Wednesday, February 26, 2014

TARGET'S 3DES ENCRYPTION STATEMENT: WHAT DOES IT TELL US? WHAT INFORMATION IS MISSING? AND WHERE DOES PCI APPLY?

On December 27, Target issued an official statement about hackers' access to encrypted debit card PIN data along with the payment card numbers accessed during its breach event.

Some have wondered whether Target's claims regarding the encrypted PIN codes are accurate. Although Target has not provided us with enough details to make a firm assertion that they are in fact accurate, there is nothing in their statement to indicate they are inaccurate, either. The details they have disclosed all seem to align with what we know is true about the payment workflow: Customer PIN codes are encrypted on the keypad using encryption keys stored in a limited-feature Hardware Security Module (HSM), and the encrypted PINs are sent to Target's payment processor, where they are validated in an HSM on the processor side. In other words, neither the unencrypted PIN data nor the encryption keys ever touch any of Target's systems.

A FRESH NEW START MEANS A FRESH NEW LOOK AT YOUR PCI STATUS

Happy New Year! It's the time of year when many of us celebrate a fresh start and make new resolutions. Your resolution may have been one of the common ones: get to the gym more, stress less, actually use those vacation days this year. And like you, hackers make their own resolutions: attack more, reduce the time it takes to access a private database, take advantage of new attack vectors, and, generally, cause more mayhem.

BUILDING MORE MOMENTUM: WHY NOW IS THE PERFECT TIME FOR ACQUIRERS TO RE-TOOL THEIR PCI PROGRAMS

The last couple of months have felt like a rollercoaster ride for those of us in the security and compliance space, as we watch multiple retailers come forward about data breaches and the forensic evidence being uncovered. In the midst of this, ControlScan has conducted two important payments industry surveys that lend credence to the belief that now, more than ever, security is everyone's problem.