: 19px;">Tokenization or end to end encryption - which solution will win the hearts of data protectors in the race to secure data?<p style="padding: 0px; font-size: 13px; line-height: 19px; margin-top: 15px;">A<span class="Apple-converted-space">&nbsp;</span><a href="articles.php?art_id=1809" style="color: rgb(10, 61, 132); text-decoration: none;"><b>recent study</b></a><span class="Apple-converted-space">&nbsp;</span>conducted by PriceWaterhouseCoopers on behalf of the Payment Card Industry Security Standards Council shows that end to end encryption and tokenization are the top choices for companies seeking to employ new emerging technologies to protect payment card and other critical data. And both approaches have their public proponents, including Heartland Payment Systems (HPY) CEO Robert Carr, who's been encryption's most vocal supporter in the wake of his organization's historic<span class="Apple-converted-space">&nbsp;</span><a href="heartland_breach.php" style="color: rgb(10, 61, 132); text-decoration: none;"><b>breach</b></a>.</p><p style="padding: 0px; font-size: 13px; line-height: 19px; margin-top: 15px;">But what are the pros and cons of each approach? We turned to a panel of information security experts for their analyses of tokenization vs. 
end to end encryption.</p><p style="padding: 0px; font-size: 13px; line-height: 19px; margin-top: 15px;"><b>Defining the Solutions</b><br />A quick look at the essence of these two solutions:</p><p style="padding: 0px; font-size: 13px; line-height: 19px; margin-top: 15px;"><b>Tokenization</b><span class="Apple-converted-space">&nbsp;</span>replaces sensitive card data information with unique id symbols that keep all the essential data, without compromising its security. This approach has become popular as a way to increase security of credit card and e-commerce transactions, while minimizing the cost and complexity of industry regulations and standards - especially the Payment Card Industry Data Security Standard (PCI).</p></div></span><br /></span><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: 'Times New Roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span class="Apple-style-span" style="font-family: verdana,geneva,arial,helvetica; font-size: 13px; line-height: 19px;"><p style="padding: 0px; font-size: 13px; line-height: 19px; margin-top: 15px;"><b>End to end encryption</b>, also defined by Visa as data field encryption, is continuous protection of the confidentiality and integrity of transmitted data by encrypting it at the origin, then decrypting at its destination. The encrypted data travels safely through vulnerable channels such as public networks to its recipient, where it can be decrypted. 
One example is a virtual private network (VPN) that uses end to end encryption.</p><p style="padding: 0px; font-size: 13px; line-height: 19px; margin-top: 15px;">The question for many organizations is not either/or, but rather which approach best fits into the organization's existing security architecture?</p><p style="padding: 0px; font-size: 13px; line-height: 19px; margin-top: 15px;"><b>Pros and Cons</b><br />Size is a factor for organizations weighing tokenization and end to end encryption, says Dave Shackleford, former chief security strategist at EMC, and now principal at Blue Heron Group. "I would probably choose tokenization for smaller organizations, but larger ones will likely benefit more in the long run from looking to implement robust encryption practices and technologies," Shackleford says. Tokenization may not encompass all the data that needs to be protected by larger organizations, he adds.</p><p style="padding: 0px; font-size: 13px; line-height: 19px; margin-top: 15px;"><a href="http://www.bankinfosecurity.com/articles.php?art_id=1869&amp;opg=1">read rest of article</a><br /></p></span></span><br /> ]]>
        
    </content>
</entry>

<entry>
    <title>Visa Announces New Data Encryption Practices</title>
    <link rel="alternate" type="text/html" href="http://www.gokiosk.net/kiosk/2009/10/visa-announces-new-data-encryption-practices.html" />
    <id>tag:www.gokiosk.net,2009:/kiosk//4.77</id>

    <published>2009-10-23T21:14:28Z</published>
    <updated>2009-10-23T21:15:30Z</updated>

    <summary><![CDATA[Visa has announced new global best practices for data field encryption, also known as end-to-end encryption - a much-discussed solution in the wake of the&nbsp;Heartland Payment Systems breach. Announced by the global credit card company on Monday, these best practices are...]]></summary>
    <author>
        <name>Administrator</name>
        <uri>http://www.keefner.com</uri>
    </author>
    
        <category term="PCI Compliance" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Regulatory Standards" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="pci" label="pci" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://www.gokiosk.net/kiosk/">
        <![CDATA[<span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: 'Times New Roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span class="Apple-style-span" style="font-family: verdana,geneva,arial,helvetica; font-size: 13px; line-height: 19px;"><p style="padding: 0px; font-size: 13px; line-height: 19px; margin-top: 15px;">Visa has announced new global best practices for data field encryption, also known as end-to-end encryption - a much-discussed solution in the wake of the<span class="Apple-converted-space">&nbsp;</span><b><a href="heartland_breach.php" style="color: rgb(10, 61, 132); text-decoration: none;">Heartland Payment Systems breach</a></b>.</p><p style="padding: 0px; font-size: 13px; line-height: 19px; margin-top: 15px;">Announced by the global credit card company on Monday, these best practices are designed to further the payment industry's efforts to develop a common, open standard while providing guidance to encryption vendors and early adopters. 
Data field encryption protects card information from the swipe to the acquirer processor with no need for the merchant to process or transmit card data in the "clear."</p><p style="padding: 0px; font-size: 13px; line-height: 19px; margin-top: 15px;">Visa's Jennifer Fischer, senior business leader in the card company's risk area, says encryption is not being touted as a silver bullet for anyone, "But we see it as a way to supplement and help, in many cases, augment existing security measures."</p><p style="padding: 0px; font-size: 13px; line-height: 19px; margin-top: 15px;">Data field encryption can be another layer to enhance a merchant's security by eliminating any clear text data either in storage or in flight.</p><p style="padding: 0px; font-size: 13px; line-height: 19px; margin-top: 15px;">In addition to issuing these encryption best practices, Visa is chair of the ANSI X9F6 standards working group and is helping to develop a much-needed industry data field encryption standard. Fischer notes that Visa is also working with the Payment Card Industry Security Standards Council in reviewing its<span class="Apple-converted-space">&nbsp;</span><b><a href="articles.php?art_id=1809" style="color: rgb(10, 61, 132); text-decoration: none;">recent study by PriceWaterhouseCooper</a></b><span class="Apple-converted-space">&nbsp;</span>on emerging technologies use in the payments industry. Encryption was cited as one of the top four emerging technologies being looked at within the payment stream to protect data.</p></span><br /><a href="http://www.bankinfosecurity.com/articles.php?art_id=1839">read rest of article</a><br /></span> ]]>
        
    </content>
</entry>

<entry>
    <title>Heartland Tests End-to-End Encryption; Gets Good Reviews</title>
    <link rel="alternate" type="text/html" href="http://www.gokiosk.net/kiosk/2009/10/heartland-tests-end-to-end-encryption-gets-good-reviews.html" />
    <id>tag:www.gokiosk.net,2009:/kiosk//4.76</id>

    <published>2009-10-23T21:12:09Z</published>
    <updated>2009-10-23T21:13:45Z</updated>

    <summary><![CDATA[In the first step of its move toward end-to-end encryption,&nbsp;Heartland Payment Systems (HPY)&nbsp;last week completed the first phase of its pilot project. Heartland, the sixth biggest payments processor, earlier this year&nbsp;announced that it was hit with a data breach, wherein credit...]]></summary>
    <author>
        <name>Administrator</name>
        <uri>http://www.keefner.com</uri>
    </author>
    
    <category term="pcicompliance" label="pci compliance" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://www.gokiosk.net/kiosk/">
        <![CDATA[<span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: 'Times New Roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span class="Apple-style-span" style="font-family: verdana,geneva,arial,helvetica; font-size: 13px; line-height: 19px;"><p style="padding: 0px; font-size: 13px; line-height: 19px; margin-top: 15px;">In the first step of its move toward end-to-end encryption,<span class="Apple-converted-space">&nbsp;</span><b><a href="http://www.bankinfosecurity.com/heartland_breach.php" style="color: rgb(10, 61, 132); text-decoration: none;">Heartland Payment Systems (HPY)</a></b><span class="Apple-converted-space">&nbsp;</span>last week completed the first phase of its pilot project.</p><p style="padding: 0px; font-size: 13px; line-height: 19px; margin-top: 15px;">Heartland, the sixth biggest payments processor, earlier this year<span class="Apple-converted-space">&nbsp;</span><b><a href="http://www.bankinfosecurity.com/articles.php?art_id=1200" style="color: rgb(10, 61, 132); text-decoration: none;">announced that it was hit with a data breach</a></b>, wherein credit card numbers and debit card information were taken by hackers who broke into the payment processor's internal network. Since the breach was announced, the company has been working toward introducing advanced encryption standard (AES)-encrypted card transactions from merchants to Heartland's processing platform.</p><p style="padding: 0px; font-size: 13px; line-height: 19px; margin-top: 15px;">The merchant that took part in the pilot last Monday was a small carwash operation in Plano, TX, near Heartland's operation center. 
AES is the highest level of encryption and is currently on track to replace Data Encryption Standard (DES) and Triple DES as the desired standard for sensitive data. The pilot transactions included multiple credit cards, prepaid and signature debit card transactions that tested each of the major card brands, says Robert Carr, Heartland's chairman and chief executive officer.</p><p style="padding: 0px; font-size: 13px; line-height: 19px; margin-top: 15px;"><b>Heartland's Solution</b></p><p style="padding: 0px; font-size: 13px; line-height: 19px; margin-top: 15px;">Heartland's new tamper-resistant security module terminal is meant to stop hackers from sniffing data beginning at the point of sale until it reaches the end point at the payment processor. Typically, cardholder data is unencrypted as it leaves a merchant's terminal and isn't encrypted until it is either tokenized in a gateway or at rest in the processing platform's data warehouse.</p><p style="padding: 0px; font-size: 13px; line-height: 19px; margin-top: 15px;">The pilot tested four of five payment zones, the fifth being contingent upon the card brands or card issuer, when the data is sent from the processor to the authorization and settlement centers of the card brand or issuer.</p></span><a 
href="http://www.bankinfosecurity.com/articles.php?art_id=1600">Rest of article</a><br /><br /></span> ]]>
        
    </content>
</entry>

<entry>
    <title>Mobile Barcodes Explained - Aztecs in the Matrix</title>
    <link rel="alternate" type="text/html" href="http://www.gokiosk.net/kiosk/2009/10/mobile-barcodes-explained---aztecs-in-the-matrix.html" />
    <id>tag:www.gokiosk.net,2009:/kiosk//4.75</id>

    <published>2009-10-07T15:23:24Z</published>
    <updated>2009-10-07T15:25:20Z</updated>

    <summary><![CDATA[Mobile barcodes are on the verge of becoming a global phenomenon, but what exactly are they, what do they do, and for whom? We became familiar with the original,&nbsp;linear barcodes&nbsp;(or 1D), from our supermarket shopping in the 1980's (although the...]]></summary>
    <author>
        <name>Administrator</name>
        <uri>http://www.keefner.com</uri>
    </author>
    
        <category term="Mobile" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="aztec" label="aztec" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="barcodes" label="barcodes" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="datamatrix" label="data matrix" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="mobile" label="mobile" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://www.gokiosk.net/kiosk/">
        <![CDATA[<span class="Apple-style-span" style="color: rgb(23, 23, 23); font-family: Verdana, 'Lucida Grande', 'Lucida Sans Unicode', sans-serif; "><p>Mobile barcodes are on the verge of becoming a global phenomenon, but what exactly are they, what do they do, and for whom? We became familiar with the original,&nbsp;<strong>linear barcodes</strong>&nbsp;(or 1D), from our supermarket shopping in the 1980's (although the technology was patented in the 1950's). They comprise a series of vertical black lines and white spaces of variable width, representing numbers, which are read (or decoded) by a barcode reader to extract the information they bear.</p><p><span id="more-2003"></span></p><p>However, as barcodes were used in an ever greater variety of environments beyond straightforward stock control, they became longer and longer as people tried to pack more information onto them. A new generation of barcodes was devised in the 1990's, usually referred to as&nbsp;<strong>2D</strong>&nbsp;or&nbsp;<strong>matrix codes</strong>. They are formed by patterns of black and white squares arranged on a (usually) square grid and can encode thousands of alphanumeric and other characters in virtually any language. Immediately the size and capacity problem was solved, opening the way for applications that had never been considered.&nbsp;</p><p>Another radical and exciting advancement in barcode reader technology allowed the camera in a mobile phone to act as a reader. Mobile phones can now be enabled to read a variety of 2D mobile barcodes. These include&nbsp;<strong>QR codes, Data Matrix, Cool-Data-Matrix, Aztec, Upcode, Trillcode, Quickmark, shotcode, mCode and Beetagg</strong>.</p><p>The vast majority of symbologies are in the public domain, which means they can be used by anyone without restriction and without payment of a fee or royalty. 
This public approach gives rise to internationally recognised standards, global interoperability, and creates an economy of scale.&nbsp; This is a great boon for advertisers and consumers (both of whom are the mobile operators' customers) because only one software client is required to read any code.&nbsp; For the operators, this translates to greater choice and more competitively priced equipment.</p><p>Unfortunately, some barcode developers have chosen the proprietary route, which means they keep control of their own codes, the information that is permitted to be encoded and charge a fee or royalty for their use. These issues and the lack of interoperability usually mean that proprietary barcodes tend to be used in controlled, closed environments, rather than in open, public systems around the world.</p><p>The most common use of mobile barcodes is to request information or a service or content from a Web site. It might be details of a promotion, or a discount voucher via SMS or MMS, or to activate a download such as a ringtone, music track or game, or click to call an IVR or human agent, or buy a travel or concert ticket. The advertiser pays the set-up costs as well as its operator partner on a per-click, download, view, redeemed coupon, ticket sale or call, depending on the campaign.</p><p>The key is that mobile barcodes are a&nbsp;<strong>pull technology</strong>, a permission-based way for a consumer to engage with an advertiser or medium. 
This is a very important attribute since there is a great deal of consumer angst and regulatory concern about intrusive mobile marketing: mobile barcodes are a world away from pushing unsolicited spam via SMS or MMS. 
Big brands are understandably wary of engaging in any advertising activity that compromises their reputation by alienating their customers and have stayed away from these kinds of push campaigns.</p><p>The pull of mobile barcodes overcomes these issues and offers a direct, accountable way of connecting with consumers. However, if mobile barcodes are to succeed as an advertising medium, a high level of back-office integration is necessary, which reinforces the importance of open standards for processes and interfaces. Operators will need to demonstrate to the world's biggest brands that the barcode scanning transactions are accurate, reliable and defendable because they are going to charge that brand for every click.</p><p><strong>The precedent is there:</strong>&nbsp;Google has built a multi-billion dollar, online business on this per click or interaction model with its Google AdWord/AdSense, which provides advertisers with reliable, accountable records of their users' transaction history and an accurate invoice, plus timely and granular revenue share payments to other parts of the ecosystem. In mobile, unlike online, there is the additional challenge that these mechanisms have to work across carriers, across countries and across currencies.</p><p><strong>So the stage is set.</strong>&nbsp;With 2D barcode scanning, advertisers have a reliable, permission-based mobile channel open to them. 
Consumers love them as an easy way of using&nbsp;mobile&nbsp;technology&nbsp;to engage with services and media they are interested in, as has been demonstrated in spades in Japan, where mobile barcodes are part of everyday life. 
This is because Japan is unusual in having a very dominant operator, NTT DoCoMo, which decided to endorse QR codes and ensured that all new handsets had QR code client software embedded in them. The rest is history, but this approach is not applicable to markets in most other countries, which typically have four or five operators competing against each other.</p><p><strong>The challenge now</strong>&nbsp;is to ensure that any brand advertiser can run the same ad campaign in Singapore, London and Seattle instead of having to produce and run different campaigns in each country and for every operator. The inability to do this has been another big inhibitor to&nbsp;mobile&nbsp;advertising. Mobile barcodes have the potential to overcome these issues and become the mainstream, global phenomenon that they could and should be. However to attain this goal, the various parties that make up the ecosystem and the various warring factions within the mobile barcode industry need to come together and work on common standards* that will be to everyone's advantage.</p></span> ]]>
        
    </content>
</entry>

<entry>
    <title>How PA DSS Will Change the Application Business Forever</title>
    <link rel="alternate" type="text/html" href="http://www.gokiosk.net/kiosk/2009/10/how-pa-dss-will-change-the-application-business-forever.html" />
    <id>tag:www.gokiosk.net,2009:/kiosk//4.74</id>

    <published>2009-10-06T19:37:04Z</published>
    <updated>2009-10-06T19:39:55Z</updated>

    <summary><![CDATA[By David Taylor --&nbsp;Most merchants and application vendors seriously underestimate both the scope and the force of the Payment Applications Data Security Standard (PA DSS). If so, it's only because they haven't read the standard or don't immediately grasp what's...]]></summary>
    <author>
        <name>Administrator</name>
        <uri>http://www.keefner.com</uri>
    </author>
    
        <category term="PCI Compliance" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="cadss" label="CA DSS" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="kiosk" label="kiosk" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="pci" label="PCI" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://www.gokiosk.net/kiosk/">
        <![CDATA[By David Taylor --&nbsp;<span class="Apple-style-span" style="color: rgb(85, 85, 85); font-family: Arial; line-height: 16px; -webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; ">Most merchants and application vendors seriously underestimate both the scope and the force of the Payment Applications Data Security Standard (PA DSS). If so, it's only because they haven't read the standard or don't immediately grasp what's involved.</span><div><br /></div><div><span class="Apple-style-span" style="color: rgb(85, 85, 85); font-family: Helvetica, Arial, sans-serif; font-size: 12px; line-height: 16px; -webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; "><p class="MsoNormal" style="margin-top: 10px; margin-bottom: 15px; "><span style="font-size: 10pt; font-family: Arial; ">&nbsp;Essentially, this standard could cause merchants in all industries and of all sizes to have to switch payment application vendors. Furthermore, since these applications are not generic "plug and play" software "modules," any change will also require changes to all custom code designed to integrate with ERP, sales audit, general ledger and other office management applications. In short, PA DSS is a much "bigger deal" than the 1.2 release of the PCI DSS.</span></p><p class="MsoNormal" style="margin-top: 10px; margin-bottom: 15px; "><span style="font-size: 10pt; font-family: Arial; ">The Scope of PA DSS. Any application packaged for sale that collects (e.g., via a form that someone fills in or automated means), processes, or stores card data is included in the scope of PA DSS. 
That means that ALL merchants (even Level 4s) must only be running validated applications and this means that application vendors must pay to have their application tested in a "laboratory" by a PA DSS QSA (assessor), a list of which is conveniently maintained by the PCI Security Standards Council, who recently took over the task from Visa.</span></p><p class="MsoNormal" style="margin-top: 10px; margin-bottom: 15px; "><span style="font-size: 10pt; font-family: Arial; ">Assessment is price-competitive. Currently, there are fewer than 20 companies worldwide that have been approved to test and validate PA DSS compliance. More are joining the list all the time. Because the demand from merchants and, hence, application vendors, is just developing, we're hearing stories of a very price-sensitive market, with resulting "variability" in the quality of assessment, because low-ball-bidders have to make a profit on their assessments. As a result, we caution all merchants not to assume an equal level of data security between two application vendors just because they both appear on the PA DSS "white list." Merchants need to do their own validation of the data security controls and ask for copies of the PA DSS test reports.</span></p><p class="MsoNormal" style="margin-top: 10px; margin-bottom: 15px; "><span style="font-size: 10pt; font-family: Arial; ">The application vendor's dilemma. We've interviewed application vendors who tell us they are waiting until customers demand PA DSS compliance before having their software tested, and/or that their customers (the merchants) have no clue about PA DSS, so they don't want to get their current version validated, when a new version will be coming out in another 6 months, and they'd have to pay to have it tested also. The issue of "Why pay for security testing that customers don't even care about?" is likely to continue for another six months or so. 
As long as the focus of the SSC and the card brands is on the "minor tweaks" in PCI DSS 1.2, there will be less marketing bandwidth available to highlight the major changes which PA DSS will bring about in the market.</span></p><p class="MsoNormal" style="margin-top: 10px; margin-bottom: 15px; "><span style="font-size: 10pt; font-family: Arial; ">The demand lag and its market impact. This "cat and mouse" issue of paying to have a version validated prior to demand for PA DSS will get much more complex over the next two years. Most application vendors have, thus far, only had zero or one version tested, because it's expensive and demand is "immature" at best. We expect that getting tested and being on the PA DSS "white list" will become part of nearly all relevant RFPs within a year. If this doesn't happen, then it's highly unlikely that the merchant community (all levels) will be running all PA DSS compliant applications by the October 2009 and July 2010 deadlines. Faced with potentially massive non-compliance, the logical response would be to postpone the deadlines. It's happened before.</span></p><p class="MsoNormal" style="margin-top: 10px; margin-bottom: 15px; "><span style="font-size: 10pt; font-family: Arial; ">What are the compensating controls for PA DSS? <a href="http://www.pciknowledgebase.com/index.php?option=com_content&amp;view=article&amp;id=105:how-pa-dss-will-change-the-application-business-forever&amp;catid=28:myblog&amp;Itemid=132"><b>Read rest of article</b></a></span></p></span></div>]]>
        
    </content>
</entry>

<entry>
    <title>Tokenization and your store</title>
    <link rel="alternate" type="text/html" href="http://www.gokiosk.net/kiosk/2009/10/tokenization-and-your-store.html" />
    <id>tag:www.gokiosk.net,2009:/kiosk//4.73</id>

    <published>2009-10-01T17:48:39Z</published>
    <updated>2009-10-01T17:57:09Z</updated>

    <summary>New approach shapes how retailers secure private information and consumer confidence against data breaches. With stores located in various states and, in some cases, overseas, chain stores face a unique data security challenge. The plethora of recent State Breach Notification Laws...</summary>
    <author>
        <name>Administrator</name>
        <uri>http://www.keefner.com</uri>
    </author>
    
        <category term="PCI Compliance" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Security" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="tokenizationsecuritypcistandards" label="tokenization security pci standards" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://www.gokiosk.net/kiosk/">
        <![CDATA[<span class="Apple-style-span" style="color: rgb(0, 0, 0); font-family: Arial; font-size: 12px; "><h2 style="font-size: 18px; margin-top: 0px; margin-right: 0px; margin-bottom: 16px; margin-left: 0px; font-weight: bold; ">New approach shapes how retailers secure private information and consumer confidence against data breaches</h2><div><p>With stores located in various states and, in some cases, overseas, chain stores face a unique data security challenge. The plethora of recent State Breach Notification Laws and European privacy laws, as well as industry mandates such as the Payment Card Industry's Data Security Standard, put a lot of pressure on chain store CSOs to come up with foolproof ways to protect consumer information against a data breach.</p><p><a href="http://www.chainstoreage.com/GuestCommentaries_Archive.aspx?id=115555">Source Article</a></p><p>Many retailers have already adopted localized encryption and follow data security best practices but, for some companies, this may not be the most efficient way to protect credit-card numbers and various forms of personally identifiable information (PII), including customer loyalty data, and employee social security and commercial drivers' license numbers, etc.</p><p>With traditional localized encryption, the encrypted data is stored in applications and databases in place of the original unencrypted data, which means it is located in many places throughout the enterprise. Every system that contains encrypted data is a point of risk and remains "in scope" for PCI DSS compliance and audits. What's more, encrypted data takes more space than unencrypted data, requiring costly programming modifications to applications and databases, along with increased data storage costs.</p><p>To solve these challenges, a new data security model -- format preserving tokenization -- is beginning to gain traction with retailers. 
Tokenization reduces the number of points where sensitive data is stored within an enterprise by replacing encrypted data with data surrogates (tokens) and storing the encrypted information in a central data vault. This makes data security easier to manage and provides an extra layer of security, but it also takes systems "out of scope" for PCI DSS compliance.</p><p><strong>Tokenization explained</strong></p><p>With traditional encryption, when a database or application needs to store sensitive data, those values are encrypted and the cipher text is returned to the original location. With tokenization, a token -- or surrogate value -- is returned and stored in place of the original data. The token is a reference to the actual cipher text, which can be stored locally ("in-place tokenization") or, as in the newly-emerging model, in a central data vault. As long as the token is format-preserving, it can be safely used by any application, database or backup medium throughout the organization. This minimizes the risk of exposing the actual sensitive data and allows business and analytical applications to work without modification.</p><p>Format-preserving tokens can either match the expected data type or expose a subset of the original value to simultaneously protect the information and enable applications and job functions to continue unmodified. For example, the token could expose the last four digits of the social security number or credit card number to enable call center operations.</p><p>Tokens use the same amount of storage space as the original clear text data instead of the larger amount of storage required by encrypted data. And since tokens are not mathematically derived from the original data, they are arguably safer than exposing cipher text. They can be passed around the network between applications, databases and business processes safely while leaving the encrypted data they represent securely stored in a central data vault. 
Authorized applications that need access to encrypted data can only retrieve it using a token issued from a token server, providing an extra layer of protection for sensitive information and preserving storage space at data collection points.</p><p><strong>Encryption, tokenization, or both: What's right for your enterprise?</strong></p><p>There are two distinct scenarios where implementing a token strategy can be beneficial: to reduce the number of places sensitive encrypted data resides or to reduce the scope of a PCI DSS audit. The hub and spoke model is the same for both and contains these three components:</p><p>* Centralized encryption key manager to manage the lifecycle of keys.<br />* Token server to encrypt data and generate tokens.<br />* Central data vault to hold the encrypted values, or cipher text.</p><p>These three components comprise the hub. The spokes are the endpoints where sensitive data originates such as point-of-sale terminals or the servers in stores, various departments at headquarters, a call center or Web site.</p><p>In the traditional model, data is encrypted at the stores (spokes) and stored there; or encrypted at headquarters and distributed back out to the stores. Under the tokenization model, encrypted data is stored in a central data vault and tokens replace the corresponding cipher text in applications available to the stores, thereby reducing the instances where cipher text resides throughout the enterprise. This reduces risk because the only place encrypted data resides is in the central data vault until it is needed by authorized applications and employees.</p><p>In the second scenario, the model is the same but the focus is on using only tokens in spoke applications thereby reducing scope for a PCI DSS audit. In this case, employees only need a "format-preserving" token where the token provides enough insight for them to perform their jobs. For instance, the token will contain the last four digits of a credit card. 
In the traditional encryption model, cipher text resides on machines throughout the organization. All of these machines are "in scope" for a PCI DSS audit. In the centralized tokenization model, many of the spokes can use tokens in place of cipher text, which takes those systems out of scope for the audit.</p><p>Format preserving tokenization is ideal for some chain store enterprises, while a hybrid approach is better for others. Localized encryption is the default when stores are not always connected to a central data vault. In instances where stores are electronically connected to the data vault, tokenization is often the solution of choice. For many chain store companies, using a combination of localized encryption and tokenization is a practical approach for improving data security.</p><p>Format preserving tokenization protects payment-card information and employee information as well as all types of customer PII and loyalty data collected by many chain store marketers. Not only does the technology provide an extra layer of security in an extended enterprise, but it reduces storage space requirements and the scope of PCI DSS audits.</p><p><em>Gary Palgon is VP product management for data protection software vendor nuBridges, and is a frequent contributor to industry publications and a speaker at conferences on eBusiness security issues and solutions. He can be reached at</em>&nbsp;<a href="mailto:gpalgon@nubridges.com" style="color: rgb(6, 69, 153) !important; text-decoration: underline; "><em>gpalgon@nubridges.com</em></a><em>.</em>&nbsp;</p><p><br /></p></div></span> ]]>
        
    </content>
</entry>

<entry>
    <title>Americans prefer online banking - ABA survey</title>
    <link rel="alternate" type="text/html" href="http://www.gokiosk.net/kiosk/2009/09/americans-prefer-online-banking---aba-survey.html" />
    <id>tag:www.gokiosk.net,2009:/kiosk//4.72</id>

    <published>2009-09-25T21:38:55Z</published>
    <updated>2009-09-25T21:41:33Z</updated>

    <summary>For the first time, more US bank customers express a preference for managing their finances online compared to any other method, according to a survey from the American Bankers Association. The survey of 1000 people, conducted for the ABA by...</summary>
    <author>
        <name>Administrator</name>
        <uri>http://www.keefner.com</uri>
    </author>
    
        <category term="Financial Research" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="financialbankingonline" label="financial banking online" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://www.gokiosk.net/kiosk/">
        <![CDATA[<span class="Apple-style-span" style="color: rgb(0, 0, 0); font-family: Verdana, helvetica, Arial, sans-serif; font-size: 12px; line-height: 18px; "><b>For the first time, more US bank customers express a preference for managing their finances online compared to any other method, according to a survey from the American Bankers Association.</b></span><div><font class="Apple-style-span" color="#000000" face="Verdana, helvetica, Arial, sans-serif" size="3"><span class="Apple-style-span" style="font-size: 12px; line-height: 18px;"><b><br /></b></span></font></div><div><span class="Apple-style-span" style="color: rgb(0, 0, 0); font-family: Verdana, helvetica, Arial, sans-serif; font-size: 12px; line-height: 18px; "><b><a href="http://www.finextra.com/fullstory.asp?id=20526">Source link</a><br clear="all" /></b><p></p><p>The survey of 1000 people, conducted for the ABA by Ipsos-Reid, shows online banking is preferred by one-in-four of the sample. It is the most popular method among all customer age groups under the age of 55 although older people still prefer visiting branches.</p><p>The survey also shows mobile banking is yet to make the predicted breakthrough, cited as the preferred method by only one per cent, with most of these being 18 to 24 year olds.</p><p>Branch banking is the second most popular method, cited by 21%, with 17% preferring to use ATMs and four per cent the telephone.</p><p><img src="http://www.finextra.com/finextra-images/articles/abachart.GIF" /></p><p>Nessa Feddis, senior counsel and retail banking expert, ABA, says: "This marks a watershed change. It tells us that for the first time, more consumers prefer the speed and convenience of conducting their banking transactions on the Internet than visiting their local branch. 
It also tells us that consumers now have confidence in the accuracy and security of online banking."</p><p>A recent poll sponsored by vendor Fiserv found that more than two million US households have adopted online banking and bill payment during the last year, meaning the services are now used in over three quarters of homes with Internet access.</p></span> </div>]]>
        
    </content>
</entry>

<entry>
    <title>IKEA Execs Discuss Launch Of US Loyalty, Use Of Mobile Medium</title>
    <link rel="alternate" type="text/html" href="http://www.gokiosk.net/kiosk/2009/09/ikea-execs-discuss-launch-of-us-loyalty-use-of-mobile-medium.html" />
    <id>tag:www.gokiosk.net,2009:/kiosk//4.71</id>

    <published>2009-09-24T13:36:26Z</published>
    <updated>2009-09-24T13:39:00Z</updated>

    <summary><![CDATA[Written by Amanda Ferrante, Tuesday, 15 September 2009 00:00. Well known for its innovative approach to customer relationship management, home furnishings retailer&nbsp;IKEA&nbsp;has been giving customers all over the world something to talk about. Focused on providing consumers with the ultimate in function,...]]></summary>
    <author>
        <name>Administrator</name>
        <uri>http://www.keefner.com</uri>
    </author>
    
    <category term="loyaltymobileikea" label="Loyalty Mobile Ikea" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://www.gokiosk.net/kiosk/">
        <![CDATA[<span class="Apple-style-span" style="color: rgb(104, 99, 98); font-family: Geneva, 'Trebuchet MS', Lucida, Arial, sans-serif; font-size: 12px; line-height: 15px; "><table class="contentpaneopen" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; width: 554px; border-collapse: collapse; "><tbody><tr><td valign="top" style="padding-top: 0px; padding-right: 4px; padding-bottom: 0px; padding-left: 4px; "><span class="small" style="font: normal normal normal 10px/10px Tahoma, Lucida, Verdana, sans-serif; color: rgb(177, 178, 176); ">Written by Amanda Ferrante	</span>&nbsp;&nbsp;</td></tr><tr><td valign="top" class="createdate" style="font: normal normal normal 10px/10px Tahoma, Lucida, Verdana, sans-serif; color: rgb(177, 178, 176); padding-top: 0px; padding-right: 4px; padding-bottom: 0px; padding-left: 4px; ">Tuesday, 15 September 2009 00:00</td></tr><tr><td valign="top" style="padding-top: 0px; padding-right: 4px; padding-bottom: 0px; padding-left: 4px; "><p style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 10px; padding-left: 0px; "><br /><img alt="ikea_2" src="http://www.retailtouchpoints.com/images/stories/ikea_2.png" height="137" width="171" style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: dashed; border-right-style: dashed; border-bottom-style: dashed; border-left-style: dashed; border-top-color: rgb(0, 0, 0); border-right-color: rgb(0, 0, 0); border-bottom-color: rgb(0, 0, 0); border-left-color: rgb(0, 0, 0); float: right; " />Well known for its innovative approach to customer relationship management, home furnishings retailer&nbsp;<strong>IKEA</strong>&nbsp;has been giving customers all over the world something to talk about. 
Focused on providing consumers with the ultimate in function, design and price, Founder&nbsp;<strong>Ingvar Kamprad</strong>&nbsp;believed in saving in every way possible--except on ideas and quality. Store traffic has steadily increased, with nearly 650 million visitors in 2008 alone.</p><p style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 10px; padding-left: 0px; ">Largely attributed to the company's commitment to customer service, IKEA continues on inspiration and innovation.&nbsp;<em>Retail TouchPoints</em>&nbsp;recently caught up with IKEA US execs Tracey Kelly (Communications Manager) and Marty McGuire (Direct Marketing Manager) to discuss the company's approach to loyalty and the upcoming holiday shopping season, as well as new plans to tap into the new media goldmine that is, the&nbsp;<strong>mobile phone</strong>.</p><p style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 10px; padding-left: 0px; "><strong></strong></p><p style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 10px; padding-left: 0px; "><strong>Retail TouchPoints:&nbsp;</strong><em>IKEA has established itself as a prominent player in the furniture industry with strong brand power and a commitment to customer service. What are some the fundamentals of IKEA's business model?</em></p><p style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 10px; padding-left: 0px; "><strong>Tracey Kelly</strong><strong>:&nbsp;</strong>IKEA's business idea is to offer a wide range of well designed, functional home furnishings products at prices so low that as many people as possible will be able to afford them. 
For more than 60 years IKEA has been learning about everyday life at home for people all over the world. We use that knowledge and experience to offer solutions that meet our customer's needs. We believe that although people may live on a limited budget, they still want to create a beautiful and functional home.&nbsp; IKEA stores sell everything to furnish the home under one roof. The room settings in our stores show the range in an inspiring way that offers customers ideas and smart solutions for their homes. Most IKEA furniture is available to take home today so that customers can begin to enjoy their purchase immediately.<strong></strong></p><p style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 10px; padding-left: 0px; text-align: center; "><img alt="ikea_visitors" src="http://www.retailtouchpoints.com/images/stories/ikea_visitors.png" height="233" width="388" style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: dashed; border-right-style: dashed; border-bottom-style: dashed; border-left-style: dashed; border-top-color: rgb(0, 0, 0); border-right-color: rgb(0, 0, 0); border-bottom-color: rgb(0, 0, 0); border-left-color: rgb(0, 0, 0); " /></p><p style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 10px; padding-left: 0px; "><strong>RTP:&nbsp;</strong><em>Can you speak to IKEA's loyalty program and how it integrates into customer service? What feedback have you seen from the recent deployment of IKEA FAMILY registration kiosks in Belgium? 
Is this an effort that might be expanded into the US market?</em></p><p style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 10px; padding-left: 0px; "><strong>Marty McGuire</strong><strong>:&nbsp;</strong>Our global loyalty program "IKEA FAMILY" will be introduced in the US, but we are still working on the timing and how it will be integrated into the full shopping experience. Kiosks will play a role in our US program, benefiting from the IKEA experiences gained from other countries in addition to our own research.</p><p style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 10px; padding-left: 0px; "><strong>RTP:&nbsp;</strong><em>The mobile phone has really been established as an additional channel in retail, and IKEA has taken full advantage of that by using it to build a database of customers. The response has been impressive, as Mobile Marketer reported 23,000 opt ins as of June. Are you seeing this number grow? How is IKEA putting this information to work? Targeted offers?</em></p><p style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 10px; padding-left: 0px; "><strong>McGuire:</strong>&nbsp;Interest in IKEA Mobile content from our customers is increasing rapidly. There is a lot of opportunity to better serve our customers' needs by providing content that is optimized for their smartphone's display size and embraces the features they already use (SMS, GPS, Web access, downloadable apps, email, etc.). 
Mobile presence by retailers is expected from many consumers today, and we will increasingly be supporting existing and new customers through the mobile channel as smartphone penetration increases in the US.&nbsp; IKEA US customers can now sign up for IKEA Mobile SMS notifications by texting "JOIN" to 62345, by visiting our IKEA US Mobile Web site at&nbsp;<a href="http://m.ikea.us/" style="color: rgb(153, 0, 0); text-decoration: underline; ">http://m.IKEA.us</a>&nbsp;or via our Web site at&nbsp;<a href="http://www.retailtouchpoints.com/..:..:Temporary%20Internet%20Files:Content.Outlook:XAIQAA6N:www.IKEA-USA.com:signup" style="color: rgb(153, 0, 0); text-decoration: underline; ">www.IKEA-USA.com/signup</a>.</p><p style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 10px; padding-left: 0px; "><strong>RTP:&nbsp;</strong><em>From an overall retail perspective, how do you see customer behavior and purchasing patterns shifting going into holiday? What are some of the ways IKEA is driving in-store traffic in the coming months?</em></p><strong>Kelly:</strong>&nbsp;The biggest selling period for IKEA is when we distribute our annual catalog during August, not during the holidays as it might be with other retailers. Given the current economic conditions, we felt now is the time to lower prices even further on some of our best selling products for our new catalog. These are the products that our customers love; many of them have been in the IKEA range offering for many years. Based on our experience we know that by doing this we will drive traffic to our stores. 
We will continue to lower prices on many of our best sellers throughout the coming year.</td></tr></tbody></table><br /></span> <div><font class="Apple-style-span" color="#686362" face="Geneva, 'Trebuchet MS', Lucida, Arial, sans-serif" size="3"><span class="Apple-style-span" style="font-size: 12px; line-height: 15px;"><a href="http://www.retailtouchpoints.com/retail-crm/323-ikea-execs-discuss-launch-of-us-loyalty-use-of-mobile-medium.html">Source Link</a></span></font></div>]]>
        
    </content>
</entry>

<entry>
    <title>First Data And RSA &quot;Legitimize&quot; Tokenization-Then What?</title>
    <link rel="alternate" type="text/html" href="http://www.gokiosk.net/kiosk/2009/09/first-data-and-rsa-legitimize-tokenization-then-what.html" />
    <id>tag:www.gokiosk.net,2009:/kiosk//4.70</id>

    <published>2009-09-23T20:09:32Z</published>
    <updated>2009-09-24T16:32:01Z</updated>

    <summary>The conventional wisdom is that when large vendors enter a niche market, those vendors &quot;legitimize&quot; that market. But the announcement that First Data and RSA Security are getting into the credit card tokenization business raises many issues beyond them simply...</summary>
    <author>
        <name>Administrator</name>
        <uri>http://www.keefner.com</uri>
    </author>
    
        <category term="PCI Compliance" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Point of Sale" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Regulatory Standards" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Security" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="pci" label="PCI" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="tokenizationsecuritypcistandards" label="tokenization security pci standards" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://www.gokiosk.net/kiosk/">
        <![CDATA[<span class="Apple-style-span" style="color: rgb(45, 45, 45); font-family: Arial, Helvetica, sans-serif; font-size: 14px; font-weight: bold; line-height: 19px; ">The conventional wisdom is that when large vendors enter a niche market, those vendors "legitimize" that market. But the announcement that First Data and RSA Security are getting into the credit card tokenization business raises many issues beyond them simply "making" the tokenization market. Here is my first take on the implications of this announcement:</span> <div><font class="Apple-style-span" color="#2D2D2D" face="Arial, Helvetica, sans-serif" size="4"><span class="Apple-style-span" style="font-size: 14px; line-height: 19px;"><b><br /></b></span></font></div><div><font class="Apple-style-span" color="#2D2D2D" face="Arial, Helvetica, sans-serif" size="4"><span class="Apple-style-span" style="font-size: 14px; line-height: 19px;"><b>Posted from <a href="http://www.storefrontbacktalk.com/securityfraud/first-data-and-rsa-%E2%80%9Clegitimize%E2%80%9D-tokenization-then-what/">StorefrontBackTalk</a></b></span></font></div><div><font class="Apple-style-span" color="#2D2D2D" face="Arial, Helvetica, sans-serif" size="4"><span class="Apple-style-span" style="font-size: 14px; line-height: 19px;"><b><br /></b></span></font></div><div><font class="Apple-style-span" color="#2D2D2D" face="Arial, Helvetica, sans-serif" size="4"><span class="Apple-style-span" style="font-size: 14px; line-height: 19px;"><b><span class="Apple-style-span" style="font-weight: normal; "><li><b>Pressure On The PCI SSC To Embrace Tokenization</b><br />The PCI Security Standards Council already commissioned PricewaterhouseCoopers to do a study of tokenization, end-to-end encryption and other "beyond PCI" issues. The results will likely be discussed at the PCI SSC Community Meetings. That's great. Merchants, service providers and even QSAs want specific guidance about tokenization. 
This announcement and the weight of the players in the market should virtually guarantee that tokenization will be specifically addressed in the next release of PCI DSS, in addition to QSA training and other guidance from the SSC.<br /><p></p></li><li><b>Pressure On Payment Processors And Gateways</b><br />I have said before that the number of companies offering tokenization will increase several-fold within a year. We've already seen about a dozen players enter the market in the last six months. I'm expecting 30 to 40 more announced packages over the next six months, as payment processors, gateways, encryption vendors and application vendors all vie to see who can remove credit card data from the merchant environment the fastest.<br /><p></p></li><li><b>Tokenization Standards And Portability Will Be Hot Topics In 2010</b><br />The more options in the market, the more the demand for "token switching" will increase. Merchants who have entrusted their card data to Service Provider X will increasingly seek shorter duration contracts and have more specific demands about how they migrate their data from one tokenization provider to another.<br /><p><br />There are currently no standards for the form of a credit card token, how it is generated or how one token type can be converted to another (they can't, BTW). As more merchants realize this, they will raise concerns about being "locked in" to a particular tokenization approach. 
Smaller vendors will develop "token migration" or conversion tools, etc.<br /></p><p></p></li><li><b>Multi-Channel Options And Other Complexity Issues Will Emerge</b><br /><p><br /></p><p><span class="Apple-style-span" style="font-weight: bold; ">Read rest of story at&nbsp;<a href="http://www.storefrontbacktalk.com/securityfraud/first-data-and-rsa-%E2%80%9Clegitimize%E2%80%9D-tokenization-then-what/" style="text-decoration: underline; ">StorefrontBackTalk</a></span></p></li></span></b></span></font></div><div><font class="Apple-style-span" color="#2D2D2D" face="Arial, Helvetica, sans-serif" size="4"><span class="Apple-style-span" style="font-size: 14px; line-height: 19px;"><b><br /></b></span></font></div>]]>
        
    </content>
</entry>

<entry>
    <title>New driver license legislation proposed</title>
    <link rel="alternate" type="text/html" href="http://www.gokiosk.net/kiosk/2009/09/new-driver-license-legislation-proposed.html" />
    <id>tag:www.gokiosk.net,2009:/kiosk//4.69</id>

    <published>2009-09-21T22:22:28Z</published>
    <updated>2009-09-21T22:26:41Z</updated>

    <summary>Some believe that new proposed driver license legislation would help states better secure IDs while also protecting citizen privacy. Others say it &quot;guts&quot; an existing law and takes states back to pre-9/11 identity vetting for IDs. Debate on whether it...</summary>
    <author>
        <name>Administrator</name>
        <uri>http://www.keefner.com</uri>
    </author>
    
        <category term="Authentication" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Security" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="driverslicense" label="Drivers License" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="passid" label="PASS ID" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="realid" label="REAL ID" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://www.gokiosk.net/kiosk/">
        <![CDATA[<span class="Apple-style-span" style="color: rgb(68, 68, 68); font-family: Calibri, Arial, 'Trebuchet MS', sans-serif; font-size: 15px; border-collapse: collapse; line-height: 16px; ">Some believe that new proposed driver license legislation would help states better secure IDs while also protecting citizen privacy. Others say it "guts" an existing law and takes states back to pre-9/11 identity vetting for IDs.</span> <div><font class="Apple-style-span" color="#444444" face="Calibri, Arial, 'Trebuchet MS', sans-serif" size="4"><span class="Apple-style-span" style="border-collapse: collapse; font-size: 15px; line-height: 16px;"><br /></span></font></div><div><font class="Apple-style-span" color="#444444" face="Calibri, Arial, 'Trebuchet MS', sans-serif" size="4"><span class="Apple-style-span" style="border-collapse: collapse; font-size: 15px; line-height: 16px;"><p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1em; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; "><em style="font-style: italic; font-weight: normal; ">Debate on whether it increases or decreases security</em></p><p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1em; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; "><span class="byline" style="border-bottom-width: 1px; border-bottom-style: dotted; border-bottom-color: rgb(153, 153, 153); border-top-width: 1px; border-top-style: dotted; border-top-color: rgb(153, 153, 153); display: inline; font-size: 13px; font-variant: small-caps; font-weight: bold; letter-spacing: 0.08em; line-height: 24px; margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 2px; padding-right: -0.08em; padding-bottom: 2px; padding-left: -0.08em; ">by Zack Martin, Editor, Avisian Publications</span></p><p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1em; margin-left: 0px; padding-top: 0px; padding-right: 
0px; padding-bottom: 0px; padding-left: 0px; "><font class="Apple-style-span" size="3"><span class="Apple-style-span" style="font-size: 13px; font-variant: small-caps; letter-spacing: 1px; line-height: 24px;"><b><a href="http://www.secureidnews.com/2009/09/19/new-driver-license-legislation-proposed">Story Link</a></b></span></font></p><p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1em; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; "><font class="Apple-style-span" size="3"><span class="Apple-style-span" style="font-size: 13px; font-variant: small-caps; letter-spacing: 1px; line-height: 24px;"><b><span class="Apple-style-span" style="font-size: 15px; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 16px; "></span></b></span></font></p><font class="Apple-style-span" size="3"><b><p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1em; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; ">A hearing was held in the U.S. Senate Committee on Homeland Security and Governmental Affairs on the proposed bill called the Providing Additional Security in States' Identification (PASS) Act of 2009. Testimony revealed very different takes on the bill that would basically roll back REAL ID. It's not clear how the proposed change would impact states already complying with REAL ID and rolling out new documents. 
Even with this new bill looming, some states are still moving ahead to comply with REAL ID.</p><div class="extended" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; "><hr style="border-bottom-style: none; border-bottom-width: initial; border-bottom-color: initial; border-top-width: 1px; border-top-style: dotted; border-top-color: rgb(204, 204, 204); clear: both; margin-left: auto; margin-right: auto; text-align: center; width: 258px; height: 0px; color: rgb(204, 204, 204); "><p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1em; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; ">"The major problem with REAL ID is that it is producing very little progress in terms of securing driver's licenses, and it is not getting us to where we need to be," said Janet Napolitano, secretary of the U.S. Department of Homeland Security. "Simply put, REAL ID is unrealistic."</p><p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1em; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; ">Citing the almost $4 billion estimated price tags for states to switch to REAL ID and unfeasible deadlines, Napolitano offers up PASS as an alternative. Napolitano, when she was governor of Arizona, had signed a law against REAL ID.</p><p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1em; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; ">"PASS ID is a critical piece of national security legislation that will fix the REAL ID Act of 2005 and institute strong security standards for government-issued identification," she said. 
"PASS ID will fulfill a key recommendation of the 9/11 Commission, that the federal government set standards for identification such as driver's licenses and non-driver identification cards-and this bill will do so in a way that states will implement, rather than disregard. PASS ID will enact the same strong security standards set out by REAL ID as quickly as REAL ID but, critically, this bill provides a workable way to get there."</p><p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1em; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; ">Napolitano said that PASS ID keeps document verification and authenticating of source documents, advocates the physical security of ID production, requires that photos of applicants be taken and still has the requirement to show compliant IDs. "All in all, PASS ID would match the security provided in REAL ID, while providing the states with more flexibility to innovate and meet the standards," she said.</p><p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1em; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; "></p><p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1em; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; "><strong style="font-style: normal; font-weight: bold; ">How does it differ from REAL ID?</strong></p><p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1em; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; ">The major difference is that PASS ID gives states different options to meet the criteria. 
"While REAL ID mandates electronic verification for all source document information, PASS ID would maintain a focus on ensuring the authenticity of identity source documents that applicants present, allowing states to adopt cost-effective ways to achieve or exceed that threshold," Napolitano said.</p><p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1em; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; ">Since states would be able to choose how to verify identity there would be some cost savings, Napolitano said. The bill would also codify state grants for driver licenses and speed up implementation.</p><p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1em; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; ">"States would have one year after the issuance of final DHS regulations to begin issuing compliant documents, and would have five years from that date to enroll driver's license holders as they see fit," she said. "The REAL ID deadline for completing issuance of compliant driver's licenses is December 2017. If Congress enacts the PASS ID Act as it is currently written by October 2009, states could complete enrollment by July 2016, a full one year and five months ahead of the REAL ID timetable."</p><p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1em; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; ">PASS ID potentially rolls back one key requirement of REAL ID, checking other states to see if an individual has multiple licenses. Napolitano and others say this was cause for privacy concerns. 
"PASS ID would not require states to provide direct access to each other's driver's license databases; in fact, the bill contains protections against creating any national identity database containing all driver's license information and requires states to adopt adequate procedures to prevent unauthorized access to or sharing of personally identifiable information," she said.</p><p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1em; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; ">Read rest of the story and how Opponents see PASS ID as a weak substitute for REAL ID.</p><p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1em; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; "><a href="http://www.secureidnews.com/2009/09/19/new-driver-license-legislation-proposed">Link to story</a></p><p></p></div></b></font></span><font class="Apple-style-span" size="3"><b></b></font><p></p></font></div>]]>
        
    </content>
</entry>

</feed>
