ETA Expert Insights: PCI PIN Security Update 3.0
By Donna Gem, GEM Security Solutions; Greg Leos, Bank of America Merchant Services; Sam Pfanstiel, ControlScan, members of the ETA Risk, Fraud and Security Committee.
The Payment Card Industry Security Standards Council (PCI SSC) published version 3.0 of the PCI PIN security requirements in August 2018, and it went into effect on October 1, 2019. This updated version was a collaborative effort between the PCI SSC and the American Standards Committee (ASC) X9. Together they integrated ASC TR-39 into the PCI PIN security requirements, amalgamating the two into PCI PIN 3.0. Here we examine the changes and what you need to know about the latest requirements in order to ensure your organization remains compliant.
Summary of PCI PIN Update 3.0:
- The usage of multi-purpose personal computers for key loading is phased out. Clear-text secret and/or private keys and/or their components that exist in unprotected memory outside the secure boundary of a secure cryptographic device (SCD) are to be phased out.
- Allowance for the injection of clear-text secret or private keying material into point of interaction (POI) devices or other SCDs will be phased out starting with key injection facilities (KIFs) in 2021. Only encrypted key injections will be allowed after that time.
- The requirement that encrypted symmetric keys must be managed in structures called key blocks has been broken into three separate phases with different implementation dates, the first of which went into effect for service providers this past June.
- Host support for Advanced Encryption Standard (AES) PIN blocks, for both encryption and decryption, will be required over the next five years to facilitate adoption of this stronger encryption algorithm by POI devices.
- A new PCI PIN Assessor program includes the creation and management of the new Qualified PIN Assessor (QPA) designation by the PCI SSC, along with a listing of approved QPAs on the pcisecuritystandards.org website.
In addition, the PCI PIN 3.0 update has brought with it a multitude of changes to the requirements for comprehensive documentation: organizations must be able to attest that procedures exist, are documented, and are followed by their personnel.
Existing in-flight PCI PIN 2.0 assessments by a Visa SA must be completed and submitted prior to December 31, 2019. All other assessments will be performed by a QPA against the PCI PIN 3.0 requirements, testing procedures, and reporting template. Organizations to which PCI PIN applies need to review their documentation and study the new requirements to ensure they will be compliant when the QPA comes onsite.
How Does Crypto Work?
Anyone can invest in cryptocurrency. To use it, a consumer must first purchase a crypto amount. Let’s use Bitcoin as an example. The current cost for 1 Bitcoin is about $11,000. If you accept crypto payments, a consumer can purchase a Bitcoin at that amount, and then sell a fraction of it when they want to make a purchase at your store. For example, if they had purchased one Bitcoin at $11,000 and wanted to use it to make a $100 purchase at your store, they would need to sell 1/110 of that coin to make their purchase with you.
Bitcoins or other cryptocurrencies are securely stored in a digital wallet that is protected with a secret key. Everyone has two keys, one public and the other private. The public key can be shared with others so they can send you Bitcoin, while the private key is what you would use to send a payment. If someone else discovers your private key, your Bitcoin are at risk of being stolen. Therefore, make sure your private key is safely stored at all times.
When a payment is made, it is first encrypted, then broadcast to the cryptocurrency’s network and prepared to be added to the public ledger. Next, transactions are recorded on the public ledger using a process called “mining”. Anyone who uses a certain cryptocurrency (such as Bitcoin) can access the full ledger if they choose. The amounts paid for each transaction are public, but sender information is encrypted. Many transactions are posted at the same time and added in sequence to the ledger.
If this seems complicated, don’t worry. All of the work and any of the risk associated with a transaction like this is the responsibility of the consumer. Accepting crypto payments with Electronic Merchant Systems simply means you’re giving your customers an additional way to pay. We’ll take care of processing their payment and will fund you the money in cold hard cash.
Other than the obvious customer convenience factor, there are unique benefits to accepting crypto payments for your business.
- Forget About Fraud and Chargebacks
Crypto transactions are virtually fraud-proof and eliminate chargeback risks for merchants. Purchases made with cryptocurrency are exact and final (unless you choose to process a refund). You are in complete control of the cash you receive. Check out The Truth About Cryptocurrency Processing for more information.
- Encourage Innovation
Gain a competitive advantage by being one of the first to offer this alternative payment method and cater to digital wallet users.
- Speed Up the Process
Payments move more quickly, which helps you to avoid the traditional wait time associated with global transactions.
- Make International Payments Easy
Simplify international payments by eliminating foreign transaction fees and currency conversions.
Currently, we and our partners can help you to accept Bitcoin, Ethereum, and Litecoin payments. There are various options for how you can receive these payments, depending on your business type. These options include:
- Invoice
Create an invoice and email it to your customer.
- Face to Face
Accept a crypto payment directly from your customer’s digital wallet.
- Payment Button on Website
Add a button to your website for online crypto payments.
- Custom Integration for Your Website
This option requires some advanced coding and will allow you to accept crypto payments through your eCommerce website.
A new Lost in Transaction report from ETA member and global payments technology company Paysafe has found that Gen Z, defined as consumers aged 16 to 24 years old, are embracing new and different ways to pay at higher rates than older generations.
According to the report, 40 percent of Gen Z consumers have some experience making in-app payments, and 15 percent make them regularly. That’s significantly higher than all other consumers, at 27 percent and 9 percent respectively. Further, one in three (34 percent) of Gen Z have used a mobile wallet, a full eight percent higher than other consumers. Whereas one in non-Gen Z consumers currently use mobile wallets regularly, 14 percent of Gen Z consumers use them regularly.
Mobile eCommerce is also a popular way to shop and pay for Gen Z, but it is equally as popular with the older Millennials (aged 25-39). Just under half – 47 percent – of Gen Z and Millennials buy goods on their mobile phone more often than any other platform. That is much higher than older generations. Just 28 percent of Generation X (aged 40-54) and 10 percent of Baby Boomers (aged over 55) prefer mobile shopping.
For in-store payments, Gen Z prefers options, the report found. Fifty-three percent prefer to shop in stores that accept contactless payments, and physical cash is still used by eight in ten Gen Z shoppers when they are making purchases in brick-and-mortar stores. Voice payments are also exciting options to Gen Z, the report says. Over half said they would use voice technology to sign up for a subscription service (52 percent) or make a one-off entertainment purchase (51 percent), and 43 percent would be prepared to pay for groceries using voice commands to their smart fridge.
“This generation is naturally more comfortable with technology but has also been exposed to a much broader set of ways to pay,” said Phillip McHugh, CEO of Paysafe Group, in a press release. “Accepting new payment types and expecting lots of flexibility and ease will be table stakes going forward.”
According to a press release from Paysafe, Lost in Transaction: Gen Z expectations at the checkout is an independent research project commissioned by Paysafe and supported by London-based agency Loudhouse in Q2 2019. The research was completed among 6,197 consumers from the US, UK, Canada, Germany, Austria and Bulgaria. Respondents came from six different age groups and a variety of different professions.
Wednesday, April 10, 2019
The debate over whether we should become a cashless society shows no signs of abating soon, but in the meantime plenty of compelling reasons remain for using cash in a variety of situations.
While some businesses are embracing cashless payments, and the whole country of Sweden is moving in that direction, cash isn’t about to disappear. Too many businesses still depend on coins and bills to sell their wares. Cash remains king at fast food restaurants, for instance, where cash accounts for 41% of transactions. Cash also remains a significant portion of business at gas and convenience stores (33%), mass merchants (32%), restaurants and bars (26%), and warehouse clubs and food stores (25%), according to IHL.
With so much business still conducted in cash, don’t expect it to disappear any time soon. Besides, some customers cannot pay with anything but cash, since they are unbanked or under-banked.
When Banking Isn’t Available
Currently, the number of Americans without bank accounts is 5%, according to a Federal Reserve report. In Europe the number is higher – 14%. And the World Bank estimates that globally 2 billion people are unbanked.
If forced into a cashless system, unbanked and under-banked people would be disenfranchised, unable to buy food, clothing and other life necessities. Most people don’t choose to be unbanked or under-banked; they simply have no access to the banking system. In some cases that’s because they live in rural or inner city communities where bank branches are scarce.
Banks also deny people accounts if they fail a background check or have had too many overdrafts or bounced checks in the past. Other reasons people are unbanked or under-banked include distrust of banking institutions, unemployment, illiteracy and banking fees.
A cashless society would disproportionately affect the poor and other vulnerable communities, such as recent immigrants who haven’t had enough time to build up credit or open a bank account.
Some consumers choose to pay for purchases with cash because of security concerns. Every time another big company suffers a breach that compromises payment card information, consumers worry about how that impacts them.
In 2017, the consumer credit reporting agency Equifax suffered one of the biggest breaches ever to grab headlines. It compromised the personal data of almost half of all Americans (145.5 million), including driver license numbers, birth dates, addresses and Social Security numbers.
Consumers have good reason to worry about a potential cashless society. One of the possible consequences of having personal data stolen through a security breach is identity theft, which can cause years of headaches for victims. Through identity theft, cybercriminals can empty a person’s bank account, use their credit cards, get government benefits and even apply for a job in the victim’s name.
Paying Cash for Online Purchases?
While there is an undeniable push for cashless systems, there is just as persistent a movement to continue using cash. It is even possible to pay for online purchases with cash, thanks to a product called Paysafecash. It allows buyers to go to a nearby location to pay with cash for an online purchase. How successful Paysafecash will be remains to be seen, but one thing is for sure: As long as initiatives and technology like Paysafecash are introduced, you can bet cash will stick around for a long while.
The Withdraw Cash Wednesday campaign is designed to promote consumer cash usage by reminding consumers to withdraw cash from the ATM the Wednesday before the U.S. Thanksgiving holiday for their Christmas Black Friday shopping needs and every Wednesday for their weekend endeavors. Backed by ATMIA, the campaign is also designed to educate consumers about the benefits of cash such as using it as a budgeting tool, reducing debt and saving money by not having to pay credit card interest fees and saving time at the checkout.
Banks face a tough job to lure small businesses from payment fintechs
Consumer banking is being redefined by new payment services and challenger banks, while enterprise customers have always received tailored banking services.
Relatively little innovation has happened in the small to medium enterprise segment, however, because SMEs are often seen as too small to offer tailored services to, but too complex and varied for mass-market services.
But there is a road map for SMEs. In his book “The Innovator’s Dilemma,” Clayton Christensen used the phrase “jobs to be done” to describe a method that can help businesses better understand why their customers use their products.
Clayton Christensen defines a job as the progress that a person is trying to make in a particular circumstance. To illustrate this, let’s look at a simple example. When a smoker takes a smoke break, he’s meeting a need for nicotine. But he’s also using the cigarette to calm and relax himself. And in a work environment he will also go outside for some social contact and gossip with fellow smokers. So the “job to be done” includes not only the obvious “nicotine fix” but also the not-so-obvious social engagement.
There are a few ways that a jobs-to-be-done analysis can help businesses.
Segmentation. It’s likely that your product is used for a number of different “jobs” by different customers. Understanding what they are will help you better segment your market.
Marketing communications. Marketing messages should be aligned with the “jobs” your customers are trying to achieve.
Innovation. Understanding your customers’ jobs will help you identify other ways in which you can make those jobs even easier for your customers, and also importantly, which steps you should eliminate because they don’t help.
Banks can regain relevance and loyalty with SMEs that are fleeing to payment apps and other fintechs by making the jobs those customers use banks for easier.
Entrepreneurs want to grow, or at least sustain, their businesses. This job involves many tasks that don’t involve banks: finding customers, developing a great product or service, etc.
The part of the “grow my business” job that does involve banks is making sure there is sufficient cash available to grow. At a high level, the promise to SMEs, therefore, is a relationship that will help grow the business.
That comes down to several sub-jobs that involve payments, such as making more informed decisions, controlling spending and getting paid on time.
There are emerging payment innovations and strategies, such as card controls and online payment technology and analysis that can help banks and financial institutions reach small businesses better.
The 2019 PCI Compliance Annual Plan
Published January 16, 2019
How are those New Year’s resolutions coming?
We’re now a few weeks into the new year and already people are asking: “How are those New Year’s resolutions coming?” Ugh.
It takes time to form a habit, but it’s often difficult to invest the kind of time that results in long-term, positive change. Without a plan of action and relentless commitment, the chances are good my New Year’s resolutions will fall by the wayside.
The same goes for your business goals. So many distractions and competing priorities come up each and every day, it’s next to impossible to maintain a steady course. Now add in a task no one wants to deal with—PCI compliance—and you end up rushing through a point-in-time validation that accomplishes nothing.
Make 2019 your year for payment security.
The PCI compliance process is about payment security. It doesn’t just magically happen, nor is it 100% taken care of by your POS system or IT vendor. In other words, your business is responsible for ensuring that specific processes are followed and requirements are met, 24/7/365.
While it can seem like a daunting task, incorporating these processes and requirements into your business doesn’t have to be if you begin with a plan. And that’s where my colleagues and I are here to help!
We’ve mapped out the entire year ahead into a simple, month-by-month plan, to help you integrate the PCI compliance process into your ongoing business activities. Click here for the PDF calendar.
Here’s your 2019 PCI Compliance Annual Plan.
The 2019 PCI Compliance Annual Plan is also outlined below. It is identical to the PDF calendar, plus it includes helpful links to additional research and information on various topics.
- January: Start the year strong by taking note of when your annual PCI compliance assessment will be due as well as ensuring that your monthly vulnerability scanning program is running smoothly. Now is also a good time to list all third parties and vendors that interact with or influence the security of your company’s or your customers’ payment card data. Include a column that indicates each service provider’s state of compliance.
- February: Identify all the places that payment card data is stored, processed and/or transmitted within your environment. Make sure you have the appropriate security controls in each location where a system would interact with that data. Perform a formal risk assessment against your company’s business objectives for the year and review your security policies to ensure they are sufficient to cover your risks.
- March: Reduce your breach risk by reviewing or creating your company’s security awareness training program. Security awareness training is a must for your employees, especially those who interact with payment card data. We recommend that your program is formal, ongoing and comprehensive so that all staff understand your company’s security policies as well as data security essentials and best practices.
- April: Review your firewall’s inbound and outbound network rules. Chances are someone will get into your systems, so prevent them from getting data out of the network by setting up alarms and other methods of intrusion detection. Lock down your network traffic to only those ports and services that are required. If possible, lock it down to the destination networks and hosts as well.
- May: Review and test your company’s incident response plan (IRP). If you don’t have an IRP in place, gather together your organization’s key stakeholders to develop one. This plan should seek to identify the risks your company and its data may face, and put in place specific procedures to be followed in the event that one of those risks becomes a reality.
- June: Free space for Annual Validation – This open block is here to swap with the month in which your business’s annual PCI Compliance validation takes place.
- July: Access management is important to strong security. Review your sensitive assets, vendor accounts, unused accounts, remote access accounts, employee accounts, physical access, application accounts, etc., and make sure that all related permissions are current and the level of privileges are justified. If it’s not required, remove the access. Accounts that are not used should be disabled or deleted.
- August: A comprehensive penetration test should be performed against all entry points into your systems, as well as places where sensitive data is stored. Penetration testing goes much further than vulnerability scanning, because it goes beyond the automated process of looking for basic vulnerabilities. Merchants are required to have a pen test annually and service providers must also validate segmentation controls every 6 months.
- September: This is the month to remediate all critical, high and medium-level vulnerabilities discovered in last month’s penetration test. Doing so will strengthen your security posture well in advance of the holiday cybercrime spike. Once you have completed remediation, a follow-up test is highly recommended to ensure that nothing was missed and no new vulnerabilities were created in the process.
- October: By October, most organizations are well underway with the budgeting process for the next calendar year. If your company’s fiscal year is not based on the traditional calendar year, feel free to swap this box with the month when you are typically planning your budget. When considering your budget for the next fiscal year, be sure to give some thought to the ROI advantages of managed security services over in-house resources.
- November: The holiday season is here! If you’re a brick-and-mortar retailer, that means it’s time to review physical security with your store teams. This includes how to spot the telltale signs that a payment-related device has been tampered with, as well as what to do if a shopper leaves their credit card behind. In addition, don’t forget to review and tighten your processes for securing all physical points of entry to your store/office space.
- December: Congratulations! You made it through an entire year of “business as usual” PCI compliance—and in doing so, you have established a baseline that will make next year run considerably more smoothly. What’s more, following this year’s plan has already significantly strengthened your business’s security posture. Now, let’s bring on 2020…
Phillips 66 Links With Honda in a Push for Dashboard Commerce
Phillips 66 Co., which has long been a leading player among petroleum companies in digital payments, has taken a step into in-car commerce in a tie-up with Honda Motor Co. Inc. that will allow customers to find the nearest station, claim a pump, and pay for gas from the infotainment system in their cars.
The new arrangement, under development with Honda Developer Studio, is expected to work at stations flagged under the Houston-based petroleum company’s three brands, which in the United States include 76 and Conoco as well as Phillips 66. Some 7,550 independently owned outlets in 48 states sell the company’s products.
The company also said it will continue rolling out its My Phillips 66 mobile app, which launched last year and works in-store as well as at the pump with both Apple Inc. and Google devices. Google is a unit of Alphabet Inc. The app integrates Mastercard Inc.’s Masterpass wallet. In 2016, Phillips 66 was an early player to announce it would accept JPMorgan Chase & Co.’s Chase Pay mobile wallet.
The company’s latest move is part of a larger trend toward bringing payments capability to the latest generation of infotainment systems installed in automobiles. Honda has been an early exponent of this trend. Two years ago, the automaker worked with Visa Inc., pump maker Gilbarco Veeder Root, and parking-meter manufacturer IPS Group Inc. to demonstrate a mobile app that allowed drivers to pay for parking and fuel.
“We understand consumers want to fuel up, pay, and quickly be on their way,” said John Barbour, manager of payments and card services at Phillips 66, in a statement related to the partnership with Honda.
Honda Developer Studio is situated within a unit called Honda R&D Innovations Inc., which is based in Mountain View, Calif., and concentrates on self-driving technology as well as in-car payments.
As consumers grow more attached to mobile devices for e-commerce and payments, fraudsters are intensifying their focus on handsets with new tricks ranging from phishing and vishing to SIM swaps.
Payment providers are looking for broad, new approaches to fighting fraud. The hunt for a new, universal digital ID will reach a critical point this year, in combination with innovations in artificial intelligence and biometrics technology.
But fraudsters are also working hard to stay ahead of these developments — and come up with new tricks of their own.
1 Mobile risk on the rise
As more banks rely on mobile devices as a second factor of authentication, fraudsters have shifted their sights to the cell phone providers that control that channel.
SIM-jacking and SIM swap fraud — which allow scammers to take over a phone number and/or intercept text messages sent to it — will increase in 2019 as crooks figure out new techniques. It’s still a relatively heavy-handed exploit, but anyone in possession of something hackers want will be a target, according to Adam Levin, co-founder of Credit.com, who was previously a director of the New Jersey Division of Consumer Affairs.
The South African Banking Risk Information Centre in October 2018 said the number of SIM-swap fraud incidents more than doubled in South Africa over the past year, and other global regions are seeing rising incidents. Also known as Port-Out scams, or SIM splitting, this technique targets the weakness in two-factor authentication where the second step triggers a call or text message to a mobile phone. In doing so, fraudsters can approve high-risk transfers long before the bank or customer is aware.
Further undermining device security is runaway spam call volume, which is expected to soar in 2019 to about half of all calls. Spam calls undermine consumers’ discipline in checking suspicious activity on their phones, and hurt payment providers’ ability to police and block fraud. Solutions requiring collaboration between financial services providers, device makers and wireless carriers — such as the carriers’ own Project Verify — could gain traction this year.
2 Bigger data breaches ahead?
Major data breaches have been a threat to the payments industry for more than 13 years, according to credit bureau Experian’s recent risk forecast.
The data breach of a rival credit bureau, Equifax, was said to be one of the biggest in history, but even bigger events could be ahead in 2019, Experian warns. A major wireless carrier, for example, could be attacked with devastating effect on iPhone and Android devices loaded with payments and financial data, possibly disabling wireless communications.
It’s also a matter of when, not if, a top vendor of cloud data storage will be hacked, Experian predicts.
Biometrics are a big area of innovation to make payments more secure, but it’s not without its own unique risk factors. “Biometric data is considered the most secure method of authentication but it can be stolen or altered, and sensors can be manipulated and spoofed or deteriorate,” Experian said in its report.
In online gaming forums, fraudsters can pose as gamers and gain access to the computers and personal data of trusting players, the company said. “Some regulation and oversight are necessary to strip away the total anonymity of players,” Experian said.
3 Who will control Digital ID?
The search for a better way to manage digital IDs to authenticate payments is on.
As identity theft has become rampant and passwords have become virtually useless in blocking fraud, companies across the technology spectrum in financial services, healthcare and government are working on streamlined, consumer-friendly approaches to verify their identities.
Mastercard and Microsoft’s recent announcement about plans to collaborate on a decentralized digital ID approach is the first of a wave of cross-industry partnerships for identity verification and payment authentication that will take different forms.
But the biggest risk is one of incentives — the companies best positioned to control digital ID are the ones least motivated to benefit from it. Collaboration will be vital to making a digital ID system that is both trusted and secure.
One possible approach is designing a way for federations to work as a mechanism for transferring a consumer’s ID credentials from one point to another, suggests Sunil Madhu, co-founder and chief strategy officer of Socure, which offers a digital ID verification solution to protect against payment fraud.
“ID requirements should be contextual, so there would be no need for 100 percent of everyone’s ID information for 100 percent of all actions, which is the approach some organizations are heading for now,” Madhu said.
But don’t expect a single digital ID solution to appease all users. “It’s unlikely, and there’s no need for one solution to rule them all,” Madhu said.
4 Don’t overlook AI
The prevailing wisdom in battling payments fraud for years has been layering solutions over one another, but many organizations have reached their limit in supporting multiple tools to fight fraud. And there’s a risk in relying too much on disparate solutions rather than adopting technology that can see the full picture.
Strategies are gradually changing to smarter use of machine learning and artificial intelligence with existing tools, said Amit Bhute, senior vice president and global head of payments at Virtusa, a global I.T. consulting firm based in Southborough, Mass.
“Artificial intelligence will play a growing role in tackling payments fraud, with the predictive abilities of machine learning helping detect hidden flaws and reacting to fraud faster,” Bhute said.
5 A higher price for privacy
Privacy and security in payments will become a premium feature.
Consumers are already paying for password-management services, ditching companies and apps they don’t trust, and seeking out companies, products and services that promise to protect privacy and data.
Shane Green, CEO of U.K.-based Digi.me., is building a company focused on user-centric data solutions that put consumers in control. “A number of new companies are creating more decentralized and ethical approaches that deeply value the data and privacy of individuals,” Green said.
Because of real risks and ongoing data breaches, the era of consumers blithely sharing their data in exchange for free services will eventually fade, said Credit.com’s Levin.
“Europe’s GDPR gives consumers the right to be forgotten, and we’re going to see more requirements like this for consent and disclosure, and new rules about how data is stored and shared. Canada has a tough new privacy law, Australia has gotten tougher on privacy and China is following that trend,” Levin said.
While cross-border payment demand rises, barriers to the flow of information could rise and impede that growth.
“Increased legislation will make the web less ‘worldwide,’ and today’s global sites will become more fenced-off in areas in what used to be a comparatively location-less internet,” he predicts.