Welcome to Collaborative Strategy Guild

Where insights are transformed into actions at the intersection of collaboration, information management, security, and business strategy.

Chatting with an auditor about credit unions

So if you recall, I received an inquiry the other day to take a bit further my post where I was quacking about credit unions.

As a refresher, the gist of that discussion was that I found it to be somewhat lame that credit unions were complaining about how they have stringent technical controls whereas merchants don’t. My meta-point was that merchants (at least for card-based payments) have some very stringent (i.e. technically prescriptive) security controls by virtue of PCI compliance. Credit unions, on the other hand, by virtue of their regulatory context, have more “interpretive latitude” in how… Continue reading: Chatting with an auditor about credit unions

Google Wallet, cardholder data, and the edge of PCI?

So today we have some excellent coverage via the always-interesting Mocana DeviceLine blog (have I blog-rolled them enough do you think?) covering a technical deep-dive on Google Wallet from ViaForensics. An interesting read.

According to their investigation of how Google Wallet works, they’ve determined that some sensitive data is stored in cleartext on the phone, including:

  • Card type and last 4
  • Card holder name
  • Current balance
  • Available to spend
  • Statement balance
  • Payment due date
  • Citi contact number

Well, that’s interesting. Folks might object to this kind of data being stored in cleartext within Google Wallet (I sure do), but I’d like to point out that the… Continue reading: Google Wallet, cardholder data, and the edge of PCI?

Credit unions: be careful what you wish for

So today the CUNA (Credit Union National Association) issued a letter from their president to Congress (as part of the record for a hearing on data protection for small businesses) calling for merchants to be held to the “same high standards for data protection” as financial institutions.

From the letter:

As we describe below, credit unions are subject to very high data security standards under the Gramm-Leach-Bliley Act of 1999 (GLBA)… However, merchants are not required to follow these standards, and until they are held to the same standard, consumers will remain vulnerable to a system that does not… Continue reading: Credit unions: be careful what you wish for

Analysis: PCI Tokenization Guidelines offer Clarity, but Questions Remain

TechTarget just published my analysis on the PCI Tokenization Guidelines:

For years, security experts have touted the value of credit card tokenization for limiting PCI scope. The National Retail Federation (NRF) listed tokenization in its January 2009 “Key PCI Best Practices” document, and Gartner Inc. analysts John Pescatore and Avivah Litan explained how tokenization can be used to reduce PCI scope in their August 2009 research note, “Using Tokenization to Reduce PCI Compliance Requirements.”

Now, following the long-awaited release of its PCI Tokenization Guidelines in August 2011, the PCI Security Standards Council (SSC) has made it official: tokenization can reduce scope for PCI audits. Organizations that were waiting for the council’s opinion can now… Continue reading: Analysis: PCI Tokenization Guidelines offer Clarity, but Questions Remain

Tokenization: and just what is a payment application anyway?

So, for folks who pay attention to this stuff, the long-awaited PCI Tokenization guidance is finally out.

We’ll be discussing it in some depth over the next few months — in this forum and others. However, as a quick hit, the biggest win by far is that we finally know for a fact (because the council finally said it officially) that scope-limiting via tokenization is permissible. So that ought to be refreshing to folks. But really, it was pretty much the only way that it could have gone down (I do confess though to finding a “project mayhem”-esque humor in… Continue reading: Tokenization: and just what is a payment application anyway?