September 5th, 2014 by Elma Jane

Businesses are rapidly adopting a third-party operations model that can put payment data at risk. Today, the PCI Security Standards Council, an open global forum for the development of payment card security standards, published guidance to help organizations and their business partners reduce this risk by better understanding their respective roles in securing card data. Developed by a PCI Special Interest Group (SIG) including merchants, banks and third-party service providers, the information supplement provides recommendations for meeting PCI Data Security Standard (PCI DSS) requirement 12.8 to ensure payment data and systems entrusted to third parties are maintained in a secure and compliant manner.

Breach reports continue to highlight security vulnerabilities introduced by third parties as a leading cause of data compromise. The leading mistake organizations make when entrusting sensitive and confidential consumer information to third-party vendors is not applying the same level of rigor to information security in vendor networks as they do in their own. Per PCI DSS Requirement 12.8, if a merchant or entity shares cardholder data with a third-party service provider, certain requirements apply to ensure that continued protection of this data will be enforced by such providers. The Third-Party Security Assurance Information Supplement focuses on helping organizations and their business partners achieve this by implementing a robust third-party assurance program.

Produced with the expertise and real-world experience of more than 160 organizations involved in the Special Interest Group, the guidance includes practical recommendations on how to:

Conduct due diligence and risk assessment when engaging third-party service providers, to help organizations understand the services provided and how PCI DSS requirements will be met for those services.

Develop appropriate agreements, policies and procedures with third-party service providers that include considerations for the most common issues that arise in this type of relationship. 

Implement a consistent process for engaging third parties that includes setting expectations, establishing a communication plan, and mapping third-party services and responsibilities to applicable PCI DSS requirements.

Implement an ongoing process for maintaining and managing third-party relationships throughout the lifetime of the engagement, including the development of a robust monitoring program. 

The guidance includes high-level suggestions and discussion points for clarifying how responsibilities for PCI DSS requirements may be shared between an entity and its third-party service provider, as well as a sample PCI DSS responsibility matrix that can assist in determining who will be responsible for each specific control area.

PCI Special Interest Groups are PCI community-selected and developed initiatives that provide additional guidance and clarifications or improvements to the PCI Standards and supporting programs. As part of its initial proposal, the group also made specific recommendations that were incorporated into PCI DSS requirements 12.8 and 12.9 in version 3.0 of the standard. One of the big focus areas in PCI DSS 3.0 is security as a shared responsibility. This guidance is an excellent companion document to the standard in helping merchants and their business partners work together to protect consumers’ valuable payment information.

Posted in Best Practices for Merchants, Credit Card Security, Payment Card Industry PCI Security

September 30th, 2013 by Elma Jane

Facebook this week began testing a new feature dubbed “Autofill with Facebook” that aims to simplify mobile purchases by filling in customers’ credit card information for them, thus eliminating the need to type it in each time. Autofill with Facebook “gives people the option to use their payment information already stored on Facebook to populate the payment form when they make a purchase in a mobile app,” a Facebook spokesperson told the E-Commerce Times. “The app then processes and completes the payment.” The feature “is designed to make it easier and faster for people to make a purchase in a mobile app by simply pre-populating your payment information.” During the test period, which began Monday evening, the feature will show up only to Facebook users who have already provided credit card information to the social network — in other words, those who have made in-game purchases or bought gifts for friends.

Facebook has partnered with PayPal, Braintree and Stripe as financial partners on the service, which is initially available only on the e-commerce iOS apps JackThreads and Mosaic.

Ironing Out the Wrinkles

Autofill with Facebook isn’t a move to compete with PayPal and credit card companies, but to complement payment services by adding a layer of convenience, much the way Facebook, Google and Amazon have created a single login that works across a network of websites.

“Facebook is not interested in being a payments company,” an analyst told the E-Commerce Times. “Instead, it is aiming to be the entity that irons out bumps in the payment process — something it is well-positioned to do. With Autofill, Facebook will act as the lubricant that makes the commerce experience more seamless, providing a number of benefits to all stakeholders.”

Partners in the deal ensure that Facebook will succeed with Autofill with Facebook; it doesn’t care about payments, it cares about reaping the benefits that come from making the payment experience better.

‘The Potential to Be Lucrative’

There could be significant financial benefits as well. “This approach has the potential to be lucrative for Facebook in that it will help plug the mobile conversion gap,” McKee suggested. “If Facebook can prove to its partner merchants that an ad on its site led to a purchase, the validity of its platform can easily be proven. Ideally, this will help convince other companies to advertise with Facebook as well.”

Taking it a step farther, Facebook will also gain transaction data, which McKee believes has considerable value. “Facebook can leverage transaction data with what it already knows about us for precision ad targeting. This will increase the relevance and placement of ads on Facebook.”

The Security Factor

While many mobile customers will appreciate the Autofill function, security issues still lurk in the back of every consumer’s mind. Yet while privacy concerns have been an ongoing issue for Facebook, it has a good track record where security is concerned. “Facebook has been relatively incident-free when it comes to security breaches. However, this is more a problem of consumer perception. Will consumers feel comfortable storing their payment credentials with a social media platform?”

“Facebook is already approaching ‘big brother’ status, and this takes it one step further.” “To succeed, Facebook must provide visibility into what it plans to do with transaction data.”

‘It’s a No-Brainer’

The convenience factor, meanwhile, could be a compelling one for consumers. “It’s no-brainer useful to mobile users…who wants to enter their credit card on a mobile phone more than once?” “It could be more secure than mobile payment alternatives.” If Facebook gets past its hurdles, it will also succeed in building strengths in areas where it has been lacking to date.

“Right now Facebook isn’t super strong at the conversion side of e-commerce.” “Autofill will give them a lot of data about purchases, which might help them remedy that.”

‘Strategic Smarts and Ambition’

As for those benefits to Facebook, there are potentially many. One example: “Autofill admits them to the online payments world.”

“This is another example of the strategic smarts and ambition of Zuck.” “One gets the sense that he wants to be a major competitor for everything online.”

Posted in Credit Card Processing, Credit Card Security, Digital Wallet Privacy, e-commerce & m-commerce, Electronic Payments, Mobile Payments