On the 30th of September this year, a new compliance directive will
come into force from the Payment Card Industry (PCI) that will affect
each and every business that accepts credit cards around the globe,
including those here in Thailand. Among the directives is a
requirement for merchants to secure their networks, both wired and
wireless, and to audit their compliance at least once every three
months.
Even if the merchant does not have a wireless LAN, they will need to
prove that no rogue access points have been installed in the area and
that the network is secure.
In Bangkok to explain the far-reaching implications of the directive
was John Cunningham, Motorola's director of RFID and wireless for
enterprise mobility, and Sujai Haleja, vice president and general
manager of its enterprise WLAN division.
Haleja explained that come Sept 30th, any merchant accepting Visa,
Mastercard, American Express or Discover cards can be fined up to half
a million US dollars per incident for not complying with the new PCI
security rules. If the non-compliance persists, they can have their
rights to accept credit cards revoked.
Two years ago, US retail giant TJ Maxx had its network breached and
46.5 million credit card details were stolen. This sent the entire
merchant industry into a spiral as banks rushed to re-issue cards and
limit the damage.
The cost was considerable and while the banks and credit card
companies absorbed the cost in that incident, it quickly became clear
that better security was needed to prevent a repeat. This led to the
credit card companies coming up with the PCI security directive, which
will be passed down to merchants and banks.
Today, the United States is by far the most concerned with PCI
compliance. Two states, Texas and Minnesota, have actually passed laws
that go far beyond PCI and state that if a TJ Maxx style breach occurs
today, the merchant will have to be financially responsible for
replacing all the compromised cards.
Even before PCI, many US merchants were clamouring for better network
defences to prevent damage to their reputation if they are hacked.
Away from the US, however, things are quite different. "Just recently,
when I talked to people in industry, they said, 'PCI compliance?
What's that?' Today, they are coming to me and saying, 'Oh my god, how
can I do it in time?'" Cunningham, who is based in Singapore, said.
For the network part at least, Motorola has been offering a
PCI-compliant solution for the past 18 months. Today, it has enhanced
its offering and is now offering PCI enforcement on top of its already
PCI-compliant wireless network hardware and software. Cunningham claims
that Motorola is the first and so far only player to offer turnkey PCI
network compliance in a box.
For instance, PCI requires that all Wi-Fi traffic is encrypted with
WPA or WPA2 encryption and not the much weaker WEP. All modern
wireless equipment supports all three protocols, so while the hardware
may be PCI compliant, it is possible for an incorrect network policy
to configure the Wi-Fi access points with WEP and render the network
non PCI compliant.
Motorola has added PCI compliance enforcement to its network
management tools, along with its other existing frameworks for
Sarbanes-Oxley (for financial institutions) and HIPAA (for
healthcare).
Today, many merchants are using wireless terminals that allow the
credit card to be swiped anywhere in the store. In such cases the
merchant needs to ensure that the transmission is secure and cannot be
eavesdropped.
Both the wired and wireless networks also need to be secured.
Organisations that do not use wireless will still need to prove that
no rogue access points have been deployed on the premises. PCI also
requires that the wireless and wired networks are suitably firewalled
from one another.
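The two checks described above (APs whose policy has fallen back to WEP, and BSSIDs on the air that are not in the merchant's inventory) as an added example that is not part of the article or Motorola's product; the inventory and the sensor survey are constructed sample data:

```python
"""Quarterly wireless audit in the spirit of the PCI requirement described
above: flag authorised APs whose policy has drifted to WEP/open, and flag any
BSSID observed on the air that is not in the merchant's inventory (a possible
rogue AP). Inventory and survey below are constructed, not real data."""
from dataclasses import dataclass

# PCI accepts WPA/WPA2 on the wireless segment; WEP and open are non-compliant.
COMPLIANT_ENCRYPTION = {"WPA", "WPA2"}


@dataclass
class ObservedAP:
    bssid: str
    ssid: str
    encryption: str   # "OPEN", "WEP", "WPA" or "WPA2" as reported by the sensor


# Constructed inventory: the BSSIDs the merchant actually deployed.
AUTHORISED = {"00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"}

# Constructed sensor survey of everything heard on the air.
SURVEY = [
    ObservedAP("00:11:22:33:44:01", "STORE-POS", "WPA2"),
    ObservedAP("00:11:22:33:44:02", "STORE-POS", "WEP"),    # policy drift to WEP
    ObservedAP("00:11:22:33:44:03", "STORE-GUEST", "WPA"),
    ObservedAP("DE:AD:BE:EF:00:01", "STORE-POS", "OPEN"),   # not in inventory
]


def audit(survey, authorised):
    """Return (finding, bssid, detail) tuples; an empty list means compliant."""
    authorised = {b.lower() for b in authorised}
    findings = []
    for ap in survey:
        bssid = ap.bssid.lower()
        if bssid not in authorised:
            # Unknown radio advertising on the premises: treat as rogue until
            # someone reconciles it against the inventory.
            findings.append(("ROGUE_AP", bssid, ap.ssid))
        elif ap.encryption.upper() not in COMPLIANT_ENCRYPTION:
            findings.append(("WEAK_ENCRYPTION", bssid, ap.encryption.upper()))
    return findings


def is_compliant(survey, authorised):
    return not audit(survey, authorised)
```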
Every quarter, an audit needs to be conducted to ensure that there is
no abnormal wireless activity happening. The Motorola solution
monitors the air all the time, and reports abnormalities in
real-time.
With the audit trail and compliance in place, if a breach does still
occur, the fine imposed on the merchant will be less than if it was
negligent. The analogy is like a house insurance policy that requires
the owner to install and use a deadbolt on the front door. Motorola is
like a community guard that takes note of when the door is opened and
closed, and whether the owner locks it when they leave the house. If
the owner does not lock the door, then they could be held responsible
for a burglary.
Today Bumrungrad Hospital, which accepts credit cards as payment, is
claimed as the first hospital in Asia certified PCI network compliant.
It did this through a simple rule change in its existing Motorola
wireless network security. For every four to six access points, there
is a sensor that only listens to wireless network traffic and logs any
abnormal network activity. This is fed into a forensics database log
and a monitoring system that can trigger work-flows if certain
conditions are met.
Motorola's RF switch is a device that takes the intelligence of the
entire wireless network and puts it in one place, with each access
point then just a dumb radio. This was at first intended to allow for
seamless mobility among access points without the need to
re-authenticate with each move. However, by extending the software,
the same RF switch can use the radio infrastructure to listen to
packets and audit the airwaves as per PCI. It can also use
triangulation to pinpoint in real time the location of any abnormal
activity.
Because the same radio logic is used for WiFi, WiMax and RFID, the
same reporting and auditing system can be scaled up to wide areas, or
scaled down to three to five metre circles where a certain wireless
MAC address needs to be operating within a given radius of a
particular RFID tag.
For instance, a doctor's notebook needs to be operated only by the
doctor and any activity from that notebook MAC while the doctor's RFID
badge is out of the room can be flagged as suspicious.
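The doctor's-notebook rule above as an added example, not code from the article or from Motorola: device MAC activity is flagged when the RFID badge bound to that device was last read in a different room. The MAC-to-badge binding, badge reads and Wi-Fi events are constructed sample data, and the room attached to each Wi-Fi event stands in for the RF switch's triangulated position.

```python
"""Correlate Wi-Fi activity with RFID badge location, as sketched in the
article: activity from a bound device is suspicious whenever its owner's badge
was last seen somewhere else (or not seen at all). All data is constructed."""
from dataclasses import dataclass


@dataclass
class BadgeRead:
    t: int        # seconds since start of the observation window
    badge: str
    room: str


@dataclass
class WifiActivity:
    t: int
    mac: str
    room: str     # assumed: room estimated by triangulation on the RF switch


# Constructed binding: notebook MAC -> the badge of the doctor who owns it.
BINDINGS = {"aa:bb:cc:00:00:01": "BADGE-DR-SMITH"}

BADGE_READS = [
    BadgeRead(100, "BADGE-DR-SMITH", "WARD-3"),
    BadgeRead(400, "BADGE-DR-SMITH", "CAFETERIA"),   # doctor leaves the ward
]
WIFI = [
    WifiActivity(150, "aa:bb:cc:00:00:01", "WARD-3"),  # doctor present: fine
    WifiActivity(450, "aa:bb:cc:00:00:01", "WARD-3"),  # badge gone: suspicious
    WifiActivity(460, "aa:bb:cc:00:00:09", "WARD-3"),  # unbound device: not this rule
]


def badge_room_at(reads, badge, t):
    """Room of the most recent read of `badge` at or before time t, else None."""
    room = None
    for r in sorted(reads, key=lambda r: r.t):
        if r.badge == badge and r.t <= t:
            room = r.room
    return room


def flag_suspicious(wifi, reads, bindings):
    """Return (t, mac, room) for bound devices used away from their owner's badge."""
    flagged = []
    for ev in wifi:
        badge = bindings.get(ev.mac.lower())
        if badge is None:
            continue   # devices without an owner binding fall under other rules
        # No badge sighting at all also counts as a mismatch: the owner's
        # presence cannot be confirmed, so the activity is worth a look.
        if badge_room_at(reads, badge, ev.t) != ev.room:
            flagged.append((ev.t, ev.mac.lower(), ev.room))
    return flagged
```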
All of this is something that cannot be done with standard 802.11
equipment. However, merchants with basic and non-integrated networks
can install just the listening and monitoring equipment for basic PCI
compliance.
Asked if this means Motorola will take on IBM and HP and become a
system integrator, Haleja said that for now they would prefer to work
with system integrators such as HP and IBM in providing solutions but
agreed that this business was quite unlike the Motorola of old.
Motorola only joined the PCI group after its acquisition of RFID
specialists Symbol, whose bread and butter is in the retail industry.
But it quickly became apparent that the demands of PCI network
compliance and Motorola's existing wireless protection were a perfect
match.
He also hinted that the world will soon be surprised as to the new
direction Motorola will be taking, but said that is all he is allowed
to say at this point.
However, while it is now certain that the PCI directive will come into
force on 30th September, it is still unclear exactly how it will be
enforced at a local level. Unlike HIPAA or Sarbanes-Oxley - which both
have a strong legal basis and enforcement through each country's
central banks - PCI is an industry standard backed by the card issuers
rather than any federal law.
Cunningham noted that SOHO or, as he puts it, "Mom and Pop shops,"
will escape the brunt of the regulation as they do not store credit
card information themselves; they simply scan and pass on the
information.
Enforcement will have to be through their banks and card issuers and
the agreements they have with their merchants. Also, while the maximum
penalty for non-compliance is set at half a million dollars, it is
still unclear how much of a penalty will be levied for breaches
where compliance was proven, or for partial compliance.
Both of the executives were extremely concerned as to the almost total
lack of awareness in the region, even though it is clear to them that
the same penalties apply whether the breach is in the United States,
Europe or here in Thailand.
"It's like antivirus. I didn't buy an antivirus software until I had
to go through the pain of rebuilding my notebook. Today, you don't
think about it. People have to go through the pain because of a lack
of security before they start to look at it seriously," Cunningham
said.
-------------------------------------------------------------
http://www.rfidglobal.org
RFIDGlobal.org is an internationally oriented online platform for RFID
companies and end users.
User: "The Kat"
Title: Re: Credit Card Crackdown
17 Aug 2007 02:54:54 AM
On Fri, 17 Aug 2007 07:39:36 -0000, RFIDabc <rfidabc@gmail.com> wrote:
> including those here in Thailand.
What the ***** does that have to do with Nostradamus, dumbass??!!??
--
Lumber Cartel (tinlc) #2063. Spam this account at your own risk.
This sig censored by the Office of Home, Land & Planet Insecurity...
Remove XYZ to email me