Thursday, January 29, 2009

HomeATM Meets PCI 2.0 Requirements

Witham Labs Provides A-OK, Certification Next Step
Above photo courtesy of HomeATM CEO, Ken Mages

I am pleased to report that since October 2008, HomeATM's personal card swiping device has undergone the scrutiny and rigors of PCI 2.0 testing at Witham Labs, and that as of today, 1/29, our SafeTPIN device has either met or exceeded the PCI 2.0 requirements "for a PIN Entry Device for online PINs".

Congratulations are in order for our CTO, Ben Lo, who works out of our Hong Kong location. Congrats to Ben and his team for their integral role in achieving this milestone!

When you combine this news with the fact that HomeATM already provides "end to end encryption" which is only a topic of discussion for other processors, it escalates HomeATM to the top of the security ranks in the payments industry.

* E2EE = Continuous protection of the confidentiality and integrity of transmitted information by encrypting it at the origin and decrypting it at its destination. For example, a virtual private network (VPN) uses end-to-end encryption. Another example: HomeATM uses end-to-end encryption.

Back to our PCI 2.0 story. Here's a sampling from the Witham Labs report:

Executive Summary

HomeATM of 1010 Sherbrooke West, Montreal, Quebec, Canada H3A 2R7, has designed and manufactured a PIN Entry Device named “SafeTPIN”. This PED has a magnetic stripe reader.

Witham Laboratories was asked to study the SafeTPIN and comment on its compliance with the PCI requirements for PEDs, v2.0. Under NDA, working units were provided for destructive analysis, along with wiring schematics and layouts, test data, loader application and firmware source code. We tested and evaluated the submitted samples of the device.

This report presents our findings for compliance to the PCI-PED requirements (v2.0), with detailed analysis of each requirement, overview of architecture and methods and cost estimates of possible attacks.

Witham Laboratories was able to verify the compliance of the SafeTPIN with all applicable PCI requirements v2.0 for PIN entry devices.

This report details the results of the evaluation, and is suitable for submission to PCI.

“The PED uses tamper detection and response mechanisms which cause the PED to become immediately inoperable and results in the automatic and immediate erasure of any secret information which may be stored in the PED. These mechanisms protect against physical penetration of the device by means of (but not limited to) drills, lasers, chemical solvents, opening covers, splitting the casing (seams) and using ventilation openings and there is not any demonstrable way to disable or defeat the mechanisms.”


Is Google Checking Out Australia?

Is Google Going Down...Under? The Herald Sun says it very well may be, mate.

How do you want to pay? Google? | Herald Sun
GOOGLE Australia is considering a plan to take on payments giants such as Visa, Mastercard and B-Pay in the booming online payments market. The move comes as the search giant secured a financial services license from local regulators.

The Australian Securities and Investments Commission recently issued Google Australia with an authority to provide deposit and payments services to local merchants and shoppers.  While the licence does not permit Google to provide cash-based payments services to Australian clients, it will enable the group to facilitate digital or online transactions.

Web-based commerce is a hotly contested and lucrative market for payments providers and has spawned a raft of new players including eBay subsidiary PayPal.

The ASIC licence potentially opens a fresh revenue stream for Google which will be able to collect processing and transaction fees for bringing shoppers and merchants together via its websites.

Google Australia spokesman Rob Schilken confirmed that the company was working on options to roll out an internet payments platform in Australia.

"It's a matter of doing the due diligence and the homework so that if we're in a position to launch we can do it," he said. "But no decision has been taken."

Through PayPal, eBay has stolen a march on Google in the Australian online payments arena.

Market research published earlier this month by Nielsen Online found that 7.3 million Australians shop over the internet.


Malware = $1 Trillion Problem

Malware Increased by 400% in '08

DAVOS, Switzerland (Reuters) - Businesses risk losing over $1 trillion from loss or theft of data and other cybercrime, according to a study released on Thursday by security technology firm McAfee Inc.

The California-based company launched the survey after detecting a rapid acceleration of malicious software, or "malware," last year, CEO David DeWalt told Reuters. Malware increased by 400 percent in 2008, he said.

"This was a very insidious type of malware that was designed either to steal your data, steal your identity, steal your money, and in many cases the scale as well as the sophistication was very alarming," DeWalt said in an interview at the meeting of the World Economic Forum in Davos, Switzerland.

Editor's Note: In the wake of the Massive Heart(land) Attack some industry leaders are calling for end-to-end encryption (E2EE). HomeATM already incorporates E2EE and is awaiting PCI 2.0 certification for their personal swiping device with PIN Pad.

The survey of 800 companies in 8 countries showed that 80 percent of malware aimed to make a financial gain, in contrast to traditional viruses and worms which just had nuisance value.

In the survey, 42 percent of companies said that laid-off employees were the single biggest threat to their data security.

The increase in the availability and power of removable storage, such as mobile phones, laptops, and USB sticks, has made data loss or theft easier. And global supply chains mean that sensitive data is often stored abroad.

DeWalt said the survey showed that the average company has $12 million of data stored outside its home country -- often in countries with little intellectual property law.

Data lost accidentally or through theft can be expensive to replace or damaging to a company's reputation or brand.

In April last year, discount retailer TJX said it would pay up to $24 million as part of a settlement with MasterCard over a security breach that put credit card data for tens of millions of shoppers at risk.

The British government has been repeatedly embarrassed by losses of data, such as when the tax authority, HM Revenue and Customs, lost data on 25 million people exposing them to the risk of identity theft and fraud.

(Reporting by Jonathan Lynn; editing by Simon Jessop)
