Holidays Bring Rise in Payments Fraud

While consumers spent nearly $3 billion holiday shopping on their smartphones this year, more than on any previous Black Friday and Cyber Monday, a new report from iovation has found that suspected online retail fraud also increased this holiday season.
According to the report, suspected online retail fraud increased 29 percent during the start of the 2019 holiday season when compared to the same period in 2018. What’s more, the report indicated a 60 percent increase in suspected eCommerce fraud during the same period from 2017 to 2019.
The growth in suspected online fraud means that 15 percent of total suspected fraud during the holiday season so far took place online, up from 13 percent in 2018 and 11 percent in 2017. Online fraud in general accounts for 10 percent of suspected fraud across the rest of 2019, the report found.

ETA Expert Insights: PCI PIN Security Update 3.0

By Donna Gem, GEM Security Solutions; Greg Leos, Bank of America Merchant Services; Sam Pfanstiel, ControlScan, members of the ETA Risk, Fraud and Security Committee.

The Payment Card Industry Security Standards Council (PCI SSC) published version 3.0 of the PCI PIN security requirements in August 2018, and it went into effect on October 1, 2019. This updated version was a collaborative effort between the PCI SSC and the American Standards Committee (ASC) X9: together they integrated the ASC TR-39 requirements into the PCI PIN security requirements to form PCI PIN 3.0. Here we examine the changes and what you need to know about the latest requirements in order to ensure your organization remains compliant.

Summary of PCI PIN Update 3.0:

  • The usage of multi-purpose personal computers for key loading is being phased out. Clear-text secret and/or private keys, and/or their components, that exist in unprotected memory outside the secure boundary of a secure cryptographic device (SCD) are to be phased out as well.
  • Allowance for the injection of clear-text secret or private keying material into point of interaction (POI) devices or other SCDs will be phased out starting with key injection facilities (KIFs) in 2021. Only encrypted key injections will be allowed after that time.
  • The requirement that encrypted symmetric keys must be managed in structures called key blocks has been broken into three separate phases with different implementation dates, the first of which went into effect for service providers this past June.
  • Host support for Advanced Encryption Standard (AES) PIN block for both encryption and decryption will be required over the next five years to facilitate adoption of this stronger encryption algorithm by POI devices.
  • A new PCI PIN Assessor program includes the creation and management of the new Qualified PIN Assessor (QPA) designation by the PCI SSC, along with a listing of approved QPAs on the pcisecuritystandards.org website.

In addition, the PCI PIN 3.0 update brings a multitude of changes to the documentation requirements: organizations must now hold comprehensive documentation attesting that procedures exist, are written down, and are followed by their personnel.

Existing in-flight PCI PIN 2.0 assessments by a Visa SA must be completed and submitted prior to December 31, 2019; all other assessments will be performed by a QPA against the PCI PIN 3.0 requirements, testing procedures, and reporting template. Organizations to which PCI PIN applies need to review their documentation against the new requirements to ensure they will be compliant when the QPA comes onsite.
