
Monday, December 31, 2012

Hello 2013, Goodbye 2012

For me, 2012 was a year full of challenges, setting up ways to meet peers (Facebook) and gaining experience in online identities, software testing and compliance.
This I want to continue in 2013.
Next year I want to deepen my security knowledge of online sharing protocols like UMA, OAuth2 and OpenID, and my adventures (work experience, conference meetings) will be highlighted.
Also, I will continue to follow the news on privacy, big data and compliance and blog about this to express my views on these subjects, which will be combined in 2013.

Papers will be written, conferences will be visited and no worries, software and protocols will be tested.

All thoroughly done to give you a quality, up-to-date repository about testing Software as a Service, with a flavor of online identities.

See you all in 2013 on Facebook, TestingSaaS-blog and Twitter!
And perhaps in real life too!!

Tuesday, September 25, 2012

Mobile payment ecosystems: a challenge for compliance testing

When you have read my blog lately you know I am very interested in compliance and software testing, especially for SaaS, NFC and mobile payments.

Since Google launched Google Wallet, I have kept a close eye on what the compliance institutions were planning to do to develop testing programs for the emerging mobile payment ecosystems.
Especially because this is a new payment ecosystem, still unknown to the many merchants, acquirers and customers who are going to have to deal with it.
That it is susceptible to malicious attacks is illustrated by the POS (point of sale/checkout) attacks at different merchant locations in the USA, like Subway and Penn Station.
As always, the criminals are the quickest to find the weak spots of the payment ecosystem, while the compliance institutions lag behind but have to react.
The compliance institution publicly expected to design countermeasures is the PCI Security Standards Council (PCI SSC). And recently it has 'done' just that.

The PCI SSC has provided clarifications on how every organisation (which stores, processes or transmits credit card/debit card data) should comply with the already devised PCI Data Security Standard (PCI DSS), a standard which should not be unknown to you if you have read my former blog posts.

However, these are still clarifications of the PCI DSS; no update is planned until 2013.
Why clarifications?
Well, the entity which executes the compliance validation annually(!) depends on the transaction volume involved. If the volume is small, a Self-Assessment Questionnaire (SAQ) is used. If the volume is large, a Qualified Security Assessor (QSA) tests whether the stakeholder is PCI DSS compliant.

When you read the PCI DSS you will encounter a lot of text, but no real details about how to test mobile payment ecosystems effectively (by a QSA or through an SAQ), resulting in inadequate coverage. Especially what was part of the ecosystem to be tested (the 'scope') was insufficiently explained.

These and other points of concern are now written down in the Summary of 2012 Feedback for the PCI DSS and Payment Application Data Security Standard (PA-DSS). This document describes the international (!) feedback given by the PCI SSC stakeholders (merchants, acquirers, QSAs and payment software vendors) to the PCI SSC regarding PCI DSS v2.0 and PA-DSS.
Regarding PCI DSS, the feedback suggestions were mainly about the already mentioned need for scope guidance, a more detailed description of requirements, a simplified SAQ and an update of the password requirements. The last one is, given the current changes in identity management, an effective step in bringing PCI DSS procedures up to date.

Now I know what you're thinking: 'PCI SSC stakeholders, USA, is this also important for the European mobile payment system?'
Yes, it is. It's not a U.S. standard but a global standard, also affecting the European, African and Asia-Pacific (mobile) payment environments. The standard is the result of aligned policies from different U.S. credit and debit card companies like MasterCard and VISA.
If these guidelines are not met annually, non-compliant merchants and acquirers face the consequences: fines of up to $500.000 and litigation costs, degradation to a lower level of PCI compliance and, in the long term, lower brand reputation and consumer confidence.

So, it is not surprising that merchants and acquirers are giving feedback on guidelines they must comply with, but do not know how to comply with.
Let's see how the feedback from the PCI SSC stakeholders will result in a more testable, usable and, hopefully, better-quality PCI DSS standard.
Thursday, September 22, 2011

A one stop NFC testing shop

As I expected a few months ago when blogging about Google Wallet and NFC mobile payments, companies would also venture into the further development and implementation of this specific payment product.
One of the companies I have followed over the last months is Collis, a Dutch company with many years of experience in managing the introduction of new payment products.

Because testing is an important asset of Collis, I immediately thought of them when exploring the testing of mobile NFC payments.
For clarity, I have no commercial ties with this company, only the enthusiasm for testing NFC mobile payments.
So, when following the news of the NFC World Congress I found out that Collis launched yesterday a Mobile Test Center for TSMs (Trusted Service Managers), which enables NFC solutions to be checked for compliance with specifications set by a wide range of industry bodies like MasterCard and VISA, but also the NFC Forum.
Not surprising, if you keep in mind that this company does the same for checking credit card compliance for the already mentioned credit card companies, which are also huge stakeholders in the adoption of NFC mobile payments.
The NFC-TSM ecosystem is very complex and trust is the key issue here. If its infrastructure is not trustworthy, it loses its stakeholders and will be destroyed (compare DigiNotar and the digital certificate ecosystem).
Collis could work as a one-stop shop for testing all components of this ecosystem and contribute to the trust in NFC mobile payments, which could enhance its adoption.

As a tester I agree with the method of my Dutch colleagues at Collis and I hope I can help them improve the quality and trustworthiness of the NFC mobile payment ecosystem.