Banks push for tokenization standard to secure credit card payments

Tokenization addresses gaps in EMV smartcard standard, says industry group

A group representing 22 of the world’s largest banks is pushing for broad adoption in the U.S. of payment card technology called tokenization, citing shortcomings in the planned migration to the Europay MasterCard Visa (EMV) smartcard standard over the next two years.

The Clearing House Payments Company (TCH), whose owners include Bank of America, Citibank, Capital One and JP Morgan Chase, is working with member banks to see how tokenization can be applied to online and mobile payment environments to protect against fraud.

The effort stems from what the group says is the need to address gaps in the EMV standard involving mobile and online transactions.

“EMV has been out there for close to 20 years” and has served its purpose well, said Dave Fortney, senior vice president, product development and management for The Clearing House.

Debit and credit cards based on the EMV technology use an embedded microchip, instead of a magnetic stripe, to store data and are considered almost impossible to clone for fraudulent purposes. Though the rest of the world moved to the technology years ago, the U.S. has lagged behind for a variety of reasons.

However, after the recent Target breach that exposed data on 40 million debit and credit cards, calls to adopt the standard in the U.S. have become more strident. MasterCard and Visa have said they want merchants and banks to be ready to start accepting EMV cards by October 2015.

While the planned migration has its benefits, EMV is not quite the panacea that many assume it is, Fortney said. “The downside with EMV is that it was created when there was no Internet, no online commerce, no smartphones and no tablets.”

While EMV is great for securing card transactions at point-of-sale terminals, it is less useful for online payments and other card-not-present transactions. That is one of the major reasons why payment card fraud has migrated from point-of-sale systems to online channels in Europe and other places that have already adopted EMV.

Payment card tokenization is one way to address this gap, Fortney noted.

Tokenization is a method for protecting card data by substituting a card’s Primary Account Number (PAN) with a unique, randomly generated sequence of numbers, alphanumeric characters, or a combination of a truncated PAN and a random alphanumeric sequence.

The token is usually the same length and format as the original PAN, so it appears no different than a standard payment card number to back-end transaction processing systems, applications and storage.

The random sequence, or “token,” acts as a substitute value for the actual PAN while the data is at rest inside a retailer’s systems. The token can be reversed to its true associated PAN value at any time with the right decryption keys. Tokens can be either single use tokens or multi-use tokens.

Tokenization eliminates the need for merchants, e-commerce sites and operators of mobile wallets to store sensitive payment card data on their networks, said Fortney.

With tokenization, credit and debit card data is encrypted at the point where it is captured and sent to the merchant’s payment processor where the data is decrypted and the transaction is authorized. The processor then issues a token representing the entire transaction back to the retailer while the actual card number itself is securely stored in a virtual vault.

The retailer can use the token to keep track of the transaction and handle refunds, returns, exchanges and other transactions. The token itself would be of little value to data thieves because there would be no way to link the token back to the PAN without the decryption key.
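A minimal sketch of the vault model described above, added here as an illustration and not taken from the article, The Clearing House or any vendor. The `TokenVault` class and its method names are hypothetical, and reversal is modeled as a vault lookup rather than key-based decryption; the token keeps the PAN's length and last four digits, and both multi-use and single-use tokens are shown.

```python
import secrets

class TokenVault:
    """Hypothetical processor-side vault; the only place token-to-PAN mappings live."""

    def __init__(self):
        self._by_token = {}  # token -> (pan, single_use)
        self._by_pan = {}    # pan -> its multi-use token

    def tokenize(self, pan: str, single_use: bool = False) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("PAN must be 13-19 digits")
        if not single_use and pan in self._by_pan:
            return self._by_pan[pan]  # multi-use: one stable token per card
        while True:
            # Truncated PAN (last four) plus CSPRNG digits: same length and format.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and token not in self._by_token:
                break  # never hand back the PAN itself or reuse a live token
        self._by_token[token] = (pan, single_use)
        if not single_use:
            self._by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        pan, single_use = self._by_token[token]  # KeyError: unknown or spent token
        if single_use:
            del self._by_token[token]  # a single-use token redeems exactly once
        return pan

if __name__ == "__main__":
    vault = TokenVault()
    pan = "4111111111111111"  # constructed sample: a widely used test card number
    multi = vault.tokenize(pan)
    once = vault.tokenize(pan, single_use=True)
    print("merchant stores:", multi, once)
    print("processor resolves:", vault.detokenize(multi) == pan)
```

The merchant side only ever holds the return value of `tokenize`; everything that can map it back to a card number stays inside the vault object.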

Customers would do nothing different when paying for purchases using a credit or debit card. The card data is encrypted when the card is swiped through the payment terminal and sent to the processor, where it is decrypted for transaction approval, and a token is issued to the merchant, all without the customer experiencing anything different.

Tokenization can also be implemented on-premise with the merchant itself hosting the server that does the decryption and token issuance.

Tokenization also offers a great way to secure emerging mobile payment applications, Fortney said. A mobile wallet operator like PayPal or Google could use the approach to store one-time use tokens in a consumer’s virtual wallet rather than actual credit and debit card numbers. Consumers could use the tokens to make purchases like they would with an actual payment card while merchants would be able to complete a transaction without touching or storing actual PAN data, he said.

One major advantage with tokenization is that it does not require merchants to make major changes to their current payment acceptance systems, like EMV does, Fortney said. Tokens are formatted in the same manner as card information so merchants have to make relatively minimal changes to their payment systems, he said.

The real heavy lifting would happen at the banks, or other entities that store PAN data, generate tokens and keep track of them through the entire transaction chain.

Tokenization is not new. The Payment Card Industry Security Council, which administers a set of security standards for payment systems, recommends it as an approach for reducing the work that companies have to do to become PCI compliant.

A growing number of retailers already use tokenization as a way to reduce PCI scope, and several vendors sell tokenization products and services.

The Clearing House effort is aimed at fostering standards that everyone in the payment industry can use to implement tokenization in a consistent manner, Fortney said. “Our desire is to have an open standard across the whole industry,” he said.

The Clearing House is not the only organization looking at tokenization.

Following the Target breach, EMVCo, an entity owned by American Express, MasterCard, Visa and three other credit card brands, also announced plans to develop a tokenization standard for securing credit and debit card payments made via mobile handsets, tablet computers and online channels.

EMVCo did not respond to multiple Computerworld requests for comment on their effort. But a press release from January said the new specification would complement the existing EMV smartcard specifications that all merchants and banks are required to migrate to by the end of next year.

EMVCo’s specification will describe a “consistent approach to identify and verify the valid use of a token during payment processing including authorization, capture, clearing and settlement,” the statement noted.

The biggest benefit with tokenization is that it helps merchants remove payment card numbers from systems that don’t need it, said Terence Spies, chief technology officer at Voltage Security, a provider of encryption and other data masking technologies.

Since tokenization is done in a central way, only a small portion of the network knows how to generate and reverse a token. As a result, it is easier for banks and other third parties to protect that process, Spies said. He is also chairman of the cryptographic tools group at the X9 standards body responsible for developing cryptographic standards for the financial services industry.

Like EMVCo and The Clearing House, the X9 standards body is working on developing tokenization standards for the U.S. payment industry, Spies said. The X9 effort is focused on developing standard definitions for tokenization and for the processes for generating and validating tokens, he said. “There’s a lot of energy being put into getting tokenization right,” Spies said.

(http://www.computerworld.com/article/2487635/data-security/banks-push-for-tokenization-standard-to-secure-credit-card-payments.html)


Hollywood movies and computers…

Hacking is an art for some; for some it’s fun, and for some it’s serious tech stuff. For many people, hacking a small email account is hacking, and for some, taking down a nation is hacking. For me, it’s knowledge, and it’s safeguarding yourself from potential intruders. Normally, hacking is social engineering, and if you have landed here to watch some awesome movies on hacking, you must be aware of what social engineering is. Anyway, the movies listed below don’t teach you how to hack, but they are good enough to inspire or motivate you for hacking.

I don’t say they are all the best ones, but they are certainly at the top of the hacking movies list, and maybe you can add some from your own movie collection. This list is not in any particular order, so feel free to suggest and recommend more movies that inspired you for hacking.

1. Hackers (1995):

The Hackers movie has a complete series, named Hackers 1, Hackers 2 and so on. We will start with my favorite, “Hackers”. The main attraction of this movie is the cyber-war between Acid Burn, played by Angelina Jolie, and Zero Cool, played by Jonny Lee Miller. The villain might look funny with his approach, and this is not something for a serious hacker. The movie got an average rating, but it is worth watching.
If you want to know how hackers use their social engineering skills to get sensitive details related to your hardware, this movie will not disappoint you.

2. Antitrust (2001):

A computer programmer’s dream job at a hot Portland-based firm turns nightmarish when he discovers his boss has a secret and ruthless means of dispatching anti-trust problems.

3. The Net (1995):

Identity theft is not new to the online world of hacking. This movie is about Angela, a computer geek who lives a very low-profile life, and it shows her struggle to get her online identity back. It is probably an eye-opener for many who wonder how it is possible to completely wipe out someone’s identity and create a new one.

4. Pirates of Silicon Valley (1999):

This is a documentary movie about the birth of desktop computing, a complete saga from the 1970s to 1997. It narrates the real incidents that happened in this period between Microsoft (Bill Gates) and Apple (Steve Jobs). Again, it is not a real movie on hacking, but it is worth watching for everyone. After all, hacking is all about spirit and knowing the basics, and our basics are computers.

5. Takedown (2000):

Kevin David Mitnick is at present working as an American computer security consultant. This movie is about his life and how a hacker turned into a computer security counselor for the country. Just to add more to the surprise, when Kevin was arrested for his cyber-crime, he was on the list of most wanted cyber criminals.

6. WarGames (1983):

An Academy Award-winning movie about a young hacker who initiated a nuclear warhead by mistake, possibly the start of World War III. Somehow, I didn’t enjoy watching this movie much, but many of my friends liked it and recommended that it be added to this list.

7. Swordfish (2001):

Talking about hacking, how can we forget John Travolta’s Swordfish, which shows his intelligence and a master plan to steal billions of dollars from U.S. soil without getting caught.

8. Live Free or Die Hard (2007):

This movie is about the complete takedown of a country by an attack on its grids. Here the villain, Gabriel, plans to take down the last piece of data containing all the financial transaction records for the country. This is a well-planned attack, and at one point you will be amazed to see the pattern of the attack. Though it’s more of a Bruce Willis action movie sequel, it is worth watching.

9. The Matrix (1999):

This movie is about “Neo”, a computer hacker who learns from mysterious rebels about the true nature of his reality and his role in the war against its controllers. You might consider watching the whole Matrix trilogy, as this movie is incomplete without its sequels.

10. Untraceable (2008):

I saw this movie last week, and liked the concept of the movie. The movie features the gorgeous and sexy Diane Lane. It shows how a website, http://www.killwithme.com, which shows the live torturous killing of users, becomes a hit, and Diane ends up finding the killer.

11. Sneakers (1992):

A group of computer hackers parlay their skills into a career, testing the security of computer systems by deliberately trying to break into them. They get entangled in a complex plot involving the National Security Agency and the Mafia.

12. The Social Network (2010):

Needless to mention, it’s not a hacking movie, but I’m sure that, talking about hacking, you might want to know how Facebook came into existence and why there are so many controversies related to Facebook. You might even change your perception of Mark Zuckerberg. It’s the complete story of how a Harvard student started a simple site to compare girls and how he landed on the idea of Facebook. A complete journey of Facebook, which every geek should watch.
