Everyone's Talking About EMV <p style="margin-bottom: 10pt; line-height: 115%;">EMV has been a hot topic in the U.S. of late as a growing number of American financial institutions adopt EMV-enabled chip cards that they say are the future of secure payments. However, <a href="http://www.csdecisions.com/2012/01/29/will-emv-be-doa/">some argue</a> the technology may be outdated by the time it is implemented. </p> <p style="margin-bottom: 10pt; line-height: 115%;">For more than a decade, EMV (Europay, MasterCard and Visa) chip cards have been widely adopted around the world as a means of reducing payment card fraud. The U.S., however, has been slow to adopt the technology, mainly because of the cost of converting credit and debit cards, point-of-sale terminals and cash registers to EMV. That is now changing. Visa recently announced plans to speed the adoption of EMV contact and contactless chip technology in the U.S., offering incentives to merchants and processors and the promise of increased card security to banks and other card issuers. In addition, MasterCard <a href="http://newsroom.mastercard.com/press-releases/mastercard-introduces-u-s-roadmap-to-enable-next-generation-of-electronic-payments/">introduced a comprehensive roadmap</a> this week focused on EMV adoption in the U.S., while several banks and credit unions have announced the addition of EMV chips to the credit cards they offer.</p> <p style="margin-bottom: 10pt; line-height: 115%;">Response to the EMV push has been a mixed bag. 
Some retailers are embracing the technology as the next step toward a new world of payment transactions, while others are questioning why they are being asked to upgrade to an old technology instead of preparing for a more modern approach to payments.</p> <p style="margin-bottom: 10pt; line-height: 115%;">“EMV is 20-year-old technology that already has known deficiencies—no security for online use, no security of the card number and susceptible to man-in-the-middle attacks,” said Trinette Huber in a recent <a href="http://www.csdecisions.com/2012/01/29/will-emv-be-doa/"><em>Convenience Store Decisions</em> article</a>. Huber is manager of information privacy and security for Sinclair Oil’s PCI program. “U.S. merchants want the next generation of EMV—one that protects the card number so that PCI compliance requirements are thrown out, and one that addresses online fraud. Let’s update that technology and do full card encryption. Then the return on investment would be worth it.” </p> <p style="margin-bottom: 10pt; line-height: 115%;">Despite these merchant concerns, other industry players welcome the EMV migration. SPVA member VeriFone, for example, says the move to EMV will help further reduce the potential for fraud. </p> <p style="margin-bottom: 10pt; line-height: 115%;">“With the coming shift in liability for fraud costs, and in light of growing evidence that card fraud is increasingly migrating to non-EMV countries, VeriFone encourages earliest adoption of this critical payment technology to assist in building a complete defense against criminal elements,” said VeriFone in an <a href="http://www.mobilewaytopay.com/2012/02/01/emv-in-the-u-s-verifones-response-to-mastercards-emv-roadmap/">official statement</a>. </p> <p style="margin-bottom: 10pt; line-height: 115%;">So what do you think? Is the U.S. ready for chip and PIN payment card authentication? Is EMV the future of the secure payments industry?</p> http://spva.org/blog/12-02-01/Everyone_s_Talking_About_EMV.aspx Steven Hughes Wed, 01 Feb 2012 23:47:32 GMT Security a Top Priority for Retailers <p>With <a href="http://www.infosecisland.com/blogview/19432-2012-Has-Delivered-Her-First-Giant-Data-Breach.html">data breaches</a> and skimming incidents already garnering headlines in 2012, it’s perhaps no surprise that secure payments was a <a href="http://www.marketwatch.com/story/nrf-attendees-share-their-new-rules-for-retail-2012-01-18">hot topic</a> among attendees at the National Retail Federation’s <a href="http://events.nrf.com/annual2012/public/enter.aspx">101st Annual Convention &amp; EXPO</a> this week. As a growing number of smartphone makers unveil NFC technology that transforms mobile devices into wallets – and more consumers replace their traditional wallets with those of the virtual variety – concerns over security threats are likely to grow. </p> <p>The rapid development and deployment of mobile payment technologies has certainly been a source of concern for those of us in the secure payments field. According to the <a href="http://www.telecomtiger.com/Corporate_fullstory.aspx?passfrom=topstory&amp;storyid=12223&amp;section=S162">2011 KPMG Mobile Payments Outlook</a>, a survey of nearly 1,000 global executives in the financial services, technology, telecommunications and retail industries, 83 percent of respondents believe the use of mobile phones for financial transactions will be mainstream within four years, and 46 percent expect mobile payments to be common within two years. Also of note, 58 percent said they already have a mobile payments strategy in place. 
</p> <p>In response to this trend, the PCI Security Standards Council recently <a href="http://risnews.edgl.com/retail-news/PCI-Expands-Encryption-Standards-to-Mobile-Payment-Card-Readers76280?googleid=76280">expanded its PIN Transaction Security (PTS) program requirements</a> to cover all payment card acceptance devices, including those designed to work with mobile devices. Previously, the program applied only to devices that accepted a PIN. The updated requirements address secure card readers, which makes it easier to use open platforms, such as mobile phones, to accept payments. Merchants looking to use magnetic stripe readers (MSRs) or plug-in readers with a phone or tablet can now check that the reader has been tested and approved to encrypt card data inside the reader, before it ever reaches the mobile device. The new requirements also give device manufacturers a consistent set of data security and encryption standards to build to. </p> <p>As many of you know, achieving and maintaining security is vital in the payments industry. The complexity of mobile payment technology has certainly introduced new risks and threats that may affect the security of cardholder data. 
That’s why it is more important now than ever for participants in the field to understand and support a uniform and widely understood compliance standard. </p> http://spva.org/blog/12-01-19/Security_a_Top_Priority_for_Retailers.aspx Steven Hughes Thu, 19 Jan 2012 10:11:20 GMT Resolve to be Compliant in the New Year <p style="margin-bottom: 10pt; line-height: 115%;">From card skimming attacks to insider theft, 2011 was a tough year for U.S. businesses, with many falling victim to massive network security breaches. Unfortunately, <a href="http://www.verizonbusiness.com/about/news/pr-25855-en-Constant Connectivity, Proliferation of Mobile Devices and Applications Will Create More Security Concerns in 2012.xml">industry experts predict</a> more of the same in 2012 because of the proliferation of Internet connectivity, mobile devices and Web applications. </p> <p style="margin-bottom: 10pt; line-height: 115%;">However, there are ways to protect against this risk. Now that the holiday crunch is over, it’s a good time to assess where your business stands on information security technology and PCI compliance. Do you have the right policies and procedures in place to ensure the confidentiality of customer information, data integrity and user accountability? Resolve now to take further steps to secure sensitive cardholder data and prevent breaches this year. After all, the costs of non-compliance, such as fines, legal fees, a falling share price and lost business, can far outweigh the cost of implementation. </p> <p style="margin-bottom: 10pt; line-height: 115%;">Here are a few tips to better protect your business in 2012. 
</p> <ul style="margin-top: 0in; list-style-type: disc;"> <li style="margin-bottom: 10pt; line-height: 115%;">PCI compliance is crucial to security efforts. Recent studies have shown that PCI-compliant companies experience fewer data breaches than those that are not compliant. Many vendors offer software and services for PCI compliance. Look for a security and compliance platform that covers as many of the 12 PCI DSS requirements as possible, so that you can take a holistic, integrated approach to securing your information and meeting compliance. </li> <li style="margin-bottom: 10pt; line-height: 115%;">Set clear business policies for your employees regarding the processing of credit/debit and payroll card data. Many security breaches originate inside the organization, so it is critical that the policies are clear to employees. </li> <li style="margin-bottom: 10pt; line-height: 115%;">Update staff regularly on new or changed measures being used to ensure PCI compliance. Make sure that your employees are up to date with any changes that affect the security of the data you store or transmit. Require strong passwords and educate users on effective password management to minimize the risk of account takeovers. </li> <li style="margin-bottom: 10pt; line-height: 115%;">Keep records of how your business is complying with and validating against the PCI standards. Remember that you will have to validate your compliance, whether by self-assessment questionnaire or an on-site assessment, and good records help keep your company in good standing. </li> <li style="margin-bottom: 10pt; line-height: 115%;">Develop a proactive plan for responding to potential data breach and data loss incidents, so that the risk and impact to customers and business partners are minimized. </li> </ul> <p style="margin-bottom: 10pt; line-height: 115%;">It’s important to remember that fraud can affect any company, regardless of size or industry. 
There is no “silver bullet” for data security, but by ensuring PCI compliance and staying abreast of changing guidelines, businesses can stay a step ahead in 2012.</p> http://spva.org/blog/12-01-05/Resolve_to_be_Compliant_in_the_New_Year.aspx Steven Hughes Thu, 05 Jan 2012 10:01:18 GMT Survey Says: Unencrypted Data on the Rise <p>A <a href="http://www.techjournalsouth.com/2011/12/study-sees-8-percent-rise-in-unencrypted-payment-card-data/">new study</a> reveals that 71 percent of merchants stored unencrypted payment card data in 2011, an increase of 8 percent over the previous year. These are troubling numbers, especially for an industry marked by ever-changing technology and increasingly sophisticated attackers. The fact of the matter is this: merchants who store unencrypted payment card data are in direct violation of the Payment Card Industry Data Security Standard (PCI DSS), which requires stored primary account numbers to be rendered unreadable and prohibits storing full track data, card verification codes or PIN data at all after authorization, and they may be subject to fines and other penalties after a compromise. Finding unencrypted card data may point to a number of causes, such as an improperly designed or configured payment application, a payment application that is not PCI compliant, or improper card handling by employees. </p> <p>Since our inception in 2009, <a href="../../index.aspx">SPVA</a> has been at the forefront of efforts to advance international payment security. Our <a href="../../whitePapers.aspx">end-to-end encryption</a> security requirements, released last year, were established to set a baseline for the industry, ultimately allowing companies to evaluate different solutions and select secure products that can be trusted. 
Targeted at vendors of POS devices, the key elements covered by this SPVA-approved standard include:</p> <ul> <li>Data to be encrypted during transmission</li> <li>Key management</li> <li>Physical and logistical security of the Tamper-Resistant Security Module (TRSM) and key components</li> <li>Requirements for encryption monitoring and management systems</li> </ul> <p style="margin-bottom: 12pt;">As studies like the recent SecurityMetrics one reveal, there is still a lot of work to be done to better protect cardholder information and defend against security breaches. SPVA members represent all points along the payment continuum, from POS payment terminal vendors to software developers to acquirers and many more. Confused by the industry’s complex and ever-shifting compliance standards? Join us and stay ahead of the game, ultimately keeping your clients and consumers safe from compromise. To download our End-to-End Encryption Security Requirements white paper and to learn more about the SPVA, visit <a href="../../" target="_blank" title="SPVA web site"><strong>www.spva.org</strong></a>.</p> http://spva.org/blog/11-12-15/Survey_Says_Unencrypted_Data_on_the_Rise.aspx Steven Hughes Thu, 15 Dec 2011 15:56:22 GMT ‘Tis the Season… to Get Hacked It’s been a good year for hackers, with some of the world’s <a href="http://www.crn.com/slide-shows/security/231001095/10-biggest-data-breaches-of-2011-so-far.htm;jsessionid=GEO5EJRbqv2LUj8I1habTg**.ecappj01">largest companies</a> falling victim to cybercrime. 
And with the hectic holiday shopping season now in full-swing, <a href="http://www.eweek.com/c/a/Security/ECommerce-Retail-Websites-Alert-for-DDoS-Attacks-this-Holiday-Season-308996/">security experts warn</a> that the number of data breaches could escalate. <br /> <p style="margin-bottom: 10pt; line-height: 115%;">Both brick-and-mortar and online businesses are currently processing an extremely high volume of credit and debit card transactions from consumers stocking up on holiday gifts, dining at a favorite restaurant or paying for an overnight stay.&nbsp; Despite the growing numbers of data breaches, a recent <a href="http://www.verizonbusiness.com/about/news/pr-25809-en-Payment Card Security Compliance Remains Problematic, Putting Confidential Consumer Information at Risk, Verizon Report Says.xml">Verizon report</a> reveals that a majority of businesses continue to struggle to comply with payment card security standards, ultimately putting consumers’ confidential information at risk. </p> <p style="margin-bottom: 10pt; line-height: 115%;">Fortunately, there are steps merchants can take to help protect their customers, their sales and their good names. Perhaps the most important is to become PCI compliant or work with a payment vendor who is compliant with the industry’s most current security standards. Other suggestions include: </p> <ul style="margin-top: 0in; list-style-type: disc;"> <li style="margin-bottom: 10pt; line-height: 115%;">Setting clear business policies for your employees regarding the processing of credit/debit and payroll card data. Many security breaches actually happen within an organization, so it is critical that policies are clear to employees. </li> <li style="margin-bottom: 10pt; line-height: 115%;">Updating your employees regularly with new or different measures being used to ensure PCI compliance. Make sure that your employees are up-to-date with any changes made that affect the security of the data you store or transmit. 
</li> <li style="margin-bottom: 10pt; line-height: 115%;">Keeping records of how your business is complying with and validating against the PCI standards. Remember that you will have to validate your compliance, and keeping good records helps ensure that your company remains in good standing with the card brands. </li> <li style="margin-bottom: 10pt; line-height: 115%;">Being involved in all IT decisions regarding how your business will comply with the standards. </li> </ul> <p style="margin-bottom: 10pt; line-height: 115%;">There is no “silver bullet” for maintaining a secure system this holiday season, but by ensuring PCI compliance and staying abreast of changing guidelines, merchants can stay a step ahead.</p> <p style="margin-bottom: 10pt; line-height: 115%;">Since 2009, the <a href="../../mission.aspx">SPVA</a> has worked to create a common understanding of existing and newly released standards in the world of secure payment solutions. Our member-driven Technical Working Groups are constantly evaluating the latest information to keep stakeholders informed and responsive to what they are reading in the news. <br /> <br /> Interested in learning how SPVA can help you? Contact me at 404.803.0636, <a href="mailto:steven.hughes@spva.org">steven.hughes@spva.org</a> or visit <a href="../../">www.SPVA.org</a>.</p> http://spva.org/blog/11-12-01/%e2%80%98Tis_the_Season%e2%80%a6_to_Get_Hacked.aspx Steven Hughes Thu, 01 Dec 2011 09:38:07 GMT The Benefits of EMV <p style="margin: 0in 0in 10pt;">For more than a decade, EMV (Europay, MasterCard and Visa) chip cards have been widely adopted around the world as a means of reducing payment card fraud. The United States, however, has been slow to adopt the technology, mainly because of the cost of converting credit and debit cards, point-of-sale terminals and cash registers to EMV. 
</p> <p style="margin: 0in 0in 10pt;">That might not be the case much longer, however, as a growing number of American financial institutions unveil EMV-enabled chip cards <a href="http://www.banktech.com/payments-cards/231902085?pgno=2">they say are the future of secure payments</a>. </p> <p style="margin: 0in 0in 10pt;">Earlier this year, Visa announced its plan to speed the adoption of EMV contact and contactless chip technology in the U.S., offering incentives to merchants and processors and the promise of increased card security to banks and other card issuers. In addition, several banks, including Chase and Wells Fargo, as well as credit unions, recently announced the addition of EMV chips to the credit cards they offer. </p> <p>So what are the benefits of EMV? Proponents say EMV chip cards are far harder to counterfeit than magnetic-stripe cards, because the chip authenticates itself to the terminal cryptographically instead of handing over static data that can simply be copied. At the same time, advocates say EMV could also help ease the arrival of NFC-based mobile payments by building the infrastructure needed to accept and process chip transactions that support a signature or PIN at the point of sale. </p> <p>But it’s not all roses, according to some experts who express concern about the costs of implementing EMV. Although banks will be able to leverage their existing infrastructure, they will still need to adjust their security solutions. In addition, nationwide standards and a conversion deadline would need to be imposed, some experts say, with the largest burden falling on merchants. </p> <p style="margin: 0in 0in 10pt;">So what do you think? Is the U.S. ready for chip and PIN payment card authentication? Is Visa right to believe that EMV is the future of the secure payments industry? </p> <p style="margin: 0in 0in 10pt;"><a href="../../mission.aspx">SPVA</a> remains dedicated to providing a unified voice in the world of secure payment solutions, so we’ll be following the progress of EMV technology in the months to come. 
</p> <p style="margin: 0in 0in 10pt;">Interested in learning how SPVA can help you? Contact me at 404.803.0636, <a href="mailto:steven.hughes@spva.org">steven.hughes@spva.org</a> or visit <a href="../../">www.SPVA.org</a>.</p> http://spva.org/blog/11-11-17/The_Benefits_of_EMV.aspx Steven Hughes Thu, 17 Nov 2011 13:09:34 GMT SEPA: Are We Almost There? <p><a href="http://www.europeanpaymentscouncil.eu/content.cfm?page=sepa_vision_and_goals">The Single Euro Payments Area</a> (SEPA) has become a term that either strikes fear into the heart or is greeted with indifference. The project, which aims to improve the efficiency of cross-border payments and turn fragmented national markets into a single domestic one, would enable customers in a 32-state European area to make cashless euro payments anywhere, using only a single bank account and a single set of payment instruments.</p> <p>Over the past few weeks, I’ve been taking a closer look at why SEPA has met with so much consternation. When I learned that Peter Puttick, a senior security manager at VeriFone UK and a member of the <a href="http://www.europeanpaymentscouncil.eu/article_preview.cfm?articles_uuid=82F2BCD0-E82D-7DAE-6C5DD1D1277F5332">EPC Cards Stakeholders Group</a>, would be speaking on this topic during a panel at a Vendercom Payment Terminals &amp; UPT Special Interest Group, I reached out to him to see how he planned to address the subject.</p> <p>Peter was quick to point out that the general perception of SEPA is that nothing is happening. However, the truth of the matter is that, “if you’re not involved, you wouldn’t realize what progress is being made,” he said. “There are a lot of people out there working really hard to make this happen.”</p> <p>So let me try to put things into perspective. 
Pilot evaluations of terminals against the Common Approval Scheme (CAS) Protection Profile are now under way, which means vendors are working with laboratories to establish the Common Criteria evaluation methodology. Once the pilots are complete, which should be around the middle of next year, the PCI Security Standards Council will review the evaluation reports to see whether they can be accepted as evidence of PCI compliance. Through this process, the EPC would move toward the point where a single evaluation producing a single report could result in two certificates, one for SEPA and one for PCI. Keep in mind, though, that the target is for version 2 of the SEPA Protection Profile to align with version 4 of the PCI PTS requirements, which are due at the end of 2012. If alignment is not achieved by then, the work will continue.</p> <p>Currently, the PCI Council is treating SEPA with a great deal of caution. And while SEPA might not yet have delivered the reforms that the European Central Bank (ECB) wants, progress is definitely being made. When finalized, SEPA means significant technological change for European payment systems, because it involves more than 300 million consumers and 15 million companies, as well as 8,000 banks, public corporations, clearing corporations and software suppliers.</p> <p>When will it happen? Only time will tell. Stay tuned…</p> http://spva.org/blog/11-11-02/SEPA_Are_We_Almost_There.aspx Steven Hughes Wed, 02 Nov 2011 15:13:40 GMT Mobile’s the word… <p>As more consumers replace their traditional wallets with those of the virtual variety, secure payment experts have had to scramble to find ways to ensure that card data is protected. In fact, mobile payment technology and PCI compliance have been the buzz of the industry recently, with a growing number of smartphone makers unveiling near field communication (NFC) technology that transforms their devices into wallets. 
As a result, the PCI Security Standards Council recently <a href="http://risnews.edgl.com/retail-news/PCI-Expands-Encryption-Standards-to-Mobile-Payment-Card-Readers76280?googleid=76280">expanded its PIN Transaction Security (PTS) program requirements</a> to cover all payment card acceptance devices, including those designed to work with mobile devices.</p> <p>Previously, the program applied only to devices that accepted a PIN. The updated requirements address secure card readers, which makes it easier to use open platforms, such as mobile phones, to accept payments. Merchants looking to use magnetic stripe readers (MSRs) or plug-in readers with a phone or tablet can now check that the reader has been tested and approved to encrypt card data inside the reader, before it ever reaches the mobile device. The new requirements also give device manufacturers a consistent set of data security and encryption standards to build to.</p> <p>"Now that these requirements are defined, vendors can design and build their devices based on security criteria, and then submit the devices to the PCI Council to have them certified as PTS compliant,” said Bob Russo, general manager of the <a href="https://www.pcisecuritystandards.org/">PCI Council</a>, in a prepared statement. “Merchants looking to buy these devices will be able to look up the vendors with compliant devices on the PCI website.”</p> <p>The rapid development and deployment of mobile payment technologies has certainly been a source of concern for those of us in the secure payments field, as well as for a variety of federal agencies struggling with how to regulate this new and complex form of commerce. But as mobile and NFC technology continues to gain popularity, we will work together as an industry to address the shift, help protect cardholder information and defend merchants and acquirers against security breaches.</p> <p>Interested in learning how <a href="../../mission.aspx">SPVA</a> can help you? 
Contact me at 404.803.0636, <a href="mailto:steven.hughes@spva.org">steven.hughes@spva.org</a> or visit <a href="../../">www.SPVA.org</a>.</p> http://spva.org/blog/11-10-20/Mobile%e2%80%99s_the_word%e2%80%a6.aspx Steven Hughes Thu, 20 Oct 2011 11:15:26 GMT No Surprise: Verizon Business Report Shows PCI Compliance Still a Struggle <p>It’s been a good year for hackers. As a multitude of <a href="http://www.crn.com/slide-shows/security/231001095/10-biggest-data-breaches-of-2011-so-far.htm;jsessionid=GEO5EJRbqv2LUj8I1habTg**.ecappj01">news headlines</a> have shown, even some of the world’s largest companies have fallen victim to cybercrime in recent months. Yet despite the growing number of data breaches and identity thefts, a new <a href="http://www.verizonbusiness.com/about/news/pr-25809-en-Payment Card Security Compliance Remains Problematic, Putting Confidential Consumer Information at Risk, Verizon Report Says.xml">Verizon Business survey</a> reveals that a majority of businesses continue to struggle to comply with payment card security standards, ultimately putting consumers’ confidential information at risk. Unfortunately, those findings come as little surprise to those of us in the secure payments industry. </p> <p>According to the report, 79 percent of organizations are not fully compliant with the Payment Card Industry Data Security Standard (PCI DSS), despite having validated compliance a year earlier. These results are virtually identical to the previous year’s report, which revealed a similar level of struggle. What could cause such widespread non-compliance? Difficulty in achieving it, overconfidence, complacency and the need to focus on other security issues are among the possible reasons. </p> <p>The reality is that establishing a PCI compliance policy to help prevent cardholder data theft is only half the battle. 
It’s just as challenging to get small and mid-sized merchants on board. But as worldwide security threats grow and attackers become increasingly sophisticated, it is more important than ever for participants in the field to understand and support a uniform and widely understood compliance standard. Recent studies have shown that PCI-compliant companies experience fewer data breaches than those that are not compliant, so all should remain vigilant in implementing and maintaining security practices. </p> <p>As an industry, we need to work harder to stay on top of core security elements such as data encryption, tokenization and mobile payments. In addition, more input is needed from special interest groups like SPVA, which have contributed many hours to providing guidance on PCI issues. With fraud accounting for millions of dollars in losses across major industries including financial services, hospitality and retail, stakeholders can’t afford to wait. After all, if customers and businesses cannot trust the transaction process, the payment card industry as a whole will take a hit.</p> <p>The <a href="../../mission.aspx">SPVA</a> remains dedicated to creating a common understanding of existing and newly released standards in the world of secure payment solutions. Our member-driven Technical Working Groups are constantly evaluating the latest information to keep stakeholders informed and one step ahead of what they are reading in the news. </p> <p>Interested in learning how SPVA can help you? 
Contact me at 404.803.0636, <a href="mailto:steven.hughes@spva.org">steven.hughes@spva.org</a> or visit <a href="../../">www.SPVA.org</a>.</p> <br /> http://spva.org/blog/11-10-06/No_Surprise_Verizon_Business_Report_Shows_PCI_Compliance_Still_a_Struggle.aspx Steven Hughes http://spva.org/blog/11-10-06/No_Surprise_Verizon_Business_Report_Shows_PCI_Compliance_Still_a_Struggle.aspx 7b6f2b24-65f7-4833-aa36-d3abd6c78a6a Thu, 06 Oct 2011 15:04:10 GMT EMV: Ready or not here it comes <p><span style="font-family: &quot;candara&quot;,&quot;sans-serif&quot;;">Recently, there has been a lot of buzz surrounding Visa’s EMV (Europay-MasterCard-Visa-integrated circuit cards)</span><span style="font-family: &quot;candara&quot;,&quot;sans-serif&quot;; display: none;">Europay-MasterCard-Visa-integrated circuit cardsEuropay-MasterCard-Visa-integrated circuit cardsEuropay-MasterCard-Visa-integrated circuit cards</span><span style="font-family: &quot;candara&quot;,&quot;sans-serif&quot;;"> push in the United States. They are not alone in their efforts to advance this technology. Earlier this month, MasterCard announced they will require ATMs to accept EMV cards by 2013. Why the rush?</span></p> <p><span style="font-family: &quot;candara&quot;,&quot;sans-serif&quot;;">According to many security experts, institutions see EMV as a way to reduce fraud now that federal regulations have cut revenues once used to absorbed fraud costs. 
Visa and MasterCard, on the other hand, simply see it as a way to make it more difficult for criminals to steal account data.</span></p> <p><span style="font-family: &quot;candara&quot;,&quot;sans-serif&quot;;">Ellen Richey, Visa’s chief enterprise risk officer, said in a recent </span><a href="http://www.ababj.com/tech-topics-plus/visa-announces-plans-to-accelerate-chip-migration-and-adoption-of-mobile-payments-2259.html"><strong><em><span style="font-family: &quot;candara&quot;,&quot;sans-serif&quot;; color: windowtext;">ABA Banking Journal</span></em></strong></a><span style="font-family: &quot;candara&quot;,&quot;sans-serif&quot;;"> interview that “the migration to chip technology will be an important security layer and a critical step in a comprehensive strategy to use dynamic authentication across all markets and all channels.”</span></p> <p><span style="font-family: &quot;candara&quot;,&quot;sans-serif&quot;;">While Visa stands strong behind their stance that EMV will help ease the arrival of </span><a target="_blank" href="http://www.greensheet.com/glossary.php#w130"><span style="font-family: &quot;candara&quot;,&quot;sans-serif&quot;; color: windowtext;">NFC</span></a><span style="font-family: &quot;candara&quot;,&quot;sans-serif&quot;;">-based mobile payments by building the infrastructure needed to accept and process chip transactions that support a signature or </span><a target="_blank" href="http://www.greensheet.com/glossary.php#w107"><span style="font-family: &quot;candara&quot;,&quot;sans-serif&quot;; color: windowtext;">PIN</span></a><span style="font-family: &quot;candara&quot;,&quot;sans-serif&quot;;"> at the point of sale, others aren’t as quick to jump on the EMV bandwagon.</span></p> <p><span style="font-family: &quot;candara&quot;,&quot;sans-serif&quot;;">Cindy Merritt, assistant director of the Retail Payments Risk Forum, said in a recent </span><a href="http://www.greensheet.com/gs_online.php?issue_number=NULL"><strong><em><span style="font-family: &quot;candara&quot;,&quot;sans-serif&quot;; color: windowtext;">Green Sheet</span></em></strong></a><span style="font-family: &quot;candara&quot;,&quot;sans-serif&quot;;"> interview that "the merchant community in particular has rightfully expressed concerns over the infrastructure investment costs for card acceptance terminals. While they acknowledge the need to migrate to a more secure payment system that does not rely on outmoded magnetic stripe card technology, they understandably want a future-proof investment strategy." </span></p> <p><span style="font-family: &quot;candara&quot;,&quot;sans-serif&quot;;">Regardless of how you feel about EMV, it is coming. Across the payment card landscape, there are many ISOs scrambling to figure out exactly what EMV means, how it works and when and where the technology should be installed.</span></p> <p><span style="font-family: &quot;candara&quot;,&quot;sans-serif&quot;;">Below is a list of a few of the pros and cons and how EMV might affect the future of the payment card industry. 
</span></p> <p><strong><span style="font-family: &quot;candara&quot;,&quot;sans-serif&quot;;">Pros include:</span></strong></p> <p style="text-indent: -0.25in;"><span style="font-family: symbol;">·<span style="font: 7pt &quot;times new roman&quot;;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span><span style="font-family: &quot;candara&quot;,&quot;sans-serif&quot;;">The advancement of the adoption of mobile payments as well as improved international interoperability and security.</span> </span></p> <p style="text-indent: -0.25in;"><span style="font-family: symbol;">·<span style="font: 7pt &quot;times new roman&quot;;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span><span style="font-family: &quot;candara&quot;,&quot;sans-serif&quot;;">The reduction of a criminal’s ability to use stolen payment card data due to chip technology and dynamic values for each transaction.</span> </span></p> <p style="text-indent: -0.25in;"><span style="font-family: symbol;">·<span style="font: 7pt &quot;times new roman&quot;;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span><span style="font-family: &quot;candara&quot;,&quot;sans-serif&quot;;">The reduction of static authentication, which will diminish the value of stolen cardholder data, ultimately benefiting all stakeholders.</span> </span></p> <p style="text-indent: -0.25in;"><span style="font-family: symbol;">·<span style="font: 7pt &quot;times new roman&quot;;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span><span style="font-family: &quot;candara&quot;,&quot;sans-serif&quot;;">The ability to do away with a card form factor altogether.</span> </span></p> <p style="text-indent: -0.25in;"><span style="font-family: symbol;">·<span style="font: 7pt &quot;times new roman&quot;;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span><span style="font-family: &quot;candara&quot;,&quot;sans-serif&quot;;">Advances in technology. The technology can be used securely with ISIS, the mobile platform created by AT&amp;T Mobile, Verizon Wireless and T-Mobile in an effort to set the standard for mobile phone payments.</span></span></p> <p style="text-indent: -0.25in;"><span style="font-family: symbol;">·<span style="font: 7pt &quot;times new roman&quot;;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span><span style="font-family: &quot;candara&quot;,&quot;sans-serif&quot;;">Ability to reduce skimming. When Australia introduced EMV technology a few years ago, skimming fraud fell 25 percent, the first drop ever seen in skimming statistics there.</span></span></p> <p><strong><span style="font-family: &quot;candara&quot;,&quot;sans-serif&quot;;">Cons include:</span></strong></p> <p style="text-indent: -0.25in;"><span style="font-family: symbol;">·<span style="font: 7pt &quot;times new roman&quot;;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span><span style="font-family: &quot;candara&quot;,&quot;sans-serif&quot;;">Cost effectiveness. 
In some countries, the reduction of fraud losses, given existing systems, simply didn’t outweigh the cost of replacing terminals and cards.</span></span></p> <p style="text-indent: -0.25in;"><span style="font-family: symbol;">·<span style="font: 7pt &quot;times new roman&quot;;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span><span style="font-family: &quot;candara&quot;,&quot;sans-serif&quot;;">Continued fraudulent behavior. In 2010, researchers at Cambridge University hacked into a chip-and-PIN card and forced it to bypass the cardholder verification requirements (in this case a PIN), allowing them to execute fraudulent transactions in real-world tests.</span> </span></p> <p style="text-indent: -0.25in;"><span style="font-family: symbol;">·<span style="font: 7pt &quot;times new roman&quot;;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span><span style="font-family: &quot;candara&quot;,&quot;sans-serif&quot;;">Lack of retailer support and understanding. ISOs and MLSs should keep in mind that merchants may balk at paying for new EMV technology.</span> </span></p> <p style="text-indent: -0.25in;"><span style="font-family: symbol;">·<span style="font: 7pt &quot;times new roman&quot;;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span><span style="font-family: &quot;candara&quot;,&quot;sans-serif&quot;;">Adoption will take much longer, if ever, for smaller companies.</span> </span></p> <p style="text-indent: -0.25in;"><span style="font-family: symbol;">·<span style="font: 7pt &quot;times new roman&quot;;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span><span style="font-family: &quot;candara&quot;,&quot;sans-serif&quot;;">EMV chips can reduce counterfeiting schemes; however, they do not prevent card-not-present fraud.</span></span></p> <p><a href="https://www.javelinstrategy.com/research/Brochure-209"><strong><span style="font-family: &quot;candara&quot;,&quot;sans-serif&quot;; color: windowtext;">Javelin Strategy &amp; Research</span></strong></a><span style="font-family: &quot;candara&quot;,&quot;sans-serif&quot;;"> recently released estimates that fraud based on stolen card numbers in the U.S. was $14 billion last year. Add in several billions more for fraud based on new card accounts using stolen identities. The pros of EMV seem to outweigh the cons; however, the cost of moving to chip-based cards is estimated to be $8 billion. It will be interesting to watch this play out.</span> </p> <br /> http://spva.org/blog/11-09-22/EMV_Ready_or_not_here_it_comes.aspx Steven Hughes http://spva.org/blog/11-09-22/EMV_Ready_or_not_here_it_comes.aspx 67147f75-ea8a-49b4-bc02-8f8b4407deb1 Thu, 22 Sep 2011 11:43:40 GMT All Aboard the Mobile Payment Train <p>As companies race to adopt mobile payment technology, some say it won’t be too long before billfolds become a relic of the past. In fact, virtual wallets could be all the rage within the next two to four years, with people using a smartphone instead of pulling out cash or cards.<br /> <br /> According to the <a href="http://www.telecomtiger.com/Corporate_fullstory.aspx?passfrom=topstory&amp;storyid=12223&amp;section=S162">2011 KPMG Mobile Payments Outlook</a>, a recent survey of nearly 1,000 global executives in the financial services, technology, telecommunications and retail industries, 83 percent of the respondents believe the use of cell phones for financial transactions will be a mainstream practice within four years. And 46 percent claim mobile payments will be common in the next two years. Also of note, 58 percent said they already have a mobile payments strategy in place. 
</p> <p>At the same time, IE Market Research Corporation (IEMR) <a href="http://eon.businesswire.com/news/eon/20110907005162/en/Mobile-Payment/NFC/mobile-wallet">recently forecast</a> that the gross value of global mobile payment transactions would reach $945 billion in 2015, a nearly 30-fold increase from $31.5 billion for 2010. </p> <p>However, even though mobile payment devices provide a fast and convenient way to purchase goods, it’s important to provide proper security prior to mass implementation. The complexity of mobile payment technology has certainly introduced new risks and threats that may affect the security of cardholder data.</p> <p>As mobile and NFC technology continues to gain popularity, we will work together to address the shift in the payments industry, help protect cardholder information and defend merchants and acquirers against security breaches.</p> <p>Interested in learning how SPVA can help you? Contact me at 404.803.0636, <a href="mailto:steven.hughes@spva.org">steven.hughes@spva.org</a> or visit <a href="../../">www.SPVA.org</a>.</p> http://spva.org/blog/11-09-08/All_Aboard_the_Mobile_Payment_Train.aspx Steven Hughes http://spva.org/blog/11-09-08/All_Aboard_the_Mobile_Payment_Train.aspx ca340a07-697b-405b-84ac-23e8fab46fd4 Thu, 08 Sep 2011 09:55:27 GMT A Little Guidance on Secure Tokenization <p style="line-height: normal;">If you follow secure payment news, you’ve probably noticed that tokenization is a hot topic these days. In recent years, it’s been increasingly deployed by small and mid-sized businesses to bolster the security of credit card and e-commerce transactions. 
In response to the technology’s growing popularity, the PCI Council has published a 23-page <a href="https://www.pcisecuritystandards.org/pdfs/pr_110812_Tokenization_Guidelines.pdf">PCI DSS Tokenization Guidelines Information Supplement</a> to provide greater clarity on how specific technologies relate to the PCI Security Standards and impact compliance.&nbsp;</p> <p>Although there are no industry standards yet regarding implementation, the industry group’s guidelines offer advice to merchants on evaluating and utilizing tokenization. According to the council, a properly deployed tokenization solution can reduce or remove the need for a merchant to retain sensitive customer information once the initial transaction has been processed. But they also warned that tokenization will not eliminate a merchant’s need to comply with PCI DSS. </p> <p class="emagstory">Overall, the release of the supplement will help merchants make better decisions in evaluating their card payment processes and options. But given the influence tokenization is having on emerging practices, it’s important for the industry to have strong insight into where PCI is going. </p> <p class="emagstory">According to a recent <a href="http://www.informationweek.com/articles/229401946">survey</a>, a whopping 67 percent of PCI-regulated companies are still not in full compliance with the standard. As worldwide security threats grow and compliance standards evolve, the SPVA and other industry groups will have to work hard to stay one step ahead. Our member-driven <a href="http://spva.org/technicalWorking.aspx">Technical Working Groups</a> are constantly evaluating the latest information to keep stakeholders informed and one step ahead of what they are reading in the news. <br /> <br /> Interested in learning how SPVA can help you? 
Contact me at 404.803.0636, <a href="mailto:steven.hughes@spva.org">steven.hughes@spva.org</a> or visit <a href="http://spva.org/">www.SPVA.org</a>.</p> http://spva.org/blog/11-08-26/A_Little_Guidance_on_Secure_Tokenization.aspx Steven Hughes http://spva.org/blog/11-08-26/A_Little_Guidance_on_Secure_Tokenization.aspx 1a8966ac-b2ef-494c-bb44-7a23897bb0d7 Fri, 26 Aug 2011 14:07:26 GMT Witham Laboratories Joins Us As First Lab Partner <p style="margin-bottom: 12pt; line-height: 150%;" class="hpbasictext"><span style="letter-spacing: 0.1pt;">At SPVA, our goals include sharing best practices and improving security throughout the point of sale industry. Over the past couple of years, we’ve issued two white papers recommending stricter guidelines and solutions to better protect cardholder information and defend against security breaches. We also created a <a href="../../labnetwork.aspx">Lab Network</a> that would allow participating labs to work with our members and Technical Working Groups on security evaluations and implementation guidelines, ultimately providing members with the resources they need to meet SPVA requirements.&nbsp; </span></p> <p style="line-height: 150%;" class="hpbasictext"><span style="letter-spacing: 0.1pt;">Along those lines, we’re thrilled to announce a new partnership with Witham Laboratories. The Australian-based consultant will serve as the first Lab Network member and will focus on testing our end-to-end encryption requirements. </span></p> <p style="margin-bottom: 12pt; line-height: 150%;" class="hpbasictext"><span style="letter-spacing: 0.1pt;">As security threats grow worldwide and compliance standards evolve, it’s good to have partners like Witham helping us define and develop best practices for the industry. 
</span></p> <p style="line-height: 150%;" class="hpbasictext">Interested in joining the Lab Network? There are several benefits to participating, such as: </p> <p style="margin-left: 0.5in; text-indent: -0.25in; line-height: 150%;" class="hpbasictext"><span>·<span style="font: 7pt &quot;times new roman&quot;;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span><span style="letter-spacing: 0.1pt;">Recognition throughout the industry as a qualified and effective lab, operating on the forefront of security </span></span></p> <p style="margin-left: 0.5in; text-indent: -0.25in; line-height: 150%;" class="hpbasictext"><span>·<span style="font: 7pt &quot;times new roman&quot;;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span><span style="letter-spacing: 0.1pt;">Access to SPVA’s Technical Working Groups and committee members representing leading payment companies </span></span></p> <p style="margin-left: 0.5in; text-indent: -0.25in; line-height: 150%;" class="hpbasictext"><span>·<span style="font: 7pt &quot;times new roman&quot;;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span><span style="letter-spacing: 0.1pt;">Ability to share best practices and navigate through challenges with PCI’s top players</span></span></p> <p style="margin-left: 0.5in; text-indent: -0.25in; line-height: 150%;" class="hpbasictext"><span>·<span style="font: 7pt &quot;times new roman&quot;;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span><span style="letter-spacing: 0.1pt;">Promotion through SPVA’s website, newsletter, press releases and social media channels</span></span></p> <p style="margin-left: 0.5in; text-indent: -0.25in; line-height: 150%;" class="hpbasictext"><span>·<span style="font: 7pt &quot;times new roman&quot;;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span><span style="letter-spacing: 0.1pt;">Permission to download and use the SPVA Lab Network logo</span></span></p> <p style="line-height: 150%;" 
class="hpbasictext">To learn more about the SPVA and how to participate in and benefit from the Lab Network, visit <a href="../../">www.spva.org</a> or contact me directly.</p> http://spva.org/blog/11-08-11/Witham_Laboratories_Joins_Us_As_First_Lab_Partner.aspx Steven Hughes http://spva.org/blog/11-08-11/Witham_Laboratories_Joins_Us_As_First_Lab_Partner.aspx 1222c512-afa7-41a0-ab8a-4dd344d023cb Thu, 11 Aug 2011 13:18:08 GMT Brand Reputation Drives E-Commerce Payment Security <p><span style="font-size: 12pt; font-family: &quot;times new roman&quot;,&quot;serif&quot;;">Good news for online shoppers. A <a href="http://www.cybersource.com/news_and_events/view.php?page_id=2004">new survey</a> shows that nearly 70 percent of e-commerce merchants tightened their credit card security to better protect brand reputation and preserve customer loyalty. Only about 26 percent of respondents claimed to have increased security to avoid penalties related to Payment Card Industry Data Security Standard (PCI DSS) non-compliance. </span></p> <p><span style="font-size: 12pt; font-family: &quot;times new roman&quot;,&quot;serif&quot;;">Despite the payment industry’s attempts to secure and protect credit cardholder information, data breaches, cyber crime and identity theft continue to occur worldwide – just pick up the newspaper any given day to read another story about companies falling victim to hacking.&nbsp;So regardless of the motives, it’s encouraging to find that more merchants today are taking steps to curb potential fraud. 
</span></p> <p><span style="font-size: 12pt; font-family: &quot;times new roman&quot;,&quot;serif&quot;;">Conducted by Visa’s CyberSource unit and Trustwave, the survey generated some other interesting results, including:</span></p> <ul style="list-style-type: disc;"> <li><span style="font-size: 12pt; font-family: &quot;times new roman&quot;,&quot;serif&quot;;">A majority of respondents said they felt the threat of payment data theft from employees equaled the threat from external hackers. Large merchants and organizations were more likely to cast a suspicious eye on their own staff, with 38 percent citing them as the likely source of a breach.</span></li> <li><span style="font-size: 12pt; font-family: &quot;times new roman&quot;,&quot;serif&quot;;">Over the next two years, more merchants expect to move credit card data from their networks to third-party vendors to reduce security risks and data storage and compliance costs.</span></li> <li><span style="font-size: 12pt; font-family: &quot;times new roman&quot;,&quot;serif&quot;;">Merchants that outsource their credit card data processing and storage spend less on infrastructure.</span></li> <li><span style="font-size: 12pt; font-family: &quot;times new roman&quot;,&quot;serif&quot;;">Merchants that do not capture, transmit, or store data inside their own network tend to employ fewer personnel, validate PCI DSS compliance more quickly, and operate at a lower overall cost of payment security.</span></li> <li><span style="font-size: 12pt; font-family: &quot;times new roman&quot;,&quot;serif&quot;;">To avoid storing credit card information in-house, a growing number of merchants are embracing tokenization.</span></li> </ul> <p><span style="font-size: 12pt; font-family: &quot;times new roman&quot;,&quot;serif&quot;;">Although survey results reveal that most merchants are making strides in protecting sensitive cardholder data, there continue to be global challenges with PCI compliance and safety.&nbsp;<a href="../../mission.aspx">SPVA</a> remains dedicated to providing a unified voice in the world of secure payment solutions. <br /> <br /> Interested in learning how SPVA can help you? Contact me at 404.803.0636, <a href="mailto:steven.hughes@spva.org">steven.hughes@spva.org</a> or visit <a href="../../">www.SPVA.org</a>.</span> </p> http://spva.org/blog/11-07-28/Brand_Reputation_Drives_E-Commerce_Payment_Security.aspx Steven Hughes http://spva.org/blog/11-07-28/Brand_Reputation_Drives_E-Commerce_Payment_Security.aspx d4d15af2-09c3-405d-8c3e-a07779bf80f2 Thu, 28 Jul 2011 17:03:22 GMT Pay-at-the-pump fraud on the rise <p>According to <a href="http://www.bankinfosecurity.eu/articles.php?art_id=3798">recent news reports</a>, at least 60 people in suburban Tucson have reported fraudulent transactions after swiping their cards to pay for gas – the latest in a rash of card skimming incidents at gasoline pumps nationwide. Only a few weeks ago, police in West Covina, Calif., launched a public awareness campaign after skimming devices were discovered at multiple gas stations. And last year, one Florida police department even recommended that motorists avoid using pay-at-the-pump terminals altogether, opting instead to pay inside with cash.<br /> <br /> So how can consumers pump gas without the fear of compromised data? 
What needs to be done differently to prevent these incidents from taking place?<br /> <br /> The National Association of Convenience Stores has launched an awareness campaign that focuses on steps retailers can take to protect cardholder data at the pump. These measures include:</p> <ul> <li>Conduct daily inspections of card readers, PIN pads and unattended terminals.</li> <li>Be on the lookout for suspicious activity around pumps.</li> <li>Communicate with police.</li> </ul> <p>While those are all good tips, the fact is gas station skimming has been around for years, mostly because the industry continues to use universal access keys that open pay-at-the-pump enclosures, making it easy for thieves to insert skimming devices. In addition, some gas stations are behind the PCI compliance curve. This lack of compliance aids thieves, who capture usable data right at the pump, before it is transmitted back to the station’s central terminal.<br /> <br /> PCI affects the petroleum world in several areas:</p> <ul> <li><strong>Fuel Island Transactions</strong> (pay at the pump) – all debit transactions require strong TDES encryption.</li> <li><strong>Inside Transactions</strong> (customer-facing payment devices) – all in-store debit transactions must also use TDES encryption.</li> <li><strong>POS Software</strong> – all payment processing software residing on the retailer’s POS system must meet PA-DSS certification. Since PCI addresses secure cardholder data, this requirement affects the transmission of card-based transactions and the subsequent storage of card data.</li> </ul> <p>As criminals continue to learn new ways to keep up with security countermeasures, retailers, as well as the payment card industry, need to adapt too. 
The cost to become compliant varies widely based on the size of the business, but the decreased data loss risks are worth it.</p> http://spva.org/blog/11-07-14/Pay-at-the-pump_fraud_on_the_rise.aspx Steven Hughes http://spva.org/blog/11-07-14/Pay-at-the-pump_fraud_on_the_rise.aspx 304adff4-1731-467d-853a-34eded67d3c9 Thu, 14 Jul 2011 16:06:04 GMT