Jan 17 2012

What is EMV and Why Is It Important?

Posted by hmark
Data Security, EMV, Technical Discussions
No Comments

Over the past year, the payments industry has been abuzz with news of Visa’s plan to encourage adoption of EMV technology.  While many in the payments industry have a clear understanding of what EMV is and how it might impact our business, for small merchants the term just adds on to the growing list of acronyms with which they must now be familiar.  PCI DSS, PA DSS, QSA, SAQ, and now EMV.   But what is EMV and what do small merchants need to know about it?

EMV itself is a standard begun by Europay, MasterCard International and Visa International. (Its current members are American Express, MasterCard, Visa, and JCB.)  The three companies joined together to form EMVco, whose purpose is “to manage, maintain and enhance the EMV™ Integrated Circuit Card Specifications for Payment Systems.”  In other words, the company was formed to promote the use of “smart cards.”  A “smart card” is essentially a payment card with an embedded micro-processor, or chip.  Because the chip can hold much more information than a magnetic stripe can, EMV enabled cards support multiple methods of authentication.  This ostensibly makes the process more secure for both the merchant and the consumer.   Since the chip can support dynamic and static authentication as well as online and offline authentication, the theory is that using EMV means that the risk of compromised card data being used fraudulently is significantly lower than with magnetic stripe data.  In other words, even if the data is compromised, it is less likely that it can be used to perpetrate fraudulent transactions.  As a result of its capabilities with respect to fraud prevention, Visa is strongly encouraging the US payments industry to move towards EMV.  So, what does this transition mean for merchants?

1) The requirement to comply with PCI DSS will remain - Visa’s program states that if a merchant can verify that at least 75% of its transactions are EMV, then the requirement to validate compliance with the PCI DSS can be waived.  It should be noted, though, that it is only the requirement to validate compliance that is being waived, not the obligation to comply itself.  Another important caveat to this validation waiver is that only Visa has so far extended this offer.  Merchants will still have to validate compliance as required with the other card brands.

2) EMV  does not replace data security – The use of EMV cards does not inherently provide protections against the unauthorized access or disclosure of the data itself.  Data thieves would still be able to compromise the data.  However, the utility of the data is significantly lessened as a result of the layering of authentication mechanisms employed by EMV cards.

3) Acquirers/ Processors have to transition by 2013 – As of April 1, 2013 acquirers and processors must be able to support EMV transactions.

4) Liability Shift means Acquirers likely to encourage adoption – Visa has announced plans to implement an liability shift for fraudulent purchases.  Currently, if a counterfiet purchase is made, it is largely left to the issuing bank (the bank that issued the card) to absorb.  Under the new rules, which would take effect on October1, 2015 counterfeit purchases that occur at a merchant location that has not adopted the EMV technology may become the liability of the acquiring bank.

As the deadlines come closer, the card brands will release more detail that will help guide merchants on the path to EMV.  Moving to EMV will be a challenge for an industry as fragmented as the US card processing ecosystem.  Although there will be the inevitable growing pains, though, the technology will serve to benefit all of the stakeholders – from merchant to the consumer.

Dr. Heather Mark, PhD; Sr. Vice President, Market Strategy

Tags: , , , , , , , ,

 

Jan 5 2012

Immune to Online Scams?

Posted by hmark
Data Security, Risk/Fraud, Scams, Social Engineering
No Comments

Many people today that consider themselves to be internet savvy might believe that they are too clever to fall for an online scam.  They know that they should not respond to pleas for help from Nigerian princes that need to move furniture for their long-deceased, well-meaning philanthropist great uncle.  They know that any job posting that requires respondents to send their bank routing information is likely not legitimate.  They know that a bank will never send an email asking their account holders to “verify their passwords” by clicking on a link.  But do they know that they shouldn’t click on that link that promises a sneak peak of the iPhone 5?

According to a recent survey by the Ponemon Institute (in collaboration with PC Tools), the answer is “no.”  The temptation is just too much, even for seemingly savvy internet users.  “Almost half (47%) of US respondents identified an online survey with a prize as either a scam or an attempt to get you to buy something later. However, when presented with the test scenarios, more than half (55%) of US respondents indicated they would be likely to provide their personal information to redeem a prize after completing an online survey,” said Richard Clooke, Online Security Expert, PC Tools.

A recent article on CNet emphasizes point made by the survey. Last spring, a number of Facebook users were scammed by a link that offered a look at the new iPhone 5.   According to Elinor Mills, the author of the article, “People who normally ignore all the other scams involving purported free software or naked celebrity photos clicked that fake news link and even completed a captcha on a second site, which reposted the scam to their own Facebook stream. That probably says more about how fanatical people are about Apple products than anything else. But it did raise the question–what does it take to lure someone to click on something that seems fishy?” It would certainly appear that the old cliche “everyone has their price” is analogous to this situation. If scammers can target the right prey with the right bait, people seem to disregard their concerns about fraud.  Target techies and Jobs-o-philes with a promised look at a future Apple product and they’ll likely click away.

The moral of the story – “think before you click.”  Many people associate internet scams with malware and Trojans, but sometimes scammers are looking for more specific information about users so that they can launch more targeted and sophisticated attacks later on.   For example, in the scam listed above,  scammers could perhaps garner email addresses.  Those addresses could then be used in phishing attacks later on to get more sensitive data from individuals.  It’s important to remember not to let your guard down when it comes to cyberscams.

Dr. Heather Mark, Ph.D.

SVP of Market Strategy

Tags: , , , , , , , ,

 

Dec 13 2011

An Interesting Bargain…

Posted by hmark
Industry News, Privacy
No Comments

As someone that watches with great interest as the great privacy debate unfolds, this article really caught my attention.  The issue in question is the trade-off between online privacy and discounts or special offers.  According to  a study by KPMG (Consumers and Convergence V: The Converged Lifestyle survey) a majority of US shoppers would offer up their online activity history in exchange for discounts on goods or even digital content.  Further, 43% of those surveyed would be willing to receive advertising, if they didn’t have to offer up personal details, in exchange for lower fees.

This is an interesting juxtaposition to the privacy hearings that have been occupying the US Congress of late.  Legislators have been greatly concerned with things like smartphone tracking and browsing histories.  It’s interesting to note that the issue may not be that consumers are upset about these activities on the part of merchants, but that they are not currently getting anything out of the bargain.  It is true that organizations should not be tracking consumer behavior, at least individual consumer behavior, without the consent of said individual, but there are benefits to sharing browsing history  and shopping behavior and consumers are recognizing those.  The question becomes, how can one  leverage the consumers’ self-interest to help the merchant?

It is important not to lose sight of the fact that consumer notification, awareness and choice remain priorities.  Tracking consumers without letting them know and providing them with the ability to opt out is a major faux-pas.  However, providing them some quid-pro-quo seems to ease many consumer qualms. What would be interesting to know though, is the consumer “break-even point.”  In other words, what sort of discount or service is the minimum for sharing their online behaviors?  That is not included in the KPMG survey, and is likely much more difficult to ferret out.

In today’s world, the balance between marketing research and a breach of consumer privacy can be difficult to measure.  For organizations that have questions about managing consumer privacy, there are a number of resources that can be referenced. Included is a short, certainly not exhaustive, list of privacy guidelines.

1) OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data

2) Federal Trade Commission Fair Information Practice Principles

3) Generally Accepted Privacy Principles

4) Privacy by Design

Dr. Heather Mark, PhD; SVP of Market Strategy

Tags: , ,

 

Dec 5 2011

PCI DSS Compliance and Fraud

Posted by hmark
PCI DSS, Risk/Fraud, Small Businesses
No Comments

I saw a blog post yesterday that reminded me of complexity and confusion surrounding the relationship between PCI DSS compliance and fraud prevention.  The details of the story are less important than the central idea that the author was communicating –  the notion that merchants should rely on PCI DSS compliance for the prevention of fraud.  The idea behind PCI DSS is of course to reduce the amount of fraud by helping to protect payment data from unauthorized disclosure and use, but it should be noted that the standard is not a fraud prevention program.  It is a data security compliance program.  Understanding the difference between fraud prevention and data security will help to clarify the relationship between the PCI DSS and fraud.

Fraud is the intentional deception for personal gain.  This is a broad definition that includes social engineering as well as the misuse of financial data.  Fraud prevention, then, must be a very broad set of practices and procedures that are put in place to prohibit people from being able to misuse (in this case) payment card data.   All of the major card brands have suggestions and best practices for preventing fraud at the merchant level.  MasterCard Worldwide provides a quick reference guide to help merchants educate their staff on fraud prevention techniques.  Among the suggestions is the notion that staff should be familiar with what a card is supposed to look like.  Valid cards have a number of fraud prevention mechanisms, including embossed numbers and holograms.    (Each of the card brands can also provide a sort of “anatomy of a card” that will keep merchants and their employees current with new card designs and security mechanisms.

Data security is a subset of fraud prevention tools.  Ensuring that the data is adequately protected from unauthorized disclosure (data compromise) helps mitigate the risk of fraudulent transactions.  All of the major card brands require compliance with the PCI DSS with any entity that stores, processes, or transmits cardholder data.  This helps to prevent data thieves from perpetrating fraudulent transactions on a large scale.  Merchants should not rely on the PCI DSS to protect them from fraud schemes.  PCI DSS is designed to help companies protect payment data from thieves, not to protect merchants from fraud schemes.

Dr. Heather Mark, PhD. ; SVP, Market Strategy

Tags: , , , , , , ,

 

Nov 21 2011

Passwords? What’s the big deal about Passwords?

Posted by hmark
Data Breaches, Data Security, Micro Merchant, Small Businesses, identity theft
No Comments

We often think that our personal computers or laptops are not targets of hackers.  ”There is little data of value to a thief,” we might rationalize.  ”They are going to be better served going after a big target – like a bank or other financial institution.”  This assumes that the only reason a computer would be hacked is for the value contained on that computer.  On the contrary, sometimes hackers or data thieves seek out computers that they can use as a launching pad for other attacks.  Of course, as long as the criminal has accessed your computer, they are likely to make use of whatever personal data may reside there, as well.  That means that creating a complex password for all of your computers – not just those that are used for business – is important.

SplashData, a company that provides mobile productivity applications, recently released a study of some of the worst passwords to use.   These passwords are the ones that are most frequently cracked.  Not surprisingly, the most frequently compromised password, is “password.”    The top 5 on the list from SplashData  is:

1. password

2. 123456

3. 12345678

4. qwerty

5. abc123

The complete list can be found here.

On this blog, we frequently discuss the importance of complex passwords – including alphanumeric characters, upper case and lower case, punctuation, and other symbols.   We also suggest that the password be changed at least every 90 days.  This will help to prevent hackers from making an easy target of your computer.

Dr. Heather Mark, PhD; SVP Market Strategy

Tags: , , , , , ,

 

Next Page »