RSA has announced the general availability of the RSA Data Protection Manager, which "combines tokenization and application encryption, two popular application-based controls, with advanced token and key management to deliver end-to-end data security." RSA tokenization technology is currently used with partners like First Data Corporation and VeriFone to secure payment card data.

Akamai Technologies has announced a new Edge Tokenization payment security service that is seamless and undisruptive to a retailer's existing eCommerce workflow. The Akamai solution enables card data to be converted to a token prior to Web transactions landing on a merchant's infrastructure.

Litle & Co. has announced the availability of Litle Vault, an integrated tokenization solutions that enables CNP merchants to safely remove sensitive cardholder data from their systems without disrupting the integrity of their existing card transaction-based processes. "Delivered through the Litle payment processing platform, merchants can then use tokens in place of credit card numbers for all successive payment transactions including authorizations, deposits and chargebacks."

A recent survey commissioned by F-Secure found that online users in Finland, Germany, Malaysia, Poland, Sweden, the UK and the United States show striking variations in their experiences and perceptions of the online risks. Specific to payments, the survey results shows that payment card crime is the most prevalent in the US, where 32% of the respondents personally experienced it or knew someone who has been a victim. Malaysia (27%) and UK (27%) also reported a relatively high level of credit card crime; the lowest incidence was in Poland (11%) and Finland (12%).

Panda Security's anti-malware laboratory (PandaLabs) reports that hackers are creating 57,000 new websites each week that exploit many of the major high-profile brand names. In the investigation, PandaLabs found that banks by far comprise the majority of fake websites with 65% of the total. Online stores and auction sites are also popular at 27%, with eBay taking the spot as the #1 most targeted brand on the Web today. Western Union was the #2.

Visa has announced global industry best practices for card data tokenization.

Based on Visa's experience working with the industry and also insights from data compromise investigations, the tokenization best practices are the latest in a series of guidance to help merchants reduce or eliminate sensitive card data from payment systems and simplify data security and compliance efforts. Tokenization is the process through which a credit or debit card's 16-digit primary account number (PAN) is replaced by proxy numbers.

Visa's Best Practices for Tokenization, Data Field Encryption, and PAN Storage and Truncation may be found online at www.visa.com/cisp. READ MORE »

The Federal Financial Institutions Examination Council (FFIEC) has released an updated Retail Payment Systems Booklet that replaces the version issued in March 2004. The booklet is one of 12 that, in total, comprise the FFIEC IT Examination Handbook. The OCC commented: "The updated booklet incorporates developments in various aspects of retail payments activities since the first edition was issued and provides guidance on the risks and risk-management practices applicable to national banks. The booklet’s enterprise-wide perspective makes it a valuable tool to an entire organization in addition to an information technology department."

Thales and Voltage Security have announced a "technology integration and partnership centered around delivering end-to-end encryption and key management solutions for the payments industry and broader enterprise security applications. Through the partnership, the two companies have worked together to integrate Voltage SecureData technology with Thales hardware security modules (HSMs) for customers, Heartland Payment Systems being an example." READ MORE »

Ingenico has announced a "comprehensive strategy to provide secure end-to-end solutions to assist merchants in complying with the PCI Data Security Standards." Ingenico says its strategy addresses the entire payment transaction process including: data in flight, data at rest, and architecture. READ MORE »

The Financial Services Information Sharing and Analysis Center (FS-ISAC), a forum for sharing information about attacks, threats, vulnerabilities, and risk mitigation practices in the financial services industry, has announced that it is planning "a nationwide cyber attack simulation exercise to test the ability of financial institutions, processors, businesses and retailers to respond and recover from major cyber attack incidents that could impact their payment processes." READ MORE »

In an article titled "Cybercrooks stalk small businesses that bank online", Byron Acohido writes for USA Today about how small businesses are being targeted by fraudsters seeking to gain online banking account userid's and passwords. According to Acohido, "the American Bankers Association and the FBI are advising small and midsize businesses that conduct financial transactions over the Internet to dedicate a separate PC used exclusively for online banking."

Heartland Payment Systems has announced that yesterday it successfully completed the first phase of its end-to-end encryption pilot project. According to the company, "this first step involved the transmission of live AES (Advanced Encryption Standard)-encrypted card transactions from a merchant to Heartland’s processing platform. AES is the highest level of encryption and is currently on track to replace DES (Data Encryption Standard) and Triple DES as the desired standard for sensitive data."

Earlier this month Heartland announced it was working with Voltage Security to develop its end-to-end encryption approach. READ MORE »

Heartland Payment Systems has selected Voltage Security as a partner to develop end-to-end encryption (E3) software specifically suited to payments processing.

“Heartland is developing a complete end-to-end encryption solution designed to protect cardholder data at all stages of a transaction – from card swipe through delivery to the card brands,” said Bob Carr, Heartland’s chairman and chief executive officer. “Together with Voltage, we are developing a comprehensive solution that currently does not exist.” READ MORE »

Voltage Security has introduced the Voltage Data Breach Index, a single at-a-glance view into the state of national and global data breaches.

According to Voltage, "the visual map brings data breach reporting to life, summarizing historical and real-time breaches, size and scope, types of records, regions affected, industry and more. Perhaps most interesting is that patterns in the data enable the creation of a predictive data breach model. This model predicts, for example, that 14 data breaches will, over the next year, each expose 1,000,000 or more records to potential use by criminals. And, at least one breach of over 10,000,000 records will affect nearly 5 percent of the U.S. population." A white paper is also available.

More electronic records were breached in 2008 than the previous four years combined, fueled by a targeting of the financial services industry and a strong involvement of organized crime, according to the "2009 Verizon Business Data Breach Investigations Report" released today. Full press release here. READ MORE »

The Bank Fraud Forum Blog has been launched by Memento Security.

Fraud is a serious issue that deserves serious discussion. The Bank Fraud Forum℠ has two primary objectives: 1) to convey insights, opinions and comments on the world of financial crime, and 2) to serve as an open, albeit virtual, forum for the fraud fighting community. Our goal is to offer intelligent, timely and thought-provoking analysis of trends, news, best practices and more.

Visa chief enterprise risk officer Ellen Richey told security experts today that payment card data fraud rates remain near historic lows despite economic woes and high-profile compromises, and called for continued industry investment, collaboration and innovation, three key components in keeping the electronic payment system secure in the future. She made her comments to a gathering of business, government, academic and law enforcement officials at Visa's Global Security Summit, its third cross-functional symposium on payment security, held in Washington, DC. READ MORE »

Voltage Security has announced major enhancements to Voltage SecureData, supporting more environments and platforms, including end-to-end encryption across distributed environments such as those used by retail and payment processors. "Voltage customers are finding it easier to protect their data end-to-end, comply with regulations and protect sensitive customer information from the moment it is collected." READ MORE »

Kimberly Kiefer Peretti of the Computer Crime and Intellectual Property Section of the US Department of Justice has authored a paper titled "Data Breaches: What the Underground World of “Carding” Reveals" to be published in the Santa Clara Computer and High Technology Journal. READ MORE »

With all of the news this week surrounding the payment card data breach at Heartland Payments Systems, we've added a new section to the Payments News Bookstore with several new books covering the topic of PCI-DSS (Payment Card Industry-Data Security Standard) compliance. If you're aware of any we've missed, please send us Feedback and we'll add them to the bookstore.

In addition to these books about the subject, the PCI Security Standards Council website is a great starting point for learning more about PCI-DSS.

Heartland Payment Systems issued a press release today saying that it had "added more than 400 merchants to its client base in the past few days - exceeding results for the same period from last year" - and including a statement from founder, chairman and CEO Robert O. Carr on the response his organization has made to the announcement earlier this week of a payment card data breach at Heartland. READ MORE »

Eric Dash and Brad Stone report for the New York Times on the payment card data breach announced yesterday by Heartland Payment Systems. The compromise may have occurred as early as last May but wasn't detected until late last fall.

The Heartland breach also showed that in spite of the adoption of more stringent standards and tougher oversight by banks and credit card companies, consumers are still vulnerable."

Heartland Payment Systems has announced it has learned it was the victim of a security breach within its processing system in 2008. Heartland says it "believes the intrusion is contained." The company has created a website for "to provide information about this incident and advises cardholders to examine their monthly statements closely and report any suspicious activity to their card issuers."

Brian Krebs reports for the Washington Post that the breach "may have led to the compromise of more than 100 million credit and debit card transactions."

The data stolen includes the digital information encoded onto the magnetic stripe built into the backs of credit and debit cards. Armed with this data, thieves can fashion counterfeit credit cards by imprinting the same stolen information onto fabricated cards.

[Reposted from my personal blog: www.sjl.us]

I happened to hear from Peter Wayner that he's got new editions of both his Disappearing Cryptography (third edition) and Translucent Databases (second edition) now available.

Disappearing Cryptography is available from Amazon while it looks like Translucent Databases, for the moment anyway, is only available on the publisher's web site.

The Payment Cards Center of the Federal Reserve Bank of Philadelphia has published a new discussion paper titled "Legislative Responses to Data Breaches and Information Security Failures" by Philip Keitel. READ MORE »

In a new report titled "The Impact of Online Personal Finance Offering: The Good, the Bad, and the Ugly", TowerGroup analyst George Tubin finds the capabilities of new non-bank online personal finance web sites are of interest but raises concerns about whether the sites have "adequate fraud prevention capabilities to protect both the consumer and the bank from account takeover and identity theft." READ MORE »

In a post titled "Attacks on NFC mobile phones demonstrated", Dancho Danchev writes for ZDNet on last week's presentation by Collin Mulliner at the EUSecWest conferece in London.

ING DIRECT has announced that it has partnered with Trusteer to become the first US bank to offer Trusteer’s Rapport consumer Identity Theft protection software free to all of its customers. READ MORE »

The latest U.S. results of the Unisys Security Index find that Americans are more concerned than they were seven months ago about national security issues and health epidemics and are increasingly concerned about financial security issues and worries about identity theft. READ MORE »

Accenture has announced that it has opened a new facility at its research and development technology lab in Sophia Antipolis, France, dedicated to innovation in the rapidly growing global payments industry. The facility, called the Accenture Payments Innovation Showcase, focuses on original research and development in all facets of the payments business, including mobile communications and other point-of-sale technology, bank-to-corporate connectivity, processing, process models, biometrics, regulation such as the Single Euro Payments Area (SEPA) initiative, and security. READ MORE »