Wednesday, May 27, 2009

Barney Frank Easily Gaining Co-Sponsors

It is not taking Representative Barney Frank long to convince fellow lawmakers that the current laws regarding Internet gambling in the US are outdated. Late last week four new co-sponsors signed on to support the Internet Gambling Regulation, Consumer Protection, and Enforcement Act.

With the four new co-sponsors, the Bill now has twenty-three co-sponsors to date. All four of the new sponsors are Democrats, three from New York, and one from California.

Of course, California may actually beat Frank to the punch when it comes to legalized online gambling. State lawmakers are discussing a plan that would make online poker legal in California. It is a plan that has tremendous support among the citizens of California.


Continue Reading at New Online Casino's dot Org




13 Hottest Fraud Schemes You Can Prevent

http://www.bankinfosecurity.com/articles.php?art_id=1490


The fraud fight is getting nastier by the minute, say experts familiar with the new schemes - and some old ones with new wrinkles -- being perpetrated by criminals against financial institutions and their customers. Here are 13 of the most prevalent ruses.


#1 - Credit Bust-Out Schemes


#2 - Customer Loan Account Takeover


#3 - Corporate Account Takeovers

#4 - Cross-Channel Call Center/Online CD Purchase Scam

#5 -- Wire Fraud Account Grooming

#6 -- In-Session Phishing

"A somewhat recent tactic being perpetrated by fraud rings -- "in-session phishing" -- has emerged as one of the chief threats to the breach of secured online assets. These attacks utilize vulnerabilities in the JavaScript engine found in most of the leading browsers, including Internet Explorer, Firefox and even Google's Chrome, notes Eisen.

How it happens: Utilizing a host website that has been injected with malware acting as a parasite, this parasite monitors for visitors with open online banking sessions or similar protected asset sites (such as brokerage or retirement planning sites).

Using the JavaScript vulnerability, the parasite can identify from which bank the victim has a session currently open by searching for specific sites pre-programmed in the malware itself. "There are no limits to the volumes of URLs a website hosting the parasite can test from the victim's machine. The malware asks: 'is my victim logged onto this XYZ bank website' and their browser replies either yes or no," Eisen says.

Once any site from the list is confirmed to be "in session," a pop-up claiming to be from the bank issues a warning. Most warnings appear as time-out messages stating "For security purposes your banking session has been terminated. To continue your session please re-enter your username and password here (supplied link by fraudster)."

Once an unknowing victim complies, clicks the link and enters his/her credentials, the damage has been done and the attack was successful and the game is over - right?

In most cases it would be devastating for a victim after their credentials had been breached; expecting the fraud rings to quickly begin selling off this information or pillaging through the victim's account. Since many financial institutions rely on cookies or tags to discern one device entering user credentials from another, and then count on fairly common (and easily answered by crooks) out-of-wallet questions to validate a new device attempting access, this would be true.

However, simply by utilizing a robust device ID technology - which creates the equivalent of a device fingerprint for every machine attempting to log on to a bank's site, coupled with historical negative lists of known bad devices, "financial institutions could render credential breaches using in-session or any other type of phishing attack useless to the fraudster," Eisen says.

The power lies in knowing what a suspicious or fraudulent attempt looks like upon log-in. "If you know a legitimate customer most always uses a device configured for local New York time and the language for this device is English, you would not provide unchallenged access to this account from a machine showing to come from China and having a default language set to Mandarin," Eisen says.

Further strengthening against future attacks, placing the device fingerprints gleaned from all known previous fraudulent attempts into a negative list effectively blocks the devices with a history of fraud from ever gaining access to another user account."
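The defence Eisen describes, as an added example that is not part of the article or of any vendor's product: a bank-side check that compares the fingerprint of the device presenting the credentials with the profile built from the account's past successful logins, and with a negative list of fingerprints seen in earlier fraud. Stolen credentials entered from an unfamiliar device in a different time zone and language get a challenge instead of unchallenged access, and a device already tied to fraud is blocked outright. The attributes, sample fingerprints and thresholds are constructed for the example.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class DeviceFingerprint:
    """Attributes a bank can collect from the browser at login (constructed set)."""
    user_agent: str
    timezone: str     # e.g. "America/New_York"
    language: str     # browser default language, e.g. "en-US"
    screen: str       # e.g. "1280x800"
    ip_country: str   # country the connecting IP address resolves to

    def digest(self) -> str:
        """Stable identifier for the device; this is what a negative list stores.
        The IP country is left out because a legitimate device travels."""
        raw = "|".join((self.user_agent, self.timezone, self.language, self.screen))
        return hashlib.sha256(raw.encode("utf-8")).hexdigest()


def assess_login(attempt, history, negative_list):
    """Classify a login attempt as 'allow', 'challenge' or 'block'.

    attempt:       fingerprint of the device presenting the credentials
    history:       fingerprints from this account's past successful logins
    negative_list: digests of devices seen in confirmed fraud on any account
    Returns (decision, reasons).
    """
    if attempt.digest() in negative_list:
        return "block", ["device fingerprint is on the negative list"]
    if not history:
        return "challenge", ["no device history for this account"]
    if any(attempt.digest() == known.digest() for known in history):
        return "allow", ["known device for this account"]

    reasons = ["unrecognised device"]
    for attr in ("timezone", "language", "ip_country"):
        usual = {getattr(known, attr) for known in history}
        value = getattr(attempt, attr)
        if value not in usual:
            reasons.append(f"{attr}={value!r} never seen on this account (usual: {sorted(usual)})")
    # A new device that matches the customer's usual profile (a replaced laptop,
    # say) is low risk; any profile mismatch gets step-up authentication.
    decision = "challenge" if len(reasons) > 1 else "allow"
    return decision, reasons


def record_fraud(attempt, negative_list):
    """After a confirmed fraudulent attempt, remember the device so it cannot be
    reused against another customer's account."""
    negative_list.add(attempt.digest())


# Constructed sample data for the example.
ALICE_HISTORY = [
    DeviceFingerprint("Firefox/3.0", "America/New_York", "en-US", "1280x800", "US"),
]
ALICE_NEW_LAPTOP = DeviceFingerprint("Firefox/3.5", "America/New_York", "en-US", "1440x900", "US")
FOREIGN_DEVICE = DeviceFingerprint("MSIE 7.0", "Asia/Shanghai", "zh-CN", "1024x768", "CN")

if __name__ == "__main__":
    fraud_devices = set()
    for fp in (ALICE_HISTORY[0], ALICE_NEW_LAPTOP, FOREIGN_DEVICE):
        print(assess_login(fp, ALICE_HISTORY, fraud_devices))
    record_fraud(FOREIGN_DEVICE, fraud_devices)
    print(assess_login(FOREIGN_DEVICE, [], fraud_devices))
```

The negative list keys on the device digest rather than on the IP address, so the same machine is recognised across accounts and connections, which is the property that makes a phished password alone insufficient.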


#7 -- ATM Network Compromises

#8 -- Precision Malware Strikes

#9 -- PIN-Based Attacks

For the past 10 years, Verizon Business has tracked metrics and statistics from IT investigative cases, including incident response, computer forensic and litigation support, across the globe.

Verizon Business' just-issued 2009 Data Breach Investigation Report shows more electronic records were breached in 2008 than the previous four years combined, fueled by a targeting of the financial services industry and a strong involvement of organized crime, says Bryan Sartin, director of forensics and investigative response at Verizon Business.

Driving this explosion in compromised records are more sophisticated attacks, specifically targeting the financial sector. In fact, 2008 saw three of the world's largest known data compromises on record.

With many large individual compromises over the past two years, the value of payment card, check, and other forms of consumer data on the information black market is on rapid decline, says Sartin.

"Just two years ago, magnetic-stripe sequences sufficient for counterfeit were priced at an average of $14 per record, while today that cost has dropped to as little as 20 cents," he says. "Cybercrime, it seems, chases the almighty dollar."

Last year showed a sharp increase in attacks against counterfeit sequences plus the corresponding cardholder PIN value, leading to the direct theft of consumer assets, Sartin notes. "The lead indicators of these types of crimes were not based on the conventional analysis of signature-based counterfeit fraud patterns to find common valid transaction points within legitimate spending histories. Instead, bank customers were suddenly reporting zero balances in checking and savings accounts, alleging fraudulent ATM withdrawals." As more and more similar complaints surfaced, it became easier to pinpoint the likely source of compromise, whether it be a bank, data processor, or payment gateway, Sartin says.

Verizon Business tracked at least three different techniques during 2008. Until recently, many PIN-based attacks were known to be possible, but no credible evidence of them being used in real-world incidents had ever surfaced. That has since changed as attacks against PIN information are on the rise, setting the stage for more sophisticated forms of identity fraud.

#10 -- Account Manipulation

#11 -- Fraud Pattern Changes


#12 -- Foreclosure Prevention Schemes

#13 -- Builder Bail-Out Fraud



International Credit Card Fraud Ring Dismantled in NYC

Banking / Finance News
Source: Queens District Attorney's Office
Complete item: http://www.queensda.org/newpressreleases/2009/may/operation%20plastic%20pipeline_05_2009_ind.pdf

Queens District Attorney Richard A. Brown, joined by Police Commissioner Raymond W. Kelly, today announced that an international forged credit card and identity theft ring based in the New York metropolitan area and with roots in Nigeria has been successfully dismantled following the indictment this week of forty-five individuals.

The ring - which was comprised of three separate identity theft and forged credit card groups that employed multiple cells - is alleged to have been responsible for stealing the credit cards and personal credit information of thousands of American and Canadian consumers, costing these individuals, as well as financial institutions and retail businesses, more than $12 million in losses over the past year alone.

District Attorney Brown said, "Our investigation reveals that - in terms of just the sheer number of people indicted - this is one of the largest identity theft networks uncovered in recent history and is just possibly the tip of a much larger global credit card trafficking operation.

Besides draining the bank accounts of individuals throughout North America, we believe that the defendants - some of whom live in California, Illinois, Maryland, Pennsylvania and Toronto - also shipped stolen or fraudulently obtained credit cards to buyers around the world and that purchases were made in such far-off places as Japan, Saudi Arabia and Dubai. Particularly disturbing is that we have no way of knowing if any of these accounts have fallen into the hands of terrorists and are being used to finance their terrorist activities or to undermine the efforts of homeland security and other law enforcement officials intent on keeping our borders and citizens safe.

Such a serious threat to public safety cannot go unchallenged. We will continue to work closely with our law enforcement colleagues to stamp out such fraud and help to maintain our nation's safety and security."

ATM Skimming Is Reaching Epidemic Proportions

ATM Skimming on the Rise

Source: The Frederick News-Post Online - Frederick County Maryland Daily Newspaper
ATM card skimming on the rise
Originally published May 27, 2009 By Ike Wilson | News-Post Staff
It's called "skimming," and ATM users worldwide are losing millions. The ATM Industry Association describes skimming as one of the industry's most recurrent fraud threats.  The practice hit Frederick in April, when the PNC Bank automated teller machine at 191 Thomas Johnson Drive was rigged with a skimming device, Frederick police said.

The hardware recorded card numbers of customers using the ATM. Police think a video recording device was placed near the ATM to capture personal identification numbers entered into the machine.  PNC Bank spokesman Fred Solomon said bank policies prohibit him from speaking about security or theft matters, including details about how many were affected by skimming at the Thomas Johnson Drive branch.  Customers with unidentifiable transactions on their statements should contact their local branches, Solomon said.

Just over 4,500 of the 11,360 ATM crimes recorded by the ATM Industry Association Global Cognito crime data management system for 2005 through 2008 involve skimming, according to association CEO Mike Lee.

"It's probably the most widespread crime type we face," Lee said.  The association defines skimming as the unauthorized capture of magnetic strip information by modifying the hardware or software of a payment device, or through the use of a separate card reader.  Skimming is often accompanied by the capture of customer PIN data.

Skimming is one of the financial industry's fastest-growing crimes, according to the U.S. Secret Service, which investigates bank fraud.

The ATM Industry Association has reported more than $1 billion annually in global losses from credit card fraud and electronic crime associated with ATMs.  Last week, the ATM Industry Association launched an international Anti Skimming Forum to counteract the growing trend.  Skimming is a problem that will continue to increase until technology brings it under control, Lee said.  "The technology exists today to help defeat the problem," he said.

According to Bankrate.com, ATM skimming devices come in two types: ones that interfere with the ATM's operation and ones that don't. The skimmers that interfere with the ATM's operation are easier to detect: the customer inserts or swipes the card into the skimmer's reader rather than the ATM's, so the ATM never starts a transaction and the customer gets no money.

In other skimming cases, the thieves don't interfere with the normal operation of the ATM. The skimmer is placed over the card reader but doesn't block off the reader, and the customer gets money when making a withdrawal.  Credit and debit card abuse may also happen at cash registers during purchases.  Pay a restaurant tab with a credit card and you have no idea what the waiter might be doing with the card when it's out of your sight, according to Bankrate.com.

The mission of the ATM industry's new forum is to measure the global impact of skimming through the pooling and analysis of data. It is also to write best practices for preventing and reducing skimming. This will include a global skimming classification system. Industry officials also want to increase sentences for skimming convictions to create a stronger deterrent. Lee thinks more can be done in terms of educating customers to protect their PINs by covering the hand used to key in the PIN at an ATM so someone cannot learn the code. This simple measure alone would significantly reduce the success rate of skimming attacks, he said.



Mobile Phone Location Technology to Cut Into Card Fraud?

Source: Network World
Complete item: http://www.networkworld.com/news/2009/052609-mobile-phone-location-technology-fights.html

Description:
Ericsson is courting major banks with a security service the company thinks could cut down on credit card fraud as well as eliminate an inconvenience for travelers using cards overseas.

Banks are increasingly blocking credit card transactions in certain high-risk countries due to increasing levels of fraud. A business traveler who lives in the U.K. but goes to Russia can likely have a transaction rejected if the person hasn't informed the credit card company of their travel plans. It's embarrassing and inconvenient.

Ericsson's IPX Country Lookup service uses a person's mobile phone to provide a confirmation that a person is actually in the country where the transaction is carried out, said Peter Garside, U.K. and Ireland regional manager for Ericsson's IPX products.

For the service to work, Ericsson's technology must be installed on a mobile operator's network. Once installed, Ericsson will pay the operator a "small fee" every time a bank wants to verify a certain transaction by one of their customer's mobile phones, Garside said. Ericsson will then put a margin on the lookup fee and charge that to banks, he said. The lookup fee hasn't been set yet.

Garside said that Ericsson has figured out how to extract the location information from operators worldwide. The technology only identifies what country a person is in and not where they exactly are in that country. It only works for GSM networks.

To allay privacy concerns, Ericsson is recommending that the banks should get consumers' consent prior to using the transaction verification service. Once a person's approximate location has been passed onto the banks, that data will not be held any longer, Garside said.

The service will work even if someone's phone is off, as long as they've turned the phone on at least once since arriving in the new country. Mobile phones register with the local operator when turned on in a different country, so Ericsson will be able to query the last known location.

The service comes out of Ericsson's IPX product line, which enables third parties to bill for ring tones or other content via mobile networks.

Garside said operators won't incur any costs to integrate the service into their networks and can make money from the location information they hold. "The operators are sitting on some valuable assets," Garside said.


E-Secure-IT
https://www.e-secure-it.com



Heartland's New Strategy - Segment Data into Jigsaw Pieces

Below is an interview with Evan Schuman, the Editor at StorefrontBacktalk.com, regarding Heartland's new strategy, which is basically to segment the data into a jillion pieces to make it harder for hackers to grab the data.  Read the original article by Evan Schuman at StorefrontBacktalk.com


Consumerist - Credit Card Processors Launch A New Strategy To Defeat Theft - heartland

This fall, credit card processors will begin rolling out a new approach to preventing data theft, based on the assumption that it's impossible to thwart every attack. Instead of keeping 100% of criminals out, they'll segment and encrypt the data into such small chunks that it will no longer be a cost-effective crime.

We spoke with Evan Schuman, the editor and publisher of the blog StorefrontBacktalk.com, which broke the story earlier this month. Schuman has spoken directly with representatives of Heartland—which announced its own massive data breach a few months ago—and says they'll roll out this new approach around October of this year, and that other processors are working on similar solutions. It involves new point-of-sale hardware that can encrypt each day's batch of credit card numbers separately, then shuttle each daily pack off to Heartland's data centers for archiving.

It's a better approach than what we currently have. For one thing, retailers will no longer have any reason to store credit card numbers. But it's not an ideal solution and there are some definite costs, as Schuman points out below. In fact, there's a much better end-to-end encryption solution that we could already be using but aren't simply because it's not as profitable for card companies like Visa and Mastercard.

Consumerist:
So what is it that Heartland is proposing?

Evan Schuman, StorefrontBacktalk.com:
"Historically security has always been based on, 'You build a really good deadbolt, you keep the bad guys out. And if they come in you set it up so that you'll learn about it quickly and engage in pursuit.' What they're saying here is, you know as a practical matter, let's be a little smart about this. First of all we really can't keep the bad guys out. Trying to do that is futile. Might as well let 'em in, and let them steal a certain amount of data, and let them go. A, they're going to anyway, and B., if you do it that way, you make sure they don't get enough data that they can profitably sell. If you do that, they're not going to steal it, or at least not very often, because they're not going to make money that way.

"So it's really about segregating data, so instead of having 50 GB of data here, you've got in a thousand different locations small quantities of data. They may get through that. Fine. They're not going to make any money off of that, and it's not cost-effective to break in at 50 different locations. It's like instead of having a million dollars in your house, you've got 5 dollars in 200,000 houses. They'll have to break in that many times, and each time there's a risk of getting caught. It's not worth it.

"Right when we broke the story, [we found out that] two other major processors, including one that's larger than Heartland, were working on essentially the same thing, with their own proprietary angle."

"Proprietary" sounds expensive.

"What it means is that there are a variety of proprietary efforts out there. Today, it's pretty easy for a retailer, if you don't like your processor, you go to another one. It's really not that big a deal to switch. But with this, now they're going to have all this hardware that only works with processor 3, and now it's much more difficult for [retailers] to shift, particularly when multiple processors are doing it. So it's going to be a whole lock-in time for retailers where they're going to have to stay if they let this happen."

A commenter on your story points out that this will separate retailers from their own data.

"I checked with our people at Heartland and they said, 'Well, yeah, that's kind of true.' When a retailer uses their own credit card—for instance, when Sears uses a Sears credit card—they're going to have to pay a processor to unencrypt their own data. In other words, you'll be paying someone else to give you access to your own data. And if you start following through the logic of that, there are a lot of issues."

Heartland calls this an end-to-end solution, but you and your readers have pointed out that this isn't really true.

"This is not end-to-end, this is not even close to end-to-end. End-to-end really refers to, you take a credit card off the factory line, when they print the credit card, before the consumer gets it, before anyone can steal it, on the factory floor it's encrypted. And it stays encrypted all the way through to the processor and even beyond to the card brand. Now that's end-to-end encryption. You can steal it at any point—the consumer never has it unencrypted in their hand. Neither does the retailer, you completely bypass them.

"What these guys [Heartland] are doing is kind of, 'Well, a little bit to the right of middle, to the middle of middle'—which just doesn't have as much of a marketing tone."

So why isn't the end-to-end approach being pursued? Is it too technologically difficult?

"No, it's not difficult at all. First of all, in Heartland's defense, and any of the processors' defense, it's beyond their power to do it. They don't have the ability to do that, they don't own the card.

It would have to be at the Mastercard or Visa level...

"Exactly. And Visa, among others, doesn't want to do this because they would have to pay for the technology to unencrypt at their end. They would rather have it unencrypted. They insist that you send it in the clear, unencrypted, across a proprietary network. That's the way they've done it for decades.

"The card brands, they don't want to pay for end-to-end encryption, they have not supported it. They say, 'Oh, we'll consider it, we'll talk about it,' but they don't want to do that. They can see that's the best way to go, but they don't feel like doing it, and no one in Congress is forcing them to do it. Even the latest credit card overhaul, they didn't even come close to security issues. It was all about interest rates. No one is forcing them to do anything in terms of security, so why should they. So the processors are saying, 'Well, we're doing what we can here.'

"This doesn't solve the problem, it won't even materially reduce the problem, but it's a definite improvement in security. It's safer, it's better than what exists today. It won't resolve everything, but it's better than today."

So, how likely is it that Heartland's approach will happen?

"As far as Heartland is concerned, this is definite, they're going to have it out by October.

"Now, retailers who are Heartland's customers have got to buy it. As far as I can tell, no one has bought this yet, so in theory if no one ever does... It's sort of like a car company that puts out a car. Is the car definite? Yes, it's going to roll off the assembly line and be in showrooms, assuming there are showrooms any more, but if no one buys it it won't be out there for long.

"So this will definitely be introduced by Heartland. Whether anyone buys it has yet to be seen. I'm guessing some will. Heartland can deeply discount it to the point where it will be easy for them to do. But the cost is not really in the cost of the hardware, although if it's a large chain, that can add up quickly. The cost is in making the change and then making it much more difficult for yourself to move later if you feel like it."

We're reporting on this on Consumerist because it reveals a little of the world of credit card processing and data security—the part of the retail chain that we never see, but that affects us at the register and after we leave the store. Schuman points out that whether the new data segmentation approach takes off or not, things won't change for the consumer experience—it's all pretty invisible from our side of the register.

What it could affect, however, is the cost of transactions for the retailer, and consequently it could impact prices at the register. Whether that's worth it to implement a better security approach remains to be seen.

If you're interested in how retailers approach the issue of data security, you should check out StorefrontBacktalk.com.


Security Experts Sound Alarm Over Insider Threats

Security Experts Raise Alarm Over Insider Threats
Economic troubles raising the stakes on potential threats, FIRST members say

May 26, 2009 | 06:18 PM
By Tim Wilson |DarkReading

Security researchers and other experts are turning up the heat on insider threats, warning enterprises that the problem is growing and could prove devastating for many enterprises.

In preparation for its meeting in Japan next month, the Forum of Incident Response and Security Teams (FIRST) issued a press release in which its senior officers urge organizations to step up their efforts to protect themselves from insider attacks, saying that many are "ill-prepared for an onslaught which could prove calamitous."

"One of the greatest security threats of our times is from insiders, as organizations lay off tens of thousands of workers," said Scott McIntyre, a FIRST steering committee member and representative of the Netherlands-based KPN Computer Emergency Response Team (CERT). "People know the axe is coming, and the longer employers prolong the swing of that axe, the more danger they expose themselves to, either from sabotage or data theft. An employee who thinks he or she is [going to be laid off] can start fouling up systems which are critical to the organization, or decide to take an unauthorized pay-off by stealing a mass of data."

Continue Dark Reading



Aite Group Releases New Report on Mobile Transactions Landscape

A New Report From Aite Group

By understanding the various initiatives around the globe, and what failed and what succeeded, financial institutions and other players can better tailor their own solutions.

BOSTON — A new report from Aite Group LLC examines mobile transaction initiatives that are currently happening around the globe. The report, based on quantitative and qualitative research of 69 mobile transaction initiatives internationally, explores the current range of services in development and the underlying technologies powering each initiative.

Following an initial wave of mobile transaction initiatives at the turn of the century, developers are again active in bringing mobile transaction services to market. The technological evolution of the mobile device and mobile networks, coupled with increased end-user savvy, has led to an increase in mobile transaction initiatives over the past five years. By understanding the various initiatives around the globe and what failed and what succeeded, financial institutions and other players can better tailor their own solutions.

"Card networks, financial institutions, mobile operators and industry associations can separate hype from reality by not focusing on mobile transaction initiatives that are purely vendor-driven," says Nick Holland, senior analyst with Aite Group and author of this report. "One of the most critical questions that any stakeholder can ask of a 'new' mobile transaction initiative is this: 'Who has done this already and what was the outcome?' Invariably, any mobile transaction initiative will already have been done elsewhere. To state that it has not means that due diligence has not been performed adequately."

This 41-page Impact Report contains 32 figures. Clients of Aite Group's Retail Banking service can download the report.


Fed Should Have Larger Role in ePayments: Hoenig

Feds should have larger role in e-payments: Hoenig

FRANKFURT - The US Federal Reserve should play a bigger part in the development of electronic retail payment systems, a top Fed official said on Monday.

'In light of the trend toward greater industry concentration and the existence of important payments system externalities, the Federal Reserve should play a larger and more active role in electronic retail payments,' Thomas Hoenig, president of the Kansas City Fed, said in the text of a speech to be given at a European Central Bank conference in Frankfurt.

Mr Hoenig also said that it was unlikely more competition in the payment systems would emerge without the Fed's participation, especially at current times when capital is scarce and expensive.

Mr Hoenig, who is not a voting member of the central bank's Federal Open Market Committee in 2009, did not comment on the economic outlook or interest rates in his speech.

The US central bank has cut interest rates to near zero and committed to massive lending and securities purchases to heal shattered financial markets and pull the economy out of the longest recession since the Great Depression. -- REUTERS



Rebuttal from SPSP (Society of Payment Security Professionals)

Society of Payment Security Professionals - Compliance Demystified
End to End Encryption & Tokenization…is this really a debate?
May 26th, 2009 by cmark Posted in PCI DSS

I just finished reading an article in the Greensheet related to end to end encryption. While the article does a very good job at showing the different angles and arguments for and against the concept, it is disturbing that the concept is being summarily dismissed by some people in the industry. I have been fortunate to have worked with a number of companies that have developed end to end (actually point to point) and tokenization type solutions. These solutions represent a very big step forward in data security within our industry.

On the third page of the article it states that “…it is generally thought that even unencrypted data is safe when the PCI DSS is strictly followed.” Having been a QSA, card brand employee, and QSA trainer that has worked with over 100 very large banks, processors, and merchants, I can tell you definitively that not a single one with which I worked was able to ’strictly’ follow the PCI DSS in such a way as to make unencrypted data “safe”.

There is an argument in the article against tokenization that says: ”the risk is focused upon a particular entity, as opposed to spread out among various entities.” Really? This is an argument against tokenization? Keep in mind that Tokenization solutions are offered primarily by gateways and that gateways have their merchant’s data anyhow. These tokenization solutions remove data from the merchants that don’t really need it. Instead of 1,000 potential points of compromise, you now have a single point of vulnerability (the gateway). Regardless of whether they were offering a tokenization type solution or not, the gateway would be a target for data thieves. The person who made the previous statement then goes on to say: “And you are reliant upon a single entity, that entity has to be hardened and secured beyond any potential doubt.” Any potential doubt? This is difficult to understand. Is he saying that this entity must be PCI DSS compliant? If we are conceding that the PCI DSS represents the “best line of defense against a data compromise” as also stated in the article is it not enough to ask the companies providing the tokenization solutions to be PCI DSS compliant? As we all know, there is no guaranteed security.

Consider the following scenario. Gateway X provides payment processing services for 5,000 level 4 retail merchants. These level 4 retail merchants are using an IPOS provided by some VAR. They don’t have a firewall, IDS, or a security policy. While they are required to comply with the PCI DSS, they are not required to validate. Furthermore, even if they were required to validate, they simply do not possess the technical aptitude to install and maintain a web application firewall, intrusion detection system, file integrity monitoring or many of the other 230+ sub requirements. When they accept a card for payment, the data is stored locally on their IPOS and sent to their gateway for follow-on processing. In this situation, do you have 5,001 points of potential compromise? No, you likely have 7,001 or more as many of these merchants have more than a single POS or location. Since Gateway X already has the merchant data, they offer to allow their merchants to NOT store the data and instead provides a token for the merchant to store. Now we have reduced the points of vulnerability from 7,001 to a single point of vulnerability (the gateway). Gateways generally have the technical ability and the vested interest in protecting the data. Is there a risk that they will be compromised? Certainly. Have we reduced the risk to that data? It is hard to understand how we have not.

Let me be clear. We are a long way off from end to end encryption being employed in most large merchants. Most level 4 retail merchants, however, can benefit from tokenization type solutions and end to end encryption solutions. In fact, while this is not public knowledge, I personally know of three Level 1 retail merchants that have removed nearly all of their data through tokenization solutions.

Is there a potential vulnerability in these solutions? Sure there is. Are these solutions appropriate for all merchants? Certainly not. Can many, many of the 6 million plus level 4 merchants (that are not currently compliant with the PCI DSS) benefit from these types of solutions? Absolutely!

Bob Russo states in the article that: “We (the PCI SSC) will continue to advocate for the PCI standards as an organization’s best line of defense against data compromise.” My question is; “Why do the concepts of PCI compliance and end to end encryption or tokenization have to be mutually exclusive?” Consider PCI compliance as a spectrum. On one end you have 233 requirements with which you must comply. On the other end you have a handful of requirements. The number of requirements is predicated upon whether you store, transmit, or process data, and in what manner. If I use tokenization for nothing more than replacing stored data, I have just removed a huge technological and administrative burden from my company. Simply not having to “Protect Stored Data” as per 3.4 of the PCI DSS, saves me a huge amount of money and complexity. By using tokenization, I have addressed 3.4 of the PCI DSS.

I find it unbelievable that we would be having a debate as to the value of end to end encryption and tokenization. When I was training QSAs I used to really enjoy the hard core techies that could come in and make a compelling argument that any form of encryption was worthless. Many of these were folks that had come from the various government agencies and would make very compelling arguments. Truth be told, however, we are not in the "absolute security" business, we are in the "risk management" business, and tokenization type solutions and end to end encryption solutions represent better risk management for one reason... they REMOVE THE DATA. No Data, No Risk to the data.
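The Gateway X scenario above and the point about PCI DSS 3.4, as an added example that is not the code of the post's author or of any vendor listed below: the gateway, which already sees the PAN, keeps it in a vault and hands the merchant a random token; the merchant's own database then holds only the token and the last four digits, so a copy of that database yields no card numbers and the "protect stored data" requirement no longer has stored PAN to apply to. The in-memory dictionaries stand in for the gateway's encrypted PAN store, the keyed index is there so that the de-duplication index itself cannot be reversed into PANs, and the card numbers used are standard test numbers; class and function names are constructed.

```python
import hashlib
import hmac
import secrets


def luhn_ok(pan: str) -> bool:
    """Mod-10 check digit test; rejects mistyped numbers before they are vaulted."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class GatewayVault:
    """Gateway side. Holds the PAN and hands the merchant a random token instead.
    In a real deployment this sits inside the gateway's PCI scope with an
    encrypted PAN store; the dictionaries stand in for that here."""

    def __init__(self, index_key: bytes):
        self._index_key = index_key   # keyed hash so the lookup index does not leak PANs
        self._pan_by_token = {}
        self._token_by_index = {}

    def _index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a plausible card number")
        idx = self._index(pan)
        if idx in self._token_by_index:          # same card -> same token (repeat customers)
            return self._token_by_index[idx]
        token = "tok_" + secrets.token_hex(12)   # random: carries no information about the PAN
        while token in self._pan_by_token:
            token = "tok_" + secrets.token_hex(12)
        self._pan_by_token[token] = pan
        self._token_by_index[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Used by the gateway when it submits a charge; never exposed to merchants."""
        return self._pan_by_token[token]


class MerchantPos:
    """Merchant side. After tokenization the local database holds no PAN, so
    PCI DSS 3.4 (render stored PAN unreadable) has nothing left to apply to."""

    def __init__(self, gateway: GatewayVault):
        self.gateway = gateway
        self.customers = {}   # customer id -> (token, last four digits for receipts)

    def save_card(self, customer_id: str, pan: str) -> str:
        token = self.gateway.tokenize(pan)
        self.customers[customer_id] = (token, pan[-4:])
        return token

    def database_dump(self) -> str:
        """What an attacker who copies the merchant's database actually gets."""
        return "\n".join(f"{cid},{tok},****{last4}"
                         for cid, (tok, last4) in self.customers.items())


def demo():
    """One gateway serving one small merchant; constructed customers, test PANs."""
    gateway = GatewayVault(index_key=secrets.token_bytes(32))
    pos = MerchantPos(gateway)
    t1 = pos.save_card("cust-1", "4111111111111111")   # standard test PAN
    t2 = pos.save_card("cust-2", "5555555555554444")   # standard test PAN
    t3 = pos.save_card("cust-3", "4111111111111111")   # same card, repeat customer
    return gateway, pos, (t1, t2, t3)


if __name__ == "__main__":
    gateway, pos, tokens = demo()
    print(pos.database_dump())
```

The property that matters is that the token is random rather than derived from the PAN: a format-preserving or hashed "token" that can be reversed or brute-forced from sixteen digits would put the merchant's database right back in scope.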

In reading the article, it was obvious that some of the people had a vested interest in seeing such solutions discounted. This is expected. My suggestion is that as a merchant you take a long hard look at these ‘alternative solutions’. Because we love you, we are providing (free of charge) some companies that offer good solutions. If you know of any more, please post them here in the comments!

* TrustCommerce (end to end w/vault)
* ProPay (end to end w/vault)
* Shift4 (Tokenization w/vault)
* MerchantLink (Tokenization w/vault)
* EPX (Tokenization w/vault)
* PPI (end to end w/vault)
* BrainTree (end to end w/vault)
* Network Merchants (tokenization I think)
* MagTek (encrypted MagStripe Reader supports End to End)
* Semtek (encrypted MSR supports End to End)
* HomeATM (encrypted Pin Entry Device; PED2.0 Approved)
* VeriFone (end to end; for IPOS)
