The PCI SSC meeting (1400 participants) is over. Mostly minor clarifications in PCI DSS and PA-DSS 3.0 and changes in the PTS testing requirements 4.0. Unfortunately, no significant changes in the PCI standards means no good news for merchants and cardholders. No regulation or tech breakthroughs means the show will go on.
PCI DSS and PA-DSS 3.0 changes
PCI SSC has released a document that "highlights anticipated changes to the PCI Data Security Standard (PCI DSS) and Payment Application-Data Security Standard (PA-DSS) in order to prepare organizations for the introduction of Version 3.0 in November 2013".
I could not find any significant changes that would help to improve the security of card payment transactions. I wasn't surprised though.
A biometric scanner on a mobile phone is an interesting feature that might help enhance the security of mobile payments, as well as simplify the payment process and reduce transaction processing time.
"All Secure" rating
I wish all the systems I work with were "All Secure"!
But I can't even imagine how attractive an "All Secure" rating is for hackers!
"Financial Tracking Technologies, LLC announced today that it received an "All Secure" rating, the highest possible, by a third party security penetration test of its data security. The penetration and vulnerability tests were conducted during the months of May and June of this year by Loricca Inc., a world class data security consulting firm located in Tampa, Florida."
PCI ISA Certification Forum
I have created a separate menu entry -- "PCI ISA" -- which contains a link to one of the most popular blog entries - PCI ISA Training Experience. So everyone can just click on the direct menu link and share her/his experience of the ISA certification process - training, exam, and more.
Myth: PCI will make us secure
I just found a list of "PCI myths" on some website about PCI compliance. One of the myths sounds familiar and reasonable, although the explanation (they call it a "fact") sounds polite but unconvincing and incomplete:
Myth: PCI will make us secure.
Fact: Successful completion of a system scan or assessment for PCI is but a snapshot in time. Security exploits are non-stop and get stronger every day, which is why PCI compliance efforts must be a continuous process of assessment and remediation to ensure safety of cardholder data.
Liberty Reserve went down
The popular Costa Rica based online payment system Liberty Reserve went down following the arrest of its founder Arthur Budovsky (Артур Будовский). Budovsky, 39, a former U.S. citizen and naturalized Costa Rican of Ukrainian origin, was arrested in Spain as part of a money laundering investigation.
I found an interesting U.S. Department of Justice report about money laundering in digital currencies. In addition to information about the money laundering payment systems, it explains in an accessible form the methods of anonymous Internet access:
Various technologies can increase the utility of digital currencies for money laundering by providing additional anonymity and networking abilities. Because digital currency transactions are conducted over the Internet, they can be traced back to individuals’ computers. The origins of Internet activity can often be identified using IP (Internet Protocol) addresses. Each computer on a network, including the Internet, must be uniquely identified by an IP address in order to receive information, such as web pages, requested from remote servers. These servers, including digital currency servers, track and record users’ IP addresses.
However, anonymizing proxy servers and anonymity networks protect individuals’ identities by obscuring the unique IP (Internet Protocol) address as well as the individuals’ true locations. Anonymizing proxy servers and anonymity networks are designed to prevent identification of Internet users’ IP addresses. Such proxy servers and networks redirect users’ activities so that they appear to originate from a proxy server’s or anonymity network’s IP address rather than the IP address of an individual Internet user.
Furthermore, mobile payments conducted from anonymous prepaid cellular devices, such as web-enabled phones, may be impossible to trace to an individual. Such portable devices that provide Internet access enable transfers of digital currency; afterward, they can be destroyed, easily and inexpensively, to prevent forensic analysis.
I have been comparing several Track/PAN detection tools and this one looks pretty good. Later on I am going to publish a comparison chart of several such products (both commercial and free). If you have any comments/links please let me know.
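As an added illustration of what a Track/PAN detection tool actually looks for (this is example code written for this post, not the tool mentioned above or any of the products to be compared), here is a minimal scanner: it recognizes magnetic-stripe Track 1 and Track 2 data by their sentinels and field separators, finds bare PANs of 13-19 digits with or without spacing, and uses the Luhn check digit plus the leading digit to drop phone numbers and order IDs of the same length. The sample input is constructed from public test card numbers and synthetic track data; no real card data is involved, and the regular expressions, field names and masking rule are this example's own assumptions, not taken from any product.

```python
import re
from typing import Dict, List

# Constructed sample input (no real card data): public test PANs plus synthetic
# magnetic-stripe Track 1/Track 2 data, laid out the way a scanner would find
# them in a log file, a database dump or an unencrypted disk image.
SAMPLE = (
    "order=1001;name=J DOE;pan=4111111111111111;exp=1612\n"
    "log: customer typed 4111 1111 1111 1112 (declined)\n"
    "swipe: %B4111111111111111^DOE/JOHN^16121011000000000000?"
    ";4111111111111111=16121011000000000000?\n"
    "ref: 5500-0000-0000-0004 amex 378282246310005\n"
    "ticket: 5551234567890123 phone 555-123-4567\n"
)

# Track 1: start sentinel '%', format code 'B', PAN, '^', cardholder name,
# '^', expiry YYMM, then service code and discretionary data, end sentinel '?'.
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})[^?]*\?")
# Track 2: start sentinel ';', PAN, field separator '=', expiry YYMM,
# then service code and discretionary data, end sentinel '?'.
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})[^?]*\?")
# Bare PAN: 13-19 digits, optionally grouped with spaces or dashes,
# and not adjacent to other digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Mod-10 (Luhn) check digit validation, used by every major card brand."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep only the first six and last four digits (the PCI DSS 3.3 display rule)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan(text: str) -> List[Dict]:
    """Return Track 1, Track 2 and bare-PAN findings, masked and ordered by offset."""
    findings = []
    spans = []                              # track matches, so their PANs are not reported twice
    for kind, rx in (("TRACK1", TRACK1_RE), ("TRACK2", TRACK2_RE)):
        for m in rx.finditer(text):
            pan = m.group(1)
            yymm = m.group(3) if kind == "TRACK1" else m.group(2)
            spans.append(m.span())
            findings.append({"kind": kind, "offset": m.start(), "pan": mask(pan),
                             "expiry": "20" + yymm[:2] + "-" + yymm[2:],
                             "luhn": luhn_ok(pan)})
    for m in PAN_RE.finditer(text):
        if any(s <= m.start() < e for s, e in spans):
            continue                        # already reported as part of a track
        digits = re.sub(r"[ -]", "", m.group())
        # Luhn plus a leading-digit check (3/4/5/6 for the major brands) drops
        # most phone numbers, order IDs and other digit runs of PAN length.
        if digits[0] in "3456" and luhn_ok(digits):
            findings.append({"kind": "PAN", "offset": m.start(), "pan": mask(digits),
                             "expiry": None, "luhn": True})
    return sorted(findings, key=lambda f: f["offset"])


if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Run against the sample it reports five findings: the PAN in the order record, the Track 1 and Track 2 swipe data (with the expiry decoded from YYMM), and the two separator-grouped PANs, while the mistyped "...1112" and the 16-digit ticket number fail the Luhn check and are dropped. Real tools go further (IIN range tables, keyword context, scanning inside compressed and binary files), but the regex-plus-Luhn core is the same, and the masking step matters because a scanner that writes full PANs into its own report has just created another place cardholder data has to be protected.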
The National Security Agency has declassified a document that was previously a secret guide to search engine hacking, including Google and Yahoo. In fact, it is a full-size book (640 pages) called Untangling the Web: A Guide to Internet Research.
Interesting quote from the introduction:
"We pay for the benefits of the Internet less in terms of money and more in terms of the currencies of our age: time, energy, and privacy."
Credit card with display and keyboard
There is a new Mastercard with an LCD screen and a keyboard. It looks like the plastic is becoming smarter and closer to a POS terminal in its functionality, which I guess will bring new security issues...