Archive for January, 2011

These are a few pictures from the Zumogo launch in Park City, Utah during the Sundance Film Festival.

The ProPay team worked throughout the Sundance Film Festival to introduce the Zumogo product.  The feedback was overwhelmingly positive and there were even a few celebrity sightings!

Starting today merchants in Park City, Utah will be able to receive payment through ProPay’s (patent pending) Zumogo! social media application during the Sundance Film Festival.  More than a simple mobile payment application, Zumogo combines the best of social media and secure payment technology to enable consumers to identify local merchants, communicate with the merchant, and pay, all on their iPhone or Android.  Merchants have the ability to communicate with their customers and request payment.  Best of all, Zumogo does NOT store any account data on either the merchant system or the mobile device.  All communication and payment is handled by the ProtectPay system, ProPay’s secure tokenization process.  If you are in Park City at the Sundance Film Festival, look for the Zumogo! representatives wearing Zumogo jackets!  You just might get a free meal!!  Be sure to drop by 350Main, O’Shucks, The Bridge, and Red Banjo to check out Zumogo!

Update….just returned from a short trip to downtown Park City to catch some of Sundance and was able to sit outside of O’Shucks, order my food, eat, and pay on my Android without ever stepping inside!  Awesome experience! (works on iPhone, as well ;)   Pictures will be up soon!

As we embark on 2011, much of the payments industry is focused on converging payment technologies – traditional payment methods meeting and working with new technologies.  This progress is exciting on many levels.  We can increase card acceptance, increase purchases and, in some cases, the purchase size.  These are all good things, but as organizations adopt these new technologies it is important to keep in mind the new risks that are being introduced as well.  Small organizations are especially susceptible to “organic growth” of their information ecosystem.  In other words, the smaller the organization, the more likely it is that new processes will be adopted without examining the impact on the data – What new data is being collected?  What new data entry points are being added?  How will the new data be handled, and who will have access to it?

Why are small businesses sometimes more likely to fall into this trap than others?  One reason is simply the lack of in-house resources.  People don’t often go into business out of a burning desire to become data security and privacy experts (unless they are starting a data security or privacy consulting firm). Privacy and data security are extremely complex discussions.  Understanding the nuances of these issues is time-consuming, not to mention often headache inducing.  Small business owners are, rightfully so, concerned with more immediate and pressing concerns like making payroll, paying the rent and ensuring happy repeat customers.

Another, more subtle and insidious, reason for this trap is that many small businesses operate under the assumption that, because they are small businesses, they are “flying under the radar” of data thieves.  In fact, the Privacy Rights Clearinghouse tells a different story.  While the number of records compromised may be smaller this year than last, that appears to be because data thieves targeted more small businesses this year.  The trend appears to be that more small businesses were hit than in previous years.  It should also be noted that the 2009 numbers were drastically skewed as a result of the largest data breach ever reported.  In 2010, though, small businesses appeared to be the target of preference for data thieves.  For a complete list of reported data breaches since 2005, visit the list maintained by the Privacy Rights Clearinghouse.

So what is a small business to do?

Ask questions – Many small businesses rely on merchant service providers.  Those service providers are partners in your business in the respect that your business may depend on their practices.  Ask questions about how they manage security and privacy issues for themselves and their customers.  Ask probing questions about their practices.  Do they offer remote management of POS systems, and if so, how do they secure those management sessions?  Does each merchant have a unique username and password?  If you are not comfortable with their answers, or they are unable to give answers to your questions, you may be better served to keep searching.

Be Aware – It is extremely difficult to keep abreast of changes in the regulatory landscape or evolving threats to sensitive data. There are firms that maintain a healthy revenue stream by helping companies monitor changing regulation and standards.  However, the card brands often put out bulletins for merchants that alert them to new data theft techniques or evolving methods of data protection.  Visa’s merchant page on security can be found here.  To visit MasterCard Worldwide’s merchant resource page, click here.

Minimize Data Collection and Storage – One of the cardinal rules of data security is “don’t store it if you don’t need it!”  This does require some examination of your current practices to determine exactly what sensitive data is being collected and stored.  There are companies, ProPay among them, that can help companies process and accept credit and debit card transactions without ever storing, processing or transmitting cardholder data.  Not only does this lessen the burden of complying with the PCI DSS and the various state data breach notification laws, it minimizes the impact should a data thief decide to target your business – if you don’t have the data, they can’t steal it.
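The two halves of that advice, examining what is actually stored and keeping only a token in the merchant’s own records, can be illustrated with a small script.  This is an added example written for this post, not ProPay’s or ProtectPay’s code: the `TokenVault` class is a hypothetical stand-in for a hosted tokenization service, the records are constructed sample data, and 4111111111111111 is a widely used test card number rather than a real account.  The audit half (`scan_records`) looks for Luhn-valid digit runs in whatever the merchant has stored, which is how a business finds the “legacy” order that still holds a full card number.

```python
import re
import secrets
import string
from typing import Dict, List, Tuple

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# and not embedded inside a longer digit run.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Token characters; letters mixed with digits keep a token from ever looking like a PAN.
TOKEN_ALPHABET = string.ascii_letters + string.digits


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn check that card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pan_candidates(text: str) -> List[str]:
    """Return digit runs in text that look like a card number and pass Luhn."""
    hits = []
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


class TokenVault:
    """Hypothetical tokenization service (an assumption for this example, not ProtectPay).

    It is the only component that ever holds a PAN; merchant code sees the token only.
    """

    def __init__(self) -> None:
        self._store: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        # Random token: no relationship to the PAN, so it is worthless if the merchant leaks it.
        token = "tok_" + "".join(secrets.choice(TOKEN_ALPHABET) for _ in range(24))
        self._store[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._store[token]


def merchant_record(customer: str, pan: str, vault: TokenVault) -> Dict[str, str]:
    """What the merchant keeps: a token and the last four digits, never the PAN."""
    return {"customer": customer, "card_token": vault.tokenize(pan), "last4": pan[-4:]}


def scan_records(records: List[Dict[str, str]]) -> List[Tuple[int, str, str]]:
    """Audit step: (record index, field, pan) for every stored value that contains a PAN."""
    findings = []
    for idx, rec in enumerate(records):
        for field, value in rec.items():
            for pan in find_pan_candidates(str(value)):
                findings.append((idx, field, pan))
    return findings


def demo() -> Tuple[List[Dict[str, str]], List[Tuple[int, str, str]]]:
    """Constructed sample: one legacy record still holding a PAN, one tokenized, one unrelated."""
    vault = TokenVault()
    records = [
        {"customer": "legacy-order-1", "card_number": "4111 1111 1111 1111",
         "note": "stored before tokenization"},
        merchant_record("order-2", "4111111111111111", vault),
        {"customer": "order-3", "note": "phone 801-555-0100, invoice 20110118"},
    ]
    return records, scan_records(records)


if __name__ == "__main__":
    stored, findings = demo()
    for idx, field, pan in findings:
        print(f"record {idx} field {field!r} still holds a card number ending {pan[-4:]}")
```

Running it reports only the legacy record; the tokenized order and the unrelated phone and invoice numbers produce no findings.  The Luhn filter is what keeps ordinary numbers out of the report, and the token format is what keeps tokens out of it, which is the property the tokenization approach in the paragraph above relies on.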

Dr. Heather Mark, PhD, SVP of Market Strategy

ProPay is filled with rabid football fans.  We have Utah, BYU, Oregon, Southern Utah, and Auburn fans, among others.  As today is the national championship game between #1 Auburn and #2 Oregon (and as Heather and Chris Mark are Auburn alumni), we wanted to take this opportunity to talk about football and security.  Some may be questioning the sanity of this post by now, but let me explain.  Football, much like information security, is a game of strategy in which each side is attempting to gain advantage over the perceived vulnerabilities of the other.  This BCS championship features two of the most prolific offenses in college football history.  Both Auburn and Oregon run what is known as a ‘spread offense’.  In the spread, teams operate without a huddle and attempt to spread the field by utilizing 3, 4 or 5 receivers as opposed to the more traditional two receivers in a standard set.  In the earlier days of football there was the basic T formation, in which the quarterback was under center and had two running backs on each side.  Another early formation, developed by Pop Warner in 1907, was the ‘single wing’ formation.  Of course the ‘I’ formation was hugely popular and is still used in some variations today.

While this is not a dissertation on the evolution of football formations, it should be viewed as an example of adversaries attempting to capitalize on the vulnerabilities of defenses.  As offenses were changing to gain advantage over the defenses of the day, defensive coordinators were not sitting still.  Today most professional football teams and many college and high school teams utilize what is known as a 3/4 scheme.  In this scheme 3 defensive linemen are on the line of scrimmage (a tackle and two ends) and 4 linebackers support them.  The 3/4 allows defenses to drop more people into coverage of receivers to offset some of the advantage of the spread offense.
The 3/4 evolved from the more traditional 4/3 in which 4 defensive linemen are on the line of scrimmage with 3 linebackers behind the line of scrimmage.  In theory a 4/3 is a better defense against a running attack as there are more defenders on the line of scrimmage.

As we look at the evolution of data security within the payment card industry, we see similarities to football.  In the earlier days of data theft (2001 or so) thieves were using very basic network layer attacks to capture data.  In response the PCI DSS was modified to address network layer vulnerabilities, and in turn the data thieves changed their tactics to focus on application layer vulnerabilities.  As companies began locking down applications, attackers began focusing on authentication mechanisms.  The key point to be taken from this short post is that in any situation where two or more adversaries are attempting to gain advantage, evolution will occur.  For this reason it is not enough to view your company’s information security as ‘complete’ or ‘secure’.  Continually evaluate the tactics and techniques being employed by the adversary, and adapt.

On that note….WAR EAGLE!!! (for our Auburn fans)

On December 18, 2010 President Obama signed into law the Social Security Number Protection Act of 2010.  Despite its broad title, the law is fairly narrow in its scope, and it applies only to government agencies, not to the private sector.  The law has two primary provisions.  The first prohibits federal agencies from printing the recipient’s social security number “or any derivative” thereof on any government check.  Government agencies have three years from the effective date of the law to comply with this requirement.  The second clause of the law precludes Federal, state or local agencies from employing convicts in any position that would give them access to social security numbers.  (We need a law to tell us that this is not a good idea?)  Agencies will have one year to comply with this requirement.

Laws like this are good for two purposes: 1) protecting our data from those with bad intentions and 2) reminding us how far we still have to go in the protection of that data.  Did we really need a law to tell us that printing SSNs on checks or letting convicts access personal information is bad practice?  Private companies have been held to an increasing number of regulations that often differ in scope, objective, target, etc., which only makes the duty of protecting personal data more difficult.  Which law applies, which data must be protected, and how must that data be protected?  The myriad of regulations that face organizations can make the protection of data overwhelmingly complex.  There are a number of sources, though, that can help organizations implement strong, comprehensive information programs (information programs include both privacy and security, as opposed to simply “information security programs” or “privacy programs”).  Some of these sources include:

A Preliminary FTC Staff Report on Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers (December 1, 2010)

OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data

Generally Accepted Privacy Principles

Following guidelines like these can help companies proactively address privacy concerns, manage compliance with various state, federal and international laws, as well as prepare for any laws that may be forthcoming.  Being proactive about privacy helps both with compliance and with brand issues.

Dr. Heather Mark, PhD, Sr. Vice President, Market Strategy