

“The times are tough now, just getting tougher  - This old world is rough, it’s just getting rougher - Cover me, come on baby, cover me” – Bruce Springsteen 1984

Businesses work very hard to build their brand.  Small businesses are no different.  Establishing trust and loyalty among the customer base is essential to the longevity of any business.  Many companies focus on marketing and sales relationships to ensure that the connection between customer and company continues to grow.  Social media, direct mailings, radio and TV advertising, print advertising, and data security and privacy policies all contribute to the growth of brand trust.  Wait a minute!  Did I say data security and privacy policies?  You betcha!  This is what I like to refer to as “brand security.”  Businesses spend an inordinate amount of time and money on establishing a brand that customers trust.  One of the fastest ways to lose that trust is to suffer a data security breach or to violate customer privacy.  For that reason, I often refer to data security and privacy programs as “brand cover.”

I’m going to borrow heavily, and probably poorly, from law enforcement and military actions here.  When you go into action, you generally have a forward team and then you have a team that provides “cover.”  This team keeps an eye out for threats that may not be visible or apparent to the forward team, but pose significant risk.  In the business world, one can think of your sales and marketing efforts as the forward team, while data security and privacy programs provide the cover.  Your marketing and sales efforts move the company forward and increase awareness.  Your data security and privacy programs help to mitigate unseen, and sometimes unknown, risks to your brand’s integrity.  In fact, some larger organizations, particularly not-for-profits, are more concerned about brand damage in the event of a security or privacy compromise than they are about the fines that may be associated with it.

For small businesses, implementing and enforcing data security and privacy policies can seem daunting.  The Better Business Bureau, though, has put together a primer for businesses to help them develop these programs.  If you accept debit and credit card transactions, you can look for services to help minimize how much of that sensitive payment data your business stores.  You can also undertake an inventory to see just what data you are collecting and storing and how you are protecting it.  You can also evaluate the partners that you use and how you share data with them. Understanding your data can ultimately serve as a very effective means of protecting your company, your brand, and your customers.

When it comes to PCI DSS there is no secret that there is a lot of confusion.  Surprisingly, one of the most confusing aspects seems to be who is responsible for enforcement of the standard.  Is it the acquiring bank, the PCI SSC, or the card brands?  Do state level governments get involved?  What about federal?  It’s not uncommon to hear merchants ask the question “why are you making me do this?”  Here, hopefully, is an explanation that can help clear up some of the confusion.

The Payment Card Industry Data Security Standard, commonly referred to as PCI DSS, is managed by the Payment Card Industry Security Standards Council (PCI SSC or simply “the Council”).  The Council is responsible for creating and managing the standards, ensuring that they are disseminated appropriately, and for training and accrediting Qualified Security Assessors, or QSAs.  The Council does not conduct assessments, nor does it enforce the standards.  While it plays a critical role in the industry, it does not determine the consequences of non-compliance.

Acquiring banks or merchant banks are often cast in the role of the enforcer, but this is an oversimplification of the complex nature of the industry.  The acquirers, just as merchants are, are bound to adhere to all card brand operating regulations.  Part of those rules requires the banks to ensure that their merchants are also in compliance with the card brand rules, including the PCI DSS and related standards.  Fines for non-compliance are passed through acquirers to the merchants.  In other words, the card brands impose fines on the acquirer for non-compliant merchants.  The acquirer then passes that fine on to the merchant.

Ultimately, though, it is the card brands that are responsible for the enforcement of the PCI DSS.  Each of the major card brands has its own security program, with a different process for dealing with non-compliant entities and with entities that have suffered a breach.  Here are the links to each of the programs.

It is important to note, though, that some states have passed laws mandating PCI DSS compliance.  As of January 2010, all companies that collect or transmit payment card data in Nevada have been required to comply with the PCI DSS.  Penalties for non-compliance include civil action, paying restitution and even injunction.  In 2010, the state of Washington also passed a law requiring PCI DSS compliance.  Minnesota has codified portions of the PCI DSS in its Plastic Card Security Act.  As of yet, the federal government has not passed a law along these lines, but various regulations and the charter of the FTC mean that, in the event of a breach, the federal government may be involved as well.

The best defense against these regulatory headaches is simply this – to the extent possible, don’t store the data.  For those that need to facilitate payments, there are solutions that allow you to do so while minimizing the amount of data that is stored, processed, or transmitted.  Merchants are well served to investigate these solutions in order to minimize their liability, and in some cases even to reduce their costs.

“When good people…cease their vigilance and struggle, then evil men prevail.” - Pearl S. Buck

When I was learning to ride a motorcycle my instructor gave me one piece of advice that always stayed with me.  He said “keep your head on a swivel.”  In other words, while I had to make sure that I was doing everything I should be doing, I also had to make sure that I was constantly looking out for what other people may be doing.  That way I could correct my course, or at least take some action to ensure that what the other people were doing wouldn’t put me in danger.  While this is certainly good advice for riding motorcycles, it is also good advice for data security.  It may seem like a stretch, but bear with me.

In securing our customers’ payment data, we have a guideline (actually a set of fairly stringent requirements) in the form of the Payment Card Industry Data Security Standard (PCI DSS).  To learn more about the standard, visit this site.  Following these requirements ensures that we are doing what we “should” in terms of protecting the data.  But that doesn’t mean that others won’t be taking action to put you (and your data) in danger – in the form of data compromise.  That means that you have to stay vigilant for what others might be doing – “keep your head on a swivel” – to ensure that you are addressing newly identified risks and vulnerabilities that may not be addressed by the standard.

Recent trends indicate that small merchants are increasingly becoming targets of data thieves.  In a recent interview, Vantiv Vice President David Mattei stated, “…now we’re seeing an increase in the number of breaches in which smaller numbers of cards are compromised. Small, independent merchants are being targeted because of the ease with which fraudsters can compromise those payment systems.” That means that as small merchants, even if we are PCI DSS compliant, we must remain vigilant against potential attack.  One way to foil the fraudsters in this case is with the use of a point-to-point encryption and tokenization solution.  In this model, the cardholder data is removed from the merchant system and replaced with “tokens,” abstract stand-ins for the cardholder data that cannot be turned back into card numbers outside the provider’s systems.  While merchants can still use the tokens to run reports, issue refunds or fight chargebacks, data thieves would find them worthless.

The lesson in all of this is that we must remain on guard against new threats, even if we are doing everything “by the book.”  Leveraging secure technologies like tokenization can help ease the burden of compliance and render you and your customers more secure in the long run.
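The tokenization model described above, as an added illustration that is not part of this post or of any vendor’s product: a hypothetical service-provider vault hands the merchant a random token at the point of capture, the merchant’s records keep only the token and the last four digits, and a refund is issued by passing the token back. The card number is a constructed test value, and the class and function names are assumptions.

```python
import secrets

def luhn_valid(pan: str) -> bool:
    """Mod-10 check every real card number passes; catches typos before tokenizing."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """Service-provider side (hypothetical): the only system that ever holds the PAN."""
    def __init__(self):
        self._pan_by_token = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        token = "tok_" + secrets.token_hex(12)   # random: carries no information about the PAN
        self._pan_by_token[token] = pan
        return token

    def charge(self, token: str, amount_cents: int) -> dict:
        # The provider resolves the token internally; the merchant never sees the PAN.
        pan = self._pan_by_token[token]
        return {"ok": True, "amount": amount_cents, "last4": pan[-4:]}

class MerchantSystem:
    """Merchant side: records hold a token and the last four digits, never the PAN."""
    def __init__(self, vault: TokenVault):
        self.vault = vault
        self.sales = []

    def sell(self, pan: str, amount_cents: int) -> int:
        token = self.vault.tokenize(pan)           # PAN handed off at the point of capture
        self.sales.append({"token": token, "last4": pan[-4:], "amount": amount_cents})
        return len(self.sales) - 1                 # sale id used for reports and refunds

    def refund(self, sale_id: int) -> dict:
        sale = self.sales[sale_id]                 # a refund needs only the stored token
        return self.vault.charge(sale["token"], -sale["amount"])

    def holds_pan(self, pan: str) -> bool:
        """What a thief copying merchant records gets: is the full PAN anywhere in them?"""
        return any(pan in str(sale) for sale in self.sales)
```

Because the token is random rather than derived from the card number, a copy of the merchant’s records yields nothing that can be charged anywhere else, which is the point the interview above makes about small merchants.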

We spend a lot of time talking about what to do to prevent a breach of networks or computer systems.  This discussion has been, and continues to be, very valuable.  It is discussions like this that have allowed the payments industry to develop solutions like ProtectPay, ProPay’s secure payment solution.  ProtectPay, for instance, allows merchants to accept payment card transactions without storing, processing, or transmitting payment card data.  The benefit of such a system is tremendous.  Not only does it allow companies to significantly reduce the costs and resources necessary to achieve PCI DSS compliance, but it also reduces the risk associated with a breach.  If a merchant using a properly configured tokenization solution is breached, there is no data there to be stolen.  The merchant has only value-less tokens, not valuable cardholder data.  Unfortunately, tokenization isn’t yet universally employed.  That means that there are quite a few merchants operating today that still have cardholder data in their systems.  And while the conversation about preventing a data compromise is important, an important question still remains: What happens after the breach?

Experian and the Ponemon Institute teamed up to answer that question.  The results can be found in “The Aftermath of a Data Breach.” (Registration is required to download the study.)  Of the companies studied, 45% indicated that the company lost bank or credit card information, and 60% of respondents indicated that the data that was stolen was unencrypted.  Additionally, the study found that 34% of the breaches studied were the result of a “negligent insider.” This seems to support the notion of using a tokenization solution.  It should be noted that 19% of responding companies suggested that “outsourcing data” was the cause of their breach.  Most tokenization solutions do require the outsourcing of data, so how can these two findings be reconciled?  There are two important concepts that readers should keep in mind.  The first is the statistics, and the second is due diligence.

The statistics are interesting.  The findings tell us that 60% of respondents lost unencrypted data.  That likely means that at least some of the outsourced providers that were cited as a cause of the breach were not securely storing the data.  Another interesting finding is that a full 50% of breaches were caused by insiders (negligent insiders 34% and malicious insiders 16%).  The other concept that one should keep in mind when reading the study is due diligence.  Outsourcing data is a big decision for any company.  It is advisable to do a significant amount of research into the potential vendor.  For example, in the payments industry, a company that stores, processes or transmits cardholder data on behalf of a merchant is called a service provider or a data storage entity.  Regardless of the terminology, the company must be compliant with the PCI DSS and be registered with the card brands.  Ensuring that potential partners meet these requirements can substantially mitigate potential risk on behalf of the merchant.

The study is a very interesting read and has important lessons for those companies that store sensitive data.  Perhaps the most important lesson is this: If you don’t need the data, don’t store it!

Dr. Heather Mark, PhD; Sr. Vice President Market Strategy

One of my favorite things about the Payments industry is the pace of innovation.  Five years ago, when the Payment Card Industry Data Security Standard became mandatory, the industry buzzed with ingenious new ways to secure cardholder data.  Today, terms like “end-to-end encryption,” “tokenization,” and “encrypted at the swipe” are commonplace.  In fact, those technologies are now more often the rule than they are the exception.  Today, the industry is abuzz with a new phenomenon, the mobile payment platform.  Again, it is startling to see how quickly companies can develop both hardware and software to meet the clamoring demands for mobile methods.  Here is a brief discussion of those methods.

Near Field Communication (NFC) – In NFC technologies, payment data is stored on a chip or device in the consumer’s phone.  When a purchase is to be made, the phone or other NFC-enabled device is “waved” near special equipment on the merchant side.  The purchase is approved and the consumer can walk out.

The benefits of such a solution are its speed and ease of use.  The consumer is required to do no more than wave the device near the merchant’s specialized POS.  For small purchases, the convenience is difficult to beat.  The challenges include the limits on the size of the purchase, its storage of data within the NFC device, and the requirement for the merchant to purchase special equipment to accept those payments.  With more and more providers offering NFC, the prices for the merchant-side equipment are beginning to fall, but merchants have been reluctant to adopt this technology as it does require a purchase of equipment.

Text/SMS – Also referred to as carrier billing, Text/SMS payments are particularly popular with merchants of digital goods, such as games, music, and ring tones.  The carrier billing model is growing increasingly popular in the realm of digital sales and peer-to-peer (P2P) payments.  In this model, a payment authorization is transmitted via text message and the amount of the payment is charged to the user’s mobile phone bill.  This method proves effective in high-volume, low-ticket sales, such as P2P or digital goods.

Application-Based Payments – With the rapid adoption of smartphone technology, these types of solutions are likely to become more prevalent.  In this model, the user downloads the payment application and enters their preferred payment methods.  The secure storage of this data is fertile ground for debate: some proponents favor storing the data on the phone itself, while others prefer that the data be stored securely with the application’s provider in an encrypted or tokenized form to reduce the likelihood of misappropriation.  The application-based model provides significant opportunities for value-add functionality, such as coupons or reservations.

In addition to these technologies, the eWallet, or at least the term, has become ubiquitous.  The eWallet allows users to link their payment cards to an application or device (usually an NFC chip) in order to facilitate payment.  Many companies are pursuing mobile payments through the adoption of the eWallet.

The next 12-18 months will be interesting in that the market will likely settle on a preferred model.  Of particular note is the very real possibility that the model that emerges will be a combination of those technologies discussed previously, or even one that has yet to be introduced.

Dr. Heather Mark, PhD;  SVP Market Strategy