Blog

My Data Breach Costs More Than Your Data Breach

Steven Hughes — Fri, 27 Aug 2010 13:44:31 GMT

Earlier this year, the Ponemon Institute released a study (“Five Countries: Cost of Data Breach”), and the results paint a dichotomous picture of security and loss among counties.

All participating companies experienced one or more data breach incidents over the past year. The companies were based in the United States, the United Kingdom, Germany, France and Australia.

Right off the bat, one thing stands out. The total cost of a data breach in the US is off the charts ($6.75 million) compared to the study average of $3.55 million. Similarly, the US stands alone in the “lost business cost” results. It is the only one of the five countries above the average of $1.6 million. The US comes in at $4.47 million while its next closest data point is Germany at $1.19 million.

One immediate question is: why? The root cause of these breaches may be surprising (or maybe not!), but the US had the smallest percentage in the “malicious or criminal attack” category yet the highest in the “system glitch” category and second highest in “negligence” (topped only by the UK).

With so many compliance standards and rules regarding data security, where is the kink? Are things changing too quickly? Is there a general lack of understanding? Is there a false sense of security among C-level executives? Let us know what you think.

And here’s hoping you never meet the requirements to participate in next year’s study.

U.S. Credit Cards Not Welcome?

Steven Hughes — Wed, 11 Aug 2010 12:00:47 GMT

A number of recent surveys show that anywhere from one-half to two-thirds of people who carry U.S. credit cards experience difficulty when trying to use their cards outside of the United States. The hang-up, as most of you know, is magnetic stripes versus chip-and-PIN technology.

The perennial question is whether chip-and-PIN will make it to U.S. shores, and what factors will line up to motivate a change. Wal-Mart pulled its weight earlier this year when it announced that it would accept chip-and-PIN in its U.S. stores, and the U.S.’s neighbors to the north and south have also moved to adopt chip technology. Still, it hasn’t taken hold here, maybe due to cost – estimated to be nearly $9 billion.

But an article posted Monday on CreditCards.com describes the next generation of payment cards. LCD screens, videos, passwords, voiceover features, etc. In a word – innovative.

From an aesthetic and interactive standpoint, this new generation of cards will pique interest. From a security perspective, the new cards will help prevent fraud through a password protected feature that allows for safer online and in-store purchases.

The catch – these cards are only being tested in the European EMV market on cards that use the chip technology. So will interactive cards take off? Are magnetic-stripe cards becoming obsolete? Will interactive cards nudge the public into creating demand? What do you think?

You Asked, We Answered

Steven Hughes — Thu, 29 Jul 2010 12:28:57 GMT

During my travels –domestic and international – on behalf of the SPVA, I’ve spoken with hundreds of payment industry stakeholders about what our organization is bringing to the table in terms of security compliance and best practices.

Many of you brought up compelling questions about the SPVA and the industry at-large that I thought were worth addressing in a more public, widespread forum, so here we go. You asked, we answered. Below are some of the issues you wanted to know about. And please keep the questions coming. We’re here to collaborate with the industry’s best and brightest to reduce fraud and lowering risk for all.

Q. Will the SPVA host an annual conference or other face-to-face networking and educational opportunities?

A. The SPVA currently has no plans to host a stand alone annual conference, however we do host bi-annual meetings of the members at other industry conferences around the world. In addition, the SPVA is partnering with other industry associations to host Webinars and integrate half day to full dayworkshop sessions at their conferences.

Q. Will the SPVA issue additional white papers similar to the SPVA End-to-End Encryption Security Requirements paper?

A. Yes, the SPVA is committed to providing educational white papers and presentations to the payments industry. The SPVA is comprised of four technical working groups and these working groups are the backbone of the SPVA’s knowledge sharing with the industry stakeholders. The SPVA will issue additional White Papers during the coming year, and I encourage you to join the SPVA and participate in the formulation of the forthcoming SPVA implementation guidelines.

Q. How do you see mobile apps for devices such as the iPhone and iPad impacting payment security and compliance?

A. Mobile apps definitely are an interesting emerging technology in the payments industry and an area that has potential for attacks and security breaches. This is certainly an area that needs attention in assuring environments are secure.

Q. What are the benefits to the labs that join the SPVA’s Lab Network ?

A: The benefits of joining the SPVA Lab Network is to assure customers that your Lab is an active participant in the development and implementation of the SPVA’s recommended implementation guidelines. Labs which participate with the SPVA are interacting with the various stakeholders throughout the entire payments process and are instrumental in defining and developing the best practices around secure environments.

Now’s The Time

Steven Hughes — Mon, 12 Jul 2010 12:49:00 GMT

Google “PCI compliance” or “payment security” and you’ll always find a long list of news stories, but media is picking up the pace, and there couldn’t be a better time to join the fight for tighter security and a common solution to the various – and constantly shifting – security standards.

As Infosecurity Magazine reports, “PCI DSS hurdles loom,” and the industry is taking note. Every stakeholder in the payment process has an ear to the ground, working to keep up with the ever more complex and shifting set of rules and requirements.

As these worldwide security threats grow and compliance standards evolve, the SPVA is working to stay one step ahead, working not to add another layer but to create a common understanding of existing and newly released standards. Our member-driven Technical Working Groups are constantly evaluating the latest information to keep stakeholders informed and one step ahead of what they are reading in the news.

SPVA members represent all points along the payment continuum, from POS payment terminal vendors to software developers to acquirers and so many more. Before your company gets lost in the payment security news and looming regulations, join us and stay ahead of the game, ultimately keeping your clients and consumers safe from security compromise.

Steven
steven.hughes@spva.org

Interview With The Chairman

Steven Hughes — Thu, 17 Jun 2010 09:11:36 GMT

In case you missed our most recent newsletter, we wanted to share this interview with our new chairman, T.K. Cheung.

SPVA Welcomes T.K. Cheung as new Chairman of the Board
Hypercom’s vice president global quality & security takes the helm of the SPVA as the founding members rotate leadership positions heading into the organization’s second year. T.K. Cheung talks SPVA accomplishments and goals.

What were the most important accomplishments of the SPVA in its inaugural year?
I think our membership numbers (20) speak for themselves and not only the quantity of our members – but the quality. Our members represent the leading companies in the industry. In addition, the establishment of our Technical Working Groups and the work that is being shared is significant and stands to have a lasting impact on the industry, garnering widespread recognition of our organization.

What is your vision for year two?
I would like to continue to grow the organization and double our numbers this year. In addition, we look forward to the publication of more white papers from the other TWGs, that will be just as impactful as the recent End-to-End Encryption Security Requirements document.

What do you see as the biggest challenges for the SPVA?
Hands down, the adoption of SPVA guidelines and recommendations as well as attracting retailers and the card associations to join the SPVA is one of the biggest challenges. This will be a critical step for us as their input is valuable and will help shape our future.

What are three things that are not generally known about you?
I built my first computer from a kit in 1977. It was called a Nascom 1, and I still have it. My accent is English, not Australian, and I’m fluent in Cantonese.

Current personal goal?

To break 100 playing golf.

From End to End – A Guideline is Born

Steven Hughes — Thu, 27 May 2010 09:59:31 GMT

After a year of collaboration and research from our End-to-End Encryption Technical Working Group, I am pleased to announce the release of SPVA’s first white paper, the End-to-End Encryption Security Requirements.

This guideline represents SPVA’s commitment to strengthening global payment security standards and creating a common understanding of best practices. The insight and thoroughness with which this framework has been prepared is a testament to our members and to the Technical Working Groups.

The End-to-End Encryption Security Requirements sets a baseline for the industry, and focuses on:

Data to be encrypted during transmission
Key management
Physical and logistical security of the TRSM and key components
Encryption monitoring and management systems requirements

We invite you to download the End-to-End Encryption Security Requirements. We welcome your thoughts and feedback.

If you are interested in contributing to our next white paper, membership in the SPVA allows you to join any of our four Technical Working Groups.

Steven

steven.hughes@spva.org

“On the Road Again…”

Steven Hughes — Fri, 07 May 2010 14:36:15 GMT

Disclaimer: The following information is subject to change (but hopefully it won’t!).

But having officially given that disclaimer, it looks like the SPVA’s event schedule is taking shape. We’ve got our eye on four shows in 2010.

Midwest Acquirers Association (MWAA)

July 21-23

Schaumburg, IL

8th Annual MWAA Conference – “Changing Times…Changing Visions”

Cards Latin America

October 4-6

Coral Gables, FL

ETA Strategic Leadership Forum

October 27-29

Palm Beach, FL

"Business Intelligence for a Rising Economy"

CARTES & IDentification

December 7-9

Paris, France

“Digital Security – Smart Technologies – Payment – Mobility”

So if we haven’t met in person or you haven’t had a chance to learn about the benefits of joining the SPVA, this is a great place to start. Visit us at one (or all) of these shows to see the great work we’ve been doing and talk to us about what our plans are for the future.

There you have it. I wanted you to hear it here first. I encourage you to check our events page regularly as we confirm the shows in which the SPVA will be exhibiting, speaking and hosting workshops. Hope to see you on the road in the coming year. Wheels up!

Steven

steven.hughes@spva.org

Lights Up on the Lab Network

Steven Hughes — Wed, 21 Apr 2010 09:18:44 GMT

I don’t think I’ve given our Lab Network its due spotlight on the blog. No excuses since it’s a fantastic opportunity for labs and SPVA members alike.

For anyone who doesn’t know what I’m referring to, the elevator pitch about SPVA’s Lab Network is this: It’s a group of participating labs that work with our members and Technical Working Groups on security evaluations and implementation guidelines. Ultimately, the Lab Network will work with its peers and with other members to share best practices and improve security throughout the POS industry.

So what are the benefits? Here are five reasons why a lab would want to join:

· Recognition throughout the industry as a qualified and effective lab, operating on the forefront of security

· Access to SPVA’s Technical Working Groups and committee members representing leading payment companies

· Ability to share best practices and navigate through challenges with PCI’s top players

· Promotion through SPVA’s website, newsletter, press releases and social media channels

· Permission to download and use the SPVA Lab Network logo

And we’re not letting just anyone in. There are requirements to meet and applications to fill out. For more details about the details, I’m your guy. Email or call – or both!

Steven

steven.hughes@spva.org

404-760-4223

SPVA Value to Industry: Questions for Bob Carr

Steven Hughes — Mon, 29 Mar 2010 14:44:01 GMT

I sat down with our newest board member, Bob Carr, CEO of Heartland Payment Systems and SPVA associate member director, to get his perspective on how the SPVA is impacting the world of payments.

Read on for his take on how the organization is helping members protect their data and reputations while staying one step ahead of cunning cybercriminals. This week, he outlines a few key initiatives for us that the SPVA is proud of and talks about recent successes.

Why is the SPVA important to the world of payments?

The SPVA is important because it can lead the way in taking valuable digital data out of the POS systems of business owners. This removal will make merchants, consumers and all stakeholders in the payments infrastructure less vulnerable to cyber criminals.

What’s your long-term vision for the organization?

The SPVA can make the break through changes to POS devices, define the standards for those devices, and continue to refine their solutions.

How has Heartland benefitted from membership?

The very existence of SPVA has provided proof that TRSM encryption at the POS is a valuable solution in the fight against cybercrime.

What is your advice to prospective member companies with regard to membership, involvement with the SPVA?

Any manufacturer or user of POS equipment should support the mission of the SPVA to remove valuable digital data from merchant systems.

What trends are you seeing in the payments industry?

A more intense focus on creating real solutions to security breach concerns.

Good News/Bad News

Steven Hughes — Thu, 04 Mar 2010 10:37:24 GMT

Don’t worry. The “bad” news isn’t all that bad. You could say that the good news is the excuse for the bad news. Confused? I’ll explain. The bad news is that I’ve been remiss in posting a blog entry as frequently as I had planned. The “good” news is that the reason for the radio silence is due to the hectic event schedule SPVA has committed to.

Having said that, I hope you can join us at some of our upcoming shows. We’ll be at EPCA in Paris and then ETA in Las Vegas (celebrating our one-year anniversary). In between the two dates, we’re participating in a PCI Compliance webinar panel, hosted by BrightTALK.

Take a look at some of our upcoming plans. If you’ll be there, please drop me a line – I’d enjoy the chance to meet you.

EPCA Payment Conference

Bonjour! Wheels down in Paris on Sunday, March 21. We’ll have a booth set up at the 2010 EPCA Payment Conference March 22-24. Stop by and say hello.

BrightTALK

If you’re sitting at your computer on March 25 1 p.m. GMT, tune in to this free webinar. The PCI Compliance Summit will be a day-long event, but if you can catch our time slot, we’re sharing the “stage” with SPVA member Witham Labs and the CTO of SecureWorks.

ETA Annual Meeting & Expo

April marks the one-year anniversary of the SPVA. We’ll be back at the place of our launch to hold our annual members’ meeting and board meeting. If you will be in Las Vegas April 13-15, let’s talk.

See you on the road.

Steven

steven.hughes@spva.org

Expanding Connections

Steven Hughes — Thu, 11 Feb 2010 14:35:32 GMT

The past two weeks have brought significant andexciting changes to the Secure POS Vendor Alliance. When the SPVA launched less than ayear ago, the founding members – Hypercom, Ingenico and VeriFone -always had the vision that the organization would not simply be a soapbox for the “big three,” but rather a more inclusive entity that provided a collaborative environment and a stronger voice for ensuring payments security. The 15 additional members that have joined the SPVA over the past eight months agreed, committing their time and resources in return for the value this organization could provide. With two recent developments, we’ve come even further in realizing our vision.

Bob Carr, CEO of Heartland Payment Systems, was elected to the 2010 SPVA Board of Directors as our Associate Member Director.We are honored to have Bob take on this leadership position and feel there is currently no one better for this role. Bob expressed his commitment to 'bringing POS hardware and software vendors together for the good of all the stakeholders in the payments domain.” I look forward to working with Bob in continued support of our mission.

In case you missed it, the SPVA also launched a new involvement opportunity – the Lab Network. Our Technical Working Groups have been working diligently in the development of implementation guidelines related to end-to-end encryption, payments lifecycle management protocols and other pressing industry needs. Members of theLab Network, including authorized QSA labs, will be given the opportunity to conduct security evaluations of our implementation guidelines and connect with our other members in sharing best practices and raising the security level within the POS industry.

So as you can see, we’ve been busy around here! We’re convinced that the strides we are making to expand our connections will help to further our goals. If you want to know more about what’s going on at SPVA, reach out to me at any time.

SPVA Attracts More Members

Steven Hughes — Thu, 21 Jan 2010 09:23:57 GMT

Elavon, GHL Systems, ID TECH, Independent Purchasing Cooperative, Inc. (IPC) and Voltage Security joined the SPVA, bringing our membership total to more than a dozen elite organizations. Following through on their new year’s resolutions to help the SPVA achieve its mission to increase awareness of security issues, each new member is committed to providing the safest operating environment for their partners and customers.

These companies are leaders in their respective fields and will bring a high level of expertise to the SPVA effort. We look forward to their involvement and hope to engage all our members in the important work of our technical working groups this year.

Here’s what some of our current members are saying about SPVA involvement:

“I am very excited to be involved with SPVA, an organization that provides strong support and guidance to the merchant community around security and specifically PCI compliance. In this confusing and everchanging compliance environment, merchants need a trusted and reliable sourcefor information and solutions. The Secure POS Vendor Alliance is focused on bringing answers to the merchant community and supporting their interests when it comes to consumer payment information security.”
– Doug Dwyre, VP, Business Development, Voltage Security

“Heartland has benefited from our membership in SPVA in several ways. The SPVA creates an environment conducive to moving important industry ideas forward – such as improving security of cardholder data from global payment industry participants. The SPVA also provides a forum for participating member companies to demonstrate their commitment to payments security and re-imagine what is possible within the payments ecosystem and set new standards to help move forward on shared security goals.”
– Bob Carr, Chairman and CEO, Heartland Payment Systems

Please join us as we continue to rapidly expand and transform the world of secure payments in 2010 and don’t forget to vote by tomorrow, January 22, as the SPVA elects two new board of directors. Contact me at steven.hughes@spva.org to find out about membership opportunities. Happy New Year!

Five Good Reasons

Steven Hughes — Mon, 28 Dec 2009 10:31:52 GMT

As we head (or sprint) toward the finish line that will bring an end to 2009, 2010 promises to be an even more exciting year in the payment processing world. The rapidly-changing mobile marketplace, increasing scrutiny of payment standards, and continuing economic uncertainty are sure to play a role in our industry in the coming year. As you look ahead at ways to grow your business, might I suggest putting “join SPVA” at the top of the list?

Here are my top five reasons you should join:

1) Work with leading POS vendors to enrich and develop security guidelines

2) Acquire first-hand knowledge of current security threats and ways to mitigate them

3) Cultivate a common interpretation of existing security standards and public collective implementation guidelines

4) Develop end-to-end lifecycle security guidelines

5) Create industry encryption framework of cardholder data

I hope you’ll take the opportunity to contact me for more details on what the SPVA is bringing to the industry and what we can bring to your business.

I look forward to talking to you.

Election Day

Steven Hughes — Tue, 08 Dec 2009 13:07:40 GMT

After a successful whirlwind trip to CARTES, we’re settling in but still just as busy on the home front. The SPVA continues to build momentum as new members come onboard, our technical working groups prepare to release their first whitepapers, and…drumroll…it’s time for us to elect two candidates to the SPVA board of directors.

For some quick background, the SPVA board is comprised of five directors. Three seats belong to the founding members (VeriFone, Ingenico and Hypercom), and the other two are open to a representative of our general members and a representative of our associate members.

So who will it be? We have to keep you in suspense until January 6, when the results of the election are made public. Right now, the call for candidates is out, and we’re anticipating strong nominees to emerge over the course of the next few weeks.

I’ll also take this opportunity to mention again that it’s never too late to join SPVA. Take a look at some of the benefits, and if you act quickly, you may be able to run for a 2010 board seat. And if you’re already a member and wondering what else you can do to help (besides voting, of course), I’d ask that you help us spread theword about SPVA. The larger our membership base, the stronger we’ll be.

Our plates are full in 2010, so have your say in our strategic direction, policy formation, administration and all matters regarding SPVA’s work scope and mission.

Don’t forget. Only our members are eligible to run for the board and cast a ballot. And as always, please feel free to contact me if you have any questions.

Good luck to all the candidates…

Bonjour de Paris!

Steven Hughes — Mon, 23 Nov 2009 15:12:28 GMT

Hot on the heels of CARTES & IDentification 2009, SPVA members gathered last week for the first official members meeting. Joined by the SPVA board and myself, more than 20 representatives from leading payment industry companies assembled to discuss where SPVA has gone in its short existence and where it is headed.

So why SPVA and why now?

You don’t have to look much further than the recent data breaches (Radisson Hotels & Resorts, TJX Companies, Network Solutions, etc.) to know that payment security is not where it needs to be. What better way to contribute to the understanding and compliance of existing security standards than to utilize the knowledge of some of the biggest players in the industry. Ingenico, Hypercom and VeriFone are opening the door for an industry-wide meeting of the minds.

With the creation of four Technical Working Groups, SPVA members have the opportunity to affect the future of PCI compliance. One representative from each member company is allowed to sit on a TWG committee. The four TWGs address distinct and critical areas of payment security:

Security Standards
Payment Device Lifecycle
Threat Analysis and Intelligence
End-to-End Encryption

One important note is that SPVA does not endorse any one solution over another. Its impartiality allows that any and all retailers, acquirers, POS vendors/supplies and card brands are welcome to join the conversation and share best practices.

Our TWGs are already in action, and we anticipate the release of an end-to-end encryption implementation guideline in early 2010. Stay tuned for details because we’re not wasting any time getting moving or making our mark on the industry.