Beautiful Trade/Analyzing the Security Context - Revision history http://commons.oreilly.com/wiki/index.php?title=Beautiful_Trade/Analyzing_the_Security_Context&action=history Revision history for this page on the wiki en MediaWiki 1.11.0 Fri, 24 May 2013 12:19:26 GMT Ebellis: New page: '''Analyzing the Security Context''' The fundamental problem is that cardholder data becomes a shared secret. As we’ve seen, this secret often needs to be shared amongst a lot of part... http://commons.oreilly.com/wiki/index.php?title=Beautiful_Trade/Analyzing_the_Security_Context&diff=24533&oldid=prev <p>New page: '''Analyzing the Security Context''' The fundamental problem is that cardholder data becomes a shared secret. As we’ve seen, this secret often needs to be shared amongst a lot of part...</p> <p><b>New page</b></p><div>'''Analyzing the Security Context''' <br /> <br /> The fundamental problem is that cardholder data becomes a shared secret. As we’ve seen, this <br /> secret often needs to be shared amongst a lot of parties in order to fulfill even a single <br /> transaction. Because security relies on the least common denominator of security controls <br /> amongst these parties, a leak is almost inevitable during the life of an account. <br /> Visa, Inc. stated, in its earnings report for the third quarter of 2008, that the total transactions <br /> on Visa’s brands—Visa, Interlink, Plus, and Electron—grew 11% from $8.65 billion a year to <br /> $9.59 billion. This gives us some perspective when analyzing breach data. Visa is the largest of <br /> the card brands, but it is only one of many. And each transaction probably passed through <br /> multiple merchant systems, payment gateways, service providers, fulfillment systems, bank <br /> networks, and card networks. That’s an awful lot of shared secrets! <br /> <br /> To compound the issues and complexities of these shared secrets, a merchant or service <br /> provider has several reasons to store information such as account numbers after finishing the <br /> initial transaction: <br /> <br /> '''Recurring charges''' <br /> <br /> Many merchants offer services that require regular payments on a weekly, monthly, <br /> quarterly, or annual basis. In order to continue to charge the same account on a regular <br /> basis, the merchant needs to store sensitive payment information as long as the consumer <br /> remains a customer. <br /> <br /> '''Chargebacks''' <br /> <br /> To issue a refund, the merchant must store the account number that its service or <br /> merchandise was charged to. As a measure of fraud prevention, many acquiring banks <br /> require the merchants and service providers to refund the exact card account that was <br /> originally charged. <br /> <br /> '''Consumer convenience''' <br /> <br /> Consumers often elect to store their account information with a merchant where they <br /> make frequent purchases. This aligns with our discussion later around consumer <br /> incentives. For many people, convenience outweighs the risks.</div> Tue, 30 Jun 2009 02:14:33 GMT Ebellis http://commons.oreilly.com/wiki/index.php/Talk:Beautiful_Trade/Analyzing_the_Security_Context