May 19th, 2015 by Elma Jane
We’re now nearly midway through 2015, and payment security still remains a topic that stirs up great concern and confusion. While there is seemingly unanimous agreement on the need for heightened security, there’s uncertainty about those who are tasked with actually implementing it. Let’s dig deeper into EMV, P2PE and tokenization. How each will play a part in the next generation of securing payments, and how without properly working together they might just fall short.
Europay, MasterCard, and Visa (EMV) – A powerful guard against credit card skimming. EMV also uses cryptography to create dynamic data for every transaction and relies on an integrated chip embedded into the card.
Downside: For Independent Software Vendor (ISVs), the biggest downside of EMV is the complexity of creating an EMV solution. ISVs interested in certifying PINpads with a few processors face up to 22 months of costly work, and because there are a large number of pending certifications, processors will be backed up over the next few years.
It’s not impossible for an ISV to build EMV solutions in-house, but it’s difficult and unnecessary when there are plug-and-play EMV solutions available. These solutions include pre-packaged and pre-certified APIs that remove most of the need for research, the complexity and the burden of time and cost.
Point to Point Encryption (P2PE) – Secures devices, apps and processes using encrypted data with cryptographic keys only known to the payment company or gateway from the earliest point of the transaction, from tech-savvy criminals, jumping at their chance to intercept POS systems and scrape the memory from Windows machines.
How does a key get into card reader? Through an algorithm called derived unique key per transaction (DUKPT), or “duck putt.” DUKPT generates a base key that’s shared with device manufacturers securely, where output cardholder data is rendered differently each time a card is swiped, making it impossible to reverse engineer the card data. P2PE not only benefits the cardholders, but also the ISVs and merchants. PA-DSS certification was designed to address the problems created with cardholder data which is not encrypted.
Downside: P2PE isn’t cheap if an organization wants to do it in-house. The secure cryptographic device needed to manage the keys, Hardware Security Module (HSM), can cost $30-40,000 but when it’s built out, that total cost can jump to $100,000.
TOKENIZATION – The best way to protect cardholder data when it’s stored is using tokenization, a process which the PCI Security Standards Council describes as one where the primary account number is replaced with a surrogate value a token. For merchants dealing with recurring billing, future payments, loyalty programs and more, tokenization is critical.
Downside: Tokenization doesn’t prevent malware that’s remotely installed on POS devices. It’s possible, as seen with recent retail card breaches, for data to be stolen before it is tokenized. That’s why it’s essential to group tokenization together with P2PE and EMV to offer optimal security.
Posted in Best Practices for Merchants, Credit Card Security, EMV EuroPay MasterCard Visa, Payment Card Industry PCI Security, Visa MasterCard American Express Tagged with: (POS) systems, account number, billing, card, card breaches, card reader, cardholder, cardholder data, chip, credit card, data, DSS, EMV, EuroPay, gateway, Independent Software Vendor, ISVs, MasterCard, merchants, p2pe, payment company, payment security, payments, PCI, PINpads, point-to-point encryption, POS devices, processors, Security, security standards council, token, tokenization, transaction, visa
May 8th, 2014 by Elma Jane
The complexity derives from PCI’s Data Security Standards (DSS), which include up to 13 requirements that specify the framework for a secure payment environment for companies that process, store or transmit credit card transactions.
Make PCI DSS Assessment Easier
Training and educating employees. Technical employees should obtain any certifications or training classes necessary so that they can operate and monitor the security control set in place. Non-technical employees must be trained on general security awareness practices such as password protection, spotting phishing attacks and recognizing social engineering. All the security controls and policies in the world will provide no protection if employees do not know how to operate the tools in a secure manner. Likewise, the strongest 42-character password with special characters, numbers, mixed case, etc. is utterly broken if an employee writes it on a sticky note attached to their monitor.
For an organization to effectively manage its own risk, it must complete a detailed risk analysis on its own environment. Risk analysis goal is to determine the threats and vulnerabilities to services performed and assets for the organization. As part of a risk assessment, organization should define critical assets including hardware, software, and sensitive information and then determine risk levels for those components. This in turn allows the organization to determine priorities for reducing risk. It is important to note that risks should be prioritized for systems that will be in-scope for PCI DSS and then other company systems and networks.
Once the risk assessment has been completed the organization should have a much clearer view of its security threats and risks and can begin determining the security posture of the organization. Policies and procedures form the foundation of any security program and comprise a large percentage of the PCI DSS requirements. Business leaders and department heads should be armed with the PCI DSS requirements and the results of the risk analysis to establish detailed security policies and procedures that address the requirements but are tailored to business processes and security controls within the organization.
Building upon the foundation of security policies, the committee of business leaders and department heads should now review the PCI DSS requirements in detail and discuss any potential compliance gaps and establish a remediation plan for closing those gaps. This is where it is important to have the full support of business leaders who can authorize necessary funds and manpower to implement any remediation activities.
This is also the time to schedule the required annual penetration testing. These are typically performed by third parties, but is not required to be performed by third parties, and can take some time to schedule, perform, and remediate (if necessary). The results of a PCI DSS assessment will be delayed until the penetration test is completed so now is the time to schedule the test.
At this point the organization is ready for a full-scale PCI DSS assessment and can now enter a maintenance mode where periodic internal audits occur and regular committee meetings are held to perform risk assessments and update policies, procedures, and security controls as necessary to respond to an ever changing threat landscape. PCI DSS must become integrated into the everyday operation of the organization so that the organization remains secure and to ease the burden of the annual assessments.
Payment Card Industry (PCI) compliance assessment is a major task for any size organization, but you can make it easier.
Posted in Best Practices for Merchants, Credit Card Security, Payment Card Industry PCI Security Tagged with: assets, card, card transactions, compliance, compliance assessment, credit card transactions, credit-card, data security standards, DSS, networks, password protection, payment, Payment Card Industry, PCI, Phishing, process, risk, risk analysis, risk assessment, secure payment, Security, security control, security policy, transactions, transmit
May 5th, 2014 by Elma Jane
The Payment Card Industry (PCI) Data Security Standard (DSS) has come under criticism as high profile data breaches continue to expose flaws in retailers’ data security systems. But telecommunications firm Verizon Wireless concluded that the PCI DSS is working.
Some Responses to Criticisms
Nilson Report research from August 2013 that said card fraud cost the global payments market over $11 billion in 2012. Verizon added that the frequency of fraud schemes that the PCI DSS was designed to avoid is in fact growing. And yet most businesses are not fully compliant at the time of assessment. Only 51.1 percent of the companies it had audited had passed seven of the 12 requirements of the PCI DSS and only 11.1 percent of said companies had passed all 12.
Verizon addressed some of the criticisms leveled at the PCI DSS. One concern is that the standard promotes compliance as a test to be passed and forgotten, which distracts companies from focusing on improving security. Verizon responded by stating that breached businesses were less likely to be PCI DSS compliant than unaffected companies. It also said businesses improve their chances of not being breached by having the standard in place, and of minimizing the damage of a breach should one occur.
Another common complaint leveled at the standard is that it is too cumbersome and slow moving in relation to the quickly evolving threat landscape and nimble fraudsters ready to try new tactics. Verizon countered that the PCI DSS is meant to be a set of baseline security protocols. Achieving compliance with any standard is simply not enough, organizations must take responsibility for protecting both their reputation and their customers. Most attacks on networks are of the simple variety, with 78 percent of hacking techniques considered low or very low in sophistication. Data Breach Investigations Report (DBIR) research shows that while perpetrators are upping the ante, trying new techniques and leveraging far greater resources, less than 1 percent of the breaches use tactics rated as high on the VERIS (Verizon’s Data breach Analysis Database) difficulty scale for initial compromise.
Recommendations
There’s an initial dip in compliance whenever a major update to the standard is released, so organizations will have to put in additional effort to prepare for achieving compliance with DSS 3.0.
The newest version of the standard, PCI DSS 3.0, went into effect Jan. 1, 2014. Businesses have until Jan. 1, 2015, to implement it. The updated standard has new requirements and clarifications to version 2.0 that will take time for businesses to understand and implement, and this will result in more organizations being out of compliance.
To help businesses deal with their PCI DSS compliance obligations the firm offered five approaches:
Don’t leave compliance to information technology security teams, but enlist application developers, system administrators, executives and other staff in helping further along the process.
Embed compliance in everyday business practices so that it is sustainable.
Integrate compliance programs into enterprise-wide governance, risk and compliance strategies.
Learn how to reduce the scope of organizations’ compliance responsibilities, chiefly by figuring out how to store less data on fewer systems.
Think of compliance as an opportunity to improve overall business processes, rather than as a burden.
Posted in Best Practices for Merchants, Credit card Processing, Credit Card Security, Electronic Payments, Payment Card Industry PCI Security, Visa MasterCard American Express Tagged with: attacks on networks, Breach, breached, business processes, compliance, compliant, data breach investigators, data breaches, data security systems, database, DSS, fraud schemes, global payments, hacking, information technology, Payment Card Industry, PCI, retailers, Security, security protocols, standard, system administrators, wireless
April 11th, 2014 by Elma Jane
PCI DSS 3.0 standard, which took effect January 1st, introduces changes that extend across all 12 requirements, aimed to improve security of payment card data and reducing fraud. There will be some shakeups for many organizations when it comes to their day-to-day culture and operations. Transitioning to meet the new requirements will help e-business build a stronger, safer, lower-risk environment for their customers.
While the growing number of digital payment avenues offers convenience to customers, it also offers a larger attack surface for criminals.
As cloud technologies and e-commerce environments continue to grow, creating multiple points of access to cardholder data and online retailers will only become more appealing targets for hackers. Cybercriminals are cunning and determined. They understand payment card infrastructures as well as the engineers who designed them.
A scary proposition and it’s exactly why the payment card industry is so determined to help keep e-commerce organizations protected. Meeting the new standard, businesses will be better armed to fight evolving threats. Changes will also drive more consistency among assessors, help business reduce risk of compromise and create more transparent provider-customer relationships.
Transitioning to PCI DSS 3.0 will involve some work, but doing that work on the front end is going to save much work down the line. Adopting the new standard ultimately will drive your e-commerce business into a secure and efficient era.
Cultural Changes – One of the main themes of 3.0 is shifting from an annual compliance approach to embedding security in daily processes. Threats don’t change just once a year. They’re constantly evolving and that means e-commerce organizations must adopt a culture of vigilance. Only through a proactive business-as-usual approach to security can you achieve true DSS compliance. Realistically, this could mean the need to provide more education and build awareness with staff, partners and providers, so that everyone understands why and how new processes are in place.
Operational Changes – The 3.0 standard addresses common vulnerabilities that probably will ring a bell with many of you. These include weak passwords and authentication procedures, as well as insufficient malware detection systems and vulnerability assessments, just to name a few. Depending on your current security controls program, this could mean you’ll need to step up in these areas by strengthening credential requirements, resolving self-detection challenges, testing and documenting your cardholder data environment and making other corrections.
Overview Changes – How much work lands on your plate will depend on your current security program. Examining your current security strategies and program is a good idea. Below are the areas requiring your attention, which this series will explore in more detail in future installments.
Service Provider Changes – Some organizations made unsafe assumptions in the past when it comes to third-party providers. Some have paid the price, from failed audits to breaches. One reason that the new standard is designed to eliminate any confusion over compliance responsibilities. Responsibilities, specifically for management, operations, security and reporting all will need to be spelled out in detailed contracts. In addition to improved communication, an intensified focus on transparency means that you should have a clear view of your provider’s infrastructure, data storage and security controls, along with subcontractors that can impact your environment. So if your organization isn’t exactly clear on which PCI DSS requirements you manage and which ones your providers handle, prepare to get all of that hammered out.
The Compliance Rewards – The path to preparing for the 3.0 deadline in January 2015 sounds like it’s a lot of work. So to get started request your QSA’s opinion on how the changes will impact your organization, by doing the gap assessment and you’ll be able to address any shortcomings.
Meeting the new 3.0 requirements isn’t just about passing audits. In fast paced payment IT landscape, staying smart and protected is part of our commitment to our customers. Beefing up security game not only reduce audit headaches, but also enjoy stronger brand reputation as a safe and reliable e-commerce business.
Posted in Best Practices for Merchants, Credit card Processing, Credit Card Security, e-commerce & m-commerce, Electronic Payments, Financial Services, Payment Card Industry PCI Security, Small Business Improvement, Visa MasterCard American Express Tagged with: 3.0, attack surface, authentication, breaches, businesses, cardholder data, complance, compliant, credential, cybercriminals, digital payment, DSS, e-business, e-commerce, embedding, hackers, lower-risk, online retailers, passing audits, payment card infrastructures, PCI, processes, reducing fraud, requirements, risk of compromise, security controls, security of payment card data, security program, standards
December 5th, 2013 by Elma Jane
Three key benefits mPOS can provide PSPs. mPOS:
1. Maintains A Continuity Of Operations
mPOS solutions also ease the process of accepting and approving payments, according to the white paper. By enabling face-to-face card present transactions, mPOS allows transactions to be conducted in a highly secure manner. Further, once the encrypted transaction data is decrypted securely by the PSP at the payment gateway (with no access granted to the merchant), the onward presentation of the data into the acquiring network is consistent with that used historically for traditional POS terminals.
2. Simplifies Merchant Support
Thales suggests the biggest benefit to PSPs is that mPOS reduces the variety of costs PSPs need to cover to support merchants, cutting expenses related to equipment, security and PCI DSS compliance. This, the white paper says, allows PSPs that utilize mPOS to better allocate resources toward handling higher transaction volumes and acquiring business.
3. Supports Both Magnetic Stripe and EMV Cards
Another benefit to PSPs is that mPOS, despite its recent entrance to the market, is already widely available. The white paper explains that since the mPOS revolution quickly migrated from the U.S. abroad, mPOS solutions now exist to serve the unique needs of both markets. While this means challenges for merchants operating globally, PSPs benefit from being able to address the needs of merchants who want to opt for any and all available market solutions.
Much has been said about the recent explosion of the mobile point-of-sale (mPOS) market and how micromerchants are driving this payments revolution. But, what this story doesn’t communicate effectively is that small merchants aren’t the only stakeholders benefiting from the ongoing mPOS migration.
Payment service providers (PSPs) are another member of the mPOS value chain that can gain flexibility and security through these solutions, new research from data protection solution provider Thales suggests.
“Both merchants and PSPs have operational and logistical issues with traditional POS terminals associated mainly with the highly controlled and certified environment in which they must be used,” Thales writes in its latest white paper on the topic, “mPOS: Secure Mobile Card Acceptance.”
The 27-page white paper provides an extensive overview of the ongoing POS revolution, explaining how mPOS can reduce friction and costs for merchants, illustrating how the technology works step-by-step and highlighting the roles that each stakeholder plays along the value chain.
Posted in Electronic Payments, Mobile Payments, Mobile Point of Sale, Payment Card Industry PCI Security, Point of Sale, Smartphone Tagged with: acceptance, acquiring network, card present, compliance, decrypted, DSS, emv cards, encrypted, face-to-face, magnetic stripe, merchant, micromerchants, migration, mobile card, mobile point of sale, MPOS, payment gateway, payment service providers, payments, PCI, POS, psps, secure, securely, Security, terminals, transactions
November 15th, 2013 by Elma Jane
November 7, 2013 – Payment Card Industry (PCI) Council’s recent acceptance of the world’s first Point-To-Point Encryption-validated solution is great news for both acquirers and merchants, and will aid in reducing merchant scope and increasing business security worldwide. If your P2PE know-how is a little spotty, here are the basics.
What is P2PE?
Point-To-Point Encryption (P2PE) is the combination of hardware and processes that encrypts customer credit/debit card data from the point of interaction until it reaches a merchant solution provider’s environment for processing. Because card data is immediately encrypted as the card is swiped (or dipped), it prevents clear-text information from residing on the payment environment. Encrypted card data is then transferred to, decrypted by, and processed through the solution provider processor who is the sole holder of the decryption key.
In a POS environment, merchants often store decryption keys on their backend servers. Bad idea. If a cybercriminal hacks into that environment, they not only have access to the encrypted card numbers, but the decryption key as well. Hacker jackpot. Many question the difference between P2PE and typical point of sale (POS) encryption.
The reason P2PE is arguably the most secure way to process is because merchants don’t have access to decryption keys. If a hacker breaches a merchant using a validated P2PE solution, he/she will only recover a long string of useless encrypted card numbers with no way to decode them.
Why use P2PE?
Basically, P2PE increases data security and has the ability to make a merchant’s job of reaching PCI compliance easier. The main point of using a P2PE-valiated solution is to significantly lessen the scope of security efforts through PCI Data Security Standard (DSS) requirement and P2PE Self-Assessment Questionnaire (SAQ) reduction. Compared to the 80+ questions required of mainstream merchant SAQs, the P2PE-HW SAQ only requires merchants to answer 18 questions.
Are all P2PE solutions created equal?
Answer is no. Many P2PE solution vendors claim their solution reduces scope, but in order for a merchant to qualify, they must select only P2PE-validated solutions listed on the PCI Council’s website.
To get P2PE solutions and applications listed on the approved website, solution provider processors must go through a rigorous testing process performed by a qualified P2PE Qualified Security Assessor (QSA). P2PE QSAs help entities thorough the 210-page document of P2PE requirements, testing procedures, and controls required to keep cardholder data secure – a task which only a few companies in the world can do.
As of this post, the only P2PE hardware solution approved by the PCI Council is European Payment Services’ (EPS) Total Care P2PE solution, validated by P2PE QSA SecurityMetrics. A number of other P2PE solutions are currently undergoing the review process and will be added to the list once approved.
Posted in Best Practices for Merchants, Credit card Processing, Credit Card Security, Electronic Payments, Merchant Services Account, Payment Card Industry PCI Security, Point of Sale, Visa MasterCard American Express Tagged with: acceptance, acquirers, backend, cardholder, credit/debit, cybercriminal, data, decode, decrypted, decryption, DSS, encrypted, encryption, encrypts, hacker, hardware, key, Merchant's, p2pe, p2pe-hw, Payment Card Industry, PCI Council, point of sale, point-to-point, POS, process, processed, processes, Processing, processor, provider's, saqs, secure, solution, transferred, validated
August 16th, 2013 by Admin
Today the PCI Security Standards Council (PCI SSC), an open, global forum for the development of electronic transaction security standards published PCI Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) 3.0 Change Highlights as a preview of the new version of the standards coming in November 2013. The changes will help companies make PCI DSS part of their business-as-usual activities by introducing more flexibility, and an increased focus on education, awareness and transaction security as a shared responsibility with merchant account holders.
The seven-page document is part of the Council’s commitment to provide as much information as possible during the development process and eliminate any perceived surprises for organizations in their PCI credit card security planning. Specifically, the summary will help PCI Participating Organizations and the assessment community as they prepare to review and discuss draft versions of the standards at the 2013 Community Meetings in September and October.
Changes to the standards are made based on feedback from the Council’s global constituents per the PCI DSS and PA-DSS development lifecycle and in response to market needs. Key drivers for version 3.0 updates include: lack of education and awareness; weak passwords, authorization, verification and authentication challenges; third party payment security challenges; slow self-detection in response to malware and other threats; inconsistency in assessments.
“Today, most organizations have a good understanding of PCI DSS and its importance in securing credit card data during transactions, but implementation and maintenance remains a struggle – especially in light of increasingly complex business and payment technology environments,” said Bob Russo, PCI SSC general manager. “The challenge for us now is providing the right balance of flexibility, rigor and consistency within the standards to help organizations make payment security business-as-usual. And that’s the focus of the changes we’re making with version 3.0.”
Based on feedback from the industry, in 2010 the Council moved from a two-year to a three-year standards development lifecycle. The additional year provides a longer period to gather feedback and more time for organizations to implement changes before a new version is released. Version 3.0 will introduce more changes than version 2.0, with several new sub-requirements. Proposed updates include:
- Recommendations on making PCI DSS business-as-usual and best practices for maintaining ongoing PCI DSS credit card compliance
- Security policy and operational procedures built into each requirement
- Guidance for all requirements with content from Navigating PCI DSS Guide
- Increased flexibility and education around password strength and complexity
- New requirements for point-of-sale terminal security
- More robust requirements for penetration testing and validating segmentation
- Considerations for credit card data in memory
- Enhanced testing procedures to clarify the level of validation expected for each requirement
- Expanded software development lifecycle security requirements for PA-DSS application vendors, including threat modeling
Note that these updates are still under review by the PCI community. Final changes will be determined after the PCI Community Meetings and incorporated into the final versions of the PCI DSS and PA-DSS published in November.
The change highlights document with tables outlining anticipated updates is available on the PCI SSC website:https://www.pcisecuritystandards.org/security_standards/documents.php
The Council will host a webinar series for the PCI community and the general public to outline the proposed changes. To register, visit: https://www.pcisecuritystandards.org/training/webinars.php
“PCI DSS and PA-DSS 3.0 will provide organizations the framework for assessing the risk involved with technologies and platforms and the flexibility to apply these principles to their unique payment and business environments, such as e-commerce, m-commerce, mobile acceptance or cloud computing,” added Troy Leach, PCI SSC chief technology officer.
PCI DSS and PA-DSS 3.0 will be published on 7 November 2013. The standards become effective 1 January 2014, but to ensure adequate time for the transition, version 2.0 will remain active until 31 December 2014.
For more information and to register for the 2013 Community Meetings, please visit:https://www.pcisecuritystandards.org/communitymeeting/2013/
About the PCI Security Standards Council
The PCI Security Standards Council is an open global forum that is responsible for the development, management, education, and awareness of the PCI Data Security Standard (PCI DSS) and other standards that increase payment data security. Founded in 2006 by the major payment card brands American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc., the Council has more than 650 Participating Organizations representing merchants, banks, processors and vendors worldwide. To learn more about playing a part in securing payment card data globally, please visit: pcisecuritystandards.org.
Connect with the PCI Council on LinkedIn: http://www.linkedin.com/company/pci-security-standards-council
Join the conversation on Twitter: http://twitter.com/#!/PCISSC
Posted in Credit Card Security, Digital Wallet Privacy, Mobile Payments, Mobile Point of Sale, Point of Sale Tagged with: credit card, DSS, e-commerce, m-commerce, mobile, PA-DSS, PCI Compliance, Security, transaction
New legislation is working its way through congress to require e-commerce retailers and mail order telephone order business to collect local sales taxes on transactions. e-commerce web sites and mail order telephone order businesses that conduct over $1 million gross sales and sell products and services in states where they don’t maintain brick and mortar presences would be required to collect and pay local and state taxes in those states. Targeting remote retailers that engage in interstate commerce the most obvious being mail order and telephone order as well as e-commerce shopping cart sites. Read more of this article »
Posted in Electronic Payments Tagged with: brick and mortar, DSS, e-commerce, electronic payment, mail order, merchant, merchant account, PCI, shopping cart, tax, taxes, telephone order
Any business that acknowledges Credit Card payments should be compliant with the directions and guidelines set out by the Payment Card Industry or be what is called ‘PCI compliant’. This is not commonly understood but any merchant, despite of the number of transactions, which acknowledges or conveys any cardholder information, either by phone or electronically must be PCI compliant. It’s all about holding customer’s facts and figures safe and not leaving your business revealed to hackers. And with an ever expanding use of cards, be they debit or Credit Cards, this is evolving a very important theme. Read more of this article »
Posted in Uncategorized Tagged with: American Express, credit card processing, Data Security Standard, DSS, MasterCard, Microsoft Windows Server, Payment Card Industry, PCI, Visa MasterCard American Express, Workstation 2000
Cyber Crime InfoGraphic by Vericode.
Today anyone can have an e-commerce web site set up in mere minutes. There are a lot of open source e-commerce solutions that allow a web site owner to establish a site very easily, some require just a few clicks to get going. Once you have your color scheme chosen and your navigation all set a decision on how to accept payments is inevitable. e-commerce payment gateways allow your site to connect securely to a payment processor to accept your electronic transactions. These digital transactions can be used by hackers to target your site and your customers credit card information and much more. Whether the data targeted is stored on the merchants network or on the customers mobile device, business need to implement a cyber security strategy. Read more of this article »
Posted in Credit Card Security Tagged with: credit card, DSS, e-commerce, electronic, fraud, gateway, Malware, payment, PCI, Phishing, Processing, Security, Skimming, smartphone, SMSishing, tablet