Prime Factors Blog

Jeff Cherrington

VP of Product Management & Marketing. Cherrington brings over 30 years of experience in technology development, implementation, sales, and promotion, primarily focused on payments, banking, and finance. More than half of that time was spent directly in the payments industry, either working for the largest third-party transaction processor of that time (First Data Resources) or the largest issuer of Visa credit cards (Bank One/JPMorgan Chase). In the latter role, he focused on regulatory compliance, vendor audit and security controls, and third-party service agreement negotiations. Most recently, Cherrington held a variety of roles on the executive team of PKWARE, a leading provider of data management, protection, and integrity applications, including VP of Product Management, Technical Director for EMEA, and VP of Vertical Solutions. Cherrington holds an Executive MBA from the University of Nebraska.

Recent Posts

Tokenization vs Encryption - Your Questions on Reversibility

Posted by Jeff Cherrington on May 21, 2015 3:00:00 AM

Prime Factors recently presented a well-attended webinar, "Contrast & Compare: Tokenization vs. Encryption for Data Protection." The audience was active, offering many questions, more than I had time to answer before the end of the session. As promised, we are responding to each of the questions in this blog, focusing today on the question "If it is accurate to say that tokenization is irreversible, then why is encryption reversible?" This excellent question cuts to the heart of one of the key differences between the two data protection strategies.


Topics: Tokenization

Tokenization vs Encryption - When Should You Use Either...or Both?

Posted by Jeff Cherrington on Apr 22, 2015 6:52:41 PM

I recently had the pleasure of a stimulating dialog with an acquaintance, which all started from a simple question. He asked, "When would I use tokenization and when would I use encryption?" His short question spawned several extended calls and emails as we explored the implications together. I will share parts of the conversation over the next few posts, and invite you to join the dialog. Also, if you find this discussion interesting, please join me next week, when I will explore this topic during a webinar, "Contrast & Compare: Tokenization vs. Encryption for Data Protection."


Topics: Tokenization

How Will PCI DSS V3.1 Impact You?

Posted by Jeff Cherrington on Apr 16, 2015 3:00:00 AM

The Payment Card Industry Security Standards Council (PCI SSC) announced the latest version, 3.1, of the PCI Data Security Standard (PCI DSS) today (April 15, 2015). This incremental update to v3.0, released in November 2013, is largely a set of clarifications, with at least one notable exception affecting the allowable secure communications protocols. The latter had been anticipated by a prior notification from the SSC to Qualified Security Assessors (QSAs) in a newsletter last January:

In order to address a few minor updates and clarifications and one impacting change, there will be a revision for PCI DSS and PA-DSS v3.0 in the very near future. The impacting change is related to several vulnerabilities in the SSL protocol. Because of this, no version of SSL meets PCI SSC’s definition of “strong cryptography,” and updates to the standards are needed to address this issue. [Bolding of font is mine, for emphasis.]

While SSL and early versions of TLS were considered adequately secure by prior versions of the DSS, this update serves as notification that they will not be allowed after the end of June 2016.


Topics: Enterprise Data Protection

HSM Surveyor and supported hardware security modules -- What next?

Posted by Jeff Cherrington on Apr 13, 2015 11:04:05 AM

Most readers of this blog recall that Prime Factors introduced HSM Surveyor last February; if you missed it, see the press release or listen to my interview with Sr. Solution Architect Mary Still, in which she described its capabilities. During that webinar and since, we've received a lot of questions about HSM Surveyor, its current capabilities, and how it can be used. As promised, we'll be replying to those questions in this blog over the next few weeks.


Topics: HSM Management

Who Really Needs HSM Monitoring?

Posted by Jeff Cherrington on Apr 9, 2015 3:30:00 AM

Hardware security module (HSM) monitoring has traditionally been a highly technical task relegated to execution-level administrators and similar IT professionals. The output of their work generally appears as raw numbers for a given unit, even though some enterprises have many appliances in their HSM estate. Some in the market are questioning whether that is sufficient, raising the question: who really needs HSM monitoring?


Topics: HSM Management

Healthcare Lacks Breach Warning System - Needs Data-at-rest Encryption

Posted by Jeff Cherrington on Feb 8, 2015 9:12:00 PM

Much of the media chatter regarding the Anthem data breach focuses on asking when that company’s management team knew about the breach. That question is important: delays in notifying authorities and the individuals impacted mean the latter were exposed to risk unknowingly for weeks, if not longer. While research shows that “only” 36% of data breach victims suffer out-of-pocket expense related to stolen health records, such costs average almost $19,000 when expenses occur. These victims can be compelled to reimburse “…healthcare providers for services provided to identity thieves.” Those impacted certainly want every chance to avoid such costs, and any delay only increases the risk of being one of the unlucky 36%.


Topics: Enterprise Data Protection

Identity Theft Bonanza: Implications of the Anthem Health Data Breach

Posted by Jeff Cherrington on Feb 5, 2015 11:56:47 AM

Reports hit the net this morning of a massive data breach affecting the customers of Anthem, Inc., the US’ second largest health insurer. While the reports are initial and preliminary, the breach may be the largest ever in the healthcare vertical and rank among the largest ever overall. Some sources report Anthem’s database holds details on as many as “…80 million current and former U. S. customers….” while others indicate the carrier admits to having been “…comprehensively ransacked….”


Topics: Enterprise Data Protection

How Anonymous is that Anonymized Data in Your Testbed?

Posted by Jeff Cherrington on Feb 4, 2015 8:53:00 PM

Catching up on Slashdot late last week, I came across an article one of the contributors highlighted, reporting some surprising research on anonymization. Researchers at MIT demonstrated that, starting from anonymized payment data, they needed as few as four transactions to identify a cardholder. They could accomplish the same thing with as few as three transactions if price was included. This may have implications for best practices when copies of production data are moved into quality assurance or development test beds.


Users Will Be Users – Don’t Hold That Against Them

Posted by Jeff Cherrington on Jan 21, 2015 7:18:00 PM

After a relatively quiet holiday on the data protection front (thank you, world, for no repeat of anything like last year’s Target® Stores data breach), a few things have started to pop up in the media over the last few days. Some are the expected annual summaries and reports, while some are from popular media. The latter comes from late night television: Jimmy Kimmel Live!® aired a vignette of an on-the-street reporter asking passers-by for their passwords. This bit makes a nice bookend to a study done a decade ago, showing that more than two thirds of those asked would give up their password in exchange for a chocolate bar.

[Embedded video: Kimmel posts video showing users giving their passwords to a random interviewer on the street]

While so much has changed in the last ten years, some things remain largely the same. While it’s disappointing to see that many can still be tricked out of their passwords with very simple social engineering tactics, I find it encouraging that password security is becoming so commonly appreciated that it can be fodder for late night talk shows.


Topics: Crypto Key Management, Enterprise Data Protection

How Our EMV Basics Webinar Led to a Discussion of Global Cybercrime

Posted by Jeff Cherrington on Jan 13, 2015 7:14:00 PM

Prime Factors makes a point of providing in-depth industry and market education to our customers and contacts. We’ve seen a very strong response to our EMV education series, both in the US, where the liability shift date is looming, and internationally. After receiving an announcement related to the first webinar in that series, EMV Basics, Fabian Soler contacted me to share his thoughts about how EMV adoption could play out in the US. I read his comments with a good deal of interest and respect: Soler carries a number of security certifications and was, at one time, CSO for the Payments Solutions Group of Fiserv.

Reflecting on the lag in universal EMV adoption in the US that many anticipate, Soler observes, “The deadline for full EMV support in Canada is Dec 2015 after which no payment terminal will be allowed to process magstripe domestic debit transactions – they will simply be declined by the Acquirer. This might be something you choose to share with your customers because the research here indicates all the fraudsters are moving their activities to the US. As such, not only are US merchants subject to the October liability shift but the frequency and amount of fraud they pay for will be higher.”


Topics: Payment Card Personalization