Merchant Link SecurityCents

A blog that comments on the latest developments in the world of payments, payment data security and technology, PCI compliance, and more.

Posts Tagged ‘Bob Russo’

Yesterday on the blog we reported on recent information provided by the PCI Council regarding Version 3.0 of the standards. Many in the industry are writing about it, including the well-known blogger PCI Guru, who pointed out in this post the comments Bob Russo (General Manager of the PCI SSC) made with regard to mobile devices at the point of sale. Russo said:

“The fact is that many consumer mobile devices simply can’t provide the level of security needed to adequately protect payment card data. In other words, they cannot create a trusted environment equivalent to the PCI DSS compliant cardholder data environment. [...] We encourage merchants and others to understand the risk of using mobile, work with their acquirer and make their own decisions about whether they want to accept that risk. [...] We’re working with others in the industry including: standards bodies, vendors, banks and processors. But we are unwilling to lower the bar for security by writing a standard that current mobile devices could meet. If we wrote a secure standard for mobile now, no consumer devices would be able to meet it.”

In essence, Mr. Russo stated in no uncertain terms that the Council does not consider Android, iOS or other tablet environments to be secure or compliant at the present time. He recommends that merchants, if they are going to use these devices, work with their acquirer to ensure that both merchant and acquirer are aware of, and accept, the risk being presented.

Looking at the Point-to-Point Encryption (P2PE) Solution Provider requirements, I see this as the logical point at which mobile devices will be deemed acceptable by the Council. While there are currently no validated P2PE solutions available, such a solution would move the mobile device into Domain 4 as part of the segmentation between the encryption and decryption environments. The Council already recommends P2PE for mobile environments in the document “Accepting Mobile Payments with a Smartphone or Tablet.”

It’s clear that the use of mobile devices as POS terminals is growing in demand. The Council will absolutely need to provide requirements for these devices in the near future. QSAs today are no doubt challenged by how they should respond to these devices being present in a merchant’s environment when preparing a ROC. A validated P2PE solution, including a point of interaction (POI) that meets all of the PIN Transaction Security and Domain 1 P2PE requirements, may be the final destination.


…………………………………………………………………………………………………………………………………
Welcome to the Bi-Weekly Best of the Web – a great way to catch up on recent commentary and compelling content from across the Web. Every other Friday, we’ll post insightful news articles, noteworthy blog posts and more related to the world of payments, payment data security and technology.
…………………………………………………………………………………………………………………………………

PCI Council Offers Clarity On Cloud, Mobile Issues
by Ericka Chickowski
The PCI Council recently provided merchants with more detailed guidance on two topics most commonly confusing merchants in their pursuit to protect cardholder data and comply with PCI Data Security Standards: cloud storage and mobile payments. Led by merchants, banks, and payment processors participating in the council’s community-driven special interest groups, the effort to clear up some of the confusion came to fruition with the publication of two separate documents this month…

7 Technologies Redefining Retail
by Retail Info Systems
Times are changing and retailers are experiencing a shift that moves from predominantly human transactions to technology-enhanced interactions. Technology is now available to automate the customer experience – from wayfinding, to merchandise research, comparison-shopping and point-of-sale transactions. Consumers have changed their attitudes toward privacy and expect more from the stores they shop. According to the Control Group’s 2013 Retail Technology Survey, over half of U.S. shoppers are browsing the aisles with powerful computers in their pockets…

Identity fraud in US reaches highest level in three years
by Jeremy Kirk
IDG News Service — U.S. consumers experienced the highest level of identity theft in three years in 2012, although much of the fraud losses were absorbed by banks and merchants, according to a new survey.
Incidents of identity fraud affected 5.26 percent of U.S. adults last year, according to a survey of 5,249 people by Javelin Strategy and Research. That’s up from 4.9 percent in 2011 and 4.35 percent in 2010. The company put the total number of identity victims in 2012 at 12.6 million…

…………………………………………………………………………………………………………………………………
What other interesting content have you come across? Leave a comment below and join the discussion.
…………………………………………………………………………………………………………………………………


…………………………………………………………………………………………………………………………………
Welcome to the Bi-Weekly Best of the Web – a great way to catch up on recent commentary and compelling content from across the Web. Every other Friday, we’ll post insightful news articles, noteworthy blog posts and more related to the world of payments, payment data security and technology.
…………………………………………………………………………………………………………………………………

Data Breach Security From A To Z
by Robert Westervelt
Companies face daily threats from cybercriminals, hacktivists and nation-state-sponsored hacking groups. Financially motivated cybercriminals typically use automated tools to spread a wide attack campaign, gaining as many victims as possible. Hacktivists are politically motivated and often use distributed denial-of-service attacks as a weapon to cripple or bring down a website. Nation-state-sponsored hacking groups choose a specific target and stealthily conduct cyberespionage activities on a network over extended periods of time. Their aim is to steal intellectual property, email and other sensitive documents…

Lyndhurst Man Among 18 Charged in $200M Global Credit Card Fraud
by Hugh R. Morely
It was a meticulously planned criminal operation, with at least 18 participants, 1,100 separate bank accounts, and 7,000 false identities.
There were doctored credit reports, sham companies and 1,800 mailing addresses used to receive documents for 25,000 fraudulently obtained credit cards.
And when it was all put together, the participants – among them a Lyndhurst man who ran a jewelry store involved in the scheme, and five other New Jersey residents – stole at least $200 million from credit card companies…

New PCI Guidelines for E-Commerce
by Tracy Kitten
A new set of card data security guidelines for merchants and payments providers aims to address increasing risks unique to e-commerce environments.
On Jan. 31, the Payment Card Industry Security Standards Council issued its PCI DSS E-commerce Guidelines Information Supplement, a set of guidelines for e-commerce security. The guidelines relate to online infrastructures and how merchants work with third-party providers…

…………………………………………………………………………………………………………………………………
What other interesting content have you come across? Leave a comment below and join the discussion.
…………………………………………………………………………………………………………………………………


…………………………………………………………………………………………………………………………………
Welcome to the Bi-Weekly Best of the Web – a great way to catch up on recent commentary and compelling content from across the Web. Every other Friday, we’ll post insightful news articles, noteworthy blog posts and more related to the world of payments, payment data security and technology.
…………………………………………………………………………………………………………………………………

Brain Hacking: Scientists Extract Personal Secrets With Commercial Hardware
by Gregory Ferenstein
Chalk this up to super-creepy: scientists have discovered a way to mind-read personal secrets, such as bank PIN numbers and personal associations, using a cheap headset. Utilizing commercial brain-wave reading devices, often used for hands-free gaming, the researchers discovered that they could identify when subjects recognized familiar objects, faces, or locations, which helped them better guess sensitive information…

PCI SSC’s Bob Russo on point-to-point encryption, PCI compliance
by SearchSecurity
In this video interview, Bob Russo, general manager of the Payment Card Industry Security Standards Council (PCI SSC), discusses tokenization, point-to-point encryption, PCI compliance issues, and the state of guidance documentation for emerging technologies. According to Russo, the PCI SSC is currently assessing hardware-based point-to-point encryption products and plans to produce a list of approved PIN transaction security (PTS) devices by the end of 2012…

Mind the Gap: PIN versus Signature Authentication
by Douglas A. King
The just-released PULSE Debit Issuer Study reveals that in 2011 the gap in loss rates between signature and PIN debit transactions has widened further. Issuers lost an average of three cents per signature debit transaction compared to less than one-half of one cent on PIN transactions…

…………………………………………………………………………………………………………………………………
What other interesting content have you come across? Leave a comment below and join the discussion.
…………………………………………………………………………………………………………………………………

With the holiday shopping season fast approaching, most of us are dreading the full parking lots, long lines and busy malls. Finding the perfect gift amid the frenzy can be a challenge. Similarly, when merchants set out to purchase a new technology solution, it can invoke a certain amount of dread.

As merchants grapple with the ongoing challenges of payment security and PCI compliance, now is the time to embrace new technologies such as point-to-point encryption (P2PE) as part of an overall risk management strategy.

Merchants can ease the shopping process by arming themselves with the following questions. Asking these questions first makes it easier to find a solution that meets their unique needs.

  1. Is the P2PE solution a hardware or software solution or both?
  2. Is the vendor well established in the payments industry?
  3. Does the solution encrypt both swiped cards and manually entered cards?
  4. Does the solution encrypt online transactions, as well as on-site or card-present transactions?
  5. Has the vendor solution been evaluated by a trusted Qualified Security Assessor (QSA)?
  6. Is the P2PE solution integrated with the property management or point-of-sale system or is the encrypting device standalone?
  7. What happens if the encrypting device fails? What is the fallback scenario?
  8. Where is the hardware security module (HSM) located in the solution? Where exactly is the data decrypted?
  9. Does the P2PE solution integrate with a tokenization system?
  10. Can the solution function effectively without tokenization?
  11. How does the encrypting device handle non-payment cards such as employee cards, gift cards and airline/membership cards?
  12. How does the vendor secure communication between their network and the merchant’s systems?
  13. Is the solution tamper resistant? What happens if an attempted breach occurs?
  14. Does the solution support format-preserving encryption?

As we all know, hackers are continually targeting merchants with new and creative tactics. Merchants must stay one step ahead of them and employ the best means and methods available. According to Bob Russo, general manager, PCI Security Standards Council, “If implemented in accordance with PCI requirements, P2PE solutions can significantly reduce a merchant’s card data environment, mitigate potential breaches and simplify PCI DSS validation efforts.”

So don’t let solution shopping overwhelm and stress you out. Submit these questions to prospective vendors to help ensure a painless experience.

Originally published by SC Magazine, reported by

The use of a tokenization solution does not eliminate a merchant’s need to validate compliance with the Payment Card Industry Data Security Standard (PCI DSS), the industry group responsible for managing payment security guidelines said in a new document released Friday.

“The misconception is that I can buy one of these [tokenization solutions] and be PCI compliant,” Bob Russo, general manager of the PCI Security Standards Council, told SCMagazineUS.com. “That’s not the case.”

A mature and properly deployed tokenization solution can, however, simplify the requirements of PCI DSS by taking systems that no longer contain sensitive credit card numbers out of the scope of the standard, according to the 23-page supplement released by the PCI Council.

Meanwhile, Sue Zloth, product group manager at payment data security provider Merchant Link, a member of the PCI Council’s tokenization task force, told SCMagazineUS.com on Friday that she believes the document is a good first step, though it may lead to some confusion and deter adoption.

Zloth took issue with a section that discusses the need to evaluate whether a token itself could be used – in lieu of cardholder data – to perform a transaction.

The document states that so-called “high-value tokens,” which can be used as a form of payment, could be monetized by an attacker or used to generate fraudulent transactions.

The council introduced a valid concern – that certain tokens could be valuable to attackers – but “fell down” by failing to describe how a tokenization system could adequately protect tokens from being fraudulently used, Zloth said.

“A properly implemented system will know who is sending transactions and will not allow anyone to send transactions with a token,” she added.
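The “high-value token” concern above, illustrated with an added toy example that is not from the article or the Council’s supplement: a vault that issues random tokens, shown once in a weak form where any caller holding a token can transact with it and once bound to the merchant that created it (merchant IDs and the card number are constructed sample values).

```python
import secrets


class TokenVault:
    """Constructed example of a tokenization service.

    bind_to_merchant=False models a "high-value token": whoever presents it
    can transact, so a leaked token is worth as much as the card number.
    bind_to_merchant=True checks the authenticated caller against the
    merchant that tokenized the card and rejects everyone else.
    """

    def __init__(self, bind_to_merchant: bool):
        self.bind_to_merchant = bind_to_merchant
        self._vault = {}  # token -> (owning merchant id, PAN)

    def tokenize(self, merchant_id: str, pan: str) -> str:
        # Random token: it carries no information about the PAN, so systems
        # that store only the token hold no cardholder data.
        token = "tok_" + secrets.token_hex(12)
        self._vault[token] = (merchant_id, pan)
        return token

    def authorize(self, caller_id: str, token: str, amount_cents: int) -> bool:
        entry = self._vault.get(token)
        if entry is None or amount_cents <= 0:
            return False
        owner, _pan = entry
        if self.bind_to_merchant and caller_id != owner:
            return False  # token presented by someone other than its owner
        return True


def demo() -> dict:
    pan = "4111111111111111"  # constructed test card number, not a real card
    weak = TokenVault(bind_to_merchant=False)
    bound = TokenVault(bind_to_merchant=True)
    t_weak = weak.tokenize("merchant-A", pan)
    t_bound = bound.tokenize("merchant-A", pan)
    return {
        "weak_owner": weak.authorize("merchant-A", t_weak, 1000),
        "weak_other_party": weak.authorize("other-party", t_weak, 1000),
        "bound_owner": bound.authorize("merchant-A", t_bound, 1000),
        "bound_other_party": bound.authorize("other-party", t_bound, 1000),
        "unknown_token": bound.authorize("merchant-A", "tok_unknown", 1000),
        "token_reveals_pan": pan[-4:] in t_bound,
    }
```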

To read this full story go to http://www.scmagazineus.com/pci-council-releases-tokenization-guidance/article/209505/

By Sue Zloth

Merchants who have been awaiting guidelines on how to process payment card data in a virtual environment no longer need to wait. The Virtualization Special Interest Group (SIG) of the PCI Security Standards Council (SSC) has just released the documents.

So whether you are in a virtual or in a traditional environment, the guidance is now clear: You must still adhere to PCI DSS requirements and you can’t hold back on security efforts.

Bob Russo, general manager of the PCI SSC told InformationWeek, “If you’ve got to do them in the real world, you’ve got to do them in a virtualized world too.”

In a cardholder data environment, if virtualized technologies are used, PCI DSS requirements apply just as they would to technologies used in a traditional environment. Additionally, merchants are urged to understand the new risks associated with virtualization and address them accordingly.

Additionally, the guidance points out that there isn’t a one-size-fits-all method for configuring virtualized environments to meet PCI DSS requirements. Procedures will vary for each environment, according to how virtualization is used and implemented.

But merchants won’t have to start from scratch if they already store cardholder data in a virtualized environment. The guidance is a supplement to the requirements that merchants have been following, and there are no new requirements.

This guidance is part of an effort by the Council to offer guidance on new technologies such as encryption, tokenization and virtualization. Merchants awaiting guidance on tokenization should expect to see it before the summer is over.
