Voltage Security®, the world leader in data-centric security, today announced a new partnership with Gertec, provider of global commercial and banking automation solutions. Gertec will integrate Voltage SecureData Payments™ encryption technology into the Gertec PPC 910 PIN pad for electronic funds transfer (EFT). The Gertec PPC 910 supports EMV and is also PTS 2.1 certified.

“Voltage Security’s encryption expertise is unparalleled and we are pleased to be partnering on this world-class solution that allows us to provide new freedom to our customers and, in turn, their customers — freedom from worry of unsecured payment transactions,” said Jorge Ribeiro Pereira, president, Gertec.

“Based on the success of this project, we plan to continue to partner with Voltage on future integrations,” Pereira added.

Gertec has 23 years of experience in commercial and banking automation, manufacturing encrypting PIN pads, price checkers, programmable keyboards and kiosk keyboards, as well the development of customized solutions. The company has eight product lines and over 50 models for point of sales, supermarkets, bookstores, web terminals, parking lot control and lotteries, among other applications. The company’s products are sold in its native Brazil and around the world including the USA, South Africa, Peru, Colombia, Ecuador, Venezuela, Uruguay and Paraguay.

“Our technology partnership with Gertec means that a broader range of global payment processors will now have the option of providing their customers with the highest level of transaction security. This is particularly important in countries like Brazil, which is one of the world’s fastest growing economies but is challenged with PCI data security, as well as other multinational deployments,” said George Rice, director business development, payments, Voltage Security.

Voltage SecureData Payments provides complete point-to-point encryption (P2PE) for retail payment transactions, and with tokenization from Voltage SecureData Enterprise enables PCI scope reduction without the massive IT disruptions traditionally associated with encryption.

The Voltage SecureData Payments POS SDK can be implemented with any mobile or POS devices and payment processing systems and is already integrated into leading payment card reading devices and PIN pads, offering merchants the flexibility to support the hardware of their choice.

More than 1,000 global customers across all industries including the Fortune 500, major retailers, banks and payment processors look to Voltage Security to seamlessly protect data while ensuring it remains accessible and usable, despite security threats and increased risk from data breaches.

For more information, please visit www.voltage.com.

The post Voltage Security Partners With Gertec to Deliver Secure Payment Transactions appeared first on Voltage Security.

Research conducted by Voltage Security®, the world leader in data-centric security, revealed that the pressure on companies to access information to get their job done is dividing the workforce. While 40% of companies have lost a sales opportunity because employees weren’t able to access the information they needed, an alarming 46% avoided the possibility of losing a sales opportunity by bypassing security controls to access necessary sensitive information to get the job done.

The study found that while an overwhelming 85% of employees say that security has added value to their company, 40% say security limits their ability to move information around. As a result, half of employees say their job is hindered because they aren’t getting access to all the information they need. With over half of respondents working for large organizations – the majority employing more than 5,000 people – employees are faced with a no-win situation. Forty percent of those questioned report simply giving up, resulting in lost sales opportunities, while a resilient 46% are pressured into circumventing security controls to close an opportunity.

The findings highlight the need for companies to strike a balance that allows employees to get to the data they need without compromising security by exposing sensitive information to the wrong people. With regards to security, the findings revealed a paradox: while 29% of organizations would notice within seconds or minutes if sensitive data wasn’t secured, a worrying 40% would never notice. This is even more alarming as more than half of respondents stated they had access to financial, customer or HR information they didn’t really need – putting potentially sensitive information at risk.

“It is safe to assume that with the majority of people working for major organizations with more than 5,000 employees, the loss of a single deal can be detrimental to business and may well cause millions in damage,” said Dave Anderson, senior director, marketing, at Voltage Security. “The results show that organizations employ an array of restricting security tools that struggle to make data available to the right people, though the fundamental issue of security remains. Protecting sensitive data is the key requirement. Security can, and should be, seamlessly integrated into current business processes, rather than stand-alone functions that enable employees to protect information at all times. Deploying a data-centric framework will enable companies to protect sensitive information at all times, while still allowing employees to access, use, and move the data within the enterprise as needed to perform their duties.”
Anderson recommends the following steps to make sure companies can best protect their data while still ensuring it can be accessed and moved with the organization as needed:

1. Think about a data-security strategy, not a security strategy based on only protecting a device, server, tape, disk, or media. This helps ensure any sensitive data can be protected anywhere it moves, and any way it is used.
2. Focus on integrating the core data protection functions, including encryption, tokenization and data masking capabilities, across a single vendor solution. Individual point products that are not integrated can be difficult to deploy and manage, and this is often where control gaps are found.
3. Implement data protection solutions that comprehensively protect all structured and unstructured data types across the entire IT infrastructure, including everything from legacy and mainframe, to data in the cloud and on mobile. Only protecting a single data type or a limited number of applications can leave an organization exposed to a potential data loss.

ⁱStudy conducted by Voltage at RSA San Francisco in February 2013 with 300 IT professionals

The post Voltage RSA 2013 Survey Release: 40% of Companies Have Lost Major Sales Opportunities Because They Couldn’t Access Information appeared first on Voltage Security.

Mark Bower, Vice President of Products at Voltage Security, Inc., comments with a security industry perspective.

The conversation is largely around anti-hacking legislation and Mark points out that these laws don’t seem to be deterring cyber criminals. Protecting sensitive data is a proactive and direct offensive that prevents hackers from compromising that information. Other panelists include Jay Liederman, attorney for Matthew Keys, who has taken on the case pro bono, and Rep. Jared Polis, Colorado talking about the U.S. government’s role and legislation, specifically The Computer Fraud and Abuse Act, and Hanni Fakhoury, attorney with the Electronic Frontier Foundation.

Contact Voltage Security

The post HuffPost Live: Matthew Keys Hacker Case Leads to Calls for Better Law appeared first on Voltage Security.

I had heard e-commerce merchants state—incorrectly—that PCI DSS didn’t apply to them because they used hosted payment pages.  Merchants were also confused by the different connection methods offered by their payment gateway, such as hosted payment pages or APIs, they didn’t understand the varied security implications of the different connection methods.

After a full year’s work, the final document is now available. You can find it here: https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_eCommerce_Guidelines.pdf

The big takeaways from the document are that none of the common e-commerce implementations eliminate PCI DSS requirements entirely, and that the roles and responsibilities of merchants and service providers do vary, depending on the integration type. For example, fully outsourced implementations such as APIs, iFrames, and hosted payment pages have more scope reduction potential than merchant on-premise implementations. It’s all about choices and tradeoffs.

So what should merchant do to minimize their responsibility and scope, while maximizing checkout usability? Options that maximize scope reduction disrupt the consumer checkout process and are hard to customize. On the other hand, on-premise options that maximize usability increase scope.

Voltage SecureData Web with Page-Integrated Encryption offers the best of both worlds. Merchants only need to add a few lines of code to an existing checkout page to encrypt cardholder data at the point the consumer enters it in the browser.  The cardholder data remains encrypted until it reaches a trusted host destination, such as a payment processor, for decryption.  The checkout retains branding and flow while maximizing scope reduction.  Find more information about Voltage SecureData Web with Page-Integrated Encryption here: http://www.voltage.com/wp-content/uploads/Voltage_DS_SecureData_Web.pdf

The post PCI SSC Releases E-commerce Guidelines Paper appeared first on Voltage Security.

I promised that we were done with hashes, but there’s one more set of interesting and powerful uses for them that’s worth discussing: Message Digests (MDs), Message Authentication Codes (MACs*), and Hashed Message Authentication Codes (HMACs).

A Message Digest is just a hash of a message. MDs are useful to verify that the message was not accidentally damaged in transit. These were useful in the days of dialup and other technologies; with modern TCP/IP, not so much, although some websites will list an MD along with a download so that you can verify that you downloaded what you meant to get (the idea is that you’ll generate a hash after the download and manually verify it).

More interesting are MACs and HMACs. These are essentially the same thing in practice. A MAC takes a message plus a secret key (a password, if you will) and creates a token—a short piece of data, a “magic value”—from that. Since the two sides—the sender and receiver—are the only ones who know that key, a MAC provides both integrity (the message has not been altered since sending) and assurance (the sender is who we think it is).

A MAC need not use a hash function to generate the token (it could use an encryption algorithm, for example), but with the speed, ubiquity, and security of modern hash algorithms, typically hashes are the method of choice. And a MAC that uses a hash function is an HMAC.

So if you have a client that needs to send a transaction to a server, then instead of adding a login step with userid/password, you instead make it atomic, sending one request: the transaction plus an HMAC. That is, the contents of the transaction are hashed using the previously agreed-upon password as a salt, and sent along with the transaction as a kind of single-use password.

Since the server knows the password, it can take the contents of the transaction, hash them (again using that password as a salt), and thus authenticate the request.

Even if an attacker is somehow able to intercept the request, the request itself cannot be changed, nor can bogus requests be made: without the secret key, the attacker cannot create a new HMAC that the server will accept.

The post Cryptography for Mere Mortals #10 appeared first on Voltage Security.

Take a look here - http://csrc.nist.gov/groups/ST/toolkit/BCM/current_modes.html

The update is in the last section. 

“NIST is developing a special publication to specify three modes for format preserving encryption based on the FFX framework: FFX-base, VAES3, and the analogous component of BPS. (See the FFX and BPS proposals on the modes development page.) A draft SP 800-38G is currently undergoing internal NIST review; a revised draft is expected to be released for public comment by the early spring”

So there we have it – as mentioned before, its moving ahead nicely.

The post Format Preserving Encryption – FFX AES – NIST 800-38G Standard Development appeared first on Voltage Security.

In the EU, ever stronger rules have been on the cards for a long time with plenty of open debate and analysis. Meanwhile, some jurisdictions like the UK embraced tighter breach notifications through the ICO and FSA. In the EU Telecoms sector, breach regulations took hold some time back but as with all sector specific regulations, without strong enforcement the effects may not be as desired. But now the EU is taking things to the next level, especially to the large online data brokers and related services. The proposal is a unified breach disclosure model across all 27 EU member states with strict enforcement. This will mean the critical infrastructure and data brokerages will be affected – and could impact many global firms operating on large amounts of online data with its origins in the EU.

There's a nice article here.

The impact is big – with possibly over 42,000 firms in scope if the reports are accurate.

The upshot here is that e-commerce providers, financial services firms, energy networks, large scale retailers gathering consumer data, social networks and "big data" oriented businesses will need to seek new ways to stay agile against this ever changing regulatory landscape without slowing down the growth demanded by the markets, or impacting customer service to stay competitive.

The good news is that it’s a solved problem as many leading firms already know: data-centric security’s already here to keep the attackers away from live data while driving the data-hungry machines of commerce without increased risk, even across the most complex data processes.

Even if your enterprise is embracing the latest Hadoop variation and worried about privacy barriers, or pushing data into a complex aggregation of enterprise and cloud services, then protecting data from capture to destruction can be easily achieved. When the data itself is protected end-to-end over its lifecycle without compromising its value to the business process or analytics, it’s a win-win for business and IT. Innovations like Format-Preserving Encryption and Stateless key management deliver consumable data-centric security that’s never been easier to use.

Data-centric security is both an enabler and a powerful risk management tool – with the ability to protect structured and unstructured data anywhere. In fact, just in the last two weeks we helped a new, innovative cloud-based business that provides online social network based retail services to secure its sensitive personal and payment data in the cloud in just a few days from start to finish – all nicely integrated into an agile Ruby on Rails applications using NIST FFX mode Format Preserving Encryption to protect data from the moment its captured. They're now privacy regulation ready and minimizing risk to sensitive customer data anywhere it goes, including into their IaaS provider's systems.  They are the only ones with control over their keys – and thus control to data. That’s in line with general best practices as outlined last year by Gartner, which reflect our data-centric advice we've been pioneering for several years as readers know.

So, when the next sophisticated privacy regulation comes along, having a data-centric strategy in place for security probably means you're already won compliance boxing match – but more importantly, already many steps ahead of the attackers.

It’s never too late to see how data-centric security can give your business the protection it needs from modern risks – for more information, don’t hesitate to drop me a line at info@voltage.com, or send us a request for more information right here.

The post Into the regulatory boxing ring like a champ: Tackling new EU privacy rules appeared first on Voltage Security.

The news coverage of this discovery was decent considering the subject matter, with the occasional facepalm-inducing moment, such as NBC News declaring it the largest prime number.  I think an old mathematician named Euclid might have something to say about that if he were still around.

One of the more notable aspects of this story was how quickly the primality of this number was verified.  An Intel Core2 Duo PC desktop sitting in a classroom at the University of Central Missouri ran the Lucas-Lehmer primality test on this number in 39 days, presumably using a single core.  The verifications all took less than 8 days, the fastest of which ran for only 3.6 days on an Nvidia GPU.

With the rapid rate of advances in both GPU software and hardware, there is a good chance that the next world-record prime will be found with a GPU.

The post New world record prime number discovered appeared first on Voltage Security.

The advice is to turn off Java in browsers until there's a fix. It's harder to do than you might think, due to having to open less-than-intuitive application control panels to adjust the Java install package settings. However, it is possible and there are good guides out there to show you how. Mind you, a lot of web-facing Internet applications (not web sites) use Java due to its sophistication and ability to deliver a nice customer experience outside the browser. Take WebEx, for example. It has a Java package that runs locally on the desktop to enable nice online meetings. So turning it off may not be practical all the time for business reasons.

However, the biggest area of confusion I've seen is with JavaScript. It’s simply not really related to Java despite the "j", the "a", the "v", and the other "a" before the “Script” word. You don’t need to turn it off. In fact, turning it off has no relationship to the reported Java vulnerability itself. Most e-commerce shopping carts and shopping sites, auction sites, blog sites, file sharing sites, social network sites, and webmail clients like GMail and Yahoo! will have much-reduced functionality with JavaScript disabled — and
may, in fact, not work at all without it. About 99% of top web sites use JavaScript. That’s all the big names. Take a look at this ranking page, Top Sites using JavaScript, for example. If you’re at an enterprise of any size, it’s likely your own web site uses it for analytics or other purposes.

JavaScript is a handy, HTML-related coding tool which can streamline web experiences. JavaScript
executes in the browser itself. Of course, there are some places JavaScript shouldn’t be used — in email messages for example. JavaScript in an email attachment looks like malware to most scanners, and may be blocked or stripped — and quite rightly. That’s why in Voltage SecureMail we only use neutral and simple HTML for example.

On the other hand, Java is used to create actual applications. Java applications need a Java
virtual machine to execute. Using Java in the browser or on the desktop requires a hefty install for the Java VM and Java application stack, with browser plugins from Oracle and of course regular, annoying patching. Java applications may run using a browser plugin, but they may also be standalone applications with their own GUI. They might also be on smart devices. Android runs mostly Java-based applications, for example. The latest vulnerabilities relate to the execution of arbitrary applications exploiting the Java system itself.

To help explain all this, I found this article useful to share when asked questions on this topic.

However, also remember that fixing one vulnerability simple leads to trying to fix the next. That’s not a fun game. So, if data breaches and attackers stealing data are your concern— or you want to be able to use data easily in low-trust environments that are probably vulnerable to compromise — then instead of worrying about Java issues or similar vulnerabilities, why not protect the data independently of the system, using data-centric security?

Data-centric security can be applied to email inside and outside the enterprise, files, payment transactions, data in applications, databases, big data, cloud, mobile email, and even back office legacy mainframe infrastructure — practically any structured or unstructured data, anywhere it goes.

With data-centric security, organizations can protect the data from cradle to grave, instead of trying to keep up with the constant barrage of IT system vulnerabilities. Patching is of course important and a good best practice, but it’s not always practical to do immediately — and sometimes a patch might not even exist. After all, patching is a burdensome arms race that can never be won.

Data-centric security, on the other hand, is a powerful enabler that can be applied easily
and quickly, and opens new doors to more use of data without increasing risk. It provides enterprises large and small with more freedom to expand and grow as data-driven leaders, and to escape the burden of traditional approaches to IT security that are becoming increasingly transparent to the new attackers — the bad guys now creating powerful malware to steal your data from vulnerable systems. So why not take a look at a newer, powerful data-centric approach to ease the pain of compliance and data breach risk management?

As always, to find out more don’t hesitate to drop me a line at info@voltage.com, or
send us a request for more information right here.

The post Java vs JavaScript, vulnerabilities, and how to protect your sensitive data from attack. appeared first on Voltage Security.

You can read about it here.

There are many unanswered questions springing up as this story emerges. However, I have to ask the obvious: Why is a major government department entrusted with oversight over millions of sensitive records unable to protect them from compromise and misuse when the tools to easily and quickly protect data are readily available? I suspect the 38,000 people about to get the first round notification letters offering basic credit protection will be asking exactly the same question.

Clearly a new approach to data privacy is needed in organizations like BC Health to avoid these kinds of huge and impactful data breaches. Data breaches undermine citizens trust, lead to potential identity fraud, and involve complicated, costly remediation. It’s one thing for attackers to steal data with sophisticated malware, but to simply share vast quantities of private data inappropriately is inexcusable – and it’s also easily avoidable.

Data sharing and analysis is an essential business process, especially in healthcare. It’s invaluable to be able to extract trends in health data or pharmaceutical studies. It’s essential to be able evaluate seasonal changes across a region or the nation for planning and distribution of medical supplies. Data analysis may enable pro-active measures for patient treatment to improve quality of care or to manage of emerging health risks. The net is that healthcare data analysis has a direct value in potentially saving millions of dollars in health costs, but more importantly it can save lives. 

However, when this kind of data is shared and processed in this way, it’s also essential to securely de-identify the live data to ensure that the personal details and sensitive fields of patients and citizens aren’t exposed in low trust system. These might include Big Data platforms like Hadoop, researcher’s computer systems including spreadsheets or even USB sticks. Of course, there's also the ever present privacy compliance mandates to meet too: the data protection regulations that exist to force organizations to manage the high impact risks to data this breach illustrates. These apply wherever the data goes – including the research and analysis side.

So how do we fix this problem? How do we easily meet or even avoid compliance mandates and costs, and see a return from the data analysis without risk?

The good news is that the tools are already here to make this a snap. Many large scale organizations are already seeing the benefits, especially in healthcare but across all verticals. Today, leading organizations have taken the simple but powerful steps to protect their sensitive data everywhere it goes: in applications, in databases, to outsourcers, to the cloud, in Big Data, in and out of the enterprise – in a consistent, secure and scalable way.

Through powerful breakthroughs in data-centric security, it’s now possible to extract the maximum value from even the most sensitive data without exposing the “live” data to low trust environments – even in the very latest Big Data analytic platforms. The technique is called Format Preserving Encryption (FPE) – NIST FFX mode AES. The solution using this powerful technology is Voltage SecureData Enterprise. FPE is simple to use. It's secure and proven. It preserves the value in the data, but removes the risk. It scales tremendously, and it can be distributed and consumed on any platform anywhere from mainframe to the cloud with minimal impact. It can work with existing investments in data management including ETL systems and data lifecycle management tools. And it works. 

Leaders across the public and private sector including major healthcare providers and insurance companies and even US Government military agencies dealing with healthcare informatics use data-centric approaches today. They protect live data in production, de-identify data for use in development and QA, and enable sharing of sensitive multi-terabyte datasets with third party research hospitals back-and-forth for analysis without risk, all without compromising the integrity of the data or the research. Quicker analysis from more data means better results, faster decision making, more value from data, and improved healthcare. Data-centric security is the enabler.

Data-centric security can be achieved easily and quickly at any scale – especially in healthcare to release the full value in the data without increased risk. So why didn’t BC Health take that extra step to safeguard its data on the millions citizens it serves instead of just writing handling rules that clearly weren't followed? Maybe we will never know, but why would anyone wait when data-centric security is that easy and so powerful?

To find out more don’t hesitate to drop me a line at info@voltage.com or send us a request for more information right here.

The post The BC Health data breach: How can healthcare organizations avoid risk, but still use patient data to improve care? appeared first on Voltage Security.