Recently in Security Category


From SecureIDNews -- Link

Pilots concluding but final access control policies still more than a year out

John Schwartz, program manager for the Transportation Worker Identification Credential (TWIC), was going to begin an update on the program with the words "eight years ago," but then thought better of it. It has been that long since Congress mandated that the Transportation Security Administration (TSA) create a credential for secure access to ports, and the agency is still working on the rollout.

It will most likely be 2012 before there are widespread readers electronically verifying the credentials, Schwartz said during a presentation at the Interagency Advisory Board meeting in September. But while critics dismiss the credential as an expensive flash pass, progress has been made toward wide-scale electronic verification at ports.


The TSA reports that at 135 enrollment centers across the country, 1.7 million workers have been enrolled and of those 1.6 million have activated their ID.

Schwartz and his team are working on a congressionally mandated reader test that will lead to the final rule for reading the TWIC. His team has done testing in the lab, in the field without looking at the impact on a port's business processes, and finally in the field while considering the impact on business.

Through lab testing the TSA approved 28 readers and associated systems, Schwartz says. The lab tests looked at reader performance in different environmental conditions, extreme hot and cold temperatures, water and humidity, as well as durability tests.

The 28 approved readers include two alternative biometric systems. If a port can show a chain of trust in enrolling a worker in the local physical access control system, it is acceptable to use an alternative biometric, such as iris, to access the facility.

TWIC follows the FIPS 201 specification but diverges in its use of biometric and contactless technologies. In order to access the biometric on a TWIC, a cardholder must be enrolled in the local physical access control system first. That means the TWIC privacy key, which is stored on the card's magnetic stripe and chip, must be registered in the local physical access control system before the biometric can be read over the contactless interface.

This is different from other PIV credentials where the biometric is accessed only via the card's contact interface. TWIC modified the FIPS 201 spec for its use because port operators demand high throughput and PIN protected contact interface reads were deemed too time intensive.

For the field-testing, Congress instructed that the readers be used in at least five distinct geographic locations to test the business processes, technology and operational impacts.

The sites selected for the tests needed to be from a broad spectrum of operations and climates, Schwartz says. The final report on the testing was due in April but implementing specifications and identifying volunteer ports delayed the project.

The TSA received $8.1 million to provide independent testing, data collection and analysis, Schwartz says. The ports, terminal and vessel operators received $23 million in security grants with $15 million for the pilot and the remainder held in reserve for future reader deployments.

While $15 million may sound like a lot of money to spend on readers, it wasn't spent just on that technology, Schwartz explains. Cabling, updating infrastructure and deploying physical access control systems had to be done in many instances for the system to work.

The tests have already generated some important lessons, Schwartz says. There have been challenges integrating the TWIC readers into different physical access control systems.

The messaging from the readers needs to be standardized and made to be visible in all environments, Schwartz says. He cites the example of a card rejected by a reader without an adequate error message. "If the card gets an error the guard would tell the worker they need a new one when it may not have been registered in the PACS or something more minor," Schwartz says.

There have also been issues with creating a standard for the information processing. The TSA has determined that the sequences for authenticating the card, checking the registration in the physical access control system and checking the hot list all need to be done in the same sequence.

The read range of the contactless readers has been problematic too, Schwartz says. Ports that used proximity cards previously are reeducating workers that the card may need to be held closer to the reader than with the prior technology. The cards, which come with plastic sleeves, also have to be removed from the sleeve to be read in some instances.

Educating cardholders on how to take care of the credential has been a learning experience, he says. Some truck drivers will keep the credential around the rearview mirror in the sun and this can damage the chip and antenna.

Explaining the hot list, or revocation list, has been problematic too, Schwartz says. A worker will lose the card and call the number to report it lost, at which point it is placed on the revocation list. If the worker finds the card a day or two later and tries to use it, it is flagged and port security is alerted.
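The two lessons above (readers must give the guard a specific, standardized reason, and card authentication, PACS registration and hot-list checks must always run in the same order) come together in the following added example. It is not code from the article or from any TSA or TWIC reader product. Card authenticity is modelled with an HMAC-SHA256 tag under an issuer key as a stand-in for the PKI signature a real TWIC carries; the PACS registry, hot list and card identifiers are constructed in-memory values.

```python
"""Toy TWIC reader decision routine (added example, not TSA code).

Runs the three checks in the fixed sequence the article describes and returns
a distinct reason for every outcome, so a guard is never left with a bare
"rejected" and does not send a worker for a new card when the real problem is
a missing PACS registration.

Constructed assumptions: HMAC-SHA256 under an issuer key stands in for the
card's real signature; registry, hot list and identifiers are made up.
"""
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    GRANTED = "access granted"
    AUTH_FAILED = "card failed authentication: treat as counterfeit or damaged chip"
    NOT_REGISTERED = "card is genuine but not registered in this facility's PACS: register it, no new card needed"
    REVOKED = "card is on the hot list (reported lost or stolen): deny and alert port security"


@dataclass(frozen=True)
class Card:
    card_id: str   # constructed identifier standing in for the card's FASC-N
    holder: str
    tag: bytes     # issuer tag over card_id|holder (stand-in for the real signature)


def _issuer_tag(issuer_key: bytes, card_id: str, holder: str) -> bytes:
    return hmac.new(issuer_key, f"{card_id}|{holder}".encode(), hashlib.sha256).digest()


def issue_card(issuer_key: bytes, card_id: str, holder: str) -> Card:
    """The central issuer personalises a card (constructed stand-in for production)."""
    return Card(card_id, holder, _issuer_tag(issuer_key, card_id, holder))


def check_access(card: Card, issuer_key: bytes, pacs_registry: set, hot_list: set) -> Decision:
    """Run the checks in the fixed order and return an explicit, distinct reason."""
    # Step 1: card authentication. A forged or corrupted tag stops here.
    if not hmac.compare_digest(card.tag, _issuer_tag(issuer_key, card.card_id, card.holder)):
        return Decision.AUTH_FAILED
    # Step 2: local PACS registration. A genuine card unknown to this port is a
    # registration problem, not a card problem.
    if card.card_id not in pacs_registry:
        return Decision.NOT_REGISTERED
    # Step 3: hot list. A valid, registered card that was reported lost must be
    # refused even if the worker later found it, and the hit is alerted.
    if card.card_id in hot_list:
        return Decision.REVOKED
    return Decision.GRANTED


def demo() -> dict:
    """Walk through the four outcomes on constructed cards; returns the decisions."""
    issuer_key = b"constructed-issuer-key-not-real"
    pacs_registry = {"TWIC-0001", "TWIC-0002"}
    hot_list = {"TWIC-0002"}   # 0002 was reported lost, then found and presented again
    results = {
        "registered_ok": check_access(issue_card(issuer_key, "TWIC-0001", "A. Worker"),
                                      issuer_key, pacs_registry, hot_list),
        "forged_tag": check_access(Card("TWIC-0001", "A. Worker", b"\x00" * 32),
                                   issuer_key, pacs_registry, hot_list),
        "not_registered": check_access(issue_card(issuer_key, "TWIC-0003", "C. Worker"),
                                       issuer_key, pacs_registry, hot_list),
        "found_after_loss": check_access(issue_card(issuer_key, "TWIC-0002", "B. Worker"),
                                         issuer_key, pacs_registry, hot_list),
    }
    for name, decision in results.items():
        print(f"{name:>17}: {decision.value}")
    return results


if __name__ == "__main__":
    demo()
```

The order matters for the messages: because authentication runs first, a NOT_REGISTERED result is known to concern a genuine card, and a REVOKED result is known to concern a genuine, registered one, which is exactly the distinction the guard needs.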

Other problems have included general installation issues, including electrical power fluctuations, physical reader placements that are too high, too low or too far from the worker, and slow turnstile and gate mechanism responses.

The TSA is planning to deliver a report with the test findings to Congress in 2011, Schwartz says. After that the U.S. Coast Guard, which is responsible for enforcing TWIC, will make a rule for ports and port operators to follow. That will most likely not be until 2012.

Because of the delay in the final rule most port operators are opting to wait before deploying TWIC reading systems, says Walter Hamilton, senior consultant at ID Technology Partners. Port operators could deploy the systems now but are afraid they will have to retrofit or tear out technology depending on the rule.

But some reader manufacturers have given guarantees that if port operators opt for the maintenance package, the vendor will guarantee compatibility with the final rule, Hamilton says. "It gives the maritime operators some level of comfort," he says.

The TSA is looking to solve some other logistics issues as well, Schwartz says. Enrollment and card activation services for remote locations can be a hardship for some areas. Workers have to show up once to apply for the credential with all the appropriate documentation and then show up again a few days later to receive and activate the card.

This has been problematic in areas where the enrollment center is far from the port or port worker's home, he explains. Congress has questioned the TSA on this, asking if the credential can be mailed but the FIPS 201 standard doesn't allow the ID to be mailed. TSA is looking at other alternatives to solve this problem.

The durability of the credential has been another problem, Schwartz says. The card is tested before leaving the central production facility and before leaving the activation center, but there have been problems with card failures in the field.

Without the presence of a TWIC team member with card analysis tools, it has been difficult to determine whether the problem is with the card, the reader or the access control system at the facility.

The TSA is considering a move from a 72K chip to a 144K chip, Schwartz says. Before the change is made official, however, they are verifying that no other system changes will be necessary and that there will be little or no impact on production and reader equipment.

The TWIC road has been a long and arduous one, ultimately taking more than a decade from mandate through roll out to electronic verification of the credential. But one day soon U.S. ports may have the increased security originally envisioned by TWIC initiators.

While there are many trends in the credit and debit card industry, security is the trend that most restaurants should put at the top of their list. Security goes beyond locking the front door at closing time. Restaurant operators also must secure the sensitive information their customers provide when paying for their services.
 
Identity theft and credit card fraud are chief concerns for consumers and the credit card industry, and should have great significance to the restaurant operator. Card and identity thieves are becoming increasingly capable.
 
In 2009, there was a considerable increase in businesses affected by security breaches in the hospitality and restaurant industry. In response to the growing threat, major credit card brands like Visa and MasterCard have continued to increase the scope and rigor of consumer protection standards.
 
The PCI DSS (Payment Card Industry Data Security Standard) has been implemented in phases, with various deadlines, to control the way card data is transmitted and stored. Credit card processors have a looming deadline of July 1, 2010, to ensure their customers operate in a PCI compliant manner.
 
The PCI DSS standard covers many aspects of storing and handling credit card data. The PCI PED (PIN Entry Devices) component is focused on the hardware used at the point of sale (POS) for capturing the 4-digit PIN on a consumer's debit card. Restaurant owners must ensure that debit card accepting devices are PCI PED compliant, or they risk fines and fees from their processors and the card brands.
 
While the July 1 deadline is directed at the member organizations (banks), processors enabling the acceptance of these transactions are expected to ensure their customers comply with these standards. Many processors are mandating that their customers undergo a PCI audit to ensure compliance and are assessing fees for those customers that do not comply.
 
The goal of these fees is to encourage customer compliance, which will help reduce the risk to both the merchant and the processor. A PCI audit varies in cost, based on the price negotiated by the customer or processor, but is intended to identify security concerns, including devices, software, and processes, that may expose the merchant to the risk of data theft.


Scientists have identified security flaws in chip and pin technology that they say are so serious as to require a rethink of the whole system.

The Cambridge University researchers discovered a loophole that could be used to make bank card payments without knowing the correct pin.

Link for Video

Lessons Learned From PCI Compliance

Assessors reveal mistakes companies make with data security standard. -- To help companies get ready for an evaluation, we asked QSAs to describe common problems they encounter when working with IT groups on PCI compliance. What follows are five best practices to help companies better prepare for an assessment and maintain compliance.

1. Know Where Data Lives

First off, you must know how credit card data flows through your system, where the data resides in the enterprise, and who has access to it. Assessors ask for this information at the outset of an assessment because it determines the scope of the project. They aren't there to review your entire security infrastructure, just the systems that collect, process, transport, and store credit card data. A surprising number of companies don't have a good grasp of this information. "It's common for a client to completely miss a particular data flow and have no idea that credit card data is being forked off to system X, Y, or Z," says a QSA at Neohapsis, who asked to remain anonymous.

Companies express an "extreme amount of frustration" over the amount of effort they have to put in to put the full picture together, says Ted Keniston, a QSA and managing consultant with the global compliance group at Trustwave. "We should be validating this information, not determining it."

Having a complete picture of credit card data isn't just a courtesy to your assessor; it also affects your ability to protect customer information, because you can't secure what you don't know about.

2. PCI Is A Moving Target

Let's say your assessor has just stamped you "compliant." You breathe a sigh of relief. The PCI assessment is annual, so you don't have to worry about it for another 12 months, right? Not so.

PCI compliance is only valid and only applies to the state of the network and systems at the time of the assessment. The moment you make changes to systems that fall under the 


Rest of article and pdf of entire article


inside-pci-compliance_884972.pdf

Tokenization and your store

New approach shapes how retailers secure private information and consumer confidence against data breaches

With stores located in various states and, in some cases, overseas, chain stores face a unique data security challenge. The plethora of recent State Breach Notification Laws and European privacy laws, as well as industry mandates such as the Payment Card Industry's Data Security Standard, put a lot of pressure on chain store CSOs to come up with foolproof ways to protect consumer information against a data breach.

Source Article

Many retailers have already adopted localized encryption and follow data security best practices but, for some companies, this may not be the most efficient way to protect credit-card numbers and various forms of personally identifiable information (PII), including customer loyalty data, and employee social security and commercial drivers' license numbers, etc.

With traditional localized encryption, the encrypted data is stored in applications and databases in place of the original unencrypted data, which means it is located in many places throughout the enterprise. Every system that contains encrypted data is a point of risk and remains "in scope" for PCI DSS compliance and audits. What's more, encrypted data takes more space than unencrypted data, requiring costly programming modifications to applications and databases, along with increased data storage costs.

To solve these challenges, a new data security model -- format preserving tokenization -- is beginning to gain traction with retailers. Tokenization reduces the number of points where sensitive data is stored within an enterprise by replacing encrypted data with data surrogates (tokens) and storing the encrypted information in a central data vault. This makes data security easier to manage and provides an extra layer of security, but it also takes systems "out of scope" for PCI DSS compliance.

Tokenization explained

With traditional encryption, when a database or application needs to store sensitive data, those values are encrypted and the cipher text is returned to the original location. With tokenization, a token -- or surrogate value -- is returned and stored in place of the original data. The token is a reference to the actual cipher text, which can be stored locally ("in-place tokenization") or, as in the newly emerging model, in a central data vault. As long as the token is format-preserving, it can be safely used by any application, database or backup medium throughout the organization. This minimizes the risk of exposing the actual sensitive data and allows business and analytical applications to work without modification.

Format-preserving tokens can either match the expected data type or expose a subset of the original value to simultaneously protect the information and enable applications and job functions to continue unmodified. For example, the token could expose the last four digits of the social security number or credit card number to enable call center operations.

Tokens use the same amount of storage space as the original clear text data instead of the larger amount of storage required by encrypted data. And since tokens are not mathematically derived from the original data, they are arguably safer than exposing cipher text. They can be passed around the network between applications, databases and business processes safely while leaving the encrypted data they represent securely stored in a central data vault. Authorized applications that need access to encrypted data can only retrieve it using a token issued from a token server, providing an extra layer of protection for sensitive information and preserving storage space at data collection points.

Encryption, tokenization, or both: What's right for your enterprise?

There are two distinct scenarios where implementing a token strategy can be beneficial: to reduce the number of places sensitive encrypted data resides or to reduce the scope of a PCI DSS audit. The hub and spoke model is the same for both and contains these three components:

* Centralized encryption key manager to manage the lifecycle of keys.
* Token server to encrypt data and generate tokens.
* Central data vault to hold the encrypted values, or cipher text.

These three components comprise the hub. The spokes are the endpoints where sensitive data originates such as point-of-sale terminals or the servers in stores, various departments at headquarters, a call center or Web site.

In the traditional model, data is encrypted at the stores (spokes) and stored there; or encrypted at headquarters and distributed back out to the stores. Under the tokenization model, encrypted data is stored in a central data vault and tokens replace the corresponding cipher text in applications available to the stores, thereby reducing the instances where cipher text resides throughout the enterprise. This reduces risk because the only place encrypted data resides is in the central data vault until it is needed by authorized applications and employees.

In the second scenario, the model is the same but the focus is on using only tokens in spoke applications thereby reducing scope for a PCI DSS audit. In this case, employees only need a "format-preserving" token where the token provides enough insight for them to perform their jobs. For instance, the token will contain the last four digits of a credit card. In the traditional encryption model, cipher text resides on machines throughout the organization. All of these machines are "in scope" for a PCI DSS audit. In the centralized tokenization model, many of the spokes can use tokens in place of cipher text, which takes those systems out of scope for the audit.
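The "Tokenization explained" section and the hub-and-spoke description above are illustrated by the following added example, which is not code from the article or from nuBridges. It builds the three hub components (key manager, token server, central data vault) in a few dozen lines and shows what a spoke actually receives: a token of the same length and type as the card number, exposing only the last four digits and not derived mathematically from the original. Constructed assumptions: keys live in an in-memory dictionary; the vault's "encryption" is an HMAC-SHA256 keystream under a random nonce plus an HMAC integrity tag, a stand-in for the AES/HSM-backed encryption a product would use; PANs are 16 digits; all class and function names are mine. The example goes one step beyond the text by also rejecting candidate tokens that pass the Luhn check, so a token can never be mistaken for a live card number.

```python
"""Minimal tokenization hub (added example, not nuBridges code).

Constructed assumptions: in-memory key manager; HMAC-SHA256 keystream plus
HMAC tag stands in for real AES/HSM encryption; 16-digit PANs.
"""
import hashlib
import hmac
import secrets

PAN_LEN = 16
DIGITS = "0123456789"


def luhn_ok(digits: str) -> bool:
    """Standard Luhn check; genuine card numbers pass it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class KeyManager:
    """Hub component 1: generates and holds keys; spokes never receive them."""
    def __init__(self):
        self._keys = {name: secrets.token_bytes(32) for name in ("enc", "mac", "index")}

    def key(self, name: str) -> bytes:
        return self._keys[name]


class Vault:
    """Hub component 3: the only place the protected value exists, stored by token."""
    def __init__(self, km: KeyManager):
        self._km = km
        self._rows = {}   # token -> (nonce, ciphertext, tag)

    def _keystream(self, nonce: bytes, n: int) -> bytes:
        # PRF in counter mode: stand-in for a real cipher, keyed from the key manager.
        out = b""
        for counter in range((n + 31) // 32):
            out += hmac.new(self._km.key("enc"), nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        return out[:n]

    def has(self, token: str) -> bool:
        return token in self._rows

    def put(self, token: str, pan: str) -> None:
        nonce = secrets.token_bytes(16)
        pt = pan.encode()
        ct = bytes(a ^ b for a, b in zip(pt, self._keystream(nonce, len(pt))))
        tag = hmac.new(self._km.key("mac"), nonce + ct, hashlib.sha256).digest()
        self._rows[token] = (nonce, ct, tag)

    def get(self, token: str) -> str:
        nonce, ct, tag = self._rows[token]
        if not hmac.compare_digest(tag, hmac.new(self._km.key("mac"), nonce + ct, hashlib.sha256).digest()):
            raise ValueError("vault record failed integrity check")
        return bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct)))).decode()


class TokenServer:
    """Hub component 2: issues format-preserving tokens; detokenizes only for authorized callers."""
    def __init__(self, km: KeyManager, vault: Vault):
        self._km = km
        self._vault = vault
        self._index = {}  # keyed hash of PAN -> token, so one PAN always maps to one token

    def tokenize(self, pan: str) -> str:
        if not (len(pan) == PAN_LEN and pan.isdigit() and luhn_ok(pan)):
            raise ValueError("input is not a well-formed PAN")
        idx = hmac.new(self._km.key("index"), pan.encode(), hashlib.sha256).hexdigest()
        if idx in self._index:
            return self._index[idx]
        while True:
            # Random body (not derived from the PAN) + the real last four digits,
            # so call-centre screens and reports keep working unmodified.
            token = "".join(secrets.choice(DIGITS) for _ in range(PAN_LEN - 4)) + pan[-4:]
            # Reject a candidate that passes Luhn (could be mistaken for a live PAN)
            # or that is already in use.
            if not luhn_ok(token) and not self._vault.has(token):
                break
        self._vault.put(token, pan)
        self._index[idx] = token
        return token

    def detokenize(self, token: str, caller_authorized: bool) -> str:
        if not caller_authorized:
            raise PermissionError("only authorized applications may recover the PAN")
        return self._vault.get(token)


def demo() -> dict:
    """One spoke tokenizes a (published test) card number and gets the same token back on reuse."""
    km = KeyManager()
    server = TokenServer(km, Vault(km))
    pan = "4111111111111111"   # widely published test card number, not a real account
    token = server.tokenize(pan)
    print(f"PAN {pan} -> token {token}; detokenized: {server.detokenize(token, True)}")
    return {"pan": pan, "token": token, "again": server.tokenize(pan),
            "recovered": server.detokenize(token, True)}


if __name__ == "__main__":
    demo()
```

The scope argument in the article maps directly onto this structure: a store server that holds only the `token` string has no key, no cipher text and no PAN, so only the three hub components need the PCI DSS controls that protect stored card data.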

Format preserving tokenization is ideal for some chain store enterprises, while a hybrid approach is better for others. Localized encryption is the default when stores are not always connected to a central data vault. In instances where stores are electronically connected to the data vault, tokenization is often the solution of choice. For many chain store companies, using a combination of localized encryption and tokenization is a practical approach for improving data security.

Format preserving tokenization protects payment-card information and employee information as well as all types of customer PII and loyalty data collected by many chain store marketers. Not only does the technology provide an extra layer of security in an extended enterprise, but it reduces storage space requirements and the scope of PCI DSS audits.

Gary Palgon is VP product management for data protection software vendor nuBridges, and is a frequent contributor to industry publications and a speaker at conferences on eBusiness security issues and solutions. He can be reached at gpalgon@nubridges.com. 


The conventional wisdom is that when large vendors enter a niche market, those vendors "legitimize" that market. But the announcement that First Data and RSA Security are getting into the credit card tokenization business raises many issues beyond them simply "making" the tokenization market. Here is my first take on the implications of this announcement:

Posted from StorefrontBackTalk

  • Pressure On The PCI SSC To Embrace Tokenization
    The PCI Security Standards Council already commissioned Price-Waterhouse Coopers to do a study of tokenization, end-to-end encryption and other "beyond PCI" issues. The results will likely be discussed at the PCI SSC Community Meetings. That's great. Merchants, service providers and even QSAs want specific guidance about tokenization. This announcement and the weight of the players in the market should virtually guarantee that tokenization will be specifically addressed in the next release of PCI DSS, in addition to QSA training and other guidance from the SSC.

  • Pressure On Payment Processors And Gateways
    I have said before that the number of companies offering tokenization will increase several-fold within a year. We've already seen about a dozen players enter the market in the last six months. I'm expecting 30 to 40 more announced packages over the next six months, as payment processors, gateways, encryption vendors and application vendors all vie to see who can remove credit card data from the merchant environment the fastest.

  • Tokenization Standards And Portability Will Be Hot Topics In 2010
    The more options in the market, the more the demand for "token switching" will increase. Merchants who have entrusted their card data to Service Provider X will increasingly seek shorter duration contracts and have more specific demands about how they migrate their data from one tokenization provider to another.

    Because there are not currently any standards for either the form of a credit card token, how it is generated or how one token type can be converted to another (they can't, BTW), as more merchants realize this, they will raise concerns about being "locked in" to a particular tokenization approach. Smaller vendors will develop "token migration" or conversion tools, etc.

  • Multi-Channel Options And Other Complexity Issues Will Emerge

    Read rest of story at StorefrontBackTalk


New driver license legislation proposed

Some believe that new proposed driver license legislation would help states better secure IDs while also protecting citizen privacy. Others say it "guts" an existing law and takes states back to pre-9/11 identity vetting for IDs.

Debate on whether it increases or decreases security

Story Link

A hearing was held in the U.S. Senate Committee on Homeland Security and Governmental Affairs on the proposed bill called the Providing Additional Security in States' Identification (PASS) Act of 2009. Testimony revealed very different takes on the bill, which would basically roll back REAL ID. It's not clear how the proposed change would impact states already complying with REAL ID and rolling out new documents. Even with this new bill looming, some states are still moving ahead to comply with REAL ID.

"The major problem with REAL ID is that it is producing very little progress in terms of securing driver's licenses, and it is not getting us to where we need to be," said Janet Napolitano, secretary of the U.S. Department of Homeland Security. "Simply put, REAL ID is unrealistic."

Citing the almost $4 billion estimated price tag for states to switch to REAL ID and unfeasible deadlines, Napolitano offers up PASS as an alternative. Napolitano, when she was governor of Arizona, had signed a law against REAL ID.

"PASS ID is a critical piece of national security legislation that will fix the REAL ID Act of 2005 and institute strong security standards for government-issued identification," she said. "PASS ID will fulfill a key recommendation of the 9/11 Commission, that the federal government set standards for identification such as driver's licenses and non-driver identification cards, and this bill will do so in a way that states will implement, rather than disregard. PASS ID will enact the same strong security standards set out by REAL ID as quickly as REAL ID but, critically, this bill provides a workable way to get there."

Napolitano said that PASS ID keeps document verification and authenticating of source documents, advocates the physical security of ID production, requires that photos of applicants be taken and still has the requirement to show compliant IDs. "All in all, PASS ID would match the security provided in REAL ID, while providing the states with more flexibility to innovate and meet the standards," she said.

How does it differ from REAL ID?

The major difference is that PASS ID gives states different options to meet the criteria. "While REAL ID mandates electronic verification for all source document information, PASS ID would maintain a focus on ensuring the authenticity of identity source documents that applicants present, allowing states to adopt cost-effective ways to achieve or exceed that threshold," Napolitano said.

Since states would be able to choose how to verify identity, there would be some cost savings, Napolitano said. The bill would also codify state grants for driver licenses and speed up implementation.

"States would have one year after the issuance of final DHS regulations to begin issuing compliant documents, and would have five years from that date to enroll driver's license holders as they see fit," she said. "The REAL ID deadline for completing issuance of compliant driver's licenses is December 2017. If Congress enacts the PASS ID Act as it is currently written by October 2009, states could complete enrollment by July 2016, a full one year and five months ahead of the REAL ID timetable."

PASS ID potentially rolls back one key requirement of REAL ID: checking other states to see if an individual has multiple licenses. Napolitano and others say this was cause for privacy concerns. "PASS ID would not require states to provide direct access to each other's driver's license databases; in fact, the bill contains protections against creating any national identity database containing all driver's license information and requires states to adopt adequate procedures to prevent unauthorized access to or sharing of personally identifiable information," she said.

Read the rest of the story and how opponents see PASS ID as a weak substitute for REAL ID.

Link to story

EMV takes aim at U.S.

Nice article on SecureIDNews covering EMV, by Andy Williams, Associate Editor, Avisian Publications.

Like a massive tidal wave, EMV continues to roll across the world, changing the global payments landscape. Since UK banks first committed to EMV five years ago, more than 100 countries have taken the plunge in efforts to stem credit card fraud.

But the U.S. has always remained outside the EMV plan. This, however, may be changing as fraud, technology and business are changing the payments landscape.

Brian Byrne, head of product technology for standards and specifications at Visa, estimates there are some 730 million EMV cards and 10 million terminals in existence around the world.

Toni Merschen, group head of chip at MasterCard Worldwide, notes that the Single European Payments Area initiative requires 38 countries to complete the migration to EMV by Jan. 1, 2011.

EMV gets its name from the companies which originally created it: Europay, MasterCard and Visa. Seven years ago Europay merged with MasterCard and the new standards body was renamed EMVCo. Its members now include Visa, MasterCard, Japan-based JCB and its newest member, American Express.

EMVCo's primary goal "is to facilitate global interoperability and compatibility of chip-based payment cards and acceptance devices through deployment of relevant EMV Specifications," says an EMVCo spokesperson.

EMV also goes by "chip and PIN," because the card contains a chip and a PIN is required before a transaction is processed. But nowadays, that chip and PIN moniker may be misleading. As Byrne points out, many countries are forgoing the PIN part of EMV implementation, the predominant reason being that many consumers don't want to remember a PIN.

The country most advanced toward EMV implementation is the UK; the banks there were the first to adopt chip and PIN, says Merschen. Other markets that have reached maturity for EMV migration on cards, point-of-sale devices or ATMs include France and Turkey in Europe and Malaysia in the Asia-Pacific region, he adds.

The migration isn't easy. Merschen says a number of infrastructure changes are required to handle EMV. "For issuers, there are new data elements that need to be supported by the issuer authorization and clearing host systems. Card data preparation, including key management, and card personalization also require hardware and software upgrades," Merschen says. "On the acquiring side, the impacts are similar. Acquirer host systems must be able to receive new data fields from terminals, which also need to be upgraded from both a hardware and software perspective."

Glitches all but resolved

In the early days of EMV there were issues, Merschen says, such as a shortage of approved products, lack of customer and vendor expertise with EMV and areas where the specifications left implementation options.

That was then. These issues from the early days of EMV have largely been resolved, says Merschen. "Robust migration processes are available to guide the banks, merchant, and consumers in their migration involvement," he adds.

Visa's Byrne describes the early road bumps as minor. "This card issued in country A was having some acceptance problems in country B. In some cases, some of the older terminals wouldn't work properly, but that was usually due to configuration issues, fairly minor stuff."

EMV in the U.S.?

So with the U.S. sandwiched between two EMV countries, Mexico and Canada, most think it's only a matter of time before the U.S. joins the EMV parade.

Paul Beverly, president of Gemalto North America, believes increased fraud will mandate such changes.

In an article in the spring 2009 issue of Regarding ID magazine, Beverly wrote: "The rest of the world is well on the way to EMV implementation. Europe and Asia have long been issuing cards and ... Latin America, faced with exploding credit card skimming fraud, is fully committed to EMV smart cards. .. Yet stakeholders in the United States still find fraud losses and identity theft risks acceptable. It is disappointing that U.S. companies are trailing the rest of the world in this area."

Charles Walton, executive vice president for payments for INSIDE Contactless, believes that the U.S. will ultimately get on board with the secure cards. "We're seeing inherent insecurities in the system, such as the Heartland Payment Systems hack. It's only a matter of time before these types of hacks will become intolerable."

Walton says hackers will look at the weakest point in the payment chain and exploit it. "If you start securing one point in the chain, it begins to expose the other points; the path of least resistance for water will find the lowest point."

MasterCard's Merschen says that these fraud migration and data compromise incidents, plus the possibility of government regulation, will lead several U.S. banks to consider EMV.

The handwriting is on the wall, so to speak. "It's inevitable that the U.S. migrate to EMV, primarily because fraud is escalating," adds Randy Vanderhoof, executive director of the Smart Card Alliance. "Major financial institutions in the U.S. are also international so it will not be a big step for them to issue these cards in the U.S."

Contactless and EMV

At first blush it would seem that contactless and EMV would be working toward opposite purposes, but Walton says EMV can run on top of contactless. "I would think of EMV as a security protocol that works with contactless as well as contact chips."

Visa is using EMV specs in its contactless payWave technology, Byrne says. "The way we're deploying contactless in the U.S. is using EMV specs," says Byrne. "It's based on EMV technology making use of strong security elements baked into EMV. These new cards will not only be accepted in readers in the U.S. but also in the UK."

The next generation of contactless cards will be a step toward EMV, says Vanderhoof. For example, MasterCard terminals certified for contactless also carry elemental portions of EMV. "We're seeing these gradual upgrades of the infrastructure to support it," he says.

Vanderhoof says these new rules for EMV contactless are different from those for EMV contact cards. Purchases under about $25 can be a contactless transaction in the UK, just like in the U.S. "Just tap it and go, no PIN or signature. After a certain number of transactions you might be required to enter your PIN."

Rest of story

The opportunities offered by the advent of proximity mobile payments are clear: differentiated payment services, increased transaction volumes, faster transactions, increased customer convenience, operational efficiencies and the ability to increase customer loyalty through targeted gift and loyalty programs. With implementations already in place in Europe and Japan, strong consumer interest and the ability to leverage the contactless POS infrastructure already in place, NFC-enabled proximity mobile payments show much promise. But how will security be managed in an ecosystem with so many stakeholders, each managing their own unique aspect of the process? The news is good.

Both the financial and mobile industries have made much progress in defining how NFC-enabled mobile payments will take place and how financial information will be secured. Security is bolstered by the use of industry standards and by the technology supporting proximity mobile payments. Industry organizations have defined standards-based approaches to ensuring that payment account information is delivered securely to the mobile phone and stored securely in the phone's secure element.

The NFC-enabled mobile phone leverages the existing ISO/IEC 14443 standard for communicating payment information from the phone to the merchant's POS terminal. Appropriate risk analysis of an operational model for proximity mobile payments can identify where there is potential for fraud or misuse, develop mitigation measures and assign responsibility. From the consumer's perspective, the proximity mobile phone payment looks just like a contactless credit or debit card transaction.

Mobile phones can also leverage two-factor authentication technology to secure the payment application and information. Requiring a passcode or a fingerprint to initiate or respond to the terminal's attempt to initiate or validate a transaction can provide the consumer with additional comfort and a sense of control over a transaction.

While implementations may vary, industry players are moving in a consistent direction. Industry organizations are working to increase ease of access, global interoperability and security of mobile payment technology for consumers. Pilot studies in the United States and implementations worldwide have tested both the technology and the mobile payments process. Proximity mobile payments technology is solid, and will serve this exciting new payment frontier well. Industry stakeholders can leverage the proven technology and a merchant infrastructure that is ready to go to take advantage of consumers' ever-growing love of mobile technology.

Download whitepaper