Archive for the ‘PCI Compliance & Data Security’ Category

Square vs. VeriFone: Mobile Payments ‘Square’ Off In Security Showdown

In Equipment Updates, PCI Compliance & Data Security on March 16, 2011 at 10:59 am

by Jonathan Ramaci

What a day at the ole’ payments corral in the “square off” initiated by VeriFone’s CEO, Mr. Doug Bergeron.

While people in our industry can be and should be very passionate about payments and security, there is a line where the message gets lost and all that’s seen is something other than reason. I must admit that I was waiting to see an effigy of Mr. Dorsey being burnt at the conclusion of the now-infamous video or the camera being toppled by a flying drop kick.

Emotions aside, let’s get to the real issues. The claim levied against Square is that it is not secure and a skimming device which needs to be immediately recalled. Can Square do things in a more secure, PCI Compliant manner? I do believe so. Does VeriFone live up to the standard of clean hands when it comes to security and do they see Square as a threat to their business model? I believe the answer is “yes”.

The root of the security problems that both organizations are either contending with or claim to have solved really revolves around the antiquated magnetic stripe credit card itself. Let’s face it, this form factor has changed little in the past thirty or so years, and we probably won’t see any changes to it because of the millions of magnetic stripe point of sale systems which are in the market and will be for some time to come. There is a lot of talk about payments moving to the phone tomorrow using the NFC protocol. There are a few large problems with this thinking: there are not 13 million+ NFC-equipped terminals in the marketplace to take these transactions, and security should be a major concern. There is no incentive for the consumer to “tap” versus “swipe”. There is little incentive for merchants to pay to upgrade to NFC-equipped terminals in order to take “card not present” payments via the phone, which will end up costing merchants a higher transaction fee. This may happen, with many of the hurdles overcome, in the years ahead, but that time vacuum also allows for yet-to-be-released technologies to challenge or surpass NFC.

What really needs to occur is to make the magnetic stripe card itself more secure. Anyone can freely buy a magnetic stripe reader online for $99, plug it into a USB port and use TextEdit or Word to read the track data on a magnetic stripe. The introduction of Square into the market has not caused this; it’s been there for years.

True security means tying the individual to the payment method (card) itself. In an unabashed plug, I invite readers to look at the iCache solution. Our digital wallet, built to exceed CAST and PCI standards, generates a card that is tied to the user, thereby assuring that the card presented for use (online and offline) is owned by that individual and that individual only. This holds for brick-and-mortar and online transactions. The iCache solution also incorporates many other value-added features, including issuance of dynamic CVV numbers. The iCache solution can be used anywhere in the world, without POS modification, delivering value to issuers, merchants and consumers – today.

Now that we are back from the iCache commercial, let’s analyze the real issues with Square and VeriFone.

To understand Square is to realize that Square is more about the easy on-boarding of merchants and the processing of transactions than it is about the card reader itself. The Square “dongle” is a conduit to something much bigger which is the empowerment of every consumer to become a merchant without laying out a lot of money for expensive hardware, excessive processing fees and being locked into multi year contracts with hefty termination costs. Innovation and empowerment is a wonderful thing yet it does challenge established players. With every evolution there is the possibility of a counter-revolution when another’s bottom line is threatened.

In all fairness, I do believe that Square can do more in the area of security and PCI compliance, and I am hopeful that they will. There was not a great deal of information that I could find on the Square website which gave me complete confidence that all of the components of the PCI DSS standards were being followed. This could be intentional, as the average consumer probably does not care to read all of the technical nuances of these standards. If the true debate is about security, it might be fair for each organization to release a table of all of the payment standards for all of their products and state their compliance for each. I do believe that today’s event is not so much about security as it is about revenue lines and the simple fact that a less expensive, easier-to-implement solution is gaining a foothold in the payment acceptance space and the payment acceptance hardware market.

If we look at some of the VeriFone devices, as advertised on the Company’s website, the Side Swipe product line (which connects to a mobile phone for payment processing) does not appear to fully conform to PCI DSS standards for the same or similar reasons Mr. Bergeron calls for the removal of Square from the marketplace. According to VeriFone, the Side Swipe works so that “with the simple swipe of a card, data is stored directly on application software resident in the smartphone”. I am further confused by Mr. Bergeron’s statement about Square that “the issue is not whether Square’s application security is sound”, yet a case was vehemently made that Square be emasculated for security reasons.

I do believe that more truth was revealed in the comments that “….what matters is they [Square] are freely distributing….” and that the “problem is growing hourly”. What could the true problem be?

The Square hardware costs $0 while, from my research, VeriFone’s PAYware Mobile hardware sells for roughly $139+. The issue appears to extend further into the area of other fees. Square’s “card present” processing fee is 2.75%. Square’s termination fee is $0. To sign up for PAYware Mobile for 24 months, there is a “Boarding Fee” of $49, a “Monthly Service Fee” of $11, a “Per Transaction Fee” of $0.11 and an “Early Termination Fee” of $199. This fee structure is highly reminiscent of my landline phone bill from 10 years ago!

It is also a bit concerning that at the conclusion of the educational website established by VeriFone to inform us about Square and educate consumers about payment security, there is, in the bottom right, a nice big button where one can sign up for PAYware – not to mention the irony of a Twitter button in the upper left!

At the end of the day, evolution is healthy, innovation has brought us out of the dark ages and competition forces us all to do things better. In competing, let’s compete hard while remembering the high road. In our industry, let’s do our best to make sure that the payment system is secure and available for all who desire to transact. The movement of value across all modes of secure rails is of paramount importance to our free market system, our economy and all those in it.


Data Breaches Stabilize in 2010, But There’s an Asterisk

In PCI Compliance & Data Security on January 4, 2011 at 10:43 am

At first glance, a review of the data-breach scene in 2010 shows signs of improvement, or at least stabilization, according to figures from the Identity Theft Resource Center (ITRC). Although the total number of reported breaches increased to 662 from 498 in 2009, the number of records known to have been exposed fell from 223.1 million to 16.2 million.

ITRC, a San Diego-based non-profit, sorts data about compromised payment cards and bank accounts into two of its five major categories: banking/credit/financial and business. In banking/credit/financial, the number of reported breaches slipped slightly to 54 from 57 in 2009, though the number of records exposed rose to 4.85 million from 8,364. In the business category, which includes merchants and processors that suffered payment card data breaches, reported breaches increased 34% to 279 from 208 in 2009 but the number of records exposed fell to 6.63 million from 132.4 million.

ITRC presents its data based on when data breaches are first reported, though the compromises may have occurred one or more years earlier. The 2009 records figure was inflated by the huge data breach reported in January of that year by merchant processor Heartland Payment Systems Inc., a breach that compromised an estimated 130 million debit and credit cards. Heartland accounted for 98% of the records compromised in the business category in 2009.

Some 170 of 2010’s breaches, or 26% of the total, involved credit or debit cards, and those breaches resulted in 29% of the known records compromised. Those figures represent the first time ITRC has broken out card data, according to ITRC founder Linda Foley. Also, 412, or 62%, of breaches involved Social Security numbers representing 76% of known records.

Hacking into computer systems accounted for 17.1% of reported breaches last year. What the ITRC calls “data on the move,” the theft or loss of laptops, flash drives, CDs, and other storage devices containing unencrypted data, accounted for 16.6%. Some other major methods of compromise include insider actions, 15.4%, and accidental exposure, 10.7%.

All the data come with a big asterisk, however. Many breaches come to light only because of media reporting or through mandates from the 46 states that have some form of data-breach reporting law, according to Foley, who estimates only 10% to 15% of breaches are actually reported. Plus, state laws vary in their requirements, as does the public’s access to the information states collect. Only five states, Maryland, New Hampshire, Vermont, Maine, and Wisconsin, make the data they collect “public in a meaningful way,” Foley tells Digital Transactions News. She does say that the state laws probably have shed more light on small breaches that previously went unreported.

Just 51% of publicly reported breaches indicated the number of records exposed and 38.5% did not state the manner of compromise, according to the ITRC. Foley’s solution: a strong federal data-breach reporting law.

Foley predicts cybercrime will increase in coming years, as will insider data thefts. “It’s the path of least resistance,” she says.

Asked if she thinks better technology and tighter data-protection practices spurred by the Payment Card Industry data-security standard (PCI) have had an effect, Foley says, “I hope so. The problem is that the IT person does understand. Then they have to convince the money people, the bean counters, that the investment [in security] is worthwhile. That’s where they get tripped up.”

ITRC also tracks data breaches at educational institutions, governmental bodies, and medical providers.

PCI 2.0 refines, clarifies compliance process

In PCI Compliance & Data Security on December 9, 2010 at 2:10 pm

The PCI Security Standards Council (PCI SSC) released version 2.0 of the Payment Card Industry (PCI) Data Security Standard (DSS) and the Payment Application (PA) DSS on Oct. 28, 2010. The council said the updates are primarily meant to help clarify existing standards and assist with their implementation.

PCI DSS 2.0 arrives in the wake of PCI SSC annual meetings in Orlando, Fla. (Sept. 23 to 25), and Barcelona, Spain (Oct. 18 to 20), where more than 1,500 people from 600 organizations participated in discussions that were largely designed to help craft the new standards, according to the PCI SSC’s website. Among the participants were merchants, banks and processors, along with members of the council.

PCI DSS 2.0 goes into effect Jan. 1, 2011, although merchants aren’t required to become fully compliant with the new standards until Dec. 31, 2011.

Some of the new requirements include more explicit instructions for issuers and processors regarding the storage of sensitive authentication data, changes regarding the prioritization of different security vulnerabilities, and a provision for logging different data streams in a centralized place to simplify tracking.

“Many merchants have many logs associated with many different systems,” said Jeremy King, European Director for the PCI SSC. “What we’re saying is try to create a centralized logging process.

“Instead of having many different logs, just have one centralized process. …. These things can help you identify critical issues when they occur.”

Easing the process

Some changes are intended to make the standards easier to manage and speedier to implement. A few eliminate redundancies (by, for example, combining requirements 10 and 11, which relate to remote access of payment data), while others clarify certain passages that have caused confusion.

Another noteworthy change relates to future updates to the PCI DSS, which will now be released every three years, rather than every two. “We’ve gotten a lot of feedback from people saying two years is just too short a time frame; you know, by the time we’ve understood the requirements, it already needs to be changed again,” King said. “We’ve listened to that and we’ve changed it.”

King said the updates will also facilitate implementation of the PCI DSS by doing more to tailor certain requirements to different types of merchants, rather than having them apply a uniform standard.

“The final ruling within this set is to say to the merchant, ‘You really need to take a more risk-based approach to your processes and your environment,'” he said, adding that analyzing factors like whether a merchant is brick-and-mortar, e-commerce and/or MO/TO, for example, will help merchants understand where cardholder data is going to be in their systems.

“And from that you can match your security appropriately and thereby meet the requirements,” he said. “This is an improvement. Instead of, in the past, ‘You must, you must, you must,’ it’s now ‘do this risk-based approach and then match your security to it.’ And that’s going to be a significant improvement to make life easy for the merchants and let them focus on key areas.”

King said the PCI 2.0 updates target smaller merchants, especially, adding that the PCI SSC has added a new section to its website that’s entirely dedicated to helping small merchants implement a good security framework. For further information on small-merchant PCI compliance issues, go to

Survey Outlines Compliance Challenge Among Small Merchants

In PCI Compliance & Data Security on November 8, 2010 at 11:27 am

(November 2, 2010) With a freshly revised version of industry rules for payment card data security having just emerged (Digital Transactions News, Oct. 28), further evidence is also surfacing of the compliance challenge acquirers face with the smallest merchants. Indeed, the smaller the business, the less sensitive it is to the possibility of a data breach, and the less likely it is to understand or comply with the Payment Card Industry data-security standard (PCI), according to survey results released on Tuesday by ControlScan Inc., a vendor of compliance solutions, and Merchant Warehouse, an independent sales organization.

This is despite the fact that, news headlines about breaches at big retailers like TJX Cos. Inc. notwithstanding, the overwhelming share of card-data compromises occur at so-called Level 4 merchants, defined by Visa Inc. as those processing fewer than 1 million card transactions a year. In fact, such small businesses account for some 85% of breaches, according to a 2-year-old report from Visa, which tracks PCI compliance and, along with MasterCard Inc. and other card networks, enforces the standard.

Yet Atlanta-based ControlScan and Boston-based Merchant Warehouse found an almost alarming level of nonchalance about data security among small merchants in their survey, which garnered responses from 628 Level 4 businesses. Nearly three-quarters classified their risk of compromise as “low,” while a further 11% said it was “non-existent.” More than half (53%) are not familiar with PCI, or are unsure whether they are. And just half understand that PCI compliance is mandatory. On the positive side, 84% rate data security as a “high” or “medium” priority (e-commerce merchants rate security at a significantly higher priority than do brick-and-mortar merchants). Among respondents, so-called micro-merchants, or businesses with 10 or fewer employees, accounted for 90% of replies.

The survey results are “definitely a little concerning but not shocking,” says Markiyan Malko, compliance officer and program manager at Merchant Warehouse. “Most of them are worried about running their business rather than security. They don’t seem to be that worried about it.” He points out, though, that as Level 1, 2, and 3 merchants become harder to breach, hackers are increasingly targeting the smallest and most vulnerable merchants. And while these businesses in isolation may not perform huge volumes of transactions, collectively they account for a treasure trove of card data. “Hackers have tools, it’s automated and doesn’t take that much time,” Malko says. “It adds up pretty quickly.”

The risk these merchants face can be dire, with the costs of a breach including not just network fines but reimbursement to issuers to reissue cards, litigation expenses, and fees for forensic audits. “I definitely have heard of many merchants getting shut down,” says Malko. “I hear of it every few weeks.”

Both Merchant Warehouse and ControlScan see an opportunity for acquirers and ISOs to educate small merchants about PCI and the risk of data breaches. But they caution that the approach must be a careful one. Acquirers must be mindful of differences among businesses and of their need for concrete help. “The worst thing an ISO can do is charge a PCI fee and not do anything beyond that,” says Heather Foster, vice president of marketing at ControlScan.

Level 4 merchants number more than 5 million and account for more than 99% of all Visa merchants, while generating about one-third of all Visa card volume. But the exact level of PCI compliance among Level 4 businesses is not known, since Visa has left it up to acquirers to monitor compliance efforts among these clients. “Most of what I’ve heard is anecdotal,” says Foster.

All told, the two companies sent surveys to just over 10,000 small businesses. Among the respondents, 30% were physical stores, 22% were online merchants, and the remainder were either multichannel merchants or non-storefront businesses, such as limo services or medical-supply companies.

Digital River sues over data breach

In PCI Compliance & Data Security on June 4, 2010 at 9:01 am

The company suspects that hackers in India stole valuable marketing data during an upgrade of its computers in Eden Prairie.

By DAN BROWNING – June 4, 2010 – 6:35 AM

A massive data theft from the e-commerce company Digital River Inc. has led investigators to hackers in India and a 20-year-old in New York who allegedly tried to sell the information to a Colorado marketing firm for half a million dollars.

The Eden Prairie company obtained a secret court order last month to block Eric Porat of Brooklyn from selling, destroying, altering or distributing purloined data on nearly 200,000 individuals. Digital River suspects that the information was stolen by hackers in New Delhi, India, possibly with help from a contractor working for Digital River.

Porat has said he got the information from India, but won’t say how or from whom.

“I fully suspect that Mr. Porat hacked the hacker,” said Christopher Madel, an attorney with Robins, Kaplan, Miller and Ciresi who’s overseeing Digital River’s investigation.

The matter came to light Thursday afternoon when U.S. District Judge Donovan Frank convened a public status conference in the case. The hearing was posted on the court docket without listing any of the parties involved.

A reporter attended the hearing, and Frank ordered all previously filed documents to be unsealed without objection. Frank, who co-chairs a committee on public access to the federal courts in Minnesota, said he temporarily allowed the civil case to be filed under seal — and without notice to the defense — so Digital River could issue subpoenas and safeguard evidence that might otherwise be destroyed or disappear.

Digital River Marketing Solutions Inc. filed the lawsuit under seal on May 13 listing Porat and his company, Affiliads, as defendants and demanding to know how they obtained Digital River’s data and what they’ve done with it.

The data was originally gathered by companies that offer “affiliated marketing” programs, a practice in which businesses pay a commission to affiliates who post links on the Internet that drive customers to participating companies. The affiliates get paid when consumers buy something, make an inquiry or provide a sales lead.

Direct Response Technologies, a Digital River subsidiary based in Pittsburgh, sells a leading software program called DirectTrack to help companies create and manage affiliated marketing programs. Data gathered by the program gets stored on Digital River’s servers, and access to it is tightly restricted with passwords and other security measures, the company says.

Since the lawsuit was filed, Porat has tried to be as forthcoming as possible without waiving his constitutional rights, said his attorney, Joseph Nierman of Passaic, N.J. He noted that Porat participated in a deposition with the plaintiffs that lasted nearly six hours.

Madel said that while Porat has cooperated, he also invoked his Fifth Amendment right against self-incrimination “about 26 times,” refusing to explain how he got the data, or from whom. “I am very reluctant to say that Mr. Porat has been forthcoming” with everything he knows, Madel said.

Porat said Thursday evening that he was too busy to talk to a reporter.

Regardless of how he got the data, the suit alleges that Porat tried to sell it for $500,000 to Media Breakaway, a marketing firm based in the Denver suburb of Westminster, as well as to some of Media Breakaway’s competitors. Court records say that Porat had been an affiliate of Media Breakaway, and had collected commissions totaling $1,600 for driving consumer traffic to the firm.

Firm cooperated with FBI

According to Media Breakaway records, it initially spurned Porat’s offer. When he persisted, the company notified Digital River and helped the FBI to investigate the matter.

Madel disclosed Thursday that a federal grand jury is investigating the alleged data theft under the direction of Assistant U.S. Attorney Timothy Rank, one of the prosecutors in the trial of convicted Ponzi schemer Tom Petters.

Porat, who lives at home with his parents, claimed in e-mails and instant messages with Media Breakaway that he had consumer-tracking information from a dozen different companies, including names, e-mail addresses, websites, company names and unique user-identification numbers, for 198,398 individuals. This kind of information is extremely valuable to companies seeking targeted marketing lists of potential customers.

Scott Richter, CEO of Media Breakaway, said in a court filing that Porat claimed to be offering the DirectTrack data to the highest bidder. He said Porat told him that he got the data from a former consultant for Digital River, who captured it during an enhancement of the DirectTrack data system when security systems were taken down temporarily.

Gary Olden, vice president of product management at Digital River Marketing, said in a court filing that an internal investigation found that the stolen data was accessed Jan. 27 from four different computers linked to a DirectTrack customer in New Delhi named VCommission, or Vaxat iTech Pvt. Ltd. He said the data was downloaded using a “highly unusual” search command.

Olden said he could find only one other instance where that type of command was used to access DirectTrack data. It took place six hours after the command was issued in India, and it came from another customer, Clickbooth/IntegraClick, a marketing firm in Sarasota, Fla. In that case, though, the user only accessed Clickbooth/IntegraClick’s own data, he said.

Olden said his customers and clients view data security as an important component of DirectTrack, as they have “a significant interest in ensuring that their customer lists are not made available to their competitors (let alone sold to the highest bidder).”


Top Tier Merchants and the Challenge of Card Data Security

In PCI Compliance & Data Security on June 1, 2010 at 8:24 am

June 01, 2010

New insight into the issues posed by PCI and card number security for merchant category leaders provides guidance and cautions

For merchants, payment card security has two meanings. First, it means protecting payment card data from hackers. It also means getting out from under the threat of the high fines involved should a data breach happen. But thinking about PCI-related costs requires balancing the cost of compliance against real data security and against the financial costs of a data breach. As security best practices demand layered defenses, the complexity of up-front decision making continues to rise.

Encryption, Tokenization and the Top Tier Merchant: A Progress Report on PCI, Deployment and the Cost of Payment Security is the latest report from Mercator Advisory Group on payment card security. An in-depth look at the card payment issues confronting large merchants in particular, the report addresses the complexities and pitfalls of PCI compliance in an era of changing and evolving security standards. The report concludes with a discussion of security pricing and what to expect from the next version of the PCI data security standard.

The Top Tier Merchants and the Challenge of Card Data Security report includes discussion of the following topics:

Security Technologies: EMV, Tokenization, and Encryption reviews these technologies and their roles in the US and beyond.

Security and Business Intelligence addresses the downside of outsourced security.

Large Merchant Guidelines and Lessons Learned

Vendor Landscape and Shifting Business Models.

Highlights of the report include:

Despite some expectations to the contrary, EMV is not a single “silver bullet” solution for PCI scope reduction or card number security in particular. While card number tokenization options have been available for nearly a decade, card number encryption techniques are only now ramping up in live operations.

Large merchants in particular face daunting complexity when choosing PCI scope reduction techniques. Thorough planning is required that includes close coordination with all internal stakeholders as well as external vendors and processing providers.

PCI DSS 1.3, the next version due out this year, will provide greater guidance on EMV, encryption and tokenization but is hardly prescriptive due, in no small measure, to the complexities of securing enterprise-scale payment systems.

Global payment security efforts are shifting geographies with EMV under close consideration for the USA and PCI DSS mandates heading to Europe and other markets.

“Payment card security concerns, and the sharp stick that is PCI compliance, will drive merchant and processor security decisions for years to come,” comments George Peabody, Director of Mercator Advisory Group’s Emerging Technologies Advisory Service and principal analyst on the report. “For the largest merchants, that decision-making process is especially complex as the number of moving parts, both within the enterprise and across its vendor borders, makes planning crucial. This report provides guidance based on card number encryption and tokenization deployments.”

Companies mentioned in the report include: SecureWorks, Fifth Third Processing Solutions, Heartland Payment Systems, First Data, Voltage Security, Braintree Payment Systems, Adyen, MerchantLink, Shift4, Electronic Payment Exchange, CyberSource, ProPay, Planet Payments, nuBridges, RSA, VeriFone Systems, Semtek, Thales, MagTek, Visa, MasterCard, AMEX, Discover, UN Federal Credit Union.

This report contains 28 pages and 4 exhibits.

Members of Mercator Advisory Group have access to this report as well as upcoming research for the year, presentations, analyst access and other membership benefits.

Please visit us online at


When You Change Processors, What Happens To Your Data?

In PCI Compliance & Data Security on May 24, 2010 at 11:32 am

Written by Walter Conway, May 19th, 2010 –

Have you ever wondered what happens to all your old card transaction data after you change your processor or acquirer? Most retailers have made such a change, and many make it a practice to rebid their card-processing contract every few years. After you move on, though, your data frequently doesn’t follow you. What are your responsibilities if this old data gets compromised?

Are you still responsible under PCI Requirement 12.8 for managing a service provider when you no longer have a relationship with that provider but it still has your data? Aside from PCI considerations, if a service provider–think tokenization vendor or loyalty program manager–simply goes out of business, how will you get your data back?

I am neither a lawyer nor do I work anymore for a card brand, so I can’t say for sure that you would be held responsible for a third-party data breach in the above situations. But I do know that a large retailer makes a better headline than an obscure third-party provider. That fact alone should be reason enough for you to take a fresh look at your third-party service provider contracts.

Requirement 12.8 is probably my favorite in all of PCI. It states that if a merchant shares cardholder data with any third party, the merchant is responsible for having policies and procedures in place to manage that third-party relationship. Exactly what those policies and procedures should be is spelled out in four sub-sections.

One reason 12.8 is my favorite PCI requirement is that every merchant–from the largest Level 1 retailer that requires a 100-page Report on Compliance to the corner store that outsources its processing and validates its compliance with the two-page Self-Assessment Questionnaire “A”–has to confirm explicitly it is managing all its service provider relationships.

Another reason it is my favorite: 12.8 implicitly recognizes that cardholder data is toxic and that it continues to be toxic long after the original transaction. If you are going to entrust an outside organization with your cardholder data, PCI obligates you to take certain safeguards. These safeguards include securing the third party’s agreement, in writing, that it will take responsibility for the cardholder data you entrust to the provider (12.8.2).

When you specify the contract details, then, it makes sense to ensure the terms carry on past the expiration of your current agreement and continue so long as the third party holds or has access to your data. Most CIOs will be familiar with such a continuing provision. Just about every non-disclosure agreement ever written includes one, whereby even after a particular project is over, neither party is free to disclose the other’s confidential information. The same thinking applies here.

The parallel for CIOs is to use 12.8 to put that same continuing obligation in your service provider agreements. In the course of PCI assessments, I have seen several of these agreements. I don’t recall too often, however, seeing an explicit recognition of the continuing value of the data beyond the initial term of the contract.

Although you can outsource your processing, you cannot outsource your responsibility. By that I mean if a third party gets breached and loses your data, you are likely to be held responsible even if that data is a year old and you no longer work with that third party. You will get the headlines and likely the fines, too.

A related situation is when you want to access your data but can’t. If you change processors and want to get back your old transaction data, does your original processor provide it or–better yet–send it along to your new processor? Or, what if your tokenization, encryption or key management vendor goes out of business? Can you get your original data back? Is there a provision in your contract for some form of data escrow where you can retrieve your original data either in case of business interruption or if you just want to change vendors?

At this point, we have to address the issue of whether the actions I’m describing would effectively put all the data back into your PCI scope. This is particularly relevant for tokenized or encrypted data, which is generally considered to be in your PCI scope. The exception is if you, the merchant, have no ability to get back to the original clear text data. This exception should allow you the leeway to protect your organization.

The idea is that you do not have access to the clear text data unless and until you need to actually take it back, per the conditions spelled out in your contract. For example, in the case of tokenized or encrypted data, you cannot access that cardholder data unless, say, the vendor’s business fails. Should you need to exercise this provision, though, at that point and only at that point, would the data come into your PCI scope.

I would hope service providers of all types would see the benefit in what I’m suggesting. In the case of a processor, it might be reluctant to ease your transition to a competitor. But obstructing the process only guarantees that processor will have no chance whatsoever of getting back your business the next time around. For a tokenization or encryption provider, offering some form of data escrow reduces the customer’s risk and gives potential customers more confidence in the company. There may even be a business niche for such data escrow providers.

Alternatively, if you, the merchant, decide you don’t want or need your old data, your contract can obligate the service provider to purge your data permanently on your orders. Just don’t forget to do it if that’s your plan.

Merchants and QSAs may disagree or have difficulties with individual pieces of PCI Requirement 12.8. But that requirement is in place to help merchants protect the data they share with third parties–even after the initial contract has expired. Remember that to take full advantage of this safeguard, you need to have a long-range view and think beyond the initial term of your present third-party agreements.

What do your third-party contracts look like? Do you have provisions that go beyond the initial term and obligate your providers to return or purge your data? It is your data, after all. If you’re a service provider, what objections do you have to my suggestions? I’d like to hear your thoughts. Either leave a comment or E-mail me.


Heartland Payment Systems and MasterCard Agree to $41.4 Million Intrusion Settlement

In PCI Compliance & Data Security on May 20, 2010 at 12:50 pm

PRINCETON, N.J.–(BUSINESS WIRE)–Heartland Payment Systems® (NYSE: HPY), the nation’s fifth largest payments processor, has entered into a settlement agreement with MasterCard Worldwide to resolve claims from MasterCard and its issuers related to the 2008 criminal intrusion into Heartland’s payment system environment. Under the agreement, alternative recovery offers totaling $41.4 million will be made to eligible MasterCard issuers with respect to losses alleged to have been incurred by them as a result of the criminal intrusion, and MasterCard will recommend that eligible MasterCard issuers accept such offers.

Bob Carr, Heartland’s chairman and chief executive officer, stated, “We are pleased to have reached an equitable settlement agreement that helps issuers of MasterCard-branded cards obtain a recovery with respect to losses they may have incurred from the intrusion. We look forward to working with MasterCard to encourage these issuers to participate in the settlement program for a speedy resolution.”

The settlement is contingent upon financial institutions representing 80 percent of the claimed-on MasterCard accounts accepting their alternative recovery offers by June 25, 2010. The settlement also includes mutual releases between Heartland and its sponsoring bank acquirers on the one hand – and MasterCard and the accepting issuers on the other. Issuers that accept their alternative recovery offers must waive rights to any other recovery of alleged intrusion-related losses from Heartland and its sponsoring bank acquirers through litigation or other remedies and release MasterCard, Heartland and its sponsoring bank acquirers from all legal and financial responsibility related to the intrusion.

All eligible issuers will soon receive notification from MasterCard with full details of the settlement agreement and how to accept their alternative recovery offers before the offers expire.

About Heartland Payment Systems

Heartland Payment Systems, Inc. (NYSE: HPY), the fifth largest payments processor in the United States, delivers credit/debit/prepaid card processing, gift marketing, payroll, check management and related business solutions to more than 250,000 business locations nationwide. Heartland is the founding supporter of The Merchant Bill of Rights, a public advocacy initiative that educates merchants about fair credit and debit card processing practices. For more information, please visit,, and

Forward-Looking Statement

This press release contains forward-looking statements. These statements may be identified by the use of words such as “will,” “believes,” “anticipates,” “intends,” “estimates,” “expects,” “projects,” “plans” or similar expressions. Such forward-looking statements include, without limitation, statements about the settlement agreement, strategy, future operations, prospects, plans and objectives of management and events or developments that Heartland expects or anticipates will occur. The forward-looking statements reflect Heartland’s current views and assumptions and are subject to risks and uncertainties, which may cause actual and future results and trends to differ materially from the forward-looking statements, including but not limited to the risk that all of the conditions necessary to the consummation of the settlement agreement among MasterCard WorldWide, its issuers, Heartland Payment Systems, Inc., Heartland Bank and KeyBank National Association may not be satisfied or waived; Heartland’s ability to achieve its strategic objectives and the expected goals of the settlement agreement; general market conditions; the outcome of legal proceedings; uncertainties inherent in its operations; and the impact of law and regulations. Many of these factors are beyond the company’s ability to control or predict. Given these factors, you should not place undue reliance on the forward-looking statements.


Picante restaurant is victim of credit card scam

In PCI Compliance & Data Security, Risk & Fraud Alerts on May 13, 2010 at 3:05 pm

Picante, the popular Mexican restaurant on 6th Street, has been the target of an international credit card fraud operation, its owner says today.

Thieves from as far away as Russia managed to penetrate the restaurant’s credit card encryption system and steal the numbers of dozens of customers, says Jim Maser, who has owned Picante for 16 years. The thieves then used the stolen numbers to create phony credit cards, which they turned around and sold, he says.

“People are upset and we are sorry,” says Maser. “We acknowledge how inconvenient and unsettling it was for them. We are so service-oriented we want to make this right as fast as we can.”

Picante is just one of a number of Berkeley and Bay Area businesses that have seen their customers’ credit cards compromised, according to the Berkeley Police Department.

Picante first became aware of the security breach last Thursday, May 5, and has been working with the U.S. Secret Service since then, says Maser. The restaurant hired a private security company to find the source of the breach, fix it, and make sure it does not happen again. The restaurant is replacing its credit card swiping hardware and software.

The Secret Service arrested a number of people on Tuesday in connection with the theft, says Maser. They were arrested on the East Coast after they tried to make a purchase at an Apple store. But the masterminds of the theft probably came from overseas, perhaps from Russia or Dubai, Secret Service agents told Maser.

Berkeleyside reported Tuesday, May 3 that there had been a rise in credit card fraud in Berkeley. A number of readers commented that they thought their cards had been compromised at Picante, although the restaurant said they only began hearing from customers in large numbers on Thursday last week.

One Berkeleyside reader whose card had been compromised got a call Tuesday from a detective in Arlington, VA. Police there had arrested a woman who had 15 credit cards in her possession, and all of them had been made from credit card numbers stolen in Berkeley, Oakland, Albany and other parts of the East Bay, the detective said. One of those cards carried the reader’s own card number.

Maser says the Secret Service told him that international thieves are targeting businesses that do more than $500,000 in business a year.

“This is the tip of the iceberg,” Maser says. “There are a bunch of hackers out there targeting businesses.”

It has been unsettling for Maser to find that his business had been so badly compromised and he hopes his customers understand that it was not someone inside Picante who was involved, but very sophisticated thieves.

“We sell tacos. We don’t solve crime. We don’t know what’s going on. This is way over our heads.”

Maser has set up an email account for people to contact him if they think their credit cards were compromised at Picante. It is


FTC says it is creating Internet privacy framework amid growing concerns

In PCI Compliance & Data Security, Risk & Fraud Alerts on April 30, 2010 at 12:03 pm

The Federal Trade Commission said Tuesday that it plans to create guidelines on Internet privacy, amid a growing cry by privacy advocates and lawmakers to protect consumers from abuse of their personal data by social networks, search engines and location tracking on cellphones.

The comments came after four senators called on Tuesday for greater enforcement and rules at the FTC, citing troubling business features on the social networking site Facebook that they said exposed users’ information to the public and to third-party advertisers trying to create profiles of those users.

“We agree that social networks provide a valuable consumer service, but that they also raise privacy concerns,” said Cecelia Prewett, a spokeswoman for the FTC, who declined to comment specifically on the senators’ complaints about Facebook. “The FTC is examining how social networks collect and share data as part of a project to develop a comprehensive framework governing privacy going forward. Our plan is to develop a framework that social networks and others will use to guide their data collection, use and sharing practices.”

The complaints by the lawmakers, users and privacy groups have increased in recent months with the advent of new technologies like location-based services such as Foursquare, which allow sites to track users’ location and spending activity through cellphones. A change in privacy setting policies at Facebook late last year and a mishap on Google’s Buzz social network that exposed e-mail contacts to the public have added to concerns that users are flocking to these Web sites without a strong federal guardian of privacy.

With advertising as the primary means of drawing revenue for their Web businesses, the desire to draw more detailed and tailored profiles of users will only continue to rub against the comfort levels of consumers and Washington’s desire to regulate those activities.

“This is a whole new world,” said Sen. Charles Schumer (D-N.Y.) in a news conference. “The onus here should be on Facebook, not on the user.”

Last week, changes at Facebook made data from its users available to third parties unless a user opted out, the lawmakers said. Schumer and fellow Democratic Sens. Al Franken (Minn.), Michael Bennet (Colo.) and Mark Begich (Alaska) sent a letter to Facebook CEO Mark Zuckerberg asking him to reverse those policies. They also called for the FTC to take up new rules and step up enforcement against companies that harm consumers by misusing their private information.

With 400 million users, Facebook is the largest social networking site in the world, where people form miniature networks in which they share pictures, personal musings, videos and information about their backgrounds with “friends” they connect with on the site.

Last week, the company partnered with 75 companies, including The Washington Post and CNN, to allow their users to take their networks to other sites. The lawmakers said those business partnerships posed troubling questions on what information was being shared with the third-party sites. Washington Post Co. Chairman Donald Graham is a board member of Facebook.

Facebook agreed to let third-party companies retain information about its users indefinitely, a shift from previous policies that forced businesses to purge that information after 24 hours.

And the lawmakers questioned changes to its privacy settings late last year, which automatically made profile information publicly available unless a user opted out of that default setting.

“Folks who’ve put information out that they may not want shared with the entire world are put in the position where they have to opt-out. Now I would read what you have to do to opt-out, but we really only have so much time,” Franken said at the news conference.

Facebook said it isn’t sharing information with third-party sites.

“Specifically, these new products and features are designed to enhance personalization and promote social activity across the Internet while continuing to give users unprecedented control over what information they share, when they want to share it, and with whom,” Elliot Schrage, Facebook’s vice president of communications and public policy, wrote in a letter responding to the lawmakers. “All of Facebook’s partner sites interact with a user’s consent.”

Some privacy advocates say that the agency hasn’t responded to complaints over Facebook’s privacy changes last December and a mishap by Google when it launched its social networking application Buzz. In February, Google launched Buzz through Gmail users’ accounts and for those that agreed to try it, their e-mail contact lists became public to other users of the application.

“It’s becoming increasingly clear that the FTC is a black hole for user concerns about online privacy,” said Mark Rotenberg, executive director of the Electronic Privacy Information Center.