Brian Pennington

A blog about Cyber Security & Compliance

Tag

PA-DSS

Retail and Financial Sectors Overly Confident About Breach Detection

Atomic Research have announced the results of a survey sponsored by Tripwire of 102 financial organizations and 151 retail organizations in the U.K., all of which process card payments.

The survey results indicate that recent data breaches have had little impact on the security controls of retail and financial organisations.

35% said it would take as long as two to three days to detect a breach on their systems

However, according to the 2014 Verizon Data Breach Investigations Report, 85% of point-of-sale intrusions took weeks to discover and 43% of web application attacks took months to discover.

“It is shocking to see the high level of confidence exhibited by respondents in the wake of the recent series of high-profile cardholder data breaches,” said Tim Erlin, director of IT security and risk strategy for Tripwire, in response to the findings. “6% of respondents said they are confident that their security controls are able to prevent the loss of data files, but this confidence flies in the face of recent evidence to the contrary.”

The Payment Card Industry Data Security Standard is a security standard that outlines minimum security requirements for organizations that handle cardholder information. When asked how important PCI compliance is to their overall security program, 43% of respondents said it was the backbone of their security program, and 36% said it was half of their security program. However, in order to protect confidential customer data, organisations must apply additional security controls.

Other findings include:

  • 24% of those studied have already suffered a data breach where Personally Identifiable Information (PII) was stolen or accessed by intruders
  • 36% of respondents do not have confidence in their incident response plan
  • 51% of respondents are only somewhat confident that their security controls can detect malicious applications
  • 40% of respondents said they do not believe that recent high profile cardholder breaches have changed the level of attention executives give to security

“It is great that recent breaches have increased cybersecurity awareness and internal dialogue. However, the improved internal communication may be biased by a false sense of security,” said Dwayne Melancon, chief technology officer for Tripwire. “For example, 95% of respondents said they would be able to detect a breach on critical systems within a week. In reality, nearly all of the recent publicly disclosed breaches have gone on for months without detection.”

“Furthermore, only 60% of respondents believe their systems have been hardened enough to prevent the kind of data loss similar to that seen in recent high profile breaches,” Melancon continued. “These attitudes seem to indicate a high degree of overconfidence or naiveté among information security practitioners. I believe a number of these organizations may be in for a rude awakening if their systems are targeted by criminals.”

The Tripwire report can be found here.

PA DSS and PCI DSS version 3.0 now available in 9 languages

The PCI Security Standards Council (PCI SSC) has announced that the PCI Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA-DSS) version 3.0 are now available in nine languages.

“It’s important that organizations around the globe have the resources they need to protect card data,” said Bob Russo, general manager, PCI Security Standards Council. “We’re happy to make the PCI Standards available in a number of languages to assist organizations as they work to make payment security part of their business-as-usual practices.”

PCI DSS and PA-DSS 3.0 were published in November 2013, with updates made based on feedback from the Council’s global constituents and in response to market needs.

Over 50% of this feedback came from outside of the U.S., emphasizing the Council’s active international membership base.

The PCI SSC website supports translated pages and PCI materials including the new PCI DSS v3.0 and PA-DSS v3.0 in the following languages:

  • Chinese
  • French
  • German
  • Italian
  • Japanese
  • Portuguese
  • Russian
  • Spanish

“We continue to be encouraged by the growing participation from global stakeholders in PCI Standards development,” said Jeremy King, international director, PCI Security Standards Council. “We’re optimistic that these translations will increase awareness and adoption of the standards and drive improved payment security.”

EMV – The perspective of a QSA who has worked on both sides of the Atlantic

With the spate of cyber attacks on US retailers recently, Coalfire’s European MD, Andrew Barratt, considers how attacks on retailers differ outside the US and what the potential impact of similar attacks would be in a world where Chip and PIN technology is more widely deployed.

Working in both the US and Europe gives us a good perspective on the payment security landscape. The US has a much higher rate of credit card usage than most European countries; loyalty schemes and reward incentives are much more mature and embedded in consumer culture. In Europe card usage is increasing, but the type of card varies by country. In the UK credit card use is moving in a similar direction to the US, alongside a high rate of debit card usage; cards are quickly replacing cash. The UK now has lots of innovative mobile tech trying to disrupt the card market as well. Germany is very different: credit card usage is very low (consumer culture is quite averse to borrowing) and the debit scheme is a closed system. However, both of Europe’s large economies moved away from using the magnetic stripe years ago.

EMV, or Chip and PIN as it is more commonly referred to in the UK, has been in heavy use since 2006, which has helped lower the impact of brick and mortar retail breaches significantly. It doesn’t rely on sending the full track information to the payment processor, meaning that the data is easier to secure.

With retailers adopting more of the security controls detailed in the Payment Card Industry Data Security Standard, and with widespread adoption of Chip and PIN for authenticating customers, huge losses from face-to-face retailers are less common.

Large US retailers are being targeted for smash-and-grab style payment card data breaches because the data is easier to use fraudulently. If a cyber-attack steals a lot of magnetic stripe data, it can be used to clone cards, which can then be used in stores to make fraudulent purchases.

Where transactions are authenticated using EMV’s Chip and PIN verification method, less data is transmitted to the processor. If this data is stolen it is harder to use fraudulently; not impossible, but a lot harder. EMV is not without its flaws, and a number of attacks have been demonstrated by Professor Ross Anderson’s research team at Cambridge University. These typically attack the card reader and try to grab the PIN as it is sent to the smart card on the chip for verification.
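As an added example (not part of Andrew Barratt’s article), the following Python script shows the defender’s side of the track-data point above: it scans application or POS log lines for magnetic-stripe Track 1 and Track 2 records and for bare card numbers, so that data which should never have been written to disk can be found and removed before anyone else finds it. The log lines, host names and card numbers are constructed (the PANs are values chosen to pass the Luhn check), and a Luhn check is used to cut false positives from order numbers and other long digit runs. Findings are reported with the PAN masked to first six and last four digits.

```python
import re

# Added example, not code from the original article. The log lines, hosts
# and card numbers below are constructed for illustration.

# Track 1: '%B' PAN '^' cardholder name '^' YYMM service-code discretionary '?'
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{4}\d{3}[^?]*\?")
# Track 2: ';' PAN '=' YYMM service-code discretionary '?'
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}\d{3}\d*\?")
# Bare PAN: 13-19 digits, optionally grouped with spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Standard mod-10 check used on card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Report only the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line_no: int, line: str):
    """Return (line_no, kind, masked_pan) tuples for one log line."""
    findings = []
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(line):
            findings.append((line_no, kind, mask_pan(m.group(1))))
    # Blank out track matches so their PAN is not also reported as a bare PAN.
    rest = TRACK2_RE.sub(" ", TRACK1_RE.sub(" ", line))
    for m in PAN_RE.finditer(rest):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            findings.append((line_no, "pan", mask_pan(digits)))
    return findings


def scan_lines(lines):
    """Scan a sequence of log lines; line numbers are 1-based."""
    out = []
    for n, line in enumerate(lines, start=1):
        out.extend(scan_line(n, line))
    return out


# Constructed sample log lines: one order number that happens to be 16 digits
# (fails Luhn, so not reported), one Track 2 dump, one spaced PAN, one Track 1
# dump, and one properly tokenised chip transaction.
LOG_LINES = [
    "2014-03-01T10:12:04 pos-07 auth ok order=1234567890123456 amount=42.10",
    "2014-03-01T10:12:09 pos-07 DEBUG raw=;4111111111111111=15121011234567890?",
    "2014-03-01T10:13:44 pos-12 card=5555 5555 5555 4444 resp=00",
    "2014-03-01T10:14:02 pos-12 %B4111111111111111^DOE/JANE^1512101123400000?",
    "2014-03-01T10:15:30 pos-03 chip txn ok token=tok_8f2a last4=1111",
]

if __name__ == "__main__":
    for line_no, kind, masked in scan_lines(LOG_LINES):
        print(f"line {line_no}: {kind} {masked}")
```

Running the script on the constructed lines reports the Track 2 dump on line 2, the spaced PAN on line 3 and the Track 1 dump on line 4; the order number on line 1 fails the Luhn check and the tokenised chip transaction on line 5 contains nothing to flag. Track data must not be retained after authorisation under PCI DSS, so any track hit in a log is a finding to act on, not just a warning.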

For US retailers, minimizing exfiltration possibilities should be a high priority: lock down and monitor the outbound connections.
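As an added example (not from the article), here is one way to turn the advice to lock down and monitor outbound connections into a detection check in Python: outbound flow records from the POS segment are compared with an allowlist of the destinations a till legitimately needs (payment processor, patch server, DNS), and anything else is reported, aggregated by destination and byte volume so that a large transfer to an unexpected host stands out. The POS segment, the allowlisted hosts and the flow records are all constructed assumptions using documentation address ranges.

```python
import ipaddress
from collections import Counter

# Added example, not code from the original article. All networks, hosts and
# flow records below are constructed assumptions.

POS_SEGMENT = ipaddress.ip_network("10.20.1.0/24")  # assumed POS / CDE segment

# Allowlist of (destination network, destination port, protocol) that a till
# legitimately needs. Any other outbound flow from the POS segment is suspect.
ALLOWED = [
    (ipaddress.ip_network("198.51.100.0/24"), 443, "tcp"),  # payment processor (assumed)
    (ipaddress.ip_network("10.0.5.20/32"), 443, "tcp"),     # internal patch server (assumed)
    (ipaddress.ip_network("10.0.5.53/32"), 53, "udp"),      # internal DNS resolver (assumed)
]


def parse_record(line: str) -> dict:
    """Parse a key=value firewall or flow record into typed fields."""
    fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
    return {
        "src": ipaddress.ip_address(fields["src"]),
        "dst": ipaddress.ip_address(fields["dst"]),
        "dport": int(fields["dport"]),
        "proto": fields["proto"],
        "bytes": int(fields.get("bytes", 0)),
    }


def is_allowed(rec: dict) -> bool:
    """True if destination, port and protocol all match one allowlist entry."""
    return any(
        rec["dst"] in net and rec["dport"] == port and rec["proto"] == proto
        for net, port, proto in ALLOWED
    )


def find_suspect_egress(lines):
    """Return flows sourced from the POS segment that are not allowlisted."""
    suspects = []
    for line in lines:
        rec = parse_record(line)
        if rec["src"] in POS_SEGMENT and not is_allowed(rec):
            suspects.append(rec)
    return suspects


def summarise(suspects):
    """Aggregate suspect flows by (dst, port, proto), largest byte total first."""
    totals = Counter()
    for rec in suspects:
        totals[(str(rec["dst"]), rec["dport"], rec["proto"])] += rec["bytes"]
    return totals.most_common()


# Constructed flow records: two allowed flows, a large transfer to an
# unknown external host, a non-allowlisted port to the processor, and a
# flow from outside the POS segment (ignored by this check).
FLOW_LOGS = [
    "ts=2014-03-01T02:10:01 src=10.20.1.15 dst=198.51.100.7 dport=443 proto=tcp bytes=2310",
    "ts=2014-03-01T02:10:05 src=10.20.1.15 dst=10.0.5.53 dport=53 proto=udp bytes=96",
    "ts=2014-03-01T02:11:40 src=10.20.1.22 dst=203.0.113.45 dport=443 proto=tcp bytes=5242880",
    "ts=2014-03-01T02:12:02 src=10.20.1.22 dst=203.0.113.45 dport=443 proto=tcp bytes=3145728",
    "ts=2014-03-01T02:12:30 src=10.20.1.9 dst=198.51.100.7 dport=21 proto=tcp bytes=1200",
    "ts=2014-03-01T02:13:00 src=10.0.7.3 dst=203.0.113.45 dport=443 proto=tcp bytes=800",
]

if __name__ == "__main__":
    for (dst, port, proto), total in summarise(find_suspect_egress(FLOW_LOGS)):
        print(f"{dst}:{port}/{proto} {total} bytes from POS segment")
```

On the constructed records the check reports 8 MiB sent to 203.0.113.45 on port 443 and a port 21 connection to the processor’s address; the two allowlisted flows and the flow from outside the POS segment are not reported. The same allowlist is what the egress firewall rules for the segment should enforce, so a non-empty report here means either the rules or the allowlist is wrong, and both deserve a look.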

As the fraud bubble has been squeezed, attackers in the UK focus on e-commerce operations, service providers and other businesses that handle lots of cardholder-not-present transactions. As the cost of implementing attacks against the smart card declines, Europe serves as a good learning ground for the US. If the US adopts EMV in future, its adoption can draw on the lessons learned overseas, giving consumers more protection.

Article written by Andrew Barratt

Twitter: @Andrew_barratt

LinkedIn: http://www.linkedin.com/in/andrewbarratt

A summary of the 2013 PCI SSC North America Community Meeting by Matt Getzelman

The most valuable technical information was presented during the ‘Assessors Only’ session on Tuesday afternoon.  The SSC covered the upcoming changes to the PCI DSS and PA-DSS standards.  There was an open Q&A session with excellent insight on the industry’s concerns and the SSC’s intent with many of the proposed changes.  Some of the key announcements and observations were:

  • ASV Changes – A lot of information was presented about upcoming changes to the Approved Scanning Vendor (ASV) baseline (which is currently in progress).  The SSC has created a task group to deal with the issue around “Scan Interference”.  The task force will deal with this issue and communicate clear expectations to the rest of the industry.  A number of “hints” were dropped with regard to web-based vulnerabilities and how they will play a bigger role in ASV scans (and the revised baseline) going forward.

  • PCI DSS 3.0 – Business as Usual – Clarifications on this new section within the 3.0 standard: no assessor validation or documentation will be required. This is merely a section on implementation best practices for continuous PCI DSS compliance.

  • PCI DSS 3.0 – Template Changes – New to the 3.0 release, the SSC has created a reporting template that they would like all QSA organizations to use.  The reporting instructions had previously been outlined in a separate document.  They are now included within the standard itself.

  • PCI DSS 3.0 – Scope – The SSC made some significant improvements to its intent around PCI DSS scope of validation. These clarifications were covered again during the assessor and general sessions. Most importantly: systems that affect the security of the cardholder data environment should be considered as in-scope for the assessment. During one of the Open Forum sessions, we asked if this would include A/V servers, patching servers, DNS systems, etc., and the SSC confirmed yes. It’s important to note that they indicated that this will include originating web servers for ecommerce outsourcing solutions.

  • PCI DSS 3.0 – Phase-in Requirements – There are several new requirements that will be considered best practice only until June, 2015.  It’s important to review and analyze these new requirements now to prepare your organization for the upcoming impact to your compliance efforts.  Our favorite is the change to the penetration testing requirements:

    • Penetration testing must now validate segmentation technologies

  • Avoid the Silver Bullet – We heard this phrase a lot during the SSC presentations and informal discussions with the card brands.  The SSC wants to dispel the myth that so many merchants seem to be falling prey to.  There is no such thing as a “Silver Bullet” solution that eliminates all PCI DSS scope and responsibility.

  • PA-DSS Template Changes – There was very little content presented on the upcoming changes to the PA-DSS.  We met several key SSC representatives that will allow us to provide direct feedback about the draft standard.  Coalfire has concerns and questions on two major areas in the new draft that we will clarify in the near future:

    • Hashing requirements for passwords
    • SDLC guidelines

  • PCI SSC Tokenization Standards – It seems surreal, but the SSC plans on releasing four tokenization standards in 2014. These standards will cover hashing strength and other considerations for using tokenization technologies to reduce scope.  These are not to be confused with the “Tokenization” guidelines recently announced by some card brands.

The original post by Matt Getzelman, PCI Practice Director, can be found here.

PCI-DSS and PA-DSS Version 3.0 – the full highlights and changes

Brian Pennington

The PCI SSC considered many things when drafting Version 3.0 of the PCI DSS and PA DSS standards including:

  • What will improve payment security?
  • Global applicability and local market concerns
  • Appropriate sunset dates for other standards or requirements
  • Cost/benefit of changes to infrastructure
  • Cumulative impact of any changes

The nature of the changes reflects the growing maturity of the payment security industry since the Council’s formation in 2006, and the strength of the PCI Standards as a framework for protecting cardholder data. Cardholder data continues to be a target for criminals.

Lack of education and awareness around payment security and poor implementation and maintenance of the PCI Standards leads to many of the security breaches happening today.

The updates address these challenges by building in additional guidance and clarification on the intent of the requirements and ways to meet them. Additionally, the changes in PCI DSS and PA-DSS 3.0 focus…


PCI DSS Version 3, what does it have in store for you?

The PCI Security Standards Council (PCI SSC) has published the PCI Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) 3.0 Change Highlights as a preview of the new version of the standards coming in November 2013.

Version 3.0 to focus on flexibility, education and awareness, and security as a shared responsibility

The changes will help companies make PCI DSS part of their business-as-usual activities by introducing more flexibility, and an increased focus on education, awareness and security as a shared responsibility.

The seven-page document is part of the Council’s commitment to provide as much information as possible during the development process and eliminate any perceived surprises for organizations in their PCI security planning. Specifically, the summary will help PCI Participating Organizations and the assessment community as they prepare to review and discuss draft versions of the standards at the 2013 Community Meetings in September and October.

Changes to the standards are made based on feedback from the Council’s global constituents per the PCI DSS and PA-DSS development lifecycle and in response to market needs.

Key drivers for version 3.0 updates include:

  • lack of education and awareness
  • weak passwords and authentication challenges
  • third party security challenges
  • slow self-detection in response to malware and other threats
  • inconsistency in assessments

“Today, most organizations have a good understanding of PCI DSS and its importance in securing card data, but implementation and maintenance remains a struggle – especially in light of increasingly complex business and technology environments,” said Bob Russo, PCI SSC general manager.

“The challenge for us now is providing the right balance of flexibility, rigor and consistency within the standards to help organizations make payment security business-as-usual. And that’s the focus of the changes we’re making with version 3.0.”

Based on feedback from the industry, in 2010 the PCI SSC moved from a two-year to a three-year standards development lifecycle. The additional year provides a longer period to gather feedback and more time for organizations to implement changes before a new version is released. Version 3.0 will introduce more changes than version 2.0, with several new sub-requirements.

Proposed updates include:

  • Recommendations on making PCI DSS business-as-usual and best practices for maintaining ongoing PCI DSS compliance
  • Security policy and operational procedures built into each requirement
  • Guidance for all requirements with content from Navigating PCI DSS Guide
  • Increased flexibility and education around password strength and complexity
  • New requirements for point-of-sale terminal security
  • More robust requirements for penetration testing and validating segmentation
  • Considerations for cardholder data in memory
  • Enhanced testing procedures to clarify the level of validation expected for each requirement
  • Expanded software development lifecycle security requirements for PA-DSS application vendors, including threat modeling

These updates are still under review by the PCI community. Final changes will be determined after the PCI Community Meetings and incorporated into the final versions of the PCI DSS and PA-DSS published in November.

“PCI DSS and PA-DSS 3.0 will provide organizations the framework for assessing the risk involved with technologies and platforms and the flexibility to apply these principles to their unique payment and business environments, such as e-commerce, mobile acceptance or cloud computing,” added Troy Leach, PCI SSC chief technology officer.

How the British have changed the way they spend their money over the last decade

The UK Payments Council has published its latest report, The Way We Pay, which brings together all the significant trends over the past decade. It shows how many cash payments are continuing to migrate to debit card, how the debit card has won the day for now, but also how it’s possible to see the end of the road for plastic as the mobile phone could take over our payments arsenal.

Executive Summary

Getting Paid

  • The shift from cash is gathering pace as firms, the state, and pension funds increasingly eliminate cash and cheques from their payments to individuals
  • Now only 9% of adults do not have a current account, and only 4% have no sort of account at all. Use of branches has declined sharply but having an account is the key to accessing all the modern ways to pay

Spending it

  • Cash still makes up the largest proportion of our daily one-off transactions – three in five of our purchases – but they are very small in value
  • Just ten years ago, three quarters of our shop purchases used cash. Now just over half do
  • Debit cards are quickly taking over in the lower value transaction
  • Contactless payment is poised to become ever more popular, and will push even more transactions onto plastic
  • We use our credit cards for bigger purchases than debit cards, and we use them less than we used to
  • Cheques are very niche nowadays with usage halving every five years, but remain popular with some groups of people and some organisations. Effectively gone from the high street, we mainly use them for financial transactions
  • Supermarkets now account for over half of our retail spending, up from 46% in 2001 as they have added more and more products and opened stores rapidly
  • Entertainment spending is the big winner. The economy may be gloomy, but we are spending more having fun, and doing more of it on plastic
  • Spending abroad doubled in a decade

Regular Payments

  • Automatic payments (like Direct Debit) are now over three quarters of our regular commitments – up from half in 2001
  • Housing costs have escalated, whether you own or rent
  • Charities have shown great success in a decade of recruiting Direct Debit commitments
  • Flashing less cash, but plastic may quickly lose its place in the sun to more innovative forms of payment, like mobile payments
  • Number of cash machines doubles in decade, as people abandon the bank queue for the hole-in-the-wall
  • But cash is becoming less important to us, particularly by value
  • By value debit cards overtook cash in 2010, even before contactless took off
  • Debit card holding is now 90%, up from 84% in 2001
  • In 2001 debit card spending caught up with credit cards, but now far exceeds them
  • Credit cards matured in the 2000s, and card holding even declined

How businesses do it

  • 98% of businesses are small, with fewer than 20 employees, so the payment needs of firms vary enormously according to their size and complexity
  • Cheque usage is still popular with the smallest firms, but even so, cheque usage by business continues to fall sharply
  • The smallest firms bank more like consumers, and often even use personal accounts
  • Use of Direct Debit among businesses lags behind consumer use. Businesses prefer the flexibility on the timing of payments

The future

  • The use of contactless debit cards is set to increase. Many chains of stores already have point-of-sale devices to accept them, with more retailers planning to come on stream, this will continue to increase consumer awareness
  • The debit card may have had its day. New technology means payment chips are now being embedded in phones, with more innovation to come
  • New entrants may also appear. Smartphones are capable of scanning barcodes, a system which could easily be designed to take a payment from an account at a point-of-sale
  • Paying a friend or business on your mobile as easily as sending a text is set to become a mainstream option in spring 2014, when the Payments Council launches the new mobile payments service. The service will be the first to link up every bank account in the country with a mobile number
  • In future, the wallet may be obsolete altogether as more payments become electronic and our phones become the hub of our financial transactions

Summarised details from the report

Debit cards are currently making gains in sectors previously dominated by cash and are likely to take a greater share as contactless cards reach mass adoption.

  • 28% of our spontaneous transactions are made on a debit card (a rise of 59% over the last five years), with the average transaction size at £42 and falling
  • 56% of debit card purchases are between £10 and £50
  • 91% of all our one-off cash transactions were under £25
  • The contactless payment limit of £20 would allow many cash payments to potentially migrate onto cards. Debit card holding is widespread across all ages and socio-economic groups.

The triumph of the debit card, but has it passed its peak?

The arrival of the debit card in the 1980s, which was billed as the consumers’ alternative to the cheque, also provided customers with an alternative to the credit card. 84% of adults had a debit card in 2001, but they were less widely accepted, and many people still preferred cheques and cash. Spending was still just higher on credit cards (£93 billion) than debit cards (£77 billion) at the turn of the century. The balance tipped in favour of debit cards in 2001. As businesses like pubs, dentists and hairdressers began to accept the cards, thanks partly to the introduction of chip and PIN and to the rapid roll out of hand held point-of-sale devices, usage and card holding took off and the dominance of the debit card was secured.

Credit cards, by contrast, are more commonly used by people drawing higher incomes or in higher social classes. This reflects the fact that they are more able to access credit and pass credit scoring criteria. They also have greater spending power and appetite to accumulate rewards such as Air Miles and cashback through their credit cards. Credit cards account for one in twelve of our spontaneous payments with an average value of £56 per transaction.

Cheques account for just 1% of spontaneous transactions, but have an average value of £375, as they are more likely to be used for high value payments such as financial transfers (see section on cheques for more detail). There is now a quite narrow demographic profile for cheque usage which reflects its diminishing status as a mass payment method. Cheques tend to be favoured by older people who are used to paying that way, the self-employed and families with children who have to pay for childcare and children’s activities.

Between 2005 and 2011 the total value of plastic card spending increased by £179 billion. 91% of this growth was attributable to debit cards. In 2011, debit card spending in the UK amounted to £334 billion from 7.3 billion transactions. This was approximately two and a half times the amount spent on credit cards of £140 billion from 2.1 billion transactions. This represented an increase of 252% on the corresponding amount spent in the year 2001, making this rate of growth three times higher than that recorded for consumer spending over the decade to 2011. In the next decade debit card spending in the UK could come close to doubling – we forecast £664 billion from 14 billion transactions, with credit card spending projected to be £204 billion from 3.1 billion transactions.

Debit card holding is much more widely spread across the social spectrum than credit cards, with 90% ownership across the adult population in 2011. 98% of AB adults held a debit card compared to 57% of E adults in 2011. For credit cards the figure is 77% v 26% respectively. The wide issuance of debit cards has positive social consequences as it means lower income consumers are able to access the world of e-commerce.

Without the mass adoption of cards the e-commerce industry could never have developed, and self-service in shops and filling stations would be non-existent.

In 2001 online purchases took just 3.3p in every £1 spent on a card. By 2011, that had almost quadrupled to 12.8p in every £1, and the total continues to grow.

Contactless functionality means debit cards can continue to take a greater share of our spending, but in the longer term the future of the piece of plastic could be impacted by the arrival of mobile payments. The huge success of the debit card has opened the door to new technologies that could even lead to its own demise, or at least heavily impact its use. In the next few years, if card technology gets incorporated into mobile payments, it could become possible to use the phone to make a debit card type payment in a shop instead of the physical card, and if this happens the debit card as we know it today could become a thing of the past.

The demise of the debit card is still some way off: despite having saturated the market, its use will continue to grow for the time being. By contrast, the credit card market has already matured and usage has been subdued since 2009. Credit card issuance grew very strongly in the 1990s and 2000s as credit was more easily available.

Credit cards are a very useful tool in our payments arsenal, but they are not the payments of choice for a lot of our day-to-day purchases. They are most useful where a large expense needs to be spread over a longer period, or for the protection offered under section 75 of the Consumer Credit Act 1974, or indeed because a credit card is ring-fenced away from a current account.

Rapid growth in consumer borrowing and the increase in credit card usage in the early 2000s meant that 69.9 million credit cards were in issue by 2005, along with 4.7 million charge cards. Two thirds of adults held a credit card. During the recession a greater focus on the need to borrow and lend responsibly saw consumer attitudes to credit card use change. By 2011, there were 15.4 million fewer credit cards in our wallets, compared to 2005.

Spending on credit cards has increased by just 7.7%, which was well below the cumulative rate of inflation over the period. Last year we spent £140 billion and made 2.1 billion purchases in the UK. During the recession, repayments increased and in 2011 around 60% of cardholders paid off their balance in full each month, up from 54% in 2003.

In terms of business-to-business payments, the trends stay true. Last year, spending on credit cards fell and cardholding was also down by 2.7% compared to 2010, resulting in a total of 1.9 million cards. Interestingly it is larger businesses that are most likely to use credit or charge cards, whereas smaller businesses use debit cards.

The final piece of the cards puzzle is the continued expansion in the usage of prepaid cards. They are already ubiquitous in replacing gift vouchers, but more sophisticated versions are available, for example for business-to-person disbursements such as payments under reward, loyalty and incentive schemes. The insurance sector is also starting to issue prepaid cards to claimants, for use in a specific retail sector to cover a claim. Another area where these cards are starting to forge ahead is in the travel industry. They seem to have become a more attractive proposition compared with traveller’s cheques as they can be used directly in shops or to withdraw cash, as well as offering competitive rates for fees and charges when used abroad. However, though this market continues to expand, it is still at a slower rate than in 2009. Ultimately it is hard to imagine prepaid cards developing beyond a small niche.

How will we pay for it in the future?

Contactless payment technology began in the UK in 2007, but those living in and around London would have been familiar with the principle, having had the contactless Oyster card since 2003 for using public transport. The London Olympics used its venues as a testing ground for contactless cards. In 2011, all the major UK card schemes (American Express, MasterCard and Visa) began processing contactless payments. By December 2011, six major UK issuers were issuing cards with contactless functionality and the number of these cards reached 23 million, an increase of 75% from the end of 2010. Adoption is still slow however, as retailers and consumers are yet to embrace the changes in a big way. This will change, but first requires more retailers to roll-out more terminals, and for banks to issue more cards.

Ironically contactless technology may eventually contribute to us becoming less reliant on a physical piece of plastic, as it can be incorporated into a mobile phone or any other popular item, rendering it a payment tool. Only ten years ago paying for items on your mobile was unthinkable, but now one wonders why it’s not here in a bigger way already. The increasing demand for convenience and accessibility, along with the rising penetration of smartphones has driven the growth in mobile payment. The bold prediction made by PayPal that by 2016 people will no longer need to take a wallet with them shopping may be premature but nevertheless at some point we may be leaving the house just asking ourselves ‘keys, phone?’ KPMG expect mobile payments to be mainstream within the next 2-4 years, while Visa, which recently released its digital wallet V.me in November 2012, expects half of all payments to be made through mobile devices by 2020.

New entrants are muscling in to help us pay in shops. Google Wallet which launched in the US last year has already agreed deals with 25 national retailers to support the system through MasterCard’s PayPass programme. Google’s rival, Apple has yet to launch a competing system, but with such a huge, loyal customer base, well used to making many small transactions through iTunes all the time, it will surely not be far off. Microsoft has already announced that there will be a wallet feature on the Windows Mobile 8 operating system. Three of the big telecoms operators, Verizon, T-Mobile and AT&T are developing a service known as Iris.

For tradesmen on the move, new hardware is also on the market. Payment method Square, a mobile app and phone attachment which serves as its own cash register, has been created by one of the founders of Twitter and is in use in the US. This sort of kit will reduce the reliance among mobile tradesmen on cash and cheques. O2 UK also launched a new service that enables retailers to accept card payments on a smartphone or tablet by using a special keypad that connects via Bluetooth. A free app then manages the card transaction and sends a receipt.

For moving our money around, Barclays already offers a mobile payment service (Pingit). Anyone with a mobile phone can sign up with Barclays to receive payments through Pingit, but only Barclays customers can send payments. A similar service has also been launched by phone provider O2, with customers able to transfer up to £500 via text message. Similarly, PayPal has also recently launched an app in the UK that allows users to pay for items with their mobile phones across a number.

In addition to all these competitive offerings in the collaborative space, the Payments Council is developing the industry-wide, central service that will make it possible to send or receive a payment using just a mobile number, no matter who you bank with. The new service could be a handy way to split a bill for dinner or pay a tradesman without needing to know their account details. Payments made using the service will be protected by a passcode or similar security feature, and arrive almost instantly.

Internationally, consumers have been quicker to take up mobile payments in Asia than in the West. In France, McDonald’s is currently testing a mobile payment method arranged with PayPal. With over 30,000 restaurants worldwide, a McDonald’s deal would represent a larger business and cultural footprint for PayPal than perhaps any other mobile payment system in operation. In Africa, payments technology is leapfrogging the developed world. Starting from few branch networks, little fixed-line telecoms infrastructure and low card or bank account ownership, banking is going straight to consumers’ mobiles. Since 2007, Kenya has been using a system called M-Pesa, which allows mobile money transfer through a text message, with over 50% of the population already using this service. The Payments Council’s mobile payments database will make payment by mobile a possibility for the UK too, but it will be developed using existing payment systems, such as the Faster Payments Service or the Link network.

Worldwide, the UK presents a key growth area in the uptake of mobile payment. Businesses should be planning now or risk falling behind consumer demand. From a consumer perspective, in terms of making purchases using our phones, the number of devices and potential new options on offer at the moment can be confusing as people still grapple with all the commercial developments. Whilst the future may be unclear, it is exciting, and it will bring convenience and choice far greater than we have known until now. Ultimately only a handful of providers and products will create the winning proposition. Undeniably these new technologies will transform the way we manage our finances and the way we pay over the next decade.

Adrian Kamellard, chief executive of the Payments Council, says: “We scarcely notice the steady changes in the way we pay, yet someone in their thirties today will see more change in their lifetime than in the entire history of money. Even recent innovations such as payment via a mobile phone, which ten years ago some felt to be science fiction, will soon be commonplace. The 2000s were the decade of the debit card. The 2010s are likely to be the decade of the mobile phone. Just as we can’t imagine how we ever did without the internet, many people will soon wonder how we used to be so dependent on cash and cheque. Twenty years from now even cards may seem archaic.”

He adds: “The quiet revolution in payments has enabled the creation of whole new industries such as e-shopping, it has changed our behaviour, and it has reduced transaction costs, and increased the speed and efficiency with which we can all pay each other. The next ten years will see even faster change. It’s easy to imagine a future where we merely pat our pockets for our keys and phone. The wallet could become a historical curiosity.”

View the Payments Council Press Release here.


PCI SSC releases its Best practices to help prevent card data compromise at ATMs

The PCI SSC has released its latest supplement, the ATM Security Guidelines Information Supplement.

The guidelines were developed to give ATM manufacturers guidance on how to prevent card data from being compromised at the ATM.

The ATM Industry Association’s (ATMIA) 2012 ATM Global fraud survey reveals that skimming remains the leading global threat to ATMs because criminals use stolen information to produce counterfeit cards for fraudulent transactions, primarily ATM cash withdrawals. 

Also see Europol reveals €1.5 Billion Euro in Credit Card Fraud, how it is stolen and why they struggle to catch the criminals  

“Skimming and other types of attacks on ATMs continue to be top of mind for our constituents,” said Bob Russo, general manager, PCI Security Standards Council. “There are already some excellent resources out there that help with various pieces of ATM security. What this guidance does is pull together these different best practices into one comprehensive set, which is what our stakeholders have been asking for.”

The guidance document provides an introduction to ATM security and outlines best practices around the following key areas and objectives:

  • Integration of hardware components to avert magnetic-stripe and other account data compromise and PIN stealing
  • Security of basic software to avert magnetic-stripe skimming and PIN stealing
  • Device management/operation to ensure adequate management of: the ATM during manufacturing, the ATM in storage, deployed ATM estates and each ATM’s individual security configuration
  • ATM application management to address security aspects of the ATM application.

ATM manufacturers, hardware and software integrators, and deployers of ATMs can use this guidance to aid in the secure development, deployment and maintenance of ATMs. As with all PCI guidance documents, the ATM Security Guidelines Information Supplement does not replace or supersede the PCI Standards, nor is it to be used as a set of security requirements for the formal certification of ATMs. The PTS POI security requirements provide for the testing and approval of encrypting PIN pads and secure readers used in ATMs for handling PIN and account data, and organizations should continue to use that standard to address these components of ATM security.

For a link to the full document please use my PCI Resources page here.


Want to be PCI DSS compliant? Here are 5 mistakes to avoid.

Charles Denyer, a QSA with NDB, has produced a list of five mistakes that anyone striving for PCI DSS compliance must avoid.

  1. Not conducting a formal Readiness Assessment. It’s important with PCI DSS compliance to truly understand all facets of the Payment Card Industry Data Security Standards (PCI DSS) provisions, which essentially means answering the “who, what, when, where, and why” of PCI with a comprehensive Readiness Assessment. And by no means should it be looked upon as yet another added cost to the engagement; rather, it is a proactive and necessary measure for properly defining and understanding many important facets of PCI, which, by the way, is always a moving target, to say the least. A competent, well-skilled PCI-QSA, such as Charles Denyer of NDB Advisory, can provide your organization with a PCI DSS Readiness Assessment. Knowing what you are getting into is important!
  2. Having no buy-in from senior management and others. “Going it alone”, as the saying goes, can have its risks and rewards – but in the case of PCI DSS compliance – it’s not only a bad idea, but one that creates real challenges for organizations. Sure, management may very well be aware of their organization undertaking PCI compliance, but have they provided true operational and financial support? Have they taken the time to really understand the commitment and effort needed? If not, then it’s time to make them aware of this, and soon. Remember, setting expectations for PCI compliance is a must, no questions about it.
  3. Failing to understand PCI Scope. Organizations struggle with this immensely – after all – determining the actual scope for purposes of PCI compliance can be challenging, and it’s not always a black and white answer. Do you have a “flat” network? What is the true definition of the cardholder data environment (CDE)? What third-party providers are in scope? These, and many, many other questions, often require thoughtful consideration for PCI compliance.
  4. Not conducting Remediation efforts. As a PCI-QSA, I’m amazed at the lack of remediation efforts by companies pursuing PCI compliance. What I find more troubling is that these remediation efforts – when even conducted – are only undertaken for a sample of system components, not the entire population of in-scope items. Being compliant with the Payment Card Industry Data Security Standards means meeting all the stated requirements for ALL in-scope system components, not just a chosen few. A PCI-QSA with true independence and professionalism will always tell their clients that, and that’s exactly what I’m doing here! Simply put, remediate, and remediate all items that are in scope for an actual PCI DSS assessment.
  5. Failing to recognize the importance of policies and procedures. Here’s an issue that seems to go unnoticed many times regarding PCI compliance – after all – how challenging and time-consuming can it really be to develop PCI policies and procedures? Very challenging and time-consuming; just look at the number of documents that are required by PCI – policies for this, procedures for that – get the point? Sure, PCI compliance is technical in nature, but don’t lose sight of one of the most important requirements, and that’s developing a comprehensive set of PCI policies and procedures. As a PCI-QSA, my advice is to hire an expert consultant to develop a customized set of these policies (which is part of the services offered by NDB Advisory) or to use the high-quality PCI security policies from pcipolicyportal.com.

Supporting point 3, there is a good white paper, “8 ways to reduce the scope of PCI DSS”, here.
