
The Logic Group Blog

Welcome to The Logic Group Blog, where our experts will share their views on customer interaction and give you their take on the industry developments affecting you today.
A couple of days ago I logged on to my computer to read that VeriFone had pulled their mobile payments device 'Sail' out of the market after an eight month battle with Square. The reason VeriFone's CEO, Doug Bergeron, gave for this was that the micro-merchant space is 'fundamentally unprofitable'.

Post this announcement, there have been a number of articles questioning if VeriFone's exit should worry Square. Personally I think the answer to this question is yes, but not necessarily for the obvious reasons.
December 20, 2012

As a consumer we place our trust in retailers to provide the services and products we require to a service level that we expect. A retail store provides a slick and well presented mechanism to deliver products to the public in a fast, effective and secure manner. However, behind the scenes the technology that underpins this process can be woefully insecure.

 

It is reported that a major European retailer is breached every week, and the reason we do not hear about it is that the retailer does not know about the breach themselves. In the past five years there have been a number of high profile cases of card data theft from retailer systems, including security breaches of high profile businesses resulting in data loss. These breaches have resulted in large fines being imposed and a loss of reputation for the business in question. However, the impact to us as the consumer is often more painful. The thought of your personal details being used by fraudsters to gain benefit, because the retailer you trusted has failed to protect you in the most basic way, can be frustrating. That basic principle is to keep your personal information, your credit or debit card, secure and safe from prying eyes, and with over 165 million cards in operation in the UK alone that proves a significant challenge.


February 21, 2012

Well as usual, I attended PCI London this week, which is probably my fourth or fifth one over the years. As always it was very well attended, which was encouraging as it demonstrates that merchants, schemes and service providers continue to treat security seriously, even in these difficult times.

 

It has been interesting to see the changes in approach.

 

Initially at my first one, the event had an educational bias. “What is PCI DSS, who does it impact, what does it mean?”

 

Then it moved to a more supplier centric focus, with many presentations talking about technology and solutions which would allow a merchant to meet a variety of controls within the standard.


January 27, 2012


Like many people out there, I stood on my bathroom scales a few days after Christmas, and after pushing my belly to one side in order to read the dial, decided that this year has got to be the year that I do something about shifting those excess pounds. Yes I’d promised myself in previous years that I would lose weight and get fitter, but never really got round to it, always finding other ‘More Important’ things to concentrate on. But this year I simply have to act.

 

I wonder how many IT Directors or Heads of Finance are wondering the same sort of thing regarding PCI compliance? Having put it off for a few years in the hope it will just ‘Go away’, this year may just be the year they decide to face this challenge head on.

 

It’s a daunting prospect, and whilst for me, there is no more frightening word in the English Language than the word ‘Diet’ many business leaders may feel the same way about the word ‘Audit’.

 

So how do I go about it?


January 9, 2012

Brussel Sprouts, hated them. These evil little green things just wanted to ruin a perfectly good dinner. After the joy of Christmas morning, playing with toys (I am talking about my childhood here, and yes, I can still remember it) and finally getting the “GET TO THE TABLE” call. Crackers pulled, reading the jokes (yes, still the basis of my humour till today) and putting on funny hats – laughing with grandparents. And then dinner is served, and it’s like the uber Sunday lunch! Added extras, cocktail sausages with bacon wrapped round (they weren’t called pigs in blankets back then!) – what genius came up with that? Freshly made stuffing and gravy, the turkey (we did have goose a few times) lots of roasties, good old veggies, and then, there it would be, the sprout. Now I never cheated per se, I was a good boy (at this time) and always did what my Mum told me to. So I would eat the sprouts, but only by dissecting them into the smallest possible size, and then trying to disguise the foul taste with a forkful of nice, tasty food.


December 6, 2011

Well they have arrived. After more than a year of discussion and debate the new requirements for Point to Point Encryption (P2PE) have finally been released by the PCI SSC.

 

These requirements, which are contained in the Point to Point Encryption: Encryption, Decryption and Key Management within Secure Cryptographic Devices (Hardware/Hardware) v1.0, were released this month and define how a payment solution provider may validate its P2PE solution thereby allowing merchants to reduce the scope of their PCI DSS assessments when using the solution.


October 11, 2011

I returned from holiday to find another attack vector has raised its ugly head. Reading the latest news, at least two hundred fraudulent SSL certificates (and possibly over five hundred) have been issued from a trusted root certificate authority (CA). In this case, it appears that Diginotar, the Dutch trusted third party, has been breached and spoof certificates for common domain names including google.com have been issued. This follows on from a breach at Comodo earlier in the year.

 

What are the implications of this? Well, the Diginotar root certificates are included within the trusted root authority stores of all common browsers, meaning that the fraudulent certificates would have been trusted when creating an SSL connection. These can be used to create encrypted tunnels to spoof sites where sensitive information could be transmitted, or to mount potential man-in-the-middle attacks.


September 12, 2011

I was recently browsing, when I came upon an interesting article.

 

It was discussing the Monty Hall problem.

 

For those of you who don’t know, this problem is based on a US quiz show and has caused a huge amount of debate at various times in the past. The idea is as follows.

 

A contestant is asked to look at three closed doors and told behind two of them is a goat and behind the other, there is a sports car. Choose the correct door, you get the car, choose incorrectly and you go home with an old goat. (Please add your own joke here)


June 28, 2011

I have just been reading the new guidance provided by the PCI SSC on Virtualisation. This document has been long anticipated, having been pre-announced at the PCI SSC User Forum back in October 2010.

 

The document includes advice for local virtualised servers and environments as well as advice for those merchants considering a wholesale switch to cloud computing in whatever flavour they believe beneficial. It covers a wide range of options and topics and the authors are to be congratulated on the output they have achieved.


June 27, 2011

Well, looking at the latest news, Sony Corp. still remains in the spotlight. A new hacking group seems to have made Sony Corp. the focus of their current efforts. However, I believe the most interesting incident from a security perspective is the attempted break-in at Lockheed Martin and the recent announcement from RSA regarding the replacement of SecurID tokens.

June 24, 2011

What a busy year we are having. Following the release and implementation of the Payment Card Industry (PCI) Data Security Standard (DSS) v2.0, the PCI Security Standards Council (SSC) have just released their new version of the PCI DSS Prioritised Risk Approach for PCI DSS v2.0.

 

Available from all good websites, this new document outlines the six milestones which make up the Prioritised Approach to PCI DSS. As many of you are aware, acquiring banks have been increasingly measuring their merchants' progress to PCI DSS compliance by their achievement of the milestones, with Milestone 1 being assessed as the most important, covering areas such as cardholder flows, sensitive authentication data and cardholder data retention, down to Milestone 6.


June 9, 2011

As I ask the question I can hear the thud of exasperation from overworked network administrators. Surely not another awareness day or preparatory day for the masses; haven't network administrators enough work to handle?

 

Well, I suspect they do, however World IPv6 Day does have a serious intent. World IPv6 Day is scheduled for June 8th and a number of notable sites such as Google, Facebook and the like will be enabling their web services to be served over IPv6 for a test period of 24 hours.

 

Why? Well, the internet is running out of network addresses; in fact, it pretty well has, and IPv6 is the solution. When IP was first developed, 4.3 billion addresses seemed sufficient; but with the number and diversity of devices looking to connect ever increasing (think of the proverbial internet-enabled fridge or power smart meter) this is far too small. IPv6 provides far more addresses, 3.4 × 10^38 to be exact. However, IPv6 is far more than simply a greater address range; it is the next generation of IP and has significant changes from the current IPv4 protocol stack.


May 24, 2011

It is estimated that 1 billion card transactions per year, worth an estimated £40bn, are processed by the UK's 700,000 contact centre agents. Therefore it is not surprising that Card Not Present (CNP) fraud (stolen details used over the phone, internet or mail order) accounts for 56% of all UK card fraud. With the vast majority of CNP fraud coming from contact centres, losses stem not only from fraudulent transactions, but also from cards that are leaked to the criminal fraternity by coerced call centre employees.

 

What can businesses that run contact centres do to prevent or stem this leak? After all they need to take payments, they need to provide effective customer relations and therefore they need their people to be on the phone to the customer.


March 24, 2011

You are a retail business. You have spent a small fortune in time and money to upgrade your systems and processes and a certified QSA has accredited you as PCI DSS compliant. Do you sit back and relax, safe in the knowledge that you have achieved security nirvana and that fraud will never show its ugly face in your business again? Well not quite.


February 22, 2011

Following recent news that more than two-thirds of companies have been hit by data breaches over the past year, the report featured in Computer Weekly is an interesting, if not alarming, confirmation that fraud is on the rise. Although person-present payments have improved security measures due to developments in global security standards like PCI DSS, cyber attacks still continue to be an area of vulnerability for businesses across the UK.


November 26, 2010

In many cases executive IT and security professionals trust their Information Security departments to provide adequate security to protect employees while operating in their business environment. However it is rare for users to extrapolate this security to a home environment.

 

What does this mean in practical terms? Well, an enterprise will normally provide a risk analysis of a security threat and then provide adequate controls to mitigate that risk to an acceptable level. And users need to consider the same things when at home. So what are the considerations which IT directors should take into account when looking at cyber security provisions for mobile workers?


November 16, 2010

According to the January 2010 report from the National Fraud Authority, fraud now costs the UK an eye-watering £30 billion a year. 58% of fraud is committed in the private sector, with tax fraud hitting £15.2 billion, and, in the private sector, financial services companies and organisations are said to suffer yearly losses of £3.8 billion through crimes including mortgage and insurance fraud, online banking, cheque and card fraud.

November 10, 2010

100% security doesn’t exist.

 

The frustrating truth is that almost every organisation will suffer a security breach at some point. Whether it is the defacing of a website, loss of data through a Trojan horse or the corruption of a system by a virus or worm, most companies will experience some form of data breach. This includes merchants who have diligently put measures in place to prevent fraud by implementing the correct security processes and procedures, enlisted specialist third-party anti-fraud services, adhered to appropriate industry initiatives such as 3D Secure and CV2, and complied with PCI DSS to protect their infrastructure against attack.


November 10, 2010

In the fast-changing technology landscape a week does not pass by without a new game-changing social media app, a new service in the cloud or some other provocative evolution. What chance does a regulator such as the PCI SSC have in setting a standard that applies to all the technologies employed in payments? Two years since PCI DSS 1.2, PCI DSS 2.0 is now upon us and this was one of the topics discussed at a recent QSA roundtable...

November 2, 2010

In the past decade there has been a sharp increase in focus on the security of cardholder data held by third parties. High profile data breaches and the associated losses resulting from the fraudulent use of compromised cardholder data have made global headlines and have struck fear into consumers and merchants alike.

October 14, 2010

Contactless payment technology continues to develop; it is a hot topic of discussion as Barclaycard rolls out an update to its TV advert demonstrating the ease of contactless technology – but will its implementation become a rollercoaster ride for retailers, and will hard currency become harder to find in the future?

October 7, 2010

The first PCI DSS deadline has been widely discussed by both merchants and payment card industry specialists, but what does this really mean? Will Visa and Mastercard soon be knocking at your door?

October 1, 2010

What is casual fraud? It can be anything from fraud conducted on online shopping and auction websites – with products purchased but never received – and internal fraud by employees and employers, to online dating scams and the so-called 'Sweetheart Fraud' – a deception that refers to the collusion between an employee and a customer.

September 23, 2010