September 17th, 2013 by Admin
Payments
Geofencing is the use of the Global Positioning System (GPS) or radio frequency identification (RFID) to define a virtual geographic boundary around a real-world area. As a spokesperson from a mobile and wireless group put it, it creates opportunities for new business models, allowing mobile tools and services not only to interact with loyal customers but also to reach potentially new customers when they come into geographic proximity. So it does open the door to some interesting new applications.
To date, radio positioning signals have been supplied to consumers primarily by the U.S. military through the satellite constellation known as GPS, the Global Positioning System. Receivers on the ground, or in cars, interpret the signals and tell you roughly where you are.
Europe’s Galileo global satellite navigation system is expected to open up a variety of business opportunities. Big changes are in the air as a result of new, more accurate systems on the way. One example is geofencing, a highly targeted form of tight, perimeter-based locating.
Galileo
A form of geofencing using the U.S. GPS is already used to monitor stolen vehicles, trucks and delivery drivers, among other things. Consumer GPS is accurate only to a few meters, though. With more accuracy, geofencing could be used to create a zone around a store or school, for example, or even around a particular vending machine in the world of commercial applications.
One of the new systems offering fresh potential in this area is Europe’s upcoming global navigation satellite system (GNSS), known as Galileo.
“Global Applications”
Where Galileo gets particularly interesting for us in the e-commerce world is that, buried deep in the European Space Agency’s promotional descriptions, are some telling statements. For example, Galileo will offer a commercial service that will “allow global high-end and innovative applications” with accuracy down to a few centimeters.
For comparison, GPS maker Garmin says its latest GPS receivers are accurate to within 3 to 5 meters. Second, despite being a government project, Galileo will be under civilian control, not military control the way GPS is, and it will be fully open to commercial applications. Then too, there is the authentication feature Galileo will include: an accurately timed, trusted location factor. The Galileo Commercial Service demonstrator will begin its proof of concept in 2014, with early service reckoned to start in 2016.
Possible Sensitive Transactions
Why do we care about all this? Simple: because of geofencing.
Geofencing is currently used in mobile e-commerce to deliver ads and promotions based on a geographical region of interest. GPS is used to define proximity so that an advertiser knows when you are in the area.
Now add Galileo’s authentication to this mix, plus the micro-locations obtainable with Galileo, and you are in a different ballpark, almost literally. Sensitive transactions become possible, along with tracking to the centimeter: when you enter a building, go to the zoo or choose a concert seat. Turnstiles and the cost involved become redundant, for example.
Current location-based access control and payment solutions that use a GPS signal are authenticated through proprietary algorithms layered on top of the signal. The civil GPS signal itself carries no authentication, so a receiver can be fed a counterfeit signal and report a false position; that is the gap a signal-level authentication service is meant to close.
Security Improved
By virtue of its ability to enable transaction security and access control improvements, Galileo’s authentication feature will ultimately be perceived by industries such as banking as a source of added value.
“For example, GNSS-based positioning and accurate timing could be integrated into the encryption algorithms to improve the security and payment process.”
Location-based billing using existing GPS is already in use in limited areas, including toll-road billing, and it is being considered for parking as well. However, one of the big problems has been the availability of equipment that is small enough and power-friendly enough to be practical.
The technology on the ground, the device in our pocket in other words, is a limiting factor. If you have ever tried to use your smartphone’s GPS chip for more than a few hours, you will know it kills the battery, even on the latest phones. Current vehicle geofencing trackers, meanwhile, are large, permanently mounted boxes. New chips will provide portability.
“This Previously Wasn’t Possible”
A mobile and wireless company recently introduced a battery-saving GNSS smartphone location chip with geofence capabilities. The company’s BCM47521 chip lets an application receive an alert when a user enters or exits a virtual perimeter, and it uses the current GPS, GLONASS, QZSS and SBAS constellations, all at the same time.
What is unique about this technology is that it monitors the user’s location as a low-power background task. “This previously wasn’t possible, as the process of continually monitoring for a geofence would rapidly drain a mobile device’s battery.”
Near Field Communication (NFC) radio standards can be used for the secure payment element, and the wider adoption of NFC for mobile payments will also generally help drive adoption of location-based payments.
“Geofencing creates the opportunities for new business models, allowing the use of mobile tools and services to not only interact with loyal customers but also reach potentially new customers when they come into a geographic proximity.” “So it does open the doors to some interesting new applications.”
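The two mechanisms described above, a geofence that raises enter/exit events and a transaction bound to an accurately timed location, can be sketched in a few dozen lines. The following is an added example written for this post, not code from the chip vendor, ESA or Galileo: the fence coordinates, the walking track, the key and the nonce are constructed for the demo, and the tag format (HMAC over position, time and nonce) is an assumption chosen to illustrate the idea, not Galileo’s actual authentication scheme. Two points it shows that the prose does not: the fence needs a hysteresis band wider than the receiver’s 3 to 5 meter jitter or it will flap at the boundary, and a location-bound message is only as trustworthy as the position fed into it, so the verifier still checks the MAC first, then freshness, then replay, and only then the fence.

```python
"""Geofence enter/exit detection with hysteresis, plus a location- and
time-bound authentication tag.  Added example; all data is constructed."""
import hashlib
import hmac
import math
import struct

EARTH_RADIUS_M = 6_371_000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS-84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


class Geofence:
    """Circular virtual perimeter that reports enter/exit transitions.

    The exit radius is a few metres wider than the entry radius (hysteresis)
    so a receiver jittering by the 3-5 m typical of consumer GPS does not
    flap between 'enter' and 'exit' when it sits near the boundary."""

    def __init__(self, lat, lon, radius_m, hysteresis_m=5.0):
        self.lat, self.lon = lat, lon
        self.enter_r = radius_m
        self.exit_r = radius_m + hysteresis_m
        self.inside = False

    def contains(self, lat, lon):
        return haversine_m(self.lat, self.lon, lat, lon) <= self.enter_r

    def update(self, lat, lon):
        """Feed one position fix; return 'enter', 'exit' or None."""
        d = haversine_m(self.lat, self.lon, lat, lon)
        if not self.inside and d <= self.enter_r:
            self.inside = True
            return "enter"
        if self.inside and d > self.exit_r:
            self.inside = False
            return "exit"
        return None


def run_fixes(fence, fixes):
    """Replay a track of (lat, lon) fixes and collect the events raised."""
    return [ev for ev in (fence.update(lat, lon) for lat, lon in fixes) if ev]


# --- binding position and time into an authenticated message (assumed format)

def location_tag(key, lat, lon, ts, nonce):
    """HMAC-SHA256 over a fixed-width encoding of (lat, lon, unix time, nonce).
    Fixed widths mean no field can be shifted into another by the sender."""
    msg = struct.pack("!ddQ16s", lat, lon, ts, nonce)
    return hmac.new(key, msg, hashlib.sha256).digest()


def verify_location_tag(key, fence, lat, lon, ts, nonce, tag, now,
                        max_age_s=30, seen_nonces=None):
    """Server-side check of a location-bound request.  The MAC is checked
    first (constant-time) so nothing else in the message is trusted before."""
    if not hmac.compare_digest(location_tag(key, lat, lon, ts, nonce), tag):
        return False, "bad tag"
    if not (now - max_age_s <= ts <= now + 5):   # small clock-skew allowance
        return False, "stale or future timestamp"
    if seen_nonces is not None:
        if nonce in seen_nonces:
            return False, "replayed nonce"
        seen_nonces.add(nonce)
    if not fence.contains(lat, lon):
        return False, "outside fence"
    return True, "ok"


if __name__ == "__main__":
    # Constructed data: a 20 m fence around a vending machine and a walk past it.
    fence = Geofence(48.85840, 2.29450, radius_m=20.0)
    track = [(48.86000, 2.29450),   # ~178 m away
             (48.85845, 2.29450),   # ~6 m: enter
             (48.85860, 2.29450),   # ~22 m: inside the hysteresis band, no event
             (48.85870, 2.29450),   # ~33 m: exit
             (48.85862, 2.29450)]   # ~24 m: still outside, no re-enter
    print(run_fixes(fence, track))  # ['enter', 'exit']

    key = bytes(32)                 # constructed demo key; use a real secret
    nonce = bytes.fromhex("00112233445566778899aabbccddeeff")
    ts = 1_700_000_000
    tag = location_tag(key, 48.85845, 2.29450, ts, nonce)
    seen = set()
    print(verify_location_tag(key, fence, 48.85845, 2.29450, ts, nonce, tag,
                              now=ts + 10, seen_nonces=seen))   # (True, 'ok')
    print(verify_location_tag(key, fence, 48.85845, 2.29450, ts, nonce, tag,
                              now=ts + 10, seen_nonces=seen))   # replayed
```

The device-side key in this sketch is the weak point: if it lives in ordinary app storage, a rooted phone can sign any position it likes, which is why the post’s later discussion of secure elements matters for payments. The other caveat is that a correct MAC proves the device vouched for the position, not that the position is true; that still depends on the receiver not being spoofed, which is exactly what a signal-level authentication service is for.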
“Security and Privacy Crucial”
A networking and connectivity subsidiary is also working on positioning. Its IZat location platform is geared towards precise indoor positioning for public places and provides 3- to 5-meter positioning inside.
GNSS will help enable location-based payments, but it is not everything. “There will certainly be other augmentation technologies that will help to increase the propagation of this in the market. Security and privacy will also be crucial to acceptance.”
Indeed, today the indoor services under test need to rely on antennas installed outside the target buildings to reproduce the GNSS signal. This requirement adds cost, challenging the economic viability of GNSS-based positioning as a means of reinforcing the security of access and transactions. Add in the vast amounts of data gained by tracking user movements down to the centimeter, and you have a whole other can of worms.
Posted in Credit Card Security, Electronic Payments, Mobile Payments Tagged with: Geofencing, GPS, payments, privacy, RFID, Satellite, Security, technology, transactions
September 10th, 2013 by Admin
Verizon annually releases its Data Breach Investigations Report, which probes data breaches in various industries and studies the nature of fraud reported by merchants and other agencies. In the past Verizon worked with the U.S. Secret Service; the information gathered on electronic payment breaches has now expanded to include the Police Central e-Crime Unit, the Australian Federal Police, the Dutch National High Tech Crime Unit and the Irish Reporting & Information Security Service, in addition to the United States Secret Service.
One area that Verizon broke out and studied independently was the healthcare industry. The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 included a provision requiring healthcare and medical data breaches to be reported to a variety of outlets, including the Secretary of Health and Human Services. Medical record protections keep the casual cybercriminal at bay, but most data breaches are targeted at information attackers can profit from. The data cybercriminals target most often includes health insurance data, personal data and electronic payment transaction data. Hardware is another asset that is targeted, both because of the data on it and because of the cost of the hardware itself.
Remote data breaches on healthcare providers were typically carried out through some form of hacking or malware. That is consistent with the other industries in the report, and those methods are the favorites of cybercriminal organizations. Exploitation of default or guessable credentials topped the chart. Point-of-sale payment systems and desktop computers were the most targeted assets in the healthcare industry. Although electronic medical records and transcriptions stored on file and database servers were a target, the criminals were more interested in identity theft and fraudulent loans than in what was actually in any individual’s medical records.
Point-of-sale payment terminals are the most targeted asset, with POS servers and gateways second. As in every other sector, professional criminals follow the money trail, and that ends at POS payment systems. So much so that desktop computers and e-mail are also used as routes to get malware onto medical systems and render security policies ineffective. To find out how to better protect medical and healthcare records from cybercriminals and data breaches, read the Verizon reports.
Posted in Best Practices for Merchants, Credit Card Security, Point of Sale Tagged with: Breach, breaches, electronic payment, gateways, healthcare, medical, point of sale, POS, Security, transactions, transcription
August 16th, 2013 by Admin
Today the PCI Security Standards Council (PCI SSC), an open, global forum for the development of electronic transaction security standards, published the PCI Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) 3.0 Change Highlights as a preview of the new version of the standards coming in November 2013. The changes will help companies make PCI DSS part of their business-as-usual activities by introducing more flexibility and an increased focus on education, awareness and transaction security as a shared responsibility with merchant account holders.
The seven-page document is part of the Council’s commitment to provide as much information as possible during the development process and to eliminate any perceived surprises for organizations in their PCI credit card security planning. Specifically, the summary will help PCI Participating Organizations and the assessment community as they prepare to review and discuss draft versions of the standards at the 2013 Community Meetings in September and October.
Changes to the standards are made based on feedback from the Council’s global constituents per the PCI DSS and PA-DSS development lifecycle and in response to market needs. Key drivers for the version 3.0 updates include: lack of education and awareness; weak passwords and authorization, verification and authentication challenges; third-party payment security challenges; slow self-detection in response to malware and other threats; and inconsistency in assessments.
“Today, most organizations have a good understanding of PCI DSS and its importance in securing credit card data during transactions, but implementation and maintenance remains a struggle – especially in light of increasingly complex business and payment technology environments,” said Bob Russo, PCI SSC general manager. “The challenge for us now is providing the right balance of flexibility, rigor and consistency within the standards to help organizations make payment security business-as-usual. And that’s the focus of the changes we’re making with version 3.0.”
Based on feedback from the industry, in 2010 the Council moved from a two-year to a three-year standards development lifecycle. The additional year provides a longer period to gather feedback and more time for organizations to implement changes before a new version is released. Version 3.0 will introduce more changes than version 2.0, with several new sub-requirements. Proposed updates include:
- Recommendations on making PCI DSS business-as-usual and best practices for maintaining ongoing PCI DSS credit card compliance
- Security policy and operational procedures built into each requirement
- Guidance for all requirements with content from Navigating PCI DSS Guide
- Increased flexibility and education around password strength and complexity
- New requirements for point-of-sale terminal security
- More robust requirements for penetration testing and validating segmentation
- Considerations for credit card data in memory
- Enhanced testing procedures to clarify the level of validation expected for each requirement
- Expanded software development lifecycle security requirements for PA-DSS application vendors, including threat modeling
Note that these updates are still under review by the PCI community. Final changes will be determined after the PCI Community Meetings and incorporated into the final versions of the PCI DSS and PA-DSS published in November.
The change highlights document with tables outlining anticipated updates is available on the PCI SSC website: https://www.pcisecuritystandards.org/security_standards/documents.php
The Council will host a webinar series for the PCI community and the general public to outline the proposed changes. To register, visit: https://www.pcisecuritystandards.org/training/webinars.php
“PCI DSS and PA-DSS 3.0 will provide organizations the framework for assessing the risk involved with technologies and platforms and the flexibility to apply these principles to their unique payment and business environments, such as e-commerce, m-commerce, mobile acceptance or cloud computing,” added Troy Leach, PCI SSC chief technology officer.
PCI DSS and PA-DSS 3.0 will be published on 7 November 2013. The standards become effective 1 January 2014, but to ensure adequate time for the transition, version 2.0 will remain active until 31 December 2014.
For more information and to register for the 2013 Community Meetings, please visit: https://www.pcisecuritystandards.org/communitymeeting/2013/
About the PCI Security Standards Council
The PCI Security Standards Council is an open global forum that is responsible for the development, management, education, and awareness of the PCI Data Security Standard (PCI DSS) and other standards that increase payment data security. Founded in 2006 by the major payment card brands American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc., the Council has more than 650 Participating Organizations representing merchants, banks, processors and vendors worldwide. To learn more about playing a part in securing payment card data globally, please visit: pcisecuritystandards.org.
Connect with the PCI Council on LinkedIn: http://www.linkedin.com/company/pci-security-standards-council
Join the conversation on Twitter: http://twitter.com/#!/PCISSC
Posted in Credit Card Security, Digital Wallet Privacy, Mobile Payments, Mobile Point of Sale, Point of Sale Tagged with: credit card, DSS, e-commerce, m-commerce, mobile, PA-DSS, PCI Compliance, Security, transaction
Cyber Crime Infographic by Veracode.
Today anyone can have an e-commerce web site set up in mere minutes. There are a lot of open source e-commerce solutions that let a web site owner establish a site very easily; some require just a few clicks to get going. Once you have your color scheme chosen and your navigation all set, a decision on how to accept payments is inevitable. E-commerce payment gateways allow your site to connect securely to a payment processor to accept electronic transactions. Those transaction flows are what attackers target when they go after your site, your customers’ credit card data and much more. Whether the targeted data is stored on the merchant’s network or on the customer’s mobile device, businesses need to implement a cyber security strategy.
Posted in Credit Card Security Tagged with: credit card, DSS, e-commerce, electronic, fraud, gateway, Malware, payment, PCI, Phishing, Processing, Security, Skimming, smartphone, SMSishing, tablet
The SD Association has a new ‘smart’ idea. New microSD cards, popular for use in Android smartphones and tablet devices, will soon be available. The new microSD cards carry an NFC Secure Element, which allows a Near Field Communication smartphone to communicate with a chip on the microSD card. These are mainly used in a digital wallet for electronic transactions, known as m-commerce. The new SD cards also support on-board applets for smartphones.
Many newer phones are shipping with NFC radios, mainly used with digital wallets. For security, Near Field Communication payment requires the device to authenticate before an encrypted exchange begins, and the credentials used for that step are best kept in a tamper-resistant secure element rather than in the phone’s general storage. Now that secure element can be placed on a microSD card, alongside additional memory for the smartphone or tablet. The card can also store small digital wallet applications for digital payments when combined with an NFC-enabled phone or tablet. Consumers see these as a way to ditch plastic cards in favor of digital wallets, and the electronic wallet can be transferred to different devices as you please.
Additionally, the SDA supports microSD cards that carry both the Secure Element chip and a Near Field Communication radio, giving NFC capabilities to devices that do not come with the technology. Changing devices becomes even easier with these cards, since they enable NFC on whichever device the user moves the card to. If the microSD card owner switches cellular carriers, the card can go straight from the old phone to the new one and the digital wallet user never skips a beat.
The SD Association claims that microSD cards account for 95% of all mobile memory card shipments and that 78% of all mobile phone shipments today have a microSD memory card slot. With the latest round of microSD cards, with and without NFC radios, the association hopes new e-commerce and m-commerce applications will be built to run on the memory cards. This reduces vendor lock-in, since both cell phone carriers and device makers have their own aspirations toward digital payment systems.
Posted in smartSD Cards Tagged with: Android, Digital Wallet, e-commerce, m-commerce, Micro SD, microSD, near field communications, nfc, radio, Security, smartphone, smartSD Cards, tablet