Tuesday, March 30, 2010

Aberdeen Group Recommends End To End Encryption to All Merchants

In November 2009, Aberdeen Group published their research paper titled, “The 2009 PCI DSS and Protecting Cardholder Data Report.”

Some of the key findings include:

• While there have been years with a minimal number of cards breached, the number of incidents continues to rise virtually every year, and the number of cards compromised also continues to trend upward.

• In a survey of 1/3 large retailers (revenue >$1B), 1/3 mid-size retailers (revenue between $50M and $1B) and 1/3 small retailers (revenue less than $50M), the best-in-class retailers spent $135,000 in annual PCI compliance costs while all others spent $300,000. The reason the best-in-class retailers had lower annual PCI compliance costs was their adoption of technologies.

• “Similarly, with protecting cardholder data, the most effective way to protect it is not to block the attacker, but to take away the attacker’s target. While all companies should do a better job of leveraging … (technologies)… to protect cardholder data in the here and now, they should also pay close attention to collaborations between payment processors and technology solution providers to promote alternatives such as end-to-end encryption and tokenization for the elimination of stored cardholder data altogether.”

• A full copy of this study may be found here.

Monday, March 29, 2010

Aite Group: E2EE is the best fraud protection technology available today

Aite Group published a report in March 2010, titled “Card Fraud in the United States: The Case for Encryption.” The full report is only available for purchase, but some of the key highlights are below:

• Aite Group estimates that the total cost of fraud in the United States is $8.6 billion per year, or 0.4% of the $2.1 trillion card payment industry. Of that total, just 15.9%, or $1.35 billion, represents counterfeit card fraud, only 0.06% of annual card transaction volume.

• Those seeking to mitigate card fraud today should focus on encryption technologies, cutting off the source of card data for the carding networks.

• Upgrading card technology to EMV chip cards in the United States will not occur while U.S. issuers and networks remain married to signature interchange. Fraud has not stopped since the introduction of EMV in the UK, but the type of fraud has shifted.

• The report looked at three broad categories of solutions to combat fraud today: requiring additional information as part of the authorization, devaluing the magnetic stripe data, and deploying higher-level card technology.

• The following technologies were looked at as ways to require additional information as part of the authorization message to reduce fraud:
o Address Verification Service
o Card Security Code
o 3D Secure
o Physical 2 Factor Token

• For devaluing magnetic stripe data, the following technologies were studied:
o End to End Encryption
o Dynamic Card Data
o Magnetic Stripe Fingerprinting

• Two technologies were reviewed for deploying higher-level card technology:
o Contactless

• Of these technologies, end-to-end encryption would have the greatest impact on reducing fraud. Aite Group states: “End-to-end encryption, if fully implemented nationally, would be likely to prove extremely effective in reducing counterfeit and card-not-present fraud, materially impacting the availability of U.S. card data on the black market. Carding gangs would be forced to turn to easier pickings in less well-armored countries. We estimate that a national E2EE deployment would cut 90% of card-not-present and counterfeit cards in the United States.”

• Based on the…degree of fraud elimination, time to return on investment, time for deployment and the level of friction to adoption, end-to-end encryption provides the most thorough and feasible form of card fraud prevention today. Deployment costs would fall primarily on merchants, but this may be seen as acceptable in the context of removing some key areas of liability within the PCI DSS framework. Payback would take less than a couple of years, approximately the same time as deployment.

80% of Retailers believe E2E Encryption is very important in protecting customer information.

Retail Systems Research recently published “Building Trust and Growing the Brand: The Role of Privacy and Security in Retail 2010” (March 2010). In the report:

Eighty-eight percent consider firewalls to be very important technology enablers to protecting the customer’s security across the entire enterprise, while 80% ascribe the same value to encrypting data at every point in its movement through their organization.

The full study can be downloaded here.

QSAs Recommend End to End Encryption for Cardholder Data Protection

The Ponemon Institute recently published a study on PCI compliance titled “PCI DSS Trends 2010: QSA Insights Report.” Published in March 2010, the study surveyed 155 QSAs worldwide for their opinions on PCI compliance, PCI compliance costs, and encryption technology. Some of the more interesting findings include:

• Encryption is the favored technology for achieving end-to-end cardholder data protection. 60 percent of QSAs believe encryption is the best means to protect card data end-to-end, compared to 35 percent for tokenization.

• Cost of annual audits averages $225,000 for the largest merchants. Excluding technology, operating, and staff costs, the world’s largest acceptors of credit cards (also known as Tier 1 merchants) are spending an average of $225,000 on auditor expenses. 10 percent of these businesses are spending $500,000 or more annually on PCI auditors. Annual auditor spend by Tier 1 retailers broke down as:
o 15% <$100k
o 39% $101k - $200k
o 27% $201k - $300k
o 5% $301k - $400k
o 4% $401k - $500k
o 10% >$500k

• Almost half of the QSAs surveyed do not think their clients believe that PCI DSS improves data security. The results shown below are for the statement, "Clients don't believe PCI DSS improves data security":
o 21% Strongly Agree
o 23% Agree
o 15% Unsure
o 19% Disagree
o 18% Strongly Disagree

• When asked what are the most effective technologies for achieving PCI DSS compliance, 3 of the 4 top answers are encryption. The top 4 answers were:

1. Firewalls

2. Encryption for data at rest

3. Encryption for data in motion

4. Endpoint encryption solutions

• The QSAs surveyed ranked merchant networks as the systems most at risk for a cardholder data breach, followed by merchant databases and POS systems. End-to-end encryption can protect cardholder data in each of these merchant systems. The rankings were:

51% Merchant Networks

43% Merchant Databases

33% Point of Sale Systems

30% Payment Applications

• When asked how to best protect cardholder data, encryption was the choice of 51% of QSAs.
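The principle that runs through these reports, Aberdeen’s “take away the attacker’s target” and the QSAs’ ranking of merchant databases and POS systems as the places most at risk, can be made concrete with a small simulation. The following is an added example, not code from any of the cited reports or from a real payment processor: it models a POS that swaps the PAN for a random token at capture time, a token vault that lives with the processor rather than the merchant, and a merchant ledger that then holds nothing a database dump can turn into a card number. The vault layout, the `tok_` prefix and the ledger fields are assumptions; the three PANs are standard industry test numbers, constructed for the demo.

```python
from __future__ import annotations

import secrets

# Constructed sample PANs (industry test numbers, not real accounts).
SAMPLE_PANS = ["4111111111111111", "5500000000000004", "340000000000009"]


def luhn_valid(pan: str) -> bool:
    """Luhn check: true for a well-formed PAN. Used below to recognise card numbers in a dump."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, fold >9 back to one digit
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Token-to-PAN mapping held by the payment processor, outside the merchant environment.
    Hypothetical design: the reports name tokenization but do not specify a vault layout."""

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}
        self._pan_to_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not pan.isdigit() or not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        if pan in self._pan_to_token:  # same card, same token: repeat-customer reporting still works
            return self._pan_to_token[pan]
        while True:
            token = "tok_" + secrets.token_hex(16)  # random: nothing about the PAN is derivable from it
            if token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the processor can map a token back; the merchant never calls this."""
        return self._token_to_pan[token]


class MerchantDatabase:
    """Sales ledger inside the merchant environment, the system the QSAs ranked second most at risk."""

    def __init__(self) -> None:
        self.rows: list[dict[str, str]] = []

    def record_sale_unprotected(self, pan: str, amount_cents: int) -> None:
        # The 'before' picture: the raw PAN is stored alongside the sale.
        self.rows.append({"card": pan, "amount": str(amount_cents)})

    def record_sale_tokenized(self, token: str, last4: str, amount_cents: int) -> None:
        # The 'after' picture: only the token and a display fragment reach the ledger.
        self.rows.append({"card": token, "last4": last4, "amount": str(amount_cents)})


def point_of_sale(vault: TokenVault, db: MerchantDatabase, pan: str, amount_cents: int) -> str:
    """POS step: exchange the PAN for a token at capture, then persist only the token."""
    token = vault.tokenize(pan)
    db.record_sale_tokenized(token, pan[-4:], amount_cents)
    return token


def pans_recoverable(db: MerchantDatabase) -> list[str]:
    """What a dump of the merchant ledger yields: every stored field that is a Luhn-valid 13-19 digit PAN."""
    found = []
    for row in db.rows:
        for value in row.values():
            if value.isdigit() and 13 <= len(value) <= 19 and luhn_valid(value):
                found.append(value)
    return found


if __name__ == "__main__":
    vault, before, after = TokenVault(), MerchantDatabase(), MerchantDatabase()
    for pan in SAMPLE_PANS:
        before.record_sale_unprotected(pan, 2500)
        point_of_sale(vault, after, pan, 2500)
    print("unprotected ledger leaks:", pans_recoverable(before))
    print("tokenized ledger leaks:  ", pans_recoverable(after))
```

The point of `pans_recoverable` is that it is run against the merchant database alone: once the ledger holds tokens, the same dump that exposed every PAN in the unprotected ledger exposes none, which is what “eliminating stored cardholder data” means in practice. The processor-side vault becomes the one place worth protecting, and the PCI scope of the merchant systems shrinks accordingly.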

• A full copy of the study can be found by registering here.