Brian Pennington

A blog about Cyber Security & Compliance


March 2011

Comparison Of Cost Of Ownership Between In-House And Managed Pay


Interesting article comparing two payment methods a Merchant could choose.

It is written by a managed Payments Provider but tries to deliver the assumptions and figures as accurately as it can.

“The objective of this study is to compare an in-house supported credit/debit card EMV (Europay, MasterCard and Visa) Chip & PIN and PCI-DSS (Payment Card Industry Data Security Standard) accredited payment solution with a managed outsourced payment service solution provided by YESpay through a comprehensive financial model analysis, consisting of cost-of-ownership and cash-flow analysis.

Cost-of-ownership and cash-flow analysis provides a good base for comparing the financial propositions of the two payment solutions, namely, in-house and managed. Combining this with the intangible costs and benefits of the two systems gives a complete comparative analysis.

The result of this study shows that by outsourcing their payment solution to a third party payment service provider, mid- to top-tier retailers can save more than 50% on cost of ownership of their payment solution depending on size of the POS till requirements.”

Access the white paper, Comparison Of Cost Of Ownership Between In-House And Managed Pay, here (registration required). It was written by Vivek Singh.

For more information on PCI DSS, visit the PCI Resource centre here.


How to Choose a QSA – SANS

The Qualified Security Assessor (QSA) a Merchant chooses will dramatically affect how the Merchant achieves compliance.

In simple terms the right advice and guidance saves time and money whilst reducing risk and achieving compliance. The wrong advice or guidance could prove extremely costly.

SANS: “The independent white paper in this security KnowledgeVault is just one of the resources to help you make the right decision. It details the top 5 questions to ask a prospective QSA firm and offers guidelines on everything from making sure they adequately handle compensating controls to assessing their expertise with virtualization”.

The 5 questions are:

  1. For what types of organizations have you performed PCI DSS assessments?
  2. What is your background?
  3. Who will be performing the work?
  4. How do you validate and assess compensating controls?
  5. Are there examples of your assessments being used to improve security for clients?

Reading the white paper and asking these questions could prove vital to the successful completion of a PCI DSS project.

Download the white paper here. Registration is required.

Source: Dell and SANS

CyberSource Brings World’s Largest Fraud Detection Radar to Online Merchants

CyberSource, a Visa company (NYSE: V), today announced availability of the world’s largest real-time fraud detection radar, empowering online merchants to pinpoint fraud faster, more accurately, and with less manual intervention.

This advance enables merchants to conduct more accurate analyses of their inbound orders, including comparison of those orders to the over 60 billion transactions Visa and CyberSource process annually, including orders that were confirmed to be fraudulent.

Data insight derives from transactions across multiple payment types and from merchants worldwide, spanning online, call center, mobile and POS sales channels. The transaction data is supplemented by 200 validation and correlation tests. This solution effectively expands the depth and breadth of transaction pattern visibility.

The new development comes at an opportune time.

  • eCommerce merchants say fraud became more sophisticated and harder to detect in 2010, and this challenge is likely to grow. Download the CyberSource 2011 Fraud Report here
  • 90% of online thieves are now associated with organized crime. Details of fraud patterns can be found here
  • “Botnet” infections are growing at a rate of approximately 200,000 per day. Download the “10 Botnet Questions” White Paper here

The ability to accurately detect fraud in such a sophisticated criminal environment requires correlating vast amounts of information to detect subtle anomalies.

“Data is the lifeblood of fraud detection,” said Michael Walsh, CyberSource President and CEO. “When Visa acquired CyberSource, one of the stated goals was to deliver a new level of fraud prevention to online merchants, enabled by our end-to-end view of electronic transactions, worldwide. We are now delivering exactly that.”

Read the full PRnewswire press release here

PCI Council Releases Guidance for Protecting Telephone Based Payment Card Data

The PCI Council today released a 12 page Information Supplement that is an essential read for anyone who takes credit card payments over the phone. The supplement is titled “Protecting Telephone based Payment Card Data”.

Download the pdf here.

Benefits of PCI Compliance – direct and indirect


Many Merchants see the Payment Card Industry’s Data Security Standard (PCI DSS) as an expense they could do without. 

The counter-argument is that most businesses would struggle if nothing was done to tackle credit card fraud, because the credit card companies would need to charge Merchants a higher transaction rate to cover their losses.

So, what other reasons could there be for becoming PCI Compliant? 

The answer very much depends on your business type and the loyalty of your customers and prospective customers. 

Some very good reasons for becoming PCI compliant are listed below.

Continue reading “Benefits of PCI Compliance – direct and indirect”

Cloud Computing Risk Assessment from ENISA


In November 2009 the European Network and Information Security Agency (ENISA) published a document titled “Cloud Computing Risk Assessment”, subtitled “Benefits, risks and recommendations for information security”.

The document may be 15 months old, but it is an excellent starting point for any organisation looking to invest in the CLOUD.

The official ENISA wording is below.

ENISA, supported by a group of subject matter experts comprising representatives from Industry, Academia and Governmental Organizations, has conducted, in the context of the Emerging and Future Risk Framework project, a risk assessment of the cloud computing business model and technologies. The result is an in-depth and independent analysis that outlines some of the information security benefits and key security risks of cloud computing. The report also provides a set of practical recommendations.

Download the document from the ENISA site here.

Botnets: 10 Tough Questions downloadable research


As part of the project “Botnets: Detection, Measurement, Mitigation & Defence” a series of questions was discussed by internationally renowned experts in the field of botnets between September and November 2010.

This document presents a selection of the most interesting results. The document distills the major issues which need to be understood and addressed by decision-makers in all groups of stakeholders.

Editor: Dr. Giles Hogben
Authors: Daniel Plohmann, Elmar Gerhards-Padilla, Felix Leder

Download the document here

The European Network and Information Security Agency works for the EU Institutions and Member States. ENISA is the EU’s response to security issues of the European Union. As such, it is the ‘pace-setter’ for Information Security in Europe.

The objective is to make ENISA’s web site the European ‘hub’ for exchange of information, best practices and knowledge in the field of Information Security. This web site is an access point to the EU Member States and other actors in this field.

PCI SSC Board of Advisors 2011 elections are now open

The PCI SSC Board of Advisors elections for 2011 to 2013 are now open.

All Participating PCI SSC organisations can vote. Votes close 08 April 2011. The votes will decide the composition of the Board of Advisors for the next 2 years. A complete list of the candidates is below:

Financial Institution – 3 votes

  • Australia and New Zealand Banking Group Limited (ANZ)
  • Bank of America
  • Bank of America Merchant Services
  • Banrisul S.A.
  • Citi
  • JPMorgan Chase & Co.
  • SIX Multipay
  • WorldPay (UK) Ltd 

Merchant – 3 votes

  • Allstate Insurance Company
  • British Airways
  • CHS Inc.
  • CVS Caremark
  • Exxon Mobil Corporation
  • FedEx
  • Hawaiian Airlines
  • HMSHost
  • Intuit Inc.
  • Loves Travel Stops & Country Stores, Inc.
  • McDonald’s Corporation
  • National Association of College and University Business Officers
  • Starbucks Coffee Company
  • Tesco Stores Limited
  • The Walt Disney Company
  • VF Corporation
  • Wal-Mart Stores, Inc.
  • Woolworths Limited 

Processor – 3 votes

  • Cielo
  • DirectCash Payments Inc.
  • Elavon
  • First Data Corporation
  • Fiserv
  • Global Payments Inc. (NYSE:GPN)
  • Heartland Payment Systems
  • Litle & Co.
  • Merchant Warehouse
  • Mercury Payment Systems
  • Moneris Solutions
  • Payment Processing Inc
  • Point International (Point Group)
  • Sage Payment Solutions
  • The SHAZAM Network
  • TSYS 

Vendor – 3 votes

  • Agilysys
  • ATX Innovation
  • Cisco
  • Citrix Systems, Inc.
  • Convergys
  • Datapipe
  • Fico
  • Hypercom Corporation
  • Ingenico
  • Mako Networks
  • MICROS Systems, Inc.
  • nuBridges, Inc.
  • Panasonic Avionics Corporation
  • Reliant Security
  • RSA
  • Shift4 Corporation
  • Vanguard Integrity Professionals
  • VeriFone Systems, Inc.
  • Voltage Security 

Other – 2 votes

  • Apriva
  • Envision Telephony Inc.
  • European Payments Council
  • IATA
  • Interac Association
  • Network Frontiers (the Unified Compliance Framework)
  • Payment Alliance International
  • Paypal
  • RSPA – Retail Solutions Providers Association
  • The UK Cards Association
  • Vendorcom
  • VigiTrust Ltd
  • Wright Express

Data supplied by VeriTape.

Fraud losses drop on UK cards, cheques and online banking

The UK Cards Association reports that fraud losses in 2010 on UK cards, cheques and online banking dropped against the 2009 figures.

Total fraud losses on UK cards fell to £365.4 million in 2010 – a 17 per cent reduction compared with losses in 2009. This is the lowest annual total since 2000 and follows on from a fall of 28 per cent in 2009. This current downward trend is due to the banking industry’s ongoing investment to deter, detect and prosecute fraudsters.  Initiatives include: better awareness amongst retailers about how to protect their chip and PIN equipment from criminal attack; greater sign-up to online fraud prevention initiatives such as MasterCard SecureCode and Verified by Visa by cardholders and retailers; improved industry sharing of fraud data and intelligence; increasing use of fraud detection tools by banks and retailers; the increasing roll-out of chip and PIN abroad and the upgrade of chips on UK cards.

Online banking fraud losses totalled £46.7 million in 2010, a 22 per cent fall on the 2009 figure. Factors contributing to this fall include customers better protecting their own computers with up-to-date anti-virus software combined with banks’ use of sophisticated fraud detection software. This decrease has occurred despite a continuing rise in phishing attacks, up 21% from 2009.

Phone banking fraud losses totalled £12.7 million during 2010, an increase of five per cent from 2009. Most losses involve customers simply being tricked into disclosing their personal security details – through cold calling or fake emails – which the criminal then uses to commit fraud. This suggests that some customers are still not aware that their bank will never cold call or email them to ask for login details and passwords.

Cheque fraud losses decreased from £29.8 million in 2009 to £28.9 million during 2010. The vast majority of attempted fraud gets stopped before the cheque is paid. The industry’s ongoing work to prevent cheque fraud has helped drive these losses down. The continuing drop in cheque usage has also contributed to the three per cent fall in overall cheque fraud losses.

Detective Chief Inspector Paul Barnard, Head of the Dedicated Cheque and Plastic Crime Unit (DCPCU) – the industry-sponsored specialist police unit that tackles the organised criminal gangs behind fraud – comments: 

“Whilst another drop in fraud is good news, the fraudsters haven’t shut up shop which is why there can be no room for complacency on the part of the banking industry, retailers, law enforcement or indeed customers themselves.  By taking simple steps, such as:  shielding our PIN with our free hand whenever we enter it, particularly at cash machines; being wary of unsolicited emails or calls; and making sure that our computers have regularly updated anti-virus software in place, we can make life harder for the criminals.

“Fortunately in the UK – unlike some other countries – innocent victims of any type of payment fraud on their debit or credit card or account are protected and should not suffer any financial loss.”

Melanie Johnson, Chair of The UK Cards Association, which represents UK credit and debit card providers said:

“The cards industry is greatly encouraged by the major decrease in card fraud losses for a second successive year, but we will not be easing off our efforts as a result. It is essential to us that customers feel safe and secure when they use their cards and we will continue to invest in a wide range of fraud prevention initiatives to keep it this way.”

Fraud figures released by the National Fraud Authority (NFA) earlier in the year also serve to put these banking fraud losses into perspective. The NFA estimated that fraud in all its guises costs the UK more than £38 billion a year – card and banking fraud accounts for just over one per cent of this figure.

A comparison of the figures for 2007, 2008, 2009 and 2010 can be found here.

77% of Hospitality Sector Mistakenly Believe They Are PCI Compliant

Orthus Limited, on the 7th March 2011, released the results of a survey of 1000 Level 4 Merchants in the United Kingdom hospitality sector, conducted to verify their PCI DSS compliance status.

The survey indicates that 77% of the 1000 Level 4 Merchants believed they were compliant with PCI DSS when in fact they were not.

The rest of the survey and its findings are below:

  • Of the respondents claiming to be PCI compliant, 94% stated they had conducted the required vulnerability assessment scanning.
  • Of the respondents claiming to be PCI compliant, only 36% stated they had conducted required security penetration testing.
  • Of the respondents claiming to be PCI compliant, only 9% stated they had security policies.
  • Of the respondents claiming to be PCI compliant, not 1 had conducted the required wireless scanning.
  • Only 24% of the respondents stated they had executed a self assessment questionnaire (SAQ).
  • Of the 24% who had executed a SAQ, less than 50% had stated they had submitted it to their Acquirer.

“The results of the survey are disturbing and indicate that businesses do not understand the PCI DSS requirements and what constitutes compliance. Almost all of the Level 4 Merchants surveyed who mistakenly believed they were compliant stated that they were told by a vendor that compliance entailed conducting vulnerability scanning. Upon completing the scanning, the Merchants understood themselves to be compliant and therein lay the problem. Merchants are getting their information primarily from vendors who have a vested interest in selling their product.”

“Misinformation is a significant problem in the market.  Vendors are selling their products as facilitating PCI compliance and buyers are not doing their homework” says Orthus Data Compliance Specialist, Courtney Bryan.  “If the vendors are affiliated with an Acquiring Bank their products are even perceived as required for compliance so after a Merchant purchases them, they naturally assume they are now compliant” states Bryan.  

“Something has to be done about this problem. Merchants need unbiased advice and assistance with implementing this risk management framework to prevent card data theft and fraud. There is a real knowledge void in the market about what constitutes PCI DSS compliance and until it’s addressed – vendors will continue to exploit it while the Merchants carry the risks” says Bryan.

Orthus can be found at and the press release for the survey “PCI Compliant: Are You Really Sure?” has as the contact

Where do security breaches occur? What type of data is stolen and who makes the discovery?


Trustwave has published its Global Security Report 2011 and it has some very interesting research.

The research is drawn from incidents investigated by the company: a total of 220 investigations undertaken into suspected breaches, of which 85% were confirmed, with 90% resulting in data theft.

The headline statistics are:

Industry breakdown of where the incident happened

  • Food and beverage   57%
  • Retail   18%
  • Hospitality   10%
  • Government   6%
  • Financial   6%
  • Education   1%
  • Entertainment   1%
  • Construction   1%

Types of data stolen

  • Payment Card Data   87%
  • Sensitive company data   8%
  • Trade Secrets   3%
  • Authentication Credential   2%
  • Customer records   2%

This could simply reflect the fact that Trustwave is a Payment Card Industry forensics and incident investigator, or it could be further proof, if we needed it, that the bad guys are after the money.

Who found out that there had been an incident?

  • Regulatory detection   60%
  • Self detection   20%
  • Public detection   13%
  • Law enforcement   7%

Is it any wonder that the credit card issuers strictly enforce the Payment Card Industry Data Security Standard (PCI DSS) when Merchants themselves find only 1 in 5 Account Data Compromises (ADCs), also known as breaches?

Previous research found that the majority of cards are used in multiple frauds.

Merchants come out on top in the time to detect a breach

  • Regulatory detection   156.5 days
  • Public detection   87.5 days
  • Law enforcement   51.5 days
  • Self detection   28 days

This is interesting: only 1 in 5 breaches was found first by the Merchant, which means the majority of breaches take over 100 days to be discovered.

