February 2008 Issue
If you think it’s tough to convince one merchant to become compliant, try being the person who has to do it for the entire payments industry.
As the first general manager of the PCI Security Standards Council (PCI SSC), it’s Robert Russo’s job to get stakeholders on the PCI Data Security Standard (PCI DSS) bandwagon. He oversees the PCI Council’s training, testing, and certification programs for Qualified Security Assessors (QSAs), Approved Scanning Vendors (ASVs), and related staff, and is the key resource for the certification process. He also coordinates research and analysis regarding PCI DSS, solicits feedback from the vendors and merchants, and steers council member recruitment.
As Russo gets ready to celebrate his first anniversary in this demanding role, Transaction Trends asked him to reflect on the past 12 months and his vision for keeping transactions on the straight and narrow.

Transaction Trends: What is your perspective on the state of PCI compliance, and how do you expect compliance to evolve in the coming years?
Feature: Show Them Your Cards
The numbers are in: Gift and loyalty cards are must-haves for consumers, and according to industry insiders, they are the latest way to add some punch to your sales portfolio.
The closed-loop market will generate $239.9 billion, up from $171.2 billion in 2006, and network branded cards will garner $181.6 billion, up from $26.8 billion in 2006, according to a recent report from The Mercator Advisory Group. Industry observers estimate that gift cards made up 6 percent of holiday spending last year by bringing in more than $35 billion—nearly double what was spent in 2005.
“My passion is gift and loyalty cards, but I feel so conflicted even speaking publicly about it because the industry has neglected the prepaid market so extensively that I may be waking up a giant,” says Jared Isaacman, president and CEO of United Bank Card. “At UBC, our 2008 game plan has gift and loyalty right up there as one of the most important projects of the year. It’s a fantastic market.”
Feature: Selling Security
Seven years ago, ISOs could go about business the way they always had: “They sold fairly simple point-of-sale (POS) terminal programs to vendors, and that’s about all there was to it,” says Cliff Gray, an associate with The Strawhecker Group, an Omaha-based consulting firm that targets the payments industry. “Sponsor banks or processors—whomever the ISO had a relationship with—provided support for the terminal and the application running on it,” he adds.
Data security was simpler, too. Terminals communicated over what were relatively closed networks that revolved around the telephone line.
“As soon as we started pushing transactions over the open Internet, all kinds of schemes, scanning software, Trojan horses, and other mechanisms arrived on the scene to exploit the vulnerabilities of POS systems and capture and steal card data,” says Steve Mathison, vice president of POS terminal and hardware solutions for First Data in Greenwood Village, Colorado.
Risk in Review: The Card-Fraud Horizon
Now that the pressure of the holiday retail season is in the rearview mirror, those who toil in the back office looking for (and intercepting) persistent—and sometimes ingenious—attempts at card fraud can take stock.
As always, there is good and bad news. Fraud attempts are still with us, of course, but consistent vigilance and an ever-increasing degree of cooperation and communication among the payments industry’s fraud experts are doing a better-than-ever job of minimizing the number and size of such incidents.
Fraudulent transactions held steady in 2007 at about 2 percent of the total, the same as in 2006, according to Celent Communications, a banking industry consulting firm based in Boston. Most of that fraud originates from lost or stolen cards (48 percent), but identity theft (15 percent), skimming and cloning scams (14 percent), and counterfeiting (12 percent) still account for significant amounts of fraud.
Data Security: Minding the Small Stores
Anyone involved in the development or integration of software that stores, processes, or transmits payment-card transaction data for commercial products or internal systems knows that application security compliance is required of some but only recommended for others. Service providers, for example, have long been required to assess and demonstrate secure software development practices to successfully prove PCI compliance. Many commercial-product companies that develop stand-alone, deployed payment applications and point-of-sale (POS) systems, however, are not contractually obligated to become compliant and see payment application security as a recommended best practice. But in the past two years, several companies have voluntarily updated their application systems to adhere to Payment Application Best Practices (PABP) standards. Why? Because they understand that helping merchants become PCI-compliant makes good business sense for everyone.
Recent industry developments made payment application security compliance a standard requirement. With representation from major payment card brands, the PCI Security Standards Council recently adopted Visa’s PABP as the Payment Application Data Security Standard (PADSS).