Archive for October, 2008

Posted (db) in Operations on October-22-2008

Yesterday we hit a pretty big milestone on one of our implementations of OLS.Switch, and Andy and I made a screencast and narrative of it. Enjoy.

Posted (db) in PCI on October-21-2008

I was at my local chapter meeting of a combined ISACA and IIA group. The topic of the meeting was The Institute of Internal Auditors' GTAG and GAIT programs, presented by Hussain Hasan of RSM McGladrey, Inc., who is also a member of the IIA's Advanced Technology Committee.

Hussain pointed me to a case study on using GAIT for Business and IT Risk (GAIT-R) to assist with scoping PCI compliance.

The GAIT-R methodology comprises eight steps:

  1. Identify the business process and objectives for which the controls are to be assessed.
  2. Identify the key business controls required to provide reasonable assurance that the business objectives will be achieved.
  3. Identify the critical IT functionality relied upon, from among the key business controls.
  4. Identify the significant applications where ITGCs need to be tested.
  5. Identify ITGC process risks and related control objectives.
  6. Identify the key ITGCs to test that address identified risk and related control objectives.
  7. Perform a reasonable person holistic review of all key controls.
  8. Determine the scope of the review and build an appropriate design and effectiveness testing program.

Here are the two Case Studies of Using GAIT-R to Scope PCI Compliance.

Posted (db) in General on October-21-2008

Johannes Ullrich at the SANS Internet Storm Center writes:

Thanks to our reader Glenn for alerting us to this scheme: He received an automated phone call, telling him that his ATM card had been deactivated. The system then offered to re-activate it. He didn't fall for it, and instead called his bank. His bank told him that they had multiple reports like that, and the calls are false.

Lessons learned:

  • first of all, the bank should somehow identify itself by telling you something only they know. Your account number maybe?
  • better: call them back at a listed number. Do not ask them what number to call. Usually, the fraudsters will use an automated system to call you, not a human (but they may).
  • never provide confidential information like account numbers, social security numbers, PINs, passwords over the phone.


This is something to consider in your own customer service and information security training programs, as well as in how you "educate your customers".

Posted (db) in PCI on October-14-2008

Martin writes a great post titled: Why is your company storing credit card numbers?


Many of the merchants I’ve dealt with keep everything and I do mean everything.  I’ve run into systems that have card numbers in their databases that date back to the first time they opened up an e-commerce site in the late 80’s.  The majority of the card numbers in these systems have long since expired, but the merchant steadfastly refuses to purge any of the data ‘just in case it might be useful some day’.  In most cases, they don’t actually use the stored credit card numbers in any way, shape or form, but they feel the need to have the data just to have the data.  After all, we all know data is valuable, and what’s more valuable than a potential customer’s credit card number?


I have had similar experiences as well, even more so on the development side, where "log everything, you never know when you will need it" was the mentality. You should be able to see why this is a problem.


What Martin writes about is something that you *should* be doing anyway per PCI DSS requirement 3.1. If you look at the testing procedures, however, there is no test that ties the retention period documented in the policies to the data that is actually retained.
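The missing check, as an added example that is not part of the original post: a small audit that takes the retention period from the written policy and compares it with the rows actually sitting in a stored-card table, flagging records past the window or belonging to expired cards. The table layout, the 365-day policy and the rows are constructed for the example; the PANs are the public brand test numbers.

```python
import calendar
from datetime import date, timedelta

# Constructed sample rows of a merchant's stored-card table; the PANs are the
# well-known brand test numbers, not real cardholder data.
SAMPLE_RECORDS = [
    {"id": 1, "pan": "4111111111111111", "expiry": "12/05", "last_used": "2004-03-15"},
    {"id": 2, "pan": "5555555555554444", "expiry": "06/08", "last_used": "2008-05-20"},
    {"id": 3, "pan": "378282246310005",  "expiry": "01/09", "last_used": "2006-11-02"},
    {"id": 4, "pan": "4012888888881881", "expiry": "03/11", "last_used": "2008-10-01"},
]

def mask_pan(pan):
    """Keep only the last four digits so the audit report is not itself cardholder data."""
    return "*" * (len(pan) - 4) + pan[-4:]

def expiry_date(mmyy):
    """'MM/YY' -> last day of that month; a card is valid through the end of its expiry month."""
    month, year = int(mmyy[:2]), 2000 + int(mmyy[3:])
    return date(year, month, calendar.monthrange(year, month)[1])

def audit_retention(records, retention_days, today):
    """Tie the number written in the retention policy to the rows actually stored.

    Returns (id, masked PAN, reason) for each record that should have been purged:
    either its last use predates the retention window, or the card has expired and
    so can no longer serve any authorization purpose.
    """
    cutoff = today - timedelta(days=retention_days)
    findings = []
    for rec in records:
        if date.fromisoformat(rec["last_used"]) < cutoff:
            findings.append((rec["id"], mask_pan(rec["pan"]), "past documented retention period"))
        elif expiry_date(rec["expiry"]) < today:
            findings.append((rec["id"], mask_pan(rec["pan"]), "card expired, no business need"))
    return findings

def run_sample():
    """Audit the constructed rows against a 365-day policy as of the post's date."""
    return audit_retention(SAMPLE_RECORDS, retention_days=365, today=date(2008, 10, 14))

if __name__ == "__main__":
    for rec_id, masked, reason in run_sample():
        print(f"record {rec_id}: {masked} -> {reason}")
```

Run against a real table, the same loop would read from the database and report only masked PANs and record ids, so the audit output never becomes another copy of the card data.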

Posted (db) in General on October-14-2008

from: http://biz.yahoo.com/rb/081014/business_us_creditcards_discover.html


NEW YORK (Reuters) – Discover Financial Services Inc (NYSE:DFS) and card networks Visa Inc (NYSE:V) and MasterCard Inc (NYSE:MA) have settled an antitrust lawsuit, sending shares of the fourth-biggest U.S. credit card company up over 14 percent.

In 2004, Discover had filed a lawsuit against MasterCard and Visa seeking roughly $6 billion in damages, as it contended the card networks had harmed its business by preventing their member banks from issuing credit cards for Discover’s network.

Posted (db) in General, mcommerce, Mobile on October-10-2008


One of the things that I discovered on my phone is that it has a bar code reader that can read both Data Matrix and QR (Quick Response) barcode formats, and I can create them as well. It is like having a CueCat in your phone! Which to me is some pretty neat stuff.


The process is called mobile tagging, and, compliments of Wikipedia, here is a picture of the process:

[image: mobile tagging process diagram (Mt_process_english)]

And here is my business card in vCard format:

[image: business card as a QR code (BusinessCardqr)]

Posted (db) in General on October-9-2008

We are all back from the ATM, Debit and Prepaid Forum 2008 in Phoenix, AZ. We made some great friends among the other exhibitors and attendees. We talked to many people about payment systems, including payment switches, authorization hosts, and the benefits of our platform and our team. We shared a live demo with tools to simulate Point-of-Sale and other incoming messages from the acquiring side (from merchants), switching them out to simulators (which used the real connection and message formats of real endpoints) as well as to our own Issuing Authorization Host, which you can run in your data center or in ours.

It was fun to run a transaction: get a decline due to non-sufficient funds, add value to a card, set the card status to Blocked, and get an approval or decline message based on these different parameters. Transactions took ~30ms and ran on hardware that costs ~$800 and is capable of running north of ~1/2 million transactions per day.

We also got to listen to some great speakers on topics that a reader of this blog could appreciate ;)

With OLS being from Dallas, Texas, we hosted a Texas Hold'em tournament and social party in which everyone had a blast and the winners won some great prizes.

I also had the opportunity to promote this blog a little bit using some MOO mini-cards and hope to add a few more regular readers!

Thanks to Source Media for putting on the show.

Posted (db) in Design, Development, mcommerce, Mobile, security on October-9-2008

If you have ever used Obopay or even the social networking site Facebook, chances are that you have interacted with these sites from your mobile phone in some manner. Obopay is a little more obvious: you receive text notifications on your mobile when you send or receive money. Facebook sends text messages to your registered mobile phone number for you to validate your account. Obopay also uses multi-factor authentication to validate the user of its website, using either a phone call with a spoken code or a text message containing a code that you need to type into a web page. This is called out-of-band authentication, and your bank may have implemented something similar for its Internet banking.


Yesterday I researched and implemented text notifications for Reload or Add Money transactions on our issuing platform to your prepaid card, using an interface to an SMS gateway. Check it out below; I'm using my Nokia E71 here.
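The out-of-band text-message check described above (a code sent to the registered phone, typed into the web page), as an added example that is not the blog's or OLS's own code: the server keeps only a keyed hash of the code, enforces an expiry window and a guess limit, compares in constant time, and accepts each code once. The SMS gateway, the clock and the user and phone number are stubbed and constructed for the example.

```python
import hashlib, hmac, secrets, time

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300   # a code is only good for five minutes after it is sent
MAX_ATTEMPTS = 3         # discard the challenge after three wrong guesses

class OutOfBandVerifier:
    """Sends a one-time code over a second channel (SMS) and checks what the user types
    into the web page. Only a keyed hash of the code is kept server-side."""

    def __init__(self, server_key, send_sms, clock=time.time):
        self._key, self._send_sms, self._clock = server_key, send_sms, clock
        self._pending = {}   # user -> [digest, expires_at, wrong_attempts]

    def _digest(self, user, code):
        return hmac.new(self._key, f"{user}:{code}".encode(), hashlib.sha256).digest()

    def start(self, user, phone_number):
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"  # CSPRNG, never random()
        self._pending[user] = [self._digest(user, code), self._clock() + CODE_TTL_SECONDS, 0]
        self._send_sms(phone_number, f"Your verification code is {code}")

    def verify(self, user, submitted):
        entry = self._pending.get(user)
        if entry is None:
            return False
        if self._clock() > entry[1] or entry[2] >= MAX_ATTEMPTS:
            del self._pending[user]   # expired or exhausted: user must request a new code
            return False
        if hmac.compare_digest(entry[0], self._digest(user, submitted)):
            del self._pending[user]   # single use: the same code cannot be replayed
            return True
        entry[2] += 1
        return False

def demo():
    """One challenge driven with a stub SMS gateway and a controllable clock (constructed)."""
    outbox, now = [], [1_000_000.0]
    v = OutOfBandVerifier(b"server secret", lambda phone, text: outbox.append(text), lambda: now[0])
    v.start("alice", "+15555550100")                      # constructed test number
    code = outbox[-1].rsplit(" ", 1)[1]
    wrong = v.verify("alice", "000000" if code != "000000" else "111111")
    right, replay = v.verify("alice", code), v.verify("alice", code)
    v.start("alice", "+15555550100")
    now[0] += CODE_TTL_SECONDS + 1                        # advance past the expiry window
    expired = v.verify("alice", outbox[-1].rsplit(" ", 1)[1])
    return wrong, right, replay, expired
```

In production the `send_sms` callable would be the gateway client and `_pending` a store shared across web nodes; the digest, expiry, attempt limit and single-use rules stay the same.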

Posted (db) in Payment Terminal, PCI, Point of Sale, security on October-8-2008

I received an MSR505c Card Reader/Writer in the mail today. I use, and have a need to create, test cards with magstripes for a variety of purposes, the main one being a way to test and demo our issuer-based products from Point-of-Sale (POS) systems and payment terminals.


I thought I'd create a short screencast to show how this works, which is provided below.

Some considerations to note:

It is extremely easy to "clone" a payment card using a device such as this, and the entry point from a cost and availability perspective is low (~$300 range). In a follow-up blog post, I'll write about MagTek's MagneSafe and MagnePrint products, which detect card cloning at the magstripe level.

Posted (db) in General on October-4-2008

Bags are packed. See you in Chandler!

Send me a note or stop by booth #30 if you are planning to attend the 2008 ATM Debit & Prepaid Forum.