As I wrote yesterday on the summary of changes to PCI DSS 1.2 coming October 1st to a city near you. Requirement 5:  Clarified that requirement for use of anti-virus software applies to all operating system types.

I was a little surprised because the prevailing wisdom that only Anti-virus protection applies to Microsoft windows platform really applied for PCI.

While still on the "marathon morning" webinar this morning:  Graham Cluley (his blog is here) of Sophos had an excellent and informative presentation "Viruses and Spam in 2008 - A look a the current security landscape and future trends"

Two Items of note related to PCI DSS and Anti-virus:

See:  http://www.sophos.com/pressoffice/news/articles/2008/06/machovdyA.html

See: http://www.sophos.com/pressoffice/news/articles/2008/02/rstbtool.html

I would say that the risk is low to OSX and Linux, but we are seeing attacks in 2008 on these platforms which does make the PCI DSS 1.2 Anti-Virus requirement clarification more reasonable. Expect to see AV for Linux, Mac and other platforms products being marketed towards the end of this year and 2009 and on.

So I’m on a webinar right now, listening to a gentlemen from Verisign talking about how the EV (Extended Validation) SSL Cert’s prevent Phishing among other things.  You have probably seen the Green Bar and SSL Certificate — The name next to the lock is embedded in the certificate, and the theory is that this cannot be modified by the attacker or phisher. Here is a picture courtesy of Versign:

I’ve asked the presenter to address the following XSS Attacks:

• Extended Validation certificates and XSS considered harmful
• PayPal XSS Vulnerability Undermines EV SSL Security

But, I’m hearing mostly about the  "Green Bar", and seeing statistics on how users like the "Green Bar" and sites that get increased transaction volume, transaction ticket sizes, as well as as reduced cart abandonment. Unfortunately the "Security" presentation has turned to a "Sales" presentation…

But with these XSS attacks:

The green address bar displayed by the web browser would assure users that they are looking at a website that can be trusted, even though the page they are looking at may contain scripts or HTML created by a remote attacker.

There were two press releases released by the Payment Card Industry Security Standards Council (PCIco) today:

• SUMMARY OF CHANGES TO NEXT VERSION OF PCI DATA SECURITY STANDARD
• HOST WEBINAR ON RELATIONSHIP BETWEEN DIFFERENT PCI SECURITY STANDARDS

The first item lists a summary of changes we should expect in PCI 1.2 which will be released in October 2008

Changes to the PCI DSS include clarifications and explanations to the requirements,
with these clarifications offering improved flexibility to address today’s security challenges in the payment card transaction environment

The following are the main highlights:

• WEP is no longer allowed and is being phased out
• Wireless must now be implemented according to industry best practices (e.g., IEEE 802.11x) using strong encryption for authentication and transmission.
• New implementations of WEP are not allowed after March 31, 2009.
• Current implementations must discontinue use of WEP after June 30, 2010
• Use of anti-virus software applies to all operating system types
• Flexibility to the patching requirement by specifying that a risk-based approach may be used to prioritize patch installation
• Various re-wording of items for clarification purposes.

Get the details here:

The Payment Card Industry Data Security Standard (DSS) v 1.2 will replace the DSS v. 1.1 on October 1, 2008. This Summary of Changes document provides an overview of the significant differences between the two versions.

https://www.pcisecuritystandards.org/pdfs/pci_dss_summary_of_changes_v1-2.pdf

The last item relates the the webinar:

"A Perfect Fit - Understanding the Interrelationship of the PCI Standards,” to be held on Thursday August 21, 2008 at 9:00 a.m. EDT and a second session the same day at 7:30 p.m. EDT.

 

Webinar participants will discover:

• How the PCI DSS, PA-DSS and PED Security Requirements interrelate;
• Why merchants should know about PA-DSS and PED;
• Why incorporating PCI standards is your best approach to protecting cardholder
data;
• Using PCI standards as a model for data security.

To register for the Thursday, September 4, 2008 session at 9:00 a.m. EDT session, visit
http://www.webcastgroup.com/client/start.asp?wid=0650904084240 or
http://www.webcastgroup.com/client/start.asp?wid=0650904084241 for the 7:30 p.m. EDT session. The morning webinar

On-Line Strategies is a Gold Sponsor for the 2008 - ATM, Debit & Prepaid Forum.

ATM, Debit & Prepaid Forum is a card and payments-based event in its 16th year, focusing on three distinct market segments (ATM, Debit & Prepaid), with an added track and additional focus on emerging payments, in one comprehensive program, designed for C-level executives from banks, financial institutions and non-traditional bankcard issuers.

• ATMs and the Future of Cash
• Surcharge-Free Networks
• ATM Service Delivery
• Debit Rewards
• Fraud Prevention
• Debit Product Development
• New Benchmarking Research
• Prepaid Innovation
• Reloadable Prepaid Cards
• Debate on the Size of the Prepaid Market
• Mobile Banking and Payments
• Serving the Underbanked and Youth Market
• Alternative Payments

I have a few invitations that I can send out to the show - these are special invitations that offer a discounted registration fee , please email me at david@paymentsystemsblog.com  before August 18th.

More info on the 2008 - ATM, Debit & Prepaid Forum here: http://www.sourcemediaconferences.com/ATMDebit08/

There seems to be a few companies that I’m continuously hearing more and more about in the interwebs.  One such company is one called Revolution Money. Revolution Money has two main products  Revolution Money and Revolution Exchange:

The RevolutionCard eliminates costly interchange fees for merchants while simultaneously providing consumers with enhanced PIN-based security, identity protection, and periodic merchant discounts and incentives. MoneyExchange offers an easy and secure way to send and receive money online between accountholders for free.[1]

Revolution Money comes at an interesting time with many merchant concerns of interchange fees:

The card’s chief advantage to merchants is its acceptance cost—0.5% of each purchase amount—which compares favorably to bank card discount fees at a time when merchants are disgruntled about the cost of accepting cards. [2]

The main challenge however with any new payment card/technology is merchant acceptance and cardholder issuance. This is true for a myriad of reasons, new terminals for merchants, integration of a new payment types of message formats to terminals, Point of Sale Systems, Payment Switches, and consumers to acquire another payment card and incentives to use that over the other bits of plastic that compete for their wallets, billfolds purses and handbags. But it appears that Revolution Money is planning for a million merchants by year end.

(June 20, 2008) Nine months after its official launch, Revolution Money Inc.’s PIN-secured credit card is being accepted at 150,000 merchants, a number a top executive at the St. Petersburg, Fla.-based alternative-payments provider says will reach 1 million by year’s end.[2]

I think that the bottom line is that this "Revolution" is set to challenge the ways of the current payment processors and payment networks, and add a new layer of competition, or at least the pressure of competition on interchange fees,  especially for merchants that are currently resorting to cash discounts if a payment card is not used.

[1] https://www.revolutionmoney.com/about_revolution_money.aspx

[2] http://www.digitaltransactions.net/newsstory.cfm?newsid=1820

There seems to be a few companies that I’m continuously hearing more and more about in the interwebs.  One such company is one called Obopay. If I had to describe it in one sentence, it would be that Obopay is like Paypal but with using your phone, instead of your email address/Paypal account.  Obopay has the tagline - "Money Transfer by Cell Phone or Web".

I signed up for an account today, received a text message to my cell, activated my account, and currently I’m in the process of waiting to confirm my bank account with a series of micro deposits, that I need to enter into Obopay to confirm my bank account.

Right now I can see this very useful, especially when I end up at a merchant or am at a vending machine and dry out of cash and cannot use plastic. I borrow some money, text a message to my friend, and everyone is happy.

The fee to transfer money recently increased from .10 to .25 a transaction, but note that this is for any transaction amount, there is not a transaction fee + % fee of transaction amount model.

I really don’t know how many merchants currently accept Obopay, but I suspect that this will be a popular payment option to certain market segments of consumers. Especially that it can be linked to either a bank account or credit/debit card.

After my bank account is confirmed I plan to use this when I can.

I wrote about this topic before: see here:

Now the latest perpetrator is an organization that:

is the global, not-for-profit leader in educating and certifying information security professionals throughout their careers. Recognized for Gold Standard certifications and world class education programs.

So when paying for my annual dues for a security certification: I see the following prompt for my "Security Code"

PCI 3.3.2:

"Do not store the card validation value or code (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions"

More here on the Visa CVV2 fact sheet:

Q. Can merchants store my 3-digit code?
A. No. To ensure information security, all merchants are prohibited from storing the 3-digit code in any format whether on paper drafts, receipts or electronically.

From : Rules for Visa Merchants

Avoid CVV2 Storage. All merchants are prohibited from storing CVV2 data.
When asking a cardholder for CVV2, merchants must not document this
information on any kind of paper order form or store it on any database.

A few months back I went to https://www.dtv2009.gov/ and registered for my two $40 TV Converter Box cards.

Congress created the TV Converter Box Coupon Program for households wishing to keep using their analog TV sets after February 17, 2009. The Program allows U.S. households to obtain up to two coupons, each worth $40, that can be applied toward the cost of eligible converter boxes.

I wanted one just to have, and to help two retailers each get $40.00 of revenue as a part of an economic stimulus plan …  and also because we implemented acceptance of these cards in our payment system, OLS.Switch.  You can read about it here, but basically we needed to add the "589732" Bin range to our switching logic/parameters, and create a rule that these transaction must have an amount of $40.00 and then we just switch them out to MasterCard. So with cards in hand, and actually realizing yesterday that they actually expired on August 6th and I only had that day to use them, I ran a few errands over lunch and made my way to a Wal-Mart and a Best Buy.

Finding the product on the shelf was easy.  Wal-Mart had the RCA model for $49.99. I had the cashier in the electronics department perform the checkout (assuming that they would have been better trained then the front of the store staff) The gentlemen that was my cashier was given his first opportunity to ring this type of up though. He didn’t know what to do when presented with the card, so he asked for help from another associate: "Oh - you run that just like a credit card, and have him sign for it," and then he needs to pay the difference."  I was in business and had me first TV converter box. The Sales receipt showed I used an Electronic Voucher for $40.00 and provided the approval code and last 4 digits of my TV converter card.  I asked for my card back, and was given a funny look, like you know you cannot use this again right ? — so the other associate told my cashier that they can either return the card or most of the time they just toss it  (The card does contain my Name in its Track 1 Data)

The Best Buy experience was a little smoother, find the Insignia TV Converter box, bring it to the front, give the card, pay the difference, and I’m on my way. Although the girl at Best Buy trashed my 2nd TV Converter Card — At least I have one left. So does any body have any old TV’s I can use these on ?

Article on CNN.com - http://www.cnn.com/2008/CRIME/08/05/card.fraud.charges/index.html

and MSNBC.com - http://www.msnbc.msn.com/id/26041151/

NEW YORK - The Department of Justice announced Tuesday that it had charged 11 people in connection with the hacking of nine major U.S. retailers and the theft and sale of more than 40 million credit and debit card numbers.

Under the indictments, three Miami, Florida, men — Albert "Segvec" Gonzalez, Christopher Scott and Damon Patrick Toey — are accused of hacking into the wireless computer networks of retailers including TJX Companies, whose stores include Marshall’s and T.J. Maxx, BJ’s Wholesale Club, OfficeMax, Barnes and Noble and Sports Authority, among others.

 

The three men installed "sniffer" programs designed to capture credit card numbers, passwords and account information as they moved through the retailers’ card processing networks, authorities said.

Consider Encrypting Traffic from within the PCI Zone as I wrote in this blog post as a prevent defense.

I’ll just say it; I’m proud of our release cycle for OLS.Switch.

It has been my experience (YMMV) both first hand running an authorization host/switch (issuing and acquiring) and as an IT Security Auditor and QSA - that either Core Banking applications or Payment Switches fall into one of the following when it relates to upgrades, changes, or security updates:

• "The Vendor set it up, we don’t touch it"
• "We don’t patch it because we are afraid"
• "We cringe everything we need to install a new release of the software"
• "Last time we did an upgrade, we had x amount of downtime"
• "It all goes smooth like clockwork" 

During Vulnerability Assessments and Penetration Testing on the Internal Networks that I performed– My observations from an operating system, database and application perspective - these systems are typically not keep current or run on a platform that the organization is not very familiar which and relies on outside support. The application was not cohesive to the rest of their operating environment: systems, technologies, and procedures.

Installing new releases of our software (or rather our clients installing releases of new software) is something that does not make me cringe. (and I used to not sleep very well in the past)  At least one of our clients seems to agree as well. (See Andy’s "A very simple platform to support")

We just rolled out a new release that was quite large (see Flexible Spending Accounts (New Initiatives, Part 3) and had changes that impacted pretty much every transaction path due to partial authorization and credit reversal support, and required heavy regression testing. Our agile based SDLC is a big help with this, we have very iterative development processes and frequent testing which also means less large bulking updates that break everything.

Another success factor is our simplicity of upgrading our program code and binaries. It is really as simple as:

• Stop the OLS.Switch Service or Daemon
• create a backup copy of the directory or file path where OLS.Switch is installed
• Start the OLS.Switch Service or Daemon
• Perform test transactions and monitor.
• The Back-Out plan is to stop the service and revert back to the backup copy.

Further, System Implementation Design can have a big impact on Up-time;  we run multiple independent application servers behind load balancers, that allows us to gracefully stop an application - which stops accepting new transactions when finishing to process those in its queue, and the load balancer stops routing transactions to this application server. Allowing an upgrade to be made while other application servers are still processing transactions. Uptime, not system uptime, but uptime processing transactions doesn’t have to suffer for "scheduled maintenance", or security related patches and reboots.

I think we have a low-risk upgrade/update path that our clients are very comfortable with - So in 7 months into the year - we have had a dozen releases to add additional functionality, address endpoint changes, and implement new transaction types.