Recently in Security Category

Payment processing trends: What every operator should know

By Administrator on June 4, 2010 7:01 PM
While there are many trends in the credit and debit card industry, security is the trend that most restaurants should put at the top of their list. Security goes beyond locking the front door at closing time. Restaurant operators also must secure the sensitive information their customers provide when paying for their services.
 
Identity theft and credit card fraud are chief concerns for consumers and the credit card industry, and should have great significance to the restaurant operator. Card and identity thieves are becoming increasingly more capable.
 
In 2009, there was a considerable increase in businesses affected by security breaches in the hospitality and restaurant industry. In response to the growing threat, major credit card brands like Visa and MasterCard have continued to increase the scope and rigor of consumer protection standards.
 
The PCI DSS (Payment Card Industry Data Security Standard) has been implemented in phases, with various deadlines, to control the way card data is transmitted and stored. Credit card processors have a looming deadline of July 1, 2010, to ensure their customers operate in a PCI compliant manner.
 
The PCI DSS standard covers many aspects of storing and handling credit card data. The PCI PED (PIN Entry Devices) component is focused on the hardware used at the point of sale (POS) for capturing the 4-digit PIN number on a consumer's debit card. Restaurant owners must ensure that debit card accepting devices are PCI PED compliant, or they risk fines and fees from their processors and the card brands.
 
While the July 1 deadline is directed at the member organizations (banks), processors enabling the acceptance of these transactions are expected to ensure their customers comply with these standards. Many processors are mandating that their customers undergo a PCI audit to ensure compliance and are assessing fees for those customers that do not comply.
 
The goal of these fees is to encourage customer compliance, which will help reduce the risk to both the merchant and the processor. A PCI audit varies in cost, based on the price negotiated by the customer or processor, but is intended to identify security concerns, including devices, software, and processes, that may expose the merchant to the risk of data theft.

Flaws in chip and pin bank card security identified

By Administrator on February 12, 2010 8:01 PM

Scientists have identified security flaws in chip and pin technology that they say are so serious as to require a rethink of the whole system.

The Cambridge University researchers discovered a loophole that could be used to make bank card payments without knowing the correct pin.

Link for Video

Lessons Learned From PCI Compliance

By Administrator on November 26, 2009 3:45 PM
Assessors reveal mistakes companies make with data security standard. -- To help companies get ready for a an evaluation, we asked QSAs to describe common problems they encounter when working with IT groups on PCI compliance. What follows are five best practices to help companies better prepare for an assessment and maintain compliance.

1. Know Where Data Lives

First off, you must know how credit card data flows through your system, where the data resides in the enterprise, and who has access to it. Assessors ask for this information at the outset of an assessment because it determines the scope of the project. They aren't there to review your entire security infrastructure, just the systems that collect, process, transport, and store credit card data. A surprising number of companies don't have a good grasp of this information. "It's common for a client to completely miss a particular data flow and have no idea that credit card data is being forked off to system X, Y, or Z," says a QSA at Neohapsis, who asked to remain anonymous.

Companies express an "extreme amount of frustration" over the amount of effort they have to put in to put the full picture together, says Ted Keniston, a QSA and managing consultant with the global compliances group at Trustwave. "We should be validating this information, not determining it."

Having a complete picture of credit card data isn't just a courtesy to your assessor; it also affects your ability to protect customer information, because you can't secure what you don't know about.

2. PCI Is A Moving Target

Let's say your assessor has just stamped you "compliant." You breathe a sigh of relief. The PCI assessment is annual, so you don't have to worry about it for another 12 months, right? Not so.

PCI compliance is only valid and only applies to the state of the network and systems at the time of the assessment. The moment you make changes to systems that fall under the 


Rest of article and pdf of entire article


inside-pci-compliance_884972.pdf

Tokenization and your store

By Administrator on October 1, 2009 6:48 PM

New approach shapes how retailers secure private information and consumer confidence against data breaches

With stores located in various states and, in some cases, overseas, chain stores face a unique data security challenge. The plethora of recent State Breach Notification Laws and European privacy laws, as well as industry mandates such as the Payment Card Industry's Data Security Standard, put a lot of pressure on chain store CSOs to come up with foolproof ways to protect consumer information against a data breach.

Source Article

Many retailers have already adopted localized encryption and follow data security best practices but, for some companies, this may not be the most efficient way to protect credit-card numbers and various forms of personally identifiable information (PII), including customer loyalty data, and employee social security and commercial drivers' license numbers, etc.

With traditional localized encryption, the encrypted data is stored in applications and databases in place of the original unencrypted data, which means it is located in many places throughout the enterprise. Every system that contains encrypted data is a point of risk and remains "in scope" for PCI DSS compliance and audits. What's more, encrypted data takes more space than unencrypted data, requiring costly programming modifications to applications and databases, along with increased data storage costs.

To solve these challenges, a new data security model -- format preserving tokenization -- is beginning to gain traction with retailers. Tokenization reduces the number of points where sensitive data is stored within an enterprise by replacing encrypted data with data surrogates (tokens) and storing the encrypted information in a central data vault. This makes data security easier to manage and provides an extra layer of security, but it also takes systems "out of scope" for PCI DSS compliance.

Tokenization explained

With traditional encryption, when a database or application needs to store sensitive data, those values are encrypted and the cipher text is returned to the original location. With tokenization, a token -- or surrogate value -- is returned and stored in place of the original data. The token is a reference to the actual cipher text, which can be stored locally ("in-place tokenization") or, as in the newly-emerging model in a central data vault. As long as the token is format-preserving, it can be safely used by any application, database or backup medium throughout the organization. This minimizes the risk of exposing the actual sensitive data and allows business and analytical applications to work without modification.

Format-preserving tokens can either match the expected data type or expose a subset of the original value to simultaneously protect the information and enable applications and job functions to continue unmodified. For example, the token could expose the last four digits of the social security number or credit card number to enable call center operations.

Tokens use the same amount of storage space as the original clear text data instead of the larger amount of storage required by encrypted data. And since tokens are not mathematically derived from the original data, they are arguably safer than exposing cipher text. They can be passed around the network between applications, databases and business processes safely while leaving the encrypted data they represent securely stored in a central data vault. Authorized applications that need access to encrypted data can only retrieve it using a token issued from a token server, providing an extra layer of protection for sensitive information and preserving storage space at data collection points.

Encryption, tokenization, or both: What's right for your enterprise?

There are two distinct scenarios where implementing a token strategy can be beneficial: to reduce the number of places sensitive encrypted data resides or to reduce the scope of a PCI DSS audit. The hub and spoke model is the same for both and contains these three components:

* Centralized encryption key manager to manage the lifecycle of keys.
* Token server to encrypt data and generate tokens.
* Central data vault to hold the encrypted values, or cipher text.

These three components comprise the hub. The spokes are the endpoints where sensitive data originates such as point-of-sale terminals or the servers in stores, various departments at headquarters, a call center or Web site.

In the traditional model, data is encrypted at the stores (spokes) and stored there; or encrypted at headquarters and distributed back out to the stores. Under the tokenization model, encrypted data is stored in a central data vault and tokens replace the corresponding cipher text in applications available to the stores, thereby reducing the instances where cipher text resides throughout the enterprise. This reduces risk because the only place encrypted data resides is in the central data vault until it is needed by authorized applications and employees.

In the second scenario, the model is the same but the focus is on using only tokens in spoke applications thereby reducing scope for a PCI DSS audit. In this case, employees only need a "format-preserving" token where the token provides enough insight for them to perform their jobs. For instance, the token will contain the last four digits of a credit card. In the traditional encryption model, cipher text resides on machines throughout the organization. All of these machines are "in scope" for a PCI DSS audit. In the centralized tokenization model, many of the spokes can use tokens in place of cipher text, which takes those systems out of scope for the audit.

Format preserving tokenization is ideal for some chain store enterprises, while a hybrid approach is better for others. Localized encryption is the default when stores are not always connected to a central data vault. In instances where stores are electronically connected to the data vault, tokenization is often the solution of choice. For many chain store companies, using a combination of localized encryption and tokenization is a practical approach for improving data security.

Format preserving tokenization protects payment-card information and employee information as well as all types of customer PII and loyalty data collected by many chain store marketers. Not only does the technology provide an extra layer of security in an extended enterprise, but it reduces storage space requirements and the scope of PCI DSS audits.

Gary Palgon is VP product management for data protection software vendor nuBridges, and is a frequent contributor to industry publications and a speaker at conferences on eBusiness security issues and solutions. He can be reached at gpalgon@nubridges.com. 

First Data And RSA "Legitimize" Tokenization-Then What?

By Administrator on September 23, 2009 9:09 PM
The conventional wisdom is that when large vendors enter a niche market, those vendors "legitimize" that market. But the announcement that First Data and RSA Security are getting into the credit card tokenization business raises many issues beyond them simply "making" the tokenization market. Here is my first take on the implications of this announcement:

Posted from StorefrontBackTalk

  • Pressure On The PCI SSC To Embrace Tokenization
    The PCI Security Standards Council already commissioned Price-Waterhouse Coopers to do a study of tokenization, end-to-end encryption and other "beyond PCI" issues. The results will likely be discussed at the PCI SSC Community Meetings. That's great. Merchants, service providers and even QSAs want specific guidance about tokenization. This announcement and the weight of the players in the market should virtually guarantee that tokenization will be specifically addressed in the next release of PCI DSS, in addition to QSA training and other guidance from the SSC.

  • Pressure On Payment Processors And Gateways
    I have said before that the number of companies offering tokenization will increase several-fold within a year. We've already seen about a dozen players enter the market in the last six months. I'm expecting 30 to 40 more announced packages over the next six months, as payment processors, gateways, encryption vendors and application vendors all vie to see who can remove credit card data from the merchant environment the fastest.

  • Tokenization Standards And Portability Will Be Hot Topics In 2010
    The more options in the market, the more the demand for "token switching" will increase. Merchants who have entrusted their card data to Service Provider X will increasingly seek shorter duration contracts and have more specific demands about how they migrate their data from one tokenization provider to another.


    Because there are not currently any standards for either the form of a credit card token, how it is generated or how one token type can be converted to another (they can't, BTW), as more merchants realize this, they will raise concerns about being "locked in" to a particular tokenization approach. Smaller vendors will develop "token migration" or conversion tools, etc.

  • Multi-Channel Options And Other Complexity Issues Will Emerge


    Read rest of story at StorefrontBackTalk


    • New driver license legislation proposed

    By Administrator on September 21, 2009 11:22 PM
    Some believe that new proposed driver license legislation would help states better secure IDs while also protecting citizen privacy. Others say it "guts" an existing law and takes states back to pre-9/11 identity vetting for IDs.

    Debate on whether it increases or decreases security

    by Zack Martin, Editor, Avisian Publications

    Story Link

    A hearing held in the U.S. Senate Committee on Homeland Security and Governmental Affairs on the proposed bill called the Providing Additional Security in States' Identification (PASS) Act of 2009. Testimony revealed very different takes on the bill that would basically roll back, REAL ID. It's not clear how the proposed change would impact states already complying with REAL ID and rolling out new documents. Even with this new bill looming, some states are still moving ahead to comply with REAL ID.

    "The major problem with REAL ID is that it is producing very little progress in terms of securing driver's licenses, and it is not getting us to where we need to be," said Janet Napolitano, secretary of the U.S. Department of Homeland Security. "Simply put, REAL ID is unrealistic."

    Citing the almost $4 billion estimated price tags for states to switch to REAL ID and unfeasible deadlines, Napolitano offers up PASS as an alternative. Napolitano, when she was governor of Arizona, had signed a law against REAL ID.

    "PASS ID is a critical piece of national security legislation that will fix the REAL ID Act of 2005 and institute strong security standards for government-issued identification," she said. "PASS ID will fulfill a key recommendation of the 9/11 Commission, that the federal government set standards for identification such as driver's licenses and non-driver identification cards-and this bill will do so in a way that states will implement, rather than disregard. PASS ID will enact the same strong security standards set out by REAL ID as quickly as REAL ID but, critically, this bill provides a workable way to get there."

    Napolitano said that PASS ID keeps document verification and authenticating of source documents, advocates the physical security of ID production, requires that photos of applicants be taken and still has the requirement to show compliant IDs. "All in all, PASS ID would match the security provided in REAL ID, while providing the states with more flexibility to innovate and meet the standards," she said.

    How does it differ from REAL ID?

    The major difference is that PASS ID gives states different options to meet the criteria. "While REAL ID mandates electronic verification for all source document information, PASS ID would maintain a focus on ensuring the authenticity of identity source documents that applicants present, allowing states to adopt cost-effective ways to achieve or exceed that threshold," Napolitano said.

    Since states would be able to choose how to verify identity there would be some cost savings, Napolitano said. The bill would also codify state grants for driver licenses and speed up implementation.

    "States would have one year after the issuance of final DHS regulations to begin issuing compliant documents, and would have five years from that date to enroll driver's license holders as they see fit," she said. "The REAL ID deadline for completing issuance of compliant driver's licenses is December 2017. If Congress enacts the PASS ID Act as it is currently written by October 2009, states could complete enrollment by July 2016, a full one year and five months ahead of the REAL ID timetable."

    PASS ID potentially rolls back one key requirement of REAL ID, checking other states to see if an individual has multiple licenses. Napolitano and others say this was cause for privacy concerns. "PASS ID would not require states to provide direct access to each other's driver's license databases; in fact, the bill contains protections against creating any national identity database containing all driver's license information and requires states to adopt adequate procedures to prevent unauthorized access to or sharing of personally identifiable information," she said.

    Read rest of the story and how Opponents see PASS ID as a weak substitute for REAL ID.

    Link to story

    EMV takes aim at U.S.

    By Administrator on June 18, 2009 10:43 PM
    Nice article on SecureIDnews covering EMV. by Andy Williams, Associate Editor, Avisian Publications

    Like a massive tidal wave, EMV continues to roll across the world, changing the global payments landscape. Since UK banks first committed to EMV five-years ago, more than 100 countries have taken the plunge in efforts to stem credit card fraud.

    But the U.S. has always remained outside the EMV plan. This, however, may be changing as fraud, technology and business is changing the payments landscape.

    Brian Byrne, head of product technology for standards and specifications at Visa estimates there are some 730 million EMV cards and 10 million terminals in existence around the world.

    Toni Merschen, group head of chip at MasterCard Worldwide, notes that the Single European Payments Area initiative requires 38 countries to complete the migration to EMV by Jan. 1, 2011.

    EMV gets its name from the companies which originally created it, Europay, MasterCard and Visa. Seven years ago Europay merged with MasterCard and the new standards body was renamed EMVCo. Its members now include Visa, MasterCard, Japan-based JCB and its newest member, American Express.

    EMVCo's primary goal "is to facilitate global interoperability and compatibility of chip-based payment cards and acceptance devices through deployment of relevant EMV Specifications," says an EMVCo spokesperson.

    EMV also goes by "chip and PIN," because the card contains a chip and a PIN is required before a transaction is processed. But nowadays, that chip and PIN moniker may be misleading. As Byrne, points out, many countries are foregoing the PIN part of EMV implementation, the predominant reason being that many consumers don't want to remember a PIN.

    The country most advanced towards EMV implementation is the UK, the banks their were the first to adopt chip and PIN, says Merschen. Other markets that have reached maturity for EMV migration on either cards, point-of-sales devices and ATMs include France and Turkey in Europe and Malaysia in the Asia-Pacific region, he adds.

    The migration isn't easy. Merschen says a number of infrastructure changes are required to handle EMV. "For issuers, there are new data elements that need to be supported by the issuer authorization and clearing host systems. Card data preparation, including key management, and card personalization also require hardware and software upgrades," Merschen says. "On the acquiring side, the impacts are similar. Acquirer host systems must be able to receive new data fields from terminals, which also need to be upgraded from both a hardware and software perspective."

    Glitches all but resolved

    In the early days of EMV there were issues, Merschen says, such as a shortage of approved products, lack of customer and vendor expertise with EMV and areas where the specifications left implementation options.

    That was then. These issues from the early days of EMV have largely been resolved, says Merschen. "Robust migration processes are available to guide the banks, merchant, and consumers in their migration involvement," he adds.

    Visa's Byrne describes the early road bumps as minor. "This card issued in country A was having some acceptance problems in country B. In some cases, some of the older terminals wouldn't work properly, but that was usually due to configuration issues, fairly minor stuff."

    EMV in the U.S.?

    So with the U.S. sandwiched between two EMV countries-Mexico and Canada-most think it's only a matter of time before the U.S. joins the EMV parade.

    Paul Beverly, president of Gemalto North America, believes increased fraud will mandate such changes.

    In an article in the spring 2009 issue of Regarding ID magazine, Beverly wrote: "The rest of the world is well on the way to EMV implementation. Europe and Asia have long been issuing cards and ... Latin America, faced with exploding credit card skimming fraud, is fully committed to EMV smart cards. .. Yet stakeholders in the United States still find fraud losses and identity theft risks acceptable. It is disappointing that U.S. companies are trailing the rest of the world in this area."

    Charles Walton, executive vice president for payments for INSIDE Contactless, believes that the U.S. will ultimately get on board with the secure cards. "We're seeing inherent insecurities in the system, such as the Heartland Payment Systems hack. It's only a matter of time before these types of hacks will become intolerable."

    Walton says hackers will look at the weakest point in the payment chain and exploit it. "If you start securing one point in the chain, it begins to expose the other points, the path of least resistance for water, will find the lowest point."

    MasterCard's Merschen says that these fraud migration and data compromise incidents, plus the possibility of government regulation will lead several U.S. banks to consider EMV.

    The handwriting is on the wall, so to speak. "It's inevitable that the U.S. migrate to EMV, primarily because fraud is escalating," adds Randy Vanderhoof, executive director of the Smart Card Alliance. "Major financial institutions in the U.S. are also international so it will not be a big step for them to issue these cards in the U.S."

    Contactless and EMV

    At first blush it would seem that contactless and EMV would be working toward opposite purposes, but Walton says EMV can run on top of contactless. "I would think of EMV as a security protocol that works with contactless as well as contact chips."

    Visa is using EMV specs in its contactless payWave technology, Byrne says. "The way we're deploying contactless in the U.S. is using EMV specs," says Byrne. "It's based on EMV technology making use of strong security elements baked into EMV. These new cards will not only be accepted in readers in the U.S. but also in the UK."

    The next generation of contactless cards will be a step toward EMV, says Vanderhoof. For example, MasterCard terminals certified for contactless also carry elemental portions of EMV. "We're seeing these gradual upgrades of the infrastructure to support it," he says.

    Vanderhoof says these new rules for EMV contactless are different than those for EMV contact cards. Purchases under about $25 can be a contactless transaction in the UK, just like in the U.S. "Just tap it and go, no PIN or signature. After a certain number of transactions you might be required to enter your PIN."

    Rest of story

    Proximity (NFC) Mobile Payment Technology - Security Whitepaper

    By Administrator on May 21, 2009 2:04 PM

    The opportunities offered by the advent of proximity mobile payments are clear; differentiated payment services, increased transaction volumes, faster transactions, increased customer convenience, operational efficiencies and the ability to increase customer loyalty through targeted gift and loyalty programs. With implementations already in place in Europe and Japan, strong consumer interest and the ability to leverage the contactless POS infrastructure already in place, NFC-enabled proximity mobile payments show much promise. But how will security be managed in an ecosystem with so many stakeholders, each managing their own unique aspect of the process? The news is good.

    Both the financial and mobile industries have made much progress in defining how NFC-enabled mobile payments will take place and how financial information will be secured. Security is bolstered by the use of industry standards and by the technology supporting proximity mobile payments. Industry organizations have defined standards based approaches to ensuring that payment account information is delivered securely to the mobile phone and stored securely in the phone's secure element.

    The NFC-enabled mobile phone leverages the existing ISO/IEC 14443 standard for communicating payment information from the phone to the merchant's POS terminal. Appropriate risk analysis of an operational model for proximity mobile payments can identify where there is potential for fraud or misuse, develop mitigation measures and assign responsibility. From the consumer's perspective, the proximity mobile phone payment looks just like a contactless credit or debit card transaction.

    Mobile phones can also leverage two-factor authentication technology to secure the payment application and information. Requiring a passcode or a fingerprint to initiate or respond to the terminal's attempt to initiate or validate a transaction can provide the consumer with additional comfort and a sense of control over a transaction.

    While implementations may vary, industry players are moving in a consistent direction. Industry organizations are working to increase ease of access, global interoperability and security of mobile payment technology to consumers. Pilot studies in the United States and implementations worldwide have tested both the technology and the mobile payments process. Proximity mobile payments technology is solid, and will serve this exciting new payment frontier well. Industry stakeholders can leverage the proven technology and a merchant infrastructure that is ready to go to take advantage of consumers' ever-growing love of mobile technology.

    Download whitepaper
    « Regulatory Standards | Main Index | Archives | Self-Service »


    Related Ring Sites:
      GoKIS  |   ThinClient.org  |   keefner.com  |   Visi Kiosk site  |   KIOSK  |   Kis-kiosk.com  |
    Resource Sites:
      Elo TouchSystems  |   Acire Inc.  |   Nextep  |   TIO Networks  |   Olea  |   Self-Service Networks  |   Meridian Kiosks  |   Provisio  |   Kioware  |
      Selling Machine Partners  |   Source Technologies  |   Seepoint  |   5Point  |   Nanonation  |   Netkey  |   KioskCom  |   Summit Research  |   NCR  |