Retailers try to push data responsibilities back to banks

Anne & Lynn Wheeler lynn at garlic.com
Fri Oct 5 18:13:36 EDT 2007


some number of other recent notes on the subject:

Customer Service: Consumer Confidence at Stake in Retail, Credit Card
Industry Clash
http://www.ecommercetimes.com/story/59670.html
Retailer PCI Rebellion: 'No More Storing Credit Card Numbers'
http://www.darkreading.com/document.asp?doc_id=135602
Retailers Fighting To No Longer Store Credit Data
http://it.slashdot.org/it/07/10/05/192250.shtml
Retail group takes a swipe at PCI
http://www.infoworld.com/article/07/10/05/Retail-group-takes-a-swipe-at-PCI_1.html
Retailers Challenge the Networks’ Card-Data Storage Requirements
http://www.digitaltransactions.net/newsstory.cfm?newsid=1536
NRF to Credit Card Companies: Stop Forcing Retailers to Store Credit Card Data
http://www.nrf.com/modules.php?name=News&op=viewlive&sp_id=380
Retail group takes a swipe at PCI, puts card companies 'on notice'
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9040958&taxonomyId=17
Rethinking the Assumptions Behind PCI-DSS
http://www.paymentsnews.com/2007/10/rethinking-the-.html
PCI Is Here: Keeping the barbarians outside the cyber gates
http://www.practicalecommerce.com/articles/580/Caveat-Vendor-PCI-Is-Here/
Retailers, Credit Card Industry Clash
http://www.physorg.com/news110781861.html

.... 

we had been called in to consult with this small client/server startup that
wanted to do payment transactions. this required some amount of translating
technology into business critical data processing ... which has somewhat
come to be referred to as "electronic commerce". This included technology
invention that they called SSL ... and among other things we had to do
some detailed audits of these supporting infrastructures that were calling
themselves certification authorities ... various past posts on the subject
http://www.garlic.com/~lynn/subnetwork.html#gateway

in the mid-90s we got involved in the x9a10 financial standard working group
that had been given the requirement to preserve the integrity of the
financial infrastructure for all retail payments. we drew on our experience
having previously done "electronic commerce" as well as some detailed
vulnerability studies and threat models. having been given the requirement
for all retail payments ... we had to look at a standard that was lightweight
enough that it could be easily deployed in both point-of-sale as well as internet
environments ... and provide end-to-end security and integrity with countermeasures
for both "data-in-flight" vulnerabilities (aka transaction transmission)
as well as "data-at-rest" vulnerabilities (aka transaction logs and databases).
part of the issue was some studies that claimed as much as 70 percent
of ("data-in-flight" and "data-at-rest") compromises involved "insiders"
(aka countermeasures had to recognize that the majority of compromises
possibly involved individuals with legitimate access to the information).

the resulting financial standard was x9.59
http://www.garlic.com/~lynn/x959.html#x959

the x9.59 approach was to eliminate fraudulent transactions resulting from
eavesdropping and data breach compromises ... aka it didn't eliminate
eavesdropping and data breach compromises ... but it eliminated the
ability of attackers (insiders or outsiders) to use the information
that they had obtained for purposes of doing fraudulent transactions.

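[editor's note: the following is an added illustration of the "captured data is useless for new transactions" property described above; it is not part of Lynn's post, nor text or code from the x9.59 standard. The signature algorithm (Ed25519), the per-account counter used as a nonce, the field encoding and the account/merchant names are all assumptions made for this example. The point it shows: everything the merchant transmits and logs can leak to an insider or outsider, yet neither a verbatim replay nor an edited copy of a logged record authorizes anything, because authorization requires a fresh signature from a key that never appears in the data-in-flight or data-at-rest.]

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Transaction is everything a merchant sees, transmits and logs. In this model
// every field here is assumed to leak eventually (in flight or at rest),
// including to insiders with legitimate access to the logs.
type Transaction struct {
	Account  string
	Merchant string
	Amount   uint64 // minor currency units (constructed sample values below)
	Nonce    uint64 // strictly increasing per account, chosen by the signer
	Sig      []byte // signature over the other four fields
}

// payload is the canonical, length-prefixed byte string that gets signed.
func (t Transaction) payload() []byte {
	var buf []byte
	var tmp [8]byte
	for _, s := range []string{t.Account, t.Merchant} {
		binary.BigEndian.PutUint32(tmp[:4], uint32(len(s)))
		buf = append(buf, tmp[:4]...)
		buf = append(buf, s...)
	}
	binary.BigEndian.PutUint64(tmp[:], t.Amount)
	buf = append(buf, tmp[:]...)
	binary.BigEndian.PutUint64(tmp[:], t.Nonce)
	buf = append(buf, tmp[:]...)
	return buf
}

// Signer lives on the account holder's device; the private key never leaves it
// and never appears in any transaction record.
type Signer struct {
	account string
	priv    ed25519.PrivateKey
	nonce   uint64
}

// NewSigner generates the device key pair and returns the public half for
// registration with the issuer. Ed25519 is an assumption for this example.
func NewSigner(account string) (*Signer, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Signer{account: account, priv: priv}, pub, nil
}

// Sign produces a transaction bound to this merchant, amount and a fresh nonce.
func (s *Signer) Sign(merchant string, amount uint64) Transaction {
	s.nonce++
	t := Transaction{Account: s.account, Merchant: merchant, Amount: amount, Nonce: s.nonce}
	t.Sig = ed25519.Sign(s.priv, t.payload())
	return t
}

// Issuer authorizes transactions. It stores only public keys and the last nonce
// accepted per account, so a breach of its own tables also yields nothing that
// can sign a new transaction.
type Issuer struct {
	keys      map[string]ed25519.PublicKey
	lastNonce map[string]uint64
}

func NewIssuer() *Issuer {
	return &Issuer{keys: map[string]ed25519.PublicKey{}, lastNonce: map[string]uint64{}}
}

func (i *Issuer) Register(account string, pub ed25519.PublicKey) { i.keys[account] = pub }

// Authorize accepts a transaction only if it carries a valid signature from the
// registered key AND a nonce newer than anything already accepted: a logged
// record cannot be replayed, and its fields cannot be altered.
func (i *Issuer) Authorize(t Transaction) error {
	pub, ok := i.keys[t.Account]
	if !ok {
		return fmt.Errorf("unknown account %q", t.Account)
	}
	if !ed25519.Verify(pub, t.payload(), t.Sig) {
		return errors.New("signature invalid: fields altered or not signed by the account key")
	}
	if t.Nonce <= i.lastNonce[t.Account] {
		return errors.New("nonce not fresh: replay of a logged transaction")
	}
	i.lastNonce[t.Account] = t.Nonce
	return nil
}

func main() {
	dev, pub, err := NewSigner("acct-0001") // constructed sample account
	if err != nil {
		panic(err)
	}
	iss := NewIssuer()
	iss.Register("acct-0001", pub)

	tx := dev.Sign("merchant-42", 1999)
	fmt.Println("genuine:", iss.Authorize(tx)) // <nil>
	fmt.Println("replay: ", iss.Authorize(tx)) // verbatim copy of the logged record: nonce not fresh
	forged := tx
	forged.Amount, forged.Nonce = 250000, tx.Nonce+1
	fmt.Println("altered:", iss.Authorize(forged)) // edited logged record: signature invalid
}
```

the detection side falls out of the same checks: an issuer that sees signature failures or stale nonces on an account is seeing someone working from captured transaction data, and has a concrete signal to act on rather than a silent loss.
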
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com