Blog posts of '2014' 'April'

EMV: Where we are on change.

Many card issuers are still not changing their scheduled plans with regard to their EMV timelines, despite the holiday breaches and Target’s recent fast-track plans. Since the breaches, Target representatives and executives have vowed to adopt EMV at least six months before the EMV deadline. The reason that issuers aren’t accelerating their efforts seems to be a lack of return on investment. Render Dahiya, CEO of Chicago-based card provider Arroweye Solutions, says, “Even though the Target breach has scared people there is a significant value out there when you look at the costs”.

Target alone does have the resources to make the switch to EMV early next year, and still plans on delivering on its promise for an earlier transition. However, “One remains skeptical that EMV will ever take place,” says Dahiya. Media coverage of the breaches played a massive role in giving the impression that all issuers might move more quickly with the EMV transition. “But they are sticking with their wait-and-see approach, especially on the debit side… One said that credit cards are a clearer path and that would be the first to move. Learn some lessons then move to debit later in 2015”.

The breaches did create a “timing issue”: do the issuers fast-track their process of issuing cards only to have to replace them again by the deadline? Fidelity National Information Services V.P. of product, Bob Legters, says “To reissue now and then reissue again for EMV in a year is a big question issuers are asking”. Originally, issuers working with FIS had planned to wait until late 2015 to issue EMV cards as magnetic cards expired. However, Legters acknowledges that the breaches did motivate issuers to consider other strategies.

“One advantage Target gives to the issuers is they get an opportunity to advertise the advantage of a chip card… Without some level of a breach in the marketplace and the heightened awareness, it would be more difficult to put out a product for security as a value-add”.

Source - ISO&Agent

End of Windows XP support - What's next?

Last week marked the end of support for Windows XP, though that does not mean the licenses have expired. The important thing to remember, however, is the risk that comes with the lack of security patches if the upgrade is ignored.

The April 8th deadline has come and gone, but how much of an effect has it had on the industry? Honestly, close to none at all, or at least not yet. Bank ATMs are established on a private network with no internet access. Firewalls restrict the ATMs' communication to a designated server, with anti-virus software and whitelisting to ensure no other software can run in parallel. There are, however, two general problems that can occur now that the deadline has passed:

The first issue is compliance: PCI regulations and bank rules require that bank ATMs not run unsupported software, and doing so could lead to a loss of PCI certification. Most banks in the West started to meet the requirements almost a year ago, while the rest have put together a transition plan that allows them enough time to migrate to Windows 7. During this time, however, Asian banks have generally ignored the deadline, treating it like a modern-day Y2K.

The second risk is what those in Asia may come to experience. Unsupported ATMs face something called "zero-day" vulnerabilities. These vulnerabilities are security threats that Microsoft has no way of knowing will even exist or how they will operate. What they do know is that somewhere out there a hacker will be prepared and armed. Today there is a much larger battle going on between security protections and malware, which was not the case during Y2K. So it is merely a matter of time until these zero-day vulnerabilities are exploited.

Microsoft has, however, set a cost for limited support, or a "customers service agreement", that lasts up to 2 years from the April 8, 2014 deadline. The CSA will allow security patches to be made available, assuming the right XP license was purchased for your ATM. With the CSA, you essentially buy yourself a 2 year grace period to get your machine upgraded to Windows 7, or Windows 8 if you want to get ahead of the game.

The delay in the Windows 7 migration can be attributed both to the manufacturers, for "guarding" a low-level driver layer called XFS SPs (for which there is no open market), and to the banks, for not demanding that these drivers be made available in time. The XP to W7 upgrade could have run smoothly had the transition started four years ago, with a properly implemented hardware replacement cycle.

So when does the support for Windows 7 expire? 2020, leaving us with just 6 years until the next disaster meets the industry, unless we can get it right in the meantime.

Source - ATMMarketplace

MasterCard and Visa Rivals Team Up

MasterCard and Visa have teamed up to increase efforts in the U.S. transition to EMV chip cards as well as other security measures.

The alliance will receive representation from numerous banks, credit unions, acquirers, retailers and terminal manufacturers, according to the card brands.

The purpose of a collaborative group is to instill confidence in front of Congress, avoiding a competitive atmosphere that may cause uncertainty in a time of heavy breaches and fraud claims; a cohesive approach is critical when instilling confidence with the masses.

Though the group is new, there may still be issues that have yet to be covered. One example:

Should issuers require consumers to use a PIN to make EMV payments, even though VISA has openly expressed support for signature authentication?

Pat Carroll, executive chairman of security vendor ValidSoft, supports the effort to speed up the EMV process:
"The industry must be fully cognizant of how payments and fraud are evolving... there is a grave danger that will find itself having spent billions of dollars on new cards and POS devices capable of processing chip-and-pin, only to find that both consumers and crooks have moved on".

The new group also intends to become a catalyst for other types of security technology, such as tokenization and end-to-end encryption. Both of these methods can replace payment card details with data that criminals cannot exploit.

VISA President Ryan McInerney states in a press release that "The recent high-profile breaches have served as a catalyst for much needed collaboration between the retail and financial services industry on the issues of payment security... As we have long said, no one industry or technology can solve the issue of payment system fraud on its own."

Group members plan to share ideas, break down barriers and move towards a "next-generation security solution for the benefit of all."

Source - ISO&Agent