Biometrics in Payments – Irresponsible Demand Generation

Demand generation is defined as; “The focus of targeted marketing programs to drive awareness and interest in a company’s products and/or services.”

Done responsibly it can be a very effective tool in any organisation’s marketing/PR tool-set, and I applaud anyone doing it well. Done irresponsibly it can lead target organisations to make very poor decisions that they will end up bitterly regretting. Yes, each organisation is responsible for making their choices, and for performing proper due diligence, but in an industry as complex as payments, vendors are often seen as the experts.

This position must NEVER be abused!

The example of demand generation that I invariably use is that of the smartphone. Until I saw one I had no idea I needed so much functionality in a mobile device. Now, quite literally, I cannot do my job without it.

Off the bat, that suggests 3 things:

  1. Smartphone manufacturers were justified in their aggressive marketing efforts …eventually;
  2. The drive by each vendor to win the entire market for themselves, while promoting competition, has left us with an enormous variety of devices and technologies that are difficult to adopt for fear of backing the wrong horse, and;
  3. I’m not smart enough to be a futurist.

But what if they had worked together on standardisation in the beginning (like with bloody power adapters for example!), how much better off would we be?!

Now biometrics vendors are the vultures over the kill, and the password is the corpse (harsh I know, but the alternative is wolves, but they work in unison for the good of the pack).

Biometrics companies are spending vast sums on marketing and PR resources to become the next big thing in authentication, All the while completely ignoring the fact that they are offering something little different (single-factor, static authentication), and side-stepping the most basic of practicalities; ease of adoption, and future-proofing.

The FACT remains that implementation of effective biometrics is extremely difficult. Distribution, false positive rates, disability support, privacy issues and a plethora of other challenges will continue to ensure that single-factor authentication with biometrics will not replace the 4 digit cardholder PIN any time soon. Nor should it.

It’s not about replacing the PIN, it’s about seamlessly combining the PIN with other forms / factors of authentication like biometrics. Anything else is irresponsible in the extreme given that most smart phones are capable of all 3 authentication factors multiple times each! Passphrase, PIN, fingerprint, voice recognition, iris, geo-fencing, device registration, device profiling, social media profiling you name it, can all be entered into a mobile device through normal and already established consumer use.

The following is not necessarily an endorsement of Fast Identity Online (FIDO) Alliance, but you can see from their Mission that they fully appreciated the importance of evolutionary change, not revolutionary change:

“The Mission of the FIDO Alliance is to change the nature of online authentication by:

  • Developing technical specifications that define an open, scalable, interoperable set of mechanisms that reduce the reliance on passwords to authenticate users.
  • Operating industry programs to help ensure successful worldwide adoption of the Specifications.
  • Submitting mature technical Specification(s) to recognized standards development organization(s) for formal standardization.”

Reliance on single factor authentication with biometrics is a mistake, so avoid any organisation who adopts the ‘password is dead’ stance and just do your homework based on a business need, not a buzz-phrase.

What We Could Learn From the 11 Plus

The title alone will severely limit the interested audience, as the 11 Plus is a concept that even at its ‘height’ was restricted to England and Wales.

The premise was that children in their last year of primary education (aged 11 – 12) took a test to narrow down their options for their secondary education. The better they did on the 11+ the more choices they had. I wish I had ‘failed’ mine way back in 1978, going to an all boys school absolutely sucked.

A friend of mine’s daughter had recently gone through the process, and like me he was amazed at the questions being asked. This was not a straightforward maths/english/reasoning test, this was a test of character that put to shame my interview techniques as a Senior Manager in charge of adult security consultants. Should I be unfortunate enough to ever be the manager of people again, I will be using these questions:

Why should you get priority over other children for a place in this school? – How would YOU answer that question, or what answer would you be looking for?! Say the wrong thing and you’ll come across as arrogant, insecure, indecisive, desperate, disinterested or a combination of several of these.

List 3 things you are good at or like doing. – Generally speaking, people like doing the things they’re good at and dislike things they aren’t. Sadly most people don’t KNOW they’re bad at something, so a question like this can help weed out the humble from the potentially deluded.

What is the most exciting thing that has ever happened to you? – Personally I would dismiss anyone saying anything about work. Passion for your chosen career is one thing, but someone without other interests is to me rather suspect.

Is there anything that I haven’t asked you about that you would like to tell me? - This one’s a doozy! Do I say no and let the person think there’s nothing more to me, do I say something and perhaps come across as trying too hard or do I ramble on because I’m nervous and end up boring the hell out the interviewer?

The above were good, but the next one was to me astounding;

Is life fair?

Bear in mind this is being asked of an ELEVEN year old, but now think about the answer you would give. No it’s not fair is whiney, yes it is fair is delusional, which leaves the only real answer; life is neither fair nor unfair, it just is. It is surprising just how many people cannot accept this.

Life is what YOU make of it, so any answer outside of that speaks volumes to the person you’re interviewing. If they consider life unfair then they are clearly not taking full responsibility for their own actions, anyone who thinks life is fair has likely never been truly tested and makes the following quote rather appropriate;

“I’ve never met a strong person with an easy past.”

Experience is one thing, you can read that on a person’s LinkedIn page, character is something else and rarely glimpsed during the interview process. Perhaps by asking questions we would ask our own children we can change that.

Disintermediation in Payments, Disin’what Now?

An almost 50 year old concept is now all the rage in the mobile payments space; disintermediation, which according to Wikipedia is”…the removal of intermediaries in a supply chain, or “cutting out the middlemen.”

It might be a cliché, and I hate any buzz-phrase not invented by me, but in the mobile payments space this one makes perfect sense.

For example, to make a branded card payment you have not one, but several middlemen all of whom add cost to the overall price of the goods you buy;

1. Terminal Manufacturers – those devices you slide / swipe your card into are a cost, and if they are PTS and SRED compliant, a significant cost. Target for example are spending $100 MILLION to replace theirs after their well publicised breach.

2. Acquiring Banks – The bank who authorises the payment charges roughly 0.25% of the total value of each transaction.

3. Issuing Banks – The institution who issued the card itself charges the lion’s share at a very rough average of 1.25% of the transaction value.

4. Card Schemes – The owner of the brands (Visa, MasterCard etc.) vary in the slice they take, but let’s for the sake of argument say it’s around 0.09% of the transaction value.

5. Your Bank (in general) – May or may not charge you for the ‘privilege’ of having a card, mine does, but let’s ignore this for now.

According to statista.com the volume of credit card transactions in  2012 was around $6,000,000,000,000 (or 6 TRILLION USD), so let’s put that into perspective:

Terminal Manufactures – I cannot even begin to guess how may payment terminals there are worldwide but I’m going to put my reputation on the line and say it’s a lot. Manufacturers have also received a very significant boost in the last year of so with the enforcement of EMV on our US brethren. For the sake of this blog, we’ll just assume many millions are spent by retail merchants on these devices.

Acquiring Banks – 0.25% of $6 trillion is $15 billion.

Issuing Banks – 1.25% of $6 trillion is $75 billion.

Card Schemes – 0.09% of $6 trillion is $5.4 billion.

In other words, the cost associated with the use of credit cards likely exceeds 100 billion USD.

This is actually not meant as a criticism. They provide a service, many services in fact (including paying for the inevitable fraud), and we are all very likely utilising the benefits of the non-cash services on a daily basis, my point is that we ALREADY have the ability to remove the majority of these middlemen sitting in our pockets; our mobile phones.

Your bank wants to be paid for storing, protecting, and providing access to your worth, the phone company wants to be paid for providing the bandwidth to get to your worth. That’s fair, but why should anyone else be paid? It certainly isn’t the retail merchant who’s absorbing the middleman costs, it’s us, the end consumer and it’s about time we start demanding more options.

The disintermediation of the non-cash payments systems will be a slow process of disruptive innovation, with one side trying desperately to hold on to what they have and the other side trying to move too fast to chage everything. BOTH sides need to understand that things WILL change, but can only do so when the replacement mechanisms are truly fit for purpose. We simply aren’t there yet.

Card Schemes need time to turn their enormous ships onto a new course; banks need to take over the fraud loss liabilities and biometrics companies need to shut the hell up about the death of password and the panacea of their single factor solutions. Most of all the consumer needs to ask for something they don’t even know they need yet.

So yes, disintermediation in payments is coming, but likely not any time soon.

I’m Just the QSA, It’s not MY Report on Compliance!

If you have ever been on the receiving end of a PCI assessment, you had one of two reactions to the title. You said;

  1. “Yes it is, that’s what I hired you for!”, or;
  2. “Damned right it’s not yours, the QSA is only here to validate it.”

95% of you are likely in the first group, unless you had someone like me as your assessor. It is not the QSA’s report, it is yours, the QSA is only there to confirm that you have completed your parts of the Report on Compliance’s (RoC) Executive Summary (Sections 1 – 5) correctly, edited their own sections, and documented the validation results in Section 6 – Findings & Observations. Validation of evidence you provide, and for which you are entirely responsible.

A QSA will likely never know your environment as well as you, and if you don’t take FULL responsibility for the contents of your RoC it will be your organisation that it liable for any mistakes, not the QSA. You will also then have absolutely no remedy if you are breached, and your forensic investigation exposes significant differences between the RoC and reality. This is also why you should never, EVER, hide anything from your QSA.

PCI is too often seen as an audit (it’s an assessment), and the QSA an auditor (s/he’s an assessor) and volunteering information is considered a no-no. I have actually heard a client say; “But you didn’t ask me about that!” No matter how many times I’ve tried to explain that I’m a consultant first and there to help, that I can’t help if I don’t have all the information, AND that if I do find out that they’re hiding something from me any sampling they may have be awarded is now out the window, I would still have issues.

That’s one of the differences between clients who use their PCI budgets (and even manipulate their QSA to get MORE budget!) to spend on securing the business, and those who only care about achieving PCI compliance. The first type will spend far less in the long run, even if the process does take longer. Not only that, they will likely not only STAY compliant, they will have actually protected their business …their ENTIRE business.

Setting PCI compliance as the end goal is like telling your kids to aim for a C average in school, and even the Card Brands and the SSC themselves have only ever said the DSS is a “minimum set of security controls”. So why would a QSA, whom you have hopefully chosen well (see Selecting the Right QSA for Your Business), take any ownership in a process where the goal is almost never fit for purpose?

So anyone who thinks that the PCI assessment process is structured, formal, and conducted using well established parameters has never been through an assessment. Every good QSA does their own internal Risk Assessment from day 1, and based on their gut instinct, will determine whether or not validation sampling is even an option. If I don’t trust you, you stay at 100%.

Want to get some benefit from a PCI assessment?:

  1. Choose the right QSA
  2. Tell them EVERYTHING
  3. Take FULL ownership of both the process and the output

It’s your RoC, accept it.

PCI DSS v3.0: Service Provider Agreements (Req. 12.8.X)

There seems to be quite a bit of confusion about the ‘new’ requirements for service provider contracts. I say ‘new’ sarcastically because this should have been part of your vendor due diligence processes from the beginning.

From a merchant’s perspective, unless they have hired a QSA (or other PCI expert) to help define the service requirements and contractual obligation, it’s very difficult for them to ask the right questions. From a  service providers perspective, I’ve seen the gamut from complete ignorance of their obligations, to out-and-out lies in terms of what they are and are not providing.

The DSS v3.0 requirements of 12.8.X go a long way to resolve this, but not far enough in my opinion. The bottom line is that someone has to be responsible for each requirement, and there are only the following choices;

  1. SP agrees to be fully responsible for the requirement;
  2. SP agrees to be partially responsible, and;
  3. SP pushes the entire requirement back on you.

That’s it.

The above list is fairly obvious, but for the service provider’s clients the challenges are now twofold:

  1. If the service provider accepts full responsibility, are they PCI compliant for the service(s)?
  2. If they are only partially responsible, EXACTLY what part of the requirement is left?

Does the service provider need to be fully PCI compliant for you to achieve compliance? The answer is no, but if they are not, you have just doubled your assessment scope. Again, someone has to answer the questions, so if your service provider has not validated compliance for the services they are offering, you need to add them to your validation efforts.

As for the partial responsibility, that’s easy, get your service provider to tell you what they’re doing. For example;

DSS Req. #

Description

Service Provider Responsibility Client Responsibility
1.1.3

Examine data-flow diagram and interview personnel to verify the diagram:

*  Shows all cardholder data flows across systems and networks.

*  Is kept current and updated as needed upon changes to the environment.

SP will provide initial diagrams in Visio format for the pre-production environment but will not own, manage, or keep up-to-date the data-flow diagrams post-production.

 This requirement is not part of SP PCI Report on Compliance dated [Mmm dd, yyyy]

Client must own, manage, and keep up-to-date all data-flow diagrams for inclusion into their own PCI compliance efforts once services have reached a production state.

You must repeat the above for EVERY requirement in the PCI DSS v3.0, then add this as an addendum or annex to your signed service contract. This applies not only for the services they are providing DIRECTLY, but the SP has a responsibility for any SUB-contractor they may bring in, and so on down the line.

Again, SOMEONE has to answer the questions!

However, let’s back up a bit and handle each DSS Requirement in turn:

12.8.1 Maintain a list of service providers

Easy, just maintain a list of Service Providers, with – at a minimum – the following detail;

  • Company Name
  • Service Description
  • Is [CONFIDENTIAL] Data Shared?
  • Regulatory Compliance Date
  • Status Verified By

12.8.2 Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess or otherwise store, process or transmit on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.

Even easier, they wrote it down for you!! Include – again, at a minimum – the language in red in your contracts. You will likely want significantly more than this as there is no declaration of LIABILITY, or even SLAs.

12.8.3 Ensure there is an established process for engaging service providers including proper due diligence prior to engagement.

If you don’t have robust vendor due diligence and vendor on-boarding/off-boarding processes you are really asking for trouble. For PCI services, if you have not ensured they are PCI compliant for the services they are providing AND you have the full details written into contact, then you have created a world of pain for yourself.

12.8.4 Maintain a program to monitor service providers’ PCI DSS compliance status at least annually.

Does this say anything about the service providers actually working towards PCI compliance? No, it doesn’t, so the status could be; “They will never achieve PCI compliance.” and this is good enough for PCI. This should NEVER be good enough for you.

12.8.5 Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.

This we’ve already covered, all you need is a table, like the above, of every PCI requirement handled by each of your service providers and their sub-contractors. Your QSA can then tell you precisely what is left for you to cover for full compliance.

Whether you’re assessing for the first time, or re-assessing under v3.0, you need to start these conversation with your service providers NOW, as while this may be simple, it is not easy.

Advice for Merchants:

  • Only choose PCI compliant service providers (start here; Visa Europe Merchant Agent List)
  • Only choose service providers who have already addressed 12.8.2 and 12.8.5 up-front. You should not have to ask for this from SP worth their salt
  • If you have existing SPs and don’t know where to start, hire a decent consultant who is familiar with the PCI DSS to help

Advice for Service Providers:

  • Get your responsibility mappings and your contract language sorted out now, BEFORE you are asked
  • If you need help, ask for it, ignorance is not an excuse your clients can accept, nor can the card schemes

Easy huh?