Dec 20 2012
Posted by hmark
A new Harris Poll released last week lent some insight into consumer views on mobile payments. Among the highlights of the poll is that more than 60% of respondents believe that smartphone payments will eventually replace cash and card payments. This number is very high when compared with the number of respondents that have actually made (4%), or even witnessed (8%), a smartphone payment. What’s more, far fewer respondents believe that this transition will occur within the next five years. Contrast this with the media “Year of Mobile” pronouncements (which have been made for the last two years, at least) and one would rightly ask where the disconnect is. Media keeps saying mobile payments are imminent, while consumers seem to be hesitant.
One of the major variables for most consumers in using smartphone payments is the question of security. According to the Harris Poll, “Among those who indicate being either not very or not at all interested in being able to make smartphone payments, security is a clear, if predictable, factor: half (51%) say they don’t want to store sensitive information on their phone, and four in ten (40%) don’t want to transmit sensitive information to a merchant’s device.” (Here it should be noted that there are mobile payment products that allow payments to be made without (1) storing payment data on the consumer’s phone or (2) transmitting sensitive data to the merchant’s device.) Another significant portion weren’t interested in making smartphone payments simply because they did not own a smartphone.
So I put it to you, reader. What do you think about smartphone payments? Have you made one? Would you make one? What factors or criteria are necessary for you to adopt this new technology? Or are you just waiting for it to reach critical mass so that it’s available in places that you frequent?
Dec 10 2012
Posted by hmark
You may have seen headlines (small ones, but headlines nonetheless) regarding the re-authorization of the Safe Web Act. The full name of the act, which is far more descriptive of its actual function, is ‘‘Undertaking Spam, Spyware, And Fraud Enforcement With Enforcers beyond Borders Act of 2006.’’ As implied in its title, the bill was originally passed in 2006, but was set to expire this year unless it was re-authorized. On Dec. 7, 2012, President Obama re-authorized the act until 2020. So does this mean that the web is now safe all the time for everyone? No, but it allows the Federal Trade Commission certain powers that enable them to find and prosecute scammers, even if they are not domestic criminals.
The main thrust of the act is to allow the FTC to go beyond the US borders when investigating online criminal activity, especially as related to consumer protection. The act empowers the FTC to share information about scams and the criminals behind them with foreign law enforcement agencies. Previously, the FTC had been restricted to sharing only with other US agencies. Additionally, the FTC is empowered to aid foreign agencies in the investigation of online scams. Further, the FTC will have the right to get information from foreign agencies. The law provides “enhanced investigative and litigating tools” to the FTC to allow them to pursue investigations and actions more effectively.
This is not a complete summary of the law, but it does let consumers know that the FTC takes online scams and fraud very seriously and has been empowered, through 2020, to pursue these criminals even if they are not within the boundaries of the United States. As Mary Bono Mack (R-CA), the bill’s lead sponsor, says, “This is a win-win. It’s good for American consumers. It’s good for the future of e-commerce. And it’s the right thing to do for our nation and our friends around the world.”
Dec 6 2012
Posted by hmark
Data Breaches, Data Security, PCI DSS
A major national insurance company announced this week that its network had been compromised and more than 1 million customer records were stolen. Among the data included in the breach are “people’s names and a combination of Social Security numbers, driver’s license numbers, their date of birth, and possibly marital status, gender, and occupation, as well as the names and addresses of employers.” A company spokesperson said that there is no evidence that credit card information or medical information was involved in the breach. Affected individuals are being notified and offered free credit monitoring services.
It is interesting to note that this is the latest compromise in which sensitive personal information was stolen, while credit card data seems not to have been involved. A few months ago, South Carolina had a similar type of incident in which social security and banking information was compromised, while the encrypted cardholder data remained secure. Now, I don’t have any details or knowledge of these events outside what is printed in the releases or articles, but it does leave me thinking of a very important reminder: PCI DSS only addresses cardholder data, not any other sensitive personal information. Birth dates, routing numbers, social security numbers and other sensitive data are left out in the cold with respect to PCI DSS, though they merit just as much, if not more, protection than cardholder data.
PCI DSS only applies to cardholder data. It provides a baseline of protection for credit and debit card information. Nowhere in its requirements does the PCI DSS require companies to protect social security numbers, bank routing information, birthdates or any other sensitive information. Many companies take great pains to comply with PCI DSS and the standard has done a lot of positive things for an industry that desperately needed to implement strong security. However, simply being PCI DSS compliant does not mean that all the sensitive data in an organization’s environment is protected. A serious obstacle to overall security arises when companies believe that compliance with PCI DSS equates to security.
PCI DSS provides a good launching point for security initiatives. Many of the requirements contained in the standards are best practices (if not requirements) for other types of data, as well. It is tempting, particularly with so much focus on compliance, to focus on PCI DSS and cardholder data to the exclusion of everything else. It’s important to remember, though, that companies have many types of data in their networks. Companies would be well-served to conduct a data inventory, find out what they really need and what they don’t need to keep. If it is needed, then it should be adequately protected. If it is not needed, it shouldn’t be stored. Excess data is excess liability.
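The data inventory recommended above is easier to act on when it separates the one data type PCI DSS governs (the card number, or PAN) from the sensitive types it does not (SSNs, bank routing numbers, birth dates). The following Python script is an added example, not code from the original post; it runs over a handful of constructed sample records, validates candidate card numbers with the Luhn check and routing numbers with the ABA checksum so that random digit runs are not counted, and tallies how much sensitive data sits inside versus outside PCI scope. The regular expressions, the thresholds and the sample records are assumptions chosen for the demonstration.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample records (not real customer data). They mix the one data
# type PCI DSS governs (the PAN) with types it does not (SSN, routing number,
# birth date). The last record is a 16-digit order id that fails Luhn.
SAMPLE_RECORDS = [
    "customer=Jane Roe; card=4111 1111 1111 1111; exp=09/14",
    "customer=John Doe; ssn=123-45-6789; dob=1970-01-15",
    "customer=Acme Payroll; routing=111000009; account=000123456789",
    "note: order id 1234567890123456 is not a card number",
]

# Assumed patterns for this demonstration, not an exhaustive discovery ruleset.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")      # 13-19 digits, spaces/dashes allowed
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
ROUTING_RE = re.compile(r"\b(\d{9})\b")
DOB_RE = re.compile(r"\b(?:19|20)\d{2}-\d{2}-\d{2}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used for card numbers; weeds out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def aba_valid(routing: str) -> bool:
    """ABA routing-number checksum: weights 3,7,1 repeated over nine digits."""
    weights = (3, 7, 1) * 3
    return sum(w * int(d) for w, d in zip(weights, routing)) % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject structurally impossible SSNs (zero fields, area 666 or 900-999)."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def classify(record: str) -> List[Tuple[str, str]]:
    """Return (category, data_type) findings for one record.

    category is 'pci_scope' for a PAN and 'outside_pci' for everything else,
    which is exactly the gap the post warns about.
    """
    findings = []
    for m in PAN_RE.finditer(record):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            findings.append(("pci_scope", "pan"))
    for m in SSN_RE.finditer(record):
        if ssn_plausible(*m.groups()):
            findings.append(("outside_pci", "ssn"))
    for m in ROUTING_RE.finditer(record):
        if aba_valid(m.group(1)):
            findings.append(("outside_pci", "routing"))
    if DOB_RE.search(record):
        findings.append(("outside_pci", "dob"))
    return findings


def inventory(records) -> Dict[str, int]:
    """Count sensitive data types across records so that what PCI DSS covers
    and what it leaves out are both visible before deciding what to keep."""
    counts = Counter()
    for rec in records:
        for category, dtype in classify(rec):
            counts[f"{category}:{dtype}"] += 1
    return dict(counts)


if __name__ == "__main__":
    for key, n in sorted(inventory(SAMPLE_RECORDS).items()):
        print(f"{key:20s} {n}")
```

On the constructed records the tally shows one PAN inside PCI scope and three items (SSN, routing number, birth date) outside it; the order id is discarded by the Luhn check. Real discovery across a network would replace the inline list with file or database contents, but the reporting split is the part that matters for deciding which data to keep and protect and which not to store at all.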
Nov 28 2012
“The times are tough now, just getting tougher - This old world is rough, it’s just getting rougher - Cover me, come on baby, cover me” – Bruce Springsteen 1984
Businesses work very hard to build their brand. Small businesses are no different. Establishing trust and loyalty among the customer base is essential to the longevity of any business. Many companies focus on marketing and sales relationships to ensure that the connection between customer and company continues to grow. Social media, direct mailings, radio and TV advertising, print advertising, and data security and privacy policies all contribute to the growth of brand trust. Wait a minute! Did I say data security and privacy policies? You betcha! This is what I like to refer to as “brand security.” Businesses spend an inordinate amount of time and money on establishing a brand that customers trust. One of the fastest ways to lose that trust is to suffer a data security breach or to violate customer privacy. For that reason, I often refer to data security and privacy programs as “brand cover.”
I’m going to borrow heavily, and probably poorly, from law enforcement and military actions here. When you go into action, you generally have a forward team and then you have a team that provides “cover.” This team keeps an eye out for threats that may not be visible or apparent to the forward team, but pose significant risk. In the business world, one can think of your sales and marketing efforts as the forward team, while data security and privacy programs provide the cover. Your marketing and sales efforts move the company forward and increase awareness. Your data security and privacy programs help to mitigate unseen, and sometimes unknown, risks to your brand’s integrity. In fact, some larger organizations, particularly not-for-profits, are more concerned about brand damage in the event of a security or privacy compromise than they are about the fines that may be associated with it.
For small businesses, implementing and enforcing data security and privacy policies can seem daunting. The Better Business Bureau, though, has put together a primer for businesses to help them develop these programs. If you accept debit and credit card transactions, you can look for services to help minimize how much of that sensitive payment data your business stores. You can also undertake an inventory to see just what data you are collecting and storing and how you are protecting it. You can also evaluate the partners that you use and how you share data with them. Understanding your data can ultimately serve as a very effective means of protecting your company, your brand, and your customers.
Nov 27 2012
When we talk about the protection of data, particularly sensitive personal information like credit card or social security numbers, we often focus on “digital data.” By digital data, I mean that data that is stored in our networks and computers, our POS systems and other “networked” appliances. It’s easy to lose sight of the fact that copiers, printers, and fax machines are often “networked appliances,” complete with memory. That means that it is conceivable that when you send a fax or make a copy, that appliance could retain that data in its memory. As a result, that appliance now represents a point of vulnerability for the network.
The ability of these devices to store data should also be a consideration when looking to lease or buy previously used equipment, particularly when buying or leasing used POS equipment. You may be introducing someone else’s liability into your secure environment. This is where having proper policies and procedures becomes vitally important. Merchants should have a process for evaluating security options on the device or equipment (does it allow for overwriting or encrypting the data in memory?); security procedures should also be in place to ensure that the device memory is regularly overwritten to avoid data leakage.
The PCI DSS specifically requires that companies “Protect Stored Cardholder Data Wherever it is Stored.” Unfortunately, as our businesses grow, that often means that our cardholder data environment grows along with it. Information security policies and processes become more and more important. It can also be helpful to find strategies for limiting the size of the cardholder data environment.