Category: Payment Card Industry PCI Security
April 7th, 2014 by Elma Jane
Integrate Cloud-Based Platforms
E-commerce businesses increasingly rely on cloud-based applications, such as hosted shopping carts, analytics platforms, cloud-based accounting, customer service tools, and more.
To operate smoothly, a merchant’s cloud-based apps should integrate with each other, to save time, prevent data loss and ensure accurate reporting.
It’s important, therefore, to have an integration mindset when choosing and using software-as-a-service solutions.
Some tips:
Ask Around
As with evaluating any vendor for your company, go beyond the company’s website. Ask the vendor about other customers. Get references. Contact those companies and ask how the platform is working. Is it easy to set up? Does it integrate seamlessly with other apps? How long does it take to transfer data from one app to the other? These are just some of the questions you need to ask when evaluating an app. Also check social media sites for any discussions pertaining to the program. Read what people are tweeting. Check relevant LinkedIn groups.
Check the Company’s Integrations Page or API
When evaluating a software-as-a-service (SaaS) solution, first determine if it integrates with the platforms that you’re already using. Pre-built integrations will save much time. Alternatively, if a company has an application programming interface (API), use it to integrate the app with your existing systems.
If you can’t find the integration you need or if you want to avoid the API option, contact the vendor directly and ask if it can make its platform sync with your existing solutions. Don’t underestimate the power of reaching out to your vendors.
Use Cloud App Integration Services
Another option is to use SaaS integration services. You have plenty of choices, depending on what you need to connect. If you just need to integrate two apps, like Dropbox to Gmail, for instance, you can use If This Then That (IFTTT), a service that lets you assign triggers and actions to each app through a drag-and-drop interface. When one program does something, it automatically triggers another app to perform an action. For example, you can create a recipe wherein all your Gmail attachments are automatically saved to your Dropbox folder. IFTTT is free to use and integrates up to 80 apps.
A similar service, Zapier, lets you do the same thing, but on a larger scale. It supports more than 250 applications, including Salesforce, Zoho CRM, Xero accounting, Campaign Monitor email, and more. Zapier is free for five integrations. It also offers Basic, Business, and Business Plus plans that cost $15, $49, and $99 per month, respectively.
IFTTT and Zapier work well to integrate two cloud applications. However, if you’re running a combination of cloud and on-premise applications, or if you have an ecosystem of apps and data sources that have to connect and exchange data, you need more sophisticated options.
That’s where services such as Dell Boomi and SnapLogic come in. Like IFTTT and Zapier, these solutions use a drag-and-drop interface, but at a larger scale. They connect multiple combinations of cloud and on-premise applications.
Use Free Trials
Always test-drive your apps or integration services. Most SaaS platforms offer free trials. Take note of user-friendliness, functionality, and observe how they function with programs you already have.
April 7th, 2014 by Elma Jane
Payment processors share an inherent responsibility to keep their systems secure. It requires a system of governance that includes a broad array of policies, procedures, planning activities, responsibilities, practices and resources for implementing and maintaining a secure system and network operating environment.
To help organizations identify the best payment processors, a recent white paper from i2c outlines the various governance and security best practices processors should use. And it all starts from the top.
Good governance calls for establishing internal audit, compliance, and information security groups within the organization that have separate reporting channels to upper management and/or a board-level audit committee, the report notes. This organizational structure ensures that all security and operational-related risks are appropriately addressed and that all internal processes and practices remain in compliance with the organization’s defined policies and procedures, which in turn should align with applicable external security standards, regulatory laws and payment systems operating rules.
Resource Dedication
Payment processors also need to dedicate proper resources to the task of understanding, and complying with all applicable government, industry, association, legal and regulatory requirements that are relevant to each of their operating regions, according to the paper. Such applicable requirements need to be carefully identified, documented, applied, and updated on a regular basis.
Payment processors’ compliance activities need to cover not only the applicable government, industry and association operating rules and legal/regulatory requirements pertaining to their own operations; they also need to understand and comply with the applicable rules and regulatory requirements pertaining to their client partners. Say you process customer data on behalf of a partner whose data is governed by a given regulatory rule; then you, as their third-party provider, must also apply that rule when handling their data.
Policies and procedures should be developed and put into practice that ensure the payment processor remains in compliance with these various requirements.
Risk Management
Risk management should be incorporated into every payment processor’s system of governance. It provides a framework for identifying and addressing risks within the organization and a process for regular operational review and improvement, according to the report. An effective risk management process should adopt an appropriate risk management methodology to identify, evaluate, mitigate and monitor risks pertaining to critical business assets and operations.
Security best practices also call for a defense-in-depth strategy to ensure the protection of information assets and overall risk reduction. A defense-in-depth approach ensures that the failure of any one control does not lead to successful penetration. By providing multiple layers of protection, the controls collectively ensure the confidentiality, integrity, and availability of critical system assets and data.
March 31st, 2014 by Elma Jane
A payment processor is a company, often a third party, appointed by a merchant to handle credit card transactions for merchant acquiring banks. Processors are usually broken down into two types: back-end and front-end.
Back-End Processors accept settlements from Front-End Processors and, via The Federal Reserve Bank, move the money from the issuing bank to the merchant bank.
Front-End Processors have connections to various card associations and supply authorization and settlement services to the merchant banks’ merchants. In an operation that will usually take a few seconds, the payment processor will both check the details received by forwarding them to the respective card’s issuing bank or card association for verification, and also carry out a series of anti-fraud measures against the transaction.
Additional parameters, including the card’s country of issue and its previous payment history, are also used to gauge the probability of the transaction being approved.
Once the payment processor has received confirmation that the credit card details have been verified, the information will be relayed back via the payment gateway to the merchant, who will then complete the payment transaction. If verification is denied by the card association, the payment processor will relay the information to the merchant, who will then decline the transaction.
Modern Payment Processing
Due to the many regulatory requirements levied on businesses, the modern payment processor is usually partnered with merchants through a model known as software-as-a-service (SaaS). SaaS payment processors offer a single, regulatory-compliant electronic portal that enables a merchant to scan checks (often called remote deposit capture, or RDC), process single and recurring credit card payments (without the merchant storing the card data at the merchant site), process single and recurring ACH and cash transactions, and process remittances and Web payments. These cloud-based features work regardless of where the payment originates, through the payment processor’s integrated receivables management platform. The result is cost reductions, accelerated time-to-market, and improved transaction processing quality.
Payment Processing Network Architecture
The typical network architecture for modern online payment systems is a chain of service providers, each providing unique value to the payment transaction, and each adding cost to the transaction: Merchant > Point-of-sale SaaS > Aggregator > Credit Card Network > Bank. The merchant can be a brick-and-mortar outlet or an online outlet. The point-of-sale (POS) SaaS provider is usually a smaller company that provides customer support to the merchant and is the receiver of the merchant’s transactions. The POS provider represents the Aggregator to merchants. The POS provider’s transaction volumes are small compared to the Aggregator’s transaction volumes, so the POS provider does not handle enough traffic to warrant a direct connection to the major credit card networks; likewise, the merchant does not handle enough traffic to warrant a direct connection to the Aggregator. In this way, scope and responsibilities are divided among the various business partners so that the technical issues that arise can be managed easily.
Transaction Processing Quality
Electronic payments are highly susceptible to fraud and abuse. Liability for misuse of credit card data creates a huge expense for merchants if they attempt mitigation on their own. One way to lower this cost and liability exposure is to separate the transaction of the sale from the payment of the amount due. Some merchants have a requirement to collect money from a customer every month. SaaS payment processors relieve the merchant of managing recurring payments and keep the payment information safe and secure, passing back to the merchant a payment token. Merchants use this token to process the actual charge, which makes the merchant system fully PCI-compliant. Some payment processors also specialize in high-risk processing for industries that are subject to frequent chargebacks, such as adult video distribution.
March 17th, 2014 by Elma Jane
Since the recent spate of merchant data breaches there has been much talk about ways to prevent hackers from gaining access to stored payment card data. Use of biometric information, such as a fingerprint, to access stored credentials is among the solutions often bandied about.
The prospect of using individuals’ biometric information for credentialing is fairly scary. Security may be what biometrics is trying to achieve, but it is also its biggest flaw. Imagine having had your fingerprint information stored at Target this holiday season; that information would now be in the hands of lots of people not intended to have access to it. Unlike a password, someone can’t change his or her fingerprint. So once someone has the print, they have it forever. Even if something is biometric-based, it also has to have a lot of other security measures, and that could include GPS-based location services tied to an individual’s smartphone.
Biometrics alone won’t work. It’s very scary that that information could be stored in a way that someone could figure out how to get it. Even if encrypted, that’s a huge security concern. You can’t change your fingerprint.
March 14th, 2014 by Elma Jane
Merchant and Consumer Groups Seek Senate Support To Forego EMV Chip and Signature As Breach Concerns Rise
There’s no shortage of answers in trying to put a stop to hackers set on throwing chaos into the way consumers transact at the point of sale, or online for that matter. Yesterday, the Banking, Housing and Urban Affairs subcommittee on national security and international trade and finance got its chance to hear some of them.
During the hearing, William Noonan, deputy special agent in charge, U.S. Secret Service, noted the advances in computer technology and greater access to personally identifiable information online, which have created a virtual marketplace for transnational cyber criminals to share stolen information and criminal methodologies. As a result, the Secret Service has observed a marked increase in the quality, quantity, and complexity of cyber crimes targeting private industry and critical infrastructure. These crimes include network intrusions, hacking attacks, malicious software, and account takeovers leading to significant data breaches affecting every sector of the world economy.
The recently reported data breaches of Target and Neiman Marcus represent only the most recent, well-publicized examples of this decade-long trend of major data breaches perpetrated by cyber criminals intent on targeting the nation’s retailers and financial payment systems. The increasing level of collaboration among cyber-criminals allows them to compartmentalize their operations, greatly increasing the sophistication of their criminal endeavors and allowing for development of expert specialization. These specialties raise both the complexity of investigating these cases, as well as the level of potential harm to companies and individuals.
So how should the industry react to prevent further breaches? Those opinions provided during testimony at the hearing varied widely, though both consumer and merchant groups would like the card networks to give up requiring only signatures for smart card purchases at the point of sale.
The consumer program director at the U.S. Public Interest Research Group called for a myriad of changes, citing that the greater risk from the recent breaches is less related to identity theft than it is to fraud on existing accounts, and he said it’s time for players on both sides of the transaction to focus more on protecting consumers than on managing their own risk.
Until now, both banks and merchants have looked at fraud and identity theft as a modest cost of doing business and have not protected the payment system well enough. They have failed to look seriously at harms to their customers from fraud and identity theft -including not just monetary losses and the hassles of restoring their good names, but also the emotional harm that they must face as they wonder whether future credit applications will be rejected due to the fraudulent accounts.
As a first step, Congress should institute the same fraud cap, $50, on debit/ATM cards that exists on credit cards, or eliminate the $50 cap entirely, since it is never imposed because of the zero-liability policies issuers have voluntarily imposed. Congress also should provide debit and prepaid card customers with the stronger billing-dispute rights and rights to dispute payment for products that do not arrive or do not work as promised, just as many credit card users enjoy.
Congress should endorse a specific technology, such as EMV smart cards, and if it does, require the use of PINs when initiating smart card transactions. The current pending U.S. rollout of chip cards will allow use of the less-secure chip-and-signature cards rather than the more-secure chip-and-PIN cards. Why not go to the higher chip-and-PIN authentication standard immediately and skip past chip and signature? There is still time to make this improvement.
Retailers have spent billions of dollars on card-security measures and upgrades to comply with PCI card security requirements, but it hasn’t made them immune to data breaches and fraud. The card networks have made those decisions for merchants, and the increases in fraud demonstrate that their decisions have not been as effective as they should have been.
The card networks should forego chip and signature and go straight to chip and PIN. To do otherwise would mean that merchants would spend billions to install new card readers without them or their customers obtaining the fraud-reducing benefits of PINs. We would essentially be spending billions to combine a 1990s technology (chips) with a 1960s relic (signatures) in the face of 21st century threats.
February 20th, 2014 by Elma Jane
Several options exist for mobile credit card processing.
Credit card processing on iPhone, iPad, Android, BlackBerry or tablets – Using NTC’s portable credit card readers, merchants can now swipe credit cards on iPad or Android tablet devices. NTC’s Virtual Merchant solution lets users download a secure application that interfaces your smartphone with our merchant account services seamlessly. The application sends credit card processing data over the carrier’s network or a WiFi connection to the Internet.
NTC’s MagTek Bullet Swipe Credit Card Reader for Android Phones and Tablets.
Using any Android 2.2 or higher device, you can connect the reader to the smartphone via Bluetooth and use the device’s Internet connection (WiFi or carrier) to send the credit card processing data, encrypted, for processing approval.
Security anywhere. With the BulleT Secure Credit Card Reader Authenticator (SCRA), security comes with the flexibility and portability of a Bluetooth wireless interface. Small enough to fit into the palm of your hand, the BulleT enables secure wireless communications with a PC or mobile phone using the popular Bluetooth interface. Not only does the BulleT encrypt card data from the moment the card is swiped, but it also enables card authentication to immediately detect counterfeit or altered cards.
Ideal for merchant services accounts and financial institutions’ mobile credit card processing, NTC’s BulleT offers MagneSafe credit card processing security features with the convenience of a Bluetooth interface. This powerful combination assures the credit card data protection, transaction security and convenience needed to secure mobile credit card processing with strong encryption and 2-factor authentication. The BulleT is specifically designed to leverage the existing magnetic stripe credit card reader as a secure token, empowering cardholders with the freedom and confidence of knowing that their credit card transactions are secure and protected anytime, anywhere. It is an Android credit card swipe reader for Android phones and tablets on your wireless mobile merchant account.
NTC’s MagTek iDynamo credit card processing swipe reader for iPhone and iPad.
Credit card processing on an iPhone has never been easier. Simply attach NTC’s iDynamo card reader to your iPhone or iPad, install our Virtual Merchant software from the App Store and you’re ready to go. Take advantage of lower credit card processing rates by processing swiped transactions instead of keying the card in later, and get paid faster. From the company that leads with Security from the Inside, MagTek has done it again with the iDynamo, a secure card reader authenticator (SCRA) designed to work with the iPhone and iPad. The iDynamo offers MagneSafe™ security and delivers open-standards encryption with simple yet proven DUKPT key management, immediate tokenization of card data and MagnePrint card authentication to maximize data protection and prevent the use of counterfeit cards. Mobile merchants can now leverage the power of their iPhone/iPod Touch products without the worries of handling or storing sensitive card data at any time. Ideal for wireless mobile merchant accounts and mobile credit card processing, the iDynamo offers MagneSafe security features combined with the power of iPhone and iPod Touch products. This powerful combination assures convenience and cost savings while maximizing credit card data protection and transaction security from the moment the card is swiped all the way to authorization. No other credit card reader beats the protection offered by a MagneSafe product.
Other credit card devices claim to encrypt data in the reader. NTC’s iDynamo encrypts the data inside the read head, closest to the magnetic stripe and offers additional credit card security layers with immediate tokenization of card data and MagnePrint card authentication. This layered approach to security far exceeds the protection of encryption by itself, decreases the scope of PCI compliance, and reduces fraud.
NTC’s iDynamo is rugged and affordable, so it not only withstands real world use, it performs to the high standards set by MagTek as the leader in magnetic credit card swipe reading products for nearly 40 years.
February 18th, 2014 by Elma Jane
Payment Tokenization Standards
Tokenization is the process of replacing a traditional card account number with a unique payment token that is restricted in how it can be used with a specific device, merchant, transaction type or channel. When using tokenization, merchants and digital wallet operators do not need to store card account numbers; instead they are able to store payment tokens that can only be used for their designated purpose. The tokenization process happens in the background in a manner that is expected to be invisible to the consumer.
EMVCo – which is collectively owned by American Express, Discover, JCB, MasterCard, UnionPay and Visa – has announced that it is expanding its scope to lead the payments industry’s work to standardize payment tokenization. EMVCo says that the new specification will help provide the payments community with a consistent, secure and interoperable environment to make digital payments when using a mobile handset, tablet, personal computer or other smart device.
Key elements of EMVCo’s work include adding new data fields to provide richer industry information about the transaction, which will improve transaction efficiency and enhance the consumer and merchant payment experience by helping to prevent fraudulent card account use. EMVCo will also create a consistent approach to identify and verify the valid use of a token during payment processing including authorization, capture, clearing and settlement.
EMVCo’s announcement follows an earlier joint announcement from MasterCard, Visa and American Express that proposed an initial framework for industry collaboration to standardize payment tokenization. EMVCo says it will now build on this framework with collective input from all of its members and the industry as a whole.
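The token restrictions described above (and the payment token the SaaS processor hands back to the merchant in the earlier post) can be made concrete with a small Python vault. This is an added illustration, not EMVCo's specification or any processor's code; the `TokenVault`, `charge` and `demo` names, the merchant and device identifiers, the point at which bindings are checked and the well-known test card number 4111111111111111 are all assumed here.

```python
"""Toy token vault showing domain-restricted payment tokens (constructed example)."""
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class TokenRecord:
    pan: str                  # real card number; held only inside the vault
    merchant_id: str          # token is usable only by this merchant
    channel: str              # token is usable only on this channel, e.g. "ecommerce"
    device_id: Optional[str]  # optional binding to one device or wallet


def luhn_valid(pan: str) -> bool:
    """Standard Luhn check, used to reject malformed card numbers at tokenization."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Stands in for the token service provider; the merchant never sees _records."""

    def __init__(self) -> None:
        self._records: dict[str, TokenRecord] = {}

    def tokenize(self, pan: str, merchant_id: str, channel: str,
                 device_id: Optional[str] = None) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("invalid card number")
        # The token is random, so nothing about the PAN can be recovered from it.
        token = "tok_" + secrets.token_hex(12)
        self._records[token] = TokenRecord(pan, merchant_id, channel, device_id)
        return token

    def detokenize(self, token: str, merchant_id: str, channel: str,
                   device_id: Optional[str] = None) -> tuple[Optional[str], str]:
        """Map a token back to its PAN only when every binding matches."""
        rec = self._records.get(token)
        if rec is None:
            return None, "unknown token"
        if rec.merchant_id != merchant_id:
            return None, "token not issued to this merchant"
        if rec.channel != channel:
            return None, "token not valid for this channel"
        if rec.device_id is not None and rec.device_id != device_id:
            return None, "token bound to a different device"
        return rec.pan, "ok"


def charge(vault: TokenVault, token: str, merchant_id: str, channel: str,
           amount_cents: int, device_id: Optional[str] = None) -> dict:
    """Processor-side authorization: detokenize, then (here) approve any positive amount."""
    pan, reason = vault.detokenize(token, merchant_id, channel, device_id)
    if pan is None:
        return {"approved": False, "reason": reason}
    if amount_cents <= 0:
        return {"approved": False, "reason": "invalid amount"}
    # Only the last four digits ever leave the vault, for receipts and statements.
    return {"approved": True, "reason": "ok", "last4": pan[-4:], "amount_cents": amount_cents}


def demo() -> dict:
    """Constructed scenario: a legitimate recurring charge, then two misuses of the same token."""
    vault = TokenVault()
    test_pan = "4111111111111111"  # well-known test card number, not a real account
    token = vault.tokenize(test_pan, merchant_id="merchant_A", channel="ecommerce")
    # The merchant's own database stores only the token, never the PAN.
    merchant_store = {"customer_42": {"card": token, "plan_cents": 1999}}
    sub = merchant_store["customer_42"]
    return {
        "merchant_store": merchant_store,
        "legit": charge(vault, sub["card"], "merchant_A", "ecommerce", sub["plan_cents"]),
        # A token leaked from merchant_A's database is worthless to another merchant.
        "stolen": charge(vault, sub["card"], "merchant_B", "ecommerce", 50000),
        # Same merchant, but the ecommerce token is presented at a POS terminal.
        "wrong_channel": charge(vault, sub["card"], "merchant_A", "pos", 1999),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```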
February 17th, 2014 by Elma Jane
Facts about Chargeback
Merchants know chargebacks are bad, but many aren’t aware of simple facts that can help them better understand and guard against fraud accordingly.
Do you know which month is the worst for fraud charge backs?
which transaction amounts are the most likely to be disputed?
or which U.S. states are the biggest offenders?
If not, a Big Data fraud science firm will help you prepare for a smoother 2014.
Facts you’ll learn:
The most common fraudulent chargeback amount.
The day of the week when chargebacks are most likely to occur.
The time of year charge backs are most likely to occur.
49% of all fraudulent chargebacks happen after 60 days or more from date of purchase.
$1,000 is the most common attempted unauthorized sales amount (followed by $2,500, $2,000, $1,500 and $5,000).
11% of all fraudulent transactions fall under Merchant Category Code 7299.
“Services” is the word most often found in registered fictitious names for fraudulent merchant accounts.
Wednesday is the day of the week when the most chargebacks (19%) occur.
One-Third of all fraud chargebacks happen in the fall (September to November).
California is the top state registered by fraudulent businesses, accounting for 14% of the U.S. chargeback total.
Florida, Texas and New York round out the top four states with 12%, 9% and 7% respectively.
February 14th, 2014 by Elma Jane
News from Target, which increased the number of cards compromised to 70 million and expanded the data loss to mailing and email addresses, phone numbers and names, affirms that we are in a security crisis.
Card data is, from a brand and business perspective, the new radioactive material. Add personally identifiable information (PII) to the list of toxic isotopes.
The depressing vulnerabilities these breaches reveal are a result of skilled hackers, the Internet’s lack of inherent security, and inadequate protections, whether through misapplied tools or their outright absence. Security is very, very hard when it comes to playing defense.
There is a set of new technologies that could, in combination, produce a defense in depth that we have not enjoyed for some time.
Looking at the Age of Context (ACTs)
Age of Context is a recently released book based on hundreds of interviews with leaders of tech start-ups and established companies. It is a wide-ranging survey. The authors examine what happens when our location and to whom we are connected are combined with the histories of where and when we shop. The result is a very clear picture of our needs, wants and even what we may do next.
Combining the smartphone and the cloud, five Age of Context technologies (ACTs) will change how we live, interact, market, sell and navigate through our daily and transactional lives. The five technologies are:
1. Big Data. The ocean of data generated from mobile streams and our online activity can be examined to develop rich behavioral data sets. This data enables merchants to mold individually targeted marketing messages, or lets financial institutions improve risk management at an individual level.
2. Geolocation. Nearly every cell phone is equipped with GPS. Mobile network operators and an array of service providers can now take that data to predict travel patterns, improve advertising efficiency and more.
3. Mobile Devices and Communications. These are aggregation points for cloud-based services, sending to the cloud torrents of very specific data.
4. Sensors. Smartphones, wearables (think Fitbits, smart watches and Google Glass) and other devices are armed with accelerometers, cameras, fingerprint readers and other sensors. Sensors enable highly granular contextual placement. A merchant could know not only which building we are at and the checkout line we are standing in but even which stack of jeans we are perusing.
5. Social. Social networks map the relationships between people and the groups they belong to, becoming powerful predictors of behavior, affiliations, likes, dislikes and even health. Their role in risk assessment is already growing.
The many combinations and intersections of these technologies are raising expectations and concerns over what is to come. Everyone has a stake in the outcome: consumers, retailers, major CPG brands, watchdog organizations, regulators, politicians and the likes of Google, Apple, Microsoft, Amazon, eBay / PayPal and the entire payments industry.
We are at the beginning of the process. We should have misgivings about this, and as an industry, as individuals and as a society we need to do better with respect to privacy and certainly with respect to relevance.
Provided we can manage the privacy permissions we grant and the occasionally creepy sense that someone knows way too much about us, the intersections of these tools should provide more relevant information and services to us than what we have today. Anyone who has sighed at the sight of yet another web ad for a product long since purchased or completely inappropriate for you understands that personalized commerce has a long way to go. That’s part of what the Age of Context technologies promise to provide.
ACTs in Security
The ACTs’ role in commerce is one application, albeit an essential one. They have the potential to power security services as well, especially authentication and identity-based approaches. We can combine data from two or more of these technologies to generate more accurate and timely risk assessments.
It doesn’t take the use of all five to make improvements. One firm has demonstrated that correlating just two data points is useful: if you can show that a POS transaction took place in the same state as the cardholder’s location (based on triangulated cell phone tower data), you can improve risk assessment substantially.
The ACTs let us ask powerful questions of each technology:
Data – What have I done in the past? Is there a pattern? How does that fit with what I’m doing now?
Geolocation – What building am I in? Is it where the transaction should be? Which direction am I going in or am I running away?
Mobile – Where does the device typically operate? How is the device configured? Is the current profile consistent with the past?
Sensors – Where am I standing? What am I looking at? Is this my typical walking gait? What is my heart rate and temperature?
Social – Am I a real person? Who am I connected to? What is their reputation?
Knowing just a fraction of the answers to these questions places the customer’s transaction origination, the profiles of the devices used to initiate that transaction and the merchant location into a precise context. The result should improve payment security.
More payment security firms are making use of data signals from non-payment sources, going beyond the traditional approach of assessing risk based primarily on payment data. One firm has added social data to improve fraud detection for ecommerce payment risk scoring. Another firm, calling its approach Social Biometrics, evaluates the authenticity of social profiles across multiple social networks including Facebook, Google+, LinkedIn, Twitter and email with the goal of identifying bogus profiles. These tools are of course attractive to ecommerce merchants and others employing social sign-on to simplify site registration. That ability to ferret out bogus accounts supports payment fraud detection as well.
This triangulation of information is what creates the notion of context. Apply it to security. If you can add the cardholder’s current location (based on mobile GPS), the access device’s digital fingerprint and the time of day when she typically shops to the payment card itself, then the risk becomes negligible. Such precise contextual information could pave the way for retiring the distinction between card-present and card-not-present transactions in favor of a cardholder-present status that guides risk decision-making.
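As an added example (not code from the post or from any of the firms it mentions), here is a small contextual risk score that combines the signals described above: the cardholder’s phone location versus the merchant’s state, the access device fingerprint versus devices seen before on the account, and the hour of the transaction versus the cardholder’s usual shopping hours. The weights, thresholds, field names and sample records are all assumptions constructed for illustration; a missing phone location is treated as an unknown rather than a mismatch.

```python
from dataclasses import dataclass

@dataclass
class CardholderProfile:
    """History the issuer already holds for one card (constructed sample data)."""
    known_devices: frozenset      # digital fingerprints of access devices seen before
    usual_hours: frozenset        # local hours (0-23) when this cardholder typically shops
    phone_state: "str | None"     # state reported by the cardholder's phone GPS, None if unknown

@dataclass
class Transaction:
    merchant_state: str
    device_fingerprint: str
    hour: int

# Weights and thresholds are illustrative assumptions, not values from any real product.
W_LOCATION_MISMATCH, W_LOCATION_UNKNOWN, W_UNKNOWN_DEVICE, W_UNUSUAL_HOUR = 40, 20, 30, 15

def risk_score(profile, txn):
    """Combine geolocation, device and time-of-day context into one score.
    0 means every signal agrees with the cardholder's history; higher is riskier."""
    score, reasons = 0, []
    if profile.phone_state is None:             # no GPS fix: cannot confirm, cannot refute
        score += W_LOCATION_UNKNOWN
        reasons.append("cardholder location unavailable")
    elif txn.merchant_state != profile.phone_state:
        score += W_LOCATION_MISMATCH
        reasons.append("merchant state differs from cardholder phone location")
    if txn.device_fingerprint not in profile.known_devices:
        score += W_UNKNOWN_DEVICE
        reasons.append("unrecognised access device")
    if txn.hour not in profile.usual_hours:
        score += W_UNUSUAL_HOUR
        reasons.append("outside cardholder's usual shopping hours")
    return score, reasons

def decision(score):
    """Map a score to an action; a full context match is treated as cardholder-present."""
    if score == 0:
        return "approve:cardholder-present"
    if score < 50:
        return "step-up"                        # e.g. confirm in the issuer's mobile app
    return "decline"

# Constructed sample: one cardholder, one in-context and one out-of-context transaction.
PROFILE = CardholderProfile(frozenset({"fp-laptop", "fp-phone"}),
                            frozenset(range(8, 21)), "CA")
GOOD = Transaction("CA", "fp-phone", 12)
BAD = Transaction("NY", "fp-unknown", 3)
```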
Sales First, Then Security
The use of ACT-generated and derived signals will be based on the anticipated return on the investment. Merchants and financial institutions are more willing to pay to increase sales than to pay for potential cost savings from security services. As a result, the ACTs will impact commerce decision-making first: who to display an ad to, who to provide an incentive to.
New Combinations
Behind the scenes, the impact of the ACTs on security will be fascinating and important to watch. From a privacy perspective, the use of the ACTs in security should prove less controversial because their application in security serves the individual, the merchant and the community.
Determining the optimal mix of these tools will take time. How different are the risks for QR-code-initiated transactions vs. a contactless NFC transaction? What’s the right set of tools to apply in that case? What sensor-generated data will prove useful? Is geolocation sufficient? Will we find social relationships to be a strong predictor of payment risk, or are these more relevant for lending? And what level of data sharing will the user allow, a question that grows in importance as data generation and consumption is shared more broadly and across organizational boundaries. It will be important for providers of security tools to identify the minimum data for the maximum result.
I expect the ACTs to generate both a proliferation of tools to choose from and a period of intense competition. The ability to smoothly integrate these disparate tool sets will be a competitive differentiator because the difficulty of deployment for many merchants is as important as cost. Similar APIs would be a start.
Getting More from What We Already Have
The relying parties in a transaction – consumers, merchants, banks, suppliers – have acquired their own tools to manage those relationships. Multi-factor authentication is one tool kit. Banks, of course, issue payment credentials that represent an account and act as a proxy for the cardholder herself at the point of sale or online. Financial institutions perform know-your-customer work at account opening to assure identity and lower risk.
Those siloed efforts are now entering an era where the federated exchange of this user and transactional data is becoming practical. Firms are building tools and the economic models to leverage these novel combinations of established attributes and ACT generated data.
The ACTs are already impacting the evolution of the payments security market. Payment security incumbents, choose just two from the social side, find themselves in an innovation rich period. Done well, society’s security posture could strengthen.
February 13th, 2014 by Elma Jane
Core Elements of PCI’s Data Security Standard
It is impossible to be involved in the credit card processing industry and not be aware of the PCI Security Standards Council. The Council provides an international platform for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection.
As such it is important to be aware of the core elements of the PCI’s Data Security Standard (DSS).
The following are the current fundamental principles and requirements:
Build and Maintain a Secure Network
Requirement a. Install and maintain a firewall configuration to protect cardholder data
Requirement b. Do not use vendor-supplied defaults for system passwords and other security parameters
Implement Strong Access Control Measures
Requirement c. Restrict access to cardholder data by business need-to-know
Requirement d. Assign a unique ID to each person with computer access
Requirement e. Restrict physical access to cardholder data
Maintain a Vulnerability Management Program
Requirement f. Use and regularly update anti-virus software
Requirement g. Develop and maintain secure systems and applications
Maintain an Information Security Policy
Requirement h. Maintain a policy that addresses information security
Protect Cardholder Data
Requirement i. Protect stored cardholder data
Requirement j. Encrypt transmission of cardholder data across open, public networks
Regularly Monitor and Test Networks
Requirement k. Track and monitor all access to network resources and cardholder data
Requirement l. Regularly test security systems and processes