Archive for March, 2011

Recently, several prominent vendors within the payment card industry have begun to square off (pun intended) and have lobbed a number of ‘open letters’ at the industry in which they each make claims and accusations.  You can read the letters here 1, 2, 3. While there is likely validity to at least part of each vendor’s letter and/or response, the greatest impact is simply their addition to the confusion within the payment card industry.  Without dissecting each letter, it is fair to say that they each revolve around at least one of two concepts: Encryption and/or Authentication, and how each applies to security and/or fraud.  Click each link to read a primer on Authentication and Encryption. This blog post will (hopefully) help shed some light on the concepts as they apply to the payment card industry and allow merchants to choose the correct solution.

Security of Payment Card Data

Without a doubt, ensuring the security of payment card data (credit and debit card data) is critical to every merchant’s ongoing success.  The card brands (Visa, MasterCard, Amex, Discover, JCB) all have rules mandating that merchants protect data.  Each requires compliance with the Payment Card Industry Data Security Standard (PCI DSS).  One of the most effective methods of protecting payment card data is to ensure it is rendered unreadable through encryption or other methods when at rest (i.e. stored) and when transmitted.  Encryption is not only effective but is one of the accepted methods for complying with PCI DSS requirement 3.4.  Encryption applies to standard PCs as well as to mobile devices such as smart phones.  If a vendor is allowing data to be read from a swipe device attached to a smart phone and the device does not encrypt the data, 1) it is not secure and 2) it is not compliant with the PCI DSS and other card brand rules.  As a merchant you should never allow a device to transmit unencrypted payment card data from a mobile device.
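A defender-side check for the point made above: if a reader or app transmits card data in the clear, a Luhn-valid PAN is visible in the payload and can be detected (and masked to the first six/last four digits PCI DSS 3.3 allows for display). This is an added example, not ProPay code; the payloads are constructed test data.

```python
"""Detect cleartext PANs in captured device-to-host payloads.
Added example (not ProPay code); SAMPLES below are constructed."""
import re

# 13 to 19 digits, optionally separated by spaces or dashes, not part of a longer digit run
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation, which every major card brand's PAN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_cleartext_pans(payload: str) -> list:
    """Return the Luhn-valid PANs found in a payload; an encrypted payload yields none."""
    found = []
    for m in PAN_CANDIDATE.finditer(payload):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """PCI DSS 3.3 display masking: at most the first six and last four digits visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def redact(payload: str) -> str:
    """Replace every cleartext PAN in a payload with its masked form (e.g. before logging)."""
    def _sub(m):
        digits = re.sub(r"[ -]", "", m.group())
        return mask_pan(digits) if luhn_ok(digits) else m.group()
    return PAN_CANDIDATE.sub(_sub, payload)


# Constructed sample transmissions from a mobile reader app (4111... is a well-known test PAN)
SAMPLES = {
    "cleartext_track": "%B4111111111111111^DOE/JOHN^2512101?",   # unencrypted swipe: non-compliant
    "encrypted_blob": "ksn=FFFF9876543210E00001 data=3f9a1c...",  # encrypted reader output
    "invoice_no": "order 1234567890123 total 42.00",             # 13 digits but fails Luhn
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        pans = find_cleartext_pans(payload)
        verdict = "CLEARTEXT PAN" if pans else "ok"
        print(f"{name:16s} {verdict:14s} {redact(payload)}")
```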

Fraud Prevention

Fraud is defined as the use of deception for personal gain.  Within the payment card industry we consider fraud the unauthorized use of a payment card for purchases.  This could include stolen data that is used by a thief or could include the use of a card by an unauthorized family member or friend.  Fraud prevention is a complex topic.  While we often hear about data breaches and their resulting fraud, the reality is that fraudulent transactions represent a very small percentage of payment card transactions. Visa’s Head of Global Payment System Security, Mr. Eduardo Perez, stated in an interview that global fraud was only about 6 basis points.  This represents only about 6 cents of every $100 in transactions.  There exist two basic methods of preventing fraud.  The first is to protect payment card data from being stolen.  The PCI DSS and various state laws are focused on ensuring that data is not stolen.  One of the most effective methods of ensuring data is not stolen is to ensure that it is protected with appropriate encryption and other security controls. Merchants and 3rd party service providers (like ProPay) have an important role to play in the protection of data.  Ensuring that you are in compliance with the relevant rules and are using technology that adequately protects data both at rest and in transit is critical.  Using encrypted swipe devices on mobile terminals is not optional if data is to be protected from compromise.

While this works well on data that is at rest or being transmitted, it does not address data that is stolen from ‘skimmed’ cards, where humans handle the cards and swipe them through magnetic stripe readers that are designed to copy payment card data.  The second, and most effective, method of reducing fraud is through advanced authentication.  The card brands currently have a number of authentication programs that are designed to minimize fraud.  These include AVS, CVV, CVV2, EMV, 3DSecure, and PIN authentication. You can read more about this in Security 101: Authentication.  It should be noted that as a merchant your responsibility is to ensure that you require the appropriate authentication for the appropriate type of transaction.  For example, if you accept card payments from a website, you are well served to require CVV or AVS or both so that you have greater confidence that the card being used is in the possession of the authorized user.  One of the ‘open letters’ to the industry made some very pointed comments suggesting that fraud prevention and authentication are the responsibility of the hardware vendor.  As a merchant your role is to ensure that you require the appropriate authentication for the appropriate transaction.  If you follow the card brand rules for authentication you are protected from fraudulent transactions.  Developing and approving new authentication tools and mechanisms are the domain of the card brands and banks.  It is simply not accurate to suggest that hardware vendors or 3rd party processors have a role in developing or requiring new authentication tools.  The letter is right in that every participant plays a role in fraud prevention.
Consumers should protect their cards, merchants should use technology that supports data security (encrypted swipe devices, for example), 3rd party vendors (like ProPay and others) should continue to develop technologies such as tokenization and encrypted swipe devices that enable merchants to protect data, and banks and card brands should continue to evaluate new authentication technologies which can reduce the incidence of fraud.

The Great Trade-Off

I used to conduct PCI related training for Visa and the PCI SSC throughout the world.  Invariably someone in the US would ask when the US was going to move to Chip and PIN like in the UK.  Their question was usually followed by a statement similar to the following: “If the US moved to Chip and PIN, we would eliminate fraud.  This should be enough to get the merchant onboard.” My response was simple.  I would ask them how much they were personally willing to spend to upgrade to Chip and PIN.  Would they be willing to spend $50 for every $25 in fraud they could prevent?  The answer was always a predictable and emphatic ‘No’.  I would also ask if they were willing to reduce their acceptance of payment cards by 25% if they could reduce their fraud by 10%.  Again, the answer was ‘No’.  This is the challenge with fraud prevention and security.  There are many people who will make definitive statements about how to prevent fraud without considering the impact to acceptance and the overall cost.  There is a trade-off between security and convenience/cost.  When faced with a belligerent attendee who refused to consider the trade-off, I would state with absolute confidence that I could prevent 100% of their payment card fraud.  When they asked how, I would simply suggest that they not accept payment cards.  This was never an acceptable option, as they knew that without payment cards their sales would drop significantly.  Again, this demonstrates the trade-off.  When faced with losing sales, suddenly the prospect of fraud was more palatable.

Summary

Of the three letters referenced previously, Verifone was closest to the mark when they advocated using encrypted swipe devices for mobile phones.  ProPay agrees with this position, and our own JAK product ensures that data is encrypted at the device and employs DUKPT key management as discussed in the Encryption post.  This supports merchants’ PCI DSS compliance and provides significant information security benefits by ensuring that IF the data is ever stolen or intercepted from the device, it is useless to the thieves.  As a mobile merchant, ensure you are using an encrypted swipe device.  This supports compliance with PCI DSS and prevents your customers’ data from being stolen.  Also ensure you are requiring the appropriate authentication for the type of transaction.  If you follow the rules you are protected in the instances where there may be fraud.

Chris Mark, EVP; Data Security & Compliance

This is intended to be complementary to the post: Security 101: Authentication.

Encryption is explained in Wikipedia as:  “…the process of transforming information (referred to as plaintext) using an algorithm (called cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. The result of the process is encrypted information (in cryptography, referred to as ciphertext). In many contexts, the word encryption also implicitly refers to the reverse process, decryption (e.g. “software for encryption” can typically also perform decryption), to make the encrypted information readable again (i.e. to make it unencrypted).”

At a high level, encryption requires three elements (yes, this is a very basic primer): 1) the plaintext or input, 2) the algorithm and 3) the key(s).  The value of encryption is based upon the strength of the algorithm and the length of the key(s).  All industry-accepted or government-approved algorithms are in the public domain. As an example, you can read about the 3DES algorithm here.  As stated by Auguste Kerckhoffs in the 19th century: “A cryptosystem should be secure even if everything about the system, except the key, is public knowledge.” Understanding this point, it is fair to say that the key provides the proverbial “keys to the kingdom” in encryption, and as such the keys need to be protected.

With this in mind, there are two basic types of encryption which rely upon different methods of key management.  The first type of encryption is known as symmetric key (or secret key) encryption and relies upon a single key (or a pair of trivially related keys) to both encrypt and decrypt the data.  Symmetric key algorithms are those used every day and include 3DES, AES, and Twofish.  The challenge with secret key encryption is that the key must remain secret to every party except the sender and receiver.  The other form of encryption is known as asymmetric or public key encryption.  In public key encryption two mathematically related keys are employed.  The first key, known as the public key, is used to encrypt the data, while only the mathematically related private key can be used to decrypt the data.  Public key cryptography is often used to secure email and provide digital signatures for electronic documents.  The value of public key encryption is that the encrypting key (the public key) can be distributed and does not need to be protected, as only the related private key can be used to decrypt the data.  A well known email encryption program called Pretty Good Privacy (PGP) uses public key cryptography to secure email.

A variation on public key cryptography that was patented by Visa is known as Derived Unique Key Per Transaction (DUKPT).  In DUKPT, every single transaction uses a new key that is generated from the preceding transaction.  In this model, if a single key is compromised the preceding and following transactions are protected.  DUKPT is specified in ANSI X9.24 part 1 and is used to encrypt PIN based transactions.
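The key-per-transaction property described above, shown as an added example that is not ProPay or JAK code. ANSI X9.24 part 1 DUKPT is a symmetric scheme: the host holds a base derivation key (BDK), each device is injected with an initial key (IPEK) derived from the BDK and the device's serial number, every transaction key is derived one-way from that, and the key serial number (KSN: device id plus transaction counter) travels in the clear with the ciphertext so the host can re-derive the same key. Here HMAC-SHA256 stands in for the TDES derivation steps of the standard, a linear chain stands in for the standard's counter-bit derivation, and a toy HMAC keystream stands in for TDES encryption; key values and track data are constructed.

```python
"""Illustration of the DUKPT property (unique key per transaction, one-way
derivation) with HMAC-SHA256 in place of the TDES steps of ANSI X9.24-1.
Added example, not ProPay/JAK code; all key material below is constructed."""
import hmac
import hashlib


def _kdf(key: bytes, label: bytes) -> bytes:
    """One-way derivation step (stand-in for the X9.24 TDES derivation)."""
    return hmac.new(key, label, hashlib.sha256).digest()


def derive_ipek(bdk: bytes, device_id: bytes) -> bytes:
    """Per-device initial key injected at manufacture; the BDK itself never leaves the host HSM."""
    return _kdf(bdk, b"IPEK|" + device_id)


def derive_tx_key(ipek: bytes, counter: int) -> bytes:
    """Host side: re-derive transaction key number `counter` from the IPEK.
    Linear chain here; X9.24 derives from the counter's bits so the host needs few steps."""
    state = ipek
    for _ in range(counter):
        state = _kdf(state, b"advance")
    return _kdf(state, b"tx")


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC keystream XOR) standing in for TDES-CBC; same call decrypts."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += _kdf(key, block.to_bytes(4, "big"))
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class SwipeDevice:
    """Holds only the current chain state and a counter.  After each swipe the state
    is advanced and the old state erased, so a captured device (or a single leaked
    transaction key) does not yield the keys of earlier or later transactions."""

    def __init__(self, device_id: bytes, ipek: bytes):
        self.device_id = device_id
        self._state = ipek
        self.counter = 0

    def encrypt_track(self, track: bytes):
        """Return (KSN, ciphertext); the KSN is sent in the clear alongside the ciphertext."""
        ksn = self.device_id + self.counter.to_bytes(3, "big")
        tx_key = _kdf(self._state, b"tx")
        self._state = _kdf(self._state, b"advance")   # one-way: previous state is gone
        self.counter += 1
        return ksn, xor_stream(tx_key, track)


def host_decrypt(bdk: bytes, ksn: bytes, ciphertext: bytes) -> bytes:
    """Host side: split the KSN, rebuild IPEK and transaction key, then decrypt."""
    device_id, counter = ksn[:-3], int.from_bytes(ksn[-3:], "big")
    tx_key = derive_tx_key(derive_ipek(bdk, device_id), counter)
    return xor_stream(tx_key, ciphertext)


if __name__ == "__main__":
    bdk = bytes(range(32))                      # constructed host BDK
    dev = SwipeDevice(b"DEV00001", derive_ipek(bdk, b"DEV00001"))
    for _ in range(2):                           # two swipes of the same test card
        ksn, ct = dev.encrypt_track(b"%B4111111111111111^DOE/JOHN^2512101?")
        print(ksn.hex(), ct.hex()[:32], host_decrypt(bdk, ksn, ct))
```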

At a high level, encryption allows data to be rendered unreadable to anyone without the proper key.  With the proper key the data can be decrypted into the original form and read.  As stated previously: “A cryptosystem should be secure even if everything about the system, except the key, is public knowledge.” If employed correctly and the keys are appropriately secured, the data is protected.  It is this premise that provides the value of encryption.

Chris Mark

EVP, Data Security & Compliance

Recently I found myself in a discussion with a person about a particular feature of payment cards.  When I started discussing the concept of authentication, the look on the other person’s face told me that I was discussing a completely foreign subject.  While this is not a dissertation on security, authentication is a vital component of information security and fraud prevention within the payment card industry.  For this reason, it is important to have an understanding of the concept and how it applies to our daily lives.

Authentication is described on Wikipedia as: “the act of establishing or confirming something (or someone) as authentic, that is, that claims made by or about the subject are true”.

There are three generally accepted factors of authentication: 1) something you know (like a password), 2) something you are (biometrics like fingerprints or iris scans), and 3) something you have (like a token).  Each of these factors alone has some value and may be sufficient to demonstrate with an appropriate degree of confidence that you are the person who is authorized to access the resource.

Access control is a combination of authorization and authentication.  Authorization is simply the approval to access a particular resource.  Consider a work environment where you are required to use a badge reader to enter the building.  As an employee you are authorized to enter the building.  To ensure that it is truly you (the authorized party) entering the building, you need to provide some evidence that you are who you say you are.  In many cases, the authentication mechanism is a proximity card that is waved and the door opens.  The proximity card is a token and would be considered a single factor of “something you have.”

When you get to your desk you need to access your work computer.  As an employee, you are authorized to access your email, and certain applications.  To log into the system you enter a user name (the system knows the person who owns this username is authorized to access certain resources) and then you enter your password.  This password (something you know) is a single factor of authentication that tells the system with some degree of confidence that you are the person that matches the username.

In both of these examples the astute reader has likely identified the vulnerability of single factor authentication.  In the first example a thief may have stolen the badge and may be masquerading as the legitimate user.  In the second example a person may have shared their password with another, or the password may have been stolen, in which case an ‘unauthorized’ person could also masquerade as a legitimate, authorized user.  When it is necessary to have an increased level of assurance that the authorized person is indeed the one accessing the resource, two factors of authentication can be used.  For the solution to truly be considered two-factor authentication it requires two of the three types of factors to be used simultaneously (a password plus a security question is still only “something you know”).  In high security areas it is common to see two factor authentication used.

Consider an example where you bank online.  Due to the sensitive nature of your account (and FFIEC regulations) the bank wants to have assurance that only the authorized account holder is accessing the account.  Since the bank website is accessed over the internet, the bank is limited in its ability to confirm the identity of the user.  A password alone is not sufficient, as a password can be stolen or shared.  In this scenario a bank would use a second factor of authentication.  While it does not guarantee that the person using the authentication mechanism is the authorized user, it provides a much greater level of assurance than a password alone.

Payment cards possess a number of authentication mechanisms.  The objective is to authenticate the transaction or user and reduce the incidence of fraud.  In card-not-present transactions such as ecommerce purchases the CVV2 number is often used to authenticate the card.  Since the number is only printed on the card and it is against card brand rules (PCI DSS) to store the CVV2, the assumption is that if someone can input the CVV2 they are in possession of a valid card.  Unfortunately, it is this fact that makes CVV2 such a valuable target for data thieves.  More robust authentication mechanisms include 3DSecure (Verified by Visa, MasterCard SecureCode), EMV (Europay, MasterCard, Visa) and the PIN used in debit transactions.  While each of these technologies increases the level of assurance that the authorized user is making a legitimate transaction, none of them guarantees it.

Authentication is a critical component of any information security or fraud prevention system.  Understanding the basics of authentication can help users better manage the security of their payment cards.

Chris Mark, EVP; Data Security & Compliance

Today’s news featured two articles in particular that should be of interest to social networking users.  The first was an article in MSNBC’s Red Tape column that discussed a study of the gender differences in social networking behavior.  According to the study, men were more likely than women to accept a friend request from a stranger of the opposite sex.  Men accepted such requests at a rate of one in five, while only one in thirteen women would accept such a request.  As a result, women were more likely than men to trust their “friends.”  Further, according to estimates by ID Analytics, “24 million U.S. adults still keep their profiles open to anyone, making them an easy target for data mining. Once again, men are more lax than women, with 28 percent of male adults skipping any steps to lock down their profiles, vs. 17 percent of women.”

This same study by Harris Interactive also provides the basis for an article by Don Reisinger of The Digital Home. He further points out that almost 5% of adults will accept every friend request that they receive.  Why is this behavior dangerous?  People tend to believe that they are being very careful about the information that is publicly posted, however aggregating seemingly innocuous data allows scammers to put together a profile of social network users.  Over the course of a month or two, users may post pet names, children’s names, neighborhoods, travel plans, birthdays and anniversaries.  This information may be enough for scammers to be able to begin guessing account usernames and passwords and it can even allow traditional thieves to know when to target your house.  With this knowledge in hand, it can be little wonder that scammers often take advantage of so-called promiscuous friending habits.

That being said, there are a number of steps that can be taken to protect yourself while still participating in social networking.

1) Don’t Take Candy from Strangers – In other words, no matter how tempting, don’t accept friend requests from people that you don’t know.  Some ill-mannered marketers use this technique to try to sell their products to unsuspecting people, but in a worst case scenario, it may be a criminal trying to gather more information about you.

2) Some Things are Better Left Unsaid – Be very careful about the types of information that you do post.  Account numbers, banking locations, social security numbers, phone numbers and similar information should remain private.  Legitimate sites will not require that you provide this information.  Also, while you may trust your friends, it is never a good idea to discuss your travel plans on social networking sites.

3) Know What Your Computer is Saying About You – Check your privacy settings frequently.  Some sites change their policies frequently and you should be aware of what information is being shared about you.

Social networking is a fact of life in today’s society, but social engineering does not have to be. Being cautious about the information that you share and aware of your privacy settings can help you maintain a vibrant online life while protecting your personal information.

Dr. Heather Mark, PhD

SVP Market Strategy

This is part two (see previous post) in a series on VeriFone CEO Douglas G. Bergeron’s six rules for success in the mobile commerce market (found here) and how ProPay’s social m-payment product, Zumogo, addresses each one.

Rule #2: “Mobile commerce must add value to the consumer. Tapping a phone is a gimmick, no different from tapping a card or fob. In addition to providing the ability to pay for stuff by phone, service providers and retailers need to provide real additional value – such as coupons, loyalty rewards and discounts – for consumers to leave their wallets at home.”

I recently attended a lunch at a local restaurant with a large group of colleagues.  Each of us wanted separate checks.  Because of my familiarity with Zumogo, what once was overlooked as just the sluggish realities of a “separate checks” scenario became a tedious (and probably familiar) experience to watch.  Starting with the drink orders, our server proceeded to ask us one by one what our preference was, followed by the entrée orders obtained in the same way. By the time our server handed us our checks, gathered our credit cards, and returned with our receipts (and the cards to go with them), all while navigating through (and reaching across) the large group of people sitting around the many lined-up tables, I wanted to shout “There’s a better way!”

High on the list of Zumogo’s compelling features for consumers is convenience.  Imagine the separate checks scenario using Zumogo.  As each customer announces themselves to the restaurant, they get a welcome message: “Welcome to our restaurant Wayne, what would you like to drink?”  (This of course can be configured based on the needs of the merchant, i.e. some merchants may value the customer service aspect of face time with the server.) Each customer then orders their meal, eats their meal, verifies and pays for their check and walks out the door, all virtually through their smart phone. (All but the eating part… that works better in the physical realm.)

Zumogo introduced us to the term “social m-payment” and thus inherently addresses the “coupons, loyalty rewards and discounts” that Bergeron mentions in Rule number two.  The geo-location and two-way communication features of Zumogo allow a customer to find not only traditionally posted coupons and discounts, but up-to-the-minute information from a variety of nearby merchants, including theater show times, wait times, table availability, daily specials, soups of the day, special appearances, local events, etc.  The customer can act on this information using Zumogo to order and purchase meals, make reservations, redeem coupons or loyalty points, etc., all through a variety of payment options such as credit cards, loyalty cards, gift cards and bank drafts.

While there are some benefits to being in close proximity to the merchant, it is not necessary.  Because Zumogo is location agnostic, all of these features can be utilized from anywhere you happen to be at the time, whether it’s at your office, in your home, sitting in a stadium, browsing online, on a phone with a call center or actually in the store.  You can even approve transactions that have been initiated by somebody else.  Imagine a scenario in which your son is buying books for school.  Once the cashier has rung up the books your son just gives them your user identifier and that payment request is sent to you (wherever you happen to be) for approval.  Once you’ve approved the request (after making sure the invoice is not for other less appropriate items) the transaction is complete and your son has his books.

These are just a few examples of applications for the Zumogo technology.  For the consumer, the flexibility, mobility, security and efficiencies of Zumogo are no gimmick, and with the proliferation of the smart phone and the universal expectations of utility that go with it, consumers will soon demand a technology like Zumogo.

Wayne Peck – Director of Software Development
