Friday, May 1, 2009

3DES, DUKPT and E2EE Explained

I received a couple questions via email and wanted to take the time to provide a "coupla" of answers.  If you have any questions about anything I've blogged about over the past year, feel free to shoot me one. I've got my email below:

Here's the first question:

Q:  Is Triple DES a better encryption standard than DUKPT?  (Derived Unique Key Per Transaction)?

A:I've used the terms Triple DES and DUKPT quite a bit in recent posts. To clarify, let's just start by saying that DUKPT does not really compete with Triple DES.  Let's go over them one by one.

The DES stands for Data Encryption Standard, a block cipher that was selected as an official Federal Information Processing Standard (FIPS)for the United States in 1976.

Triple DES, sometimes shortened further as 3DES, increases the difficulty of cracking the encryption byapplying three rounds of action: an encryption, a decryption and an encryption, each with independent keys.

3DES has become popular for encrypting financial transactions because it is potentially far more secure than DES, which has been shown to yield its secrets somewhat quickly to relatively cheap hardware.

Both DES and 3DESuse a symmetric key. In other words, the same key enciphers and deciphers the protected data.  To keep the key secret, a secure key-management system is required.

Worldwide, POS devices handle billions of transactions per day.  If the keys to even a small portion of that traffic was discovered, we'd have a tremendously huge problem.  Which is my segway to DUKPT.

One way to prevent fraud is to use a different key for "each transaction," (Derived Unique Key Per Transaction)   HomeATM's secure devices (and thus your transactions) are "Protected by DUKPT" and each one is initialized with a master key.   The master key is from which the unique keys are derived, one for each"per" transaction.

The benefit of DUKPT is that even if an attacker discovered the key toa particular transaction, none of the other transactions from the same device would be able to be decrypted with that key.

That  said, a potential attack point (from a fraudster) would be the master key stored in the encrypting device. However, because HomeATM uses DUKPT, our device is built so that tampering with the device wipes this master key out.
These derived keys are used to encrypt transaction data with a symmetric cipher such as 3DES. HomeATM also takes it one step further and encrypts the Track 2 data as well.  If you ever have any questions regarding financial transaction security or how HomeATM provides true end-to-end-encrypted transactions, feel free to email me

Before I get to the next question, I've got one for you. 

When you "type" your card number into a "box" on a merchant website, is it protected by DUKPT?  Is it encrypted?  If so, DES or 3DES?  First one to send me the correct answer gets a Free HomeATM PED!

Q: What is TRUE end-to-end encryption?  (E2EE)

A: First of all, "true"end-to-end encryption can only occur with a PIN based transaction.  It doesn't exist outside of that scope because there is a point in the process where the cardholder data is decrypted and before it is re-encrypted is that is the point where it is vulnerable. 

With that said, Heartland's proposal for end-to-end encryption has promulgated E2EE into a hot topic.

I would point out that Heartland's E2EE proposal came "AFTER" their breach...while HomeATM instituted their end-to-end encryption from "the very beginning."  I'm not bragging.  I'm proudly displaying our insight into the weaknesses inherent in the payments system and  how we improved upon said weaknesses.

But let's get back to Heartland, shall we?  In this post I will attempt to explain why they CANNOT magically snap their fingers and introduce E2EE on their own.  They need cooperation from others in the industry.

While it's true that some large U.S. retailers encrypt cardholder data while in transit,  it's also true that most don't. order for E2EE to work, a lot of retailers would need to revamp their system(s).  Very costly indeed.

In addition, the top full-service U.S. payment processors also don't currently support E2EE;  thus, retailers that encrypt card data in transit typically must decrypt it before they send it to their processor. 

The key word here is decrypt.  That is the weak point, the vulnerability,  and as such, also the problem. 

That said, PIN Debit is an entirely different animal.  Card brand standards require that PINs are encrypted end-to-end.   In fact, speaking about Heartland's quest for E2EE, Distinguished Gartner Analyst Avivah Litan stated: 
End-to-end encryption would be most effective if data was encrypted from the time a card was swiped at a POS until it reached the card issuer, similar to the way personal identification numbers (PINs) currently are encrypted according to card brand standards.
Starting to get the point?  If not here's some more insight as Ms. Litan went on to state:
"Heartland is limited by the scope of systems it manages and from which it accepts datait can only seek to influence the card industry to carry end-to-end encryption beyond the processor stage, through the card networks and onto the card issuers."The proposal's success also depends on merchants' willingness to invest in terminal upgrades that support card data encryption."

(Editor's Note: For instance...HomeATM's PCI 2.0 Certified SafeTPIN PED which also encrypts the Track 2 data.)  Avivah continues:

"If Heartland implements its proposed project more securely than it has managed in the past with its network, it will make payment card processing more secure for merchants, especially if they don't manage the encryption keys and leave key management to their processor. 
Nevertheless, the process will always include vulnerabilities at the point where data is encrypted and decrypted

"These vulnerabilities can be limited by using "sound key management practices" and enforcing extra security measures, such as "requiring two separately managed sets of keys for cryptographic operation
Can you provide an example of a "sound key management practice?  That's why HomeATM is the closest thing to TRUE end-to-end encryption in the industry.  (our industry being eCommerce payments and Real Time Money Transfer.) 

In the bricks and mortar world, end-to-end encryption doesn't exist and the whole system would need to be revamped.  You can learn more about that in this related post where Avivah Litan asks:

Reblog this post [with Zemanta]

Debit Surpasses Credit for the1st Time in Visa History (Volume & Transactions)

The total dollar volume of purchases made with Visa debit cards at the end of 2008 was larger than the amount spent on credit card purchases -- the first time debit purchases surpassed credit. Visa's 2008 fourth-quarter debit card transactions made up more than 50 percent of Visa's volume.

"The reality is that the vast majority of consumers want to pay as they go," said Stacey Pinkerd in a press release. Pinkerd oversees Visa's debit-card business.

Visa's growth in its debit card segment far exceeded analyst's predictions. (Editor's Note:  Not the analyst I know.  See Debit is King, Replaces Cash on Throne  So that I'm on the record for future developments when they occur:

  • PIN Debit will increase it's margin on signature debit,
  • eCommerce will "eventually" overtake Brick and Mortar
  • Hackers will continue to outsmart and their attacks will continue to breach software applications, until we finally realize that:
  • Hardware is the only tried and true method to conduct secure online transactions, (and a 2FA 3DES E2EE PCI 2.0 PED that encrypts Track 2 data and utilizes DUKPT does it best).
  • Analysts will realize and start writing that Software PIN Debit is not really True PIN Debit especially when:
  • Online Merchants Start Demanding Card Present and TRUE PIN Debit Interchange Rates which they cannot derive from a software based POS solution.
  • True PIN Debit will become ubiquitous on the web by 2014.
There, I'm on the record.  I'm already on the record stating that HomeATM engineered, designed and manufactured the FIRST and ONLY PCI 2.0 Certified PIN Entry Device specifically designed for eCommerce, right?   

MasterCard also witnessed a major shift toward debit cards, reporting its debit card transactions rose 13 percent last year while credit card purchases dropped more than 2 percent.

Payment cards have long been the preferred purchase method for American consumers, with credit and debit card purchases for retail goods and services outmatching cash and check payments since 2003. Debit cards have slowly approached the levels of credit card use in the 21st century, according to a release by the Nilson Report.

The switch in payment cards is reflected in debt levels and types of accounts nationwide, with the U.S. government reporting in March that personal saving rates rose to 5 percent in January, the highest in 14 years. Meanwhile, revolving debt from credit cards plummeted more than 9 percent, said the Federal Reserve.

However, the Nilson Report projected debit cards will also eventually be reined in, with the buildup in both credit and debit spending slowing to single digits after five consecutive years of double-digit growth.

Reblog this post [with Zemanta]

FIS Reports Strong Earnings Growth

FIS Reports Strong Earnings Growth | PIN Payments News Blog

Adjusted EPS of $0.31, up 19.2%/Adjusted EBITDA margin of 22.7%, up 100 basis points

Free cash flow increases to $119 million

JACKSONVILLE, Fla., May 1st, 2009 PIN Payments News Blog -- Fidelity National Information Services, Inc. (NYSE: FIS), a leading global provider of technology services to financial institutions, today reported financial results for the quarter ended March 31, 2009.

Consolidated revenue of $797.8 million declined 3.9% in U.S. dollars and increased 0.3% in constant currency compared to $830.3 million in the first quarter of 2008. Non-GAAP adjusted net earnings increased 19.2% to $0.31 per share in U.S. dollars, compared to $0.26 in the prior year, and increased 23.1% in constant currency. The increase is attributable to improved operating performance, lower interest expense and a lower share count, partially offset by a slightly higher tax rate. GAAP net earnings from continuing operations attributable to common stockholders totaled $34.3 million, or $0.18 per share compared to $0.06 per share in the prior period. Free cash flow (cash from operations less capital expenditures) was $119.2 million compared with $4.9 million in the prior year quarter.

"FIS's strong first quarter performance in the midst of ongoing economic uncertainty reflects the continued solid execution of our business plan and the strength of our operating model," stated William P. Foley, II, executive chairman of FIS.

"We are very pleased with the strong growth in earnings, profit margins and free cash flow," stated Lee A. Kennedy, president and chief executive officer. "Despite very difficult market conditions, our disciplined focus on improving efficiency and managing costs drove a 100 basis point improvement in our EBITDA margin, and contributed to the 19.2% increase in earnings per share. Although we expect challenging market conditions to persist throughout 2009, we remain confident in our ability to achieve solid earnings growth and strong free cash flow."

Supplemental Information

Consolidated revenue in the first quarter of 2009 was $797.8 million, compared with $830.3 in the prior year quarter, a decrease of 3.9% in U.S. dollars. Excluding a $34.9 million unfavorable impact of foreign currency resulting from a strengthening of the U.S. dollar, consolidated revenue increased 0.3% driven by strong growth in International.

  • Financial Solutions revenue declined 3.2% to $271.3 million compared to $280.4 million in the prior period, as increased demand for risk management and commercial outsourcing services was offset by lower software license and professional services revenue;
  • Payment Solutions revenue declined 2.3% to $364.7 million compared to $373.3 million in the 2008 quarter, due primarily to a $9.7 million decline in the company's retail check guarantee business. Excluding Check Services' revenue from both periods, Payment Solutions revenue increased 0.4%;
  • International revenue declined 8.3% to $162.3 million in U.S. dollars, compared to $176.9 million in the prior year quarter.
  • International revenue increased 11.5% in constant currency, driven by 16.3% growth in payments and 4.5% growth in financial solutions.
  • Adjusted EBITDA increased 0.7% to $181.2 million in the first quarter of 2009 compared to $180.0 million in the 2008 quarter. The adjusted EBITDA margin improved 100 basis points to 22.7% compared to 21.7% in the prior-year quarter, driven by increased operating leverage and ongoing expense management.
  • Financial Solutions EBITDA declined 2.9% to $102.0 million, due primarily to a decline in high margin software sales. The 37.6% margin was comparable to the prior period;
  • Payment Solutions EBITDA increased 11.5% to $95.2 million, and the margin increased 320 basis points to 26.1%. The improvement is attributable to increased operating efficiency;
  • International EBITDA decreased 8.6% to $23.4 million due to a $5.2 million unfavorable currency impact. The International margin of 14.4% was comparable to prior year.
The effective tax rate in the first quarter of 2009 was 34.5% compared to 33.1% in the first quarter of 2008.

Balance Sheet

FIS had $272.0 million in cash and cash equivalents at March 31, 2009. The company repaid $54.0 million of debt during the first quarter, reducing total debt outstanding to $2.46 billion, of which $2.1 billion has been swapped to fixed interest rates. The effective interest rate was 5.2% as of March 31, 2009.

Continuing an intensive focus on capital spending, capital expenditures totaled $45.3 million in the quarter, which is a 42% reduction from the $78.3 million spent in the prior year.

Acquisition Update

On April 1, 2009, FIS announced plans to acquire Metavante Technologies, Inc. (NYSE: MV). The transaction is subject to approval by FIS and Metavante shareholders, receipt of regulatory approvals and the satisfaction of customary closing conditions. Subject to receiving the required approvals, FIS expects to complete the transaction in the third quarter of 2009.

2009 Outlook

FIS reaffirmed its full year outlook for adjusted net earnings of $1.60 to $1.66 per share. This guidance does not reflect the proposed acquisition of Metavante. FIS will update its fiscal 2009 guidance to include Metavante's results following the completion of the transaction.

Use of Non-GAAP Financial Information

Generally Accepted Accounting Principles (GAAP) is the term used to refer to the standard framework of guidelines for financial accounting. GAAP includes the standards, conventions, and rules accountants follow in recording and summarizing transactions, and in the preparation of financial statements. In addition to reporting financial results in accordance with GAAP, the company has provided non-GAAP financial measures which it believes are useful to help investors better understand its financial performance, competitive position and prospects for the future. These non-GAAP measures include earnings before interest, taxes and amortization (EBITDA), adjusted net earnings, and free cash flow. Adjusted EBITDA excludes the impact of merger and acquisition and integration expenses, LPS spin-off related costs, certain stock compensation charges and certain other costs. Adjusted net earnings exclude the after-tax impact of merger and acquisition and integration expenses, LPS spin-off related costs, certain stock compensation charges, acquisition related amortization and certain other costs. Any non-GAAP measures should be considered in context with the GAAP financial presentation and should not be considered in isolation or as a substitute for GAAP net earnings. Further, FIS's non-GAAP measures may be calculated differently from similarly-titled measures of other companies. A reconciliation of these non-GAAP measures to related GAAP measures is included in the press release attachments.

Conference Call and Webcast

FIS will host a call with investors and analysts to discuss first quarter 2009 results on Wednesday, April 29, 2009, beginning at 8:30 a.m. Eastern daylight time. To register for the live event and to access a supplemental slide presentation, go to the Investor Relations section at and click on "Events and Multimedia." A webcast replay will be available on FIS' Investor Relations website, and a telephone replay will be available through May 13, 2009, by dialing 800-475-6701 (USA) or 320-365-3844 (International). The access code will be 996633. To access a PDF version of this release and accompanying financial tables, go to

About Fidelity National Information Services, Inc.

Fidelity National Information Services, Inc. (NYSE: FIS), a member of the S&P 500 Index, is a leading provider of core processing for financial institutions; card issuer and transaction processing services; and outsourcing services to financial institutions and retailers. FIS has processing and technology relationships with 40 of the top 50 global banks, including nine of the top 10 and was ranked the number one banking technology provider in the world by American Banker and the research firm Financial Insights in the 2008 FinTech 100 rankings. Headquartered in Jacksonville, Fla., FIS maintains a strong global presence, serving more than 14,000 financial institutions in more than 90 countries worldwide. For more information on Fidelity National Information Services, please visit

Reblog this post [with Zemanta]

Debit Card Skimming Scams

Debit-card 'skimming' scams

Three steps to take to protect your account data from getting into the wrong hands

Debit Card Theft
Whetherby choice or necessity, American consumers are increasingly relying ondebit rather than credit cards. Debit purchases for 2008 are expectedto have increased by 13 percent, to a total $1.2 trillion. Thatcompares with a rise of only 3 percent, to $1.9 trillion, for creditcards over the same period, according to the Nilson Report, anewsletter that tracks the consumer payment industry.
Whenyou use a debit card, the money is immediately taken from your checkingaccount. While using debit guarantees you that pay as you go, thesecards have downsides, including a growing appeal to thieves. "Aseconomic conditions have worsened, there's been a noticeable increasein all types of card fraud," says Avivah Litan, an analyst specializingin fraud detection and prevention at Gartner Research in Stamford,Conn. "But ATM and debit-card fraud is the top area of concern we'rehearing about from banks all over the world."

Unlikecredit-card thieves, who usually charge merchandise and then resell itto come up with money, people who create counterfeit ATM or debit cardsby stealing your PIN and other account data can simply pull cold cashfrom your bank account. Using a technique known as skimming, they setup equipment that captures magnetic stripe and keypad information whenyou input your PIN at ATM machines, gas pumps, restaurants, orretailers.

Here's how you can protect yourself:

Don't type in your PIN at the pump (or into a web browser!)

Beespecially vigilant at gas stations, Litan says. "Gas pumps arenotorious for skimming because they're produced by only a couple ofdifferent manufacturers, and if someone gets the key to one from adisgruntled employee, they can insert a skimming device inside the pumpwhere it can't be seen," she says. She recommends using a credit cardrather than a debit card when you fill your tank.
Ifyou must use a debit card at the gas pump, choose the screen promptthat identifies it as a credit card so that you do not have to type inyour PIN. The purchase amount will still be deducted from your bankaccount, but it will be processed through a credit-card network, whichwill give you greater protection from liability if fraud does occur.This is because card issuers typically have "zero liability" policiesfor both debit and credit cards, but sometimes exclude PIN-basedtransactions from that protection.

Editor's Note:  As the PIN Payments News Blog reported last January, (Triple DES for GASVisa has mandated that all new gasdispensing machines must support Triple DES effective January 1st.  Forexisting machines, Triple DES must be implemented into pay at the pumpstations by July,  2010.  So, if your gas station has NEW gas dispensing machines, your good to go...otherwise heed this advice until 7/10!

Visa'snew requirement calls on gas retailers to ensure that all new pumpscapable of processing debit card purchases are equipped with anencrypting PIN pad, or EPP, that supports 3DES

Continue Reading at Consumer Reports
Reblog this post [with Zemanta]

New Standard for Encrypting Card Data in the Works - HomeATM Already Done

Banking / Finance News
Source: ComputerWorld
Complete item:

The same organization that led the development of security standards for payment-card magnetic stripe data and PIN-based transactions will soon begin work on a new specification for encrypting cardholder data while it is in transit between systems during the transaction process.

And among the companies in the forefront of the effort is Heartland Payment Systems Inc., the Princeton, N.J.-based payment processing firm that announced in January what some analysts think could end up being the largest data breach involving credit-card information thus far.The Accredited Standards Committee X9, which is accredited by the American National Standards Institute, is set to launch an initiative formally known as the Sensitive Card Data Protection Between Device and Acquiring System program. ASC X9 develops and maintains numerous standards for the financial services industry in the U.S., and participants said this week that the goal of the new effort is to develop a data encryption standard to protect information from the moment a card is swiped at a payment register to the end of the transaction chain at a so-called acquiring bank.

The need for such "end-to-end" protection has become increasingly apparent within the payment card industry in the wake of the continuing breaches at companies such as Heartland and RBS WorldPay Inc., another payment processor that disclosed a system intrusion last December.

But while proprietary tools are available from a few vendors for achieving that type of protection, there currently is no standard approach
, said Sid Sidner, director of security engineering at ACI Worldwide Inc., a vendor of payment processing software in New York.

And yes, HomeATM's proprietary approach to securing online transactions is way ahead of the game.  Not only do we provide end-to-end protection, but we also encrypt the Track 2 data, which is what they are talking about here.  Furthermore, we utilize DUKPT key-management to provide an enhanced layer of security for PIN entry, something that CANNOT be done with a software based approach to PIN Entry, and are the "first and only" company to engineer, develop and manufacturer a PCI 2.0 Certified PIN Entry Device specifically designed for eCommerce use.  So is HomeATM ahead of the game?  We're the only end-(to-end) game in town!  Let me provide more information on DUKPT key managment (from Wikipedia)

In cryptography, Derived Unique Key Per Transaction (DUKPT) is a key management scheme in which for every transaction, a unique key is used which is derived from a fixed key. Therefore, if a derived key is compromised, future and past transaction data are still protected since the next or prior keys cannot be determined easily. DUKPT is specified in ANSI X9.24 part 1.

DUKPT allows the processing of the encryption to be moved away from the devices that hold the shared secret. The encryption is done with a derived key, which is not re-used after the transaction. DUKPT is used to encrypt electronic commerce transactions. While it can be used to protect information between two companies or banks, it is typically used to encrypt PIN information acquired by Point-Of-Sale (POS) devices.

DUKPT is not itself an encryption standard; rather it is a key management technique. The features of the DUKPT scheme are:

  • enable both originating and receiving parties to be in agreement as to the key being used for a given transaction,
  • each transaction will have a distinct key from all other transactions, except by coincidence,
  • if a present key is compromised, past and future keys (and thus the transactional data encrypted under them) remain uncompromised,
  • each device generates a different key sequence,
  • originators and receivers of encrypted messages do not have to perform an interactive key-agreement protocol beforehand.

Continuing on with the story:

As a result, ACI, which is a member of the ASC X9 group, wrote up a "work request" in February suggesting the development of a standard. According to Sidner, the effort will focus on the formatting of "cryptographic payloads" to carry sensitive data over transaction networks. The goal, he said, is to create something akin to the level of standardization that exists now for protecting PIN data. Although numerous messaging formats are used to transport cardholder data over a transaction network, the cryptographic blobs that protect the PIN data itself in each message looks exactly the same.

A similar encryption standard would require few or even no tweaks to the existing payment systems infrastructure, claimed Sidner, who is chairing the working group set up to carry out the project. As part of the standards effort, ASC X9 may also look at the viability of using the same security-key management mechanism that is currently used for PIN security, he said.


Reblog this post [with Zemanta]

Hacker Targets Twitter

By Steve Evans - CBR security

Twitter, the phenomenally popular micro-blogging site, faces more question about its security procedures after a French hacker claimed he accessed the account of a Twitter employee with administrative rights.

The hacker claimed that this enabled him to access Twitter accounts belonging to US president Barack Obama and singers Britney Spears and Lily Allen. He posted screenshots taken during the break-in on a hacker forum.

The screenshots appeared to show email addresses, mobile phone numbers and information about other Twitter accounts that had been blocked by the user.

This is the latest security setback for Twitter, which has seen huge growth during 2009. Over the Easter weekend the site was hit by a malware attack that resulted in Twitter identifying and deleting almost 10,000 tweets that could have continued to spread the worm.

Graham Cluley, senior technology consultant at security firm Sophos, said: “This is just the latest in a string of security issues at Twitter in recent months, and the website is surely in danger of losing the confidence of its users who will be rattled by yet another breach.

“Just like with the recent Twitter worm outbreaks, this is not so much a case of Twitter raising awareness amongst its many users about sensible online security, but learning a few lessons itself. Careless security by the micro-blogging site could potentially put millions of Twitter users at risk.”

Recent research from Sophos revealed that two thirds of businesses think social networking is a security risk, as IT admins believe that employees share too much personal information via their social networking profiles.

Reblog this post [with Zemanta]

Facebook Targeted with Another Phishing Attack

Facebook beefs up security with MarkMonitor - Security : News   By Steve Evans

Social networking site hit by another phishing attack

Facebook has expanded its use of MarkMonitor’s AntiFraud Solutions to cover malware attacks, after it was revealed on Wednesday that users of the social networking site were the victims of another phishing scam.

Facebook’s users were sent an email claiming to be from the site, but redirected users to where they were asked to enter their username and password. Their details were then stolen by the fake website.

Facebook was already using MarkMonitor’s technology to protect users from potential phishing attacks but has now extended that to cover malware as well.

Facebook has often found itself the target of malware attacks due to its strong brand name and number of users. The impact of malware on a user’s PC can range from deleting important files to capturing personal information such as usernames, passwords and other login information that can be used for identity theft.

Continue Reading at CBR
I do believe we're starting to see a "trend" here.  What's Next?  Is Twitter going to be targeted by a Hacker?  If so, I would say that social networking sites protect their user's data, or, who knows...they could wind up in jail.  (see previous post)

Reblog this post [with Zemanta]

Social Networking is a Security Risk - 2/3rd's of Businesses Say!!

Two thirds of businesses say social networking is security risk - Security : News
Security firm Sophos said its latest research into social networking found that 63% of system administrators worry that employees share too much personal information via their social networking profiles, putting their corporate infrastructure – and the sensitive data stored on it – at risk

The findings also indicate that a quarter of businesses have been the victim of spam, phishing or malware attacks via sites like Twitter, Facebook, LinkedIn and MySpace.

With social networking now part of many computer users' daily routine – from finding out what friends are up to, to viewing photos or simply updating their online status – Sophos experts note that unprecedented amounts of information is updated every minute.

Frequent use of social networking sites makes them a prime target for cybercriminals intent on stealing identities, spreading malware or bombarding users with spam, Sophos said.

So I guess what they are also saying is that applications such as TwitPay need to be enhanced.  I think we can help Amazon with that. 

Keep in mind, just because Sophos is warning about the security risks of social networking sites doesn't mean they are going to be targeted by Hackers or utilized for phishing attacks. 

Does it?  We'll see.  Stay tuned.  I've got some insider information that both incidents will be covered by the PIN Payments Blog within the next hour and a half!  Click the "Follow Me on Twitter" graphic above right to stay up to date.

Until then, you may read the above article in it's entirety here

Survey Says! Jail for CEO's of Breached Companies

Data breach CEOs should face jail: survey - Security : News

A new survey of security executives has revealed that they believe CEOs and board members should face imprisonment for exposing consumers’ confidential data.

The survey, carried out on behalf of Websense at this year’s e-Crime Congress, found that 30% of the 104 respondents believe jail time is a suitable punishment for security breaches that result in the loss of confidential data.

Negligent security procedures should also result in a fine for the guilty company, 62% of respondents believed.

Compensation for consumers whose data had been compromised was favoured by 68% of respondents.

The tables are turning.  If security executives feel that strongly about the crime, then it's time for CEO's to start seriously looking at protecting cardholder data. 

Here's my "hard cell" ... CEO's now have a choice! 

1 PCI 2.0 Approved PED with 3DES End to End Encryption with DUKPT (pronounced DUCK PUT) key management or...
2.  Get PUT away and throw away the key?  (no key management)

I do know that 10 out of 10 people surveyed would rather have HomeATM Monitoring than go to Jail.

Read the Entire Article

Reblog this post [with Zemanta]

France Delays SEPA Direct Debit Launch for a Year

Newsflash from  01/05/2009 15:19:00

French banks have pushed back the date for implementation of the Sepa Direct Debit scheme by a year to November 2010, setting the stage for a confrontation with the European Central Bank and the European Commission.

More on this story:

FreeMason Job: Chip-and-PIN On Trial

'Phantom' withdrawal case concludes in U.K. court

A Halifax bank defends chip-and-PIN, while the plaintiff argues his cash card could have been cloned
By Jeremy Kirk , IDG News Service , 04/30/2009

A one-day trial that raises questions about the security of cash cards used in the U.K. and Europe concluded Thursday, with a decision expected in about a month.

Alain Job sued U.K. bank Halifax in March 2007 over eight withdrawals made from his account in February 2006. Job maintains he did not withdraw a cumulative £2,100 ($3,100). He also maintains he did not authorize anyone else to withdraw the money.

Job decided to sue after the Financial Ombudsman Service (FOS), which mediates disputes between banks and customers, sided with Halifax.

Job is the first person to sue a U.K. bank over a phantom withdrawal and believes one possibility is that his card was cloned. Halifax maintains that it was his exact card that was used to perform the withdrawals and that either Jobs is knowingly trying to defraud the banks or was grossly negligent in handling his card and PIN (personal identification number).

Job admitted at one point during testimony to putting his cash card in his garden outside one night for some inexplicable reason, according to Alistair Kelman, an attorney who watched the proceedings in Nottingham County Court.

Stephen Mason, an attorney who specializes in the collection of digital evidence and has written about case law involving disputed cash-machine transactions is representing
Job is "pro bono" i.e. "he's doing Job for Free"

Continue Reading at NetworkWorld

Reblog this post [with Zemanta]

Visa, American Express Dropped from Lawsuit

AmEx, Visa Gift Card Claims Construction Upheld

On April 17th I blogged about a lawsuit filed by Actus (a Texas hold'em, make that "holding" company against Visa, MasterCard, AMEX, Green Dot, First Data etc.  It seems this was done a couple years ago by a company called EPC, or Every Penny Counts over some gift card patents they held.  Yesterday an Appeals court upheld a lower courts ruling that EPC is SOL. 

Thecourt ruled Thursday that the U.S. District Court for the MiddleDistrict of Florida had correctly construed the key term of the patentsheld by Every Penny Counts Inc.   It sounds like the court was a little annoyed at EPC:

Here's the pages argument for affirmation:

"EPC has surprisingly little to say about what it alleges is substantively wrong with the district court’s construction, or why its proposed construction would be better on the merits. Instead, it attempts to assign error to the district court’s construction on a number of procedural grounds. Principally, it argues that the court erred by (1) spending a portion of the claim construction hearing considering the meaning of the phrase “sales price,” which was not a disputed claim term; and (2) using the accused products to tailor a construction of the patent claims that would make it impossible for EPC to prove infringement. Neither of these arguments has merit.

EPC’s first argument is that the district court erred by spending a portion of the claim construction hearing considering the meaning of the phrase “sales price,” which was not a disputed claim term. This argument is somewhat puzzling, since it was EPC’s own proposed construction that raised questions concerning the meaning of “sales price.” EPC proposed to construe “excess cash” as “an amount . . . offered in excess of the sale price of merchandise” (emphasis added). It admitted, however, that the parties disagree about what constitutes a “sale.”  According to the defendants, a sale occurs when cash changes hands at the cash register. According to EPC, by contrast, to call a transaction a sale is to imply that the merchant would treat the cash the consumer tenders as income on its accounting statements. EPC also insists—without offering any evidence—that when a consumer purchases a gift card, a merchant would not consider this to be a sale.

In the light of this acknowledged disagreement over the meaning of “sales price,” the fact that EPC would both propose to define its patent claims in terms of this phrase and then fault the court for attempting to clarify the phrase’s meaning is at best ironic and at worst disingenuous.

Again, the court’s obligation is to ensure that questions of the scope of the patent claims are not left to the jury. In order to fulfill this obligation, the court must see to it that disputes concerning the scope of the patent claims are fully resolved. In the present case, to evaluate EPC’s proposal concerning the scope of its claims, the court first had to understand this proposal. If the court had adopted EPC’s proposed construction without first assigning a fixed meaning to this construction, then it would quite clearly have failed to assign “a fixed, unambiguous, legally operative meaning to the claim.” Thus, there was nothing improper about the fact that the court interpreted EPC’s (quite slippery) proposed construction.

As Michele de Montaigne has said, there are times when “[w]e need to interpret interpretations more than to interpret things.” Jacques Derrida, Structure, Sign and Play in the Discourse of the Human Sciences, in Writing and Difference 278 (Alan Bass, trans. 1980) (quoting Montaigne).

Equally without merit is EPC’s argument that the district court erred by “tailoring its claim construction to fit the dimensions of the accused product.” A court may not use the accused products for the sole purpose of arriving at a construction of the claim terms that would make it impossible for the plaintiff to prove infringement. But that is not what the court did here. To the contrary, the court quite properly invited the parties’ views of what they thought “excess cash” meant in the context of a series of hypothetical transactions, some of which involved the accused products. For example, the court described a situation in which a consumer tenders $50 for a grocery store gift card with a face value of $50, and then asked the parties to identify whether there was any “excess cash” in that transaction, and if so, what portion of the amount tendered constitutes the “excess.” In other words, the court considered the accused products only to elicit the parties’ views about what the claim term means in the context of a concrete transaction involving these products.

EPC’s suggestion that this was improper is way wide of the mark. See id. at 1326-27 (“While a trial court should certainly not prejudge the ultimate infringement analysis by construing claims with an aim to include or exclude an accused product or process, knowledge of that product or process provides meaningful context for the first step of the infringement analysis, claim construction.”); Aero Prods. Int’l, Inc. v. Intex Recreation Corp., 466 F.3d 1000, 1012 n.6 (Fed. Cir. 2006) (“Although the court revealed an awareness of the accused device, the court’s awareness of the accused device is permissible.”).

In short, the district court correctly construed the claim terms in EPC’s patents. EPC’s attempts to assign error to the process by which the court arrived at its construction cannot succeed.
The district court appropriately construed the key term in EPC’s patent claims. We therefore affirm. The defendants may recover their costs accrued in this court.

Click here to read the court document

Reblog this post [with Zemanta]

Disqus for ePayment News