Quantcast StorefrontBacktalk » Blog Archive » Data Security Slugfest: Tokenization Vs End-to-End Encryption
advertisement
advertisement

Data Security Slugfest: Tokenization Vs End-to-End Encryption

Written by David Taylor
April 15th, 2009
Like this story? Share it
To share this story with people in your social network, please click on the network icons below.

GuestView Columnist David Taylor is the Founder of the PCI Knowledge Base, Research Director of the PCI Alliance and a former E-Commerce and Security analyst with Gartner.

In a land “Beyond PCI,” there’s trouble brewing. Issues involving everything from tokenization to end-to-end encryption are being debated and the PCI SSC is hiring a consulting firm to look into the implications of these (and other) technologies and processes.

This all raises the issue of “should retailers wait for the PCI SSC to ‘bless’ or integrate so called ‘beyond PCI’ technologies into the standards?” My answer is a profound “no.” There are too many changes in IT happening too quickly for an organization to wait for a standards committee to issue a clear pronouncement on each of them. Rather, I would suggest that retailers begin now to investigate the value of these technologies, especially tokenization and end-to-end encryption, to determine where one or the other, or both of them, can be used to protect confidential data and business risk and compliance costs.

  • Why many current encryption implementations are insufficient
    Encryption is too easy and also too hard. For many companies, encryption is not centrally managed. It is a feature that is easily added to applications, it’s built into operating systems, databases, POS devices, etc. Even within the cardholder environment (such as it is), it’s not uncommon to find a half-dozen different implementations of encryption and multiple key management systems. In this situation, card data may have to pass through multiple systems internally, and on the way to the acquiring bank or processor. The result is the dreaded “encrypt, decrypt, re-encrypt” scenario which opens up holes to external hackers and unauthorized insiders. A recent report suggests that hackers are using new techniques to decrypt encrypted PIN blocks, which would suggest that the myriad different encryption techniques and ciphers in use today must be “beefed up” to, say AES 256 or TDES, and centrally managed.

    Our research suggests there are far too many people who believe that encryption, by itself, is sufficient to prevent breaches or fraud — in fact, many of the 44 US state breach laws provide for an exemption from reporting breaches if the data is encrypted, with the quality of that encryption often poorly defined. Our take on current “tactical” implementations of encryption is that they have many problems and gaps (e.g., failure to encrypt confidential data in transit over private networks) that can be exploited by both internal and external sources. End-to-end encryption can be a major improvement.

    Pages: 1 2

    • Posted in E-Commerce, IT Strategy/Industry, In-Store, Payment Systems, Security/Fraud, Software, Supply Chain
    advertisement

    5 Comments | Read Data Security Slugfest: Tokenization Vs End-to-End Encryption

    1. Chris Miller Says:
      April 16th, 2009 at 8:10 am

      What are you thoughts about efforts that some retailers are taking to get their POS systems out of PCI scope altogether by moving card processing off to a seperate device (that only communicates the most basic transaction information – not card data – back to POS). Regis Salon has implemented this. We are loking at it very seriously. Seems like McDonalds is doing the same. For smaller speciality stores, this appears to be a long term cost saving option and would make maintaining compliance much easier. I’m interested in your thoughts.

    2. Mark Bower Says:
      April 16th, 2009 at 5:40 pm

      With respect to “The result is the dreaded “encrypt, decrypt, re-encrypt” scenario which opens up holes to external hackers and unauthorized insiders”

      Any legacy approach will suffer this exact problem – but that is now a completely solved problem. As I’ve mentioned here before, an entirely practical solution here is FFSEM Mode AES aka FPE, or Format Preserving Encryption (see it on the NIST AES modes site if you want to learn more about the method). FPE can do this:

      • Encrypt 12/15/16 digit credit card numbers to a 12/15/16 Digit credit card numbers that’s useless to anyone except the trusted entities but still works in POS systems, or,
      • Encrypt first 12 say only, encrypt internal account # digits, leave routing/BIN etc in clear, maintain Luhn etc. whatever combination is needed to suit the business purpose. Separate sub fields can be independently encrypted so different systems can use them independently – separating access right down at a sub field level – think firewalls around the data itself.
      • FPE can be applied to not only cards, but SSN and other data- names, address, customer field notes – whatever.
      • FPE can encrypt columns that are indexes or have primary and foreign key relationships – it does not matter- referential integrity is preserved
      • Any data encrypted with FPE can also be used immediately in a QA system as masked QA/Test Data – no need to regenerate DB test data.
      • Use IBE (Identity Based Encryption, RFC 5091) and FPE for Stateless Key Management – solve the complexity of key management to almost no management overhead and one way encryption at capture.

      Therefore, with respect to the lifecycle of the data from capture storage, there is no need to open up the data -the data can be used in its encrypted form – as is, no decrypt, no risk, no keys present, no PCI scope.

      Tokenization systems on the other hand simply shift the problem and put the burden of managing a massive amount of additional state information (token/card mapping data) to the operator of the token scheme – hence the often quoted transaction or service subscription costs. Tokenization approaches essentially create a parallel universe of cardholder data to manage. This has obvious scale limits and hence why tokens must expire – and hence destroy any business intelligence processes a business may require when operating e.g. a data warehouse, data mining etc. Tokenization systems also require a call to the token generator per transaction, thus must be online at all times. This results in incremental overheads per transaction, don’t solve offline processing, and creates addition network hops and attack vectors as the clear data is now traversing a potentially large path to the token provider. The tokenization vendors seem to forget to mention that encryption is required – “end to end encryption” ideally – from the capture point to the token generator, and vice versa at the point where the data is required in clear form for eventual clearing.

      FPE solves that problem in situ and stops those who deploy it from having to worry about that parallel universe of card data.

      Regards,
      Mark
      VP Product Management
      Voltage Security

      Full disclosure: I work for a firm who creates products for privacy and payments systems using FPE technology.

    3. Steve Sommers Says:
      April 20th, 2009 at 6:11 pm

      Mark, You are incorrect in your blanket statement – Shift4 is a tokenization vendor and we do detail this. We always mention that end-to-end encryption is required and we provide the means as well that offloads the key management and in most cases is transparent to the POS – state of the art or legacy. The biggest difference in FPE vs. tokenization is that encrypted card holder data is still card holder data whereas a token is not. You’ll get different opinions among QSA’s as to whether or not FPE removes applications from PCI scope whereas most QSA’s agree that our end-to-end encryption/tokenization model does (just for clarification: can remove applications from scope, not merchants).

      Both solutions have their pro’s and con’s. I give more pro’s to a properly implemented tokenization solution that includes end-to-end encryption (bypassing the POS). I’m guessing that you give more pro’s to FPE. To me, either solution is much more secure than the POS receiving unencrypted card holder data and trusting the POS provider to properly secure this data within the application and the merchant’s network, and with adequate key management controls.

      In the not so distant future, the ultimate solution might be the combining of technologies.

      Steve Sommers
      Sr. VP Applications Development
      Shift4 Corporation

    4. Kim Singletary Says:
      April 23rd, 2009 at 11:59 pm

      A healthy debate going on – but both scenarios require attention to the configuration and management of either the encryption or tokenization solution. Doing anyone of these tactics still requires additional PCI controls to ensure compliance – however many are positioning these investments as the silver bullet. As David refers to in his last point these will be another means to defend this data and mitigate risk. But my concern is today’s and tomorrows systems (here and now) – how fast and at what cost can the individual Merchant of any size and with limited spend go beyond PCI compliance. Runtime control with dynamic whitelisting and memory protection is another means to provide for secure systems today without code or database changes. The technology whitelists known good systems taking inventory of all executable code (.exe, scripts, java, and .dll’s) and of the system and application configuration, identifies authorized processes that are pre-trusted to provide automatic updates to the system then denies all other types of changes. In addition currently running applications and local data, registry entries and configuration files can be read/write protected so they are only usable and visible to their native applications or those that require them for processing. Easy implementation, no application or change of current business delivered with a single solution that goes beyond PCI compliance but that also fulfills many of the current PCI requirements like protecting from malware today and future malware and file integrity monitoring. This method is accessible to all Merchants today and many may even find their POS vendor reselling or embedding the capability into their systems providing PCI-ready devices.

      Kim Singletary
      Director, OEM & Compliance Solutions
      Solidcore.com

    5. Data Protection Says:
      November 5th, 2009 at 11:17 am

      The solution to the encryption conundrum is simple: define and stand by a standard. Unfortunately, there are too many hands in the encryption cookie jar for this to ever happen. Some fear that a single standard would be a bad thing, because if it were ever hacked, the losses could be staggering. Still, with a single standard comes increased strength and progress made in methods, along with more streamlined updates and implementation. Th result would be a much smaller chance for a successful attack, rather than a larger chance.

    Leave a Reply

    Newsletter

    Quickly catch-up on the latest in E-Commerce and Retail Tech with our free weekly newsletter, with urgent bulletins as news merits.
    advertisement

    Most Recent Comments

    "This "clarification" is causing a lot of panic with large FS clients who now appear to be non-compliant after spending 7 figure sums on their compliance programs." -J- R

    Cambridge University Calls Verified By Visa Secure Protocol Terrible Security

    E t Voorde
    One bank using the card PIN as 3DS password doesn't prove that the whole protocol is useless. Besides that, the protocol might not be perfect, it does prevent from a lot of very simple Card Not Present fraud happening today. Offtopic: saying that with EMV the ATM PIN is used for POS is typically UK, because whole Europe was already using PIN in POS in magstripe debit transactions for years! Read more...
    A reader
    Nice paper. Factual conclusions. Utterly useless. It won't get fixed. Remember that Visa is perversely opposed to providing true security for transactions. It won't get fixed because the current screwed up system is too profitable for Visa. How screwed up is that? Read more...

    Retail Vendors: Forget New Functions. Just Make It Simple And Cheap

    Joe
    The costs for delivering 5 second credit card processing through high speed connections integrated with POS (and associated PCI costs) are excessive if the transactional volume is not sufficient. Much cheaper, yet slower, to use the old stand alone terminals. Read more...

    Mobile Sites Are Supposed To Be Slow, But Not This Slow

    Wayne Brown
    What happened at these retailers, is that full-screen, non-mobile-centric developers were used. The best mobile apps do not come from the minds of full-screen, PC/Server, type programmers. I'll bet that the retailers criteria matrix didn't even include performance benchmarking. Why, because they are thinking like PC/Server developers....... Read more...
    mobile sites
    I agree. Stick with XHTML MP or something light-weight. Most anyway mobile browsers can't process fancy stuff like flash. Read more...

    What’s The Rush For New PCI Call Center Requirements?

    Mike Pruden
    And I have not heard anyone mention the impact on companies who provide quality improvement services. Many merchants hire quality improvement companies to review their audio recordings to provide guidance on how to improve their sales staff’s effectiveness in customer service and sales retention. PCI Council needs to rethink this requirement until there is a widely available commercially viable solution. Read more...
    Geoff Miller
    Another ridiculous decision where regulators don't think critically enough about the unintended consequences of their decision. This will be a huge problem for the credit and collections industry. We have to keep all recorded calls for other reasons not related to cc information. We can't purge all of our calls and we don't have the technology to not record part of the conversation. Even if we did, I am not sure we could afford it. Read more...
    J- R
    This "clarification" is causing a lot of panic with large FS clients who now appear to be non-compliant after spending 7 figure sums on their compliance programs. The only alternative to call recording would now appear to be some sort of IVR/push button type interrupt to take card data away from the contact centre. The council is a position to force that sort of process and technology change and this may backfire on them and the vendors that lobbied hard for this clarification. Read more...
    Kemil Carbuccia
    PCI council has made a one-sided decision; They should have done a much more in-depth research that could have provided more insight on what regards to the implications of such decision. Read more...

    Trying To Force Strong Passwords Futile, Counterproductive

    Steve Sommers
    Another factor, assuming a user is not using post-it's, is that passwords will be lost more frequently -- expecially in systems users don't use frequently. This moves the risk from the login authentication, to the password reset/reassignment authentication and these areas of many applications are less secure and usually more vulnerable to social engineering attacks. Read more...

    HSN: Where Multi-Channel Becomes Even More Multi

    Suzy Meriwether
    I think 'even more multi' is right on. I think it's multi-channel, mult-times, and retailers, service providers and others need to understand that. I'll see it on TV, I'll go on line ot look up details, I'll tweet about it to see if friends have used it, go to the store to look at it then buy on-line. Read more...
    Fabien Tiburce
    What a great reminder that we should never deploy technology just "because we can." Consumer behavior and usability (watch what users do, not what they say), not technology for its own sake, ought to drive technology selection. Read more...

    Burger King Sues Franchisees Who Didn't Upgrade POS

    Fabien Tiburce
    Having attended a number of franchising shows and seen what retail brands will do (and how much they spend) to attract would-be franchisees, I can't help thinking this is, at the very least, a PR disaster for the brand. Read more...

    Data Breach Cost Numbers Games

    Gray Taylor
    You rightly point out that there is no safe harbor through compliance - you are compliant until you are breached, and then you are not. Retailers I work with are wondering "If we implement rational security practices, who cares about compliance?", and that is hard to argue with. In essence, PCI compliance has become less of a data security exercise, and more of a fine avoidance strategy. Read more...

    Social Unstructured Data Is Not Unusable

    Michelle de Haaff
    This information is hugely valuable. We analyze it for real use and action with retailers everyday. There is so much real-action insights in social media... Some examples:*Cries for help! - are customers complaining about something online that you can answer? We find it, analyze it and route it to people to get involved in the conversation. Read more...

    Will Old OS Cause PCI Violation? No, But Marketing Still Says So

    Jacob Ansari
    This is an interesting issue, because there's more to it than what's apparent on the surface. PA-DSS requires supported and patched operating systems and other software components (e.g., databases, libraries, Java, etc.) per PA-DSS 7.1.b and 8.1, and the option for compensating controls simply isn't there. Merchants can make use of compensating controls for most PCI DSS requirements, but only when legitimate constraints exist and only in ways that meet the intent and rigor of the requirement and go above and beyond the other PCI DSS requirements. Read more...
    Cranston Snoard
    Why would one automatically upgrade to a "new" OS -- some of the older versions of certain OS-es are more stable and more robust than the crap being peddled today. This is yet another clear example of PCI SSC being out of touch with reality. Rather than requiring a "current" OS, the requirement should be to demonstrate the OS in use is stable and robust, and is adequately hardened against threats. Read more...
    Steve Sommers
    There are compensating controls that encrypt the swipe at the driver level as it enter the PC, there are hardware encrypting card swipes so the cardholder data is already encrypted before it comes to the PC -- either of these, especially the second, would remove the OS entirely from a cardholder data risk profile. Read more...
    Lucas Zaichkowsky
    In my opinion, the only thing the vendor did wrong was they didn’t know of that FAQ entry. Even if they did, it changes nothing about the need for merchants to update software that no longer receives updates. Read more...

    Helicopter Parents May Ruin The Retail IT Industry

    Marty
    My son (non-IT) was considering a promissing post-college stint in minor baseball a few years ago. He informed me, "If I don't make the Bigs and have to take a regular job, it better not be entry-level." My response (after the laughter) "Are you kidding me?" But he was very serious. Read more...

    Forget Your Well-Thought-Out Mobile Strategy: You Now Need Three

    David Dorf
    I have spoken with a couple companies that claim to automatically build native apps for different platforms from one source. If each retailers builds 1-3 apps for 1-3 platforms, consumers will be overwhelmed. As more retailers enter this area, its going to get tougher to differentiate. A few will get this right and lead the market. Read more...
    Fabien Tiburce / Compliantia
    The value proposition of mobility is multi-faceted because mobility is an enabler, not an end it itself. Mobility is actually a lot harder to do well than web-based applications. Networks are slower, devices are smaller (usability does matter) and there is no default mobile platform (hence the reason for carrying 3 phones) unlike the PC/Windows monopoly we love to hate. Read more...

    Holiday Season Dollars: We (Somehow) Were Right

    Doron Levy
    I have to admit, I was part of the naysayer camp before Christmas and I'm encouraged by the increase but (and this is a big but) we shouldn't be jumping for joy for 1.1 percent. You can't tell me that cost of goods sold and overhead didn't increase at least 1.1%! Read more...
    Evan Schuman
    Editor's Note: Doron's right. The key point we were initially trying to make was that, back in October, with all of the data then available, we simply couldn't see how the 2090 holiday could have been worse than the prior year's disaster. Pentup demand, among about 20 other factors, simply wouldn't allow that, unless some other catastrophe kicked in, which (fortunately) didn't happen. But to Doron's point, yes, continued annual increases of 1.1 percent--especially measured against the increased cost of sales--will be very bad news. Read more...

    Announce Breach. Blink. Be Sued

    Steve Sommers
    Sounds like a possible industry in the making: Hacking cardholder data, not with the intent on using the compromised information, but instead with the intent to win the litigation lottery. Read more...

    Beware Of The Side Effects of Software-As-A-Service

    Fabien Tiburce
    Asking the IT department what they think of Software-as-a-Service is akin to asking the Detroit auto-makers what they think of public transportation. Your points remain valid. SaaS is not a silver bullet but SaaS does alleviate a lot of problems that have plagued large organizations for some time. Read more...
    Kevin Ertell
    I'm not sure it's fair to lump all SaaS models under the same umbrella. Some require more integration that others. The world is changing incredibly quickly, and keeping up with those changes requires adapting technically. Sometimes, SaaS presents the best option, even if that means more integration effort by internal teams. Read more...
    Alex
    It is certainly very valid that integration is an important factor to consider when looking to go SaaS (and on-premise for matter). Would you consider that some systems are better suited to SaaS than others? For example, email seems to be an early suitor? Read more...

    Last Driver-License Scanning Holdout—Nebraska—May Be About To Cave

    James Loar
    Who would write software just for NE? Obviously the applications are written to cover the requirements of the whole country; then during installation you would expect to configure what data to collect -- that's the decision of the retailer - not the software developer. Perhaps NE is worried that a data aggressive retailer will install a floor scale and overhead height sensor in front of the cashier to validate that the driver's license data matches the person after the card is scanned. Mmmm. Read more...
    Todd Ablowitz
    Wow. It's amazing that Nebraska is in this position. Restrict usage or storage of the info? Fine. To be an outlier this long on such an obvious benefit to the people of Nebraska? That's already shocking, but to put a target on the developers? Even worse. Read more...

    Will Best Buy's Pushback Against Visa Contactless Payment Change The Market Or Is It Irrelevant?

    Duncan Taylor
    I applaud Best Buy's stance here, but to think that the card methods will not advance in this direction is short sighted. Clearly VISA needs to overcome the interchange fee concerns, and the contactless payment method is bound to evolve and fold into cell phone payment. Read more...
    Dan Stiel
    The real Best Buy message to fellow merchants: It is o.k. to say no to enhancements that increase costs - especially when there is no meaningful impact on the customer experience. Read more...

    McDonald's: IT Must Be Comfortable Failing, But "Fail Really Small"

    Terrell Jones
    I really agree with failing small and fast. But I can't agree with the PC designation of 'sub optimal business case outcome" Baseball players don't have sub optimal batting experiences, they 'strike out'. Teams don't have a sub optimal game experience, they LOSE the game. Failure is a strong word, but by getting people to look at why and how the project failed and to kill the project while coaching the person is the path to success. Read more...
    Fabien Tiburce
    Of course retailers should accept the possibility of failure if it helps fosters innovation. And what is the best way to fail small and fail fast? a) Rapid prototyping, b) pilots and c) software-as-as-service. Combine all three and you have the ability to try out new ideas, at no or a nominal cost, get feedback quickly, adjust and iterate until you can improve or reject the methodology. Read more...
    Lee
    "sub-optimal business case outcome" is definitely preferable to 'failure'! Seriously, I'm pleased Roberts in conscious of language. You are up against millennia of conditioning if you try to get people to accept 'failure' as ok. Read more...

    For How Long Will Consumers Forgive Mobile Slowness?

    Fabien Tiburce
    The apparent (but incomplete. read on...) message is clear: capacity planning is very inconsistent across the industry. Performance under load is predicated on the site's architecture and infrastructure. While money (and expertise) can address infrastructure bottlenecks, only foresight can produce a solid architecture that will help a system scale and distribute its load. Read more...

    Target Admits It Was Breached

    Steve Sommers
    The question I ask myself is "What did they do differently to stay under the radar and out of the press?" While they state "only a tiny fraction of guest credit and debit card data" were compromised, they process a lot of transactions and a "tiny fraction" could easily be thousands of cards. I know I've seen headlines about breaches with fewer than a thousand cards compromised so I go back to my question, what did they do differently? Read more...

    MasterCard: December PCI Deadline Change Not For Holiday Conflict

    Hybrid Forge eCommerce
    This announcement did take some pressure off but PCI must be taken seriously by e-tailers. Read more...
    National Retail Federation
    NRF's CIO Council and IT Audit Committee, along with many retailers, sent numerous communications to MasterCard about our concerns regarding the proposed changes and timeline. It is both unfortunate and troubling that those concerns were never communicated effectively within their organization. Read more...

    Best Buy Kicks Visa Contactless Out Of The Building

    Steve Sommers
    Since these cards can be swiped, I think Visa has much more to lose in this battle than Best Buy. Read more...
    Todd Ablowitz
    Is Best Buy starting a trend? Will this impact Visa's approach? What is Best Buy losing by turning off PayWave cards? What is Visa losing by not having contactless acceptance at Best Buy? Most importantly, I wonder what the long term effect will be. Will this move the needle either way? Read more...
    Mobile Payments
    It won't be long until we are all paying via our mobile payments account, and no longer carrying plastic. Just wave your phone in front of the reader, and it will be paid. Exciting things are in the works. Read more...
    sleze
    Meh. None of my credit cards have pins. I always sign. Read more...

    Amazon Pricing Needed Serious Optimization, As It Sold A $3 Billion Win98 CD-ROM

    Lee
    What ended up on Brian Klug's charge card? Read more...
    Blue Bird
    How would one react to a $ 1.5 million shoe on Amazon! (Yes, we have captured it.) Read more...

    A Look at PCI in 2010

    Janice Gaines
    Anyone else here reading “I.T. WARS”? I had to read parts of this book as part of my employee orientation at a new job. The book talks about a whole new culture as being necessary – an eCulture – for a true understanding of security, being that most identity/data breaches are due to simple human errors. Read more...
    Dave CISA/M/SP
    Is anyone seeing movement towards revoking the "free pass" for transferring data unencrypted over private networks? In both Heartland and Hannaford data was being sniffed "on-the-fly". Will the continuing trend towards malware-based data collection attacks drive the council to consider requiring the encryption of data "in flight"? Read more...

    When It Comes To PCI Compliance, Franchisors Are Screwed

    PoS Manager
    There's so much involved with compliance. Just because the PoS software is PA-DSS, doesn't mean the entire hardware solution is. Just because the physical devices are, doesn't mean the user is using 'best practices' and eating the PCI dogfood. Read more...

    MasterCard Blinks, Drops Dec. 31 Level 2 PCI Deadline

    Dave CISA/M/SP
    Reciprocity between MasterCard and Visa was always been a factor in Acquirer merchant level assignments. The brief removal of reciprocity generated a great deal of interest in being able to be classified at a lower level in MasterCard's world. Nevertheless the return of the reciprocity language in the December changes did not effectively create any new Level 2 merchants, but it DID dash the hopes of a lot of them.... :-( Read more...
    Cranston Snoard
    Let's given them credit??? For being idiotic in the first place? Not on your life! Everyone has just had to scramble and include the costs of the previously announced M/C requirement in their 2010 budgets, and start negotiating with the QSAs for the additional services. All for naught! Read more...
    Dave CISA/M/SP
    "A bunch of Level 3 and Level 4 merchants just became Level 2s". Is this an accurate statement? MasterCard & Visa have historically included the caveat "or is a Level X in another brand" in their level setting criteria. MasterCard appeared to back way from this in the June pronouncement, and have simply returned to the status quo. Have Acquirers have been tracking and reporting merchants at separate levels by brand? Read more...
    Walt Conway
    I stick by my comment (quoted in the column) about a bunch of L3 and L4 merchants becoming L2s and requiring an onsite. To me, what made MasterCard's original requirement for an onsite assessment for L2s palatable was that they took away their reciprocity provision. That is, they seemed to focus on larger merchants with over a million MasterCard trans/year. With reciprocity in place, a lot of smaller merchants are pulled into the onsite requirement. Rather than causing confusion, I think reciprocity will lead to additional work for processors and acquirers. Read more...

    Why Are You More Afraid Of A QSA Than A Cyberthief?

    Biff Matthews
    I believe the issue is one of expense, the known absolute expense of addressing an assessor's finding versus the unknown and possibly no expense if a breach does not occur. What is the probability of being breached, therefore the cost versus the cost of implementing greater security that may or may not be breachable. Read more...
    Ryan Barnett
    I work for Web Application Firewall (WAF) vendor Breach Security and I couldn't agree with you more about the unfortunate *gotcha* related to merchants attempting to address Requirement 6.6 by deploying a WAF however they never move into an actual blocking configuration. The intent of 6.6 is Remediation and if you aren't blocking with your WAF then you missed the point. Read more...

    Windows File Deletion: Going, Going, Still There

    PCI Guy
    Sadly, the clueless folks at the PCI Security Council don't understand how modern file systems work, and they have been stupidly requiring software developers to "securely delete" sensitive data. The thing is, that's not really possible, and the old technique of overwriting confidential data multiple times simply generates a few more allocated disk sectors, while leaving the original "confidential" data untouched. Read more...

    Instant Credit Income Verification: A Retail IT Migraine On The Horizon?

    Chris Phillips
    The requirements to consider income and liabilities is certainly a huge impediment to instant issue credit cards. Thoughtful concerns have been and are being lodged with the Fed. These rules (to me) seem to be solutions in search of a problem. Failure of consumers to repay private label credit cards did not cause the current crisis. Mortgage companies are now required to verify income, which seems somewhat more on target. Read more...
    James Loar
    This would be a great means to kill off the credit concept and force people to only buy what they can afford - in cash. Maybe that's the real goal? Read more...

    Blackberry NFC Trial Getting Pushy

    Cranston Snoard
    So how would this impact fraud detection routines? Could I use my PayPass card at one location and my spouse using my "tagged" Blackberry at another store next door? Read more...

    The Corporate Travel Card PCI Challenge

    Jay Libove, CISSP, CIPP
    I realize that the question ultimately lies in who has the liability for damages caused to an information security breach of a 'corporate card' program? If the "cardmember" rules which apply to a corporate card lay all of the liability with the business on whose behalf the cards are issued, then the card brands have little standing to impose PCI DSS, as the card brands have little to lose. Read more...
    Jay Libove, CISSP, CIPP
    The question ultimately lies in who has the liability for damages caused to an information security breach of a 'corporate card' program? If the "cardmember" rules which apply to a corporate card lay all of the liability with the business on whose behalf the cards are issued, then the card brands have little standing to impose PCI DSS, as the card brands have little to lose. Read more...

    The E-Commerce SEO Game May Soon Have To Deal With Page Load Speed

    surfvoucher
    I'm not going to believe that just by having a faster site than my competitors I'll rank over them. I personally believe that what google is saying is that if you have a site slower than the average you might get some sort of penalization in your rankings. Read more...

    In The M-Commerce Page Load World: Target, Sears Slow; Amazon, QVC Fast

    Jack Taylor
    The Target vs. Amazon results are really interesting, seeing as how Amazon runs Target's site. Looks like someone missed some clauses in the contract on performance. Read more...

    The E-Commerce SEO Game May Soon Have To Deal With Page Load Speed

    Adam Brown
    Very often performance is overlooked when specifying a web application and is often thought about at the end of the development process when it’s too late or expensive to do anything about. Perhaps now when the benefits of having a high performance web app have a direct impact on bottom line performance will become something that designers and engineers look at from the beginning. Read more...

    A Chilling Reminder Of The Internal Security Threat

    A reader
    Clearly a systems-based internal theft these days could do a lot more than empty a few tills of their change funds. But how often is it really happening, and how will we ever know unless Loss Prevention departments start publishing their figures? Read more...

    Black Friday, By The Numbers

    Doron Levy
    Wow, I'm not sure if this story is good or bad news. Looks like online retail will be the shining star this holiday season as the numbers at the physical store aren't so full of good cheer. This story also confirms what we already know, Amazon is a key player in online shopping and they set the standard for customer experience. I believe that this seasons results will change the way Black Friday is deployed next year. Read more...

    The Best Way To Stop Marketing From Getting Around IT: Teach 'Em

    bill bittner
    There is nothing worse than the marketing side over promising and the supply side under delivering. I agree the new media present challenges, but I think your analysis under estimates the coordinating function of IT. The IT department does not only implement individual projects, they are often the ones who know what both the left and the right hands of an organization are trying to do and can coordinate business processes in addition to technology. Read more...

    Retailers Sue POS Vendor, Questions Raised Where PCI Duties Stop

    A reader
    I would add a couple more questions: "did the breach involve the use of the default passwords?" (The story doesn't say.) And "were the default passwords used by Computer World to remotely administer the store systems?" "where is the PCI auditor in all this?" Did the restaurant group think they didn't need an audit because Radiant was (mis)representing Aloha as PCI compliant? How is a retailer or even a PCI auditor to know otherwise? A PCI auditor is not necessarily a qualified computer forensic investigator capable of finding the card data on the hard drives. They can only base a decision on information given to them by others. Read more...
    David Dorf
    There are so many holes in the process it will be difficult to pin blame on just one constituent. It is ridiculous that the technology exists to better secure these transactions (PIN, EMV, etc) yet banks won't use them. Only the banks or government can force this change, and retailers will suffer until then. Read more...
    Jim Janke
    A major issue in this case will be if the restaurants had any support agreements in place with Computer World and if so what those agreements say. In my experience many single unit/small operators choose to skip the support agreements in favor of a "pay as you go" arrangement. In this scenario I can't imagine how the POS VAR can be held responsible for a system they don't own nor exclusively manage. Read more...
    Steve Sommers
    There is a big difference in having the POS installation guide say "make sure you set this password because the security of your CHD depends on this" vs. a POS application not storing the CHD in the first place. Traditionally only the merchant was liable for breaches and PCI related fees (fines). Maybe dragging some of the vendors into the liability mud fight will open the eyes of some of these vendors. Read more...

    PCI Human Train Wreck Coming Next Year For Level 2s

    John Bailey
    This is retail, folks. Year end deadlines are really unacceptable and should be moved to mid-year...July 31st for example. If you're like my company....nothing can happen in the last 6 weeks of the year as we lock down for the holidays. These people totally have their heads in the sand. Read more...
    Walt Conway
    I am regularly mystified by how particular dates get picked by the PCI Council and other bodies. For example, what's special about June 30 for replacing WEP encryption (or the March 31, 2009 end date for new WEP applications) or October for the updated DSS? But these really pale compared to the year-end date chosen by MasterCard which conflicts with seasonal system freezes...including their own! Read more...
    Gray Taylor
    Not surprisingly, some acquirers are questioning the veracity of the relaxation of "reciprocity". Is there anything in the public domain from MC to substantiate this? I have been constantly surprised at the lack of knowledge about retailing exhibited by those setting mandates (cost burdens to be added to timing issue). Acquirers are in the same boat as merchants - not knowing/understanding what is coming down the pipe next. Only recourse is to get involved in the process and get vocal! Read more...

    Should Credit Card Transactions Be Free? There May Be A Way

    Mathieu
    Here in the Netherlands, where the population is notoriously penny-pinching, credit card acceptance is amazingly low. It's both a result of the consumer not wanting to pay interest on everyday purchases as well as merchants not giving up a slice of the action. It is both legal and common to pass the processing fee onto the customer as a surcharge. Now things are moving to leave the credit cards behind: mobile phone payments are becoming more and more common here, and the transaction fees are minimal. Parking and entertainment (movie/concert tickets, nightclubs) have been amongst the first, and it's rapidly gaining momentum because the market has been hungry for the convenience at a price it is willing to pay. Read more...
    Trey Gourley
    "Free" is an illusion. Don't charge one person but charge double to someone else. I am very skeptical on anyone who says that advertising will create valid cashflow. Just look at the advertising struggles in a TiVo world. And if you sell your customers data, just be warned that the one group that might have issue with that are you customers (which to me is very important to cashflow. Read more...
    Jestep
    Another factor not mentioned here is the impending costs that the processors and issuers are going to incur when someone decides on an end-to-end encryption method, and it then becomes government mandated. I can guarantee that this is a when question and not an if question. The back-end networks are pretty antiquated right now, and it's going to cost billions to replace everything. The cost of tech may be going down, but the cost of replacing millions of servers and hardware, and creating new, proprietary, software is still really expensive. Read more...
    Dan Stiel
    Accepting credit cards are not "risk-free" for merchants, contrary to Jim's comments above. Chargebacks are an expense - both in terms of actual transaction reversals and costs associated with managing the process. Chargeback rules and expenses can be everything from a thorny issue to an onerous expense for some merchants, especially for convenience stores that allow customers to pay for gasoline at the pump, or other retailers that allow in-store self-checkout options. Read more...
    Bryan Larkin
    I've wondered for years why the price of transactions has been so high. Phone companies long ago started offering unlimited calling for flat rates because they understood that in many cases it cost more to report on the transactions (calls) than it did to fulfill them. Read more...
    Todd Michaud
    If a home-owner defaults on the mortgage, who is taking the risk? The bank making the loan to the consumer or the person selling the house? It is obviously the bank that takes this risk and is rewarded for that risk through interest rate charges. In my mind, we have mixed together two distinct and unrelated transactions. Read more...
    Jim Johnson
    The one big factor not mentioned in this article is who will take over the risk ? Taking credit cards is risk free to merchants and the issuing Banks take the risk if a customer defaults on the payments ! If you had a "interchange free" payment system will the merchants assume the risk ? Also, if there isn't enough profit for the issuing banks they will stop issuing credit cards which will in turn kill our economy. Read more...

    A&P Opts For 2-Way CRM Strategy With Digital Coupons

    bill bittner
    The A&P and Zavers approach to POS discounts makes all the sense in the world. Even though it is still a long way off, retailers must begin preparing for the long term separation of their marketing and distribution roles. The Internet will become the key marketing vehicle and the store will continue to focus on its distribution role. Read more...

    MasterCard Goes Mobile With Chip-And-PIN Displays

    Mike Lyons
    I concur Mr. Mahoney. Any safeguards in place to prevent money laundering through virtual bank accounts and unlicensed money remitters? Read more...
    Tom Mahoney
    Just what we all need, another big security hole for the bad guys to get into. Read more...

    The Dangerous Out-Of-Scope PCI Charade

    Steve Sommers
    If tokens are ever deemed in-scope, then where does the line stop? I ask this because it would mean that all timestamps, sequential number, random numbers or any other piece of information that may or may not be used to generate a token is within scope -- all data a POS uses and stores, not just payment data. Read more...
    Mark Bower
    Having the ability to do both Tokenization and End to End Encryption (not mere point to point) can have tremendous scope and risk reduction benefits and agility to adapt to change in this fast moving compliance landscape. Being able to have both on tap from a single platform is a solid approach to avoiding the pitfalls. Read more...
    Evan Schuman
    But the consumer walks into a particular retail chain, gives their payment card to someone wearing that chain's uniform and the card is swiped. If, six months later, there's a breach and that card was misused, it's the retailer who will in the spotlight. They're the deep pocket and, therefore, the target. If the consumer is angry and wants to cut off business, it will hit the retailer. Therefore, if the retailer is going to end up being blamed no matter what, they have to stay involved. Read more...
    Kevin Thompson
    True, that someone may be storing a token-to-PAN cross reference. But that would be the bank, not the retailer. If the bank is not sure they can keep their data secure, then there are bigger problems to be addressed than bringing tokens into scope. Read more...
    Evan Schuman
    Good general point, Steve, but for the record, not all tokenization is done the same way. Many tokens are associated with lookup lists that allow for them to re-matched to the card data if it's needed, such as for a chargeback. A token doesn't have to be decryptable (is that a word?) for there to be a way to access the original data. Read more...
    Steve Sommers
    The out-of-scope argument is very valid but in reference to tokens, the premise of temporarily out-of-scope or abruptly deemed in-scope is flawed. Conway was quoted “anything that could be made unreadable can, in various ways, be made readable again,” this statement is true when talking about encryption technologies (all encryption technologies) but not so with true tokens. True tokens are in no way related to the original data other than as a reference key. Read more...

    Retailers Urge Supreme Court Smackdown Of Process Patents

    staff
    Patents may only be issued on novel inventions, meaning if it existed before you discovered/created it, it cannot be patented. If a patent should be issued in spite of a lack of novelty, it will be invalidated in court if an accused infringer can provide proof that the invention was not novel. Read more...