The Green Sheet Online Edition

April 13, 2009  •  Issue 09:04:01


PCI versus tricky technology

By Michael Wright, Panoptic Security Inc.

Use of peer-to-peer (P2P) applications like BitTorrent, Kazaa and the various instant messaging (IM) programs is growing explosively, and their impact on security can be explosive as well. ISOs, merchant level salespeople (MLSs) and merchants who think they don't have to worry about the vulnerabilities in P2P applications should sit up and take notice.

Investigators recently found detailed blueprints and electronic schematics of Marine One, the U.S. president's helicopter, on a server in Iran. This incredible security breach cut straight through multiple layers of security experts, defense contractors and government agencies. And it was caused by misuse of P2P applications.

Payment professionals who aren't concerned about this are basically saying that they, and their merchants, have better security than the President of the United States.

How did such sensitive information make its way onto an Iranian server? Someone installed a P2P file-sharing program on a computer that contained the helicopter specifications.

This made it possible for someone to access these sensitive files and transfer them to other computers. It all came down to just one careless person installing a popular P2P program available everywhere.

Another problem for PCI

Many individuals in the payments industry want to use such P2P and IM programs, too. But if the computers they use also process or store credit card information, or are connected to other computers that do, there are serious Payment Card Industry (PCI) Data Security Standard (DSS) consequences and major security risks. Requirement 1.1.5 of the PCI DSS requires that all "services, protocols, and ports allowed" into the network be justified and documented.

This is an onerous task. It requires a detailed understanding of every application in the system and of how each one communicates. Keeping up with the proliferation of protocols is difficult enough for a network security professional; it is impossible for someone without such training.
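As an added illustration (not part of the article), the check below does the kind of reconciliation Requirement 1.1.5 implies: it compares the services actually listening on a Linux host, taken from `ss -tulnp` output, against a documented allow-list of justified ports and flags anything undocumented. The `ss` output and the inventory are constructed samples.

```python
"""Reconcile listening services on a host with a documented PCI DSS 1.1.5
allow-list of justified services, protocols and ports."""
import re
from typing import NamedTuple

# Constructed sample of a Req. 1.1.5 inventory: (protocol, port) -> justification.
DOCUMENTED = {
    ("tcp", 443): "HTTPS - payment gateway API (card authorization)",
    ("tcp", 22): "SSH - administration from the jump host only",
    ("udp", 123): "NTP - clock sync needed for log correlation",
}

# Constructed sample of `ss -tulnp` output; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:443       0.0.0.0:*    users:(("nginx",pid=812,fd=6))
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=601,fd=3))
udp   UNCONN 0      0      0.0.0.0:123       0.0.0.0:*    users:(("chronyd",pid=455,fd=5))
tcp   LISTEN 0      50     0.0.0.0:6881      0.0.0.0:*    users:(("bittorrent",pid=2210,fd=9))
udp   UNCONN 0      0      0.0.0.0:6881      0.0.0.0:*    users:(("bittorrent",pid=2210,fd=10))
"""

class Listener(NamedTuple):
    proto: str
    port: int
    process: str

_PROC_RE = re.compile(r'users:\(\("([^"]+)"')  # first process name in the Process column

def parse_ss(output):
    """Extract (proto, port, process) from each tcp/udp line of `ss -tulnp` output."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # header or unrelated line
        port = int(fields[4].rsplit(":", 1)[1])  # works for IPv4 and [::]:port forms
        match = _PROC_RE.search(line)
        listeners.append(Listener(fields[0], port, match.group(1) if match else "?"))
    return listeners

def undocumented(listeners):
    """Return listeners that have no documented business justification."""
    return [l for l in listeners if (l.proto, l.port) not in DOCUMENTED]

if __name__ == "__main__":
    for l in undocumented(parse_ss(SAMPLE_SS_OUTPUT)):
        print(f"UNDOCUMENTED: {l.proto}/{l.port} ({l.process})")
```

On a real host the sample string would be replaced by the live `ss -tulnp` output, and the inventory by the documented allow-list the assessor expects to see.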

Several technical reasons exist why P2P applications can be very difficult to control.

What to do

Given these security vulnerabilities, steps can be taken to minimize risk.

Further steps

To deal with the danger of P2P applications, ISOs, MLSs, banks, processors and merchants should remember the following:
