Archive for the ‘PCI’ Category

PIN Requirement With Credit Card Purchases

August 14, 2011

Mathew J. Schwartz / InformationWeek

Visa announced that it’s putting its muscle behind the adoption of “chip and PIN” capabilities in U.S. credit cards, which require in-person purchasers to input a PIN code into a point-of-sale machine before the card can be used. Also known as EMV–for Europay, MasterCard, and Visa, referring to their global standard for integrated circuit chips built into cards–the U.S. chip will include contactless chip technology, laying the groundwork for greater adoption of mobile payments using near-field communications (NFC).

Death of password….not so soon!

January 30, 2011

I agree with Apple turning the iPhone into a universal debit card and Google’s Android supporting Near Field Communication (NFC), but not everything discussed in the article will happen that fast!

Why? Because I strongly believe that before Apple and Google implement workable biometric ID solutions for cell phones or replace the current authentication infrastructure with a biometric one, authentication will pass through other stages first, like two- (or multi-) factor authentication (a YubiKey-style touch key, some sort of machine tagging for cell phones) or one-time passwords (sent via an out-of-band channel such as SMS or email).

The obvious password replacement is biometric identification — the use of a system capable of recognizing unique physical attributes, such as fingerprints, iris patterns or voices.

Far too many people don’t trust biometrics because it feels like Big Brother technology. But I believe that if the biometric system resides on the user’s cell phone, and is under the user’s control, such technology would be far more acceptable to the public.

Fingerprint recognition is not very reliable, voice recognition technology in general suffers from both false-positive and false-negative problems, and iris scanners and sensors are costly.

Point-to-Point Encryption Technology

December 27, 2010

Since Heartland’s breach back in January 2009, Heartland’s CEO has been a strong advocate of industry adoption of end-to-end encryption. End-to-end encryption still remains a future dream, but to assist merchants the PCI Council has issued “guidance” on encrypting cardholder data and sensitive authentication data during transmission.

According to the PCI Council, “Initial Roadmap: Point-to-Point Encryption Technology and PCI DSS Compliance” is written from the merchant perspective but is applicable to any payment industry stakeholder, including merchants, payment processors, acquirers, service providers, assessors, and solution vendors.

The purpose of the document is to help payment industry stakeholders critically evaluate whether point-to-point encryption (P2PE) solutions may simplify PCI DSS compliance for their environment. Its scope is limited to transmitted cardholder data and sensitive authentication data, and to the impact on PCI DSS scope of a P2PE solution that encrypts this transmitted data.
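To make concrete what encrypting transmitted cardholder data buys a merchant, here is an added example that is not code from the PCI Council roadmap or from any P2PE vendor: the card reader encrypts the PAN and expiry with AES-256-GCM under a key that only the reader and the decryption environment hold, binds the terminal identifier into the authenticated data, and hands merchant systems an envelope carrying ciphertext plus a truncated PAN for receipts. The merchant’s POS, store network and back office can route and store the envelope but cannot recover the PAN, which is the property a P2PE scope reduction rests on. The key, terminal identifier, expiry and the 4111111111111111 test PAN are made-up test values, and the static shared key stands in for the hardware-backed key management a real solution would use.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Envelope is the only form in which card data leaves the terminal.
// The merchant POS, store LAN and back office see just this structure.
type Envelope struct {
	TerminalID string // bound into the ciphertext as associated data
	Nonce      []byte // fresh random 96-bit GCM nonce per transaction
	Ciphertext []byte // AES-GCM output (ciphertext followed by the tag)
	MaskedPAN  string // first six and last four digits, for receipts
}

// MaskPAN keeps only the first six and last four digits, the usual
// truncation a receipt or a merchant database may retain.
func MaskPAN(pan string) string {
	d := strings.ReplaceAll(pan, " ", "")
	if len(d) < 13 { // not a plausible PAN; hide everything
		return strings.Repeat("*", len(d))
	}
	return d[:6] + strings.Repeat("*", len(d)-10) + d[len(d)-4:]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32 byte key
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// TerminalEncrypt runs inside the card reader. Only the reader and the
// decryption environment ever hold key.
func TerminalEncrypt(key []byte, terminalID, pan, expiry string) (Envelope, error) {
	aead, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Envelope{}, err
	}
	plaintext := []byte(pan + "|" + expiry)
	ct := aead.Seal(nil, nonce, plaintext, []byte(terminalID))
	return Envelope{TerminalID: terminalID, Nonce: nonce,
		Ciphertext: ct, MaskedPAN: MaskPAN(pan)}, nil
}

// ProcessorDecrypt runs only in the decryption environment (acquirer or
// processor). A tampered ciphertext, a relabelled terminal ID or a wrong
// key all fail the GCM tag check and yield an error instead of data.
func ProcessorDecrypt(key []byte, env Envelope) (pan, expiry string, err error) {
	aead, err := newGCM(key)
	if err != nil {
		return "", "", err
	}
	pt, err := aead.Open(nil, env.Nonce, env.Ciphertext, []byte(env.TerminalID))
	if err != nil {
		return "", "", errors.New("authentication failed: envelope altered or wrong key")
	}
	parts := strings.SplitN(string(pt), "|", 2)
	if len(parts) != 2 {
		return "", "", errors.New("malformed plaintext")
	}
	return parts[0], parts[1], nil
}

func main() {
	// Made-up values: in a real deployment the key lives in the reader's
	// secure element and the processor's HSM, never on merchant systems.
	key := []byte("0123456789abcdef0123456789abcdef") // 32 bytes = AES-256
	env, err := TerminalEncrypt(key, "TERM-001", "4111111111111111", "1225")
	if err != nil {
		panic(err)
	}
	fmt.Println("merchant sees:", env.MaskedPAN, len(env.Ciphertext), "bytes of ciphertext")
	pan, exp, err := ProcessorDecrypt(key, env)
	fmt.Println("processor recovers:", pan, exp, err)
	env.Ciphertext[0] ^= 1 // a byte flipped in transit
	_, _, err = ProcessorDecrypt(key, env)
	fmt.Println("after tampering:", err)
}
```

Two design points matter for scope. First, the merchant never receives the key, so nothing it runs, logs or backs up can turn the envelope back into a PAN; that, not the mere presence of encryption, is what lets an assessor treat merchant systems as handling only ciphertext. Second, the terminal ID travels as GCM associated data, so an envelope cannot be relabelled as coming from another terminal without failing authentication, and the tag check rejects any in-transit modification before a single digit of plaintext is released.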

Verizon’s 2010 PCI Compliance Report

October 6, 2010

Verizon released its 2010 Payment Card Industry Compliance Report, which is based on an analysis of data collected from approximately 200 organizations. Key findings, as listed on page 3 of the report, include:

  • 22% of organizations were validated compliant at the time of their Initial Report on Compliance (IROC). These tended to be year after year repeat clients.
  • On average, organizations met 81% of all test procedures defined within PCI DSS at the IROC stage. Naturally, there was some variation around this number but not many (11% of clients) passed less than 50% of tests.
  • Organizations struggled most with requirements 10 (track and monitor access), 11 (regularly test systems and processes), and 3 (protect stored cardholder data).
  • Requirements 9 (restrict physical access), 7 (restrict access to need-to-know), and 5 (use and update anti-virus) showed the highest implementation levels.
  • Sub-requirement 3.4 (render the Primary Account Number (PAN) unreadable) was met through compensating controls far more often than any other in the standard.
  • Organizations do not appear to be prioritizing their compliance efforts based on the PCI DSS Prioritized Approach published by the PCI Security Standards Council.
  • Overall, organizations that suffered a data breach were 50% less likely to be compliant than a normal population of PCI clients.
  • All of the top 10 threat actions leading to the compromise of payment card data are well within scope of the PCI DSS. For most of them, multiple layers of relevant controls exist across the standard that mitigate risk posed by these threat actions.

EMV Chip cards – is it really a new technology???

June 1, 2010

Future of Credit cards

Proponents say it is indeed time for the U.S. to adopt the EMV standard. EMV, short for Europay, MasterCard, Visa, is the chip-and-PIN standard for storing payment-card data on an integrated circuit chip, maintained by EMVCo. It has been adopted in virtually every other part of the world, including Canada and Mexico.
