Be ready or be dead!

"If you know yourself and you know your enemies, you will not be imperiled in a hundred battles..."

- Sun Tzu -

Wednesday, March 19, 2014

PCI DSS Requirements

This is a brief compilation of PCI DSS requirements; from it, software responsibilities can be told apart from infrastructure responsibilities. PCI DSS has 12 (twelve) fundamental requirements, grouped into six main categories as follows:

A. Build and maintain a secure network
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
B. Protect cardholder data
  1. Protect stored cardholder data
  2. Encrypt transmission of cardholder data across open, public networks
C. Maintain a vulnerability management program
  1. Use and regularly update anti-virus software
  2. Develop and maintain secure systems and applications
D. Implement strong access control measures
  1. Restrict access to cardholder data by business need-to-know
  2. Assign a unique ID to each person with computer access
  3. Restrict physical access to cardholder data
E. Regularly monitor and test networks
  1. Track and monitor all access to network resources and cardholder data
  2. Regularly test security systems and processes
F. Maintain an information security policy
  1. Maintain a policy that addresses information security

Currently, compliance with the PCI DSS 3.0 standard should be observed. It is important to point out that PCI DSS is focused on security: it tries to ensure that payments are made business-as-usual. No more, no less.

Security problems exist inside organizations more than as outside threats. Employees who do not follow adequate security principles can put their company's data at risk. Consequently, the first step every organization needs to take is to educate its people on security habits.
PCI DSS 3.0 states that it is mandatory to observe:

A. Increased security and awareness
  1. Password education for users
  2. POS security training and education
B. Greater flexibility.
This means that every organization can adopt the security model that best fits its business model and goals; that does not mean implementing weak security rules, but adopting the best solution. So, the new requirements in version 3.0 literally express the following:
  1. "Allows for organizations to implement the password strength that is appropriate for its security strategy"
  2. "More flexibility to prioritize log reviews based on organization’s risk management strategy"
C. Security is a shared responsibility.

Version 3.0 is clear and direct in stating that security matters to all participants. Support, maintenance and development constitute a main point to consider in this respect. Commonly, institutions rely on third parties for those tasks. Outsourcing brings a security threat that appears to lie outside the business boundary, but it does not. Just think that an in-house solution means one point of failure, while outsourced services mean several. Because of this problem, PCI DSS 3.0 defined responsibilities that service providers must comply with.

These days, another channel that demands special attention is mobile. Since mobile devices are very common and users make massive use of mobile networks and devices, close attention is needed to comply with version 3.0.

PCI DSS 3.0 came into effect on January 31, 2014, but organizations responsible for complying with PCI DSS and PCI App Data Security have until January 2015; this means that version 2.0 will be accepted as valid until December 2014.

To summarize, the new requirements for PCI DSS are:

  • 5.1.2 - evaluate evolving malware threats for any systems not considered to be commonly affected;
  • 8.2.3 - combined minimum password complexity and strength requirements into one, and increased flexibility for alternatives;
  • 8.5.1 - for service providers with remote access to customer premises, use unique authentication credentials for each customer;
  • 8.6 - where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates) these must be linked to an individual account and ensure only the intended user can gain access;
  • 9.3 - control physical access to sensitive areas for onsite personnel, including a process to authorize access, and revoke access immediately upon termination;
  • 9.9 - protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution;
  • 11.3 and 11.3.4 - implement a methodology for penetration testing. If segmentation is used to isolate the cardholder data environment from other networks, perform penetration tests to verify that the segmentation methods are operational and effective;
  • 11.5.1 - implement a process to respond to any alerts generated by the change-detection mechanism;
  • 12.8.5 - maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity;
  • 12.9 - for service providers, provide the written, agreement/acknowledgment to their customers as specified at requirement 

and the new requirements for the Payment Application Data Security Standard (PA-DSS) are:

  • 5.1.5 - payment application developers to verify the integrity of source code during the development process;
  • 5.1.6 - payment applications to be developed according to industry best practice for secure coding techniques;
  • 5.4 - payment application suppliers to incorporate a versioning methodology for each payment application;
  • 5.5 - payment application suppliers to incorporate risk assessment techniques into their software development process;
  • 7.3 - application suppliers to provide release notes for all application updates (I like this one);
  • 10.2.2 - suppliers with remote access to customer premises (for example, to provide support/maintenance services) to use unique authentication credentials for each customer;
  • 14.1 - provide information security and PA-DSS training for supplier personnel with PA-DSS responsibility at least annually.

Trends: Intelligent Deposit demystified

I know this can sound like an echo or an annoying phrase: Reduce Costs. This phrase will be present in a number of posts, but it is quite important to point out. What banks look for is to obtain more profit, so if they are able to gain more revenue and reduce costs, everything looks fine. We could also consider the case where there is no increase in revenue but the cost reduction strategy makes the difference. The Intelligent Deposit concept is quite simple: accept bills and checks without an envelope and provide online processing, meaning that the customer's funds are immediately available after completing the deposit transaction.
In this effort, one of the current trends in banking services is the so-called Intelligent Deposit. The purpose is to transform the way banks offer deposit services, shrink queues at the teller stations of branch offices, and reduce the time needed to execute a transaction from start to end. Currently, users (customers) have become very familiar with self-deposit stations, which means banks and customers have adopted the concept and are ready. Banks report operational savings, but there is something else: consumer adoption has surpassed expectations in many cases, creating a second-line business case mainly due to an increase in branch sales thanks to the productivity increase. More importantly, customer loyalty increases with this solution. In some studies, using advanced machines for Intelligent Deposit, the average customer can be served in just 1 minute; that is only 30% of the transaction service time needed at a teller station. In conclusion, banks that do not adopt Intelligent Deposit solutions are clear losers, since they won't attract customers due to the appearance of service and loyalty gaps; worse than that, they will lose customers.

According to RBR, there is a global increase in the Deposit Automation trend. The USA and Brazil are leading this change in the Americas, since they are adopting solutions to replace envelope deposit. The overhead of envelope deposit is eliminated by allowing customers to deposit checks and cash directly in the machine; this means zero handwriting on deposit forms, and proof of deposit as soon as the transaction ends, with check images printed on the receipt. One of the key drivers of Intelligent Deposit is the improved efficiency of check deposits. In the USA alone, the first forecast predicted around 135,000 ATMs with this feature enabled by 2018. It looks reasonable to expect this feature to become a commodity in the coming years.

To sum up, there are 3 main advantages when banks opt for Intelligent Deposit:
  • Cost reduction through operational efficiency
  • Improvement in CX (customer experience)
  • Revenue generation

Just imagine the possibility of enabling users to perform transactions at any time and location, faster than at branches, reducing the time needed to reach brick-and-mortar facilities, with less or no waiting time in queues. Some banks are taking advantage of those savings to sell additional products. Any change in process that reduces steps is a good change, more so if it comes with advantages such as the 3 mentioned above.

But there are further reasons to adopt Intelligent Deposit; among them is fraud reduction, since the mechanisms used in such terminals allow positive recognition of the cash and checks that were deposited. Bills are validated and counterfeit ones are rejected immediately. As for checks, they undergo a validation process using the MICR line, and OCR validates the CAR and LAR (courtesy and legal amount recognition), alongside an online scanning feature that prepares the check for remote deposit, sending the image to the first-line ACH system. Finally, it eliminates empty envelopes and the need for staff to manually empty the container boxes at specific times during the day for manual processing. Customers receive a receipt that verifies their transaction and timely credit for their deposits.
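As an added illustration (not code from this post or from any terminal vendor), here is a simplified version of the check validation step just described: the MICR line is parsed, the routing number's ABA check digit is verified, and the courtesy amount (CAR) is compared with the legal amount (LAR) before the item is accepted. The MICR token layout ('T' around the routing number, 'O' after the account) and all sample values are constructed assumptions; real readers emit vendor-specific symbols.

```python
import re
# Added example, not from the post. Assumed simplified MICR layout: 'T' wraps the
# 9-digit routing number, 'O' follows the account, then the check serial number.
MICR_RE = re.compile(r"^T(\d{9})T\s+(\d{4,17})O\s+(\d{1,6})$")
ABA_WEIGHTS = (3, 7, 1, 3, 7, 1, 3, 7, 1)  # routing check-digit weights
WORDS = {w: i for i, w in enumerate(
    "zero one two three four five six seven eight nine ten eleven twelve "
    "thirteen fourteen fifteen sixteen seventeen eighteen nineteen".split())}
WORDS.update({w: 10 * i for i, w in enumerate(
    "twenty thirty forty fifty sixty seventy eighty ninety".split(), start=2)})

def routing_number_valid(routing: str) -> bool:
    # ABA rule: the (3,7,1)-weighted digit sum must be divisible by 10
    return (len(routing) == 9 and routing.isdigit()
            and sum(int(d) * w for d, w in zip(routing, ABA_WEIGHTS)) % 10 == 0)

def courtesy_amount_cents(car: str):
    # CAR is the numeric amount box, e.g. '$1,234.56' -> 123456
    m = re.fullmatch(r"\$?\s*(\d{1,3}(?:,\d{3})*|\d+)\.(\d{2})", car.strip())
    return int(m.group(1).replace(",", "")) * 100 + int(m.group(2)) if m else None

def legal_amount_cents(lar: str):
    # LAR is the written amount, e.g. 'Twenty and 05/100 dollars' -> 2005
    m = re.fullmatch(r"(.+?)\s+and\s+(\d{2})/100(?:\s+dollars)?",
                     lar.strip().lower().replace("-", " "))
    if not m:
        return None
    total = current = 0
    for word in m.group(1).split():
        if word in WORDS: current += WORDS[word]
        elif word == "hundred": current *= 100
        elif word == "thousand": total, current = total + current * 1000, 0
        else: return None  # unknown token: OCR did not read the line cleanly
    return (total + current) * 100 + int(m.group(2))

def validate_check(micr: str, car: str, lar: str) -> dict:
    """Accept only if the MICR parses, the routing check digit holds and CAR == LAR."""
    m = MICR_RE.match(micr.strip())
    fields = dict(zip(("routing", "account", "serial"), m.groups())) if m else None
    reasons = []
    if fields is None:
        reasons.append("unreadable MICR line")
    elif not routing_number_valid(fields["routing"]):
        reasons.append("routing number fails ABA check digit")
    car_c, lar_c = courtesy_amount_cents(car), legal_amount_cents(lar)
    if car_c is None or lar_c is None or car_c != lar_c:
        reasons.append("courtesy and legal amounts disagree or are unreadable")
    return {"accepted": not reasons, "amount_cents": None if reasons else lar_c,
            "fields": fields, "reasons": reasons}
```

An item that fails any of the three checks is returned with `accepted` false and the reasons listed, which is the point at which a terminal would reject the check rather than credit the deposit.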

On the other hand, banks can extend the deposit cut-off time because they are no longer dependent on physical check processing. Also, they can expand their delivery channel by locating ATMs with Intelligent Deposit enabled at strategic locations, say residential or business areas with increasing demand for branch services. It is said that for the same cost as a classic brick-and-mortar branch office, it is possible to extend the branch across a neighborhood by installing ATMs with Intelligent Deposit enabled; in this way the branch office is not just a small spot on the map but something like a large octopus, with virtual tellers spread over a specific area, each of them a few streets apart.

Banks are facing a new channel, together with increases in the amounts deposited and confirmed adoption by their customers. For now, there are considerations for banks: they should look for solutions where processing speed and consumer experience go hand in hand, allowing customers to execute bunch bill recycling, bunch and single check deposit for improved item processing, and bunch and single bill deposit for deposit and payment transaction automation. Thus, you can envision additional services like payments, ticket selling, SIM card dispensing, top-up cards and more. Not bad, huh!

Friday, March 14, 2014

Welcome. This is the starting point.

I think this is the most suitable way to spread ideas and news and to gather opinions (I hope there are some). So today I start with the matter.

And of course, to reach a somewhat wider audience, I will publish some things in English. Not that there is anything wrong with Spanish, but English is spoken by a great number of people involved in technology, and interesting thoughts and ideas need to be spread. The democratization of knowledge starts from that point.

Let's start!
Technology for banks, what a big field! Yes, but are there really big and enormous possibilities for new technology and innovation addressed exclusively to banks? Maybe yes, maybe not. As in any other industry, you should look for great things happening in other places, take the good ideas, modify them and bring them home. But it is not simple: according to studies by Gartner, for instance, there will be changes like the Internet of Things, where every single appliance is connected to the internet. Starting from that point and moving to other fields like nanotechnology, the tech universe is expanding at fantastic speed; it is not possible to catch up. From time to time, nevertheless, an outstanding revolution comes along that changes everything! And what to say of the many research centers, from easily identified ones such as Microsoft Labs to complex ones like CERN. Anyway, from that bunch of sources there is the chance to find things like object detection and recognition, automated reasoning based on data and data mining, etc. Putting all of those technologies together, it is possible to imagine some of them clicking into place to offer new services and functionality for banks. Just imagine that you never again need to carry your debit card to take cash from an ATM, just because there is intelligent software that recognizes your face or scans your eyes.

This is what it is all about: trying to find advances in technology, and trying to discuss how to apply information technology and other sciences to the banking industry.

I hope to have a good start and, more importantly, to continue.