The Green Sheet Online Edition

May 25, 2009  •  Issue 09:05:02


PPISC urges solidarity for security

The inaugural meeting of the Payments Processor Information Sharing Council was attended by 30 industry veterans representing 20 merchant acquirers and third-party payment processors. The council is dedicated to sharing information about data breaches and preventing attacks on payment networks.

Robert O. Carr, the PPISC's organizer and the founder, Chairman and Chief Executive Officer of Heartland Payment Systems Inc., felt the May 5, 2009, meeting in St. Pete Beach, Fla., was a success.

"The group in general seemed very positive about acquirers and processors getting together to share information," Carr said. "To them, the security issues were so important that competitive issues were set aside for the greater good of the industry - and payment processors have never done that."

Subjects reflected

Topics of discussion at the PPISC meeting were data breaches going back to January 2008, issues related to Payment Card Industry Data Security Standard compliance and the inadequacies of audits.

"The audits we had were not helpful at all because the problems we had that ultimately allowed us to be breached were in our system," Carr said. "They were always in our system, and six years of audits never caught it." Heartland has experienced significant repercussions from a data breach it suffered in 2008. For more information, see "Heartland clamps down on breach," The Green Sheet, Feb. 9, 2009, issue 09:02:01.

The PPISC works with the Financial Services Information Sharing and Analysis Center, a nonprofit organization dedicated to distributing breach-related and security-compliance information to its members, the government, and telecommunication and utility companies. Members receive alerts regarding cyber and physical threats, vulnerabilities and incidents of concern.

Victims protected

"The reason we chose FS-ISAC is that it already has the infrastructure in place to report fraudulent activity without identifying the submitting party," Carr said. "If someone gets breached, they can turn that information over to the FS-ISAC, and nobody is going to penalize them or disclose who it was. It's confidential and nonpunitive, so it gives us a chance to pull together the new malware that's found on a regular basis and distribute it to PPISC members."

Malware from several breaches, including Heartland's, was distributed to representatives in attendance. "We also distributed software that will help find those malware binaries on a particular machine," Carr said. "The problem, obviously, is international, so getting the current malware is pretty valuable in attracting more international players to the PPISC."

Parties connected

Carr said breach forensics teams have found that malware inserted into payment networks tends to be used repeatedly until cyber criminals have to rewrite it because of anti-virus tools designed to keep it out. "But the anti-virus tools haven't caught any of this malware," he said. "That's why it's malware. So we're trying to get the forensics firms to submit what they learn on a confidential basis to the FS-ISAC system."

To assist representatives of companies unable to attend the Florida meeting, Heartland will offer a conference call on June 23, 2009, at 1:00 p.m. EST to go through information covered in the meeting. A webinar is also planned, though no date for that has been set. Carr extends an invitation to any merchant acquirer and third-party processor wishing to learn more about the activities and membership benefits of PPISC and the FS-ISAC.

"We agreed that this group should be limited to those organizations, but it's still a pretty big group," Carr said. "In order to become a member of the PPISC, there is a membership fee to join the FS-ISAC, as well as different levels of membership. And they will need to sign a nondisclosure agreement not to discuss any information learned here outside the group. Cyber criminals go after anybody they can, so this kind of solidarity is critical."

For more information, visit www.fsisac.com or contact Carr at bob.carr@e-hps.com.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
