Analysis of Visa's Proposed Tokenization Spec
Visa, Mastercard and Europay (together known as EMVCo) published a new specification for tokenisation this month. Tokenization is a proven security technology and has been adopted by a couple hundred thousand merchants to reduce their PCI audit costs and the security exposure of storing credit card information. That said, there really is no tokenization standard out there, for payments or otherwise. Even the PCI-DSS standard does not address tokenization, so companies have employed everything from hashed credit card PAN values (craptastic) to very elaborate and highly secure random-value tokenization systems. This specification is being provided both to raise the bar on shlock home-grown token solutions and, more importantly, to address fraud with existing and emerging payment systems.

I don't expect many of you want to read 85 pages of token system design to determine what it really means, whether there are significant deficiencies, or to contemplate whether these are the best approaches to solve payment security and fraud issues. So I'll summarize here. However, I think this specification will be long lived, so if you build tokenization solutions for a living, you'd better get familiar with it. For the rest of you, here are some of the important highlights of the proposed specification:

- As you'd expect, the specification requires the token format to be similar to credit card numbers: 13-19 digits that pass a LUHN check.
- Unlike financial tokens used today (and at odds with the PCI specification, I might add), the token can be used to initiate payments.
- Tokens are merchant or payment network specific, so tokens are only relevant within that specific domain.
- For most use cases the PAN remains private between the issuer and the customer. The token becomes a payment object shared between merchants, payment processors, the customer and possibly others within the domain.
- There is an identity verification process to validate the requestor of a token each time a token is requested.
- The type of token generated is variable and based upon risk analysis: higher risk factors mean a lower assurance token.
- When tokens are used as a payment object, there are Data Elements (think of them as metadata that describe the token) to buttress security. These include a cryptographic nonce, payment network data and the token assurance level.

Each of these points has ramifications across the entire tokenization ecosystem, so it's not your same ol' tokenization platform that will meet these requirements. That said, they've designed the specification so it will work within today's payment systems while addressing near-term emerging security needs.

Don't let the misspelled title fool you; this is a good specification. Unlike the PCI's Tokenization Guidance paper from 2011 (which was rumored to have been drafted by VISA), this is a really well thought out document. It's clear whoever wrote this has been thinking about tokenization for payments for a long time, and they have really done a nice job providing functions to support all of the use cases this specification needs to address. There are facilities and features to address PAN privacy, mobile payments, repayments, EMV smartcards, and even card-not-present web transactions. And it represents not just one audience to the detriment of others; the needs of all of the significant stakeholders are addressed in some way. Still, NFC payments seem to be the principal driver, as the process and data elements really only gel when considered from that perspective. I think this standard is going to stick.

- Adrian Lane
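To make the format and domain rules from the highlights concrete, here is a small added Python illustration (not code from the specification, EMVCo or the original post): a Luhn check, the 13-19-digit token format test, and a toy vault whose random-value tokens are only resolvable from the domain that requested them. The vault design and its names are assumptions for illustration, not the EMVCo token service.

```python
import secrets

DIGITS = "0123456789"


def luhn_check_digit(partial: str) -> int:
    """Return the Luhn check digit that completes `partial` (digits only)."""
    total = 0
    # Walk right to left; the digit adjacent to the check digit is doubled.
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return (10 - total % 10) % 10


def luhn_valid(number: str) -> bool:
    return number.isdigit() and luhn_check_digit(number[:-1]) == int(number[-1])


def is_token_format(number: str) -> bool:
    """The format rule the post describes: 13-19 digits that pass Luhn."""
    return number.isdigit() and 13 <= len(number) <= 19 and luhn_valid(number)


class TokenVault:
    """Toy vault (an assumption, not the EMVCo design): random-value tokens,
    each stored under the domain that requested them, so the same token
    presented by another domain resolves to nothing."""

    def __init__(self, token_length: int = 16):
        self.token_length = token_length
        self._pan_by_domain_token = {}  # (domain, token) -> PAN
        self._issued = set()

    def tokenize(self, pan: str, domain: str) -> str:
        if not is_token_format(pan):
            raise ValueError("PAN is not 13-19 Luhn-valid digits")
        while True:
            body = "".join(secrets.choice(DIGITS) for _ in range(self.token_length - 1))
            token = body + str(luhn_check_digit(body))
            # Never hand back the PAN itself, and never reuse a token for another PAN.
            if token != pan and token not in self._issued:
                break
        self._issued.add(token)
        self._pan_by_domain_token[(domain, token)] = pan
        return token

    def detokenize(self, token: str, domain: str):
        """Return the PAN only when asked from the domain the token was issued to."""
        return self._pan_by_domain_token.get((domain, token))
```

A production vault would additionally keep tokens out of number ranges assigned to live cards and attach the Data Elements the post lists (nonce, network data, assurance level); both are left out here to keep the domain-binding point visible.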