Heartland Payment Systems has announced that yesterday it successfully completed the first phase of its end-to-end encryption pilot project. According to the company, "this first step involved the transmission of live AES (Advanced Encryption Standard)-encrypted card transactions from a merchant to Heartland’s processing platform. AES is the highest level of encryption and is currently on track to replace DES (Data Encryption Standard) and Triple DES as the desired standard for sensitive data."

Earlier this month Heartland announced it was working with Voltage Security to develop its end-to-end encryption approach. READ MORE »

Heartland Payment Systems has selected Voltage Security as a partner to develop end-to-end encryption (E3) software specifically suited to payments processing.

“Heartland is developing a complete end-to-end encryption solution designed to protect cardholder data at all stages of a transaction – from card swipe through delivery to the card brands,” said Bob Carr, Heartland’s chairman and chief executive officer. “Together with Voltage, we are developing a comprehensive solution that currently does not exist.” READ MORE »

Voltage Security has introduced the Voltage Data Breach Index, a single at-a-glance view into the state of national and global data breaches.

According to Voltage, "the visual map brings data breach reporting to life, summarizing historical and real-time breaches, size and scope, types of records, regions affected, industry and more. Perhaps most interesting is that patterns in the data enable the creation of a predictive data breach model. This model predicts, for example, that 14 data breaches will, over the next year, each expose 1,000,000 or more records to potential use by criminals. And, at least one breach of over 10,000,000 records will affect nearly 5 percent of the U.S. population." A white paper is also available.

More electronic records were breached in 2008 than the previous four years combined, fueled by a targeting of the financial services industry and a strong involvement of organized crime, according to the "2009 Verizon Business Data Breach Investigations Report" released today. Full press release here. READ MORE »

The Bank Fraud Forum Blog has been launched by Memento Security.

Fraud is a serious issue that deserves serious discussion. The Bank Fraud Forum℠ has two primary objectives: 1) to convey insights, opinions and comments on the world of financial crime, and 2) to serve as an open, albeit virtual, forum for the fraud fighting community. Our goal is to offer intelligent, timely and thought-provoking analysis of trends, news, best practices and more.

Visa chief enterprise risk officer Ellen Richey told security experts today that payment card data fraud rates remain near historic lows despite economic woes and high-profile compromises, and called for continued industry investment, collaboration and innovation, three key components in keeping the electronic payment system secure in the future. She made her comments to a gathering of business, government, academic and law enforcement officials at Visa's Global Security Summit, its third cross-functional symposium on payment security, held in Washington, DC. READ MORE »

Voltage Security has announced major enhancements to Voltage SecureData, supporting more environments and platforms, including end-to-end encryption across distributed environments such as those used by retail and payment processors. "Voltage customers are finding it easier to protect their data end-to-end, comply with regulations and protect sensitive customer information from the moment it is collected." READ MORE »

Kimberly Kiefer Peretti of the Computer Crime and Intellectual Property Section of the US Department of Justice has authored a paper titled "Data Breaches: What the Underground World of “Carding” Reveals" to be published in the Santa Clara Computer and High Technology Journal. READ MORE »

With all of the news this week surrounding the payment card data breach at Heartland Payments Systems, we've added a new section to the Payments News Bookstore with several new books covering the topic of PCI-DSS (Payment Card Industry-Data Security Standard) compliance. If you're aware of any we've missed, please send us Feedback and we'll add them to the bookstore.

In addition to these books about the subject, the PCI Security Standards Council website is a great starting point for learning more about PCI-DSS.

Heartland Payment Systems issued a press release today saying that it had "added more than 400 merchants to its client base in the past few days - exceeding results for the same period from last year" - and including a statement from founder, chairman and CEO Robert O. Carr on the response his organization has made to the announcement earlier this week of a payment card data breach at Heartland. READ MORE »

Eric Dash and Brad Stone report for the New York Times on the payment card data breach announced yesterday by Heartland Payment Systems. The compromise may have occurred as early as last May but wasn't detected until late last fall.

The Heartland breach also showed that in spite of the adoption of more stringent standards and tougher oversight by banks and credit card companies, consumers are still vulnerable."

Heartland Payment Systems has announced it has learned it was the victim of a security breach within its processing system in 2008. Heartland says it "believes the intrusion is contained." The company has created a website for "to provide information about this incident and advises cardholders to examine their monthly statements closely and report any suspicious activity to their card issuers."

Brian Krebs reports for the Washington Post that the breach "may have led to the compromise of more than 100 million credit and debit card transactions."

The data stolen includes the digital information encoded onto the magnetic stripe built into the backs of credit and debit cards. Armed with this data, thieves can fashion counterfeit credit cards by imprinting the same stolen information onto fabricated cards.

[Reposted from my personal blog: www.sjl.us]

I happened to hear from Peter Wayner that he's got new editions of both his Disappearing Cryptography (third edition) and Translucent Databases (second edition) now available.

Disappearing Cryptography is available from Amazon while it looks like Translucent Databases, for the moment anyway, is only available on the publisher's web site.

The Payment Cards Center of the Federal Reserve Bank of Philadelphia has published a new discussion paper titled "Legislative Responses to Data Breaches and Information Security Failures" by Philip Keitel. READ MORE »

In a new report titled "The Impact of Online Personal Finance Offering: The Good, the Bad, and the Ugly", TowerGroup analyst George Tubin finds the capabilities of new non-bank online personal finance web sites are of interest but raises concerns about whether the sites have "adequate fraud prevention capabilities to protect both the consumer and the bank from account takeover and identity theft." READ MORE »

In a post titled "Attacks on NFC mobile phones demonstrated", Dancho Danchev writes for ZDNet on last week's presentation by Collin Mulliner at the EUSecWest conferece in London.

ING DIRECT has announced that it has partnered with Trusteer to become the first US bank to offer Trusteer’s Rapport consumer Identity Theft protection software free to all of its customers. READ MORE »

The latest U.S. results of the Unisys Security Index find that Americans are more concerned than they were seven months ago about national security issues and health epidemics and are increasingly concerned about financial security issues and worries about identity theft. READ MORE »

Accenture has announced that it has opened a new facility at its research and development technology lab in Sophia Antipolis, France, dedicated to innovation in the rapidly growing global payments industry. The facility, called the Accenture Payments Innovation Showcase, focuses on original research and development in all facets of the payments business, including mobile communications and other point-of-sale technology, bank-to-corporate connectivity, processing, process models, biometrics, regulation such as the Single Euro Payments Area (SEPA) initiative, and security. READ MORE »

Two important new books about security - and payments security in particular - arrived on my desk this week.

The first book - the second edition of Ross Anderson's Security Engineering - provides fascinating insights into all of those things that are often overlooked when designing secure systems. Anderson provides a comprehensive survey of the issues, the nature of successful attacks, with serious recommendations on how to simply do better across a range of security applications. This is a big book - not exactly suited for reading on the beach - but important nonetheless! Rated 4.5 out of 5 stars by Amazon.com reviewers.

The second book - Zero Day Threat by Byron Acohido and Jon Swartz - provides real insights into the threats that attackers are exploiting to gain the necessary information to take over online banking, PayPal, brokerage, and other accounts. If "know your enemy" makes sense to you, then you'll find Zero Day Threat of great interest. Zero Day Threat is 5-star rated by Amazon.com reviewers.

Both of these books have just been added to the first page of the Payments News Bookstore on Amazon.com.

Brian Krebs writes for his Security Fix blog at the Washington Post about changes to the banking code in the UK that stress that online banking customers have the responsibility to keep up-to-date anti-virus, anti-spyware, etc. software installed on their computers - and wonders why more US banks don't make available hardware tokens to secure online access (the way PayPal optionally does).

Nearly 90 percent of Americans say they feel safe online despite the rising tide of spyware, phishing and other badware threatening Internet users, according to a new poll sponsored by StopBadware.org, a consumer protection initiative aimed at combating dangerous software.

The Federal Trade Commission has announced that TJX has agreed to settle charges that it engaged in practices that, taken together, failed to provide reasonable and appropriate security for sensitive consumer information. The settlements will require that TJX implement comprehensive information security programs and obtain audits by independent third-party security professionals every other year for 20 years. Full details available here.

Jaikumar Vijayan writes for Computerworld about last week's announcement by Visa of new payment application security mandates. "Basically, they require any company that accepts payment card transactions to ensure that all third-party payment applications they use to store, process or transmit cardholder data comply with a set of minimum security requirements from Visa."

Aite Group has published a new report titled "Mobile Banking Security: The Black Cloud Attached to the Silver Lining" that it says "investigates security vulnerabilities for mobile banking, both now and in the near future, focusing on the methods that are being deployed to mitigate risk over this emerging channel."

Taking on an expanded role, the PCI Security Standards Council has announced that it has also assumed responsibility for the PIN Entry Device (PED) Security Requirements that were previously administered under the auspices of JCB, MasterCard International and Visa International.

The PULSE EFT Association has launched its annual nationwide effort encouraging consumers to review and practice safety tips when using their ATM/debit cards. New to the network’s ATM/Debit Card Safety Awareness Month campaign this June is an increased focus on privacy and fraud protection.

Javelin Strategy & Research has announced new report titled "Mobile Banking Security: The Call for Technology Standards and Proactive Security Messaging" (PDF).

Sarah D. Scalet writes for CSO Magazine about the Payment Card Industry - Data Security Standard (PCI-DSS) standard - calling it "corporate America's most ambitious effort yet to prove that it can self-regulate."

RSA has announced "an expanded Payment Card Industry Data Security Standard (PCI DSS) Solution portfolio, a suite of products and services that help enable customers to answer the most challenging IT security technology challenges associated with the PCI DSS. As part of the RSA PCI Solution, RSA also announced a new blueprint for promoting compliance by discovering data and infrastructure, assessing risk, enacting remediation and ensuring sustained controls."