Can someone shed light on this ghostly "payment card industry fraud investigative unit"? I stumbled upon this name in Brian Krebs's blog post about potential card data in Goodwill Industries. But googling this name did not return any distinct reference. Isn't such a unit, if it really exists, supposed to have some kind of communication portal for public relations, like IC3, for example?
Nothing changes, as there is no need to change a mechanism that works. The same familiar scenario:
An initial investigation revealed that someone, most likely outside the United States, remotely installed malware on the Big Rapids restaurant's server sometime during the past month.
Most of the trends and predictions in this presentation are intuitively obvious, but it is still interesting to see the real numbers (if they are actually real).
It's interesting to see the current share of daily bitcoin transactions compared to plastic cards:
$58 million of bitcoin vs. $37,114 million of all card brands.
However, the difference between the daily amounts of bitcoin and PayPal transactions is already not so dramatic:
$58 million of bitcoin vs. $397 million of PayPal.
According to this study, more than 63% of businesses do not encrypt the account numbers of payment cards. Isn't it a true hacker heaven?
During its 2014 study, PANscan scanned 145,144 gigs of data on 2,590 computers and found:
The recording of the Hacking Point of Sale live webcast is now available on the Tripwire website:
HACKING POINT OF SALE: HOW MEGA RETAILERS ARE COMPROMISED
It's summer time. Swelter. No outstanding security news. It seems that even hackers are on vacation! Hopefully, there will be some fresh news at the upcoming Black Hat and DefCon, in just one month. See you there!
I will be presenting at the live webcast organized by Tripwire.
LIVE WEBCAST: HACKING POINT OF SALE: HOW MEGA RETAILERS ARE COMPROMISED
Tuesday, July 15, 2014 – 11:00 AM Pacific / 2:00 PM Eastern
The PCI SSC is to release version 2.0 of the P2PE (Point-to-Point Encryption) security standard during 2014. The goal is to increase market acceptance of P2PE technology while maintaining the high security level of its implementations. The new version of the standard is supposed to be more understandable, contain fewer requirements, and clarify the validation process for solution providers. P2PE v.2.0 will also combine both the Hardware/Hardware and Hardware/Hybrid standards (the difference is that HW/HW requires both encryption and decryption to be performed in cryptographic hardware, while HW/Hybrid allows some parts of the decryption process to be done in software). The Hybrid Encryption (not to be confused with hybrid decryption), Software Encryption, and Software Decryption options will be discontinued due to security concerns.
P2PE is the PCI Security Standards Council's most recent standard (others include PCI DSS, PA-DSS, and PTS) for merchants, HW/SW vendors, and service providers. Although the first version of the standard was released almost 3 years ago (in September 2011), due to the complexity and uncertainty of multiple PCI P2PE requirements, only 3 companies are currently listed on the PCI website as certified P2PE solution providers.
An interesting idea and implementation of a virtual EMV chip in the cloud.
Host Card Emulation (HCE) is a mobile technology that emulates a physical smart card using only software. It gives payment issuers more control and flexibility over their mobile payments strategy as credentials can be stored on a remote server rather than on the mobile (NFC) device.
Unfortunately, it still requires a physical NFC transmitter...