Thursday, August 31, 2006

Visa Issues Data Security Alert

BROOKFIELD, Wis. — Visa USA issued a data security alert Aug. 31 to warn merchants about the risks associated with storing magnetic-stripe and other sensitive data on point-of-sale systems. The alert recommends specific actions that merchants can take to mitigate these risks.

To support compliance with the Visa USA Cardholder Information Security Program, Visa issues security alerts when vulnerabilities are detected in the marketplace, or as a reminder about best practices.

Security vulnerability

Visa announced in a news release that it is aware of credit and debit card compromises that resulted from the improper storage of mag-stripe data after transaction authorization was completed. The mag-stripe holds data in two tracks.

Track information is received by a merchant’s POS system when a card is swiped. Some merchant POS systems improperly store that data after authorization, violating Visa’s operating regulations. Hackers are aware of the vulnerability and are targeting certain POS systems to steal this information.

Visa also has observed compromises involving other data elements, namely card verification value 2 (CVV2), PINs and PIN blocks. CVV2 is the 3-digit number typically found on the signature panel of the card. PIN blocks are encrypted versions of PINs.

According to Visa, merchants may only store specific data elements, including the cardholder’s name, primary account number, expiration date and service code, from the mag-stripe to support card acceptance. But that information must be protected in accordance with the Payment Card Industry Data Security Standard.

Merchants may mistakenly believe they need to store prohibited elements to process merchandise returns and transaction reversals, Visa says. Acquirers should ensure their merchants have proper processes for each type of transaction.

Recommended mitigation strategy

To safeguard their systems and reduce risk from a compromise, merchants should make sure that they are not storing prohibited data.

Visa offers the following suggestions:

• Ask the software vendor to verify that your software version does not store mag-stripe data, CVV2, PINs or encrypted PIN blocks. If it does, those data elements must be removed immediately.

• Ask the software vendor to share a list of files written by the application, and a summary of the content to verify prohibited data is not stored.

• Review custom POS applications for any evidence of prohibited data storage. Eliminate any functionality that enables storage of this data.

• Search for and expunge all historical prohibited data elements that may be residing within your payment-system infrastructure.

• Confirm that it’s necessary to store the data you’re keeping. If not, don’t store it.

• Verify that your POS software meets Visa Payment Application Best Practices. A list of PABP-compliant applications is available on Visa’s Web site.
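One way to carry out the "search for" step above, as an added example that is not part of Visa's alert or this article: a small Python scanner that flags lines in POS logs or temp files which still carry full track 1 or track 2 data, or a CVV2 value, after authorization. The track layouts follow ISO/IEC 7813; the log lines and field names are constructed, and PANs are masked in the report so the output is itself safe to keep.

```python
import re

# Constructed POS log lines (not from the article). PAN 4111111111111111 is
# the common Luhn-valid test number; names, dates and amounts are invented.
SAMPLE_LINES = [
    "12:01:07 AUTH OK txn=1001 last4=1111 amt=42.19",                  # allowed
    "12:01:07 RAW ;4111111111111111=08121010000000000000?",            # full track 2
    "12:02:11 RAW %B4111111111111111^DOE/JANE^0812101000000?",         # full track 1
    "12:03:45 AUTH OK txn=1002 cvv2=123 amt=9.99",                     # CVV2 retained
    "12:04:02 RAW ;4111111111111112=08121010000000000000?",            # fails Luhn
]

# Track layouts per ISO/IEC 7813: track 2 is ;PAN=YYMM<service code>...?,
# track 1 is %B<PAN>^<name>^YYMM<service code>...?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})\d*\?")
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})\d*\?")
CVV2_RE = re.compile(r"\b(?:cvv2?|cvc2?)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)

def luhn_ok(digits):
    """Mod-10 check digit test; filters out digit runs that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan):
    """Report PANs as first six / last four so the report itself is safe."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_line(line):
    """Return (kind, masked_pan) for each prohibited element found in a line."""
    findings = []
    for kind, rx in (("track2", TRACK2_RE), ("track1", TRACK1_RE)):
        m = rx.search(line)
        if m and luhn_ok(m.group(1)):
            findings.append((kind, mask(m.group(1))))
    if CVV2_RE.search(line):
        findings.append(("cvv2", None))
    return findings

def scan(lines):
    """Scan a file's lines; returns (line_no, kind, masked_pan) tuples."""
    return [(n, kind, pan) for n, line in enumerate(lines, 1)
            for kind, pan in scan_line(line)]

if __name__ == "__main__":
    for n, kind, pan in scan(SAMPLE_LINES):
        print(f"line {n}: prohibited {kind} data{' ' + pan if pan else ''}")
```

The Luhn check matters: the last sample line has the track 2 shape but an invalid check digit, so it is dropped rather than reported as a hit, which keeps the report focused on real cardholder data.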


Wednesday, August 30, 2006

Yet Another Loss of Customer Data

SAN FRANCISCO, Aug 29 (Reuters) - AT&T Inc. said on Tuesday that computer hackers illegally accessed credit card data and other personal information from several thousand customers who bought DSL equipment from AT&T's online store.

The phone company said it is notifying "fewer than 19,000" customers whose data was accessed over the past weekend.

The company said it noticed the hacking "within hours," immediately shut down the online store, notified credit card companies and is working with law enforcement agencies to investigate the incident and find the hackers.


Monday, August 28, 2006

Dear Bankers: Your Vault is Not Safe

Several high-profile examples of data tape loss during transit have put customers on alert over the risk that their confidential information may be lost through the movement of backup tapes. For example, Bank of America last year was dealt a severe blow when the company admitted to losing data tapes en route to a data center. The tapes reportedly contained employee and personal information on 1.2 million federal workers.

This year’s news has been full of tape losses from Wells Fargo, Bank of America, Iron Mountain, etc. This, on top of the federal regulators’ heightened focus on Disaster Recovery and Business Continuity due to Katrina and other disasters, has put many financial institutions in a quandary on how to handle backups safely while still providing quick access for disaster recovery needs.

The age-old problem of 100% usable vs. 100% secure rears its ugly head again.

For years I have been telling my financial institution clients that storing your tapes in your vault, or in your sock drawer, is not an adequate recovery solution. Not to mention, it is inherently not secure. Now I am telling you that your vault isn’t secure either.

What? My vault is not secure? That’s right, it’s not. I’m going to share a true story with you now, that is so shocking, so scary, that I cannot even reveal what location this took place in. In order to protect my client’s identity, I will even have to fudge the numbers a little, but rest assured, I am rounding down!

The story starts with a bank robbery. A bank robber walked into a very remote bank branch and demanded all of the money in the teller drawers. When finished, he asked for the security videotapes. The branch manager attempted to explain, at gunpoint, that there were no security tapes and that the cameras were 100% digital.

Not being the brightest bank robber, he did not understand or believe the manager and took him to the vault. The bank robber then proceeded to steal the bank’s DATA tapes, thinking that they were videotapes.

Unfortunately, these tapes contained the names, addresses, Social Security numbers, birthdates, account numbers, and bank balances of 15,000 active bank customers, and another 8,000 inactive customers.

So your vault is not safe either. So what is the solution? You must encrypt your data at rest. Period. There are many encrypted online data backup solutions that allow for block-level daily changes and keep the data fully encrypted in transit and at rest. At a minimum, data tapes must not be readable in plaintext. We are just not in that world anymore.

In fact, if you are storing any of your non-public private information in a plaintext format, it is only a matter of time and effort before you are going to be exposed.
