Recently in Regulatory Standards Category

From SecureIDNews -- Link

Pilots concluding but final access control policies still more than a year out

John Schwartz, program manager for the Transportation Worker Identification Credential (TWIC), was going to begin an update on the program with the words "eight-years ago," but then thought better of it. It has been that long since Congress mandated that the Transportation Security Administration (TSA) create a credential for secure access to ports, and the agency is still working on the roll out.

It will most likely be 2012 before there are widespread readers electronically verifying the credentials, Schwartz said during a presentation at the Interagency Advisory Board meeting in September. But while critics dismiss the credential as an expensive flash pass, progress has been made toward wide-scale electronic verification at ports.

The TSA reports that at 135 enrollment centers across the country, 1.7 million workers have been enrolled and of those 1.6 million have activated their ID.

Schwartz and his team are working on a congressionally-mandated reader test that will lead to the final rule for reading the TWIC. His team has done testing in the lab, in the field without looking at the impact on a port's business processes and finally in the field while considering at the impact on business.

Through lab testing the TSA approved 28 readers and associated systems, Schwartz says. The lab tests looked at reader performance in different environmental conditions, extreme hot and cold temperatures, water and humidity, as well as durability tests.

The 28 approved readers include two alternative biometric systems. If a port can show a chain of trust in enrolling a worker in the local physical access control system, it is acceptable to use an alternative biometric, such as iris, to access the facility.

TWIC follows the FIPS 201 specification but diverges in the utilization of biometric and contactless technologies. In order to access the biometric on a TWIC a cardholder must be enrolled in the local physical access control system first. That means the TWIC privacy key, which is storied on the card's magnetic stripe and chip, must be registered into the local physical access control system before it can be read using the contactless interface.

This is different from other PIV credentials where the biometric is accessed only via the card's contact interface. TWIC modified the FIPS 201 spec for its use because port operators demand high throughput and PIN protected contact interface reads were deemed too time intensive.

For the field-testing, Congress instructed that the readers be used in at least five distinct geographic locations to test the business processes, technology and operational impacts.

The sites selected for the tests needed to be from a broad spectrum of operations and climates, Schwartz says. The final report on the testing was due in April but implementing specifications and identifying volunteer ports delayed the project.

The TSA received $8.1 million to provide independent testing, data collection and analysis, Schwartz says. The ports, terminal and vessel operators received $23 million in security grants with $15 million for the pilot and the remainder held in reserve for future reader deployments.

While $15 million may sounds like a lot of money to spend on readers, it wasn't spent just on that technology, Schwartz explains. Cabling, updating infrastructure and deploying physical access control systems had to be done in many instances for the system to work.

The tests have already generated some important lessons, Schwartz says. There have been challenges integrating the TWIC readers into different physical access control systems.

The messaging from the readers needs to be standardized and made to be visible in all environments, Schwartz says. He cites the example of a card rejected by a reader without an adequate error message. "If the card gets an error the guard would tell the worker they need a new one when it may not have been registered in the PACS or something more minor," Schwartz says.

There have also been issues with creating a standard for the information processing. The TSA has determined that the sequences for authenticating the card, checking the registration in the physical access control system and checking the hot list all need to be done in the same sequence.

The read range of the contactless readers has been problematic too, Schwartz says. Ports that used proximity cards previously are reeducating workers that the card may need to be held closer to the reader than with the prior technology. The cards, which come with plastic sleeves, also have to be removed from the sleeve to be read in some instances.

Educating cardholders on how to take care of the credential has been a learning experience, he says. Some truck drivers will keep the credential around the rearview mirror in the sun and this can damage the chip and antenna.

Explaining the hot list, or revocation list, has been problematic too, Schwartz says. A worker will lose the card, call the number to report it lost at which point it is placed on the revocation list. If the worker finds the card a day or two later and tries to use it, it is flagged port security is alerted.

Other problems have included general installation issues including electrical power fluctuations, physical reader placements that are too high, too low or too far from worker, and slow turnstile and gate mechanism responses.

The TSA is planning to deliver a report with the test findings to Congress in 2011, Schwartz says. After that the U.S. Coast Guard, which is responsible for enforcing TWIC, will make a rule for ports and port operators to follow. That will most likely not be until 2012.

Because of the delay in the final rule most port operators are opting to wait before deploying TWIC reading systems, says Walter Hamilton, senior consultant at ID Technology Partners. Port operators could deploy the systems now but are afraid they will have to retrofit or tear out technology depending on the rule.

But some reader manufacturers have given guarantees that if they opt for the maintenance package the vendor will guarantee compatibility with the final rule, Hamilton says. "It give the maritime operators some level of comfort," he says.

The TSA is looking to solve some other logistics issues as well, Schwartz says. Enrollment and card activation services for remote locations can be a hardship for some areas. Workers have to show up once to apply for the credential with all the appropriate documentation and then show up again a few days later to receive and activate the card.

This has been problematic in areas where the enrollment center is far from the port or port worker's home, he explains. Congress has questioned the TSA on this, asking if the credential can be mailed but the FIPS 201 standard doesn't allow the ID to be mailed. TSA is looking at other alternatives to solve this problem.

The durability of the credential has been another problem, Schwartz says. The card is tested before leaving the central production facility and before leaving the activation center, but there have been problems with card failures in the field.

Without the presence of a TWIC team member with card analysis tools, it has been difficult to determine whether the problem is with the card, the reader or the access control system at the facility.

The TSA is considering a move from a 72K chip to a 144K chip, Schwartz says. Before the change is made official, however, they are verifying that no other system changes will be necessary and that there will be little or no impact on production and reader equipment.

The TWIC road has been a long and arduous one, ultimately taking more than a decade from mandate through roll out to electronic verification of the credential. But one day soon U.S. ports may have the increased security originally envisioned by TWIC initiators.

by Mathew Hegarty  -- More and more healthcare organizations are turning to virtual desktops to address their challenges with the management, security and cost of their organizations end-point devices, namely workstations and laptops. This has long been a complicated subject for healthcare executives due to the complexities within in the healthcare environment. The fact is, end-point devices are the one piece of the technology chain not physically placed in a secured environment.  Servers and switches are hosted in secured and environmentally controlled Data Centers and IDF closets, but laptops and workstations do their work in the Emergency Room, admitting office, or on one of the Nurses mobile carts. This introduces not only additional support costs and challenges but security concerns as well.

Even for the IT administrators managing a traditional technology infrastructure consisting of servers, desktops and laptops creates serious challenges. Ensuring software is consistently updated, hardware is running optimally and data is secure and safely backed-up is a time-intensive monotonous effort that puts IT departments in reaction mode rather than focused on proactive system maintenance and innovation. 

The economics of Healthcare IT are simple. The cost of maintaining IT infrastructure is becoming untenable given the complexity of new systems; the need for flexible and scalable deployments are a requirement for all new projects with executive buy-in. Add to that increasing healthcare costs relative to inflation and newfound political pressure to keep costs down while maintaining the quality of the care being provided. One thing is certain, healthcare organizations are challenged as never before to do more with less.

Enter virtual desktops to save the day - and the bottom line - for healthcare. For the uninitiated, virtual desktops represent a philosophical shift in how end-point devices are deployed and supported across an organization. The traditional approach of managing hardware, software and data at the individual machine level is extremely costly, typically in an uncontrolled environment, and near impossible to keep consistent.

The simple fact is virtual desktop technology allows Healthcare IT departments to deploy desktops, laptops and portable devices at a lower cost and from a controlled, secure data center. By running the software on a centralized server and having users access only necessary applications, the resources required to support the network are minimized while network uptime can actually be increased; because we are ìpushingî the applications and configurations from a central point, consistency is maintained across the environment.

This isn't exactly a new concept.  IBM had seen the value of running centralized servers with terminals back in the late 1950's with the advent of the Mainframe.    The concept was simple: centralize the key resources in a secured, controlled data center and use lower cost ìdumbî terminals at each desk to communicate with the mainframe.  Well, whatís old is new again.  The main difference between the Mainframes of old and todays virtual desktops are the familiar graphical interface of Microsoft Windows.

Hospitals and clinics can now make technology work for them, not the other way around. Virtual desktops loaded on thin clients, old workstations or laptops mounted on rolling carts have transformed the way physicians and caregivers treat patients. Instant access to patient records and integrated prescription management means healthcare workers now have real-time information at the point of care, which translates into faster, more effective care for patients.

Compliance with HIPAA is made even easier by virtual desktop technology. By accessing applications and data stored on a centralized server, the risk of losing sensitive patient data through the theft of hardware is nearly eliminated. What's more, once data is entered by a caregiver the device used does not retain the patient data. In short, applications and data stored on servers in a data center are subject to the highest level of control and security possible.

From my perspective as an experienced Systems Integrator, a virtual desktop solution makes sense for just about every healthcare organization.  From small physician practices up to the largest hospital groups, the fundamental benefits are the same. Translation? Gone are the days of your IT staff having to troubleshoot individual desktops because of a problem with an application. Gone too is the need for updates and patches for individual applications and printers on every physical desktop. Application performance is raised to a higher level because the computing environment and configuration is controlled in the data center.

What's our prognosis on the future of healthcare IT? Virtual desktop technology brings too many benefits to healthcare at a time when cost containment and data control are paramount. The transformation of healthcare technology is happening now and will never be the same. Because the most efficient delivery of healthcare information always wins in the end, we're seeing the age of virtual desktops take form.

Source Link

Virtualization , Virtual Desktops , HIPAA , Healthcare IT , Compliance

While there are many trends in the credit and debit card industry, security is the trend that most restaurants should put at the top of their list. Security goes beyond locking the front door at closing time. Restaurant operators also must secure the sensitive information their customers provide when paying for their services.
Identity theft and credit card fraud are chief concerns for consumers and the credit card industry, and should have great significance to the restaurant operator. Card and identity thieves are becoming increasingly more capable.
In 2009, there was a considerable increase in businesses affected by security breaches in the hospitality and restaurant industry. In response to the growing threat, major credit card brands like Visa and MasterCard have continued to increase the scope and rigor of consumer protection standards.
The PCI DSS (Payment Card Industry Data Security Standard) has been implemented in phases, with various deadlines, to control the way card data is transmitted and stored. Credit card processors have a looming deadline of July 1, 2010, to ensure their customers operate in a PCI compliant manner.
The PCI DSS standard covers many aspects of storing and handling credit card data. The PCI PED (PIN Entry Devices) component is focused on the hardware used at the point of sale (POS) for capturing the 4-digit PIN number on a consumer's debit card. Restaurant owners must ensure that debit card accepting devices are PCI PED compliant, or they risk fines and fees from their processors and the card brands.
While the July 1 deadline is directed at the member organizations (banks), processors enabling the acceptance of these transactions are expected to ensure their customers comply with these standards. Many processors are mandating that their customers undergo a PCI audit to ensure compliance and are assessing fees for those customers that do not comply.
The goal of these fees is to encourage customer compliance, which will help reduce the risk to both the merchant and the processor. A PCI audit varies in cost, based on the price negotiated by the customer or processor, but is intended to identify security concerns, including devices, software, and processes, that may expose the merchant to the risk of data theft.

Scientists have identified security flaws in chip and pin technology that they say are so serious as to require a rethink of the whole system.

The Cambridge University researchers discovered a loophole that could be used to make bank card payments without knowing the correct pin.

Link for Video

Lessons Learned From PCI Compliance

Assessors reveal mistakes companies make with data security standard. -- To help companies get ready for a an evaluation, we asked QSAs to describe common problems they encounter when working with IT groups on PCI compliance. What follows are five best practices to help companies better prepare for an assessment and maintain compliance.

1. Know Where Data Lives

First off, you must know how credit card data flows through your system, where the data resides in the enterprise, and who has access to it. Assessors ask for this information at the outset of an assessment because it determines the scope of the project. They aren't there to review your entire security infrastructure, just the systems that collect, process, transport, and store credit card data. A surprising number of companies don't have a good grasp of this information. "It's common for a client to completely miss a particular data flow and have no idea that credit card data is being forked off to system X, Y, or Z," says a QSA at Neohapsis, who asked to remain anonymous.

Companies express an "extreme amount of frustration" over the amount of effort they have to put in to put the full picture together, says Ted Keniston, a QSA and managing consultant with the global compliances group at Trustwave. "We should be validating this information, not determining it."

Having a complete picture of credit card data isn't just a courtesy to your assessor; it also affects your ability to protect customer information, because you can't secure what you don't know about.

2. PCI Is A Moving Target

Let's say your assessor has just stamped you "compliant." You breathe a sigh of relief. The PCI assessment is annual, so you don't have to worry about it for another 12 months, right? Not so.

PCI compliance is only valid and only applies to the state of the network and systems at the time of the assessment. The moment you make changes to systems that fall under the 

Rest of article and pdf of entire article


Visa has announced new global best practices for data field encryption, also known as end-to-end encryption - a much-discussed solution in the wake of the Heartland Payment Systems breach.

Announced by the global credit card company on Monday, these best practices are designed to further the payment industry's efforts to develop a common, open standard while providing guidance to encryption vendors and early adopters. Data field encryption protects card information from the swipe to the acquirer processor with no need for the merchant to process or transmit card data in the "clear."

Visa's Jennifer Fischer, senior business leader in the card company's risk area, says encryption is not being touted as a silver bullet for anyone, "But we see it as a way to supplement and help, in many cases, augment existing security measures."

Data field encryption can be another layer to enhance a merchant's security by eliminating any clear text data either in storage or in flight.

In addition to issuing these encryption best practices, Visa is chair of the ANSI X9F6 standards working group and is helping to develop a much-needed industry data field encryption standard. Fischer notes that Visa is also working with the Payment Card Industry Security Standards Council in reviewing its recent study by PriceWaterhouseCooper on emerging technologies use in the payments industry. Encryption was cited as one of the top four emerging technologies being looked at within the payment stream to protect data.

read rest of article
The conventional wisdom is that when large vendors enter a niche market, those vendors "legitimize" that market. But the announcement that First Data and RSA Security are getting into the credit card tokenization business raises many issues beyond them simply "making" the tokenization market. Here is my first take on the implications of this announcement:

Posted from StorefrontBackTalk

  • Pressure On The PCI SSC To Embrace Tokenization
    The PCI Security Standards Council already commissioned Price-Waterhouse Coopers to do a study of tokenization, end-to-end encryption and other "beyond PCI" issues. The results will likely be discussed at the PCI SSC Community Meetings. That's great. Merchants, service providers and even QSAs want specific guidance about tokenization. This announcement and the weight of the players in the market should virtually guarantee that tokenization will be specifically addressed in the next release of PCI DSS, in addition to QSA training and other guidance from the SSC.

  • Pressure On Payment Processors And Gateways
    I have said before that the number of companies offering tokenization will increase several-fold within a year. We've already seen about a dozen players enter the market in the last six months. I'm expecting 30 to 40 more announced packages over the next six months, as payment processors, gateways, encryption vendors and application vendors all vie to see who can remove credit card data from the merchant environment the fastest.

  • Tokenization Standards And Portability Will Be Hot Topics In 2010
    The more options in the market, the more the demand for "token switching" will increase. Merchants who have entrusted their card data to Service Provider X will increasingly seek shorter duration contracts and have more specific demands about how they migrate their data from one tokenization provider to another.

    Because there are not currently any standards for either the form of a credit card token, how it is generated or how one token type can be converted to another (they can't, BTW), as more merchants realize this, they will raise concerns about being "locked in" to a particular tokenization approach. Smaller vendors will develop "token migration" or conversion tools, etc.

  • Multi-Channel Options And Other Complexity Issues Will Emerge

    Read rest of story at StorefrontBackTalk

  • The purpose and goal of the EMV standard is to specify interoperability between EMV compliant IC cards and EMV compliant credit card payment terminals throughout the world. There are two major benefits to moving to smart card based credit card payment systems: improved security (with associated fraud reduction), and the possibility for finer control of "offline" credit card transaction approvals

    So someone asks you -- is your kiosk EMV L2, or more specifically are your devices Level 2...

    Here are some definitions.

    EMV Level 1 covers the electrical and physical interfaces, and the transmission of data, between the terminal and the card. There is an extensive EMVCo defined level 1 approval process, which requires every card reader to have completed laboratory type approval before they can be used to perform EMV transactions. EMVCo also require this approval to be renewed at defined intervals to retain compliance.

    EMV Level 2 covers the set of functions that provide all the necessary processing logic and data that is required to select and process a card application in order to perform an EMV transaction.

    There is an extensive EMVCodefined level 2 approval process, which requires every EMV kernel to have completed laboratory type approval before they can be used to perform EMV transactions. EMVCo also require this approval to be renewed at defined intervals to retain compliance.

    There are no level 2 certified Card Readers for example. They are all Level 1. There are however Level 2 kernels.

    Reference EMVCO link

    Level 2 Contact Approved Application Kernels - Within 2 Years

    EMV 4.0 Approvals Within the Past Two Years

    The following list contains application kernels for which EMVCo has approved the first configuration within the past two years.

    EMVCo Terminal Type Approval Level 2 addresses the conformance of the terminal resident application software in whole or in part that supports the required and optional EMV specification functionality.

    EMVCo is pleased to announce the following Vendors Application Kernels have received EMVCo Terminal Type Level 2 approval according to EMV 4.0.

    489 Approved Kernel Configurations/140 Vendors

    The EMVCO site also lists devices which meet the EMV L1 certs.

    Level 1 Contact Approved Interface Modules

    EMVCo Type Approval Level 1 addresses the conformance of Interface Modules (IFM) to the EMV defined set of electrical, mechanical and communication protocol characteristics. EMVCo is pleased to announce the following vendors' interface modules (IFMs) have received EMVCo Terminal Level 1 approval according to EMV 4.0 specifications.

    For further details regarding these products, including the test result summary, please contact the relevant vendor. You may also contact the EMVCo via communication facility found on this website. Please go to the home page and select "Contact Us" and follow the prompts to submit your query.

    Please note that an IFM marked with an asterisk (*) has some restrictions. These restrictions are listed on the first page of the LOA. Contact the vendor to retrieve a copy of the LOA.

    661 IFM Approvals/242 Vendors

    EMV takes aim at U.S.

    Nice article on SecureIDnews covering EMV. by Andy Williams, Associate Editor, Avisian Publications

    Like a massive tidal wave, EMV continues to roll across the world, changing the global payments landscape. Since UK banks first committed to EMV five-years ago, more than 100 countries have taken the plunge in efforts to stem credit card fraud.

    But the U.S. has always remained outside the EMV plan. This, however, may be changing as fraud, technology and business is changing the payments landscape.

    Brian Byrne, head of product technology for standards and specifications at Visa estimates there are some 730 million EMV cards and 10 million terminals in existence around the world.

    Toni Merschen, group head of chip at MasterCard Worldwide, notes that the Single European Payments Area initiative requires 38 countries to complete the migration to EMV by Jan. 1, 2011.

    EMV gets its name from the companies which originally created it, Europay, MasterCard and Visa. Seven years ago Europay merged with MasterCard and the new standards body was renamed EMVCo. Its members now include Visa, MasterCard, Japan-based JCB and its newest member, American Express.

    EMVCo's primary goal "is to facilitate global interoperability and compatibility of chip-based payment cards and acceptance devices through deployment of relevant EMV Specifications," says an EMVCo spokesperson.

    EMV also goes by "chip and PIN," because the card contains a chip and a PIN is required before a transaction is processed. But nowadays, that chip and PIN moniker may be misleading. As Byrne, points out, many countries are foregoing the PIN part of EMV implementation, the predominant reason being that many consumers don't want to remember a PIN.

    The country most advanced towards EMV implementation is the UK, the banks their were the first to adopt chip and PIN, says Merschen. Other markets that have reached maturity for EMV migration on either cards, point-of-sales devices and ATMs include France and Turkey in Europe and Malaysia in the Asia-Pacific region, he adds.

    The migration isn't easy. Merschen says a number of infrastructure changes are required to handle EMV. "For issuers, there are new data elements that need to be supported by the issuer authorization and clearing host systems. Card data preparation, including key management, and card personalization also require hardware and software upgrades," Merschen says. "On the acquiring side, the impacts are similar. Acquirer host systems must be able to receive new data fields from terminals, which also need to be upgraded from both a hardware and software perspective."

    Glitches all but resolved

    In the early days of EMV there were issues, Merschen says, such as a shortage of approved products, lack of customer and vendor expertise with EMV and areas where the specifications left implementation options.

    That was then. These issues from the early days of EMV have largely been resolved, says Merschen. "Robust migration processes are available to guide the banks, merchant, and consumers in their migration involvement," he adds.

    Visa's Byrne describes the early road bumps as minor. "This card issued in country A was having some acceptance problems in country B. In some cases, some of the older terminals wouldn't work properly, but that was usually due to configuration issues, fairly minor stuff."

    EMV in the U.S.?

    So with the U.S. sandwiched between two EMV countries-Mexico and Canada-most think it's only a matter of time before the U.S. joins the EMV parade.

    Paul Beverly, president of Gemalto North America, believes increased fraud will mandate such changes.

    In an article in the spring 2009 issue of Regarding ID magazine, Beverly wrote: "The rest of the world is well on the way to EMV implementation. Europe and Asia have long been issuing cards and ... Latin America, faced with exploding credit card skimming fraud, is fully committed to EMV smart cards. .. Yet stakeholders in the United States still find fraud losses and identity theft risks acceptable. It is disappointing that U.S. companies are trailing the rest of the world in this area."

    Charles Walton, executive vice president for payments for INSIDE Contactless, believes that the U.S. will ultimately get on board with the secure cards. "We're seeing inherent insecurities in the system, such as the Heartland Payment Systems hack. It's only a matter of time before these types of hacks will become intolerable."

    Walton says hackers will look at the weakest point in the payment chain and exploit it. "If you start securing one point in the chain, it begins to expose the other points, the path of least resistance for water, will find the lowest point."

    MasterCard's Merschen says that these fraud migration and data compromise incidents, plus the possibility of government regulation will lead several U.S. banks to consider EMV.

    The handwriting is on the wall, so to speak. "It's inevitable that the U.S. migrate to EMV, primarily because fraud is escalating," adds Randy Vanderhoof, executive director of the Smart Card Alliance. "Major financial institutions in the U.S. are also international so it will not be a big step for them to issue these cards in the U.S."

    Contactless and EMV

    At first blush it would seem that contactless and EMV would be working toward opposite purposes, but Walton says EMV can run on top of contactless. "I would think of EMV as a security protocol that works with contactless as well as contact chips."

    Visa is using EMV specs in its contactless payWave technology, Byrne says. "The way we're deploying contactless in the U.S. is using EMV specs," says Byrne. "It's based on EMV technology making use of strong security elements baked into EMV. These new cards will not only be accepted in readers in the U.S. but also in the UK."

    The next generation of contactless cards will be a step toward EMV, says Vanderhoof. For example, MasterCard terminals certified for contactless also carry elemental portions of EMV. "We're seeing these gradual upgrades of the infrastructure to support it," he says.

    Vanderhoof says these new rules for EMV contactless are different than those for EMV contact cards. Purchases under about $25 can be a contactless transaction in the UK, just like in the U.S. "Just tap it and go, no PIN or signature. After a certain number of transactions you might be required to enter your PIN."

    Rest of story

    Wal-Mart this month became the latest major retailer to experiment with self-service kiosks, selling space in 77 stores for units that buy back used video games and issue credits directly to various payment cards.

    The initial trial is entirely isolated, with the kiosk vendor having access only to its own network and not to Wal-Mart's. But the $375 billion chain is officially considering having the machines offer in-store credits in the form of gift cards, which would mean allowing the kiosks two-way access to POS and potentially CRM data. That would force some serious strategic debate about how far outside vendor kiosks can--and should--be allowed to play inside a retailer's databases.

    The initial version of the kiosks collect payment card information as well as drivers license data. Even setting aside the potential future POS/CRM access, the payment and highly-sensitive driver's license data will force some of that debate right away. How secure are the kiosks? Who is ultimately responsible in the event of a security breach, both from a legal and PCI perspective?

    Beyond lawyers and assessors, consumers and the dollars they control will likely blame the retailer for any problems that started with a kiosk in or right next to its store. Wal-Mart officials are stressing that the Wal-Mart logo will not be used on any of the trial kiosks, although the Wal-Mart blue and yellow brand colors will absolutely be used. "This is not Wal-Mart's machine," said Melissa O'Brien, a spokeswoman for Wal-Mart's entertainment division. "We are leasing space to them in our store vestibules just like with do with other companies." And that nuanced distinction will be explained to every Wal-Mart customer how?

    The insistence that no brand be used displayed will be a nice point for the lawyers, but it won't do much for public perception. PCI Safe Harbor and legal indemnification won't help much if consumers feel betrayed.

    Another troubling issue is data ownership. If Wal-Mart gets consumers to come to their stores and asks them to interact with a kiosk in the store, can the kiosk vendor use that information to help other retailers? As a pragmatic matter, how can they not do so?

    The kiosks will know precisely who is returning what products and for how much money. Wouldn't consumers goods manufacturers--such as the ones that made that game as well as the ones that make rival offerings--kill for such data? Or to even be able to send a message to those people? And what about other retailers trying to steal some marketshare?

    Alan Rudy, CEO of E-Play, the Ohio-based kiosk operator that is working with Wal-Mart on this trial, insisted the units securely handle credit and debit card data. He said E-Play retains ownership of all information gathered by the kiosks and has no plans to share or sell it, but he wouldn't rule out anything for the future.

    Rest of the story

    Excerpt: Critical to the selection was choosing a vendor that best met PCI DSS (Payment Card Industry Data Security Standard) requirements. For this, ePlay turned to WatchGuard to provide the instrumental role in PCI DSS requirement 1 - Install and maintain a firewall configuration to protect cardholder data.

    Editors Note:  Regulations too often become a bullet point and lose there practical effect on a project. PCI compliance is that way with self-service terminals.  Many kiosks that handle credit card data do not have firewalls installed on them either for wired or wireless access. Here is example of firewall selection.

    SAN FRANCISCOApril 22 /PRNewswire/ -- RSA -- WatchGuard(R) Technologies, a global leader in extensible network security and connectivity solutions, today announced that ePlay, an innovator in the DVD rental business, has selected WatchGuard solutions to provide PCI DSS compliant firewall security, and to protect thousands of remote DVD and video game disc rental kiosks as well as ePlay's back-end data center.

    "After evaluating Cisco, and other network security vendors, ePlay standardized on WatchGuard for their high security, performance, reliability and unbeatable total cost of ownership," said David Stellmack, Senior Systems Engineer at ePlay. "This is a mission-critical network comprised of remote kiosks and a data center transacting a large volume of payment card transactions. With WatchGuard in place, we can drive down costs, reduce time to market, and increase our provisioning process by twofold."

    PCI DSS Compliant Protection

    Critical to ePlay selection was choosing a vendor that best met PCI DSS (Payment Card Industry Data Security Standard) requirements. For this, ePlay turned to WatchGuard to provide the instrumental role in PCI DSS requirement 1 - Install and maintain a firewall configuration to protect cardholder data.

    To do this, each ePlay kiosk is armed with a WatchGuard Firebox Edge appliance to provide firewall, intrusion detection/prevention services, and highly secure VPN network connectivity. For remote kiosks, such as those located outdoors, ePlay utilizes the WatchGuard 3G Extend family of wireless connectivity solutions. With it, triple-DES encrypted VPN tunnels carry payment card and other sensitive data via 3G cellular networks. This gives ePlay maximum flexibility for kiosk deployments, usage models and most importantly, strong cardholder data security.

    With hundreds of remote firewall appliances to manage, and thousands more to come in the next few years, ePlay relies on WatchGuard System Manager, which provides ePlay with a PCI DSS friendly, free software solution to manage and upgrade remote WatchGuard appliances.

    At the data center, a pair of WatchGuard X Peak 8500 e-series, running in high availability mode, terminates remote kiosk VPN tunnels. As required by the PCI DSS, this network of cardholder data is completely walled off and separated from ePlay's corporate network and online reservation architecture, which are protected by other WatchGuard firewall appliances.

    Stellmack concludes, "I've looked at other kiosk vendors and shudder at their approach to security; I don't think they're deploying anything even close to enterprise-level security for credit card transactions. We would rather be over-secure, and WatchGuard helps provide that."

    About e-Play, LLC

    e-Play is a revolutionary way of marketing, delivering and purchasing DVDs and Video Games: a high-tech DVD rental platform combined with the ability to buy/sell/trade video games all in a single machine. e-Play provides the technical innovation for its units to hold thousands of discs, convert used discs into cash or credit at the retailer and perform a playability check on every disc dispensed. The machines include new releases and catalog titles and feature an interactive touch LCD screen playing trailers and interactive advertising. Founded in 2005 and headquartered inColumbus, Ohio, e-Play Makes it Easy to Find the Movies - and now, the Games - You Want.

    About WatchGuard Technologies, Inc.

    Since 1996, WatchGuard(R) Technologies, Inc. has been the advanced technology leader of network security solutions, providing mission-critical security to hundreds of thousands of businesses worldwide. The WatchGuard family of wired and wireless unified threat management appliances and WatchGuard SSL VPN remote access solutions provide extensible network security, unparalleled network visibility, management and control. WatchGuard products are backed by WatchGuard LiveSecurity(R) Service, an innovative support, maintenance, and education program. WatchGuard is headquartered in Seattle and has offices serving North AmericaEuropeAsia Pacific, andLatin America. To learn more, visit

    Worth noting Heartland Payment Systems and RBS Worldpay have been removed from Visa Inc.'s list of PCI compliant service providers and will have to undergo new PCI assessments and reapply for inclusion on the compliance list, according to a Visa announcement.

    Visa's action came after the two companies revealed they were victimized by hackers who managed to plant malicious software in the companies' internal processing systems and steal card data from the unencrypted data stream. Heartland had been listed as under review -- but still compliant -- prior to Friday's announcement, but now Visa has removed the Princeton, N.J.-based company from its lengthy list of service providers compliant with the Payment Card Industry Data Security Standard (PCI DSS). It was unclear whether RBS also had been under review.

    This was noted on the ETA Compliance Portal and it looks to be a very helpful resource. Here is some of the information.

    For list of validated applications click here

    The OCS DSS Quick Reference Guide is located here pci_ssc_quick_guide.pdf

    The ETA Compliance portal is located at
    In late 2008 the California legislature passed a stronger version of ADA which was Senate Bill 1608. This bill became effective January 1, 2009. Here is a summation of it + some additional links related to this area.

    Article from: San Diego Business Journal 

    Article date:January 12, 2009

    When Congress passed the Americans with Disabilities Act in 1990, the intent was to ensure that Americans who have disabilities would be able to access public buildings and be treated fairly in the workplace.

    Lawmakers surely did not anticipate the unintended consequences of their good intentions.

    The ADA's purpose was for businesses to make "reasonable modifications" to ensure access, not to create a cottage industry for personal injury lawyers to abuse the law and exploit regulatory technicalities for their own financial gain.

    In the past several years a small group of unscrupulous serial plaintiffs have wreaked havoc on small businesses across California, filing thousands of lawsuits for alleged ADA violations.

    The reason California has been such a lucrative state in which to file ADA lawsuits is because it is one of the most generous states in the country when it comes to fines.

    The federal ADA only allows private lawsuits to seek compliance with accessibility standards.

    However, California law allows a plaintiff to ask for up to $4,000 in damages for each alleged ADA violation, no matter how minor and even if it did not deter access in any way--for example, a sign being the wrong color or a ramp elevation grade a percent too steep.

    In addition to that fine, businesses can also be sued for thousands of dollars for each day the violations are not remedied.

    Gaming The System

    Serial ADA plaintiffs game the system to extract a quick cash settlement to "go away," earning the reputation of filing so-called "shakedown" lawsuits.

    Many business owners say these types of plaintiffs sue numerous businesses in an area at one time, use nearly identical language in each lawsuit, and always demand a quick cash settlement without a requirement that any alleged violations are fixed.

    Since most small businesses can ill afford the exorbitant cost of fighting any lawsuit, regardless of merit, they opt to pay a settlement.

    Some 18 years after the original act was passed, less than 3 percent of California's businesses are ADA compliant.

    Business owners claim it has been very difficult for them to comply, given conflicting state and federal standards, voluminous and changing legal requirements over the years, a lack of ADA training for building inspectors and architects, and inconsistent interpretations of damage provisions.

    For years the business and disabled communities have been at an impasse on the best way to increase access while reducing what many business owners refer to as "legalized extortion."

    ADA Reform

    The two sides have finally come together with a comprehensive ADA reform measure in the form of Senate Bill 1608, which received unanimous support in both houses of the state Legislature and went into effect Jan. 1.

    One of the most important provisions in the new law is a stipulation that plaintiffs may recover damages only for a violation they personally encountered or that deterred access on a particular occasion, rather than for alleged violations that may exist but did not cause a denial of access.

    Other key provisions include:

    * A requirement that all inspections relating to permitting, plan checks or new construction in privately owned buildings be conducted by a building inspector who has gone through the state architect certification training program and is a certified access specialist.

    * Incentivizing building owners to use state-certified access specialists to ensure compliance.

    * A temporary stay of litigation and a streamlined court procedure for businesses that have utilized a CAS, but are still sued.

    * A new state disability commission that will be tasked with evaluating and providing recommendations on further disability issues having an impact on the disability community and business.

    These reforms will help achieve the true intent and spirit of the state and federal ADA laws. It does not take away the right of people to sue if they are denied access or encounter a genuine violation. It does clarify the laws and creates less opportunity for abusive, shakedown lawsuits.

    With the current state of our economy, these reforms could not come at a more opportune time for small businesses struggling just to keep their doors open.

    Lorie Zapf is San Diego regional director of California Citizens Against Lawsuit Abuse. 

    Senate Bill 1608


    Title 36: Parks, Forests, and Public Property
    Subpart C--Functional Performance Criteria


    § 1194.31   Functional performance criteria.

    (a) At least one mode of operation and information retrieval that does not require user vision shall be provided, or support for assistive technology used by people who are blind or visually impaired shall be provided.

    (b) At least one mode of operation and information retrieval that does not require visual acuity greater than 20/70 shall be provided in audio and enlarged print output working together or independently, or support for assistive technology used by people who are visually impaired shall be provided.

    (c) At least one mode of operation and information retrieval that does not require user hearing shall be provided, or support for assistive technology used by people who are deaf or hard of hearing shall be provided.

    (d) Where audio information is important for the use of a product, at least one mode of operation and information retrieval shall be provided in an enhanced auditory fashion, or support for assistive hearing devices shall be provided.

    (e) At least one mode of operation and information retrieval that does not require user speech shall be provided, or support for assistive technology used by people with disabilities shall be provided.

    (f) At least one mode of operation and information retrieval that does not require fine motor control or simultaneous actions and that is operable with limited reach and strength shall be provided.

    Link to Article on ADA Amendments Affecting Business

    California Executive Magazine
    ADA Amendments May Bring Subtle Change to Cal
    October 30, 2008
    By Steve Tanner

    Amendments making the Americans with Disabilities Act (ADA) much
    stricter for U.S. employers, signed into law earlier this year, take effect in
    2009. But those amendments, for the most part, should have little bearing on
    employers in California, which has its own equivalent, the Fair Employment
    and Housing Act (FEHA).

    FEHA law remains a little more employee-friendly than federal law, which
    means that little will change in the way that Golden State employers handle
    disability issues. But some labor and employment attorneys say the new
    amendments may actually spur more lawsuits in California and that they
    lower the bar for plaintiffs to cite federal law.

    The difficult part for employers in defending such cases will be that
    plaintiffs will be more apt to file suit under both ADA and FEHA.

    "The major difference for California employers is that they'll see more ADA
    claims and they'll be harder to defend," says Irvine-based labor and
    employment attorney Bob King.

    For most states other than California, the amendments are a serious gamechanger,
    says Atlanta-based attorney and ADA expert Myra Creighton, a
    partner with Fisher & Phillips LLP.

    ADA applies to companies with 15 or more employees, while FEHA is
    applicable to businesses with at least five employees.

    ADA Amendments: On Par with California

    The ADA amendments generally broaden how a disability is defined under
    federal law, overturning a U.S. Supreme Court decision that tightens this
    definition to only include impairments that "severely restrict" major life
    activities. In line with California's definition, the ADA will now include
    impairments that "substantially limit" major life activities, a notion the Equal
    Employment Opportunity Commission (EEOC) will further define in the
    near future.

    Overturning another U.S. Supreme Court decision, which holds that
    impairments are to be evaluated after considering the effects of "mitigating
    factors" such as medication or prosthetics, the amendments largely do away
    with such evaluations.

    "The Supreme Court found that if your disability was controlled with
    insulin, for example, then you're not necessarily disabled," Barer says. "The
    amendments change this, so that you're still considered disabled."

    He says this likely will not include the roughly 75% of Americans who use
    eyeglasses or contact lenses, also in line with California law.

    What's New For California Employers

    It remains to be seen exactly how the new amendments will play out in
    federal courts. But one element of the ADA that may provide more
    protection than state law for California employees - meaning it would have
    to be followed - is the inclusion of people who are merely "regarded as"
    being disabled, says attorney Margaret Rosenthal. Pending guidance by the
    EEOC will provide more details about this and other amendments.

    "I think that 'regarded as' is covered under state law, but the issue under state
    law is how it is defined and whether or not you are entitled to
    accommodations," says Rosenthal, a partner in the Los Angeles office of
    Baker & Hostetler LLP, adding that attorneys are still waiting to see how the
    ADA amendment will define 'regarded as' and whether it will require

    If the EEOC decides that employers do not have to accommodate someone
    who is merely perceived as being disabled, it could help level the playing
    field, King says. The "regarded as" claim, he adds, is primarily a plaintiff's
    legal weapon.

    "California law isn't clear in that respect. So you can say, as comparable
    precedent under the ADA [hypothetically speaking], that you don't have
    accommodate employees who are only regarded as disabled," King says.
    But if the ADA amendment ends up requiring accommodations or otherwise
    affords more protection for employees, then it would have the opposite
    effect, attorneys say.

    Increased ADA Claims?

    There is some debate whether or not the strengthened federal ADA
    requirements will indeed trigger more lawsuits for California employers,
    although attorneys all say the amendments will make it easier for plaintiffs
    to cite federal law. Another theory is that the sweeping changes in ADA will
    generate more attention to disability discrimination, prompting more suits.

    "You'll see more people challenging decisions on an ADA basis, even if the
    law in California hasn't changed," says Jennifer Berman, managing director
    of the HR advisory consulting and training group at CBIZ Inc. in San Jose.

    King says the amendments will give plaintiffs citing both federal and state
    law more firepower, since the ADA will provide nearly as much protection
    as FEHA. One likely result, he says, is an increased difficulty in challenging
    claims of an employee's disability status.

    "So you'll start seeing more federal claims against California employers,"
    King says. "There was a big initial hurdle, which was to prove whether or
    not someone is disabled. Now that hurdle is much lower."

    Rosenthal says she believes the ADA amendments won't have much of an
    impact in California, but that plaintiffs in the state might be more willing to
    file in federal court for "regarded as" claims.

    Attorneys also say lawsuits could increase for California companies that
    have offices in other states.

    Compliance Advice
    Employers already compliant with FEHA and that have properly trained
    their supervisors and HR managers are probably in good shape, attorneys

    "If employers have good policies in place right now, with regard to
    accommodations, then I don't think it will affect them too much," says Scott
    Barer, an attorney based in Woodland Hills, referring to the requirement
    under both FEHA and ADA to provide reasonable accommodations for
    disabled employees.

    Those that have been lax with respect to their FEHA and ADA obligations,
    however, should take the opportunity to get back up to speed. Berman says
    many of the California companies she consults are woefully vulnerable to
    ADA (and FEHA) lawsuits.

    "You look at most policies, and they're just generic," Berman says,
    suggesting that employers specifically address discrimination under ADA, as
    well as FEHA, in training and employee handbooks. She says it might also
    be a good idea to create a separate section on disability discrimination within
    an organization's anti-discrimination training program.
    Berman stresses the importance of providing relatively detailed job
    descriptions, which are matched against employees' accommodation
    requests. Attorneys echo the importance of job descriptions as well.

    "The best way to prove whether or not someone could do their job is to have
    a description on hand," says Washington, D.C. attorney Tina Maiolo, a
    member of Carr Maloney P.C.

    King and other attorneys say the new ADA amendments, even if they
    change little for California employers, are an opportunity to review the socalled
    "interactive process" of sitting down with a disabled employee and
    determining what reasonable accommodations would help them meet the job
    requirements. This process should be documented as well, attorneys say.
    "I think where these claims often go awry really is in the interactive process,
    which often breaks down," King says. "I would use these amendments as a
    framing opportunity to review the interactive process again. Not just for HR
    people, but also managers."

    Rosenthal says most small businesses in particular often need help analyzing
    disability issues. Similarly, Barer says it's often money well spent to consult
    an attorney if a disability issue arises, that business executives and managers
    should not be expected to become experts on ADA and FEHA but rather

    California employers would be wise to review their policies and be prepared
    for the changes to federal law, but most attorneys say the ADA amendments
    change little within the state. The amendments take effect on Jan. 1, 2009.

    Related Ring Sites:
      GoKIS  |  |  |   Visi Kiosk site  |   KIOSK  |  |
    Resource Sites:
      Elo TouchSystems  |   Acire Inc.  |   Nextep  |   TIO Networks  |   Olea  |   Self-Service Networks  |   Meridian Kiosks  |   Provisio  |   Kioware  |
      Selling Machine Partners  |   Source Technologies  |   Seepoint  |   5Point  |   Nanonation  |   Netkey  |   KioskCom  |   Summit Research  |   NCR  |