
Voltage Security Partners With Gertec to Deliver Secure Payment Transactions

Technology Integration Provides Global Payment Processing Industry With Proven Point-to-Point Encryption Security

Voltage Security®, the world leader in data-centric security, today announced a new partnership with Gertec, provider of global commercial and banking automation solutions. Gertec will integrate Voltage SecureData Payments™ encryption technology into the Gertec PPC 910 PIN pad for electronic funds transfer (EFT). The Gertec PPC 910 supports EMV and is also PTS 2.1 certified.

“Voltage Security’s encryption expertise is unparalleled and we are pleased to be partnering on this world-class solution that allows us to provide new freedom to our customers and, in turn, their customers — freedom from worry of unsecured payment transactions,” said Jorge Ribeiro Pereira, president, Gertec.

“Based on the success of this project, we plan to continue to partner with Voltage on future integrations,” Pereira added.

Gertec has 23 years of experience in commercial and banking automation, manufacturing encrypting PIN pads, price checkers, programmable keyboards and kiosk keyboards, as well as developing customized solutions. The company has eight product lines and over 50 models for point of sale, supermarkets, bookstores, web terminals, parking lot control and lotteries, among other applications. The company’s products are sold in its native Brazil and around the world, including the USA, South Africa, Peru, Colombia, Ecuador, Venezuela, Uruguay and Paraguay.

“Our technology partnership with Gertec means that a broader range of global payment processors will now have the option of providing their customers with the highest level of transaction security. This is particularly important in countries like Brazil, which is one of the world’s fastest growing economies but is challenged with PCI data security, as well as other multinational deployments,” said George Rice, director business development, payments, Voltage Security.

Voltage SecureData […]

Voltage RSA 2013 Survey Release: 40% of Companies Have Lost Major Sales Opportunities Because They Couldn’t Access Information

Meanwhile, 46% admitted to bypassing security to get their job done, and 40% admitted that if they were breached no one would notice

Research conducted by Voltage Security®, the world leader in data-centric security, revealed that the pressure on companies to access information to get their job done is dividing the workforce. While 40% of companies have lost a sales opportunity because employees weren’t able to access the information they needed, an alarming 46% avoided the possibility of losing a sales opportunity by bypassing security controls to access necessary sensitive information to get the job done.

The study found that while an overwhelming 85% of employees say that security has added value to their company, 40% say security limits their ability to move information around. As a result, half of employees say their job is hindered because they aren’t getting access to all the information they need. With over half of respondents working for large organizations – the majority employing more than 5,000 people – employees are faced with a no-win situation. Forty percent of those questioned report simply giving up, resulting in lost sales opportunities, while a resilient 46% are pressured into circumventing security controls to close an opportunity.

The findings highlight the need for companies to strike a balance that allows employees to get to the data they need without compromising security by exposing sensitive information to the wrong people. With regards to security, the findings revealed a paradox: while 29% of organizations would notice within seconds or minutes if sensitive data wasn’t secured, a worrying 40% would never notice. This is even more alarming as more than half of respondents stated they had access to financial, customer or HR information they didn’t really […]

HuffPost Live: Matthew Keys Hacker Case Leads to Calls for Better Law

HuffPost Today: Hacker Case Leads to Calls for Better Law

Mark Bower, Vice President of Products at Voltage Security, Inc., comments with a security industry perspective.

The conversation is largely around anti-hacking legislation, and Mark points out that these laws don’t seem to be deterring cyber criminals. Protecting the sensitive data itself, so that a compromise yields nothing usable, is the proactive alternative that actually prevents attackers from exploiting that information. Other panelists include Jay Leiderman, attorney for Matthew Keys, who has taken on the case pro bono; Rep. Jared Polis of Colorado, talking about the U.S. government’s role and legislation, specifically the Computer Fraud and Abuse Act; and Hanni Fakhoury, attorney with the Electronic Frontier Foundation.


PCI SSC Releases E-commerce Guidelines Paper

Prior to the 2011 PCI community meeting, I submitted a proposal asking the council to sponsor a SIG (Special Interest Group) to help the e-commerce ecosystem better understand e-commerce security, because I felt that there was a lack of common understanding of this topic.

I had heard e-commerce merchants state, incorrectly, that PCI DSS didn’t apply to them because they used hosted payment pages. Merchants were also confused by the different connection methods offered by their payment gateway, such as hosted payment pages or APIs, and they didn’t understand the varied security implications of each method.

After a full year’s work, the final document is now available. You can find it here: https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_eCommerce_Guidelines.pdf

The big takeaways from the document are that none of the common e-commerce implementations eliminate PCI DSS requirements entirely, and that the roles and responsibilities of merchants and service providers vary depending on the integration type. For example, implementations that hand cardholder data to a third party, such as hosted payment pages, iFrames, and third-party APIs, have more scope reduction potential than merchant-managed on-premise implementations, where the merchant’s own systems store, process or transmit the data. It’s all about choices and tradeoffs.

So what should merchants do to minimize their responsibility and scope while maximizing checkout usability? The options that maximize scope reduction, such as redirecting the consumer to a hosted page, disrupt the checkout flow and are hard to customize. On the other hand, the on-premise options that maximize usability bring the merchant’s own systems into scope.

Voltage SecureData Web with Page-Integrated Encryption offers the best of both worlds. Merchants only need to add a few lines of code to an existing checkout page to encrypt cardholder data at the point the consumer enters it in the browser.  The cardholder data remains encrypted until it reaches a trusted host destination, such as a payment processor, for decryption.  The checkout retains branding and flow while maximizing scope reduction.  […]

By |March 11th, 2013|PCI|0 Comments

Cryptography for Mere Mortals #10

An occasional feature, Cryptography for Mere Mortals attempts to provide clear, accessible answers to questions about cryptography for those who are not cryptographers or mathematicians.

I promised that we were done with hashes, but there’s one more set of interesting and powerful uses for them that’s worth discussing: Message Digests (MDs), Message Authentication Codes (MACs*), and Hashed Message Authentication Codes (HMACs).

A Message Digest is just a hash of a message. MDs are useful to verify that the message was not accidentally damaged in transit. These were useful in the days of dialup and other technologies; with modern TCP/IP, whose checksums already catch transmission errors, not so much, although some websites will list an MD along with a download so that you can verify that you downloaded what you meant to get (the idea is that you’ll generate a hash after the download and manually compare it). Note the limit of that practice: a digest published next to the download on the same server only protects against corruption, not against a compromised server or mirror, which can replace both the file and the digest. Guarding against that needs a digital signature, or a digest obtained over a separate trusted channel.

More interesting are MACs and HMACs. In everyday use the terms are treated as interchangeable, although HMAC is one particular way of building a MAC. A MAC takes a message plus a secret key (a password, if you will) and creates a token—a short piece of data, a “magic value”—from that. Since the two sides—the sender and receiver—are the only ones who know that key, a MAC provides both integrity (the message has not been altered since sending) and authenticity (the token was produced by someone holding the key). What it does not provide is non-repudiation: because both parties hold the same key, either of them could have produced the token, so a MAC cannot prove to a third party which one did. That needs a digital signature.

A MAC need not use a hash function to generate the token (CBC-MAC and CMAC build one from a block cipher, for example), but with the speed, ubiquity, and security of modern hash algorithms, hashes are typically the method of choice. HMAC is the standard way of doing that (RFC 2104): the key is mixed into two nested hash computations, H((key XOR opad) || H((key XOR ipad) || message)), rather than simply prepended to the message. The distinction matters. The obvious construction H(key || message) is a hash-based MAC, but it is not an HMAC, and with MD5, SHA-1 or SHA-256 it falls to a length-extension attack: an attacker who sees one token can append data to the message and compute a valid token for the result without ever knowing the key.

So if you have a client that needs to send a transaction to a server, then instead of adding a login step […]

Format Preserving Encryption – FFX AES – NIST 800-38G Standard Development

NIST, the US Government standards body, recently went on the public record with an update about the Format Preserving Encryption standards track process. Great news! Lots of progress made and the final steps are in play.

Take a look here - http://csrc.nist.gov/groups/ST/toolkit/BCM/current_modes.html

The update is in the last section:

“NIST is developing a special publication to specify three modes for format preserving encryption based on the FFX framework: FFX-base, VAES3, and the analogous component of BPS. (See the FFX and BPS proposals on the modes development page.) A draft SP 800-38G is currently undergoing internal NIST review; a revised draft is expected to be released for public comment by the early spring.”

So there we have it. As mentioned before, it’s moving ahead nicely.

Into the regulatory boxing ring like a champ: Tackling new EU privacy rules

Data breach regulations don’t go away do they? Like an annoyed bulldog they just get more aggressive. With the pain felt by governments world-wide from the one-two punch of critical infrastructure data breaches and the big costs to society and negative impact on consumer confidence, the response of increasing compliance requirements should surprise no-one.

In the EU, ever stronger rules have been on the cards for a long time with plenty of open debate and analysis. Meanwhile, some jurisdictions like the UK embraced tighter breach notifications through the ICO and FSA. In the EU Telecoms sector, breach regulations took hold some time back but as with all sector specific regulations, without strong enforcement the effects may not be as desired. But now the EU is taking things to the next level, especially to the large online data brokers and related services. The proposal is a unified breach disclosure model across all 27 EU member states with strict enforcement. This will mean the critical infrastructure and data brokerages will be affected – and could impact many global firms operating on large amounts of online data with its origins in the EU.

There's a nice article here.

The impact is big – with possibly over 42,000 firms in scope if the reports are accurate.

The upshot here is that e-commerce providers, financial services firms, energy networks, large scale retailers gathering consumer data, social networks and "big data" oriented businesses will need to seek new ways to stay agile against this ever changing regulatory landscape without slowing down the growth demanded by the markets, or impacting customer service to stay competitive.

The good news is that it’s a solved problem […]

New world record prime number discovered

The GIMPS Project has announced the discovery of the largest known prime number to date, the Mersenne prime 2^57885161 - 1. At 17,425,170 digits, it is more than four million digits longer than the previous record, set in 2008.

The news coverage of this discovery was decent considering the subject matter, with the occasional facepalm-inducing moment, such as NBC News declaring it the largest prime number.  I think an old mathematician named Euclid might have something to say about that if he were still around.

One of the more notable aspects of this story was how quickly the primality of this number was verified.  An Intel Core2 Duo PC desktop sitting in a classroom at the University of Central Missouri ran the Lucas-Lehmer primality test on this number in 39 days, presumably using a single core.  The verifications all took less than 8 days, the fastest of which ran for only 3.6 days on an Nvidia GPU.

With the rapid rate of advances in both GPU software and hardware, there is a good chance that the next world-record prime will be found with a GPU.

By |February 5th, 2013|Math|0 Comments

Java vs JavaScript, vulnerabilities, and how to protect your sensitive data from attack.

The recently reported vulnerabilities in Java are of course a top concern for enterprises large and small. However, as reported by some of the media, there's a lot of confusion about what to do.

The advice is to disable the Java plugin in browsers until there's a fix. That is harder than you might think, because it means opening less-than-intuitive application control panels to adjust the Java install package settings. However, it is possible, and there are good guides out there to show you how. Mind you, a lot of web-facing Internet applications (not web sites) use Java because of its sophistication and its ability to deliver a nice customer experience outside the browser. Take WebEx, for example: it has a Java package that runs locally on the desktop to enable online meetings. So turning Java off entirely may not be practical all the time for business reasons.

However, the biggest area of confusion I've seen is with JavaScript. It’s simply not related to Java, despite the "j", the "a", the "v", and the other "a" before the “Script” word. You don’t need to turn it off. In fact, turning it off has no relationship to the reported Java vulnerability itself. Most e-commerce shopping carts and shopping sites, auction sites, blog sites, file sharing sites, social network sites, and webmail clients like GMail and Yahoo! will have much-reduced functionality with JavaScript disabled, and may in fact not work at all without it. About 99% of top web sites use JavaScript. That’s all the big names. Take a look at this ranking page, Top Sites using JavaScript, for example. If you’re at an enterprise of any size, it’s likely your own web site uses it […]

By |January 22nd, 2013|Risk, Security|0 Comments

The BC Health data breach: How can healthcare organizations avoid risk, but still use patient data to improve care?

It’s amazing that only 15 days into 2013 we are already seeing another potentially massive data breach. This time it’s in Canada, with healthcare-related data at BC Health; maybe 5 million records are involved. This could be huge.

You can read about it here.

There are many unanswered questions springing up as this story emerges. However, I have to ask the obvious: Why is a major government department entrusted with oversight over millions of sensitive records unable to protect them from compromise and misuse when the tools to easily and quickly protect data are readily available? I suspect the 38,000 people about to get the first round notification letters offering basic credit protection will be asking exactly the same question.

Clearly a new approach to data privacy is needed in organizations like BC Health to avoid these kinds of huge and impactful data breaches. Data breaches undermine citizens’ trust, lead to potential identity fraud, and involve complicated, costly remediation. It’s one thing for attackers to steal data with sophisticated malware, but to simply share vast quantities of private data inappropriately is inexcusable – and it’s also easily avoidable.

Data sharing and analysis is an essential business process, especially in healthcare. It’s invaluable to be able to extract trends from health data or pharmaceutical studies. It’s essential to be able to evaluate seasonal changes across a region or the nation for planning and distribution of medical supplies. Data analysis may enable proactive measures for patient treatment, improving quality of care or managing emerging health risks. The net effect is that healthcare data analysis has a direct value in potentially saving millions of dollars […]