Archive for the ‘General’ Category
| |
|
|
Posted ( db) in General on September-8-2008 |
|
|
|
|
|
|
|
| |
|
|
Posted ( db) in General on September-4-2008 |
|
|
 While on the "A Perfect Fit: Understanding the PCI Security Standards" Webcast this morning.
There were a few things that I took note of that are worth repeating:
- PCI Compliance (Fines, Dates, etc) is enforced by Card Associations/Brands and their Acquirers not the PCI Council.
- There was a neat chart that depicted the relationship between the different standards:
I learned of three new "Fact Sheets" published by PCICo From: https://www.pcisecuritystandards.org/education/fact_sheets.shtml
Payment Card Industry Security Standards Overview
PCI security standards are technical and operational requirements set by the Payment Card Industry Security Standards Council to protect cardholder payment data.
Getting Started with PCI Data Security Standard
PCI security for merchants and payment card processors is the vital byproduct of applying information security best practices in the Payment Card Industry Data Security Standard (PCI DSS).
Ten Common Myths of PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) secures cardholder payment data that is stored, processed or transmitted by merchants and processors.
The Ten Commons Myths of PCI DSS is quite good (I especially like the first 4 of these),
Myth 1 – One vendor and product will make us compliant
Many vendors offer an array of software and services for PCI compliance. No single vendor or product, however, fully addresses all 12 requirements of PCI DSS. When marketing focuses on one product’s capabilities and excludes positioning these with other requirements of PCI DSS, the resulting perception of a “silver bullet” might lead some to believe that the point product provides “compliance,” when it’s really implementing just one or a few pieces of the standard.
– Take a second and read through the audit procedures, especially section 12, how is a product going to to this ? find all of the other sections that a product cannot address., in my experience products can address a fraction of the requirements, they are met by processes around systems and their logical controls. Products can you you address Encryption, Log Management, Firewalling, IDS/IPS, File Integrity Monitoring, Anti-Virus/Malware, Vulnerability Assessment, among others — but each of these still will require operational processes and monitoring controls.
Myth 2 – Outsourcing card processing makes us compliant
Outsourcing simplifies payment card processing but does not provide automatic compliance. Don’t forget to address policies and procedures for cardholder transactions and data processing. Your business must protect cardholder payment data when you receive it, and process charge backs and refunds. You must also ensure that providers’ applications and card payment terminals comply with respective PCI standards and do not store sensitive cardholder data. You should request a certificate of compliance annually from providers.
– There are other business processes in place that deal with payment cards that are not necessary apparent, and while you can use out-sourcing to reduce scope, you will still have work to do. There are no real shortcuts here.
Myth 3 – PCI compliance is an IT project
The IT staff implements technical and operational aspects of PCI-related systems, but compliance to the payment brand’s programs is much more than a “project” with a beginning and end – it’s an ongoing process of assessment, remediation and reporting. PCI compliance is a business issue that is best addressed by a multi-disciplinary team. The risks of compromise are financial and reputational, so they affect the whole organization. Be sure your business addresses policies and procedures as they apply to the entire card payment acceptance and
processing workflow.
– Too many times have I seem IT Audits or IT Reviews dropped on a IT Manager because it has "IT" in it, There is much more business and process and operational and organization controls then logical controls in the PCI Standard. IT supports business processes and is an enabler, you need business and department heads involved with PCI Compliance, especially to explain and understand the flow of cardholder data that IT may not know about.
Myth 4 – PCI will make us secure
Successful completion of a system scan or audit for PCI is but a snapshot in time. Security exploits are non-stop and get stronger every day, which is why PCI compliance efforts must be a continuous process of assessment and remediation to ensure safety of cardholder data.
– Compliance != Security && Security != Risk Management (Compliance does not equal Security and Security does not equal Risk Management) — The PCI Standard is a baseline that is a best-practice approach to payment card security, it is not a risk based approach that is tied to your your organizational Risk Assessments and will not address non-payment assets or information. Compliance is a snapshot in time, you need to make sure that the processes are operating effectively after the review/audit has been performed. The process should also include continuous assessment of risk and implementation of controls to reduce the risk of new threats.
|
|
|
|
| |
|
|
Posted ( db) in General on September-3-2008 |
|
|
 |
I just signed up for the Certified Payment-Card Industry Security Manager or CPISM. So I’ll be in Dallas, TX from November 5th - November 7th — If you are in the area or are also taking the exam, please feel free to drop me a note.
Here is the link to sign up:
CPISM Training and Exam on Wed 5-Nov-08 8:30 AM
|
The CPISM measures aptitude in eight knowledge domains that were were generated and validated by industry experts. These domains constitute the knowledge that a security manager in the payment card industry needs to protect data. The domains follow:
* Payment card industry structure
* Payment card structure and data
* Payment card transaction processing
* Compromise fraud statistics and trends
* Merchant risk analysis
* Laws and the regulatory environment
* Payment card security programs
* Third party relationships
See more info here: http://www.paymentsecuritypros.com/CPISM/
Since I’m in payment processing, and a former QSA this just really makes sense for me and will help us serve and support our clients better.
|
|
|
|
|
| |
|
|
Posted ( db) in General on August-19-2008 |
|
|
 |
As I wrote yesterday on the summary of changes to PCI DSS 1.2 coming October 1st to a city near you.
Requirement 5: Clarified that requirement for use of anti-virus software applies to all operating system types. |
I was a little surprised because the prevailing wisdom that only Anti-virus protection applies to Microsoft windows platform really applied for PCI.
While still on the "marathon morning" webinar this morning: Graham Cluley (his blog is here) of Sophos had an excellent and informative presentation "Viruses and Spam in 2008 - A look a the current security landscape and future trends"
Two Items of note related to PCI DSS and Anti-virus:
I would say that the risk is low to OSX and Linux, but we are seeing attacks in 2008 on these platforms which does make the PCI DSS 1.2 Anti-Virus requirement clarification more reasonable. Expect to see AV for Linux, Mac and other platforms products being marketed towards the end of this year and 2009 and on.
|
|
|
|
| |
|
|
Posted ( db) in General on August-19-2008 |
|
|
 |
So I’m on a webinar right now, listening to a gentlemen from Verisign talking about how the EV (Extended Validation) SSL Cert’s prevent Phishing among other things. You have probably seen the Green Bar and SSL Certificate — The name next to the lock is embedded in the certificate, and the theory is that this cannot be modified by the attacker or phisher. Here is a picture courtesy of Versign: |
I’ve asked the presenter to address the following XSS Attacks:
But, I’m hearing mostly about the “Green Bar”, and seeing statistics on how users like the “Green Bar” and sites that get increased transaction volume, transaction ticket sizes, as well as as reduced cart abandonment. Unfortunately the “Security” presentation has turned to a “Sales” presentation…
But with these XSS attacks:
The green address bar displayed by the web browser would assure users that they are looking at a website that can be trusted, even though the page they are looking at may contain scripts or HTML created by a remote attacker.
|
|
|
|
| |
|
|
Posted ( db) in General on August-18-2008 |
|
|
There were two press releases released by the Payment Card Industry Security Standards Council (PCIco) today:
The first item lists a summary of changes we should expect in PCI 1.2 which will be released in October 2008
Changes to the PCI DSS include clarifications and explanations to the requirements,
with these clarifications offering improved flexibility to address today’s security challenges in the payment card transaction environment
The following are the main highlights:
- WEP is no longer allowed and is being phased out
- Wireless must now be implemented according to industry best practices (e.g., IEEE 802.11x) using strong encryption for authentication and transmission.
- New implementations of WEP are not allowed after March 31, 2009.
- Current implementations must discontinue use of WEP after June 30, 2010
- Use of anti-virus software applies to all operating system types
- Flexibility to the patching requirement by specifying that a risk-based approach may be used to prioritize patch installation
- Various re-wording of items for clarification purposes.
Get the details here:
The Payment Card Industry Data Security Standard (DSS) v 1.2 will replace the DSS v. 1.1 on October 1, 2008. This Summary of Changes document provides an overview of the significant differences between the two versions.
https://www.pcisecuritystandards.org/pdfs/pci_dss_summary_of_changes_v1-2.pdf
The last item relates the the webinar:
"A Perfect Fit - Understanding the Interrelationship of the PCI Standards,” to be held on Thursday August 21, 2008 at 9:00 a.m. EDT and a second session the same day at 7:30 p.m. EDT.
Webinar participants will discover:
• How the PCI DSS, PA-DSS and PED Security Requirements interrelate;
• Why merchants should know about PA-DSS and PED;
• Why incorporating PCI standards is your best approach to protecting cardholder
data;
• Using PCI standards as a model for data security.
To register for the Thursday, September 4, 2008 session at 9:00 a.m. EDT session, visit
http://www.webcastgroup.com/client/start.asp?wid=0650904084240 or
http://www.webcastgroup.com/client/start.asp?wid=0650904084241 for the 7:30 p.m. EDT session. The morning webinar
|
|
|
|
| |
|
|
Posted ( db) in General on August-11-2008 |
|
|
On-Line Strategies is a Gold Sponsor for the 2008 - ATM, Debit & Prepaid Forum.
ATM, Debit & Prepaid Forum is a card and payments-based event in its 16th year, focusing on three distinct market segments (ATM, Debit & Prepaid), with an added track and additional focus on emerging payments, in one comprehensive program, designed for C-level executives from banks, financial institutions and non-traditional bankcard issuers.
- ATMs and the Future of Cash
- Surcharge-Free Networks
- ATM Service Delivery
- Debit Rewards
- Fraud Prevention
- Debit Product Development
- New Benchmarking Research
- Prepaid Innovation
- Reloadable Prepaid Cards
- Debate on the Size of the Prepaid Market
- Mobile Banking and Payments
- Serving the Underbanked and Youth Market
- Alternative Payments
I have a few invitations that I can send out to the show - these are special invitations that offer a discounted registration fee , please email me at david@paymentsystemsblog.com before August 18th.
More info on the 2008 - ATM, Debit & Prepaid Forum here: http://www.sourcemediaconferences.com/ATMDebit08/
|
|
|
|
| |
|
|
Posted ( db) in General on August-7-2008 |
|
|
There seems to be a few companies that I’m continuously hearing more and more about in the interwebs. One such company is one called Revolution Money. Revolution Money has two main products Revolution Money and Revolution Exchange:
The RevolutionCard eliminates costly interchange fees for merchants while simultaneously providing consumers with enhanced PIN-based security, identity protection, and periodic merchant discounts and incentives. MoneyExchange offers an easy and secure way to send and receive money online between accountholders for free.[1]
Revolution Money comes at an interesting time with many merchant concerns of interchange fees:
The card’s chief advantage to merchants is its acceptance cost—0.5% of each purchase amount—which compares favorably to bank card discount fees at a time when merchants are disgruntled about the cost of accepting cards. [2]
The main challenge however with any new payment card/technology is merchant acceptance and cardholder issuance. This is true for a myriad of reasons, new terminals for merchants, integration of a new payment types of message formats to terminals, Point of Sale Systems, Payment Switches, and consumers to acquire another payment card and incentives to use that over the other bits of plastic that compete for their wallets, billfolds purses and handbags. But it appears that Revolution Money is planning for a million merchants by year end.
(June 20, 2008) Nine months after its official launch, Revolution Money Inc.’s PIN-secured credit card is being accepted at 150,000 merchants, a number a top executive at the St. Petersburg, Fla.-based alternative-payments provider says will reach 1 million by year’s end.[2]
I think that the bottom line is that this "Revolution" is set to challenge the ways of the current payment processors and payment networks, and add a new layer of competition, or at least the pressure of competition on interchange fees, especially for merchants that are currently resorting to cash discounts if a payment card is not used.
[1] https://www.revolutionmoney.com/about_revolution_money.aspx
[2] http://www.digitaltransactions.net/newsstory.cfm?newsid=1820
|
|
|
|
| |
|
|
Posted ( db) in General on August-7-2008 |
|
|
 There seems to be a few companies that I’m continuously hearing more and more about in the interwebs. One such company is one called Obopay. If I had to describe it in one sentence, it would be that Obopay is like Paypal but with using your phone, instead of your email address/Paypal account. Obopay has the tagline - "Money Transfer by Cell Phone or Web".
I signed up for an account today, received a text message to my cell, activated my account, and currently I’m in the process of waiting to confirm my bank account with a series of micro deposits, that I need to enter into Obopay to confirm my bank account.
Right now I can see this very useful, especially when I end up at a merchant or am at a vending machine and dry out of cash and cannot use plastic. I borrow some money, text a message to my friend, and everyone is happy.
The fee to transfer money recently increased from .10 to .25 a transaction, but note that this is for any transaction amount, there is not a transaction fee + % fee of transaction amount model.
I really don’t know how many merchants currently accept Obopay, but I suspect that this will be a popular payment option to certain market segments of consumers. Especially that it can be linked to either a bank account or credit/debit card.
After my bank account is confirmed I plan to use this when I can.
|
1) So give it a try your self: click the link below to get an account:
|
|
2) And try a test transactions by sending me $1 below.  :)
|
|
|
|
|
| |
|
|
Posted ( db) in General on August-7-2008 |
|
|
I wrote about this topic before: see here:
Now the latest perpetrator is an organization that:
is the global, not-for-profit leader in educating and certifying information security professionals throughout their careers. Recognized for Gold Standard certifications and world class education programs.
So when paying for my annual dues for a security certification: I see the following prompt for my "Security Code"
PCI 3.3.2:
"Do not store the card validation value or code (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions"
More here on the Visa CVV2 fact sheet:
Q. Can merchants store my 3-digit code?
A. No. To ensure information security, all merchants are prohibited from storing the 3-digit code in any format whether on paper drafts, receipts or electronically.
From : Rules for Visa Merchants
Avoid CVV2 Storage. All merchants are prohibited from storing CVV2 data.
When asking a cardholder for CVV2, merchants must not document this
information on any kind of paper order form or store it on any database.
|
|
|
|
|
|
