Tracy Kitten at Bank Info Security reports that technology and payments players are debating the topic of EMV, and how it might affect the U.S. payments industry. That debate has pushed the PCI Security Standards Council to issue new guidance about a possible chip and PIN shift. During the PCI Security Standards Council’s North American Community Meeting in Orlando, Fla., the council discussed a number of emerging technologies, including EMV — the payments card standard that has become the norm throughout most of Europe. U.S. merchants and financial institutions may soon follow suit, as security vulnerabilities related to the magnetic stripe increasingly expose cardholders to skimming attacks.
The Register reports that credit card fraudsters may have pocketed as much as $500,000 over the past month by pursuing a new type of attack that exploits a major blind spot in payment processors’ defenses, an analyst said. The “flash attacks” recruit hundreds of money mules who go to ATMs throughout the US and almost simultaneously withdraw relatively small sums of money from a single compromised account, according to Avivah Litan, vice president at market research firm Gartner, who follows the credit card industry. They then move on to a new account. At the end of the month, the heists can fetch as much as $500,000.
BusinessWire reports that Dynamics Inc. unveiled its anti-skimming technology at BAI Retail Delivery in Las Vegas. Each year, the payment ecosystem loses billions of dollars from fraudsters stealing credit card numbers. More advanced fraudsters steal credit card numbers by breaking into merchant servers where the numbers are electronically stored. Dynamics’ anti-skimming device, called the Dynamic Credit Card™, helps to protect consumers and merchants against this threat by automatically writing a new, unique dynamic security code onto its magnetic stripe for every in-store purchase. A display can also be added to the card so the card can automatically display a new, unique dynamic security code for every online purchase – thus replacing the three- or four-digit security code physically printed on traditional cards.
SC Magazine reports that the PCI Security Standards Council (PCI SSC) released version 2.0 of the PCI data security standard (PCI DSS) and payment application data security standard (PA DSS) this week with minor changes. The council says the release is designed ‘to provide greater clarity and flexibility to facilitate improved understanding of the requirements and eased implementation for merchants’; version 2.0 will become effective on the 1st of January 2011. As revealed by SC Magazine in August, version 2.0 does not introduce any new major requirements and the majority of changes are modifications to the language, which clarify the meaning of the requirements and make understanding and adoption easier for merchants.
PaymentsNews reports that the PCI Security Standards Council (PCI SSC) has announced the availability of separate guidance papers on the use of end-to-end (E2E) encryption and EMV technologies in a payment card data environment. The documents are intended to provide the market with greater clarity on how these two specific technologies relate to the PCI Security Standards and impact PCI DSS compliance.
Tim Horton at First Data and Rob McMillon at RSA have written a white paper on encryption and tokenization payment security technologies. They note that solutions such as end-to-end encryption and tokenization can help merchants go beyond the current requirements of PCI, solving many vulnerabilities in the payments processing chain. Learn more about the technologies behind encryption and tokenization—what they are, the different ways they can be implemented, and the benefits and drawbacks of selecting a particular method of implementation.
Bank Info Security reports that researchers at S21sec have confirmed a malware threat to mobile banking devices. In late September, the Zeus Trojan hit mobile banking users at 12 Spanish banks. S21sec discovered a link between malware that was hitting online users and their mobile devices. Ultimately, it was a dual-Zeus compromise, says Daniel Brett, head of business development for S21sec. Brett says this so-called man-in-the-mobile, or Zeus Mitmo, attack is likely just the beginning, as other types of malware aimed at mobile devices can be expected.
Tim Wilson at Dark Reading reports that despite millions of dollars in spending and millions of hours in training, identity theft has become more widespread in 2010 than at any point in history. Maybe, a new industry group suggests, it’s time to take a different approach. The Identity Theft Council, a new consortium of business and law enforcement entities that launched earlier this week in San Francisco, proposes to attack the ID theft problem in reverse: Instead of going global, it’s going local — and personal.
Jose Diaz, director of technical and strategic business development at Thales e-Security, writes in SC Magazine on the U.S. impact on credit card security. He notes, “With almost every other developed country in the world now moving toward chip-and-PIN technology to support EMV, a global standard for authenticating credit and debit card payments, the continued use of magnetic stripe cards in the United States has looked out of order for a while now. The reasons behind the United States’ stance are complex, but it seems now that some important voices are calling for a change, and as more voices are heard, the chance for change will only increase.”
The New York Times reports that an Armenian-American crime syndicate stole the identities of doctors and thousands of patients, then used them at more than a hundred spurious clinics in 25 states to bill Medicare for more than $100 million for treatments no doctor ever performed and no patient ever received, according to the federal authorities. The group’s members and associates are charged with numerous crimes, including racketeering, health care fraud, identity theft, money laundering and bank fraud.