<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-3354771926319415325</id><updated>2012-02-16T02:56:28.882-08:00</updated><category term='TJX'/><category term='PIN Translation'/><category term='California Financial Code'/><category term='Mobile Payments'/><category term='RSR'/><category term='Legislation'/><category term='Chip and PIN'/><category term='Payment Trends'/><category term='Visa'/><category term='VeriShield Protect'/><category term='Visually Impaired'/><category term='NFC'/><category term='ADA'/><category term='DOJ'/><category term='7/1/10'/><category term='Aberdeen'/><category term='Encryption'/><category term='Security'/><category term='ISIS'/><category term='HSM Attack'/><category term='PCI-DSS'/><category term='Congress'/><category term='Level 4'/><category term='PCI Compliance Costs'/><category term='PABP'/><category term='PIN Breach'/><category term='EMV'/><category term='Ponemon Institute'/><category term='Mobile Paymenrs'/><category term='Remote Key Injection'/><category term='Compliance'/><category term='HSM'/><category term='Aite'/><category term='Card Fraud'/><category term='RSPA'/><category term='Cyber Security'/><category term='skimmer'/><category term='laws'/><category term='Nevada'/><category term='American Council for the Blind'/><category term='RKI'/><category term='Hannaford'/><category term='Mercator'/><category term='PCI'/><category term='E2E'/><category term='DUKPT'/><category term='check'/><category term='Dealers'/><category term='MasterCard'/><category term='FBI'/><category term='PIN'/><category term='PIN Transaction Security'/><category term='TDES'/><category term='Compliance Costs'/><category 
term='PCI DSS'/><category term='PIN Pad'/><category term='PCI SSC'/><category term='Best Practices'/><category term='Google'/><category term='PTS'/><category term='Malware'/><category term='iPhone'/><category term='FTC'/><category term='American Federation for the Blind'/><category term='QSA'/><category term='Visa PED'/><category term='SDP'/><category term='PA-DSS'/><category term='Breach'/><category term='PCI PED'/><title type='text'>Retail Payments</title><subtitle type='html'></subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://retailpayments.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://retailpayments.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>JeffW</name><uri>http://www.blogger.com/profile/07664835499291761742</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_7AggRZ-dDao/Siz7ekszWTI/AAAAAAAAAAo/ntL6xrrW0sQ/S220/Jeff+Wakefield.jpg'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>49</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-3354771926319415325.post-7210126987983354718</id><published>2011-11-28T04:35:00.000-08:00</published><updated>2011-11-28T04:36:41.986-08:00</updated><title type='text'>What the JCP CEO learned building the Apple Retail stores</title><content type='html'>What I Learned Building the Apple Store&lt;br /&gt;• By Ron Johnson  &lt;br /&gt;• November 22, 2011  |  &lt;br /&gt;• 10:41 am  |  &lt;br /&gt;• http://www.wired.com/epicenter/2011/11/ron-johnson-apple-store/all/1 &lt;br /&gt;&lt;br /&gt;When I 
announced that I was leaving Apple to take the reins as CEO of J.C. Penney this month, the business press (and lots of others) began speculating about whether I could replicate the Apple Store’s success in such a dramatically different retail setting. One of the most common comments I heard was that the Apple Store succeeded because it carried Apple products and catered to the brand’s famously passionate customers. Well, yes, Apple products do pull people into stores. But you don’t need to stock iPads to create an irresistible retail environment. You have to create a store that’s more than a store to people.&lt;br /&gt;People come to the Apple Store for the experience — and they’re willing to pay a premium for that&lt;br /&gt;Think about this: Any store has to provide products people want to buy. That’s a given. But if Apple products were the key to the Stores’ success, how do you explain the fact that people flock to the stores to buy Apple products at full price when Wal-Mart, Best-Buy, and Target carry most of them, often discounted in various ways, and Amazon carries them all — and doesn’t charge sales tax!&lt;br /&gt;People come to the Apple Store for the experience — and they’re willing to pay a premium for that. There are lots of components to that experience, but maybe the most important — and this is something that can translate to any retailer — is that the staff isn’t focused on selling stuff, it’s focused on building relationships and trying to make people’s lives better. That may sound hokey, but it’s true.&lt;br /&gt;The staff is exceptionally well trained, and they’re not on commission, so it makes no difference to them if they sell you an expensive new computer or help you make your old one run better so you’re happy with it. Their job is to figure out what you need and help you get it, even if it’s a product Apple doesn’t carry. 
Compare that with other retailers where the emphasis is on cross-selling and upselling and, basically, encouraging customers to buy more, even if they don’t want or need it. That doesn’t enrich their lives, and it doesn’t deepen the retailer’s relationship with them. It just makes their wallets lighter.&lt;br /&gt;So the challenge for retailers isn’t “how do we mimic the Apple Store” or any other store that seems like a good model. It’s a very different problem, one that’s conceptually similar to what Steve Jobs faced with the iPhone. He didn’t ask, “How do we build a phone that can achieve a two percent market share?” He asked, “How do we reinvent the telephone?” In the same way, retailers shouldn’t be asking, “How do we create a store that’s going to do $15 million a year?” They should be asking, “How do we reinvent the store to enrich our customers’ lives?”&lt;br /&gt;It’s not easy, of course. People forget that the Apple Store encountered some bumps along the way. No one came to the Genius Bar during the first years. We even had Evian water in refrigerators for customers to try to get them to sit down and spend time at the bar. But we stuck with it because we knew that face-to-face support was the very best way to help customers. Three years after the Genius Bar launched, it was so popular we had to set up a reservation system.&lt;br /&gt;There isn’t one solution. Each retailer will need to find its own unique formula. 
But I can say with confidence that the retailers that win the future are the ones that start from scratch and figure out how to create fundamentally new types of value for customers.&lt;br /&gt;This blog post was first published on the HBR Online Forum, The Future of Retail.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3354771926319415325-7210126987983354718?l=retailpayments.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://retailpayments.blogspot.com/feeds/7210126987983354718/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://retailpayments.blogspot.com/2011/11/what-jcp-ceo-learned-buildin-apple.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/7210126987983354718'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/7210126987983354718'/><link rel='alternate' type='text/html' href='http://retailpayments.blogspot.com/2011/11/what-jcp-ceo-learned-buildin-apple.html' title='What the JCP CEO learned buildin the Apple Retail stores'/><author><name>JeffW</name><uri>http://www.blogger.com/profile/07664835499291761742</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_7AggRZ-dDao/Siz7ekszWTI/AAAAAAAAAAo/ntL6xrrW0sQ/S220/Jeff+Wakefield.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3354771926319415325.post-5489361706817892282</id><published>2011-11-23T06:42:00.001-08:00</published><updated>2011-11-23T06:42:37.306-08:00</updated><title type='text'>Winning the battle for mobile at the retail POS</title><content type='html'>November 22, 2011&lt;br /&gt;&lt;br 
/&gt;http://www.ababj.com/tech-topics-plus/winning-the-battle-for-mobile-at-the-retail-pos-2481.html&lt;br /&gt;&lt;br /&gt;The last year has seen a proliferation of digital wallet announcements, pilots, and launches, some of them promising to reshape the way consumers shop at brick-and-mortar stores. &lt;br /&gt;&lt;br /&gt;Banks should respond by throwing their weight behind near field communication technology, according to a recent Celent report. Despite many reservations, such as availability of handsets, required infrastructure investments, and ongoing business model debates with the [mobile network operators], NFC offers the best opportunity for banks, other incumbents, and their partners to remain the architects of a redefined retail point of sale landscape.&lt;br /&gt;&lt;br /&gt;“This isn’t just about NFC,” says Zilvinas Bareisis, senior analyst with Celent’s Banking Group and author of the report. “If banks play their cards right, NFC-based solutions offer them an opportunity to remain in control of merchant and consumer relationships. The alternative vision of commerce promoted by cloud-based mobile wallet providers, such as PayPal, is a lot less appealing to banks and other incumbents.”&lt;br /&gt;&lt;br /&gt;The report investigates what it takes to bring mobile solutions to the retail point of sale. Key findings include:&lt;br /&gt;&lt;br /&gt;• Over the last 12 months or so, there has been a considerable increase in the buzz around mobile and electronic wallets in the developed markets. New wallets have been launched (e.g., Google Wallet, AmexServe) with many more companies announcing their intent to compete in this space (e.g., Visa, PayPal, Isis, and others.) A number of industry leaders proclaimed (again) the end of physical wallets.&lt;br /&gt; &lt;br /&gt; &lt;br /&gt;• Not all digital wallets are the same. Some are better suited for money transfers and m-commerce, while others aim to bring mobile to the physical retail point of sale. 
The latter type is the focus of this report.&lt;br /&gt; &lt;br /&gt; &lt;br /&gt;• Celent's research and analysis indicate that the battle for mobile at the retail point of sale is being fought along four major domains:&lt;br /&gt; &lt;br /&gt; &lt;br /&gt;1. POS communication technologies: Which technologies should be used to communicate the payments credentials to the merchant's POS: NFC vs. QR codes vs. sound-based data transfers, etc.?&lt;br /&gt;&lt;br /&gt;2. Secure element location: Where should the payments credentials be stored—inside the phone (with further options) vs. the cloud?&lt;br /&gt;&lt;br /&gt;3. Payment account: Which account is going to be used to settle with the merchant—card vs. bank account vs. mobile network operator vs. a new scheme, etc.?&lt;br /&gt;&lt;br /&gt;4. Wallet interface and service provision: Whose app will the customer use more—the one offered by the wallet provider or by the provider of the payment credentials?&lt;br /&gt; &lt;br /&gt; &lt;br /&gt;• There will be multiple competing wallets at the retail point of sale with customers being the ultimate judges of their success. Celent believes that anyone launching a mobile wallet should think along the following categories:&lt;br /&gt;&lt;br /&gt;1. Wallet as a consumer product—availability, distribution, branding, customer service, etc.&lt;br /&gt;&lt;br /&gt;2. Availability and management of payment credentials.&lt;br /&gt;&lt;br /&gt;3. Provision of relevant information.&lt;br /&gt;&lt;br /&gt;4. Availability of other, nonpayment services.&lt;br /&gt; &lt;br /&gt; &lt;br /&gt;• The sophistication of features under each of those categories is likely to grow over time. When describing the requirements for a successful wallet, Celent distinguishes between:&lt;br /&gt;&lt;br /&gt;1. Must-have characteristics, such as the wallet openness and ability to load and manage multiple payment credentials.&lt;br /&gt;&lt;br /&gt;2. 
Features that successful wallets are likely to have, such as provision of digital receipts and integration of merchant offers.&lt;br /&gt;&lt;br /&gt;3. Likely future capabilities, such as rule-based auto-selection of a payment mechanism at the time of purchase and ability to load and use other credentials found in most physical wallets today, such as a driver's license, various access cards, etc.&lt;br /&gt; &lt;br /&gt; &lt;br /&gt;• Celent is skeptical that consumers will soon be able to get rid of their leather wallets. However, various new players, particularly cloud-based wallet providers, threaten to take over the banks' relationships with consumers and merchants at the point of sale.&lt;br /&gt;&lt;br /&gt;http://www.celent.com/node/29321&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3354771926319415325-5489361706817892282?l=retailpayments.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://retailpayments.blogspot.com/feeds/5489361706817892282/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://retailpayments.blogspot.com/2011/11/winning-battle-for-mobile-at-retail-pos.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/5489361706817892282'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/5489361706817892282'/><link rel='alternate' type='text/html' href='http://retailpayments.blogspot.com/2011/11/winning-battle-for-mobile-at-retail-pos.html' title='Winning the battle for mobile at the retail POS'/><author><name>JeffW</name><uri>http://www.blogger.com/profile/07664835499291761742</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://4.bp.blogspot.com/_7AggRZ-dDao/Siz7ekszWTI/AAAAAAAAAAo/ntL6xrrW0sQ/S220/Jeff+Wakefield.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3354771926319415325.post-4905576068029715877</id><published>2011-11-23T06:40:00.001-08:00</published><updated>2011-11-23T06:40:48.359-08:00</updated><title type='text'>Building a Mobile App Is Not a Mobile Strategy</title><content type='html'>3:35 PM Monday November 21, 2011 &lt;br /&gt;by Jason Gurwin http://blogs.hbr.org/cs/2011/11/building_a_mobile_app_is_not_a.html &lt;br /&gt;&lt;br /&gt;Everyone wants their own mobile application. In the last year, I have heard this consistently. In fact, mobile analytics firm Distimo claims 91 of the top 100 brands have their own mobile app (up from 51 just 18 months ago).&lt;br /&gt;On the surface this sounds great, right? I can use my big brand name to get people to install my application, and then I can market to them via the palm of their hand whenever I want. If you're a big brand, I have no doubt you will get a ton of downloads. But downloads are a vanity metric; they don't measure success. &lt;br /&gt;Most brands treat their mobile applications as an advertisement. No one wants to download an ad. I've seen it with grocery stores through my experience building a mobile grocery coupon company, Pushpins. They often underinvest in mobile and choose a form-fitted application — a cookie cutter white label that gets the job done but isn't a great solution for their consumers — to quickly get their brand in the hands of shoppers. Then they think it's enough.&lt;br /&gt;Building a mobile strategy is more than just having your own application. It means working with third-party mobile apps, mobile ad networks, and using offline marketing to drive further use in mobile.&lt;br /&gt;Here are four things to remember as you consider a mobile strategy — and some reasons why you should expand your mobile strategy past just your mobile app.&lt;br /&gt;1. 
You don't launch a television station so you can market your brand on television. Imagine you're Dr. Pepper. You want to make sure that everyone knows about your new Dr. Pepper 10 soda. Do you launch Dr. Pepper TV? No! You find television networks and more specifically programs that can reach your relevant consumers. Why? Because even if you did launch your own TV network, it doesn't mean people are going to watch it. Don't build an app just to get downloads; build something people will actually use.&lt;br /&gt;2. Building a mediocre app is just as bad as selling a mediocre product. The power of mobile is that you can interact with a consumer at any moment. However, would you want someone buying your new cereal if it tasted bad? No! They would never buy it again. So why would you want them to download a mediocre mobile app? If you are a billion dollar company, you shouldn't only be investing $50,000 in mobile. It's like airing a bad TV commercial; it will not end in the desired result.&lt;br /&gt;3. It's ok to give up a little bit of control. Control is tempting. I get it. Creating your own app lets you control the message, and you don't have to worry about a third-party partner creating a bad experience for your customers. And yes, there are big brands that have made some amazing mobile applications. But just because you are big and have a brand name doesn't mean that you need to control the customer experience. For instance, P&amp;G sponsored third-party bathroom finder app called "Sit or Squat" to reach Charmin users. Can a toilet paper brand find anything more targeted than this? There are successful third-party mobile apps that can reach your users better than you can. Embrace them.&lt;br /&gt;4. Building your own app is not the only way to reach your consumers. Some people are going to use your app, and others are going to want to use third-party ones. It's like having a website. 
Just because you have your own destination doesn't mean you shouldn't use other channels to build relationships with your customers. United allows Expedia to sell tickets, even though you can book on United.com.&lt;br /&gt;My advice is this: It's ok to have your own app, but your entire mobile marketing strategy should not stop at building one. But if you are going to invest in your own app, make it something that you would want to use. No one wants to download an ad.&lt;br /&gt;Take a deep breath and look at the broader picture. It's ok to give up some control. Third-party apps are going to engage your consumers whether or not you are involved. Why not be a part of it?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3354771926319415325-4905576068029715877?l=retailpayments.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://retailpayments.blogspot.com/feeds/4905576068029715877/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://retailpayments.blogspot.com/2011/11/building-mobile-app-is-not-mobile.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/4905576068029715877'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/4905576068029715877'/><link rel='alternate' type='text/html' href='http://retailpayments.blogspot.com/2011/11/building-mobile-app-is-not-mobile.html' title='Building a Mobile App Is Not a Mobile Strategy'/><author><name>JeffW</name><uri>http://www.blogger.com/profile/07664835499291761742</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://4.bp.blogspot.com/_7AggRZ-dDao/Siz7ekszWTI/AAAAAAAAAAo/ntL6xrrW0sQ/S220/Jeff+Wakefield.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3354771926319415325.post-5633834381058239682</id><published>2011-11-17T03:24:00.000-08:00</published><updated>2011-11-17T03:25:57.196-08:00</updated><title type='text'>Visa helping developers create payment apps</title><content type='html'>Visa helping developers create payment apps&lt;br /&gt;&lt;br /&gt;11/16/11&lt;br /&gt;In an effort to accelerate the development of its payment products, Visa Inc. today announced the launch of its Visa Developer Center. The center's primary purpose is to provide approved application developers with easy access to the tools needed for the creation and deployment of payment applications, said Jim McCarthy, global head of product, Visa, in a company press release.&lt;br /&gt;&lt;br /&gt;The Visa Developer Center offers e-commerce and mobile application developers a pathway to create a seamless online purchase experience for consumers. Whether enabling the purchase of small in-game digital goods or the latest appliance from a big-box retailer, or enabling purchases with Visa's new digital wallet, developers now have access to the application programming interfaces (APIs), simplified documentation, and software development kits needed to make online shopping with Visa fast, simple and secure, the company said.&lt;br /&gt;&lt;br /&gt;"The convergence of Web, mobile and social networks is revolutionizing the way people buy and sell and is driving the creation of new and innovative ways to pay," McCarthy said in the release. 
"The Visa Developer Center ensures that application developers, especially those constructing eCommerce, mobile and social applications, have access to Visa capabilities, while still maintaining Visa's industry-leading security standards."&lt;br /&gt;&lt;br /&gt;The center provides access to the payment expertise, open APIs and development tools offered by Visa and its subsidiaries, CyberSource, Authorize.Net and PlaySpan, McCarthy said. It will enable e-commerce merchants, financial institutions, mobile network operators and gaming developers to integrate Visa payment functionality into their product offerings.&lt;br /&gt;&lt;br /&gt;http://www.mobilepaymentstoday.com/article/187136/Visa-helping-developers-create-payment-apps&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3354771926319415325-5633834381058239682?l=retailpayments.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://retailpayments.blogspot.com/feeds/5633834381058239682/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://retailpayments.blogspot.com/2011/11/visa-helping-developers-create-payment.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/5633834381058239682'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/5633834381058239682'/><link rel='alternate' type='text/html' href='http://retailpayments.blogspot.com/2011/11/visa-helping-developers-create-payment.html' title='Visa helping developers create payment apps'/><author><name>JeffW</name><uri>http://www.blogger.com/profile/07664835499291761742</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://4.bp.blogspot.com/_7AggRZ-dDao/Siz7ekszWTI/AAAAAAAAAAo/ntL6xrrW0sQ/S220/Jeff+Wakefield.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3354771926319415325.post-1335173591182048581</id><published>2011-11-17T02:56:00.000-08:00</published><updated>2011-11-17T02:57:08.629-08:00</updated><title type='text'>Inside Walmart Labs - How the World's Largest Retailer Hopes to Sell More By Getting Social</title><content type='html'>&lt;em&gt;Interesting story about Wal-Mart Labs. This is the division that purchased Grabble. Also interesting in that they are thinking of looking at social media tweets and Facebook posts to determine users' interests, both individually to do targeted marketing and collectively in a geography to do merchandise planning for a store.&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;Inside Walmart Labs - How the World's Largest Retailer Hopes to Sell More By Getting Social&lt;br /&gt;&lt;br /&gt;A Q&amp;A with founder of Kosmix - Walmart reportedly acquired it for $300 Million&lt;br /&gt;By WADE ROUSH, XCONOMY on August 1, 2011 - 10:02 a.m. PDT&lt;br /&gt;&lt;br /&gt;http://www.baycitizen.org/technology/story/inside-walmart-labs/&lt;br /&gt;&lt;br /&gt;One of the most head-scratching tech headlines of April 2011 was the news that Kosmix, a Mountain View, CA-based startup best known for building a Twitter filtering tool called TweetBeat, had been acquired by Walmart. Yes, that Walmart—the one with 9,000 big-box stores spread across the American heartland.&lt;br /&gt;For one thing, Walmart already has a large technology presence right here in the Bay Area: you can see the big “Walmart.com” sign on the e-commerce division’s building from Highway 101 in Brisbane. So it wasn’t clear why the company needed a second Silicon Valley redoubt. 
Even more puzzling, Kosmix’s so-called “social genome” platform, which the company had been applying in areas like news aggregation and categorization, didn’t seem to have much to do with Walmart’s business problems—such as narrowing the gap with e-commerce market leader Amazon, for example.&lt;br /&gt;There was speculation that Walmart’s real interest was in Kosmix’s founders, Venky Harinarayan and Anand Rajaraman, who have unbeatable pedigrees in the world of e-commerce technology. The pioneering comparison shopping site they co-founded in 1996, Junglee, was acquired by Amazon in 1998 for $250 million; inside Amazon, the pair helped to create the e-retailer’s huge marketplace of third-party retailers and came up with the technology behind Amazon Mechanical Turk. Perhaps Walmart—which paid $300 million for Kosmix, according to AllThingsD’s Kara Swisher—wanted Harinarayan and Rajaraman to work similar miracles for Walmart.com?&lt;br /&gt;&lt;br /&gt;Those were the questions on my mind when I drove down to the former Kosmix headquarters, now WalmartLabs, in Mountain View a couple of weeks ago. I talked for about an hour with Rajaraman, who now shares the title of senior vice president of Walmart Global eCommerce with Harinarayan; he’s also an active Silicon Valley investor and writes about his big technology passion, data mining, at a blog called Datawocky. It turned out to be the most extensive interview that either Kosmix founder has given since the acquisition, and I learned a lot about why Walmart thought Kosmix was interesting, and what kinds of capabilities Rajaraman thinks his 70-person team can bring to their new employer.&lt;br /&gt;&lt;br /&gt;A lot of it has to do with unsurprising things like improving the product recommendations that Internet users get when they go to Walmart.com, and tapping shoppers’ smartphones as a marketing channel. 
But Rajaraman also pointed to some more interesting applications for Kosmix’s social genome technology—like monitoring social media conversations in the vicinity of a physical Walmart store for signals about what goods that store should stock.&lt;br /&gt;&lt;br /&gt;But we’ll have to wait a bit longer to see what concrete products, features, or campaigns emerge from the Kosmix acquisition. Rajaraman said his team is hard at work on some features that will likely make their debut before the 2011 holidays. He dropped heavy hints that smartphone apps and an enhanced presence for Walmart on Facebook will figure in the changes somehow, but stayed largely mum about the specifics. “In six to eight months the impact is going to be visible, for sure,” he said.&lt;br /&gt;&lt;br /&gt;Here’s the interview transcript, edited for length.&lt;br /&gt;&lt;br /&gt;Xconomy: What’s the big picture behind Walmart Labs—why would Walmart want a bigger presence in Silicon Valley?&lt;br /&gt;&lt;br /&gt;Anand Rajaraman: Walmart is the biggest retailer in the world, but they are not the number-one player in e-commerce—Amazon is. About a year ago, Walmart decided that e-commerce is a strategic priority. It’s not like they had not been investing in e-commerce, but they said, ‘It’s time to go to the next level.’&lt;br /&gt;When you do that, what’s important is to look at how the world has changed. Are there some assumptions that can be challenged, or some trends that can be used, to leapfrog the 800-pound gorilla in e-commerce?&lt;br /&gt;If you think about the way the world has changed in the last two years, there are two big, disruptive changes that have happened, and one of them is social networking. People are spending more time on Twitter and Facebook and the like. And the other is smartphones. 
For the first time this year, more smartphones were sold in the US than feature phones.&lt;br /&gt;If you put these two things together, they will be as disruptive to retailing as the advent of e-commerce was 15 years ago. The biggest disruptive change in the last century was the development of the highway system, which led to big-box retailing. Then came the invention of the Web. And the third disruption is social and mobile. In each case, the way people shop was changed. The goal of Walmart Labs is to make sure that Walmart is at the forefront of “e-commerce 2.0,” so that we help define it rather than playing catch-up.&lt;br /&gt;&lt;br /&gt;X: Why do you think Walmart was attracted to acquiring Kosmix, specifically, as the nucleus for WalmartLabs?&lt;br /&gt;&lt;br /&gt;AR: It’s a combination of things. The first is the platform we are building. The fundamental technology we were building at Kosmix is called semantic analysis. We understand the meaning of things. If somebody tweeted “I enjoyed Salt,” we would know that it was a movie with Angelina Jolie and not a food. We are applying semantic analysis to social media and trying to understand the connections between people, topics, places, and products.&lt;br /&gt;We map that space, and we call it the “social genome.” We were using it to operate the Tweetbeat site, where you could find out the pulse of what was going on in social media. But if you look at the founders and management team of Kosmix, we have significant e-commerce experience, and it was pretty obvious to us that the social genome we were building had serious applications to e-commerce.&lt;br /&gt;If you think about the evolution of e-commerce, Amazon did a lot of things right, but the key was using the data they gathered about customers to improve the customer experience. Telling you “People who bought this product also bought these other products”—things like that. Still, there are two significant limitations. 
One is that Amazon learns about users only by what they do on-site. The products I purchase are a very small window into me, and sometimes a misleading window. Whereas social media gives a much broader window. If you can, with the user’s permission, understand more about what people are passionate about, you can market to them much more accurately.&lt;br /&gt;The second insight is that we can do this anytime if we put an app on their smartphone. When they walk into a Walmart store, we could tell them, ‘Hey, here is a product that we think you will be interested in.’ It’s the combination of social and mobile with the Kosmix semantic analysis technology that was the attractive thing for Walmart.&lt;br /&gt;&lt;br /&gt;X: Okay, now let me turn the question around. Why would Kosmix want to be part of Walmart? Why would a relatively small, nimble team of Silicon Valley innovators want to work for one of the largest companies in the world?&lt;br /&gt;&lt;br /&gt;AR: What really motivates any technologist is the opportunity to build products that are used by hundreds of millions of people and make a big impact. The thing about Walmart is that we get that opportunity. We have this really big canvas to paint on. Any product we build will instantaneously be used by tens of millions of people.&lt;br /&gt;&lt;br /&gt;X: But in a way, it still surprises me that a bunch of startup guys like yourselves would want to be part of Walmart, which, just by virtue of its size, has got to be a pretty bureaucratic place.&lt;br /&gt;&lt;br /&gt;AR: You’d be surprised. Walmart has been one of the most innovative companies—they practically invented big box retailing, after all. They’ve made huge innovations around the supply chain and merchandising. I teach a class on data mining at Stanford, and interestingly, one of the examples we talk about is from Walmart, which was a pioneer in that space. 
Perhaps the one place where they didn’t innovate as fast as other companies was e-commerce where they clearly were not the leaders. But it would be wrong to say they do not innovate.&lt;br /&gt;&lt;br /&gt;X: What was your company culture like at Kosmix, and how do you think you will fit within Walmart? What place will you have?&lt;br /&gt;&lt;br /&gt;AR: My belief is that one of the best environments for innovation is graduate school. So that is the culture we have at Walmart Labs—it’s freewheeling and somewhat informal, with people yelling at each other, coming up with ideas all the time, having hallway discussions.&lt;br /&gt;Within Walmart, it’s not like we will be the only people coming up with ideas. Walmart has 2.2 million associates, and there are many bright, talented, and committed people that I have had the pleasure of meeting, and they all have many ideas. But we can at least be a way to channel those ideas and bring some of them to reality. We are a place where if somebody has a great idea, they can come tell us.&lt;br /&gt;&lt;br /&gt;X: Are there things you feel you can do to improve the way Walmart functions as a business?&lt;br /&gt;&lt;br /&gt;AR: We talked about [using the social genome and semantic analysis for] building traffic at Walmart.com. Another kind of project we are doing will explain to you some of the scope of WalmartLabs. If you take any specific Walmart store, it lives in a community, and each one is different, and therefore the assortment of products at that store should reflect the needs of that community. So far, it has been a lot of guesswork to make the assortment reflect the community. But one of the things we can do is use semantic analysis to analyze the area around the store and find out what people’s interests are, and use that to influence the store. 
Imagine the impact of that across 9,000 stores with a billion visitors every month.&lt;br /&gt;One of the [other] possibilities is to figure out if there is a new venue for e-commerce outside of Walmart.com. At the end of the day, retail is all about location. People put stores in downtown areas for a good reason. Where are people online these days? They are on Facebook. So stay tuned.&lt;br /&gt;&lt;br /&gt;X: I wrote about Shopkick recently—they have a technology for detecting whether customers are inside a bricks-and-mortar store and delivering digital reward points to their smartphones. Can you imagine bringing that kind of mobile interactivity into Walmart?&lt;br /&gt;&lt;br /&gt;AR: Absolutely. When somebody walks into a store with their mobile, how can we inform them about things that are relevant to them? We have a Walmart mobile app already, and you could imagine simply connecting that with their Facebook account or their Twitter handle and effectively checking them into the store. It could be anything.&lt;br /&gt;At a high level, we are asking what are the best and most innovative ways of connecting customers with products. Can we improve product search using social signals? Can we improve product recommendations? It’s been just two months [since the acquisition] and it takes longer than two months to launch something new. But we are making rapid progress, and I’m sure we’ll be talking very soon about some of the new things that we are working on. We’ll have something interesting for the holidays.&lt;br /&gt;&lt;br /&gt;X: This may be my own chauvinism, but I don’t think of people who shop at Walmart as the most technology-savvy consumers. Are they really an interesting test audience for the social and mobile technologies you’re talking about?&lt;br /&gt;&lt;br /&gt;AR: I had the same thought at first. But if you look at smartphone ownership, Walmart trends roughly with the U.S. population. The same fraction of Walmart shoppers have smartphones as the U.S. 
population in general. Also, roughly the same number of Walmart shoppers have Facebook accounts as in the U.S. population. So in some sense, it’s the ideal test audience. If owning a smartphone or having a Facebook account were limited to early adopters in Silicon Valley, then Walmart shoppers would not be the right demographic—but these things are mainstream now.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3354771926319415325-1335173591182048581?l=retailpayments.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://retailpayments.blogspot.com/feeds/1335173591182048581/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://retailpayments.blogspot.com/2011/11/inside-walmart-labs-how-worlds-largest.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/1335173591182048581'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/1335173591182048581'/><link rel='alternate' type='text/html' href='http://retailpayments.blogspot.com/2011/11/inside-walmart-labs-how-worlds-largest.html' title='Inside Walmart Labs - How the World&apos;s Largest Retailer Hopes to Sell More By Getting Social'/><author><name>JeffW</name><uri>http://www.blogger.com/profile/07664835499291761742</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_7AggRZ-dDao/Siz7ekszWTI/AAAAAAAAAAo/ntL6xrrW0sQ/S220/Jeff+Wakefield.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3354771926319415325.post-3225352272483300115</id><published>2011-11-12T03:58:00.000-08:00</published><updated>2011-11-12T03:59:57.809-08:00</updated><title type='text'>Focusing on the wrong 
benchmark for mobile commerce?</title><content type='html'>&lt;a href="http://www.mobilecommercedaily.com/2011/11/09/focusing-on-the-wrong-benchmark-for-mobile-commerce"&gt;Focusing on the wrong benchmark for mobile commerce?&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;By an MCD columnist &lt;br /&gt;--------------------------------------------------------------------------------&lt;br /&gt;&lt;br /&gt;November 9, 2011&lt;br /&gt;&lt;br /&gt;Anand Raman is vice president of digital programs and resident mobile expert at inStream&lt;br /&gt;By Anand Raman&lt;br /&gt;&lt;br /&gt;A decade after we began talking about mobile commerce, we are still wondering if mainstream adoption has arrived. Here is the short answer: it has.&lt;br /&gt;&lt;br /&gt;So if widespread adoption has taken place, why is there still confusion in the marketplace?&lt;br /&gt;&lt;br /&gt;One reason for the lack of clarity stems from our focus on the wrong benchmark for measuring adoption.&lt;br /&gt;&lt;br /&gt;Hitting the marks&lt;br /&gt;If we judge by the percentage of all U.S. retail sales that take place via mobile commerce or the closely related ecommerce channels, it appears as if both channels are still in their infancy.&lt;br /&gt;&lt;br /&gt;Despite predictions of bricks-and-mortar stores’ demise in favor of transactions executed digitally from consumers’ living rooms, a widespread transformation of ultimate point-of-purchase locations has not taken place.&lt;br /&gt;&lt;br /&gt;Real estate still matters for most retailers. That is not to say that ecommerce and mobile commerce are still in their infancy, however.&lt;br /&gt;&lt;br /&gt;While online sales accounted for only 8 percent of total U.S. 
retail sales in 2010, online content contributed to 48 percent of total sales the same year, suggesting that these channels are indeed widely adopted but are presently being used to satisfy a different consumer need.&lt;br /&gt;&lt;br /&gt;Rather than completing transactions via phone or computer, the majority of U.S. consumers are using digital channels to begin or proceed along their path-to-purchase, educating themselves about products and services before proceeding to make purchases in their preferred retail stores.&lt;br /&gt;&lt;br /&gt;Post-purchase, many consumers use those same digital channels to advocate for brands, sharing their experience with friends and the public at large.&lt;br /&gt;&lt;br /&gt;As a result, it is fair to conclude that digital channels’ influence is significant to many consumer purchases and its adoption widespread even, if at this moment, they are not the channels where the majority of transactions are taking place.&lt;br /&gt;&lt;br /&gt;So what can we expect for the future?&lt;br /&gt;&lt;br /&gt;With mobile Web browsing set to outpace desktop Web browsing by 2013, we can expect to see more consumers using mobile commerce-ready Web sites to accompany them along their path-to-purchase in the near future.&lt;br /&gt;&lt;br /&gt;Will we ever see more than a single-digit percentage of retail sales taking place on mobile channels?&lt;br /&gt;&lt;br /&gt;Absolutely.&lt;br /&gt;&lt;br /&gt;We cannot look to the evolution of ecommerce to project the next steps that mobile commerce will take as they are following different trajectories.&lt;br /&gt;&lt;br /&gt;Right call?&lt;br /&gt;Although initially there were parallels in their development, the smartphone changed the course of both channels.&lt;br /&gt;&lt;br /&gt;The introduction of custom applications for the smartphone diverted resources away from ecommerce, stymieing its growth. 
It also slowed down mobile commerce adoption as retailers and brands had to choose one type of mobile presence over the other or stretch their resources to accomplish both.&lt;br /&gt;&lt;br /&gt;HTML5 will unify these two paths, accelerating the overall growth in mobile commerce.&lt;br /&gt;&lt;br /&gt;The emergence of a walled-garden approach to smartphone custom apps, which made their content inaccessible to mobile search, also inhibited the growth of mobile commerce.&lt;br /&gt;&lt;br /&gt;Today, if consumers search for “Best HDTV deals during Black Friday,” their search results will only include deals available on the Web and will not include the specials available on Best Buy’s app.&lt;br /&gt;&lt;br /&gt;A more integrated search capability that taps the broader universe of mobile content will spur ecommerce growth.&lt;br /&gt;&lt;br /&gt;Finally, myriad differences in mobile phone design – bar, flip, sliders, swivel and mixed – have made it challenging to develop mobile-optimized content.&lt;br /&gt;&lt;br /&gt;The good news is that we are beginning to see more consistency in design that will affect consumers’ ease of use.&lt;br /&gt;&lt;br /&gt;Tips for path-to-purchase&lt;br /&gt;In the end, continued growth in mobile commerce and ecommerce is directly correlated with ease of use.&lt;br /&gt;Consumers expect technology to make their lives easier or, at least, not more complicated.&lt;br /&gt;&lt;br /&gt;To guide consumers through their entire path-to-purchase, including concluding actual sales, retailers should:&lt;br /&gt;&lt;br /&gt;1. Optimize their Web sites and any other program-landing pages for mobile consumption.&lt;br /&gt;&lt;br /&gt;2. Develop smartphone apps that provide consumers with interactive and location-aware content.&lt;br /&gt;&lt;br /&gt;3. Actively support SMS marketing, taking care to provide consumers with a hyperlink in all text messages to lead consumers to branded sites for further engagement. 
Sending plain text messages without the ability to “learn” from consumers’ viewing choices is a waste of resources.&lt;br /&gt;&lt;br /&gt;4. Make it easy – one-click – to complete a transaction on every mobile channel.&lt;br /&gt;&lt;br /&gt;The average time consumers spend browsing on mobile phones is considerably less than that conducted on their PC or laptop counterpart, given the nature of the device.&lt;br /&gt;&lt;br /&gt;Making channels commerce-ready takes advantage of that time-limited window of opportunity to move consumers from consideration to purchase.&lt;br /&gt;&lt;br /&gt;Anand Raman is vice president of digital programs and resident mobile expert at inStream, a cross-channel marketing company based in Boston. Reach him at araman@instreamglobal.com.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3354771926319415325-3225352272483300115?l=retailpayments.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://retailpayments.blogspot.com/feeds/3225352272483300115/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://retailpayments.blogspot.com/2011/11/focusing-on-wrong-benchmark-for-mobile.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/3225352272483300115'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/3225352272483300115'/><link rel='alternate' type='text/html' href='http://retailpayments.blogspot.com/2011/11/focusing-on-wrong-benchmark-for-mobile.html' title='Focusing on the wrong benchmark for mobile commerce?'/><author><name>JeffW</name><uri>http://www.blogger.com/profile/07664835499291761742</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://4.bp.blogspot.com/_7AggRZ-dDao/Siz7ekszWTI/AAAAAAAAAAo/ntL6xrrW0sQ/S220/Jeff+Wakefield.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3354771926319415325.post-8029435738337219420</id><published>2011-11-08T16:59:00.000-08:00</published><updated>2011-11-08T17:01:34.023-08:00</updated><title type='text'>Investment Analysts: Mobile Wallets, NFC Payments May Be ‘Overhyped’</title><content type='html'>PaymentsSource | Tuesday, November 8, 2011   &lt;br /&gt;By Kate Fitzgerald&lt;br /&gt;&lt;br /&gt;LAS VEGAS—Established payment card networks are well-positioned to continue generating profits over the long haul, as long as they continue adapting to changing payments technology, a panel of investment industry analysts told attendees Nov. 3 at the ATM, Debit &amp; Prepaid Forum. But Near Field Communication-based mobile payments and mobile wallets might fall short of expectations, the analysts suggested.&lt;br /&gt;“I think mobile wallet and NFC is getting way too much hype,” Tien-tsin Huang, managing director and senior analyst with New York-based J.P. Morgan Securities LLC, said.&lt;br /&gt;&lt;br /&gt;For NFC-based two-way mobile payments to catch on widely, thousands of larger merchants would need to upgrade their payment terminals to process transactions from mobile devices, and so far there is no compelling reason for them to do so, Huang suggested.&lt;br /&gt;&lt;br /&gt;“Merchants aren’t really incentivized to invest in new terminals, which I think typically have a five-year life cycle,” he said, adding that the payments industry may evolve in other directions even beyond NFC.&lt;br /&gt;&lt;br /&gt;As for mobile wallet initiatives such as Isis and Google Wallet, “all the business models changed within six months,” Huang said, noting that such rapid change is making it difficult for standards to emerge. 
“I think (mobile wallet development) will be pretty slow.”&lt;br /&gt;&lt;br /&gt;While some of mobile payment’s promises are compelling, potential players are struggling over data-capture issues, Huang contended. “Everybody is fighting to see who will own that, and who will own search, at the point of sale,” which may bog down development.&lt;br /&gt;&lt;br /&gt;Payments industry innovators must also avoid overloading consumer payment channels with marketing messages, which is a risk with NFC-based mobile payments enabling marketers to tout customized deals to consumers, warned Glenn Fodor, vice president, senior analyst, New York-based Morgan Stanley.&lt;br /&gt;&lt;br /&gt;“(Targeting marketing) is where we see emerging tech really changing things, whether it’s mobile technology or social media,” Fodor said. “(But) I don’t need six alerts from Starbucks saying that there’s 50% off on a latte. A lot of good stuff going on but (payments players) must manage it properly or people will get turned off,” Fodor said.&lt;br /&gt;&lt;br /&gt;The best mobile payments ideas are those based on what consumers are asking for, said Julio Quinteros, vice president and senior analyst, New York-based Goldman Sachs &amp; Co.&lt;br /&gt;&lt;br /&gt;The effect of combining customer details, preferences, location and payment capabilities in mobile payments could be “much more efficient” than existing payment methods, Quinteros suggests, but he says that evolution may take longer than many anticipate.&lt;br /&gt;&lt;br /&gt;“Ultimately that stuff will take some time to materialize. 
From a numbers perspective, mobile is still small,” Quinteros said.&lt;br /&gt;For payment card networks, the key to growth and profits over the next several years will be continued technological innovation and flexibility, the analysts agreed.&lt;br /&gt;Winners will have “business models that are flexible and can adapt to how the industry changes,” Fodor said, noting that while credit card spending has been on the rise recently, a lot of that payment volume shifted away from debit to credit. “People are respending on existing cards, which is why flexible business models are more attractive” and can help networks and card issuers react to economic and consumer-behavior shifts, he said.&lt;br /&gt;&lt;br /&gt;Observers can expect to see more consolidation among payment industry players, Huang said.&lt;br /&gt;&lt;br /&gt;“Consolidation is going to be on the rise...we’ve seen a lot of it in the last 18 months,” he said, pointing to Visa’s 2010 acquisition of ecommerce specialist Cybersource Corp. as a good example of the way card networks are working to “leverage technology” to capture more data and “get closer to merchants, acquirers and customers.”&lt;br /&gt;&lt;br /&gt;MasterCard, because of its lower market share in credit and debit card transactions and purchase volume, has placed itself in a position to “play more offense than defense with Visa,” Huang said, which bodes well for its prospects. But Visa has very strong long-term profit prospects, he said, especially as its purchase volume continues to grow outside the U.S.&lt;br /&gt;&lt;br /&gt;Amex is also in a relatively strong position to increase profits long-term, given its proprietary network and recent moves to invest in new payment technology, Quinteros said. 
“(Amex) can do things that are definitely advantageous because of how they control their network...with prepaid (cards) and mobile wallet, they are taking all the steps they need to take.”&lt;br /&gt;&lt;br /&gt;Serve, the mobile wallet platform Amex launched in March (see story), “could be a pretty powerful platform for them; that could be the angle for them to participate in cross-border (transactions) where they are missing some,” Huang said. “It feels like (Amex) has some good potential there, it’s just a question of how heavily they want to invest.”&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3354771926319415325-8029435738337219420?l=retailpayments.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://retailpayments.blogspot.com/feeds/8029435738337219420/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://retailpayments.blogspot.com/2011/11/investment-analysts-mobile-wallets-nfc.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/8029435738337219420'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/8029435738337219420'/><link rel='alternate' type='text/html' href='http://retailpayments.blogspot.com/2011/11/investment-analysts-mobile-wallets-nfc.html' title='Investment Analysts: Mobile Wallets, NFC Payments May Be ‘Overhyped’'/><author><name>JeffW</name><uri>http://www.blogger.com/profile/07664835499291761742</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://4.bp.blogspot.com/_7AggRZ-dDao/Siz7ekszWTI/AAAAAAAAAAo/ntL6xrrW0sQ/S220/Jeff+Wakefield.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3354771926319415325.post-1361934730993682173</id><published>2011-10-29T05:33:00.000-07:00</published><updated>2011-10-29T05:34:41.256-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Mobile Payments'/><category scheme='http://www.blogger.com/atom/ns#' term='Google'/><category scheme='http://www.blogger.com/atom/ns#' term='NFC'/><category scheme='http://www.blogger.com/atom/ns#' term='ISIS'/><title type='text'>Isis should be helping Google, for their benefit</title><content type='html'>10/25/11 - Einar Rosenberg&lt;br /&gt;&lt;br /&gt;Recently we’ve been hearing grumblings about how Verizon is blocking the Google Wallet on the upcoming Galaxy Nexus.  One of the arguments is that Isis has a legal lock on any wallet that goes on an Isis carrier.&lt;br /&gt;&lt;br /&gt;But let’s think about this for a second. Isis has no wallet right now; Google does.  Why not let Google do the heavy lifting now, so that Isis can benefit later? Just because you have a mobile wallet means nothing.&lt;br /&gt;&lt;br /&gt;Let's say there was no Google wallet. Isis would be basically alone. It would have to incur, with its partners the expense of promoting and educating the public. It would also have to gather and sell the merchants.  Google can do this now, and save Isis time and expense in doing so. &lt;br /&gt;&lt;br /&gt;So what does Isis have to fear?  It might think, "Oh no, if we let Google in, it will lock up the market on the mobile wallet!"  Sorry, folks, but it's software. And the phones change every year and a half. So the likelihood that any software player will have a lock is basically impossible. &lt;br /&gt;&lt;br /&gt;What about gathering merchants? Would Google have an early edge on locking in merchants? Nope, wrong again.  
In payments, it’s the same Mastercard Paypass that Isis would be using, so getting Google to push for merchants means more locations all ready to use Isis when they do finally have a wallet. &lt;br /&gt;&lt;br /&gt;But what about the value-add like coupons and loyalty that Isis plans to potentially profit from?  With VeriFone/Hypercom becoming the de facto "standardizer," we’re likely to see them define the standards that both Google and Isis can use. The merchants will pick the best of the bunch and not get locked in for 20 years. Technology is moving faster and faster, and with that speed no one will be locking in anything for the near, or long, term future.&lt;br /&gt;&lt;br /&gt;If Verizon simply allows Google Wallet on its network, it gets an edge over any other carrier in the U.S. today. That means a reduction in churn. Verizon also gets Google as a promoting partner to lock in consumers, get them to want mobile payments, get retailers secure on mobile payments, and, therefore, create the perfect situation – at near zero expense. It could have three to five times as many merchants next year accepting mobile payments than it would be if it blocks the Google Wallet.&lt;br /&gt;&lt;br /&gt;Blocking the Google Wallet on the upcoming Galaxy Nexus would be Isis and Verizon shooting themselves in the foot. Let Google have its day. There are multiple wallets to come, all to be carried on a single phone. Google’s ambitions are global, something Isis can never dream of. So there is an advantage to both parties at this point in the early launch days of the mobile wallet. &lt;br /&gt;&lt;br /&gt;Right now, Isis and Verizon need to see the Google Wallet as the geeky rich best friend from the movies, the one the mean girls take advantage of. When Google Wallet gets everything built, they cut the rich girl off and take advantage of it. It doesn’t sound very nice, but we’re talking about a mobile carrier and a mobile wallet. Who ever thought this would be nice? 
&lt;br /&gt;&lt;br /&gt;If Isis wants to slow down or screw up mobile payments, it blocks Google. But if it wants to create opportunities for itself, my suggestion is let the Google Wallet in. Let Google push. Let Google promote. Let Google sell. Then Isis can come in to the party with a bigger, better environment.&lt;br /&gt;&lt;br /&gt;Verizon loses nothing today, but gains everything tomorrow.&lt;br /&gt;&lt;a href="http://www.mobilepaymentstoday.com/blog/6729/Isis-should-be-helping-Google-for-their-benefit?utm_source=NetWorld%20Alliance&amp;utm_medium=email&amp;utm_campaign=Untitled_10_24_111"&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3354771926319415325-1361934730993682173?l=retailpayments.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://retailpayments.blogspot.com/feeds/1361934730993682173/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://retailpayments.blogspot.com/2011/10/isis-should-be-helping-google-for-their.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/1361934730993682173'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/1361934730993682173'/><link rel='alternate' type='text/html' href='http://retailpayments.blogspot.com/2011/10/isis-should-be-helping-google-for-their.html' title='Isis should be helping Google, for their benefit'/><author><name>JeffW</name><uri>http://www.blogger.com/profile/07664835499291761742</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://4.bp.blogspot.com/_7AggRZ-dDao/Siz7ekszWTI/AAAAAAAAAAo/ntL6xrrW0sQ/S220/Jeff+Wakefield.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3354771926319415325.post-2008566442320300764</id><published>2011-10-20T08:38:00.000-07:00</published><updated>2011-10-20T08:39:37.836-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='EMV'/><title type='text'>EMV: What does it mean for Acquirers?</title><content type='html'>EMV: What does it mean for Acquirers?&lt;br /&gt;19 Oct, 2011 21:10  &lt;br /&gt;With Visa’s recently announced U.S. EMV initiative, massive infrastructure changes loom on the horizon for card acquirers. To ready themselves for this change, acquirers can think about breaking down the implementation into three buckets: device enhancements, enhancements to acquiring systems and customer service.&lt;br /&gt;While daunting, the complexity of the EMV implementation can be somewhat tempered by installing the new hardware in two phases, starting more simply with EMV-capable devices that can be upgraded later down the line. Sometimes it is just a software upgrade that can bring the devices fully up to EMV when needed. In addition, EMV acceptance device configurations need to include key certificates.&lt;br /&gt;In terms of system enhancements, acquirers need to update transaction processing systems to handle additional data processing elements and EMV scripts as well as update switch interfaces. Storage of Transaction Certificates – or EMV e-receipts that prove the transaction took place – needs to be automated and have the ability to send changes in case of charge disputes. Lastly, acquirers need to think through how these infrastructure changes affect the customer service end of things: merchant training and support, consumer training and dispute management all need to be considered.&lt;br /&gt;The clock is ticking as Visa has set an April 1, 2013 deadline for U.S. 
acquirer processors to support merchant acceptance of chip transactions. Are you ready?&lt;br /&gt;&lt;a href="http://www.finextra.com/community/FullBlog.aspx?blogid=5946 "&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3354771926319415325-2008566442320300764?l=retailpayments.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://retailpayments.blogspot.com/feeds/2008566442320300764/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://retailpayments.blogspot.com/2011/10/emv-what-does-it-mean-for-acquirers.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/2008566442320300764'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/2008566442320300764'/><link rel='alternate' type='text/html' href='http://retailpayments.blogspot.com/2011/10/emv-what-does-it-mean-for-acquirers.html' title='EMV: What does it mean for Acquirers?'/><author><name>JeffW</name><uri>http://www.blogger.com/profile/07664835499291761742</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_7AggRZ-dDao/Siz7ekszWTI/AAAAAAAAAAo/ntL6xrrW0sQ/S220/Jeff+Wakefield.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3354771926319415325.post-3231297731375890987</id><published>2011-10-18T04:42:00.000-07:00</published><updated>2011-10-18T04:43:37.316-07:00</updated><title type='text'>PayPal Thinks Big Offline: Exploring PayPal’s Seamless Shopping Vision</title><content type='html'>PayPal Thinks Big Offline: Exploring PayPal’s Seamless Shopping Vision&lt;br /&gt;by RUSS JONES on OCTOBER 17, 2011&lt;br /&gt;Every year I try to attend what I think of 
as the PayPal Developers Conference. This year what used to be the PayPal X Innovate Conference was expanded to include eBay app development, Magento app development, and –– most importantly –– X.commerce app development. X.commerce is eBay’s new end-to-end, multi-channel commerce technology platform. While most of the conference was focused on the X.commerce platform, this is the first of two posts reflecting on what’s new with PayPal.&lt;br /&gt;Over the last several quarters eBay has been beating the drum about extending PayPal’s momentum in online payments to point of sale in the offline world. More recently, PayPal started talking about wanting to help brick-and-mortar retailers engage with consumers through the entire purchase process — from customer acquisition, to in-store engagement, payments, and post-purchase retention. This vision is nicely pulled together in a video entitled “PayPal: Future of Shopping” that PayPal released about a month ago.&lt;br /&gt;&lt;br /&gt;So, with the marketing campaign in full force, much of the industry was waiting to see what PayPal would say at last week’s X.Commerce Innovate Conference in San Francisco. First, the bad news. None of the shopping capabilities shown in the video were announced. Now, the good news. To show how these shopping concepts might work in everyday life, PayPal did assemble a Shopping Showcase demonstration and provided access to experts to answer questions from curious developers.&lt;br /&gt;The Showcase was divided into a number of “vignettes” that illustrated different end-to-end use cases. Most involved some sort of front-end customer engagement utilizing a combination of shopping list, local product inventory, purchase incentives, loyalty points, gift card balances, etc. 
The vignettes showed how these components could be combined when the consumer is out running errands and shopping on a typical Saturday afternoon.&lt;br /&gt;It’s hard to say which scenario would be best received in the market, but there is no question that PayPal is swinging for the fence, so to speak, and rethinking how shopping could be made easier for both buyers and sellers. We especially liked the way a shopping list could be built online and then shared with the merchant upon in-store check-in to match what the consumer wants with product availability and purchase incentives from the merchant.&lt;br /&gt;Presumably, most of the merchandising capabilities would be drawn from the various acquisitions eBay and PayPal have made over the last 18 months –– companies like Milo, Where, etc. They might be accessed as their own app in a smartphone or integrated with the PayPal Mobile app. Besides the standard capabilities we’re familiar with today in the PayPal Mobile app, PayPal also imagines users would have a wallet capability that would hold the consumer’s payment methods, current offers, loyalty cards, gift cards, available points, purchase history, and digital receipts.&lt;br /&gt;We’re always curious about who controls the wallet and where the payment data resides. In PayPal’s case, the wallet would be one of many functions inside the PayPal Mobile app. And the wallet in the app would act as the user interface to the consumer’s payment data in the cloud. This is in sharp contrast to the models being advocated by both Google and Isis, where the wallet is the app and the payment data is in the phone.&lt;br /&gt;While all this merchandising stuff is interesting, let’s get to payments. 
PayPal envisions three different ways that a consumer might use PayPal for purchases in a brick-and-mortar setting.&lt;br /&gt;Option #1 – PayPal Card &lt;br /&gt;The PayPal Card is an unembossed, PIN-enabled payment card with the PayPal logo on the front and a magnetic stripe on the back. There is no visible customer name, card number, expiration date, or CVN on the outside of the card. The basic motion for the buyer would be to swipe the card, enter their PIN, and approve of the purchase amount. Essentially, the same motion of using a PIN debit card today. Funding would be drawn from the buyer’s default PayPal payment method.&lt;br /&gt;Here’s how it would hypothetically work. When swiped at the point of sale, the merchant’s iPOS software would communicate over an Internet SSL connection with unannounced PayPal APIs to authenticate the buyer, access and apply relevant credits, capture the transaction, and generate a digital receipt. The digital receipt would be stored in the buyer’s PayPal account and a purchase alert sent to the buyer’s mobile device.&lt;br /&gt;It’s not clear how consumers would get their PayPal card, but it’s easy to imagine existing PayPal users would simply ask for one on their PayPal dashboard so they could use their PayPal account at the POS. PayPal stressed a number of times that there is no hardware upgrade required by the merchant –– it’s simply a software integration. In addition, if the terminal has enough interactive capabilities, the merchant might want to ask the buyer if they want to apply relevant coupons or use loyalty points.&lt;br /&gt;A point of clarification here — because this is a payment card used at the POS it’s natural to think there would be some underlying use made of the existing card industry infrastructure. But that’s not the case. 
The transaction does not use existing card industry “rails” nor is there necessarily a merchant acquirer involved.&lt;br /&gt;Option #2 – Empty Hands&lt;br /&gt;The second option, called “Empty Hands”, replaces the swipe of the PayPal Card with the terminal entry of a phone number and PIN. PayPal believes this is what a buyer would use when they don’t have a PayPal Card with them at the time of purchase. Essentially, they have empty hands. The basic motion would be to select PayPal as the payment option (Credit, Debit, PayPal), enter their registered phone number, enter their PIN, and approve the purchase amount. Like the PayPal Card option, funding would be drawn from the consumer’s default PayPal payment method.&lt;br /&gt;Behind the scenes, the Empty Hands option would work very similarly to the PayPal Card option. Instead of the PayPal Card being the “token” to locate the buyer’s PayPal account, it is the buyer’s phone number.&lt;br /&gt;Option #3 – In-Aisle Purchase&lt;br /&gt;With the third option, called an in-aisle purchase, the PayPal Mobile app is the exclusive interface for the purchase done in-store — and because PayPal fully controls the point of interaction on the mobile devices, it can provide a richer set of features. Instead of just accepting the default payment methods, the consumer might pre-select their preferred funding source for the purchase — and would be able to see and control how various offers and gift card balances might be applied to reduce the total “out the door” cost.&lt;br /&gt;One innovation that PayPal imagines is being able to offer installment payments to qualified buyers. The buyer might, for example, want to break a $300 purchase into a series of three $100 installment transactions against the payment method of their choice. 
Installment payments are an especially interesting twist in the PayPal funding model because they potentially blur the traditional banking industry distinction between credit and debit.&lt;br /&gt;Once the purchase is complete, the buyer receives their receipt electronically and can leave the store. In industry terminology, this is unassisted checkout so it will be up to the merchant how they want to verify payment prior to their customer leaving with the goods. For low-value goods or familiar customers it might just be the buyer flashing their phone receipt on the way out of the store. Large ticket merchants might want to restrict in-aisle purchases to just goods that are picked up from the dock or delivered to their home.&lt;br /&gt;Post Purchase Flexibility&lt;br /&gt;Regardless of payment method, PayPal envisions offering certain qualified buyers the ability to adjust their funding methods after they leave the store, and potentially the option to set up installment payments for select purchases instead of one-time payments. This would have nothing to do with the merchant. They would get paid immediately in real-time for things they sell, irrespective of what funding method is used or when the funds are actually received by PayPal.&lt;br /&gt;The capability, which PayPal believes will be unique in the industry, gives buyers the ability to sit down at the end of the day’s errands and adjust how they want to fund various purchases –– perhaps using their bank account for budgeted purchases, their credit card for discretionary purchases, and installment purchases for large ticket items. Not every buyer would qualify for installment payments, and the available installment options might not be the same. PayPal indicated, for example, that small ticket purchases might be available to be adjusted for 7 to 14 days, while larger ticket items might be adjustable up to 30 days.&lt;br /&gt;How does this work? 
As indicated earlier, merchants get paid immediately by PayPal, meaning that purchases are credited in real-time to the merchant’s PayPal account. On the buyer side, PayPal would hold the default funding transactions for some amount of time, giving the buyer the chance to change which source they want to use. Simplistically, you might think of this as a user changing a pending ACH transaction to a pending credit card transaction before it is submitted into the appropriate network at the end of the day. But instead of submitting all transactions every night, as they do today, they would wait days or potentially weeks before they submit the transaction. In the case of installment payments, they are breaking down the single funding transaction into 3 or 6 equal installment transactions.&lt;br /&gt;Sounds risky, but PayPal must obviously feel good about their ability to risk manage their customers and their transactions. And if you think about it, this model is not a lot different than their current model. Today, every merchant is funded immediately even though PayPal doesn’t collect the funds for several days, and is not guaranteed that funds will be available for bank-funded purchases.&lt;br /&gt;Glenbrook’s Reaction&lt;br /&gt;eBay has been very vocal about mobile starting to blur the distinction between online and offline, and that’s something we see very clearly as an important trend in the market. We think buyers and sellers don’t see the distinction today and, quite frankly, don’t care. Consumers just want to buy things and merchants just want to sell things.&lt;br /&gt;It is interesting that PayPal is focused on optimizing the shopping experience, and not just the payment experience. As many have pointed out, it’s not just how long it takes to swipe your payment card at BestBuy –– it’s how long you have to wait in line for that privilege. Either way, you have to prove to the door police that you’ve paid for your purchase. 
So, the emphasis on the overall shopping experience instead of just the payments piece seems right.&lt;br /&gt;Of course, the hard part about ramping up any sort of new payment paradigm is breaking open the chicken and egg problem. Here PayPal is working both sides of the hen house –– providing a rationale for merchants to adopt without the capital expense of redeploying terminals, and providing consumers with an incentive to use PayPal as a payment option at POS.&lt;br /&gt;For merchants, the value proposition is clearly all about selling more –– auto alerting consumers when a store location a couple of blocks away has an item in stock; auto matching shopping lists with inventory availability to apply coupons; in-aisle checkout to reduce line abandonment; 100 million active buyers with multiple payment methods on file, etc.&lt;br /&gt;For consumers, the value proposition is all about convenience –– interactive access to coupons and credits; loyalty point management; digital receipt tracking and management; no-interest installment payments on large purchases; post-purchase reshuffling of payment methods to better manage daily or weekly budgeting; in-aisle purchasing to eliminate wait times to get out of the store; and on and on.&lt;br /&gt;Will it work? Who knows? There are open questions on the actual products, real-world adoption challenges, strength of the value proposition, credibility of the initial partners, and overall economics and pricing. Still, PayPal’s vision is quite ambitious. 
If this whole thing doesn’t work out, it won’t be because PayPal was thinking too small.&lt;br /&gt;&lt;a href="http://www.youtube.com/watch?v=V7q1jx8mYi8"&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3354771926319415325-3231297731375890987?l=retailpayments.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://retailpayments.blogspot.com/feeds/3231297731375890987/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://retailpayments.blogspot.com/2011/10/paypal-thinks-big-offline-exploring.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/3231297731375890987'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/3231297731375890987'/><link rel='alternate' type='text/html' href='http://retailpayments.blogspot.com/2011/10/paypal-thinks-big-offline-exploring.html' title='PayPal Thinks Big Offline: Exploring PayPal’s Seamless Shopping Vision'/><author><name>JeffW</name><uri>http://www.blogger.com/profile/07664835499291761742</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_7AggRZ-dDao/Siz7ekszWTI/AAAAAAAAAAo/ntL6xrrW0sQ/S220/Jeff+Wakefield.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3354771926319415325.post-823607138225545210</id><published>2011-10-14T11:03:00.000-07:00</published><updated>2011-10-14T11:03:01.631-07:00</updated><title type='text'>http://digitaltransactions.net/news/story/3237</title><content type='html'>PayPal to issue a plastic card for brick &amp; mortar stores. 
&lt;br /&gt;&lt;a href="http://digitaltransactions.net/news/story/3237#.Tph5KBj3fJU.blogger"&gt;http://digitaltransactions.net/news/story/3237&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3354771926319415325-823607138225545210?l=retailpayments.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://retailpayments.blogspot.com/feeds/823607138225545210/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://retailpayments.blogspot.com/2011/10/httpdigitaltransactionsnetnewsstory3237.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/823607138225545210'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/823607138225545210'/><link rel='alternate' type='text/html' href='http://retailpayments.blogspot.com/2011/10/httpdigitaltransactionsnetnewsstory3237.html' title='http://digitaltransactions.net/news/story/3237'/><author><name>JeffW</name><uri>http://www.blogger.com/profile/07664835499291761742</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_7AggRZ-dDao/Siz7ekszWTI/AAAAAAAAAAo/ntL6xrrW0sQ/S220/Jeff+Wakefield.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3354771926319415325.post-4774026448892741855</id><published>2011-10-14T10:48:00.000-07:00</published><updated>2011-10-14T10:48:24.841-07:00</updated><title type='text'>Hotel groups unite to reduce PCI scope#.TphXOEYc0cc.twitter</title><content type='html'>&lt;a href="http://www.hotelnewsnow.com/Articles.aspx/6656/Hotel-groups-unite-to-reduce-PCI-scope#.Tph11dNJC0N.blogger"&gt;Hotel groups unite to reduce PCI scope#.TphXOEYc0cc.twitter&lt;/a&gt;&lt;div 
class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3354771926319415325-4774026448892741855?l=retailpayments.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://retailpayments.blogspot.com/feeds/4774026448892741855/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://retailpayments.blogspot.com/2011/10/hotel-groups-unite-to-reduce-pci.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/4774026448892741855'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/4774026448892741855'/><link rel='alternate' type='text/html' href='http://retailpayments.blogspot.com/2011/10/hotel-groups-unite-to-reduce-pci.html' title='Hotel groups unite to reduce PCI scope#.TphXOEYc0cc.twitter'/><author><name>JeffW</name><uri>http://www.blogger.com/profile/07664835499291761742</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_7AggRZ-dDao/Siz7ekszWTI/AAAAAAAAAAo/ntL6xrrW0sQ/S220/Jeff+Wakefield.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3354771926319415325.post-946573597853045793</id><published>2011-10-12T16:45:00.000-07:00</published><updated>2011-10-12T16:45:32.681-07:00</updated><title type='text'>Lawmakers Propose Legislation To Repeal Durbin Amendment - PaymentsSource Article</title><content type='html'>&lt;a href="http://www.paymentssource.com/news/lawmakers-propose-legislation-repeal-durbin-amendment-3008147-1.html#.TpYmRdzgLaI.blogger"&gt;Lawmakers Propose Legislation To Repeal Durbin Amendment - PaymentsSource Article&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' 
src='https://blogger.googleusercontent.com/tracker/3354771926319415325-946573597853045793?l=retailpayments.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://retailpayments.blogspot.com/feeds/946573597853045793/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://retailpayments.blogspot.com/2011/10/lawmakers-propose-legislation-to-repeal.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/946573597853045793'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/946573597853045793'/><link rel='alternate' type='text/html' href='http://retailpayments.blogspot.com/2011/10/lawmakers-propose-legislation-to-repeal.html' title='Lawmakers Propose Legislation To Repeal Durbin Amendment - PaymentsSource Article'/><author><name>JeffW</name><uri>http://www.blogger.com/profile/07664835499291761742</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_7AggRZ-dDao/Siz7ekszWTI/AAAAAAAAAAo/ntL6xrrW0sQ/S220/Jeff+Wakefield.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3354771926319415325.post-286384813288604785</id><published>2010-03-30T04:15:00.000-07:00</published><updated>2010-03-30T04:21:25.234-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Encryption'/><category scheme='http://www.blogger.com/atom/ns#' term='Aberdeen'/><category scheme='http://www.blogger.com/atom/ns#' term='PCI Compliance Costs'/><category scheme='http://www.blogger.com/atom/ns#' term='E2E'/><title type='text'>Aberdeen Group Recommends End To End Encryption to All Merchants</title><content type='html'>&lt;div&gt;&lt;br /&gt;In November 2009, Aberdeen Group published their research paper titled, “The 
2009 PCI DSS and Protecting Cardholder Data Report.”&lt;br /&gt;&lt;br /&gt;Some of the key findings include:&lt;br /&gt;&lt;br /&gt;• While there have been years with a minimal number of cards breached, the number of incidents continues to rise virtually every year and the trend in the number of cards compromised also continues to increase.&lt;br /&gt;&lt;/div&gt;&lt;img style="TEXT-ALIGN: center; MARGIN: 0px auto 10px; WIDTH: 320px; DISPLAY: block; HEIGHT: 201px; CURSOR: hand" id="BLOGGER_PHOTO_ID_5454385087705794802" border="0" alt="" src="http://2.bp.blogspot.com/_7AggRZ-dDao/S7HeVrTkSPI/AAAAAAAAACY/QtQe-nis8uI/s320/fraud+growth.jpg" /&gt;&lt;br /&gt;&lt;br /&gt;• In a survey of 1/3 large retailers (revenue &gt;$1B), 1/3 mid-size retailers (revenue between $50M and $1B), and 1/3 small retailers (revenue less than $50M), the best-in-class retailers spent $135,000 in annual PCI compliance costs while all others spent $300,000. The reason the best-in-class retailers had lower annual PCI Compliance costs was their adoption of technologies&lt;br /&gt;&lt;br /&gt;&lt;img style="TEXT-ALIGN: center; MARGIN: 0px auto 10px; WIDTH: 320px; DISPLAY: block; HEIGHT: 221px; CURSOR: hand" id="BLOGGER_PHOTO_ID_5454384418203500306" border="0" alt="" src="http://3.bp.blogspot.com/_7AggRZ-dDao/S7HdutNx_xI/AAAAAAAAACQ/9geQElyvFGE/s320/annual+pci+costs.jpg" /&gt;&lt;br /&gt;• “Similarly, with protecting cardholder data, the most effective way to protect it is not to block the attacker, but to take away the attacker’s target. 
While all companies should do a better job of leveraging … (technologies)… to protect cardholder data in the here and now, they should also pay close attention to collaborations between payment processors and technology solution providers to promote alternatives such as end-to-end encryption and tokenization for the elimination of stored cardholder data altogether.”&lt;br /&gt;&lt;br /&gt;• A full copy of this study may be found &lt;a href="http://www.aberdeen.com/summary/report/benchmark/5892-RA-payment-cardholder-data-security.asp"&gt;here&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3354771926319415325-286384813288604785?l=retailpayments.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://retailpayments.blogspot.com/feeds/286384813288604785/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://retailpayments.blogspot.com/2010/03/aberdeen-group-recommends-end-to-end.html#comment-form' title='37 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/286384813288604785'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/286384813288604785'/><link rel='alternate' type='text/html' href='http://retailpayments.blogspot.com/2010/03/aberdeen-group-recommends-end-to-end.html' title='Aberdeen Group Recommends End To End Encryption to All Merchants'/><author><name>JeffW</name><uri>http://www.blogger.com/profile/07664835499291761742</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_7AggRZ-dDao/Siz7ekszWTI/AAAAAAAAAAo/ntL6xrrW0sQ/S220/Jeff+Wakefield.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' 
url='http://2.bp.blogspot.com/_7AggRZ-dDao/S7HeVrTkSPI/AAAAAAAAACY/QtQe-nis8uI/s72-c/fraud+growth.jpg' height='72' width='72'/><thr:total>37</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3354771926319415325.post-7426428094307272470</id><published>2010-03-29T16:55:00.000-07:00</published><updated>2010-03-30T04:31:40.221-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Aite'/><category scheme='http://www.blogger.com/atom/ns#' term='Encryption'/><category scheme='http://www.blogger.com/atom/ns#' term='E2E'/><category scheme='http://www.blogger.com/atom/ns#' term='Card Fraud'/><category scheme='http://www.blogger.com/atom/ns#' term='EMV'/><title type='text'>Aite Group: E2EE is the best fraud protection technology available today</title><content type='html'>&lt;div&gt;Aite Group published a report in March 2010, titled “Card Fraud in the United States: The Case for Encryption.” The full report is only available for purchase, but some of the key highlights are below:&lt;br /&gt;&lt;br /&gt;• Aite Group estimates that the total cost of fraud in the United States is $8.6 billion per year, or 0.4% of the $2.1 trillion card payment industry. Of that total, just 15.9%, or $1.35 billion, represents counterfeit card fraud, only 0.06% of annual card transaction volume.&lt;br /&gt;&lt;br /&gt;• Those seeking to mitigate card fraud today should focus on encryption technologies, cutting off the source of card data for the carding networks.&lt;br /&gt;&lt;br /&gt;• Upgrading of card technologies to EMV chip cards in the United States will not occur while U.S. Issuers and networks remain married to signature interchange. Fraud has not stopped since the introduction of EMV in the UK, but the type of fraud has moved. 
&lt;img style="TEXT-ALIGN: center; MARGIN: 0px auto 10px; WIDTH: 507px; DISPLAY: block; HEIGHT: 344px; CURSOR: hand" id="BLOGGER_PHOTO_ID_5454387856559858082" border="0" alt="" src="http://3.bp.blogspot.com/_7AggRZ-dDao/S7Hg22F0YaI/AAAAAAAAACg/ENZa36zhdd8/s320/emv+fraud+chart.jpg" /&gt;&lt;/div&gt;&lt;br /&gt;&lt;div&gt;&lt;br /&gt;&lt;br /&gt;• The report looked at three broad categories of solutions to combat fraud today. These were requiring additional information as part of the authorization, devaluing the magnetic stripe data and deploying higher level card technology.&lt;br /&gt;&lt;br /&gt;• The following technologies were looked at as ways to require additional information as part of the authorization message to reduce fraud&lt;br /&gt;o Address Verification Service&lt;br /&gt;o Card Security Code&lt;br /&gt;o 3D Secure&lt;br /&gt;o Physical 2 Factor Token&lt;br /&gt;&lt;br /&gt;• For devaluing magnetic stripe data, the following technologies were studied&lt;br /&gt;o End to End Encryption&lt;br /&gt;o Dynamic Card Data&lt;br /&gt;o Magnetic Stripe Fingerprinting&lt;br /&gt;•&lt;br /&gt;Two technologies were reviewed for deploying higher level card technology&lt;br /&gt;o EMV&lt;br /&gt;o Contactless&lt;br /&gt;&lt;br /&gt;• Of these technologies, end to end encryption would have the greatest impact on reducing fraud. Aite Group states: “End-to-end encryption, if fully implemented nationally, would be likely to prove extremely effective in reducing counterfeit and card-not-present fraud, materially impacting the availability of U.S, Card data on the black market. Carding gangs would be forced to turn to easier pickings in less well-armored countries. 
We estimate that a national E2EE deployment would cut 90% of card-not-present and counterfeit cards in the United States.”&lt;br /&gt;&lt;br /&gt;• Based on the…degree of fraud elimination, time to return on investment, time for deployment and the level of friction to adoption, end-to-end encryption provides the most thorough and feasible form of card fraud prevention today. Deployment costs would fall primarily on merchants, but this may be seen as acceptable in the context of removing some key areas of liability within the PCI DSS framework. Payback would take less than a couple of years, approximately the same time as it would for deployment.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3354771926319415325-7426428094307272470?l=retailpayments.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://retailpayments.blogspot.com/feeds/7426428094307272470/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://retailpayments.blogspot.com/2010/03/aite-group-e2ee-is-best-fraud.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/7426428094307272470'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/7426428094307272470'/><link rel='alternate' type='text/html' href='http://retailpayments.blogspot.com/2010/03/aite-group-e2ee-is-best-fraud.html' title='Aite Group: E2EE is the best fraud protection technology available today'/><author><name>JeffW</name><uri>http://www.blogger.com/profile/07664835499291761742</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://4.bp.blogspot.com/_7AggRZ-dDao/Siz7ekszWTI/AAAAAAAAAAo/ntL6xrrW0sQ/S220/Jeff+Wakefield.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_7AggRZ-dDao/S7Hg22F0YaI/AAAAAAAAACg/ENZa36zhdd8/s72-c/emv+fraud+chart.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3354771926319415325.post-8481945283916701456</id><published>2010-03-29T12:18:00.000-07:00</published><updated>2010-03-30T04:36:50.668-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Encryption'/><category scheme='http://www.blogger.com/atom/ns#' term='RSR'/><category scheme='http://www.blogger.com/atom/ns#' term='E2E'/><title type='text'>80% of Retailers believe E2E Encryption is very important in protecting customer information.</title><content type='html'>Retail Systems Research recently published “Building Trust and Growing the Brand: The Role of Privacy and Security in Retail 2010.” (March 2010). 
In the report,&lt;br /&gt;&lt;br /&gt;Eighty-eight percent consider firewalls to be very important technology enablers to protecting the customer’s security across the entire enterprise, while 80% ascribe the same value to encrypting data at every point in its movement through their organization.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;img style="TEXT-ALIGN: center; MARGIN: 0px auto 10px; WIDTH: 330px; DISPLAY: block; HEIGHT: 300px; CURSOR: hand" id="BLOGGER_PHOTO_ID_5454388896922547330" border="0" alt="" src="http://4.bp.blogspot.com/_7AggRZ-dDao/S7HhzZvnNII/AAAAAAAAACo/sblNR6uzNyc/s400/enablers.jpg" /&gt;&lt;br /&gt;The full study can be downloaded &lt;a href="http://www.retailsystemsresearch.com/_document/summary/1062"&gt;here&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3354771926319415325-8481945283916701456?l=retailpayments.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://retailpayments.blogspot.com/feeds/8481945283916701456/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://retailpayments.blogspot.com/2010/03/80-of-retailers-believe-e2e-encryption.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/8481945283916701456'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/8481945283916701456'/><link rel='alternate' type='text/html' href='http://retailpayments.blogspot.com/2010/03/80-of-retailers-believe-e2e-encryption.html' title='80% of Retailers believe E2E Encryption is very important in protecting customer information.'/><author><name>JeffW</name><uri>http://www.blogger.com/profile/07664835499291761742</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' 
height='32' src='http://4.bp.blogspot.com/_7AggRZ-dDao/Siz7ekszWTI/AAAAAAAAAAo/ntL6xrrW0sQ/S220/Jeff+Wakefield.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_7AggRZ-dDao/S7HhzZvnNII/AAAAAAAAACo/sblNR6uzNyc/s72-c/enablers.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3354771926319415325.post-8121321803877779608</id><published>2010-03-29T09:53:00.000-07:00</published><updated>2010-03-29T12:07:33.359-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='QSA'/><category scheme='http://www.blogger.com/atom/ns#' term='Encryption'/><category scheme='http://www.blogger.com/atom/ns#' term='Ponemon Institute'/><category scheme='http://www.blogger.com/atom/ns#' term='E2E'/><category scheme='http://www.blogger.com/atom/ns#' term='Compliance Costs'/><category scheme='http://www.blogger.com/atom/ns#' term='PCI-DSS'/><title type='text'>QSAs Recommend End to End Encryption for Cardholder Data Protection</title><content type='html'>The Ponemon Institute recently published a study on PCI Compliance titled “PCI DSS Trends 2010: QSA Insights Report.” Published in March 2010, the study surveyed 155 QSAs worldwide on their opinions on PCI Compliance, PCI Compliance Costs, and encryption technology. Some of the more interesting findings include:&lt;br /&gt;&lt;br /&gt;• Encryption is the favored technology for achieving end-to-end cardholder data protection. 60 percent of QSAs believe encryption is the best means to protect card data end-to-end, compared to 35 percent for tokenization.&lt;br /&gt;&lt;br /&gt;• Cost of annual audits averages $225,000 for the largest merchants. Excluding technology, operating, and staff costs, the world’s largest acceptors of credit cards (also known as Tier 1 merchants) are spending an average of $225,000 on auditor expenses. 10 percent of these businesses are spending $500,000 or more annually on PCI auditors. 
The distribution of annual auditor spend by Tier 1 retailers was:&lt;br /&gt;15% &lt;$100k&lt;br /&gt;39% $101k - $200k&lt;br /&gt;27% $201k - $300k&lt;br /&gt;5% $301k - $400k&lt;br /&gt;4% $401k - $500k&lt;br /&gt;10% &gt;$500k&lt;br /&gt;&lt;br /&gt;• Almost half of the QSAs surveyed do not think their clients believe that PCI DSS improves data security. The results shown below are for the question, "Clients don't believe PCI DSS improves data security?"&lt;br /&gt;21% Strongly Agree&lt;br /&gt;23% Agree&lt;br /&gt;15% Unsure&lt;br /&gt;19% Disagree&lt;br /&gt;18% Strongly Disagree&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;• When asked which technologies are most effective for achieving PCI DSS compliance, 3 of the top 4 answers were encryption. The top 4 answers were:&lt;br /&gt;&lt;br /&gt;&lt;p&gt;1. Firewalls&lt;/p&gt;&lt;p&gt;2. Encryption for data at rest&lt;/p&gt;&lt;p&gt;3. Encryption for data in motion&lt;/p&gt;&lt;p&gt;4. Endpoint encryption solutions&lt;br /&gt;&lt;/p&gt;&lt;p&gt;• The QSAs surveyed think merchant networks are the systems most at risk for data breaches, followed by merchant databases and POS systems, all places where end to end encryption will protect cardholder data. The QSAs ranked the following systems as most at risk for a cardholder data breach. 
End to end encryption can protect data in each of these merchant systems.&lt;/p&gt;&lt;p&gt;51% Merchant Networks&lt;/p&gt;&lt;p&gt;43% Merchant Databases&lt;/p&gt;&lt;p&gt;33% Point of Sale Systems&lt;/p&gt;&lt;p&gt;30% Payment Applications&lt;/p&gt;&lt;p&gt;&lt;br /&gt;• When asked how to best protect cardholder data, encryption was the choice of 51% of QSAs.&lt;/p&gt;&lt;p&gt;&lt;br /&gt;• A full copy of the study can be found by registering &lt;a href="http://iss.thalesgroup.com/l/program/pcitrendsreport.aspx?sf_id=70120000000Yan1"&gt;here&lt;/a&gt;.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3354771926319415325-8121321803877779608?l=retailpayments.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://retailpayments.blogspot.com/feeds/8121321803877779608/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://retailpayments.blogspot.com/2010/03/ponemon-institute-recently-published.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/8121321803877779608'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/8121321803877779608'/><link rel='alternate' type='text/html' href='http://retailpayments.blogspot.com/2010/03/ponemon-institute-recently-published.html' title='QSAs Recommend End to End Encryption for Cardholder Data Protection'/><author><name>JeffW</name><uri>http://www.blogger.com/profile/07664835499291761742</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://4.bp.blogspot.com/_7AggRZ-dDao/Siz7ekszWTI/AAAAAAAAAAo/ntL6xrrW0sQ/S220/Jeff+Wakefield.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3354771926319415325.post-916757969704135064</id><published>2010-02-04T04:39:00.000-08:00</published><updated>2010-02-04T04:42:10.011-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Encryption'/><category scheme='http://www.blogger.com/atom/ns#' term='PCI DSS'/><category scheme='http://www.blogger.com/atom/ns#' term='E2E'/><title type='text'>PCI DSS Releases FAQ about End to End Encryption</title><content type='html'>While major updates to the PCI Data Security Standard are issued as new versions, such as the one to be published later this year, the PCI Security Standards Council often releases FAQs that provide clarification or guidance to merchants and QSAs.  In December, the PCI SSC published an FAQ dealing with the impact of end to end encryption on PCI scope.  While couched in several disclaimers, the highlighted section below says that encrypted data can be considered out of scope if the retailer does not have the means to decrypt the data.  This is a huge win for retailers looking to implement end to end encryption technology, both to improve the security of cardholder data in their environment and to reduce their ongoing PCI compliance and assessment costs.&lt;br /&gt;&lt;br /&gt;As when implementing any new payment architecture or technology, you should consult with your QSA during the evaluation, planning and implementation processes to maximize the benefits you receive from a new payment architecture or technology like end to end encryption.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Is encrypted cardholder data considered cardholder data that must be protected in accordance with PCI DSS? 
&lt;/strong&gt;&lt;br /&gt;&lt;em&gt;The Council will be developing more formal guidance around this topic, leveraging information that is received through the various channels of the DSS lifecycle feedback process. Until further guidance is provided by the Council, the following should be taken into consideration regarding encrypted cardholder data. &lt;br /&gt;&lt;br /&gt;Encryption solutions are only as good as the industry-approved algorithms and key management practices used, including security controls surrounding the encryption/decryption keys (“Keys”). If Keys are left unprotected and accessible, anyone can decrypt the data. The DSS has specific encryption key management controls (DSS 3.5 and 3.6), however, other DSS controls such as firewalls, user access controls, vulnerability management, scanning, logging and application security provide additional layers of security to prevent malicious users from gaining privileged access to networks or cardholder data environments that may grant them access to Keys. It is for this reason that encrypted cardholder data is in scope for PCI DSS. &lt;br /&gt;&lt;br /&gt;However, encrypted data may be deemed out of scope if, and only if, it has been validated that the entity that possesses encrypted cardholder data does not have the means to decrypt it. Any technological implementation or vendor solution should be validated to ensure both physical and logical controls are in place in accordance with industry best practices, prohibiting the entity, or malicious users that may gain access to the entity’s environment, from obtaining access to Keys. 
&lt;br /&gt;&lt;br /&gt;Furthermore, service providers or vendors that provide encryption solutions to merchants who have administrative access and controls to Keys along with the management of termination points for encryption to process transactions, are required to demonstrate physical and logical controls to protect cryptographic keys in accordance with industry best practices (such as NIST referenced in PCI DSS requirement 3.6), along with full compliance with PCI DSS.&lt;br /&gt;&lt;br /&gt;Merchants should ensure their solution providers who provide key management services and/or act as the point of encryption/decryption are in compliance with PCI DSS. Merchants should be aware that encryption solutions most likely do not remove them completely from PCI DSS. Examples of where DSS would still be applicable include usage policies, agreements with service providers that deploy payment solutions, physical protection of payment assets and any legacy data and processes (such as billing, loyalty, marketing databases) within the merchant's environment that may still store, process or transmit clear text cardholder data, as that would remain in scope for PCI DSS.&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;The full PCI SSC FAQs can be found &lt;a href="https://www.pcisecuritystandards.org/index.shtml"&gt;here&lt;/a&gt;.  Click on the FAQ link in the left navigation bar.  
This specific FAQ can be found &lt;a href="http://selfservice.talisma.com/display/2/index.aspx?c=58&amp;cpc=MSdA03B2IfY15uvLEKtr40R5a5pV2lnCUb4i1Qj2q2g&amp;cid=81&amp;cat=&amp;catURL=&amp;r=0.558471381664276"&gt;here&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3354771926319415325-916757969704135064?l=retailpayments.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://retailpayments.blogspot.com/feeds/916757969704135064/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://retailpayments.blogspot.com/2010/02/pci-dss-releases-faq-about-end-to-end.html#comment-form' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/916757969704135064'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/916757969704135064'/><link rel='alternate' type='text/html' href='http://retailpayments.blogspot.com/2010/02/pci-dss-releases-faq-about-end-to-end.html' title='PCI DSS Releases FAQ about End to End Encryption'/><author><name>JeffW</name><uri>http://www.blogger.com/profile/07664835499291761742</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_7AggRZ-dDao/Siz7ekszWTI/AAAAAAAAAAo/ntL6xrrW0sQ/S220/Jeff+Wakefield.jpg'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3354771926319415325.post-514580659850548886</id><published>2010-01-21T08:19:00.000-08:00</published><updated>2010-01-21T08:23:05.974-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Encryption'/><category scheme='http://www.blogger.com/atom/ns#' term='PCI DSS'/><category scheme='http://www.blogger.com/atom/ns#' term='E2E'/><category 
scheme='http://www.blogger.com/atom/ns#' term='VeriShield Protect'/><title type='text'>Independent QSA Technical Assessment of VeriShield Protect</title><content type='html'>VeriFone has contracted with Coalfire Systems, Inc., a leading IT security consulting firm and PCI QSA, to conduct an independent technical assessment of VeriShield Protect.  The goal of this assessment is to determine if VeriShield Protect meets and follows industry standards, how a proper implementation of VeriShield Protect can improve the security of a retailer’s cardholder environment, and the impact VeriShield Protect can have on reducing PCI scope and compliance costs.&lt;br /&gt;&lt;br /&gt;The assessment is complete and a white paper of the findings will be published in February.  The assessment by Coalfire included lab testing of the system, evaluation of VeriShield Protect as implemented at a Tier 1 retailer and a review of all planned deployment scenarios.  &lt;br /&gt;&lt;br /&gt;At NRF, Kennet Westby, Coalfire co-founder and COO, presented the initial findings from their assessment to a breakfast meeting of retail CIOs and security executives.  An executive summary from the forthcoming white paper was also released at NRF.  &lt;br /&gt;&lt;br /&gt;Key points from this executive summary include:&lt;br /&gt;&lt;br /&gt;• A properly deployed VeriShield Protect solution can provide significant risk mitigation of data compromise and may be one of the most effective controls available to merchants today. &lt;br /&gt;&lt;br /&gt;• There can be very clear and dramatic reduction of PCI compliance scope with a properly deployed VeriShield Protect solution.  &lt;br /&gt;&lt;br /&gt;• The benefit to merchants is the VeriShield Protect solution can reduce the cost of PCI compliance assessment and validation and allow them to invest more of those dollars into risk mitigating controls.  
&lt;br /&gt;&lt;br /&gt;• The VeriShield Protect solution integrates securely with PC based POS or cash registers without exposing card data, encryption keys or authentication data to these platforms. &lt;br /&gt;&lt;br /&gt;• The format preserving VeriShield Hidden Encryption provided successful integration with all payment applications, POS and back-office servers tested. &lt;br /&gt;&lt;br /&gt;• The integration with tested payment applications and POS systems was quick, required very little customization and worked effectively with all post authorization, sales audit and refund transactions tested.  &lt;br /&gt;&lt;br /&gt;• The VeriShield Protect solution meets all VISA Data Field Encryption Best Practices.&lt;br /&gt;&lt;br /&gt;• VeriShield Hidden Encryption meets encryption best practices and standards for cryptographic algorithms and key strength. The format preserving methods meet industry standards and VISA best practice guidance.&lt;br /&gt;&lt;br /&gt;• The key management processes of the VeriShield Protect solution remove most of the challenges of key management for the merchant that are found in many previous end point encryption solutions.  &lt;br /&gt;&lt;br /&gt;• The VeriFone terminal should be the only point in a merchant environment that captures card data through swipe or keyed entry to achieve the greatest security and PCI compliance scope reduction.&lt;br /&gt;&lt;br /&gt;• A payment application or POS that is not PABP/PA-DSS validated can be taken out of PCI scope if all payment data is captured through the VeriShield Protect solution and the system is cleansed of all legacy card data.&lt;br /&gt;&lt;br /&gt;• A deployment architecture that has all card data captured in a VeriShield Protect TRSM and communicates directly to a PCI compliant processor who manages all decryption services for the merchant provides the greatest security and compliance risk mitigation. 
&lt;br /&gt;&lt;br /&gt;• A merchant should have ownership rights to the decryption keys but not have access to or possession of keys to achieve the greatest PCI scope reduction. &lt;br /&gt;&lt;br /&gt;• A merchant can remove PCI compliance scope for the majority of their retail environment if all electronic card data is captured in a VeriShield Protect TRSM and no decryption appliances or decryption keys exist in their environment. &lt;br /&gt;&lt;br /&gt;• The VSDMS provides effective compliance and security auditing for the merchant and QSA. Store validation sampling of compliance is simplified with this tool set. Compliance reporting over time is easily evidenced for auditors using the VSDMS. &lt;br /&gt;&lt;br /&gt;• The VeriFone VeriShield Protect solution impressed the Coalfire technical assessment team and their QSA auditors.  The technology and tools are well architected and effective. The maturing of the solution based on their assessment input, customer feedback and industry best practice was equally impressive.  Solution support, technical capabilities and security expertise of both VeriFone and its technology partner have benefited early customers in achieving their security and compliance goals.  
&lt;br /&gt;&lt;br /&gt;This full executive summary can be downloaded &lt;a href="http://www.verifone.com/about-us/whitepapers/VeriFone_VeriShield_Protect_Assessment_Executive_Summary.pdf"&gt;here&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3354771926319415325-514580659850548886?l=retailpayments.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://retailpayments.blogspot.com/feeds/514580659850548886/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://retailpayments.blogspot.com/2010/01/independent-qsa-technical-assessment-of.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/514580659850548886'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/514580659850548886'/><link rel='alternate' type='text/html' href='http://retailpayments.blogspot.com/2010/01/independent-qsa-technical-assessment-of.html' title='Independent QSA Technical Assessment of VeriShield Protect'/><author><name>JeffW</name><uri>http://www.blogger.com/profile/07664835499291761742</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_7AggRZ-dDao/Siz7ekszWTI/AAAAAAAAAAo/ntL6xrrW0sQ/S220/Jeff+Wakefield.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3354771926319415325.post-2439892087785421782</id><published>2009-10-23T12:00:00.000-07:00</published><updated>2009-10-23T12:19:42.462-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Encryption'/><category scheme='http://www.blogger.com/atom/ns#' term='Best Practices'/><category scheme='http://www.blogger.com/atom/ns#' term='Visa'/><category 
scheme='http://www.blogger.com/atom/ns#' term='VeriShield Protect'/><category scheme='http://www.blogger.com/atom/ns#' term='PCI'/><title type='text'>VeriShield Protect Meets Visa Data Encryption Best Practices</title><content type='html'>There has been much discussion this year about the benefits of end to end encryption protecting cardholder data. Proper end to end encryption solutions will improve the security of cardholder data, remove some retail systems from PCI DSS scope and will reduce both the costs of compliance as well as the cost of PCI DSS assessments. George Peabody of the Mercator Group projects that retailers will save 20% of their ongoing PCI compliance costs and 25% of their annual assessment costs. (1)&lt;br /&gt;&lt;br /&gt;Until recently, merchants were left on their own to evaluate end to end encryption solutions to determine if indeed, the solution did properly protect cardholder data. Visa’s recently published Data Encryption Best Practices has finally provided guidance to retailers who are looking to implement end to end encryption.&lt;br /&gt;&lt;br /&gt;While some of the best practices are technical and reference technical specifications, they incorporate generally accepted financial industry standards that are widely understood and used within the payments industry today for the protection of debit PINs and debit PIN encryption keys.&lt;br /&gt;&lt;br /&gt;There are 14 Data Field Protection Best Practices which are grouped into 5 Data Field Protection Goals. These goals and the associated best practices are as follows:&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Limit cleartext availability of cardholder data and sensitive authentication data to the point of encryption and the point of decryption.&lt;/strong&gt;&lt;br /&gt;&lt;em&gt;1. Cardholder and sensitive authentication data must remain encrypted between the endpoints&lt;br /&gt;2. ANSI or ISO approved strong encryption like TDES or AES must be used&lt;br /&gt;3. 
The first 6 digits and last 4 digits of the PAN may be left in the clear for routing and receipt printing purposes, but the remaining track data must be encrypted&lt;br /&gt;4. Per existing PCI DSS requirements and definitions, sensitive authentication must not be stored after authorization.&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Use robust key management solutions consistent with international and/or regional standards.&lt;/strong&gt;&lt;br /&gt;5. &lt;em&gt;Keys must be managed per ANSI X9.24/ISO 11568 or equivalent within Secure Cryptographic Devices (SCD) such as PED Payment Terminals and Host Security Modules (HSM).&lt;br /&gt;6. Keys and key components must be generated using an approved random or pseudo-random process such as NIST SP 800-22.&lt;br /&gt;7. The key management process must be documented.&lt;br /&gt;8. Keys may only be transmitted in a secure manner, for example, the key distribution method described in ANSI X9/TR-34.&lt;br /&gt;9. The keys used for encryption must be unique per device and not used for any other purpose like debit PIN encryption or key exchange.&lt;br /&gt;&lt;/em&gt;&lt;br /&gt;&lt;strong&gt;Use key-lengths and cryptographic algorithms consistent with international and/or regional standards.&lt;br /&gt;&lt;/strong&gt;&lt;em&gt;10. Encryption keys shall have strength of at least 112 equivalent bit strength. (AES is 128 bytes.)&lt;br /&gt;11. Format Preserving Encryption schemes must be evaluated by at least one independent security evaluation organization and subjected to a cryptographic peer review.&lt;br /&gt;&lt;/em&gt;&lt;br /&gt;&lt;strong&gt;Protect devices used to perform cryptographic operations against physical/logical compromises.&lt;br /&gt;&lt;/strong&gt;&lt;em&gt;12. Devices used to perform cryptographic operations should undergo independent assessment to ensure that the hardware and software they are using is resilient to attack.&lt;br /&gt;13. 
Keys must be protected against physical and logical compromise as well as protected from substitution, and authenticity shall be ensured.&lt;br /&gt;&lt;/em&gt;&lt;br /&gt;&lt;strong&gt;Use an alternate account or transaction identifier for business processes that require the primary account number to be utilized after authorization, such as processing of recurring payments, customer loyalty programs or fraud management.&lt;/strong&gt;&lt;br /&gt;&lt;em&gt;14. If any cardholder data (e.g. the PAN) is needed after authorization, a single-use or multi-use transaction ID or token should be used instead. &lt;/em&gt;&lt;br /&gt;&lt;em&gt;&lt;br /&gt;&lt;/em&gt;These best practices should help retailers properly evaluate end to end encryption solutions.&lt;br /&gt;&lt;br /&gt;The VeriShield Protect End to End Encryption solution meets or exceeds all of these requirements.&lt;br /&gt;&lt;br /&gt;1. Cardholder data is encrypted as soon as the card is swiped and remains encrypted until it reaches the RBS datacenter.&lt;br /&gt;2. VeriShield Protect uses strong AES encryption.&lt;br /&gt;3. The first 6 digits and last 4 digits of the PAN are left in the clear for routing and receipt printing purposes, but all other track data is encrypted.&lt;br /&gt;4. No sensitive authentication is stored after authorization.&lt;br /&gt;5. Keys are managed per ANSI X9.24/ISO 11568 within Secure Cryptographic Devices (SCD) such as PED Payment Terminals and Host Security Modules (HSM).&lt;br /&gt;6. Keys and key components are generated using NIST SP 800-22 standards.&lt;br /&gt;7. The key management process is documented.&lt;br /&gt;8. Keys are only transmitted in a secure manner.&lt;br /&gt;9. Keys used for encryption are unique per device and not used for any other purpose.&lt;br /&gt;10. AES key strength is 128 bytes&lt;br /&gt;11. VeriShield Protect has been evaluated by an independent security evaluation organization and subjected to a cryptographic peer review.&lt;br /&gt;12. 
The VeriFone payment terminals used to perform cryptographic operations are PCI PED approved.&lt;br /&gt;13. All keys are protected against physical and logical compromise as well as protected from substitution, and the authenticity of keys is proven.&lt;br /&gt;14. After authorization, VeriShield Protect can produce a single-use or multi-use transaction ID or token.&lt;br /&gt;&lt;br /&gt;Visa’s publication of Data Field Encryption Best Practices is likely to become the next PCI standard. The history of Visa PED, Visa CISP and Visa PABP all being adopted by the PCI Security Standards Council will likely continue to be followed with this set of best practices. Retailers should feel confident that by adopting VeriShield Protect not only will they better protect their consumers’ data and reduce their PCI compliance costs, but also that they will be ahead of the game for the next payment industry standard.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;(1) “End to End Encryption: The Acquiring Side Responds to Data Loss and PCI Compliance”, George Peabody, Mercator Advisory Group, Inc. 
June 2009.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3354771926319415325-2439892087785421782?l=retailpayments.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://retailpayments.blogspot.com/feeds/2439892087785421782/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://retailpayments.blogspot.com/2009/10/verishield-protect-meets-visa-data.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/2439892087785421782'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/2439892087785421782'/><link rel='alternate' type='text/html' href='http://retailpayments.blogspot.com/2009/10/verishield-protect-meets-visa-data.html' title='VeriShield Protect Meets Visa Data Encryption Best Practices'/><author><name>JeffW</name><uri>http://www.blogger.com/profile/07664835499291761742</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_7AggRZ-dDao/Siz7ekszWTI/AAAAAAAAAAo/ntL6xrrW0sQ/S220/Jeff+Wakefield.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3354771926319415325.post-7612179343660357409</id><published>2009-10-20T05:53:00.000-07:00</published><updated>2009-10-20T05:59:08.109-07:00</updated><title type='text'></title><content type='html'>I read the recent article "&lt;a href="http://www.bankinfosecurity.com/articles.php?art_id=1869"&gt;Tokenization Vs. 
End-to-End Encryption: Experts Weigh in&lt;/a&gt;" published in Bank Information Security yesterday and felt compelled to send the following letter to the editor to correct the misinformation it contained.&lt;br /&gt;&lt;br /&gt;_____________________________________________________________&lt;br /&gt;&lt;br /&gt;Linda McGlasson&lt;br /&gt;Managing Editor, Bank Information Security&lt;br /&gt;&lt;br /&gt;I read the recent article you published on Tokenization versus End-to-End Encryption and I think there are several errors or misconceptions that should be corrected.  Perhaps some of this comes from the bias of the experts you interviewed.&lt;br /&gt;&lt;br /&gt;First, the entire discussion of tokenization versus end-to-end encryption does not even make sense.  This is not an either/or solution, nor is it a large versus small company decision.  Both tokenization and end-to-end encryption can improve the security of cardholder data and can work well together in many environments.&lt;br /&gt;&lt;br /&gt;By definition, tokenization cannot take place at the point of card swipe.  Cardholder data must be sent through the authorization process to a secure token server before a token could be generated and sent back in the response message.  This is the main reason why tokenization cannot stand alone in protecting cardholder data.  It will remain unprotected in payment terminals, POS systems and retailer host systems where it may be captured by malware planted by criminals.&lt;br /&gt;&lt;br /&gt;However, for long term data storage, tokenization may be the ideal solution for many retailers.  
We are partnering with several processors and merchants to deploy solutions which protect cardholder data in transit with end-to-end encryption and data at rest with tokenization.&lt;br /&gt;&lt;br /&gt;The first important point about end-to-end encryption is that it should take place as soon as the card is swiped and remain protected as it traverses the payment infrastructure until it is decrypted.  If that decryption takes place at the merchant’s acquiring processor, then there is no unencrypted cardholder data in the retailer’s environment.&lt;br /&gt;&lt;br /&gt;And I will have to disagree with Anton Chuvakin that no one can roll out an end to end encryption solution and have it secure and usable.   If the acquirer is involved and the payment terminal manufacturer provides a robust end to end encryption solution then smaller Level 4 merchants can remove cardholder data in the clear from their environment.  By following industry encryption and key management standards, such as defined by Visa in their recent Data Field Encryption Best Practices, larger merchants can also implement a secure and usable end-to-end encryption solution.&lt;br /&gt;&lt;br /&gt;Kevin Nixon, your independent security consultant, needs to learn more about the end-to-end encryption solutions on the market.  I suspect he is a QSA and fears that if security technology removes systems from PCI DSS scope he will be out of a job.  It has nothing to do with doing security on the cheap, it has everything to do with doing the best security.  In fact, end-to-end encryption for many retailers will cost more than their annual PCI DSS assessment.  Further, he argues such encryption could encrypt a worm and send it along.  First, end-to-end encryption, done per Visa Data Field Encryption standards, is done in the Tamper Resistant Security Module (TRSM) of the payment device which is protected by many of those layers Kevin talks about.  
And how could someone write a worm or malware and make it fit in the limited bytes of track data?&lt;br /&gt;&lt;br /&gt;Perhaps next time you write an article about end-to-end encryption or tokenization you should consider talking to some of the vendors who are currently helping retailers protect sensitive cardholder data.&lt;br /&gt;&lt;br /&gt;Jeff Wakefield&lt;br /&gt;VP &amp;amp; General Manager, Global Security Solutions, VeriFone&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3354771926319415325-7612179343660357409?l=retailpayments.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://retailpayments.blogspot.com/feeds/7612179343660357409/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://retailpayments.blogspot.com/2009/10/i-read-recent-article-tokenization-vs.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/7612179343660357409'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/7612179343660357409'/><link rel='alternate' type='text/html' href='http://retailpayments.blogspot.com/2009/10/i-read-recent-article-tokenization-vs.html' title=''/><author><name>JeffW</name><uri>http://www.blogger.com/profile/07664835499291761742</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_7AggRZ-dDao/Siz7ekszWTI/AAAAAAAAAAo/ntL6xrrW0sQ/S220/Jeff+Wakefield.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3354771926319415325.post-3352323127400956520</id><published>2009-09-25T20:19:00.000-07:00</published><updated>2009-09-25T20:36:51.312-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' 
term='Legislation'/><title type='text'>Is state-of-the-art security going to become a new legal standard?</title><content type='html'>In another recent case, a US District judge allowed a couple to bring a case against a bank; they alleged that the bank failed to implement state-of-the-art security technology, which resulted in their becoming victims of online bank account fraud of about $26,000. The judge refused to dismiss the case, clearing the way for the court case to take place. The judge stated: “In light of citizens' apparent delay in complying with FFIEC security standards, a reasonable finder of fact could conclude that the bank breached its duty to protect Plaintiffs' account against fraudulent access.”&lt;br /&gt;&lt;br /&gt;I'm sure this would apply to failure to implement PCI DSS requirements, but what about not using TDES after 7/1/10, or not implementing end to end encryption after several top retailers implement it?&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.securecomputing.net.au/News/156418,us-court-rules-that-bank-failed-to-protect-customer-against-fraud.aspx"&gt;http://www.securecomputing.net.au/News/156418,us-court-rules-that-bank-failed-to-protect-customer-against-fraud.aspx&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3354771926319415325-3352323127400956520?l=retailpayments.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://retailpayments.blogspot.com/feeds/3352323127400956520/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://retailpayments.blogspot.com/2009/09/in-another-recent-case-us-district.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/3352323127400956520'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/3354771926319415325/posts/default/3352323127400956520'/><link rel='alternate' type='text/html' href='http://retailpayments.blogspot.com/2009/09/in-another-recent-case-us-district.html' title='Is state-of-the-art security going to become a new legal standard?'/><author><name>JeffW</name><uri>http://www.blogger.com/profile/07664835499291761742</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_7AggRZ-dDao/Siz7ekszWTI/AAAAAAAAAAo/ntL6xrrW0sQ/S220/Jeff+Wakefield.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3354771926319415325.post-5887599120021513938</id><published>2009-09-25T20:00:00.001-07:00</published><updated>2009-09-25T20:00:59.381-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Legislation'/><category scheme='http://www.blogger.com/atom/ns#' term='Hannaford'/><category scheme='http://www.blogger.com/atom/ns#' term='FTC'/><title type='text'>Do a Retailer's Requirements to Protect Cardholder Data Go Beyond PCI?</title><content type='html'>Last week the US District Court in Maine threw out most of the claims in the class action lawsuits against Hannaford over their data breach.  What they did not throw out was a claim that Hannaford had an implied duty to take reasonable measures to protect consumer data.  What this means is that, in addition to several state laws that require protection of consumer data, retailers may become subject to an implied contract requiring them to protect the consumer data they gather in the course of doing business.  Other retailers have been assessed penalties by the Federal Trade Commission for unfair practices in protecting consumer data.  
While actual consumer damages in these breaches have been low because of the issuers’ card protection, I wonder if this opens the door for easier recovery of costs from merchants by the impacted financial institutions.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3354771926319415325-5887599120021513938?l=retailpayments.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://retailpayments.blogspot.com/feeds/5887599120021513938/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://retailpayments.blogspot.com/2009/09/does-retailers-requirements-to-protect.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/5887599120021513938'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/5887599120021513938'/><link rel='alternate' type='text/html' href='http://retailpayments.blogspot.com/2009/09/does-retailers-requirements-to-protect.html' title='Do a Retailer&apos;s Requirements to Protect Cardholder Data Go Beyond PCI?'/><author><name>JeffW</name><uri>http://www.blogger.com/profile/07664835499291761742</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_7AggRZ-dDao/Siz7ekszWTI/AAAAAAAAAAo/ntL6xrrW0sQ/S220/Jeff+Wakefield.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3354771926319415325.post-2129301237284636005</id><published>2009-09-25T19:58:00.000-07:00</published><updated>2009-09-25T19:59:39.025-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Cyber Security'/><category scheme='http://www.blogger.com/atom/ns#' term='Congress'/><category scheme='http://www.blogger.com/atom/ns#' 
term='Legislation'/><category scheme='http://www.blogger.com/atom/ns#' term='PCI'/><title type='text'>Former Congressman Does Not See Federal PCI Legislation Likely</title><content type='html'>Tom Davis, former US Congressman and currently at Deloitte, gave the keynote speech at the PCI SSC community meeting this week in Las Vegas.  After some very interesting insights about how presidential job approval impacts congressional elections, which is what drives much of Congress, he talked about the current climate on the Hill for cyber security initiatives, including legislation covering PCI.  His view was that there is benefit in congressional hearings to draw attention to the issue and get the industry to look harder at its own initiatives, and such hearings will continue.  However, there is no benefit to any congressman in pushing cyber security legislation of any kind until there is some kind of cyber Armageddon.  He believes any federal legislation that covers PCI will not occur for the foreseeable number of years.  This is not to be confused with someone filing a piece of legislation.  
He ended by saying the private sector is way ahead of the government sector on both cyber security policy and implementation.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3354771926319415325-2129301237284636005?l=retailpayments.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://retailpayments.blogspot.com/feeds/2129301237284636005/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://retailpayments.blogspot.com/2009/09/former-congressman-does-not-see-federal.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/2129301237284636005'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/2129301237284636005'/><link rel='alternate' type='text/html' href='http://retailpayments.blogspot.com/2009/09/former-congressman-does-not-see-federal.html' title='Former Congressman Does Not See Federal PCI Legislation Likely'/><author><name>JeffW</name><uri>http://www.blogger.com/profile/07664835499291761742</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_7AggRZ-dDao/Siz7ekszWTI/AAAAAAAAAAo/ntL6xrrW0sQ/S220/Jeff+Wakefield.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3354771926319415325.post-7499233742925785579</id><published>2009-08-19T08:16:00.001-07:00</published><updated>2009-08-19T08:16:56.092-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='PCI SSC'/><category scheme='http://www.blogger.com/atom/ns#' term='Encryption'/><category scheme='http://www.blogger.com/atom/ns#' term='E2E'/><category scheme='http://www.blogger.com/atom/ns#' term='PCI-DSS'/><title type='text'>End-to-End Encryption:  
What’s Next?</title><content type='html'>While end to end encryption solutions like VeriShield Protect are valuable tools for retailers looking to protect their customers’ cardholder data, even more benefits are on the horizon.&lt;br /&gt;&lt;br /&gt;The PCI Security Standards Council has engaged PricewaterhouseCoopers to conduct a study of new payment security technologies on securing cardholder data and achieving PCI DSS compliance.&lt;br /&gt;&lt;br /&gt;The study, currently underway, is expected to recommend that if a true, secure end to end encryption scheme is implemented, many of the PCI DSS requirements would be met.&lt;br /&gt;&lt;br /&gt;George Peabody of the Mercator Group estimates that retailers will save 80% of their on-going compliance costs and 75% of their PCI DSS audit costs by implementing a true end to end encryption solution like VeriShield Protect.  In his analysis, that would translate to between $262,500 and $1,750,000 in annual savings to a retailer.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3354771926319415325-7499233742925785579?l=retailpayments.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://retailpayments.blogspot.com/feeds/7499233742925785579/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://retailpayments.blogspot.com/2009/08/end-to-end-encryption-whats-next.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/7499233742925785579'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/7499233742925785579'/><link rel='alternate' type='text/html' href='http://retailpayments.blogspot.com/2009/08/end-to-end-encryption-whats-next.html' title='End-to-End Encryption:  What’s 
Next?'/><author><name>JeffW</name><uri>http://www.blogger.com/profile/07664835499291761742</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_7AggRZ-dDao/Siz7ekszWTI/AAAAAAAAAAo/ntL6xrrW0sQ/S220/Jeff+Wakefield.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3354771926319415325.post-208094353585869599</id><published>2009-08-19T08:10:00.000-07:00</published><updated>2009-08-19T08:12:57.657-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Encryption'/><category scheme='http://www.blogger.com/atom/ns#' term='E2E'/><category scheme='http://www.blogger.com/atom/ns#' term='VeriShield Protect'/><title type='text'>VeriShield Protect Offers Benefits Beyond End to End Encryption of Cardholder Data</title><content type='html'>In addition to the obvious benefits of encrypting cardholder data throughout a retailer’s enterprise, VeriShield Protect can assist retailers in improving the security of their systems and achieving PCI DSS compliance in many other ways.&lt;br /&gt;&lt;br /&gt;While the PCI DSS requirements do not require cardholder data to be encrypted across private networks, retailers are challenged to maintain compliance with PCI DSS, and protection against breaches, 24x7 across their vast geographically dispersed networks.  Exploiting gaps in compliance or other weaknesses in retailers’ systems, criminals have been able to install malware on retailers’ systems to capture cardholder data in transit.  In the cat and mouse game of data theft and data protection, most retailers realize now that they need to protect cardholder data at all points in their systems, including data in motion during the authorization approval process.  
To protect cardholder data in transit, retailers often turn to solutions other than end to end encryption, like SSL connections between devices or software-based encryption schemes within their POS systems.&lt;br /&gt;&lt;br /&gt;This presents challenges for many retailers however.  Retailers with any of the following issues may find it difficult, if not impossible to provide the additional cardholder data protection they desire to properly protect their customers from the impact of a data breach.  These challenges include:&lt;br /&gt;&lt;br /&gt;·   Retailers with older POS platforms&lt;br /&gt;·   Retailers who have mixed POS systems across their chain&lt;br /&gt;·   Retailers who are planning POS system upgrades in the next year or two&lt;br /&gt;·   Retailers who use public broadband networks for store communications&lt;br /&gt;·   Retailers with franchisees that make implementation of common systems difficult&lt;br /&gt;&lt;br /&gt;The VeriShield Protect end to end encryption solution can overcome all of these challenges with a minimum of effort or disruption to the existing POS and store systems infrastructure. &lt;br /&gt;&lt;br /&gt;Older systems with low processing bandwidth often cannot handle the processing overhead required to support encrypting communications between both the payment terminal and POS terminal, and between the POS terminal and the store server or host computer with SSL.  In addition, older payment terminals and the DOS-based POS systems that are still installed usually cannot support SSL at all.  VeriShield Protect, which does the encryption in the tamper-resistant security module (TRSM) within the payment terminal, overcomes the SSL limitation of older systems.  
And because VeriShield Protect uses Format Preserving Encryption (FPE), no changes are required to the POS systems in order to implement it.&lt;br /&gt;&lt;br /&gt;Another challenge retailers are often faced with is the need to support multiple POS systems across their stores – due to store or chain acquisitions, different POS systems in different brands, or multi-year POS upgrades, often tied to store remodels.  The challenge is the potential cost of implementing a data in transit protection scheme multiple times across each platform.  Again, the Format Preserving Encryption of VeriShield Protect solves this problem because it can be implemented across different POS systems without the need to change the POS system software.&lt;br /&gt;&lt;br /&gt;In a similar fashion, VeriShield Protect can solve the challenge faced by retailers who plan to upgrade their POS system in a few years.   These retailers are often reluctant to implement changes on their existing POS systems knowing the life of a project like this will be short, and they may prefer to use their resources getting a new POS system ready to deploy.  Because VeriShield Protect can be implemented without any required POS changes, it is a great solution for retailers who want to protect their current system today, and then use the same solution for their new POS system in the future.&lt;br /&gt;&lt;br /&gt;While most retailers use private networks, many find that using the public broadband infrastructure meets their requirements.  PCI DSS requires that cardholder data which traverses public networks must be encrypted.  VeriShield Protect, with its transaction monitoring capability and its secure key management functionality, is an excellent way to meet this requirement without any impact on POS systems.&lt;br /&gt;&lt;br /&gt;Retailers with franchise operators often face the most challenges of all.  
They may have multiple POS systems used by their operators and different systems they use in corporate stores.  It is not uncommon for these retailers to have some operators access their network over a public broadband architecture.  And finally, getting all of the franchise operators to implement common POS or store systems at the same time is usually impossible.  By implementing a common payment terminal across all corporate and franchise locations that supports VeriShield Protect, retailers with franchise locations can ensure that their customers’ cardholder data will be protected whether they pay in a corporate or franchise owned store.&lt;br /&gt;&lt;br /&gt;The VeriShield Protect solution provides a wide range of benefits for all entities in the payment chain.&lt;br /&gt;&lt;br /&gt;First, VeriShield Protect allows retailers to cost-effectively address three of the most difficult and expensive PCI DSS requirements.&lt;br /&gt;·   Requirement 3: Protect stored cardholder data&lt;br /&gt;·   Requirement 4: Encrypt transmission of cardholder data across open, public networks&lt;br /&gt;·   Requirement 5: Restrict physical access to data&lt;br /&gt;&lt;br /&gt;Among the other key benefits are:&lt;br /&gt;·   Cardholder data is never exposed in the clear in the POS environment&lt;br /&gt;·   Real-time monitoring improves encryption compliance and reduces the impact of costly audits, loss-prevention methods, and potential breaches&lt;br /&gt;·   There’s little or no impact on current POS systems and payment networks—no degradation of performance, and no changes required for most existing software&lt;br /&gt;·   BIN range checking continues to function as is, and nonpayment cards can be processed without encryption, if desired&lt;br /&gt;·   Cardholders are not impacted&lt;br /&gt; &lt;br /&gt;For more information about VeriShield Protect and End-to-End Encryption, visit our web site &lt;a href="http://www.verifone.com/verishield"&gt;www.verifone.com/verishield&lt;/a&gt; and 
download two white papers: “Protecting Cardholder Information: The Elusive Goal” and “Understanding End-to-End Encryption.”&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3354771926319415325-208094353585869599?l=retailpayments.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://retailpayments.blogspot.com/feeds/208094353585869599/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://retailpayments.blogspot.com/2009/08/verishield-protect-offers-benefits.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/208094353585869599'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/208094353585869599'/><link rel='alternate' type='text/html' href='http://retailpayments.blogspot.com/2009/08/verishield-protect-offers-benefits.html' title='VeriShield Protect Offers Benefits Beyond End to End Encryption of Cardholder Data'/><author><name>JeffW</name><uri>http://www.blogger.com/profile/07664835499291761742</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_7AggRZ-dDao/Siz7ekszWTI/AAAAAAAAAAo/ntL6xrrW0sQ/S220/Jeff+Wakefield.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3354771926319415325.post-9010038155993067403</id><published>2009-08-19T05:15:00.000-07:00</published><updated>2009-08-19T05:18:15.132-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='PCI PED'/><category scheme='http://www.blogger.com/atom/ns#' term='California Financial Code'/><category scheme='http://www.blogger.com/atom/ns#' term='ADA'/><category scheme='http://www.blogger.com/atom/ns#' term='American Council for the 
Blind'/><category scheme='http://www.blogger.com/atom/ns#' term='American Federation for the Blind'/><title type='text'>California Financial Code and PCI Touchscreen Requirements</title><content type='html'>There has been some confusion in the market about how to meet the California Financial Code requirements and still meet PCI requirements on touch screen terminals.  This bulletin is intended to clear that confusion up.&lt;br /&gt;&lt;br /&gt;The California Financial Code requires that retailers provide tactile keypads to allow PIN entry for sight impaired individuals.  While California is the only state with this law, and the federal regulations at the moment do not require this, several organizations have pushed national retailers to make the same accommodations.  These organizations include the American Council for the Blind and the American Federation for the Blind, and in some cases those groups’ state organizations.  Several retailers have negotiated settlements with these groups after legal action was initiated.  The most recent was Target, which settled on May 14th this year.  In that case, Target agreed to upgrade every payment device to have a tactile keypad.  The California Financial Code requires retailers to have a tactile keypad at every lane, except those retailers with just two lanes, who are allowed to have a tactile keypad in only one of those two lanes.&lt;br /&gt;&lt;br /&gt;While the California law does not spell out specifics for the keypad, the associations for the blind and the Federal Code call out several very specific requirements, including the number layout, the raised dot on the 5 key, and the colors and raised symbols on the clear, enter and cancel keys.  VeriFone products with keypads such as the MX 800 Series, the PP1000SE and the Vx 810 all meet these requirements.&lt;br /&gt;&lt;br /&gt;The PCI Security Standards Council is concerned with the integrity of the payments system, not its accessibility to persons with disabilities.  
That is why the PCI PED requirements do allow a virtual PIN Pad on touch screen only terminals.  While it was not spelled out in the early PCI PED requirements, the more current versions clearly state that overlays of any kind are not allowed on touch screens.  This includes both keypad overlays which would provide accessibility to sight impaired individuals as well as protective overlays.   The reason for this is the potential for criminals to embed technology within any kind of touch screen overlay that could be used to capture an individual’s PIN.  Whether this is a real or perceived threat, both MasterCard and Visa have confirmed that any kind of overlay on a touch screen device is not PCI compliant.&lt;br /&gt;&lt;br /&gt;Retailers wanting to meet both PCI requirements as well as provide access to sight impaired individuals have two choices.  First, install a product that has a tactile keypad built in, like the MX830, MX850, MX860 or MX870; or second, for products with touch screen only keypads, add an attached PIN Pad like the PP1000SE.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3354771926319415325-9010038155993067403?l=retailpayments.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://retailpayments.blogspot.com/feeds/9010038155993067403/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://retailpayments.blogspot.com/2009/08/california-financial-code-and-pci.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/9010038155993067403'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/9010038155993067403'/><link rel='alternate' type='text/html' 
href='http://retailpayments.blogspot.com/2009/08/california-financial-code-and-pci.html' title='California Financial Code and PCI Touchscreen Requirements'/><author><name>JeffW</name><uri>http://www.blogger.com/profile/07664835499291761742</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_7AggRZ-dDao/Siz7ekszWTI/AAAAAAAAAAo/ntL6xrrW0sQ/S220/Jeff+Wakefield.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3354771926319415325.post-7596762059821753104</id><published>2009-08-13T08:12:00.000-07:00</published><updated>2009-08-13T08:18:44.046-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Visually Impaired'/><category scheme='http://www.blogger.com/atom/ns#' term='California Financial Code'/><category scheme='http://www.blogger.com/atom/ns#' term='laws'/><title type='text'>Tactile PIN Debit Keypads required in all stores by 1/1/10.</title><content type='html'>Several years ago, the California Legislature passed Financial Code 13082, which requires all point-of-sale devices that have a touch screen keypad to also offer a tactile keypad to allow visually impaired individuals to enter their PIN securely.  
As of January 1, 2010 all retailers must comply with this law, which requires all retailers with more than 2 such devices to equip each one with a tactile keypad, and those with 2 lanes or less to equip one such device.&lt;br /&gt;&lt;br /&gt;The actual text of the California law follows.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a name="_Toc135796269"&gt;&lt;strong&gt;California Financial Code 13082&lt;/strong&gt;&lt;/a&gt;&lt;br /&gt;&lt;em&gt;Sourced at: &lt;/em&gt;&lt;a href="http://www.leginfo.ca.gov/calaw.html"&gt;&lt;em&gt;http://www.leginfo.ca.gov/calaw.html&lt;/em&gt;&lt;/a&gt;&lt;em&gt; &lt;/em&gt;&lt;br /&gt;&lt;em&gt;&lt;/em&gt;&lt;br /&gt;&lt;em&gt;&lt;span style="font-family:georgia;font-size:85%;"&gt;(a) Whenever a point-of-sale system is changed or modified to include a video touch screen or any other nontactile keypad, the point-of-sale device that would include the video touch screen or nontactile keypad shall also be equipped with a tactually discernible numerical keypad similar to a telephone keypad containing a raised dot with a dot base diameter between 1.5 millimeters and 1.6 millimeters and a height between 0.6 millimeters and 0.9 millimeters on the number 5 key that enables a visually impaired person to enter his or her own personal identification number or any other personal information necessary to process the transaction in a manner which provides the opportunity for the same degree of privacy input and output available to all individuals.   &lt;/span&gt;&lt;/em&gt;&lt;br /&gt;&lt;em&gt;&lt;span style="font-family:georgia;font-size:85%;"&gt;&lt;/span&gt;&lt;/em&gt;&lt;br /&gt;&lt;em&gt;&lt;span style="font-family:georgia;font-size:85%;"&gt;(b) (1) On or before January 1, 2010, any existing point-of-sale system, except as provided in paragraph (2), that includes a video touch screen or any other nontactile keypad shall also be equipped with a tactually discernable keypad as described in subdivision (a).   
&lt;/span&gt;&lt;/em&gt;&lt;br /&gt;&lt;em&gt;&lt;span style="font-family:georgia;font-size:85%;"&gt;(2) At locations equipped with two or less point-of-sale machines, only one point-of-sale machine shall be required to be equipped with a tactually discernible keypad on or before January 1, 2010, as described in subdivision (a).   &lt;/span&gt;&lt;/em&gt;&lt;br /&gt;&lt;em&gt;&lt;span style="font-size:85%;"&gt;&lt;/span&gt;&lt;/em&gt;&lt;br /&gt;&lt;em&gt;&lt;span style="font-family:georgia;font-size:85%;"&gt;(c) On and after January 1, 2006, a manufacturer or distributor shall be required to offer for availability touch screen or other nontactile point-of-sale devices to be used and sold in this state that are equipped with tactually discernible keypads as described in subdivision (a) that enable a visually impaired person to enter his or her own personal identification number or any other personal information necessary to process a transaction in a manner that ensures personal privacy of the information being entered.   &lt;/span&gt;&lt;/em&gt;&lt;br /&gt;&lt;em&gt;&lt;span style="font-size:85%;"&gt;&lt;/span&gt;&lt;/em&gt;&lt;br /&gt;&lt;em&gt;&lt;span style="font-family:georgia;font-size:85%;"&gt;(d) As used in this section, "point-of-sale device" includes any device used by a customer for the purchase of a good or service where a personal identification number (PIN) is required, but does not include the following:   (1) An automated teller machine as defined in subdivision (c) of Section 13020.   (2) A point-of-sale device that is equipped to, or exclusively services, motor fuel dispensers.   
(e) This section shall not be construed to preclude or limit any other existing right or remedy as it pertains to point-of-sale devices and accessibility.&lt;br /&gt;&lt;/span&gt;&lt;/em&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3354771926319415325-7596762059821753104?l=retailpayments.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://retailpayments.blogspot.com/feeds/7596762059821753104/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://retailpayments.blogspot.com/2009/08/tactile-pin-debit-keypads-required-in.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/7596762059821753104'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/7596762059821753104'/><link rel='alternate' type='text/html' href='http://retailpayments.blogspot.com/2009/08/tactile-pin-debit-keypads-required-in.html' title='Tactile PIN Debit Keypads required in all stores by 1/1/10.'/><author><name>JeffW</name><uri>http://www.blogger.com/profile/07664835499291761742</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_7AggRZ-dDao/Siz7ekszWTI/AAAAAAAAAAo/ntL6xrrW0sQ/S220/Jeff+Wakefield.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3354771926319415325.post-7936151893871925016</id><published>2009-08-12T13:45:00.000-07:00</published><updated>2009-08-12T13:57:27.624-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='PCI PED'/><category scheme='http://www.blogger.com/atom/ns#' term='PTS'/><category scheme='http://www.blogger.com/atom/ns#' term='PCI SSC'/><category scheme='http://www.blogger.com/atom/ns#' 
term='Visa PED'/><category scheme='http://www.blogger.com/atom/ns#' term='PIN Transaction Security'/><category scheme='http://www.blogger.com/atom/ns#' term='Visa'/><title type='text'>The Evolution of Payment Terminal Standards</title><content type='html'>&lt;div&gt;Almost since the inception of payment terminals, there has been concern about criminals tampering with these devices to capture card information for fraudulent purposes. In 1997, Visa issued the first security requirements for PIN Entry Devices. Effective January 1, 2008, all newly deployed PIN entry terminals were required to meet this standard. Manufacturers did not have to submit terminals to independent labs for certification against this standard; rather, they simply attested that the standard was met. In 2002, Visa enhanced their PED security program with additional security requirements and the requirement that terminals be submitted to a Visa approved lab for approval. In May of 2003, Visa announced that effective January 1, 2004, all newly deployed terminals must meet this standard, and that as of July 1, 2010, all installed terminals must have met this standard and been independently tested by a lab.&lt;br /&gt;&lt;br /&gt;In 2004, MasterCard and Visa agreed to develop one set of PIN Entry Device requirements, which became known as PCI PED. As part of this agreement they announced that all newly deployed terminals after January 1, 2008 must meet this requirement.&lt;br /&gt;&lt;br /&gt;In 2005, the card associations (American Express, Discover, JCB, MasterCard and Visa) formed the PCI Security Standards Council to standardize the payment security standards they required retailers to adhere to (the PCI DSS, or Data Security Standard). In September 2006, the PCI SSC announced that they would take over the management and development of the PED Standard, and they released the PCI PED 2.0 Requirements in April of 2007. 
Next in the evolution of Payment Terminal Standards will be the introduction of the PTS (PIN Transaction Security Program) at the PCI SSC community meeting in September 2009.&lt;br /&gt;&lt;br /&gt;The following chart illustrates the timeline of the evolution of payment terminal standards. &lt;/div&gt;&lt;br /&gt;&lt;div&gt;&lt;/div&gt;&lt;a href="http://3.bp.blogspot.com/_7AggRZ-dDao/SoMsjtdTbVI/AAAAAAAAABo/-Hy5NnuZ2rQ/s1600-h/PIN+Entry+Device+Standards+Timeline.jpg"&gt;&lt;img id="BLOGGER_PHOTO_ID_5369184172765310290" style="WIDTH: 400px; CURSOR: hand; HEIGHT: 267px" alt="" src="http://3.bp.blogspot.com/_7AggRZ-dDao/SoMsjtdTbVI/AAAAAAAAABo/-Hy5NnuZ2rQ/s400/PIN+Entry+Device+Standards+Timeline.jpg" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3354771926319415325-7936151893871925016?l=retailpayments.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://retailpayments.blogspot.com/feeds/7936151893871925016/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://retailpayments.blogspot.com/2009/08/evolution-of-payment-terminal-standards.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/7936151893871925016'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/7936151893871925016'/><link rel='alternate' type='text/html' href='http://retailpayments.blogspot.com/2009/08/evolution-of-payment-terminal-standards.html' title='The Evolution of Payment Terminal Standards'/><author><name>JeffW</name><uri>http://www.blogger.com/profile/07664835499291761742</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://4.bp.blogspot.com/_7AggRZ-dDao/Siz7ekszWTI/AAAAAAAAAAo/ntL6xrrW0sQ/S220/Jeff+Wakefield.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_7AggRZ-dDao/SoMsjtdTbVI/AAAAAAAAABo/-Hy5NnuZ2rQ/s72-c/PIN+Entry+Device+Standards+Timeline.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3354771926319415325.post-3568940761845264947</id><published>2009-08-12T03:42:00.000-07:00</published><updated>2009-08-17T08:58:59.177-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='skimmer'/><category scheme='http://www.blogger.com/atom/ns#' term='PIN Pad'/><category scheme='http://www.blogger.com/atom/ns#' term='PIN Breach'/><title type='text'>Interesting Skimmer Found in a US retailer</title><content type='html'>&lt;a href="http://2.bp.blogspot.com/_7AggRZ-dDao/SoKdShZDnjI/AAAAAAAAABQ/yT9RdZxXCV0/s1600-h/Hypercom+Skimmer.jpg"&gt;&lt;img id="BLOGGER_PHOTO_ID_5369026647305723442" style="FLOAT: left; MARGIN: 0px 10px 10px 0px; WIDTH: 180px; CURSOR: hand; HEIGHT: 180px" alt="" src="http://2.bp.blogspot.com/_7AggRZ-dDao/SoKdShZDnjI/AAAAAAAAABQ/yT9RdZxXCV0/s320/Hypercom+Skimmer.jpg" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;Here is an interesting picture of a skimmer, apparently uncovered by Knoxville area law enforcement. 
It's the first time I have seen a picture of the entire top case of a payment terminal being used as a skimming device!&lt;br /&gt;&lt;br /&gt;The full article is&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3354771926319415325-3568940761845264947?l=retailpayments.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://retailpayments.blogspot.com/feeds/3568940761845264947/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://retailpayments.blogspot.com/2009/08/here-is-interesting-picture-of-skimmer.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/3568940761845264947'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/3568940761845264947'/><link rel='alternate' type='text/html' href='http://retailpayments.blogspot.com/2009/08/here-is-interesting-picture-of-skimmer.html' title='Interesting Skimmer Found in a US retailer'/><author><name>JeffW</name><uri>http://www.blogger.com/profile/07664835499291761742</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_7AggRZ-dDao/Siz7ekszWTI/AAAAAAAAAAo/ntL6xrrW0sQ/S220/Jeff+Wakefield.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_7AggRZ-dDao/SoKdShZDnjI/AAAAAAAAABQ/yT9RdZxXCV0/s72-c/Hypercom+Skimmer.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3354771926319415325.post-7644923142785623428</id><published>2009-08-11T17:51:00.000-07:00</published><updated>2009-08-11T17:56:01.722-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Payment Trends'/><category 
scheme='http://www.blogger.com/atom/ns#' term='iPhone'/><category scheme='http://www.blogger.com/atom/ns#' term='Mobile Paymenrs'/><category scheme='http://www.blogger.com/atom/ns#' term='check'/><title type='text'>Wireless Check Deposit via the iPhone</title><content type='html'>&lt;a href="http://3.bp.blogspot.com/_7AggRZ-dDao/SoISyUJdPHI/AAAAAAAAABI/KLOwtCvaRqc/s1600-h/Close_up_Deposit_check_w_iPhone.jpg"&gt;&lt;img style="cursor:pointer; cursor:hand;width: 320px; height: 204px;" src="http://3.bp.blogspot.com/_7AggRZ-dDao/SoISyUJdPHI/AAAAAAAAABI/KLOwtCvaRqc/s320/Close_up_Deposit_check_w_iPhone.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5368874361390185586" /&gt;&lt;/a&gt;&lt;br /&gt;Pretty neat application from USAA which lets customers deposit checks wirelessly by taking a photo of both sides of the check using the iPhone's built-in camera, and then sending an image of a check directly to USAA where it can be verified and deposited.  &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;See the complete story &lt;a href="http://news.cnet.com/8301-13579_3-10307182-37.html"&gt;here&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3354771926319415325-7644923142785623428?l=retailpayments.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://retailpayments.blogspot.com/feeds/7644923142785623428/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://retailpayments.blogspot.com/2009/08/wireless-check-deposit-via-iphone.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/7644923142785623428'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/7644923142785623428'/><link rel='alternate' type='text/html' 
href='http://retailpayments.blogspot.com/2009/08/wireless-check-deposit-via-iphone.html' title='Wireless Check Deposit via the iPhone'/><author><name>JeffW</name><uri>http://www.blogger.com/profile/07664835499291761742</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_7AggRZ-dDao/Siz7ekszWTI/AAAAAAAAAAo/ntL6xrrW0sQ/S220/Jeff+Wakefield.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_7AggRZ-dDao/SoISyUJdPHI/AAAAAAAAABI/KLOwtCvaRqc/s72-c/Close_up_Deposit_check_w_iPhone.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3354771926319415325.post-4308691840933978935</id><published>2009-07-29T12:51:00.000-07:00</published><updated>2009-07-29T12:54:18.775-07:00</updated><title type='text'>VeriFone ranked 3rd best peripherals vendor by retailers!</title><content type='html'>The RIS News 2009 Hardware Leaderboard is out.  This is the fourth year of the survey of retailers asking them to review their hardware vendors.  Almost 500 retailer reviews were submitted covering 79 suppliers of hardware technology to retailers including POS systems, peripherals and digital signage and networking.&lt;br /&gt;&lt;br /&gt;In the peripherals category, VeriFone ranked 3rd overall, 1st in technology innovation and 2nd in product features!  In this category, VeriFone trailed only Epson and Dell.  
Hypercom and Ingenico again this year did not make the top ten.&lt;br /&gt;&lt;br /&gt;In the kiosk category, VeriFone also ranked 3rd overall behind IBM and NCR, and ranked 2nd in product quality.&lt;br /&gt;&lt;br /&gt;In the overall category of all POS hardware, VeriFone ranked 6th overall, including 3rd in Product Features and 3rd in Technology innovation.&lt;br /&gt;&lt;br /&gt;The full study can be downloaded &lt;a href="http://ow.ly/iwmq"&gt;here.&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3354771926319415325-4308691840933978935?l=retailpayments.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://retailpayments.blogspot.com/feeds/4308691840933978935/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://retailpayments.blogspot.com/2009/07/verifone-ranked-3rd-best-peripherals.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/4308691840933978935'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/4308691840933978935'/><link rel='alternate' type='text/html' href='http://retailpayments.blogspot.com/2009/07/verifone-ranked-3rd-best-peripherals.html' title='VeriFone ranked 3rd best peripherals vendor by retailers!'/><author><name>JeffW</name><uri>http://www.blogger.com/profile/07664835499291761742</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://4.bp.blogspot.com/_7AggRZ-dDao/Siz7ekszWTI/AAAAAAAAAAo/ntL6xrrW0sQ/S220/Jeff+Wakefield.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3354771926319415325.post-971125590720718577</id><published>2009-07-27T13:44:00.000-07:00</published><updated>2009-07-29T13:08:17.446-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Visa'/><category scheme='http://www.blogger.com/atom/ns#' term='Chip and PIN'/><title type='text'>Visa - Chip &amp; Pin not coming to US for a long time</title><content type='html'>The June/July issue of Cards&amp;Payments has an article profiling Ellen Richey, head of global enterprise risk for Visa.  Some interesting points from the article.&lt;br /&gt;&lt;br /&gt;Q: Is it possible for companies to maintain compliance all the time?&lt;br /&gt;&lt;em&gt;A: Maintaining compliance is basically just disciplined execution.  Security needs to be built into the business process so it is part of the everyday work.&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;Q: You said recently that Visa expects the US to adopt chip technology that is being used elsewhere to make purchases more secure.  When do you think that will happen?&lt;br /&gt;&lt;em&gt;A: The fundamental technology will have to be consistent all around the world, and the EMV standard is what needs to be applied to maintain interoperability.  But the U.S. is not going to be adopting a chip-and-PIN credit card or debit card any time in the very near future.  What we're seeing today in the U.S. is contactless-chip technology rolling out.&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;Q: What will be the greatest security advance?&lt;br /&gt;&lt;em&gt;A: First, we think the industry ultimately needs to move toward dynamic data.  Trying to protect static data within the system is going to be, I hope, less and less of a problem because the data will be less and less vulnerable.  Once it's stolen, it would be unusable.  That would be the ultimate advance.  
Secondly, what I would like to see is continuously improving collaboration among all stakeholders - better communications and better cooperation to advance security - because we think security is absolutely a shared responsibility, and everybody has a role to play.&lt;/em&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3354771926319415325-971125590720718577?l=retailpayments.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://retailpayments.blogspot.com/feeds/971125590720718577/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://retailpayments.blogspot.com/2009/07/visa-chip-pin-mot-coming-to-us-for-long.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/971125590720718577'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/971125590720718577'/><link rel='alternate' type='text/html' href='http://retailpayments.blogspot.com/2009/07/visa-chip-pin-mot-coming-to-us-for-long.html' title='Visa - Chip &amp; Pin not coming to US for a long time'/><author><name>JeffW</name><uri>http://www.blogger.com/profile/07664835499291761742</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_7AggRZ-dDao/Siz7ekszWTI/AAAAAAAAAAo/ntL6xrrW0sQ/S220/Jeff+Wakefield.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3354771926319415325.post-6213343823134485791</id><published>2009-07-27T13:38:00.000-07:00</published><updated>2009-07-27T13:40:51.893-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Compliance'/><category scheme='http://www.blogger.com/atom/ns#' term='PCI DSS'/><category 
scheme='http://www.blogger.com/atom/ns#' term='Visa'/><title type='text'>Visa's Latest PCI DSS Compliance Numbers</title><content type='html'>From a session at the MWAA (Midwest Acquirers Association) last week.  Visa’s PCI DSS compliance figures by merchant level:&lt;br /&gt;&lt;br /&gt;&lt;table&gt;&lt;tr&gt;&lt;th&gt;Level&lt;/th&gt;&lt;th&gt;Companies&lt;/th&gt;&lt;th&gt;PCI DSS compliant&lt;/th&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;1&lt;/td&gt;&lt;td&gt;362&lt;/td&gt;&lt;td&gt;93%&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;2&lt;/td&gt;&lt;td&gt;702&lt;/td&gt;&lt;td&gt;88%&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;3&lt;/td&gt;&lt;td&gt;2,627&lt;/td&gt;&lt;td&gt;57%&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;4&lt;/td&gt;&lt;td&gt;6 million+&lt;/td&gt;&lt;td&gt;low&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3354771926319415325-6213343823134485791?l=retailpayments.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://retailpayments.blogspot.com/feeds/6213343823134485791/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://retailpayments.blogspot.com/2009/07/visas-latest-pci-dss-compliance-numbers.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/6213343823134485791'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/6213343823134485791'/><link rel='alternate' type='text/html' href='http://retailpayments.blogspot.com/2009/07/visas-latest-pci-dss-compliance-numbers.html' title='Visa&apos;s Latest PCI DSS Compliance Numbers'/><author><name>JeffW</name><uri>http://www.blogger.com/profile/07664835499291761742</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_7AggRZ-dDao/Siz7ekszWTI/AAAAAAAAAAo/ntL6xrrW0sQ/S220/Jeff+Wakefield.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3354771926319415325.post-4063608753039197582</id><published>2009-07-22T10:23:00.000-07:00</published><updated>2009-07-22T10:24:11.308-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='RSPA'/><category 
scheme='http://www.blogger.com/atom/ns#' term='Level 4'/><category scheme='http://www.blogger.com/atom/ns#' term='PCI DSS'/><category scheme='http://www.blogger.com/atom/ns#' term='Dealers'/><title type='text'>How Dealers Should Deal with PCI Compliance</title><content type='html'>There were some interesting comments and ideas presented by Bob Goldberg, General Counsel of the RSPA, during the PCI panel discussion I moderated in Las Vegas last week.  After thinking about them, I want to expand on his comments and discuss what dealers should be doing to make their customers PCI compliant.&lt;br /&gt;&lt;br /&gt;For perspective, the RSPA (which used to be the IRCDA, then the Systems Dealer Association) membership is dealers.  Not ISV’s or POS vendors, but dealers who provide local sales, support and service to millions of primarily Level 4 merchants who want POS systems or ECR’s.&lt;br /&gt;&lt;br /&gt;All players in the payment industry agree that the Level 4 merchants served by RSPA members have the least knowledge of PCI requirements.  These merchants usually have no IT staff, or at most a small one, and they focus on what they do best: selling goods, cooking meals, or entertaining customers.  Expecting them to understand the subtleties of the liability shift as of July 1, 2010, when they do not even understand what to do for PCI compliance, is ludicrous.&lt;br /&gt;&lt;br /&gt;The ultimate security solution for these Level 4 merchants is one with which they never have to think about payment card security.  The industry needs to provide them with a secure card processing solution in the normal course of business.  The only solution likely to meet those criteria is end-to-end encryption.  
The end game is to make sure small merchants never have to think about payment card security.&lt;br /&gt;&lt;br /&gt;This is some time away from widespread industry adoption, so in the meantime dealers must develop alternative plans to protect their businesses and their customers.&lt;br /&gt;&lt;br /&gt;While RSPA members generally understand the PCI programs and requirements, their customers most often do not.  Focused on running their businesses in a challenging economy, these merchants often put off PCI-related expenses for many reasons, including lack of capital, no understanding of the impact of non-compliance, or the belief that a breach will never happen to them.&lt;br /&gt;&lt;br /&gt;Where this becomes a significant issue for a dealer is when a customer is breached.  In that case, the dealer is often sued by the merchant for improper installation, for not telling them they needed a software upgrade for PA-DSS, or for some other reason that deflects blame away from the merchant or recoups some of the merchant’s breach and remediation expenses.&lt;br /&gt;&lt;br /&gt;So how can a dealer protect themselves when they are caught between the rock of merchants who do not want to spend money on PCI compliance and the hard place of the card brands with their mandated PCI compliance dates?  There are several things retail dealers need to do to protect themselves.&lt;br /&gt;&lt;br /&gt;First and foremost is education.  Dealers need to understand the PCI standards, the compliance dates and the impact of non-compliance on themselves and their customers.  
They do not need to become experts in the details of each standard, but they need to be comfortable talking about what retailers must do by what dates, and what the impact of missing the card brand deadlines would be on their customers’ businesses.&lt;br /&gt;&lt;br /&gt;Second, dealers must understand the PCI status of the products they sell.  Do the software applications they resell meet current PA-DSS requirements?  What installation process do they need to follow to ensure the software is installed properly?  Do the payment terminals they sell meet the current requirements?  What is the plan for the merchant’s acquirer to meet the upcoming TDES implementation date of July 1, 2010?&lt;br /&gt;&lt;br /&gt;Next, dealers need to make sure they inform their customers about any deadlines that apply to the products they sell them.  If a dealer sells POS applications, they need to inform each customer of the deadline for upgrading to the next PA-DSS validated version.  If the dealer sells payment terminals or PIN pads, they should communicate to their customers the July 1, 2010 dates for removal of non-certified devices and implementation of Triple-DES keys.  Beyond just informing customers about these dates, dealers need to document these conversations via an email or paper trail.  Dealers need this documentation to prove they told their customers about impending compliance dates in the event a customer is breached and wants to sue them.&lt;br /&gt;&lt;br /&gt;Finally, dealers need to understand the installation requirements of the solutions they sell.  PA-DSS requires the software vendor to provide installation instructions (the PA-DSS Implementation Guide) so that the software is installed properly.  Other products that dealers sell and install must also be properly installed and configured, for example by changing default passwords and blocking unused ports.  
Each dealer should develop a checklist of the proper installation requirements to be completed as their employees install or upgrade systems.  At the end of the installation or upgrade, the installer should review the checklist with a customer representative and have them sign it, indicating that the installation was done in accordance with accepted PCI standards and that, going forward, it is the customer’s responsibility to maintain the PCI compliance of the system.&lt;br /&gt;&lt;br /&gt;The recommendations here should go a long way toward protecting a dealer in case one of their customers is breached, and should also position dealers who follow them as business advisors and payment security experts in addition to retail systems experts.  In the long run, people buy systems from people they trust, and helping customers protect their systems from a breach will benefit the dealers who bring more value to their customers.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3354771926319415325-4063608753039197582?l=retailpayments.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://retailpayments.blogspot.com/feeds/4063608753039197582/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://retailpayments.blogspot.com/2009/07/how-dealers-should-deal-with-pci.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/4063608753039197582'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/4063608753039197582'/><link rel='alternate' type='text/html' href='http://retailpayments.blogspot.com/2009/07/how-dealers-should-deal-with-pci.html' title='How Dealers Should Deal with PCI 
Compliance'/><author><name>JeffW</name><uri>http://www.blogger.com/profile/07664835499291761742</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_7AggRZ-dDao/Siz7ekszWTI/AAAAAAAAAAo/ntL6xrrW0sQ/S220/Jeff+Wakefield.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3354771926319415325.post-4529743975888174369</id><published>2009-07-21T11:17:00.000-07:00</published><updated>2009-07-21T11:39:37.811-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Compliance'/><category scheme='http://www.blogger.com/atom/ns#' term='PCI DSS'/><category scheme='http://www.blogger.com/atom/ns#' term='laws'/><title type='text'>Who is Minding the Legal Risk around PCI?</title><content type='html'>David J. Navetta, Esq., CIPP, managing member of InfoSecCompliance, LLC, published an excellent article in the April 2009 issue of the ISSA (Information Systems Security Association) Journal titled "Who is Minding the Legal Risk around PCI?"&lt;br /&gt;&lt;br /&gt;The article reviews the legal framework for PCI-related compliance and lawsuits and should be a must-read for anyone responsible for PCI compliance at their company.&lt;br /&gt;&lt;br /&gt;A PDF of the article can be found &lt;a href="http://www.box.net/shared/obixa5z5g1"&gt;here&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3354771926319415325-4529743975888174369?l=retailpayments.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://retailpayments.blogspot.com/feeds/4529743975888174369/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://retailpayments.blogspot.com/2009/07/who-is-minding-legal-risk-around-pci.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/3354771926319415325/posts/default/4529743975888174369'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/4529743975888174369'/><link rel='alternate' type='text/html' href='http://retailpayments.blogspot.com/2009/07/who-is-minding-legal-risk-around-pci.html' title='Who is Minding the Legal Risk around PCI?'/><author><name>JeffW</name><uri>http://www.blogger.com/profile/07664835499291761742</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_7AggRZ-dDao/Siz7ekszWTI/AAAAAAAAAAo/ntL6xrrW0sQ/S220/Jeff+Wakefield.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3354771926319415325.post-4947345224202223937</id><published>2009-07-21T09:46:00.001-07:00</published><updated>2009-07-25T04:54:08.383-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Nevada'/><category scheme='http://www.blogger.com/atom/ns#' term='Encryption'/><category scheme='http://www.blogger.com/atom/ns#' term='PCI DSS'/><category scheme='http://www.blogger.com/atom/ns#' term='E2E'/><category scheme='http://www.blogger.com/atom/ns#' term='laws'/><title type='text'>Does the Nevada Information Security Law apply to all retailers?</title><content type='html'>David Navetta has a good post today about the implications of the Nevada Security of Personal Information Law on the &lt;a href="http://infoseccompliance.com/2009/07/21/nevadas-security-of-personal-information-law-post-one-the-basics-of-nevadas-security-law-and-destruction-of-records/"&gt;InfoSec Compliance Blog&lt;/a&gt;. &lt;br /&gt;&lt;br /&gt;He makes the point, as have others, that the law applies to almost any company whether you do business in Nevada or not.  
If you accept a credit or debit card from even one Nevada resident, even though none of your stores are located in Nevada, then you are required to meet the PCI Data Security Standard and to encrypt cardholder data if it is sent outside your enterprise.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3354771926319415325-4947345224202223937?l=retailpayments.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://retailpayments.blogspot.com/feeds/4947345224202223937/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://retailpayments.blogspot.com/2009/07/does-nevada-inormation-security-law.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/4947345224202223937'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/4947345224202223937'/><link rel='alternate' type='text/html' href='http://retailpayments.blogspot.com/2009/07/does-nevada-inormation-security-law.html' title='Does the Nevada Information Security Law apply to all retailers?'/><author><name>JeffW</name><uri>http://www.blogger.com/profile/07664835499291761742</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_7AggRZ-dDao/Siz7ekszWTI/AAAAAAAAAAo/ntL6xrrW0sQ/S220/Jeff+Wakefield.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3354771926319415325.post-2251976127752814830</id><published>2009-07-19T11:52:00.000-07:00</published><updated>2009-07-19T11:53:38.694-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Encryption'/><category scheme='http://www.blogger.com/atom/ns#' 
term='PIN Translation'/><category scheme='http://www.blogger.com/atom/ns#' term='TDES'/><category scheme='http://www.blogger.com/atom/ns#' term='HSM'/><category scheme='http://www.blogger.com/atom/ns#' term='HSM Attack'/><category scheme='http://www.blogger.com/atom/ns#' term='PIN Breach'/><title type='text'>Verizon Business reveals details of Encryption Key Compromises</title><content type='html'>Verizon Business recently held a webinar titled “Don’t be the next victim of PIN-based attacks.”&lt;br /&gt;&lt;br /&gt;In the webinar, they revealed that there have been several PIN breaches, and described the most common attacks against encrypted debit PINs.  While the details vary, what these attacks have in common is that criminals first break into a system in the payments infrastructure and then gain logical control of the HSM (Host Security Module) used to translate debit PIN blocks between the keys of different payment processors.  The attacks apply both to financial institutions and to retailers that have installed HSMs for PIN translation.&lt;br /&gt;&lt;br /&gt;The top threats identified in the webinar are:&lt;br /&gt;• PIN Block Translation Attack&lt;br /&gt;• HSM API Brute Force Attack&lt;br /&gt;• Lack of Unique Keys per Device/Zone&lt;br /&gt;• Use of weak keys&lt;br /&gt;&lt;br /&gt;The PIN Block Translation attack takes advantage of a weak PIN block format that HSMs still support for compatibility reasons.  The format, called IBM/Diebold, does not bind the PIN to the card number, so a four-digit PIN can only produce 10,000 distinct blocks.  The standard ANSI X9.8 PIN block format combines the PIN with twelve digits of the PAN, so the same PIN yields a different block for every card; the webinar quoted 1,000,000,000,000,000,000,000,000,000 combinations for it.  In this attack, criminals first breach the payment network and then gain control of the HSM.  They then issue commands that have the HSM build a table of all 10,000 possible PINs encrypted in the IBM/Diebold format under a key they load into the HSM.  
They then use the PIN translation command of the HSM to translate the DES- or TDES-encrypted PIN blocks they have captured into the IBM/Diebold format under the IBM/Diebold key they loaded into the HSM.  Because that format does not depend on the PAN, each translated block can simply be looked up in the 10,000-entry table, which returns the clear PIN.  No key ever leaves the HSM; the translation command itself does the work.&lt;br /&gt;&lt;br /&gt;A note: Verizon reports that gaining logical access to the HSM is easier than many people think and happens far more often than assumed.&lt;br /&gt;&lt;br /&gt;The HSM API Brute Force attack is similar to the PIN Block Translation Attack, but does not rely on the IBM/Diebold format.  Like the PIN Block Translation Attack, it requires logical access to the HSM, gained after breaching the payment network.  The attackers treat the HSM’s PIN verification and translation commands as an oracle: they submit millions of requests, usually from batch or script files, until the responses reveal the clear PIN behind each encrypted block.  The attack is not technically difficult, but it needs far more time and processing power than the table lookup.&lt;br /&gt;&lt;br /&gt;The Lack of Unique Keys per Device/Zone is generally an attack against retailers, although some ATM networks and gateways have also been breached because they still use master/session keys, so one key protects the PIN blocks of many devices.  This attack is usually aided by finding encrypted PIN block data in places like TLOG (transaction log) files, and again uses a brute force attack against the encrypted PINs.&lt;br /&gt;&lt;br /&gt;The fourth common method of attack against encrypted PINs takes advantage of weak single-DES keys.  In 1998, in a purpose-built lab environment, a DES key was cracked in 56 hours.  By 2007, a DES key could be cracked in about 6 days with hardware costing less than $10,000.  &lt;br /&gt;&lt;br /&gt;There is also a Russian criminal gang that offers a fee-based DES cracking service.  
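&lt;br /&gt;&lt;br /&gt;The two HSM attacks above, reduced to a runnable sketch in Python.  This is an added example, not material from the Verizon webinar and not any HSM vendor’s code: the block cipher is a toy XOR stand-in for DES/TDES, the PAN-free block format stands in for the IBM/Diebold format, the HSM command names, key names and card data are constructed, and the log review at the end illustrates the webinar’s log-monitoring advice rather than a feature of any product.  It shows why ANSI X9.8 (ISO 9564 format 0) blocks cannot be attacked with a single lookup table (the PAN is mixed into the block), why one translation command into a PAN-free format collapses the work to a 10,000-entry table without any key ever leaving the HSM, and what the resulting burst of translations looks like in the command log.&lt;br /&gt;&lt;br /&gt;

```python
"""PIN block formats, an HSM translation oracle, and a log check (added example)."""
import hashlib
from collections import Counter


def iso0_pin_block(pin: str, pan: str) -> str:
    """ANSI X9.8 / ISO 9564 format 0: PIN field XOR PAN field.
    The same PIN gives a different clear block for every PAN."""
    pin_field = "0" + str(len(pin)) + pin + "F" * (14 - len(pin))
    pan_field = "0000" + pan[-13:-1]  # 12 rightmost PAN digits, check digit excluded
    return "%016X" % (int(pin_field, 16) ^ int(pan_field, 16))


def iso0_extract_pin(clear_block: str, pan: str) -> str:
    """Undo the PAN XOR and read the PIN out of a clear format-0 block."""
    pan_field = "0000" + pan[-13:-1]
    fields = "%016X" % (int(clear_block, 16) ^ int(pan_field, 16))
    return fields[2:2 + int(fields[1])]


def pan_free_pin_block(pin: str) -> str:
    """Stand-in for the legacy IBM/Diebold style block (assumption): the PIN
    padded with F and no PAN, so 4-digit PINs give only 10,000 distinct blocks."""
    return pin + "F" * (16 - len(pin))


def toy_cipher(key: bytes, block_hex: str) -> str:
    """Toy invertible stand-in for one DES/TDES block operation (assumption, not
    a real cipher). Encrypting and decrypting are the same XOR with a key stream."""
    stream = hashlib.sha256(key).digest()[:8]
    data = bytes.fromhex(block_hex)
    return bytes(a ^ b for a, b in zip(data, stream)).hex().upper()


class SimulatedHsm:
    """Minimal model of the HSM: holds keys, translates PIN blocks, logs commands."""

    def __init__(self, zone_key: bytes):
        self.keys = {"ZPK": zone_key}  # zone key under which PIN blocks arrive
        self.log = []                  # (command, calling source, target format)

    def load_key(self, name: str, key: bytes, source: str) -> None:
        self.keys[name] = key
        self.log.append(("LOAD_KEY", source, name))

    def translate(self, src_key: str, dst_key: str, enc_block: str, pan: str,
                  dst_format: str, source: str) -> str:
        """The legitimate PIN translation command that the attack abuses: decrypt
        under one key, rebuild the block in the requested format, re-encrypt."""
        pin = iso0_extract_pin(toy_cipher(self.keys[src_key], enc_block), pan)
        out = iso0_pin_block(pin, pan) if dst_format == "ISO0" else pan_free_pin_block(pin)
        self.log.append(("TRANSLATE", source, dst_format))
        return toy_cipher(self.keys[dst_key], out)


def pin_block_translation_attack(hsm: SimulatedHsm, captured, attacker_key: bytes,
                                 source: str = "batch-job"):
    """Criminal with logical access to the HSM: load a key of their own, build the
    10,000-entry table of PAN-free blocks under it, translate every captured ISO-0
    block into that format and look the result up. No key ever leaves the HSM."""
    hsm.load_key("ATTACKER", attacker_key, source)
    table = {toy_cipher(attacker_key, pan_free_pin_block("%04d" % p)): "%04d" % p
             for p in range(10000)}
    recovered = {}
    for pan, enc_block in captured:
        translated = hsm.translate("ZPK", "ATTACKER", enc_block, pan, "LEGACY", source)
        recovered[pan] = table.get(translated)
    return recovered


def suspicious_sources(hsm: SimulatedHsm, threshold: int = 100):
    """Log review from the best-practice list: flag any caller that issued more
    than `threshold` translations, and any translation into the legacy format."""
    counts = Counter(src for cmd, src, _fmt in hsm.log if cmd == "TRANSLATE")
    legacy = {src for cmd, src, fmt in hsm.log if cmd == "TRANSLATE" and fmt == "LEGACY"}
    return {src for src, n in counts.items() if n > threshold} | legacy


def demo():
    """Constructed traffic: three cards, two of them sharing a PIN."""
    zone_key = b"constructed zone key shared by acquirer and switch"
    cards = [("4000001234567899", "1234"), ("5100009876543210", "1234"),
             ("3700000000000002", "0042")]
    captured = [(pan, toy_cipher(zone_key, iso0_pin_block(pin, pan))) for pan, pin in cards]
    hsm = SimulatedHsm(zone_key)
    recovered = pin_block_translation_attack(hsm, captured, b"attacker chosen key")
    same_pin_same_block = captured[0][1] == captured[1][1]  # False: the PAN is mixed in
    return recovered, suspicious_sources(hsm, threshold=2), same_pin_same_block


if __name__ == "__main__":
    print(demo())
```

Running demo() recovers all three constructed PINs from the table and flags the batch job as the only caller; with the threshold raised above its translation count it is still flagged, on the legacy target format alone.&lt;br /&gt;&lt;br /&gt;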
Ship a POS PED to the gang overnight and they will return the DES keys within 72 hours for $250,000, or you get your money back.  &lt;br /&gt;&lt;br /&gt;They also presented some best practices to reduce the impact of a PIN encryption key compromise as well as some ways to minimize the impact if a debit encryption key is breached.&lt;br /&gt;• Replace any HSM’s that support the IBM/Diebold format, or upgrade the software so that it no longer supports the IBM/Diebold format.&lt;br /&gt;• Do not use Master Session keys, as a breach of one location’s keys will provide them access to encrypted PIN’s from all devices.&lt;br /&gt;• Review HSM logs and look for high volumes of unusual transactions like PIN translations.&lt;br /&gt;• Review access to the HSM and make sure that only authorized programs are able to send it commands.&lt;br /&gt;• Upgrade to TDES keys as they are much much more difficult to breach than single DES keys.&lt;br /&gt;• Make sure you terminals are securely mounted and terminals in storage and transit are properly protected so they cannot be sent to Russian criminal gangs to have their encryption keys removed.&lt;br /&gt;• As per current PCI requirements, a key should only be used for a single purpose.  This limits the impact of a breach if one key is compromised.  This is why the PCI PIN security requirements require encryption keys to be used for a single purpose only. (i.e. 
Debit PIN encryption, terminal authentication, end to end encryption, file signing, etc.)&lt;br /&gt;&lt;br /&gt;The webinar was presented by Chris Novak, Managing Principal, Forensics Americas and Matthijs van de Wel, Managing Principal, Forensics EMEA&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3354771926319415325-2251976127752814830?l=retailpayments.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://retailpayments.blogspot.com/feeds/2251976127752814830/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://retailpayments.blogspot.com/2009/07/verizon-business-reveals-details-of.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/2251976127752814830'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/2251976127752814830'/><link rel='alternate' type='text/html' href='http://retailpayments.blogspot.com/2009/07/verizon-business-reveals-details-of.html' title='Verizon Business reveals details of Encryption Key Compromises'/><author><name>JeffW</name><uri>http://www.blogger.com/profile/07664835499291761742</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_7AggRZ-dDao/Siz7ekszWTI/AAAAAAAAAAo/ntL6xrrW0sQ/S220/Jeff+Wakefield.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3354771926319415325.post-4811066944038148457</id><published>2009-07-19T08:34:00.000-07:00</published><updated>2009-07-19T09:16:05.293-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Encryption'/><category scheme='http://www.blogger.com/atom/ns#' term='E2E'/><category scheme='http://www.blogger.com/atom/ns#' 
term='PCI-DSS'/><category scheme='http://www.blogger.com/atom/ns#' term='Mercator'/><title type='text'>Mercator End to End Encryption Report</title><content type='html'>Mercator Advisory Group recently published “End to End Encryption: The Acquiring Side Responds to Data Loss and PCI Compliance.” The report was written by George Peabody, Principal Analyst for Mercator, and was published in June 2009.&lt;br /&gt;&lt;br /&gt;Among the findings in the report:&lt;br /&gt;&lt;br /&gt;• &lt;em&gt;“PCI, as it is defined today, while necessary, is not sufficient. More robust approaches are required. And that is where card number encryption enters the scene, as another method of removing high value card numbers from merchant, processor and acquirer systems.”&lt;/em&gt;&lt;br /&gt;• &lt;em&gt;“Encryption is about making secret data economically and computationally impractical to steal. Having done that, cyber criminals have no ability to profit from what data they do manage to steal after they’ve broken into the enterprise.”&lt;/em&gt;&lt;br /&gt;• Mercator projects that implementing a proper end-to-end encryption solution would reduce the scope of PCI DSS audits by 75% and annual compliance maintenance costs by 80%. In their analysis, that translates to between $262,500 and $1,750,000 in annual savings to a retailer.&lt;br /&gt;• George Peabody believes that retailers should be given an interchange break for implementing an end-to-end encryption solution. &lt;em&gt;“There is precedent for incentive interchange rates based on merchant deployment of fraud and risk controls. E2EE deployment by a merchant qualifies as a fraud and risk control. After all the PCI DSS expenditures made by merchants, under threat of a stick, a handful of basis points for good citizenship would let the Acquiring Team know that its efforts are appreciated. 
Since they have to play by the Issuing Team’s rules, it is deserved.”&lt;/em&gt;&lt;br /&gt;• &lt;em&gt;“The only way E2EE becomes systemic is if it becomes mandated for all merchants or an interchange incentive is given or E2EE saves enough money and pain to compel merchants.... and upstream through to issuers.”&lt;/em&gt;</content><link rel='replies' type='application/atom+xml' href='http://retailpayments.blogspot.com/feeds/4811066944038148457/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://retailpayments.blogspot.com/2009/07/mercator-end-to-end-encryption-report.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/4811066944038148457'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/4811066944038148457'/><link rel='alternate' type='text/html' href='http://retailpayments.blogspot.com/2009/07/mercator-end-to-end-encryption-report.html' title='Mercator End to End Encryption Report'/><author><name>JeffW</name><uri>http://www.blogger.com/profile/07664835499291761742</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_7AggRZ-dDao/Siz7ekszWTI/AAAAAAAAAAo/ntL6xrrW0sQ/S220/Jeff+Wakefield.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3354771926319415325.post-4259160989726723321</id><published>2009-07-19T07:31:00.000-07:00</published><updated>2009-07-19T07:48:41.823-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Remote Key Injection'/><category scheme='http://www.blogger.com/atom/ns#' 
term='RKI'/><category scheme='http://www.blogger.com/atom/ns#' term='TDES'/><category scheme='http://www.blogger.com/atom/ns#' term='MasterCard'/><title type='text'>MasterCard Clarifies Remote Key Injection Requirements</title><content type='html'>A month ago MasterCard issued a bulletin about how, and which, terminals can be upgraded to TDES keys for debit PIN encryption. The bulletin seemed to indicate that Remote Key Injection would not be allowed as a way to upgrade terminals to TDES keys.&lt;br /&gt;&lt;br /&gt;Here is an updated statement from MasterCard:&lt;br /&gt;&lt;br /&gt;&lt;em&gt;"Last month, MasterCard issued a Security Bulletin to provide guidance on how point-of-sale terminals could be upgraded from triple-DES capable to triple-DES compliant encryption. In the Security Bulletin, MasterCard provided guidance stating that the most secure option to upgrade the terminals is to follow PCI PIN Security Requirements and have the upgrade performed at a key injection facility. However, our customers and vendors can use Remote Key Injection services to upgrade the terminals if those services meet all aspects of the PCI PIN Security Requirements."&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;This has also been clarified with an additional statement from MasterCard as follows:&lt;br /&gt;&lt;br /&gt;&lt;em&gt;"MasterCard has strict rules relating to Pre-PCI terminals. In order to assist our Acquirers to meet the Visa Triple DES mandate, we confirmed via the security bulletin that Pre-PCI terminals, provided they were Triple DES capable (which all Pre-PCI terminals should be), could be upgraded to become Triple DES compliant.&lt;br /&gt;&lt;br /&gt;Now in order to achieve this, the upgrade must be undertaken as per the PCI PIN Security Requirements (this is our standard process; it has been around for years, nothing new or different). This has nothing to do with requiring the terminals to be PCI POS PED approved, as per the latest articles. 
With regard to remote key injection, as I have already mentioned, our preference is that vendors use a key injection facility. However, if you offer RKI, then provided you can confirm this will be undertaken as per the PIN Security Requirements, that is permitted.&lt;br /&gt;&lt;br /&gt;With regard to PCI approved terminals being upgraded, as these terminals are still approved, they can also be upgraded to TDES compliant, again provided it is carried out against the PCI PIN Security Requirements; but as this was already allowed and nothing changed, we did not include it in our original bulletin."&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;The net of all this is that Remote Key Injection can be used, but it must be a process that meets the PCI PIN Security Requirements. These are a comprehensive set of requirements for protecting the integrity of encryption keys.</content><link rel='replies' type='application/atom+xml' href='http://retailpayments.blogspot.com/feeds/4259160989726723321/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://retailpayments.blogspot.com/2009/07/mastercard-clarifies-remote-key.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/4259160989726723321'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/4259160989726723321'/><link rel='alternate' type='text/html' href='http://retailpayments.blogspot.com/2009/07/mastercard-clarifies-remote-key.html' title='MasterCard Clarifies Remote Key Injection 
Requirements'/><author><name>JeffW</name><uri>http://www.blogger.com/profile/07664835499291761742</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_7AggRZ-dDao/Siz7ekszWTI/AAAAAAAAAAo/ntL6xrrW0sQ/S220/Jeff+Wakefield.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3354771926319415325.post-6953247706276334211</id><published>2009-07-17T06:27:00.000-07:00</published><updated>2009-07-17T06:31:41.121-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='PCI PED'/><category scheme='http://www.blogger.com/atom/ns#' term='Visa PED'/><category scheme='http://www.blogger.com/atom/ns#' term='TDES'/><category scheme='http://www.blogger.com/atom/ns#' term='Visa'/><category scheme='http://www.blogger.com/atom/ns#' term='PA-DSS'/><category scheme='http://www.blogger.com/atom/ns#' term='PABP'/><category scheme='http://www.blogger.com/atom/ns#' term='7/1/10'/><title type='text'>VISA 7/1/10 Mandate Clarifications</title><content type='html'>There has been much confusion about the impact on a retailer who does not meet the Visa July 1, 2010 mandates for payment security.&lt;br /&gt;&lt;br /&gt;To review, there are three different mandates from Visa that must be met by US merchants by July 1, 2010. These are:&lt;br /&gt;&lt;br /&gt;· All non-certified payment terminals on which PIN debit transactions are conducted must be removed from service. 
This includes any terminal that is neither VISA PED nor PCI PED approved.&lt;br /&gt;&lt;br /&gt;· All debit card PINs must be encrypted in TDES from the payment terminal.&lt;br /&gt;&lt;br /&gt;· All applications that “store, process, or transmit cardholder information” must be PA-DSS or PABP compliant.&lt;br /&gt;&lt;br /&gt;So what is the impact of not conforming to one or more of those mandates?&lt;br /&gt;&lt;br /&gt;First, in all cases, if the retailer suffers a data breach and cardholder information is compromised, then all liability passes to the retailer if the breach was in part the result of the retailer not being compliant with these mandates. Various studies put the cost of a cardholder breach in the range of $125 to $225 per compromised record. (Not card records actually used fraudulently, but all cardholder records that were exposed by the breach.) The Ponemon Institute publishes an annual study of the cost of a data breach, which is available on their web site.&lt;br /&gt;&lt;br /&gt;The costs of a breach that a retailer would be subject to include the following:&lt;br /&gt;&lt;br /&gt;· Investigation costs incurred by the retailer itself, the card associations and the banks that issued the compromised cards.&lt;br /&gt;&lt;br /&gt;· The costs borne by the issuing banks to re-issue the compromised cards.&lt;br /&gt;&lt;br /&gt;· The actual costs of fraudulent purchases made on any of the compromised cards.&lt;br /&gt;&lt;br /&gt;· Fines from VISA, which would be assessed against the acquiring bank, which would pass them to the retailer’s processor, which would in turn pass them to the retailer.&lt;br /&gt;&lt;br /&gt;· In addition, the retailer would have their own legal, PR, IT, forensics and remediation costs, which of course they would also have to bear even if they were compliant at the time of the breach.&lt;br /&gt;&lt;br /&gt;What costs would a retailer face if they are non-compliant with the July 1st, 2010 mandates? 
These vary depending on which of the mandates the retailer is not compliant with.&lt;br /&gt;&lt;br /&gt;· Use of non-certified payment terminals after July 1, 2010 (This does not apply to fuel dispensers, which have different requirements.)&lt;br /&gt;&lt;br /&gt;&lt;em&gt;- While Visa has not issued a statement about the enforcement of this mandate, it is reasonable to expect that they will fine acquiring banks who have merchants using non-compliant terminals. This could start on July 1, 2010, or sometime after that date. VISA has not publicly published their enforcement plan for this mandate yet. It would be pure speculation to estimate the size of these fines.&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;· Use of Master Session or Single DES (DUKPT) after July 1, 2010&lt;br /&gt;&lt;em&gt;- Visa has already announced, in their April 2009 TDES update, that they will begin fining acquirers who have merchants using other than TDES on 8/1/12. It is safe to assume that in most cases those fines will be passed on to the merchants in non-conformance with the mandate.&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;· Use of non PA-DSS (or unexpired PABP) applications after July 1, 2010.&lt;br /&gt;&lt;em&gt;- Visa has confirmed verbally to me that they plan on fining acquirers as of July 1, 2010 if they have merchants that are not in compliance with this mandate. The amount of this fine is likely to be in the same range as the fines for PCI DSS non-conformance ($5,000 to $25,000 per month), although I expect a lower tier fine for Level 4 merchants. 
I would guess that these would be assessed monthly for as long as the merchant remains non-compliant.&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;In summary, there are two types of costs and fines a merchant could be subject to if they do not meet Visa’s July 1, 2010 mandates: first, fines for non-compliance with the mandates, some of which may be assessed starting on that date; and second, breach fines and other breach-related costs in the event of a breach that was in part based on the merchant’s non-compliance with these payment security mandates.</content><link rel='replies' type='application/atom+xml' href='http://retailpayments.blogspot.com/feeds/6953247706276334211/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://retailpayments.blogspot.com/2009/07/visa-7110-mandate-clarifications.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/6953247706276334211'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/6953247706276334211'/><link rel='alternate' type='text/html' href='http://retailpayments.blogspot.com/2009/07/visa-7110-mandate-clarifications.html' title='VISA 7/1/10 Mandate Clarifications'/><author><name>JeffW</name><uri>http://www.blogger.com/profile/07664835499291761742</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://4.bp.blogspot.com/_7AggRZ-dDao/Siz7ekszWTI/AAAAAAAAAAo/ntL6xrrW0sQ/S220/Jeff+Wakefield.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3354771926319415325.post-4077382803074059773</id><published>2009-07-17T06:24:00.000-07:00</published><updated>2009-07-17T06:25:04.220-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='SDP'/><category scheme='http://www.blogger.com/atom/ns#' term='MasterCard'/><category scheme='http://www.blogger.com/atom/ns#' term='PCI-DSS'/><title type='text'>MasterCard Revises Level II SDP Merchant Compliance</title><content type='html'>MasterCard has changed its requirements for Level II Merchant SDP Program Compliance. SDP, or Site Data Protection, is the MasterCard program for cardholder security and is similar to the VISA CISP Program. Currently Level 2 MasterCard merchants can complete a PCI DSS Self-Assessment Questionnaire and submit that to MasterCard as part of their SDP certification process. Level 2 Merchants are defined by MasterCard as merchants doing between 1M and 6M MasterCard transactions annually, or merchants whose transaction volume makes them a Level 2 merchant for another card brand. By December 31, 2010, all Level 2 MasterCard merchants must complete an onsite assessment conducted by a PCI SSC certified Qualified Security Assessor, and thereafter submit an annual onsite assessment conducted by a PCI SSC certified Qualified Security Assessor. 
These requirements are included on the MasterCard web site here: &lt;a href="http://www.mastercard.com/us/sdp/merchants/merchant_levels.html"&gt;http://www.mastercard.com/us/sdp/merchants/merchant_levels.html&lt;/a&gt;</content><link rel='replies' type='application/atom+xml' href='http://retailpayments.blogspot.com/feeds/4077382803074059773/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://retailpayments.blogspot.com/2009/07/mastercard-revises-level-ii-sdp.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/4077382803074059773'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/4077382803074059773'/><link rel='alternate' type='text/html' href='http://retailpayments.blogspot.com/2009/07/mastercard-revises-level-ii-sdp.html' title='MasterCard Revises Level II SDP Merchant Compliance'/><author><name>JeffW</name><uri>http://www.blogger.com/profile/07664835499291761742</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_7AggRZ-dDao/Siz7ekszWTI/AAAAAAAAAAo/ntL6xrrW0sQ/S220/Jeff+Wakefield.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3354771926319415325.post-4621700309528965760</id><published>2009-06-25T04:18:00.000-07:00</published><updated>2009-06-25T04:24:51.748-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Encryption'/><category scheme='http://www.blogger.com/atom/ns#' term='E2E'/><category scheme='http://www.blogger.com/atom/ns#' term='TJX'/><category scheme='http://www.blogger.com/atom/ns#' 
term='PCI-DSS'/><category scheme='http://www.blogger.com/atom/ns#' term='Chip and PIN'/><title type='text'>TJX Agrees to Security Pilot Programs and to push End to End Encryption</title><content type='html'>There were some interesting terms agreed to by TJX in the TJX/State Settlement. First, TJX agrees to participate in pilot programs for new payment security technology, such as chip and PIN, if asked to do so by MasterCard or Visa within 2 years of the date of the agreement. After two years, I guess they can say no.&lt;br /&gt;&lt;br /&gt;Second, they agreed to take steps within the next 180 days to encourage the development of end-to-end encryption, including seeking the cooperation of their acquiring bank.&lt;br /&gt;&lt;br /&gt;The text of these sections appears below. A copy of the entire agreement can be found at: &lt;a href="http://storefrontbacktalk.com/story/TJX%20Agreement.pdf"&gt;http://storefrontbacktalk.com/story/TJX%20Agreement.pdf&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The Attorneys General and TJX believe that the security of Cardholder Information collected in connection with retail transactions is an important priority. Protecting Cardholder Information is a dynamic challenge, because as security technologies available to retailers evolve, criminals attempt to develop more sophisticated ways of trying to circumvent such technologies. The Attorneys General and TJX therefore agree that possible improvements within the payment card system could aid the protection of consumers. To further that goal, TJX agrees as follows:&lt;br /&gt;&lt;br /&gt;A. Pilot Programs. TJX will notify Visa and MasterCard in the United States and its acquiring bank(s) in the United States, simultaneous with the execution of this Assurance, that TJX desires to participate in pilot programs for testing new security-related payment card technology, such as the chip-and-PIN technology that is used in many other countries. 
TJX will participate in such program(s), if invited to do so, within two (2) years following the Effective Date of this Assurance, provided that any new security-related payment card technology and the terms and conditions of such participation are considered in good faith by TJX to be feasible and reasonable.&lt;br /&gt;&lt;br /&gt;B. New Encryption Technologies. TJX will take steps over the one hundred eighty (180) days following the Effective Date of this Assurance, to encourage the development of new technologies within the Payment Card Industry to encrypt Cardholder Information during some or all of the bank authorization process with a goal of achieving "end-to-end" encryption of Cardholder Information (i.e., from PIN pad to acquiring bank). Such methods may include but are not limited to encouraging the development of new technologies and seeking the cooperation of TJX's acquiring bank(s) in the United States and other appropriate third parties. TJX will provide the Attorneys General, within one hundred eighty (180) days following the Effective Date, with a report specifying its progress in this effort.</content><link rel='replies' type='application/atom+xml' href='http://retailpayments.blogspot.com/feeds/4621700309528965760/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://retailpayments.blogspot.com/2009/06/tjx-agrees-to-security-pilot-programs.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/4621700309528965760'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/4621700309528965760'/><link rel='alternate' type='text/html' 
href='http://retailpayments.blogspot.com/2009/06/tjx-agrees-to-security-pilot-programs.html' title='TJX Agrees to Security Pilot Programs and to push End to End Encryption'/><author><name>JeffW</name><uri>http://www.blogger.com/profile/07664835499291761742</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_7AggRZ-dDao/Siz7ekszWTI/AAAAAAAAAAo/ntL6xrrW0sQ/S220/Jeff+Wakefield.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3354771926319415325.post-5469653167678944740</id><published>2009-06-24T06:45:00.000-07:00</published><updated>2009-06-25T04:25:56.111-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Nevada'/><category scheme='http://www.blogger.com/atom/ns#' term='Encryption'/><category scheme='http://www.blogger.com/atom/ns#' term='E2E'/><category scheme='http://www.blogger.com/atom/ns#' term='PCI-DSS'/><title type='text'>Nevada Data Encryption Law Has Wide Coverage</title><content type='html'>Nevada recently enacted a new Data Protection law, which replaced the previous law that was in effect for less than a year. The new law has some broad-reaching implications. 
The law applies to any business that has any transactions or employees located in the state, no matter where their headquarters are located, and requires those businesses that accept credit cards to “comply with the current version” of the PCI DSS.&lt;br /&gt;&lt;br /&gt;The text of the law is as follows:&lt;br /&gt;&lt;br /&gt;"If a data collector doing business in this State accepts a&lt;br /&gt;payment card in connection with a sale of goods or services, the&lt;br /&gt;data collector shall comply with the current version of the&lt;br /&gt;Payment Card Industry (PCI) Data Security Standard, as adopted&lt;br /&gt;by the PCI Security Standards Council or its successor&lt;br /&gt;organization, with respect to those transactions, not later than the&lt;br /&gt;date for compliance set forth in the Payment Card Industry (PCI)&lt;br /&gt;Data Security Standard or by the PCI Security Standards Council&lt;br /&gt;or its successor organization."&lt;br /&gt;&lt;br /&gt;While the law requires data encryption for personal information transmitted outside of the enterprise, it does not apply to data transmission over a secure, private communication channel for approval or processing of negotiable instruments, electronic fund transfers or similar payment methods.&lt;br /&gt;&lt;br /&gt;Data sent over public communication links needs to be encrypted in a secure, approved manner, as 
spelled out in the law.&lt;br /&gt;&lt;br /&gt;The previous version of the law defined personal information as unencrypted information consisting of an individual's last name and first name (or first initial), combined with his or her Social Security number, driver's license or identification card number, or financial account number plus password or access code.&lt;br /&gt;&lt;br /&gt;The law also states that if a business (a "data collector" in the law's terminology) is compliant with the law, then the business shall not be liable for damages unless gross misconduct is involved.&lt;br /&gt;&lt;br /&gt;The Nevada law is scheduled to go into effect January 1, 2010.&lt;br /&gt;The full text of the law can be found here: &lt;a href="https://www.leg.state.nv.us/75th2009/Bills/SB/SB227_EN.pdf"&gt;https://www.leg.state.nv.us/75th2009/Bills/SB/SB227_EN.pdf&lt;/a&gt;</content><link rel='replies' type='application/atom+xml' href='http://retailpayments.blogspot.com/feeds/5469653167678944740/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://retailpayments.blogspot.com/2009/06/nevada-data-encryption-law-has-wide.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/5469653167678944740'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/5469653167678944740'/><link rel='alternate' type='text/html' href='http://retailpayments.blogspot.com/2009/06/nevada-data-encryption-law-has-wide.html' title='Nevada Data Encryption Law Has Wide 
Coverage'/><author><name>JeffW</name><uri>http://www.blogger.com/profile/07664835499291761742</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_7AggRZ-dDao/Siz7ekszWTI/AAAAAAAAAAo/ntL6xrrW0sQ/S220/Jeff+Wakefield.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3354771926319415325.post-8524914868155772234</id><published>2009-06-19T07:52:00.000-07:00</published><updated>2009-06-19T07:53:25.616-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='SDP'/><category scheme='http://www.blogger.com/atom/ns#' term='MasterCard'/><category scheme='http://www.blogger.com/atom/ns#' term='PCI-DSS'/><title type='text'>MasterCard Revises Level II SDP Merchant Compliance</title><content type='html'>MasterCard has changed its requirements for Level II Merchant SDP Program Compliance. SDP, or Site Data Protection, is the MasterCard program for cardholder security and is similar to the VISA CISP Program. Currently Level 2 MasterCard merchants can complete a PCI DSS Self-Assessment Questionnaire and submit that to MasterCard as part of their SDP certification process. Level 2 Merchants are defined by MasterCard as merchants doing between 1M and 6M MasterCard transactions annually, or merchants whose transaction volume makes them a Level 2 merchant for another card brand. 
By December 31, 2010, all Level 2 MasterCard merchants must complete an onsite assessment conducted by a PCI SSC certified Qualified Security Assessor, and thereafter submit an annual onsite assessment conducted by a PCI SSC certified Qualified Security Assessor.&lt;br /&gt; These requirements are included on the MasterCard web site here: &lt;a href="http://www.mastercard.com/us/sdp/merchants/merchant_levels.html"&gt;http://www.mastercard.com/us/sdp/merchants/merchant_levels.html&lt;/a&gt;</content><link rel='replies' type='application/atom+xml' href='http://retailpayments.blogspot.com/feeds/8524914868155772234/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://retailpayments.blogspot.com/2009/06/mastercard-revises-level-ii-sdp.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/8524914868155772234'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/8524914868155772234'/><link rel='alternate' type='text/html' href='http://retailpayments.blogspot.com/2009/06/mastercard-revises-level-ii-sdp.html' title='MasterCard Revises Level II SDP Merchant Compliance'/><author><name>JeffW</name><uri>http://www.blogger.com/profile/07664835499291761742</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://4.bp.blogspot.com/_7AggRZ-dDao/Siz7ekszWTI/AAAAAAAAAAo/ntL6xrrW0sQ/S220/Jeff+Wakefield.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3354771926319415325.post-1453371896669687207</id><published>2009-06-18T11:30:00.000-07:00</published><updated>2009-06-19T14:28:01.145-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Breach'/><category scheme='http://www.blogger.com/atom/ns#' term='DUKPT'/><category scheme='http://www.blogger.com/atom/ns#' term='PIN'/><category scheme='http://www.blogger.com/atom/ns#' term='MasterCard'/><category scheme='http://www.blogger.com/atom/ns#' term='DOJ'/><title type='text'>DOJ warns of escalating criminal assault on the payment system</title><content type='html'>Kimberly Peretti, Senior Counsel, Computer Crime Division, Department of Justice, recently spoke at the MasterCard Global Risk Management Conference. Among the highlights of her presentation:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Criminals are now targeting HSMs. With this, they could easily decrypt PINs.&lt;/li&gt;&lt;li&gt;DUKPT has been breached. In one case, criminals stole the data in 2004, but it took them 2 years to crack DUKPT. They were aided by having the full Track 2 data, which includes the PIN Verification Value (PVV). Having done this once, they are more sophisticated now and should be able to crack encrypted PINs in less time if they try it again.&lt;/li&gt;&lt;li&gt;The group that is targeting processors is still targeting retailers.&lt;/li&gt;&lt;li&gt;There has been a huge explosion of breached retail and financial industry networks in the last three years. There are numerous examples of network breaches without card data compromise. 
It's like exploring for oil but not drilling until the price is right; criminals are doing the same thing.&lt;/li&gt;&lt;/ul&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3354771926319415325-1453371896669687207?l=retailpayments.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://retailpayments.blogspot.com/feeds/1453371896669687207/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://retailpayments.blogspot.com/2009/06/kimberly-peretti-senior-counsel.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/1453371896669687207'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/1453371896669687207'/><link rel='alternate' type='text/html' href='http://retailpayments.blogspot.com/2009/06/kimberly-peretti-senior-counsel.html' title='DOJ warns of escalating criminal assault on the payment system'/><author><name>JeffW</name><uri>http://www.blogger.com/profile/07664835499291761742</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_7AggRZ-dDao/Siz7ekszWTI/AAAAAAAAAAo/ntL6xrrW0sQ/S220/Jeff+Wakefield.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3354771926319415325.post-3343451286596584573</id><published>2009-06-18T11:13:00.000-07:00</published><updated>2009-06-18T11:27:52.785-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Breach'/><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='Malware'/><category scheme='http://www.blogger.com/atom/ns#' term='MasterCard'/><category scheme='http://www.blogger.com/atom/ns#' 
term='FBI'/><title type='text'>FBI Cyber Director warns industry of fraud risk</title><content type='html'>&lt;p&gt;Shaun Henry, Assistant Director, Cyber Division, FBI spoke recently at the MasterCard Global Risk Management Conference. Among the things I found either interesting or scary were:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Businesses don’t understand the cyber threat today. They can't feel it, touch it or imagine it, so it is hard to worry about it and prepare for it.&lt;/li&gt;&lt;li&gt;Criminals are breaching systems every day and waiting for the opportune time to steal the information. Their breaches leave little trace until a compromise occurs. They cover their tracks and wait to harvest cardholder information. Their presence is not removed after scanning, reloading computers, password changes, network reconfiguration, etc.&lt;/li&gt;&lt;li&gt;Some malware waits for specific vulnerabilities to appear before acting, for instance, when a patch is found that has not been applied. They go back to a breached system to see if the patch has been applied, and if not they exploit the vulnerability.&lt;/li&gt;&lt;li&gt;There are three types of groups that are attacking systems today.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;                 1. Individuals and Hacker Groups&lt;/p&gt;&lt;p&gt;                 2. Terrorist Organizations and Sympathizers&lt;/p&gt;&lt;p&gt;                 3. 
Advanced and Developing Cyber States&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Overall, criminal attacks are escalating&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;                1st – Steal data for themselves and convert to cash&lt;br /&gt;                2nd – Steal data and sell it to others for exploitation&lt;br /&gt;                3rd – Hijack your systems for extortion (T-Mobile?)&lt;br /&gt;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;You need to rethink everything, all your assumptions about data security.&lt;br /&gt;How do you know your downloads are safe? How do you know they have not already been infected? How do you know the Hallmark card an employee downloaded simply contained malicious software and not malware designed to steal cardholder data? 
Look for criminal entry and data exodus everywhere - not just where you might expect them.&lt;/li&gt;&lt;li&gt;Adversaries with the interest, ability and intent to get your information can and will breach your system.&lt;/li&gt;&lt;/ul&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3354771926319415325-3343451286596584573?l=retailpayments.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://retailpayments.blogspot.com/feeds/3343451286596584573/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://retailpayments.blogspot.com/2009/06/fbi-cyber-director-warns-industry-of.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/3343451286596584573'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/3343451286596584573'/><link rel='alternate' type='text/html' href='http://retailpayments.blogspot.com/2009/06/fbi-cyber-director-warns-industry-of.html' title='FBI Cyber Director warns industry of fraud risk'/><author><name>JeffW</name><uri>http://www.blogger.com/profile/07664835499291761742</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_7AggRZ-dDao/Siz7ekszWTI/AAAAAAAAAAo/ntL6xrrW0sQ/S220/Jeff+Wakefield.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3354771926319415325.post-5521548539382831310</id><published>2009-06-18T10:37:00.000-07:00</published><updated>2009-06-18T11:11:38.688-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Breach'/><category scheme='http://www.blogger.com/atom/ns#' term='Malware'/><category 
scheme='http://www.blogger.com/atom/ns#' term='MasterCard'/><title type='text'>Malware emerging as primary data breach weapon</title><content type='html'>Chris Novak from Verizon provided an update at the MasterCard Global Risk Management Conference in Miami two weeks ago.&lt;br /&gt;&lt;br /&gt;Malware is a rising method of attack, and in 25% of the malware attacks, the software was written specifically for the environment that was attacked.&lt;br /&gt;&lt;br /&gt;There are three emerging kinds of attack: RAM scrapers running in memory, packet sniffers capturing data in motion, and malware that resides in unallocated disk space and is hard to locate.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3354771926319415325-5521548539382831310?l=retailpayments.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://retailpayments.blogspot.com/feeds/5521548539382831310/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://retailpayments.blogspot.com/2009/06/malware-emerging-as-primary-data-breach.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/5521548539382831310'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/5521548539382831310'/><link rel='alternate' type='text/html' href='http://retailpayments.blogspot.com/2009/06/malware-emerging-as-primary-data-breach.html' title='Malware emerging as primary data breach 
weapon'/><author><name>JeffW</name><uri>http://www.blogger.com/profile/07664835499291761742</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_7AggRZ-dDao/Siz7ekszWTI/AAAAAAAAAAo/ntL6xrrW0sQ/S220/Jeff+Wakefield.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3354771926319415325.post-4793759473561279192</id><published>2009-06-18T10:26:00.000-07:00</published><updated>2009-06-19T14:30:44.609-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='E2E'/><category scheme='http://www.blogger.com/atom/ns#' term='MasterCard'/><title type='text'>MasterCard Global Risk Management Conference</title><content type='html'>I attended the recent MasterCard Global Risk Management Conference in Miami a couple of weeks ago. I will be entering some posts based on some of the things that were covered by the speakers.&lt;br /&gt;&lt;br /&gt;The opening speaker was Wendy Murdock, the Chief Franchise Officer for MasterCard. Some of her main and more interesting points:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;93% of the breached records from 2008 were from financial services firms&lt;/li&gt;&lt;li&gt;MasterCard processes 21B transactions a year from 24M acceptance points.&lt;/li&gt;&lt;li&gt;They estimate that cardholder data is stored in over 200,000 locations globally (Wow - lots of places to protect and lots of places for criminals to try to find an open window.)&lt;/li&gt;&lt;li&gt;She stated that if the industry cannot solve the problem, it will force the government to put in place "burdensome regulations."&lt;/li&gt;&lt;li&gt;Financial institutions need "proper incentives" to ensure compliance. 
(She did not share her thoughts on what they need to be.)&lt;/li&gt;&lt;li&gt;MasterCard needs better channels for sharing fraud information. (How about the SPVA and the PPISC?)&lt;/li&gt;&lt;li&gt;The industry must use all tools, whether PCI or targeted encryption solutions, to solve the problem. (How about end-to-end encryption!)&lt;/li&gt;&lt;/ul&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3354771926319415325-4793759473561279192?l=retailpayments.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://retailpayments.blogspot.com/feeds/4793759473561279192/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://retailpayments.blogspot.com/2009/06/mastercard-global-risk-management.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/4793759473561279192'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3354771926319415325/posts/default/4793759473561279192'/><link rel='alternate' type='text/html' href='http://retailpayments.blogspot.com/2009/06/mastercard-global-risk-management.html' title='MasterCard Global Risk Management Conference'/><author><name>JeffW</name><uri>http://www.blogger.com/profile/07664835499291761742</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://4.bp.blogspot.com/_7AggRZ-dDao/Siz7ekszWTI/AAAAAAAAAAo/ntL6xrrW0sQ/S220/Jeff+Wakefield.jpg'/></author><thr:total>0</thr:total></entry></feed>
