Episode 69 is all about how the PCI Security Standards Council is responding to changes in security technology and how it is expanding its role and technology coverage across important new geographies. If payment security is on your screen, join Glenbrook’s George Peabody, partner and host of Payments on Fire, and Troy Leach, CTO for the PCI Security Standards Council as they discuss standards under development like PIN Entry on COTS, other new tools to mitigate data breach risk, and the Council’s work in Latin America, Asia, and India.

A little background...

We don’t need any more evidence for how difficult data security is. In payments alone the number of system components is so high that hardening them all has been functionally impossible. But we’re are making progress. There’s EMV. Data devaluation through encryption and two forms of tokenization - security tokens and payment tokens - reduces the amount of hack-worthy information available.

Guiding, steering, nudging, and corralling the payment card ecosystem toward stronger security is the PCI Security Standards Council. The PCI SSC has developed a 12 step standards program for the secure treatment of payment card data that goes well beyond data devaluation. Various enterprises looking to protect their own data assets, not just card data, use PCI DSS to guide their security program.

The Council’s activity is expanding along with the threats we face. As technologies emerge that benefit security, the Council considers how to employ and deploy them. For example, the Council has a certification program for the token service provider function that handles payment token vaulting and other life cycle management tasks.

Another example is its soon to be released PIN Entry on COTS standard. Commercial Off the Shelf (COTS) devices include the smartphone that’s by your elbow or in your hand right now. The standard makes clear that, with the right card acceptance hardware, PIN entry via a software-driven screen, rather than a physical encrypting PIN pad, is secure.

 

As you'll hear on the podcast, this is an exciting time in payments security development. Broad deployment of many important tools will take many years. That's the real news. As they come online, however, there's already reason for optimism. We just have to use what we have and get others to do the same.

Direct download: EP69_PCI_mixdown.mp3
Category:Payments on Fire -- posted at: 11:52am EDT

Digital identity is a crisp sounding term that belies a complex layer of concepts. There is identity proofing. Identify verification. Identity assurance. Each addresses one element of the many questioned raised by digital identity.

  • How does a bank really know the digital presence at its banking portal is associated with the accountholder?
  • How can you, as an individual, release only the amount of data necessary to satisfy the parties to the transaction? We share more than we need to. I still get carded at a bar to prove I’m over 21 (what a waste of time!). When I show my license, the barkeep also sees my address, license number, and more. Definitely a case of oversharing.
  • If parties such as utilities, government, and financial institutions vouch for that digital presence, should any of them be responsible for proving that digital presence is right and true?
  • Simplifying complex problems for multiple stakeholders should be a formula for success. SecureKey is a long time player in the identity ecosystem, having built a federated identity platform linking Canadian citizens to government resources using bank-issued credentials.

SecureKey has evolved its system to make use of a mobile app as well as a blockchain-based database that securely points to data stored by banks, utilities, and government entities, all in a zero liability arrangement.

This conversation between Glenbrook’s George Peabody and SecureKey’s chief identity officer Andre Boysen dives into identity concepts, how SecureKey’s Verified Me system works, and its use of blockchain.

For more on digital identity concepts, look at NIST’s excellent set of Digital Identity Guidelines.

 

Direct download: EP68_SK_mixdown.mp3
Category:general -- posted at: 5:20pm EDT

Voice is the natural user interface and the robots are coming to take it on. Enabled by high volume consumer devices like Amazon Echo, Google Home, Apple’s Siri and powered by artificial intelligence engines like Amazon’s Alexa, Google Assistant, and Apple’s Siri, we are headed toward making voice-enabled commerce and payments a common experience.

Russ Jones is Glenbrook’s “tech whisperer,” an expert observer of tech evolution and how it applies to payments. Join Russ and George as they discuss the development of the voice ecosystem, Amazon’s leadership, the intersection of voice and IoT, and where voice-enabled payments may flourish.

Direct download: EP67_PoF_voice.mp3
Category:general -- posted at: 12:21pm EDT

1