Posts Tagged ‘acquiring banks’

26 Aug 2015

A Better Mouse Trap?

I had the pleasure of recently talking to David Marsyla, CEO of PocketKey (http://www.pocketkey.com), about their new solution for securing card transactions. PocketKey is an independent attempt to address the security issues with card transactions, particularly card-not-present (CNP) transactions such as those behind eCommerce. If any part of the payment ecosystem needs a security solution, it is the CNP space.

While PocketKey appears to provide a very secure method of conducting transactions, during our conversation I expressed my concerns about their business model.

  • We have seen this before. Back around the turn of the century, Visa, MasterCard and American Express all flirted with similar schemes that required their EMV cards to be inserted into a serial device connected to a PC in order to be used online. Unfortunately, very few Web sites ever supported the associated application programming interfaces (APIs), so these solutions disappeared as quickly as they had been rolled out.
  • It is not as portable as I would have hoped. PocketKey must be plugged into your PC, smartphone or other device that can provide Internet access. If an application on that device supports the PocketKey API, the application can store the encrypted cardholder data (CHD) from the PocketKey for use in future transactions.
  • It requires application changes. For PocketKey to work, applications must be modified to use the PocketKey API in order to get the full potential out of the solution. This means PocketKey needs to get application providers on board before the solution can be implemented. In my very humble opinion, the best solution is one that requires no application changes at the merchant end.
  • It requires the cooperation of transaction gateways, processors or banks. Not only do applications need to be addressed, but card transaction gateways, processors or banks also need to support PocketKey, because the encrypted data generated by PocketKey must at some point be converted back to actual CHD for authorization.
  • EMV provides similar capabilities. EMV cards can secure transactions through the use of dynamic primary account numbers (PANs), dynamic card verification values (CVVs) and other security features. However, these capabilities also require changes to applications as well as to transaction gateways, processors or acquiring banks in order to work. Do not be surprised if, once the US EMV roll out is completed, Visa and MasterCard then tout these “new” security features and push for their implementation by merchants, gateways, processors and banks.

It is not that these limitations cannot be surmounted so much as that they require cooperation across the application and transaction processing communities to make the solution work. It is nice to see someone trying to do something about fraud. Card-present fraud is almost a thing of the past and will be once magnetic stripes are completely gone (which is still a long way off). CNP fraud, however, continues to grow as attackers find it the only way to quickly monetize their illegally obtained CHD.

I wish PocketKey all the best and hope they attract the necessary partnerships to make their business model work.

18 Jul 2010

An Open Letter To Acquiring Banks

Get with the program, people!

The PCI standards have been around for almost four years now, and you would think that, with all of the press the PCI standards have received, the key participants would be intimately familiar with them. However, the more I talk to acquiring banks, the more I am amazed that most of them are still not with the program. It is time for all acquiring banks to get a clue about the PCI standards and their responsibilities under them.

Acquiring banks have many responsibilities under the PCI standards. The first of these is to understand and support the standards. However, it is painfully obvious from trying to work with acquiring banks that most are clueless about the PCI standards, let alone their responsibilities under them. The card brands and the PCI SSC have focused on educating QSAs, merchants and service providers, to the detriment of educating acquiring banks. I cannot tell you how many conversations I have had with acquiring banks that have no idea what their responsibilities are, let alone any knowledge of the PCI standards themselves. What I dearly love are those acquiring banks that tell me they have no responsibilities at all in regard to the PCI standards, that it is a merchant program.

This is not just a problem in the United States; it is worldwide. It is a very big issue in Asia, where acquiring banks seem to be totally clueless about the PCI standards. It is somewhat better in Europe, but because European acquiring banks have been brainwashed to believe that Chip and PIN gives them a security edge, they are not aggressively promoting PCI compliance. At least the European acquiring banks seem to have a basic understanding of the PCI standards and some of their responsibilities.

Another responsibility of acquiring banks is to be the final arbiter between merchants or service providers and their QSAs. According to the card brands, if a merchant or service provider is at loggerheads with their QSA over whether a PCI requirement has been met, the acquiring bank is supposed to settle the dispute. Yet in the handful of instances where I have been involved in such disputes, the acquiring bank has provided limited or no assistance.

An even bigger problem involves small merchants trying to decide which Self-Assessment Questionnaire (SAQ) to file. Again, the card brands have stated that the decision about which SAQ to file is the responsibility of the acquiring bank and no one else. Yet time and again, our small merchant clients contact my Firm because the acquiring bank has told them it is up to a QSA to determine which SAQ to file.

Then there is the acquiring banks’ responsibility to follow the PCI standards themselves. Yet time and again, I run into instances where the acquiring bank is transmitting cardholder data insecurely to or from the merchant or service provider. The number of acquiring banks that use plain FTP or electronic mail to transmit cardholder data is staggering and, four years into the PCI standards’ existence, unacceptable. When you raise the issue, a lot of acquiring banks will tell you that the PCI standards are for merchants, not for them. The other excuse I hear is that the acquiring bank is working on securing its transfers of cardholder data. Again, after four years of the PCI standards, you are only now getting around to securing the transmission of cardholder data? Unbelievable.
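The quickest way to confirm the problem described above is to look for PANs in the clear in whatever the bank actually sends. The following is an added example, not code from the post or from any acquirer or vendor it mentions: it scans a constructed e-mail body and a constructed FTP session log (both embedded below, using the public test card numbers rather than real accounts) for 13 to 19 digit candidates, keeps only those that pass the Luhn check so that dates and merchant reference numbers are not reported, and returns each hit masked to first six / last four with its source and line number. The sample texts, the source labels and the finding format are assumptions for the example.

```python
import re

# Constructed sample data (not from the post): an e-mail body and an FTP
# session log of the kind described above, where an acquirer sends
# cardholder data in cleartext. The card numbers are the well-known
# public test PANs, not real accounts.
SAMPLE_EMAIL = """From: settlements@example-acquirer.test
To: ops@merchant.test
Subject: chargeback detail 2015-08-26

Card 4111 1111 1111 1111 exp 12/19, amount 42.17
Card 5500-0000-0000-0004 exp 01/20, amount 9.99
Order 1234567890123 is the merchant reference, not a card.
"""

SAMPLE_FTP_LOG = """2015-08-26 03:12:01 STOR /incoming/batch_0826.csv 4012888888881881,0.50
2015-08-26 03:12:02 STOR /incoming/batch_0826.csv 4012888888881882,0.50
"""

# A candidate PAN is 13 to 19 digits, optionally separated by single spaces
# or dashes, and not embedded in a longer run of digits.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask to first six / last four, the most PCI DSS permits to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str, source: str) -> list:
    """Return masked, Luhn-valid PAN findings with their source and line number."""
    findings = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_valid(digits):
            continue            # reference numbers and dates fail the check
        line_no = text.count("\n", 0, m.start()) + 1
        findings.append({"source": source, "line": line_no, "pan": mask_pan(digits)})
    return findings


def scan_samples() -> list:
    """Scan both constructed samples; any result means CHD is travelling in the clear."""
    return find_pans(SAMPLE_EMAIL, "email") + find_pans(SAMPLE_FTP_LOG, "ftp-log")


if __name__ == "__main__":
    for f in scan_samples():
        print(f"{f['source']}:{f['line']}: cleartext PAN {f['pan']}")
```

Run against the samples it reports three PANs (two from the e-mail, one from the FTP log) and ignores the 13-digit order reference and the batch line whose check digit is wrong. The Luhn filter cuts false positives but does not eliminate them, and a plain regex will miss PANs that are split across lines or encoded, so treat a clean result as a spot check rather than proof that a transfer channel is safe.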

This year we started receiving calls from banks and credit unions that drive their own ATM networks and had been asked by their ATM network interconnection provider, such as NYCE or Pulse, to obtain a PCI Report On Compliance. What a wakeup call. In a number of cases, the institution was shocked that the PCI standards applied to it and questioned us extensively to confirm that it really had to go through the process.

As a QSA out in the field, I find these attitudes are simply no longer acceptable. The PCI program flounders in part because one of its key constituents is not on board. It is time for the PCI SSC and the card brands to educate the acquiring banks and get them engaged.
