A Finextra member 20 January, 2014, 11:51 0 likes

Ah, those teenagers... They should be taught about PCI DSS, importance of security and firewalls. And HCE...

Or is it the other way round?..

A Finextra member 20 January, 2014, 11:59 0 likes

I think the payments industry (especially when it comes to mobile payments, especially when it comes to Android...) should take a close look at Target breach and give it a deep thought.

And then re-call history of the mobile industry - operators suffered from various security breaches, until SIM cards (aka SE) were introduced... It is EXTREMELY (!) difficult to defraud mobile operators these days. Why? Because their architecture is sound and solid.

In particular, the key authentication and security protocols used by the mobile industry are concise and covered on 20-50 pages. Compare that to 800+ pages of EMV specs (and add another hundreds of pages that EMVCo is now working on in respect of tokenisation...)

A Finextra member 20 January, 2014, 12:27 0 likes I am sure that many tools NSA uses were written by Russians as well. Who originally wrote the software should not really matter. The 'Russian teenager' made his buck by selling the malware to the people who committed the data breach. That is where probably 'Russian connection' ends. James Bond conspiracy won't help payment industry in the US Who planted it inside the POS terminals, and why Target and its Acquirer processor did not detect the breach in the first place are the main questions. Don't they check the POS software stack digital signature? What about PCI DSS? Is it useless in preventing these kinds of most likely insider type attacks? EMV + end to end unique per txn PAN tokenization (transparent to the merchant, acquirer) is the best deterrence mechanism against credit card collection and usage in online channel. Make the txn info useless to anybody except card issuer and that solves this.

A Finextra member 21 January, 2014, 07:00 0 likes

Here's the thing: It doesn't need to happen again, and here's how to do it.
1. The credit card companies need to wipe everything but the UserID (and, possibly, the company ID) from the card.
2. They then install a fraudproof user authentication system. (A tolerably good description of such a system is at www.designsim.com.au/What_is_SteelPlatez.ppsx).
3.   The customer and retailer both have accounts on the authentication system.
4.    When the customer needs to make a purchase, or checkout at the POS terminal, he either selects his credit card from a menu, or swipes the card, to identify himself and the card company.
5.   This action connects the customer to the authentication system belonging to the appropriate credit card company, passing his user ID and details of the purchase. This includes the retailer's User ID.
6. The credit card company already knows the user's card number, so if his User ID has  been authenticated, it accesses the credit card details as it would do under the current system.
7. It then checks for a match with the retailer's submission.
8. If there's a match, it performs the usual checks for limits, expiry etc, issues an approval (or not), pays the retailer etc.
Simple.