Article Archive - Network Security
Perspective: Defining Tokenization
August 2010
Bruce Dragt at FirstData blogs about Visa’s initial guidance on tokenization best practices. He says, “Having discussions around tokenization, as an industry, is essential to its future. I like how Rob McMillon articulates the difference between a tokenization and encryption in his latest blog post.”
Perspective: Data Security Standards with Tokenization and Encryption
July 2010
Craig Tieken at First Data presents perspectives on what data encryption and tokenization will mean for payments industry standards. He states data that comprises a token is random; the token can have the same 16-character format as a credit card, which is powerful for merchants as it enables them to use it in back-end databases and business applications without modifying those systems. If you are not able to map the token with the individual cardholder, merchants will lose valuable information such as trends and customer buying behavior.
Looking at Visa's Tokenization Best Practices
July 2010
Robert McMillon at RSA’s Speaking of Security blogs Visa issued their initial guidance on tokenization best practices. He states, “Overall, I think Visa presented a good start for the industry. Several other bloggers seem to agree. However, I do have a bone or two to pick with what they propose. The biggest issue that I have is that they seem to be allowing encrypted values to be called tokens, the very thing I cautioned against a few weeks ago.”
Visa Releases Global Best Practices for Card Data Tokenization
July 2010
Visa Inc. announced global industry best practices for tokenization to provide guidance to merchants, vendors, service providers and acquirers and promote safer merchant payment environments. Based on Visa's experience working with the industry and also insights from data compromise investigations, the tokenization best practices are the latest in a series of guidance to help merchants reduce or eliminate sensitive card data from payment systems and simplify data security and compliance efforts.
Visa Yanks PCI Approval from PIN Entry Kit
July 2010
The Register reports Visa has withdrawn PCI certification from two older PIN entry devices from Ingenico following concern they are vulnerable to manipulation by cybercrooks. The development represents an apparent change of strategy from Visa, which has previously maintained that retailers who achieve and maintain PCI-compliance are protected against security breaches. The credit card giant has also been at pains to make sure that products that fail to reach PCI compliance do not make it into the public domain and are only circulated within the industry.
Where Security Fits In The Payments Processing Chain
June 2010
First Data Corp. has published a white paper entitled “Where Security Fits in the Payments Processing Chain.” First Data introduces the paper by noting: “With over 20 billion credit card purchase transactions in the US in 2009 and a highly complex system for processing those transactions, it’s not surprising that credit card information is a key target for thieves. Thieves have become adept at exploiting numerous vulnerabilities in the consumer-merchant-acquirer payment processing chain to gain access to this information. Fortunately, there are cost-effective solutions that are available to help secure sensitive data and reduce compliance costs.”
PCI Update Gets Mixed Reviews
May 2010
The new point of sale standard released by the PCI Security Standard Council receives mixed reactions from industry security experts. The revised standard is meant to enhance and prevent payment card fraud on devices that accept payment transactions, and will cover everything from retail point of sale card readers to unattended payment terminals at gas stations and parking lots.
PCI Enhancement Announced
May 2010
Bank Info Security reports that PCI’s 2PIN Transaction security update is effective immediately. A new measure to strengthen credit card data protection was released by the PCI Security Standards Council May 12. Version 3.0 of the PIN Transaction Security (PTS) Point of Interaction (POI) standard is designed to streamline and simplify testing and implementation by providing a single set of modular evaluation requirements for all PIN acceptance Point of Interaction terminals.
Visa Warns of New Fraud Scheme
May 2010
The Identity Theft Resource Center reports as of March 23 there have been 182 data breaches identified in 2010. Twenty-two of the breaches have been perpetrated against financial institutions, including at least two credit unions. The ITRC compiles data breaches confirmed by various media sources and/or notification lists from state governmental agencies. The list is updated daily, and published each Tuesday.
Moving Beyond "Compliance Think" in Online Banking Security
April 2010
Francois Lasnier at Bank Info Security blogs that a change is happening in the security of online banking. In October 2005, the FFIEC provided guidance requiring the banking industry to provide stronger security controls to ensure the safety of online transactions. This set in motion a flurry of changes, but the effort has not been able to keep up with the ever-increasing sophistication of online threats. The time has come for stronger security, but the focus needs to be protecting end users -- not simply meeting compliance requirements.
Cisco 2009 Annual Security Report
January 2010
Cisco Security Intelligence Operations announces the release of the Cisco 2009 Annual Security Report. The updated report includes information about 2009 global threats and trends, as well as security recommendations for 2010. Among the highlights, the report notes online criminals have taken advantage of the large social media following, exploiting users' willingness to respond to messages that are supposedly from people they know and trust.
