Apr
11
2014
April 11th, 2014 by Elma Jane

PCI DSS 3.0 standard, which took effect January 1st, introduces changes that extend across all 12 requirements, aimed to improve security of payment card data and reducing fraud. There will be some shakeups for many organizations when it comes to their day-to-day culture and operations. Transitioning to meet the new requirements will help e-business build a stronger, safer, lower-risk environment for their customers.

While the growing number of digital payment avenues offers convenience to customers, it also offers a larger attack surface for criminals.

As cloud technologies and e-commerce environments continue to grow, creating multiple points of access to cardholder data and online retailers will only become more appealing targets for hackers. Cybercriminals are cunning and determined. They understand payment card infrastructures as well as the engineers who designed them.

A scary proposition and it’s exactly why the payment card industry is so determined to help keep e-commerce organizations protected. Meeting the new standard, businesses will be better armed to fight evolving threats. Changes will also drive more consistency among assessors, help business reduce risk of compromise and create more transparent provider-customer relationships.

Transitioning to PCI DSS 3.0 will involve some work, but doing that work on the front end is going to save much work down the line. Adopting the new standard ultimately will drive your e-commerce business into a secure and efficient era.

Cultural Changes – One of the main themes of 3.0 is shifting from an annual compliance approach to embedding security in daily processes. Threats don’t change just once a year. They’re constantly evolving and that means e-commerce organizations must adopt a culture of vigilance. Only through a proactive business-as-usual approach to security can you achieve true DSS compliance. Realistically, this could mean the need to provide more education and build awareness with staff, partners and providers, so that everyone understands why and how new processes are in place.  

Operational Changes – The 3.0 standard addresses common vulnerabilities that probably will ring a bell with many of you. These include weak passwords and authentication procedures, as well as insufficient malware detection systems and vulnerability assessments, just to name a few. Depending on your current security controls program, this could mean you’ll need to step up in these areas by strengthening credential requirements, resolving self-detection challenges, testing and documenting your cardholder data environment and making other corrections.

Overview Changes – How much work lands on your plate will depend on your current security program. Examining your current security strategies and program is a good idea. Below are the areas requiring your attention, which this series will explore in more detail in future installments.

Service Provider Changes –  Some organizations made unsafe assumptions in the past when it comes to third-party providers. Some have paid the price, from failed audits to breaches. One reason that the new standard is designed to eliminate any confusion over compliance responsibilities. Responsibilities, specifically for management, operations, security and reporting all will need to be spelled out in detailed contracts. In addition to improved communication, an intensified focus on transparency means that you should have a clear view of your provider’s infrastructure, data storage and security controls, along with subcontractors that can impact your environment. So if your organization isn’t exactly clear on which PCI DSS requirements you manage and which ones your providers handle, prepare to get all of that hammered out.

The Compliance Rewards – The path to preparing for the 3.0 deadline in January 2015 sounds like it’s a lot of work. So to get started request your QSA’s opinion on how the changes will impact your organization, by doing the gap assessment and you’ll be able to address any shortcomings.    

Meeting the new 3.0 requirements isn’t just about passing audits. In fast paced payment IT landscape, staying smart and protected is part of our commitment to our customers. Beefing up security game not only reduce audit headaches, but also enjoy stronger brand reputation as a safe and reliable e-commerce business.

Posted in Best Practices for Merchants, Credit card Processing, Credit Card Security, e-commerce & m-commerce, Electronic Payments, Financial Services, Payment Card Industry PCI Security, Small Business Improvement, Visa MasterCard American Express Tagged with: , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Mar
14
2014
March 14th, 2014 by Elma Jane

Merchant and Consumer Groups Seek Senate Support To Forego EMV Chip and Signature As Breach Concerns Rise

There’s no shortage of answers  in trying to put a stop to hackers set on throwing chaos into the way consumers transact at the point of sale, or online for  that matter. Yesterday, the Banking, Housing and Urban Affairs subcommittee on national security and international trade and finance got its chance to hear some of them.

During the hearing, William Noonan, deputy special agent in charge, U.S. Secret Service, noted the advances in computer technology and greater access to personally identifiable information online, which have created a virtual marketplace for transnational cyber criminals to share stolen information and criminal methodologies. As a result, the Secret Service has observed a marked increase in the quality, quantity, and complexity of cyber crimes targeting private industry and critical infrastructure. These crimes include network intrusions, hacking attacks, malicious software, and account takeovers leading to significant data breaches affecting every sector of the world economy.

The recently reported data breaches of Target and Neiman Marcus represent only the most recent, well-publicized examples of this decade-long trend of major data breaches perpetrated by cyber criminals intent on targeting the nation’s retailers and financial payment systems.  The increasing level of collaboration among cyber-criminals allows them to compartmentalize their operations, greatly increasing the sophistication of their criminal endeavors and allowing for development of expert specialization. These specialties raise both the complexity of investigating these cases, as well as the level of potential harm to companies and  individuals.

So how should the industry react to prevent further breaches? Those opinions provided during testimony at the hearing varied widely, though both consumer and merchant groups would like the card networks to give up requiring only signatures for smart card purchases at the point of sale.

Consumer program director at the U.S. Public Interest Research Group, called for myriad of changes, citing that the greater risk from the recent breaches is less related to identity theft than it is to fraud on existing accounts,  and he said it’s time for players on both sides of the transaction to focus more on protecting consumers than on managing their own risk.

Until now, both banks and merchants have looked at fraud and identity theft as a modest cost of doing business and have not protected the payment system well enough. They have failed to look seriously at harms to their customers from fraud and identity theft -including not just monetary losses and the hassles of restoring their good names, but also the emotional harm that they must face as they wonder whether future credit applications will be rejected due to the fraudulent accounts.

As a first step, Congress should institute the same fraud cap, $50, on debit/ATM cards that exists on credit cards, or eliminate the $50 cap entirely, since it is never imposed because of the zero-liability policies issuers have voluntarily have imposed. Congress also should provide debit and prepaid card customers with the stronger billing-dispute rights and rights to dispute payment for products that do not arrive or do not work as promised, just as many credit card users enjoy.

Congress should  endorse a specific technology, such as EMV smart cards and if it does, require the use of PINs when initiating smart card transactions. The current pending U.S. rollout of chip cards will allow use of the less-secure chip-and-signature cards rather than the more-secure chip-and-PIN cards. Why not go to the higher-and-PIN authentication standard immediately and skip past chip and signature? There is still time to make this improvement.”

Retailers have spent billions of dollars on card-security measures and upgrades to comply with PCI card security requirements, but it hasn’t made them immune to data breaches and fraud. The card networks have made those decisions for merchants, and the increases in fraud demonstrate that their decisions have not been as effective as they should have been.

The card networks should forego chip and signature and go straight to chip and PIN. To do otherwise would mean that merchants would spend billions to install new card readers without they or their customers obtaining PINs’ fraud-reducing benefits. We would essentially be spending billions to combine a 1990’s technology chips with a 1960’s relic signature in the face of 21st century threats.

Posted in Best Practices for Merchants, Credit card Processing, Credit Card Reader Terminal, Credit Card Security, Digital Wallet Privacy, Electronic Payments, EMV EuroPay MasterCard Visa, Financial Services, Merchant Services Account, Payment Card Industry PCI Security, Point of Sale, Small Business Improvement, Visa MasterCard American Express Tagged with: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Oct
21
2013
October 21st, 2013 by Elma Jane

UL’s (Underwriter Laboratories) latest contribution to the future of payments has been accomplished through its three years of work with National Security, a French biometrics company that has created a commercially viable biometric technology solution for the point of sale.

The move positions UL and National Security at the forefront of an industry that is expected to expand by 140 percent to reach $12 billion in revenue over the next five years, potentially transforming online, mobile and in-store commerce by increasing the speed of transactions in the process.

Still, arguments can be made that biometric use at the point of sale will remain limited. Why does UL believe the market is right for biometrics, and how did it successfully ensure biometric payments will be ready for all parts of the payment process?

Why The Time Is Now For Biometrics 
Consumer concerns regarding identity theft and violence are on the rise, and the solution according to many is a viable biometrics payment solution. Reports show that there is already strong demand in the U.S. and Asian markets for such products, and major research outlets have put their support behind the technology.

UL’s case study elaborates on the benefits illustrating how biometric data has been developed to be harder for hackers to infiltrate and compliant with EMV security standards.
Developing The Technology 
UL’s work to ensure biometrics will remove friction at the POS has been extensive. For example, its latest case study profiles how UL developed the underlying technology to overcome challenges and work in harmony with wireless technologies such as bluetooth and Wi-Fi. Further, it explains how UL assessed the human health impact of National Security’s biometric solutions.

Posted in Credit card Processing, Electronic Payments, EMV EuroPay MasterCard Visa, Mobile Point of Sale, Near Field Communication, Point of Sale Tagged with: , , , , , , , , , , , , , , , , , , , , , , , ,