>> About

  • Welcome to the Thales Information Systems Security digital media news centre.

    Thales has been at the heart of securing payments worldwide for over 25 years. Our solutions secure retail and corporate banking, in particular Thales payment HSMs integrate with all the widely used credit/debit applications and also secure other vital payments infrastructures.

    Thales solutions include the world's best-selling EMV data preparation system and complete PIN management for card issuers. Thales also secures some the world's busiest clearing and settlement and stock exchange systems and our solutions protect transactions such as online banking and payments.

    Subscribe by email

    Find out more at www.thalesgroup.com/iss

    Visit our Key Management site at www.keymanagementinsights.com

>> Contributors

>> Resources

>> Press Contacts

04 April 2012

Is now the time for EMV?

As is being widely reported, another massive data breach appears to be on our hands with MasterCard and Visa suffering a serious processor breach. The alert sent out to banks across the country stated that the data taken could be used to counterfeit new credit cards. Exact details of how this breach occurred are still emerging although speculation, of course, is running rampant.

However, the possible harm that could be done from this breach leads back to the conversation of EMV migration in the US. More importantly, it brings to light the additional levels of protection that EMV chip cards provide. US issuers should more than consider accelerating their migration to EMV chip cards. If the US had an EMV infrastructure in place today then the compromised data most likely could not have been used to create counterfeit cards for use at POS and possibly help prevent other harm.

Continue reading "Is now the time for EMV?" »

Posted at 09:45 in EMV, Encryption, Fraud, PCI DSS |

19 January 2012

What’s the point of PCI DSS if the world is moving to EMV?

A small restaurant in Utah is taking a stand against one of the biggest regulations affecting the payment security industry. Cicero’s Ristorante in Park City has launched a countersuit against their merchant acquirer after it seized money from the restaurant’s account for alleged violations of PCI DSS.

News of the lawsuit has whipped up a furore about both the drawbacks and benefits of the PCI scheme, and whether it is in fact worth having at all. One common argument against the cardholder data requirements of PCI DSS (see comments to this article) is that the standard is redundant in an EMV environment.  The argument goes like this: The purpose of PCI DSS and the more recent P2PE (point-to-point encryption) is to protect sensitive static payment data used for magnetic stripe transactions both in storage and in transit in the merchant to acquirer segment of the payment transaction. Encrypting cardholder data is all well and good – transaction data stolen from a POS (point-of-sale) terminal or merchant/acquirer system will be rendered worthless. However, any sensitive payment data stolen from an EMV transaction would be just as worthless to a criminal (due to its dynamic rather than static nature, thus preventing a replay attack) so why don’t we skip PCI DSS and move straight to EMV?

Continue reading "What’s the point of PCI DSS if the world is moving to EMV?" »

Posted at 11:11 in Compliance, EMV, Fraud, PCI DSS, Regulation |

18 January 2012

Visa: EMV means off-line Chip and PIN

There were reports earlier this week headlined “Visa: EMV move doesn’t mean Chip and PIN”, based on information in a Visa blog. In fact, the Visa blog is a reiteration of their positioning trying to persuade the market that an on-line PIN only implementation is the way forward. I first wrote about this a year ago here.

 

Posted at 09:56 in EMV, Fraud, PCI DSS, Two-factor authentication |

10 November 2011

Dedicated security for mobile issuance

Next week I will be speaking at Cartes 2011 on dedicated security for mobile issuance together with Tim Richards from Aconite. If you’re at the show do come along to our session.

Mobile payments will soon become an important part of our daily lives. There are now more people with mobile phones than there are with bank accounts and that makes mobile phones a natural vehicle for payments. Juniper Research, a European based provider of business intelligence, released a study forecasting that mobile contactless payment transactions are expected to reach nearly $50 billion worldwide in 2014 and NFC solutions will be launched in 20 countries within the next 18 months.

Continue reading "Dedicated security for mobile issuance" »

Posted at 12:43 in Contactless payments, EMV, Encryption, Innovation, Mobile payments | | Comments (0)

19 October 2011

Consumer awareness of mobile payments security is growing

This latest survey from Intersperience shows how aware consumers are and how much importance they are placing on security. The survey focuses on the more often talked about side of mobile payments security – the possibility of data being compromised on the phone or intercepted mid-transaction. However, as my colleague has talked about in previous posts, there are a number of other security considerations that are not as widely reported.

Firstly, as well as protecting the payment app in the device, the industry also needs to securely and efficiently get the app to the phone. The payment app loading process is called provisioning and, as it is done over-the-air, it is in itself a process that carries certain security risks. You can read more about this issue here and here.

Equally important is understanding the benefits of the ‘Secure Element’, a cryptographically protected piece of hardware which is resident on newer mobile phones. When stored in a ‘Secure Element’, a payment app is subject to similar security as the data stored on an EMV card. As mobile payments continue to mature and adhere to evolving security standards, Secure Elements in devices, combined with a secure provisioning process, will help address consumer concerns over the security of mobile payments.

Jose Diaz

Posted at 17:17 in Compliance, EMV, Encryption, Fraud, Innovation, Mobile payments, Regulation |

22 September 2011

PCI DSS talking points from Arizona

The North American PCI SSC Community Meeting brings together vendors, assessors and other stakeholders from across the payments chain to discuss the implementation of PCI standards. This year’s meeting is in Scottsdale, Arizona and has hosted some lively debates on the future of PCI DSS. Although arguably PCI DSS has been more topical in North America in the past, the international representation of delegates and the issues that are being discussed this year do show that there is an increasing acknowledgement that PCI DSS is indeed a global standard.

So what has been on the agenda?

Continue reading "PCI DSS talking points from Arizona" »

Posted at 15:08 in Compliance, e-commerce, EMV, Encryption, Fraud, Key management, Market trends, PCI DSS |

10 August 2011

A huge stride to EMV in the US

Regular readers of this blog will know that I have been writing about eating the US EMV elephant for some time. Yesterday’s announcement from Visa may just be the big push the US market needs for it to finally migrate to EMV.

Visa’s roadmap includes ‘carrot and stick’ elements in its drive to accelerate EMV adoption in the US. Merchants will soon have an incentive to install chip-enabled terminals: When 75 per cent of a merchant’s transactions originate from chip terminals, that merchant will no longer have to go through the troublesome process of annually validating their compliance with the PCI DSS standard.  The twist for the US is that the terminals must be both contact and contactless chip enabled, while a similar programme in the rest of the world requires only at minimum that the terminals accept contact chip transactions.

Continue reading "A huge stride to EMV in the US" »

Posted at 09:33 in Compliance, Contactless payments, EMV, Fraud, Innovation, Mobile payments, Two-factor authentication |

01 July 2011

New FFIEC guidelines make no mention of strong authentication

On Tuesday the US banking regulator, the Federal Financial Institutions Examination Council (FFIEC), set out its expectations to improve internet banking authentication standards. While the FFIEC calls for, amongst other measures, layered security and more sophisticated one-time cookies where device identification is used, there is notably no mention of strong authentication in their new document.

Strong authentication is already widely implemented in the UK and Scandinavia through the use of tokens and various devices to support card-not-present transactions such as Mastercard’s EMV-CAP card readers.

Continue reading "New FFIEC guidelines make no mention of strong authentication " »

Posted at 08:59 in Contactless payments, e-commerce, EMV, Encryption, Online banking, Two-factor authentication |

06 June 2011

Why US travellers’ EMV card PINs may not work in Europe

Specifications for all sorts of things have multiple options on how they are implemented, and the EMV standard used in the world of payments cards is no exception. There are several options on how your PIN is verified when you want to make a payment, and as to how your payment is authorised.

 When Europe was contemplating the roll-out of chip cards, on-line connection of POS terminals was not the norm, so countries chose an implementation that worked for off-line POS terminals. PINs are authenticated to the card, and transactions do not always have to be authenticated on-line to your issuer.  In actual fact, several years on since these decisions were taken, telecoms has moved on, and most EMV transactions in Europe are authorised on-line by your issuer.  Your PIN however is still verified to your card – because that’s how the cards are set up.

Continue reading "Why US travellers’ EMV card PINs may not work in Europe" »

Posted at 11:08 in EMV, Innovation |

21 April 2011

Chip and PIN Gains Momentum in the U.S.

Thales has previously noted in this blog as well as in the media about the US lagging behind the majority of the rest of the world when moving to Chip and PIN technology. Perhaps momentum is gaining for a change with JP Morgan Chase and Wells Fargo’s announcement last week that they will be testing Chip and PIN technology by mid-year.

We have discussed before that it would take some pretty big voices, either large issuers, a major retailer or the government, to make enough noise for change to the more secure payment card. Also, the increasing fraud rate is certainly a growing concern as consumers are starting to receive more letters in the mail about possible fraud these days than credit card offers.

The announcement last week shows that major players are now willing to dip their toe in the water and test the technology. The first audience being targeted is American travelers who can find it difficult at times to use their magnetic stripe cards overseas. The real question is whether or not this will be the catalyst to change the U.S. infrastructure over to Chip and PIN.

Regardless of the voice, reason or players involved, a global movement to improving payment card security is always a good strategy.

Jose Diaz

Posted at 16:01 in Compliance, EMV, Fraud, Market trends, Regulation |

Next »