>> About

  • Welcome to the Thales Information Systems Security digital media news centre.

    Thales has been at the heart of securing payments worldwide for over 25 years. Our solutions secure retail and corporate banking, in particular Thales payment HSMs integrate with all the widely used credit/debit applications and also secure other vital payments infrastructures.

    Thales solutions include the world's best-selling EMV data preparation system and complete PIN management for card issuers. Thales also secures some the world's busiest clearing and settlement and stock exchange systems and our solutions protect transactions such as online banking and payments.

    Subscribe by email

    Find out more at www.thalesgroup.com/iss

    Visit our Key Management site at www.keymanagementinsights.com

>> Contributors

>> Resources

>> Press Contacts

19 January 2012

What’s the point of PCI DSS if the world is moving to EMV?

A small restaurant in Utah is taking a stand against one of the biggest regulations affecting the payment security industry. Cicero’s Ristorante in Park City has launched a countersuit against their merchant acquirer after it seized money from the restaurant’s account for alleged violations of PCI DSS.

News of the lawsuit has whipped up a furore about both the drawbacks and benefits of the PCI scheme, and whether it is in fact worth having at all. One common argument against the cardholder data requirements of PCI DSS (see comments to this article) is that the standard is redundant in an EMV environment.  The argument goes like this: The purpose of PCI DSS and the more recent P2PE (point-to-point encryption) is to protect sensitive static payment data used for magnetic stripe transactions both in storage and in transit in the merchant to acquirer segment of the payment transaction. Encrypting cardholder data is all well and good – transaction data stolen from a POS (point-of-sale) terminal or merchant/acquirer system will be rendered worthless. However, any sensitive payment data stolen from an EMV transaction would be just as worthless to a criminal (due to its dynamic rather than static nature, thus preventing a replay attack) so why don’t we skip PCI DSS and move straight to EMV?

Continue reading "What’s the point of PCI DSS if the world is moving to EMV?" »

Posted at 11:11 in Compliance, EMV, Fraud, PCI DSS, Regulation |

18 January 2012

Visa: EMV means off-line Chip and PIN

There were reports earlier this week headlined “Visa: EMV move doesn’t mean Chip and PIN”, based on information in a Visa blog. In fact, the Visa blog is a reiteration of their positioning trying to persuade the market that an on-line PIN only implementation is the way forward. I first wrote about this a year ago here.

 

Posted at 09:56 in EMV, Fraud, PCI DSS, Two-factor authentication |

05 December 2011

How banks can protect themselves from Operation Robin Hood

Last week the hacking groups Anonymous and TeaMp0isoN announced that they have joined forces in an operation dubbed ‘Operation Robin Hood’ whose mission is ‘to take credit cards and donate to the 99% as well as various charities around the globe’. The groups claim that they have already taken ‘Chase, Bank of America and CitiBank credit cards’ with big breaches across the map.

Regardless of the truth behind these claims, how can organisations stop these sorts of attacks succeeding? Whether hackers are trying to steal credit card details from banks, retailers or another part of the transaction chain, the best way to protect cardholder data is using strong encryption secured in hardware.

Continue reading "How banks can protect themselves from Operation Robin Hood" »

Posted at 15:27 in e-commerce, Encryption, Fraud, Key management, Mobile payments, Online banking, PCI DSS |

10 November 2011

Dedicated security for mobile issuance

Next week I will be speaking at Cartes 2011 on dedicated security for mobile issuance together with Tim Richards from Aconite. If you’re at the show do come along to our session.

Mobile payments will soon become an important part of our daily lives. There are now more people with mobile phones than there are with bank accounts and that makes mobile phones a natural vehicle for payments. Juniper Research, a European based provider of business intelligence, released a study forecasting that mobile contactless payment transactions are expected to reach nearly $50 billion worldwide in 2014 and NFC solutions will be launched in 20 countries within the next 18 months.

Continue reading "Dedicated security for mobile issuance" »

Posted at 12:43 in Contactless payments, EMV, Encryption, Innovation, Mobile payments | | Comments (0)

31 October 2011

A quick guide to the latest mobile security standards

It has been some time since we last posted on mobile security standards (originally the topic surfaced here when Global Platform started working with the GSMA and EMVCo) but many industry players have announced updates in recent weeks that are worth digesting.

The rapid movement in this space brings us closer to a mobile ecosystem built on a set of security standards. It will of course take some time before these standards are widely adopted.  The mobile payments market remains chaotic with many competitors vying for their piece of the pie, but at least they all have a set of standards they can potentially use.

So what is new?

Continue reading "A quick guide to the latest mobile security standards " »

Posted at 12:02 in Innovation, Mobile payments, Online banking, Regulation | | Comments (0)

19 October 2011

Consumer awareness of mobile payments security is growing

This latest survey from Intersperience shows how aware consumers are and how much importance they are placing on security. The survey focuses on the more often talked about side of mobile payments security – the possibility of data being compromised on the phone or intercepted mid-transaction. However, as my colleague has talked about in previous posts, there are a number of other security considerations that are not as widely reported.

Firstly, as well as protecting the payment app in the device, the industry also needs to securely and efficiently get the app to the phone. The payment app loading process is called provisioning and, as it is done over-the-air, it is in itself a process that carries certain security risks. You can read more about this issue here and here.

Equally important is understanding the benefits of the ‘Secure Element’, a cryptographically protected piece of hardware which is resident on newer mobile phones. When stored in a ‘Secure Element’, a payment app is subject to similar security as the data stored on an EMV card. As mobile payments continue to mature and adhere to evolving security standards, Secure Elements in devices, combined with a secure provisioning process, will help address consumer concerns over the security of mobile payments.

Jose Diaz

Posted at 17:17 in Compliance, EMV, Encryption, Fraud, Innovation, Mobile payments, Regulation |

22 September 2011

PCI DSS talking points from Arizona

The North American PCI SSC Community Meeting brings together vendors, assessors and other stakeholders from across the payments chain to discuss the implementation of PCI standards. This year’s meeting is in Scottsdale, Arizona and has hosted some lively debates on the future of PCI DSS. Although arguably PCI DSS has been more topical in North America in the past, the international representation of delegates and the issues that are being discussed this year do show that there is an increasing acknowledgement that PCI DSS is indeed a global standard.

So what has been on the agenda?

Continue reading "PCI DSS talking points from Arizona" »

Posted at 15:08 in Compliance, e-commerce, EMV, Encryption, Fraud, Key management, Market trends, PCI DSS |

16 September 2011

PCI SSC Point to Point encryption, secured in hardware

Yesterday, PCI SSC published its first set of Point-to-Point Encryption (P2PE) solution requirements.  This document, eagerly awaited by many, focuses on solutions that use cryptographic hardware to secure sensitive data at the point of encryption and at the point of decryption.

The latest PCI POI PTS standard introduced last year included for the first time a Secure Reading and Exchange of Data (SRED) requirements module specifying the security environment that POI vendors must build and test against to protect account data – one end of point to point encryption.

Continue reading "PCI SSC Point to Point encryption, secured in hardware" »

Posted at 13:28 in Compliance, e-commerce, Encryption, Key management, Regulation |

15 August 2011

Mobile wallet security

Over last few months various groups have launched their mobile wallet offerings.

In the U.S., Isis, the mobile payment initiative that AT&T, T-Mobile and Verizon started last November, recently announced plans to launch a pilot project in 2012. This project will create a payment network that enables customers to pay, redeem coupons and store merchant loyalty cards, all with the tap of their phone.

Continue reading "Mobile wallet security" »

Posted at 13:03 in Contactless payments, Encryption, Fraud, Innovation, Mobile payments |

10 August 2011

A huge stride to EMV in the US

Regular readers of this blog will know that I have been writing about eating the US EMV elephant for some time. Yesterday’s announcement from Visa may just be the big push the US market needs for it to finally migrate to EMV.

Visa’s roadmap includes ‘carrot and stick’ elements in its drive to accelerate EMV adoption in the US. Merchants will soon have an incentive to install chip-enabled terminals: When 75 per cent of a merchant’s transactions originate from chip terminals, that merchant will no longer have to go through the troublesome process of annually validating their compliance with the PCI DSS standard.  The twist for the US is that the terminals must be both contact and contactless chip enabled, while a similar programme in the rest of the world requires only at minimum that the terminals accept contact chip transactions.

Continue reading "A huge stride to EMV in the US" »

Posted at 09:33 in Compliance, Contactless payments, EMV, Fraud, Innovation, Mobile payments, Two-factor authentication |

Next »