On Disabilities In Payments

Have you ever wondered what it would be like to go through life blind? Or with a learning disability? Or perhaps what it will be like when you’re older and your mental acuity is not what it once was?

What must it be like to be almost totally reliant on loved ones, or worse, the honesty and goodwill of complete strangers?

I readily admit, these are not thoughts that I have very often, as any disabilities I have relate to my sparkling personality. However, I am now in a position to HAVE to think about it and it’s more than a little humbling to see what those with physical or mental challenges have to go through.

For the purposes of this blog, I will restrict myself to issues related to non-cash payments, as that is my skill-set and the limit of my knowledge on the subject of disabilities, and there is more than enough material to fill several blogs, let alone this one.

The issues faced today centre on the fact that the only ubiquitous form of non-cash payment is the branded credit / debit card (Visa, Mastercard et al), and both the cards themselves and the infrastructure necessary to accept them are geared almost entirely to those without any sort of disability. In fact, even if you wanted to make changes to the infrastructure, the effort would be entirely prohibitive given both the limited return on investment and the absence of any legislation.

For example, according to Action for the Blind there are approximately 360,000 people in the UK with ‘sight loss’ (total population ~64M), yet the number of people who can actually read braille is under 20,000. So even card terminals with braille overlays are more for marketing / image purposes than actually providing a means of expanding independence. Terminal manufacturers don’t have to spend more, so why would they?

According to Dr. John Gill, one of the UK’s leading experts in the field of disabilities, challenges for the disabled related to non-cash payments go way beyond issues with sight. The elderly, for example, not only begin to have challenges with vision, but their declining ability to handle abstract concepts, hand tremors and even an aversion to / fear of new technology means that payment innovations will be largely avoided by this group. Especially if their individual needs are not built in from the beginning.

I have posited in previous blogs that mobile devices are far better placed to enable cashless payment for those with disabilities, but it’s clear that this will only be the case if considerable thought is put into the challenges from the outset. ‘Consistency of Interface’ (Dr. Gill’s primary interest), simplification of available technologies, and setting of individual preferences across all payment front-ends will all be required before adoption of mobile technologies is available to everyone.

Well, almost everyone.

Too many technologies aimed at disabilities are nothing more than smoke-and-mirrors, and any effort on the part of manufacturers is aimed at demonstrating that they are good citizens. And while there will never be 100% adoption of mobile technology, it represents a significant advance over current systems, which are now in their 6th decade of use.

Payment systems for those with disabilities must be able to address the following or they will simply not be used:

  1. Consistency of Interface – Terminal manufacturers have some standards they need to apply to their devices, but consistency of interface is not one of them. Even as a sighted person, I sometimes have an issue with where to put my card, where the OK button is, how to apply a tip (or not) and so on. However, I CAN read the total; what are the options for those who can’t?
  2. Swiss Army Knife Approach – I love technology and innovation, yet even I use a fraction of the abilities of my phone. The elderly not only use even less, they want to SEE less available. The drive is for more and more functionality, but nowhere is there an option for less, and until there is, adoption in the elderly will be limited.
  3. Non Reliance on Biometrics – You just have to look at payment innovation to see that biometrics will be a major factor. This ridiculous concept from MasterCard, for example: ‘MasterCard, Zwipe announce fingerprint-sensor card’. But what about those with deformities, injuries, mobility issues? Apparently people who work with concrete or pineapples have fingerprint issues, as do those on various forms of chemotherapy. Who knew?
  4. Size of Keypad – Something as simple as this can result in the avoidance of non-cash payments. Combine a small PIN pad with low contrast fonts and you have just lost a payment.
  5. Learning Disorders / Mental Acuity Challenges – How do current payment technologies handle dyslexia? Or short-term memory loss? Or the onset of dementia? The use of the PIN is about as ubiquitous as the cards they authenticate, yet even this is out of reach for some. But who says the ‘PIN’ has to be numbers? Couldn’t it just as easily be a picture of loved ones, or some other individual preference?

Clearly I am only scratching the surface here, and while there is no solution that will ever make everyone happy, there is a LOT more that can be done to make life easier for those with disabilities. Mobile devices are not perfect, but they represent a considerable advantage over current payment technologies in terms of adapting preferences to an individual.

All we need is the attention this deserves.

[Note: A very special thank you to Dr. John Gill who was very generous with his time and his guidance. Please see http://www.johngilltech.com for more on this subject.]

Forget the Systems, Only the Data Matters

As a Director of a team of 28, I tried very hard to instil a culture of both self-reliance and innovation. This could be summarised by the phrase: “Don’t come to me with problems, come to me with solutions.” I have tried as much as possible to build that into my blog posts as well.

Not this time however, this one’s just me babbling.

My theory is that because there is no such thing as 100% secure, with the right motivation, skill, and time, a hacker will get in. The hacker in question spends a significant amount of effort mapping the target systems to eventually find the weak spot(s), and because the environment rarely changes, their end goal is always achievable.

The analogy used most often in security is one of a castle. You build up many layers of defence (thick walls, moat, arrow-slits, battlements etc.) and your most precious possessions are held in the most secure room in the centre of it. However, because that castle can only change very slowly, a concerted attack will eventually result in the loss of the ‘crown jewels’.

All it takes is time, and a little patience.

However, all of these defences are really just a means to an end; it’s the data itself that’s the only thing that matters. The real problem therefore lies not so much in the systems, but in their predictability. Spending money and resources on more and more ways to protect the systems is just building higher walls; eventually you have to stop, and eventually someone is going to break them down. And to take the analogy one stage further, the higher the walls, the more fragile they become (see Insecurity Through Technology).

So what can we do when the rising interest in privacy, and the ongoing nonsense that is PCI, is causing a tidal wave of new products and services all claiming to be the missing link in your security program? Oddly enough (given my dislike of buzz-phrases), the only one that makes sense in the context of this blog is cloud-based services, where scalability, redundancy and resilience are generally built into the platform from the beginning. A system goes down and you plug in a new one.

But how about taking this one stage further? Don’t just replace when something breaks, replace / change as a matter of course! From firewalls, to servers, to encryption, even as far as location, change something in your environment to negate as much of the hacker’s reconnaissance as possible. For every benefit, there will be at least one, or even several, reasons to keep things the same, but the benefits are extensive:

  1. Security – The entire premise of this blog; if you change things frequently, bad-guys can’t keep up and the rewards become less and less worth the effort. Back to building your fence higher than your neighbour’s.
  2. Simplicity – To even think about replacing a system outside of a disaster recovery scenario, everything you do has to be simple, and there is no security without simplicity.
  3. Business Transformation / Competitive Advantage – I contend that in terms of competitive advantage in the Information Age, any head start will be closed in a matter of weeks / months, not years / decades, so any organisation that has the capability to randomly change aspects of their environment clearly has an unrivalled understanding of their business processes. Understanding is knowledge; the correct application of knowledge is wisdom, or in this case, appropriate transformation.
  4. Business Continuity – Most organisations have distinct gaps between their continuity needs and their ability to meet them. Even if Incident Response and Disaster Recovery processes are tested annually, only an organisation that makes significant changes frequently has the well-honed skill-set to meet or exceed the continuity plan. Practice, in this case, can indeed make perfect.
  5. Innovation – Only from the simple and well-known can innovation be truly effective. When you’re not worrying about how to keep things running and can focus on what else you could be doing with what you have, you are free to be either more creative, or to recover quicker from your mistakes. Too often the inability to adjust begets the fear to even try.

As I stated previously, there are probably more reasons that this theory is completely unsustainable than there are apparent benefits, but I don’t think that means it’s not worth a try. Humans tend to overcomplicate things and then get lost in the detail, but with simplicity comes the freedom to focus on what really matters: the data from which all of your knowledge springs.

Anyone want to write a guest blog from an opposing perspective?

GUEST BLOG: Thoughts From the PCI Trenches

[Ed: I am very pleased to present a guest blog from a good friend of mine. He and I have spent more time in the PCI trenches than either of us would care to admit:]

“I read your blog somewhat religiously and I find myself thinking about my feelings towards PCI both from an assessor and client perspective and moreover as a security professional.

With breaches now on the rise, it is time to reflect a bit on how did we get here? Why are things this way? Is PCI working?

We got here because of money. The almighty dollar (pick your currency). Greed, my friends, has fueled this issue for years and will continue to do so.

Greed by the card brands has pushed them to promote acceptance so wide that the only way anyone even thinks about non-cash payments is with a card. This push for acceptance came in the early 1990’s and continues today. At that time, very little was thought of PCI other than a little fine print that was quietly overlooked until breaches began to result from this push.

At that point, the card brands felt that the public – being sufficiently hooked on the drug of convenience – was finally ready for enforcement of compliance with standards. Shortly thereafter the PCI SSC was born, and the real greed and corruption was to begin.

Below are a few points that have been smoldering quietly in the back of my head that are now demanding to be shared.

  1. Unless it’s my core business, it will never be my core competency. You cannot make merchants into military. They won’t go, they never will, stop trying to make them. Realize this now and move on.
  2. The card brands have created the problem by pushing their acceptance channels as hard as they have, and then attempted to throw security on top of the pile long after the fact. Security first, acceptance of cards later.
  3. The card brands added insult to injury by creating the PCI SSC. This is a self-serving group that dictates a set of documents and charges fees, then completely and utterly fails to enforce its own assessor quality assurance program.
  4. The SSC has, through their actions and inaction, contributed to the creation of a scandalously corrupt cottage industry of PCI QSACs. These companies are selling assessor services for a flat fee and assigning work at a rate of 35 to 45 PCI assessments a year per QSA. This volume is horrific and does not serve the client, or the card brands. The delivery of an appropriate assessment is simply not possible. You can have two of the three, “cheap”, “fast” and “good”, but only two. Cheap and fast does not make for good, yet the SSC has allowed the QSACs to promote and aggressively sell just that.
  5. The SSC has allowed the same QSAC and QSA to assess the same environments year after year, creating complacency and further corruption. If you care about compliance, rotate assessors. Assessors make bad calls, and in order to maintain the client, must live with them year after year. Fresh eyes are critical to maintaining integrity.
  6. The card brands have failed to adopt more secure methods of moving funds. The clear text account number adhered to the back of a piece of plastic via technology that rivals that of the 8 Track player in my mother’s 1976 Mercury Cougar. This is criminal.

I could go on and on, but the key point remains the same: the card brands are the cause of the problem, and have made it worse by setting up an unrealistic security program rather than focusing on their own flawed methods.

The reality is this: PCI is a way to shift the burden of securing the otherwise insecure from the card brands to the merchants, banks and service providers. God forbid the card brands pick up the tab??

As long as I am ranting, how is it that Moore’s Law drives down the cost of all technology except when it comes to transaction processing?

Will my rant change anything? No, but I do feel a bit better sharing with you all.

Regards,

Frustrated Assessor”

Can a Blog Be Your CV / Resume?

In a recent post (Digital Anarchy? Not Without Identity Management) I posited that eventually Identity Management would consist of a construct of your entire life, from the beginning, all the way through to your present day, and continuing without pause until the end. The premise is that the more that is known about you, the harder it becomes to pretend to be you. Most fraud mechanisms work on making value judgements related to ‘normal’ behaviour, so why don’t we help that process along?

Privacy and profiling issues aside of course :)

So it occurred to me that if all potential employers knew exactly what I believed, and – assuming they agreed with me – how I could provide benefit to their organisation, then a CV is almost unnecessary.

LinkedIn already provides the factual information about my previous employment, and as much detail regarding my functions / achievements as I deem fit to share. Employers can do a background check based on my online presence long before approaching me directly, so add a blog on top of that, and what else could they possibly need to make a decision regarding next steps?

References? Background Investigations? Yes, but these are final steps, as the only purpose a CV serves is to get you that first interview. As such, it is VERY hit-and-miss, and a shining gem of a CV to one HR pro is a not-so-polished turd to another. In the end, HR are not even your final audience, but every candidate is expected to know all about writing CVs and cover letters, as well as interview techniques and etiquette. All you end up doing is filtering out the worst candidates, not narrowing down the best.

A blog, on the other hand, shows many things, all of which have good and bad elements depending on your point of view:

  1. Communication Skills – Writing is not easy, and even doing an average job of it takes a level of skill. If you cannot get your point across in 500 – 1000 words, AND in a way that the majority can understand, you either need to work on your writing skills, or your knowledge of the subject.
  2. Subject Matter Expertise – Blogs on specific subjects should be written by people who have relatively significant experience in their chosen profession, but that does not mean they are always right. A blog from a ‘security expert’ with whom I vehemently disagree will be dismissed just as quickly as would a blog on intelligent design.
  3. Desire to Help – While my blog [for example] was initially started because my wife told me to do it, it soon became an integral part of my weekly tasking. The skill-set I have (such as it is) does no good to anyone until everyone can at least follow the guidance I am trying to impart. Security expertise [for example] is just NOT something that should be used as a competitive advantage. There is plenty of opportunity to make a living while giving as much as you can back.
  4. Thought Leadership …Or Not – One of the fastest growing buzz-phrases / clichés, but the concept is sound: are you a person who creates the new, improves the old, or sustains the present? All of these things have their place, and no one of them is necessarily better than the others, but you need to know which you are, and so do your potential employers.
  5. Skin In The Game – A phrase I’m borrowing from our American friends, it just means that you are actually taking part in something, and not just sitting on the sidelines watching. Good if you’re contributing positively, bad if you’re an idiot.

Anything that fights against “But we’ve always done it this way!” is to me a good thing, and that’s where a blog really comes into its own. All of your ideas, concepts, or even random thoughts need to be put down into words that others can follow, which means YOU have to clarify them first. Ideas catch on, but only the ideas that see the light of day.

For good or bad my blog is now my CV, let’s see how it pans out! :)

PCI – Going Beyond the Standard: Part 25, Now Do It All Over Again…

…or better still, keep doing what you’ve learned, all day every day.

This is the final post in my ‘Going Beyond the Standard’ series – HURRAH!! – and hopefully, despite all of the spelling mistakes, grammatical errors, left-field rants, and miscellaneous off-topic diatribes, you have derived some benefit from it.

Timing is pretty good as well, seeing as the SSC came out with their Information Supplement: Best Practices for Maintaining PCI DSS Compliance, and I will say that I have to agree with the majority of its content. However, reading a book on emergency appendectomies does not make me a doctor, so when it comes to the implementation of the ‘staying compliant’ concepts, have an expert help you.

It takes someone very skilled to make things simple; do not half-arse your security.

There is nothing in PCI that you should not already be doing around all of your sensitive data, and there are no validation requirements that should fall outside of standard practices. In fact, you should be validating EVERY day, not once a year, and the only way to do that is to baseline everything and report against exceptions.
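The ‘baseline everything and report against exceptions’ idea above, as an added example that is not part of the original post: a small Python script that compares a constructed baseline of approved host settings against a constructed daily snapshot and emits only the deviations. The host names, control names and values are assumptions made up for the illustration, not real inventory; a real run would feed `compare()` from whatever config-management or scanning data you already collect.

```python
"""Baseline-versus-observed validation that reports only exceptions.

Added example, not from the original post. Everything below (host names,
control names, values) is constructed sample data, not real inventory.
"""
from typing import Any, Dict, List, Tuple

State = Dict[str, Dict[str, Any]]   # host -> {control: value}
Finding = Tuple[str, str, str]      # (host, control, detail)

# Constructed baseline: the approved state of each in-scope host.
BASELINE: State = {
    "pos-terminal-01": {"listening_ports": {22, 443}, "av_enabled": True, "tls_min_version": "1.2"},
    "db-cardholder-01": {"listening_ports": {5432}, "av_enabled": True, "tls_min_version": "1.2"},
}

# Constructed "today" snapshot, as a config-management agent or scanner might report it.
OBSERVED: State = {
    "pos-terminal-01": {"listening_ports": {22, 443, 8080}, "av_enabled": True, "tls_min_version": "1.2"},
    "db-cardholder-01": {"listening_ports": {5432}, "av_enabled": False, "tls_min_version": "1.0"},
    "unknown-box-07": {"listening_ports": {23}, "av_enabled": False, "tls_min_version": "1.0"},
}


def compare(baseline: State, observed: State) -> List[Finding]:
    """Return every deviation from the baseline; an empty list means 'in baseline'."""
    findings: List[Finding] = []
    for host in sorted(set(baseline) | set(observed)):
        if host not in baseline:
            findings.append((host, "inventory", "host not in baseline (unapproved asset)"))
            continue
        if host not in observed:
            findings.append((host, "inventory", "baseline host not observed (offline or unmonitored)"))
            continue
        expected, actual = baseline[host], observed[host]
        for control in sorted(set(expected) | set(actual)):
            if control not in actual:
                findings.append((host, control, "control not reported"))
            elif control not in expected:
                findings.append((host, control, f"setting with no baseline: {actual[control]!r}"))
            elif isinstance(expected[control], set):
                # Set-valued controls (e.g. ports): report additions and removals separately.
                extra = sorted(actual[control] - expected[control])
                missing = sorted(expected[control] - actual[control])
                if extra:
                    findings.append((host, control, f"unexpected: {extra}"))
                if missing:
                    findings.append((host, control, f"missing: {missing}"))
            elif actual[control] != expected[control]:
                findings.append((host, control, f"expected {expected[control]!r}, observed {actual[control]!r}"))
    return findings


def exception_report(findings: List[Finding]) -> str:
    """Render the daily report: one line per exception, or a single all-clear line."""
    if not findings:
        return "all in-scope hosts match baseline"
    return "\n".join(f"EXCEPTION {host} [{control}]: {detail}" for host, control, detail in findings)


if __name__ == "__main__":
    print(exception_report(compare(BASELINE, OBSERVED)))
```

The point of the design is that the report is empty on a normal day: an unapproved host appearing, a port opening, anti-virus being switched off or a TLS floor being lowered all surface as individual exceptions the same day they happen, rather than twelve months later during the annual assessment.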

I previously used this ridiculous analogy: if every PCI requirement was a tennis ball, you could very easily carry them all from a weight perspective, but it’s impossible to hold them all together without some kind of container (Tennis ball = DSS Requirements, Container = Security Program). In other words, the requirements themselves are basic, but completely out of context from an ongoing management, business, or even good security practice perspective.

The reason PCI becomes so difficult to maintain is because security in general is too often seen as an IT project and not what it is: a business process. The only time it gets the attention it deserves is when there’s a problem, which is already too late.

When I started my own business, and when I began this blog, it was with the following premise: “Security Is Not Easy, But It Can Be Simple.” Yet every business for whom I have ever provided guidance was basically making a pig’s ear of it, and it always revolves around a lack in at least one, but usually all, of The 4 Foundations of Security.

The way I have always phrased it is: “If my boss does not care about something, guess how much I care about it?”, which is why I have made this statement several times now:

Let’s be very clear: the CEO sets the tone for the entire company: its vision, its values, its direction, and its priorities. If the organisation fails to achieve [enter any goal here], it’s the CEO’s fault, and no-one else’s.

So if you get nothing out of this series of 25 blogs, take that away and do what you can to help them change the culture to one of accountability and responsibility across the entire organisation. It will pay dividends.

Hope you enjoyed the series, and I would welcome any guest blogs that either expand on the subjects on which I am weakest (encryption, coding, charm, spelling etc.) or are better than mine if it’s a subject in which you are an expert.

There is no room for ego in security, everyone has to win.