
NCHA Offers Check Security Feature Registry

Creates registry to verify security features on checks.

In late September, the National Clearing House (NCHA) introduced a registry for image-survivable check security features designed to combat check fraud. "There are a number of security features with various verification systems behind them," explains Frank Jaffe, president of MorSecure (Portland, Maine), a project management and consulting firm involved in the registry initiative. "Vendors developed their own ways to do this because there are no standards. People don't really know how to verify [check security features]."

The risk management tool supports the interoperability framework developed by the New York-based Financial Services Technology Consortium (FSTC), which "allows simple messages to be used in common for the verification process of checks," Jaffe explains. The FSTC asked NCHA (Dallas) to create the registry, he says, and "also asked [Annapolis, Md.-based Accredited Standards Committee] X9 to develop a draft standard for trial use to eventually formalize the standard around the messaging piece" and enable interoperable security feature verification.

Glenn Wheeler, president and CEO of the NCHA, says that this interoperability will be key to the industry's efforts in creating additional fraud controls in the check space. "Check fraud is still a problem," he notes. "Over 30 billion checks are still being written in this country, and a lot is going on in the check area with imaging and image share. So through this work, we want to be able to define standards so that regardless of which vendor solution a bank is using, they will still have that interoperability."

The registry is Web-based and can be found at Vendors are invited to register their security features there after completing a questionnaire. MorSecure's Jaffe says the XML-based registry can be downloaded and will be updated as needed.

Vendor Sign-Up

Currently, according to the NCHA's Wheeler, the organization is only registering the vendors and validating their security features. "As [X9] finalizes the standards, then we'll allow financial institutions and merchants to sign in and identify those registered vendors and their solutions," he says. While there is no set timetable for when X9 will complete its part of the job, Wheeler says, "It is on a fast track."

In the short time the registry has been available to vendors, response has been rather good, according to Wheeler. "Several vendors have registered; four registered within a couple of days after it became available," he says. "The next step is being able to provide the interoperability for the industry. This project is a great example of cooperation between many players in the industry."

--Maria Bruno-Britz
