If you like card fraud, this one’s for you

Just spent most of today talking about PCI DSS compliance issues with QSAs focused upon E2EE.

What?

Yea, you heard me right.

Delving into an area that I talk a lot about at higher levels usually, but rarely at these levels.

Today, I was plumbing the depths of the Payment Cards Industry (PCI) Data Security Standards (DSS) and evolution towards End-to-End Encryption (E2EE) standard. This is basically all to do with fraud and risk in merchant terminals from point-of-sale to virtual terminals for online payments.

Merchants are tiered, based on card volumes and values, from Levels 1 to 4, and assessed for compliance through the use of Qualified Securities Assessors (QSA).

As there was so much to discuss, I’ve had no time to write up a blog entry today.

Instead, for those of you interested in cards, security, authentication, identification, verification, identity management and so on, here’s the list of questions I took into the room for discussion:

• New PCI-DSS v2.0 - Adjustment or Major change?

• The Payment Card Industry Data Security Standard (PCI DSS) has been one of the strongest drivers for investment in IT Security in the past years. Why do we need a new version?

• What is changing and how to prepare to the new PCI DSS v2.0? Is it about rewording to adapt to new technologies, or does it bring a new approach to IT Security?

• What’s really driving PCI DSS – Is the US government motivated to stem the flow of money to illegal narcotics and arms industries?

• How have the long-term consequences of the Heartland data breach on the PCI SSC and the behaviour of QSAs impacted the PCI DSS programmes of merchants?

• How can merchants better understand and process the demands made by QSAs in order to maximise the benefits of implementing requests by meeting key security as well as compliance requirements?

• Do businesses understand the importance of PCI DSS compliance?

• Why is becoming compliant so costly to businesses?

• Can all merchants be categorised together when there is great diversity in terms of operating, sales and fulfilment channels?

• Tick-box compliance vs. risk-based security: it is said that PCI DSS is based on security best practices, but does it really constitute a risk-based approach?

• Are the regulations able to keep up with emerging trends, such as virtualization, cloud computing and mobile technology

• PCI compliance and Virtualisation: what are the key differences between the traditional “physical” computing model and virtualised computing models, and what does that mean for your compliance strategy?

• Adapting security models to a dynamic, “instant-on” environment: what dynamics must be considered as regards virtual machines and the risk of mixed trust-level virtual machines when striving to reduce security risks to both cardholder, and other sensitive data?

• While the adoption of Chip & Pin has been successful in reducing card fraud, it has led to an increase in data compromises in the Card Not Present (CNP) space, what measures might be taken by merchants and acquirers to curb this trend?

• What new challenges do mobile payment platforms present us and how can they be overcome? For example, how can we stop merchants from using applications that process CNP payments for transactions where the card and customer are present?

• We have seen increasingly that criminals have deployed new methods such as man-in-the-middle attacks that exploit areas that the PCI DSS does not currently cover; what counter measures can be taken to combat them now and in the future and does the standard need to change to account for these exploits?

• How do modern banking Trojans inject themselves into systems to overcome security provided by PIN, TAN (Transaction Authentication Number), and iTAN (Indexed Transaction Authentication Number) http://en.wikipedia.org/wiki/Transaction_authentication_number to steal and manipulate transaction data 'on the fly', and how do they cover up their tracks?

• What techniques do criminals use to distribute malicious Browser Helper Modules and, why is it so difficult to detect compromised browsers, and what risks do they expose to the end user?

• If companies rely on SSL (Secure Sockets Layer) as an effective last line of defence against Trojans that embed themselves into the browser, are they offering any real protection to their end users?

• What steps can businesses operating in the online commercial environment take to protect their customers from these threats?

• Reducing scope – is E2EE the holy grail? Where are the weak links in the E2EE chain?

• The PCI Securities Standards Council (SSC), what have they done well? What could they have done better?

• What are the key points on which the PCI SSC need to provide clarification that would help large merchants both secure their data and meet compliance, and by which avenues can merchants lobby for such change

• PCI SSC has set up working groups to better understand End to End Encryption and tokenisation –what are the pro’s and cons of working group?

• What guidance will merchants need with new regulations on E2EE and tokenisation?

• Do merchants focus on wrong areas? Do merchants approach compliance in the wrong way, spending too much time on money on something which only secures a small piece of the whole project?

• Why are merchants not always 100% forthcoming to auditors, and what are the top ten things merchants don’t tell their acquirer?

• What will the payment security compliance landscape look like in the future and what should merchants do to ensure they stay ahead of the curve?

There’s a whole load more where that lot came from, and I’ll blog a simplistic overview of what the dialogue was all about next week ... bet you can’t wait can you?

If you like the Finanser, check out the books of the blog: the new Complete Banker Series