April 11th, 2014 by Elma Jane

The PCI DSS 3.0 standard, which took effect January 1st, introduces changes that extend across all 12 requirements, aimed at improving the security of payment card data and reducing fraud. There will be some shakeups for many organizations when it comes to their day-to-day culture and operations. Transitioning to meet the new requirements will help e-businesses build a stronger, safer, lower-risk environment for their customers.

While the growing number of digital payment avenues offers convenience to customers, it also offers a larger attack surface for criminals.

As cloud technologies and e-commerce environments continue to grow, creating multiple points of access to cardholder data, online retailers will only become more appealing targets for hackers. Cybercriminals are cunning and determined. They understand payment card infrastructures as well as the engineers who designed them.

It’s a scary proposition, and it’s exactly why the payment card industry is so determined to help keep e-commerce organizations protected. By meeting the new standard, businesses will be better armed to fight evolving threats. The changes will also drive more consistency among assessors, help businesses reduce the risk of compromise and create more transparent provider-customer relationships.

Transitioning to PCI DSS 3.0 will involve some work, but doing that work on the front end is going to save much work down the line. Adopting the new standard ultimately will drive your e-commerce business into a secure and efficient era.

Cultural Changes – One of the main themes of 3.0 is shifting from an annual compliance approach to embedding security in daily processes. Threats don’t change just once a year. They’re constantly evolving, and that means e-commerce organizations must adopt a culture of vigilance. Only through a proactive business-as-usual approach to security can you achieve true DSS compliance. Realistically, this could mean the need to provide more education and build awareness with staff, partners and providers, so that everyone understands why and how new processes are in place.

Operational Changes – The 3.0 standard addresses common vulnerabilities that probably will ring a bell with many of you. These include weak passwords and authentication procedures, as well as insufficient malware detection systems and vulnerability assessments, just to name a few. Depending on your current security controls program, this could mean you’ll need to step up in these areas by strengthening credential requirements, resolving self-detection challenges, testing and documenting your cardholder data environment and making other corrections.

Overview Changes – How much work lands on your plate will depend on your current security program. Examining your current security strategies and program is a good idea. Below are the areas requiring your attention, which this series will explore in more detail in future installments.

Service Provider Changes – Some organizations made unsafe assumptions in the past when it comes to third-party providers. Some have paid the price, from failed audits to breaches. That is one reason the new standard is designed to eliminate any confusion over compliance responsibilities. Responsibilities, specifically for management, operations, security and reporting, all will need to be spelled out in detailed contracts. In addition to improved communication, an intensified focus on transparency means that you should have a clear view of your provider’s infrastructure, data storage and security controls, along with any subcontractors that can impact your environment. So if your organization isn’t exactly clear on which PCI DSS requirements you manage and which ones your providers handle, prepare to get all of that hammered out.

The Compliance Rewards – The path to preparing for the 3.0 deadline in January 2015 sounds like a lot of work. So to get started, request your QSA’s opinion on how the changes will impact your organization; a gap assessment will show you the shortcomings you need to address.

Meeting the new 3.0 requirements isn’t just about passing audits. In the fast-paced payment IT landscape, staying smart and protected is part of our commitment to our customers. Beefing up your security game not only reduces audit headaches but also earns a stronger brand reputation as a safe and reliable e-commerce business.


November 15th, 2013 by Elma Jane

November 7, 2013 – The Payment Card Industry (PCI) Council’s recent acceptance of the world’s first Point-To-Point Encryption-validated solution is great news for both acquirers and merchants, and will aid in reducing merchant scope and increasing business security worldwide. If your P2PE know-how is a little spotty, here are the basics.

What is P2PE?

Point-To-Point Encryption (P2PE) is the combination of hardware and processes that encrypts customer credit/debit card data from the point of interaction until it reaches a merchant solution provider’s environment for processing. Because card data is immediately encrypted as the card is swiped (or dipped), no clear-text card information ever resides in the payment environment. The encrypted card data is then transferred to, decrypted by, and processed through the solution provider/processor, which is the sole holder of the decryption key.

Many question the difference between P2PE and typical point of sale (POS) encryption. In a POS environment, merchants often store decryption keys on their backend servers. Bad idea. If a cybercriminal hacks into that environment, they not only have access to the encrypted card numbers, but the decryption key as well. Hacker jackpot.

The reason P2PE is arguably the most secure way to process is because merchants don’t have access to decryption keys. If a hacker breaches a merchant using a validated P2PE solution, he/she will only recover a long string of useless encrypted card numbers with no way to decode them.
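The key-custody difference described above, as an added example that is not part of the original post and is not any vendor’s or the PCI Council’s P2PE implementation: RSA-OAEP from Go’s standard library stands in for the hardware and key-management processes a validated solution actually uses, the terminal is provisioned with only the provider’s public key, and the two PANs are constructed test values. The same backend is modelled twice, once holding ciphertext only (the P2PE arrangement) and once holding the decryption key next to the data (the arrangement the post warns about), so you can see what a copy of each backend gives an intruder.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// oaepLabel ties each ciphertext to this use; a constructed value for the demo.
var oaepLabel = []byte("p2pe-demo-pan")

// Provider models the P2PE solution provider: the only party that ever holds
// the private (decryption) key. Terminals receive only the public half.
type Provider struct{ priv *rsa.PrivateKey }

// NewProvider generates the provider's key pair (2048-bit RSA, an assumption
// made here in place of the key-injection hardware a real solution uses).
func NewProvider() (*Provider, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Provider{priv: priv}, nil
}

// PublicKey is what gets loaded into a terminal; it can encrypt but not decrypt.
func (p *Provider) PublicKey() *rsa.PublicKey { return &p.priv.PublicKey }

// Decrypt is the provider-side step: recover the PAN for authorisation.
func (p *Provider) Decrypt(ct []byte) (string, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, p.priv, ct, oaepLabel)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// Terminal models the point of interaction: the PAN is encrypted as the card
// is swiped, and only ciphertext leaves the device.
type Terminal struct{ pub *rsa.PublicKey }

func (t *Terminal) Swipe(pan string) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, t.pub, []byte(pan), oaepLabel)
}

// MerchantBackend is everything an intruder gets by copying the merchant's
// servers: stored records, plus a decryption key if one was kept there.
type MerchantBackend struct {
	records [][]byte
	key     *rsa.PrivateKey // nil under P2PE
}

func (m *MerchantBackend) Store(ct []byte) { m.records = append(m.records, ct) }

// HoldsClearText reports whether any stored record contains the PAN verbatim,
// i.e. whether the data was really encrypted before it reached storage.
func (m *MerchantBackend) HoldsClearText(pan string) bool {
	for _, r := range m.records {
		if bytes.Contains(r, []byte(pan)) {
			return true
		}
	}
	return false
}

// Breach simulates an intruder who tries every stored record against whatever
// key the backend holds, and returns the PANs recovered.
func (m *MerchantBackend) Breach() []string {
	var recovered []string
	if m.key == nil {
		return recovered // no key on the backend: ciphertext is all there is
	}
	for _, r := range m.records {
		if pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, m.key, r, oaepLabel); err == nil {
			recovered = append(recovered, string(pt))
		}
	}
	return recovered
}

// Demo runs two sample swipes through both backend arrangements and returns the
// number of PANs recovered from each, plus the provider's decryption of the
// first swipe to show the legitimate path still works.
func Demo() (int, int, string, error) {
	provider, err := NewProvider()
	if err != nil {
		return 0, 0, "", err
	}
	term := &Terminal{pub: provider.PublicKey()}
	pans := []string{"4111111111111111", "5555555555554444"} // constructed test PANs
	p2pe := &MerchantBackend{}                                 // ciphertext only
	legacy := &MerchantBackend{key: provider.priv}             // key lives next to the data
	var first []byte
	for i, pan := range pans {
		ct, err := term.Swipe(pan)
		if err != nil {
			return 0, 0, "", err
		}
		if i == 0 {
			first = ct
		}
		p2pe.Store(ct)
		legacy.Store(ct)
	}
	roundTrip, err := provider.Decrypt(first)
	if err != nil {
		return 0, 0, "", err
	}
	return len(p2pe.Breach()), len(legacy.Breach()), roundTrip, nil
}

func main() {
	p2peLeaked, legacyLeaked, roundTrip, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("P2PE backend breach: %d PANs; key-on-backend breach: %d PANs; provider decrypts: %s\n",
		p2peLeaked, legacyLeaked, roundTrip)
}
```

The scope argument in the post follows directly from the `key == nil` branch: a backend that was never given the key has nothing for `Breach` to work with, so a copy of it yields ciphertext and nothing else, while the legacy backend gives up every stored PAN.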

Why use P2PE?

Basically, P2PE increases data security and can make a merchant’s job of reaching PCI compliance easier. The main point of using a P2PE-validated solution is to significantly lessen the scope of security efforts through PCI Data Security Standard (DSS) requirement and P2PE Self-Assessment Questionnaire (SAQ) reduction. Compared to the 80+ questions required of mainstream merchant SAQs, the P2PE-HW SAQ only requires merchants to answer 18 questions.

Are all P2PE solutions created equal?

The answer is no. Many P2PE solution vendors claim their solution reduces scope, but in order for a merchant to qualify, they must select only P2PE-validated solutions listed on the PCI Council’s website.

To get P2PE solutions and applications listed on the approved website, solution provider processors must go through a rigorous testing process performed by a qualified P2PE Qualified Security Assessor (QSA). P2PE QSAs help entities through the 210-page document of P2PE requirements, testing procedures, and controls required to keep cardholder data secure – a task which only a few companies in the world can do.

As of this post, the only P2PE hardware solution approved by the PCI Council is European Payment Services’ (EPS) Total Care P2PE solution, validated by P2PE QSA SecurityMetrics. A number of other P2PE solutions are currently undergoing the review process and will be added to the list once approved.


September 30th, 2013 by Elma Jane

Facebook this week began testing a new feature dubbed “Autofill with Facebook” that aims to simplify mobile purchases by filling in customers’ credit card information for them, thus eliminating the need to type it in each time. “Autofill with Facebook gives people the option to use their payment information already stored on Facebook to populate the payment form when they make a purchase in a mobile app,” a Facebook spokesperson told the E-Commerce Times. “The app then processes and completes the payment.” The feature “is designed to make it easier and faster for people to make a purchase in a mobile app by simply pre-populating your payment information.” During the test period, which began Monday evening, the feature will show up only to Facebook users who have already provided credit card information to the social network — in other words, those who have made in-game purchases or bought gifts for friends.

Facebook has partnered with PayPal, Braintree and Stripe as financial partners on the service, which is initially available only on the e-commerce iOS apps JackThreads and Mosaic.

Ironing Out the Wrinkles

Autofill with Facebook isn’t a move to compete with PayPal and credit card companies, but to complement payment services by adding a layer for convenience, much the way Facebook, Google and Amazon have created a single login that works across a network of websites.

“Facebook is not interested in being a payments company,” an analyst told the E-Commerce Times. “Instead, it is aiming to be the entity that irons out bumps in the payment process — something it is well-positioned to do. With Autofill, Facebook will act as the lubricant that makes the commerce experience more seamless, providing a number of benefits to all stakeholders.”

Partners in the deal ensure that Facebook will succeed with Autofill with Facebook; it doesn’t care about payments, it cares about reaping the benefits that come from making the payment experience better.

‘The Potential to Be Lucrative’

There could be significant financial benefits as well. “This approach has the potential to be lucrative for Facebook in that it will help plug the mobile conversion gap,” McKee suggested. “If Facebook can prove to its partner merchants that an ad on its site led to a purchase, the validity of its platform can easily be proven. Ideally, this will help convince other companies to advertise with Facebook as well.”

Taking it a step farther, Facebook will also gain transaction data, which McKee believes has considerable value. “Facebook can leverage transaction data with what it already knows about us for precision ad targeting. This will increase the relevance and placement of ads on Facebook.”

The Security Factor

While many mobile customers will appreciate the Autofill function, security issues still lurk in the back of every consumer’s mind. Yet while privacy concerns have been an ongoing issue for Facebook, it has a good track record where security is concerned. “Facebook has been relatively incident-free when it comes to security breaches. However, this is more a problem of consumer perception. Will consumers feel comfortable storing their payment credentials with a social media platform?”

“Facebook is already approaching ‘big brother’ status, and this takes it one step further.” “To succeed, Facebook must provide visibility into what it plans to do with transaction data.”

‘It’s a No-Brainer’

The convenience factor, meanwhile, could be a compelling one for consumers. “It’s no-brainer useful to mobile users…who wants to enter their credit card on a mobile phone more than once?” “It could be more secure than mobile payment alternatives.” If Facebook gets past its hurdles, it will also succeed in building strengths in areas where it has been lacking to date.

“Right now Facebook isn’t super strong at the conversion side of e-commerce.” “Autofill will give them a lot of data about purchases, which might help them remedy that.”

‘Strategic Smarts and Ambition’

As for those benefits to Facebook, there are potentially many. One example: “Autofill admits them to the online payments world.”

“This is another example of the strategic smarts and ambition of Zuck.” “One gets the sense that he wants to be a major competitor for everything online.”
