Berlin 02/15 Mini Conference

Wrapped up a really successful mini payment conference at the Michelberger Hotel, Warschauer Straße 39-40, Berlin, sponsored by Adyen and Secure Trading. It takes a large amount of planning to pull off an event such as this, so firstly I want to thank my colleagues Anika Wechsung from Adyen and Mark Gerban from Secure Trading for all the work to make this a success.

Initial feedback I have received suggests that everyone attending had a positive experience & something new to learn at the event. My personal takeaways & notes for the day are as follows:-

Started the day with a talk on Interchange Optimisation by Christos Georgousis from Blacklane. Indeed, interchange optimisation is rocket science. Christos covered all the nuances of the major models. It is mind boggling how something like interchange, which one expects to be completely transparent, has so many non-trivial optimisations. My main takeaway is that the default bundled interchange strategy is highly non-optimised. There is lots of opportunity to tweak if you care about improving bottom-line costs.

Yours truly spoke about ‘Tokenization – a deep dive’. The perspective I attempted to convey is that tokenization is a rather simple security primitive; like all security primitives, the devil is in the implementation. Also, there are some subtle edge cases on the subject which one needs to be aware of and engineer for. Initial feedback I received was very positive. I will respond to any questions / comments that I receive.

Mark Gerban grilled the panel (Babak Farahani – InnoGames, Christos Georgousis – Blacklane, Matthieu Chapelle – Wargaming) in his ‘What’s Next in Payments & Security?’ session. On a lighter note, of course, I took umbrage at the dismissal of Bitcoin as a useful currency and the panel’s negative views on the greatest invention of our lifetime. I think some of the less than positive news can be addressed objectively, and as a self-styled blockchain missionary I took it upon myself to attempt to correct the facts. Anyway, Mark had some incisive questions around biometric authentication for which there were no crystal clear answers (obviously due to the nature of the subject, and this is no reflection on the panel). Also discussed in great depth were machine learning & big data.

Jürgen Schübel and Paul Whitmore from Mastercard delivered a compelling talk on E-commerce Acceptance Trends. Firstly, it is very gratifying for a brand like MC to speak at our event, and all the more so to have speakers with the vast depth of knowledge & experience of Jürgen and Paul deliver this subject. Granted that a subject like acceptance trends can feel rather open ended, that notwithstanding Jürgen & Paul dissected the subject with panache.

To wrap up the day, Alexander Matthey spoke on ‘using payment data’. The talk was replete with specific examples of the meta-points. I think we should appreciate that although there are just about a handful of primitives supported, the cartesian product of the various ways of passing authorization data into an API makes the number of combinations gargantuan. One gripe which I shared with Alex is that tweaking data when a service does not abide by a documented API contract is in fact a workaround for flagging the service provider to ‘show cause’ for the API violation and fix the *bug*. However, I understand that we do not live in a perfect world & payments technology is not an exact science, so I appreciate Alex addressing that professionally. Anyway, Alex has vast experience with analysing payment data and hats off to him for sharing his insights.

We continued to ‘talk shop’ at the dinner hosted by Secure Trading at Weihenstephaner, Neue Promenade. Great venue to continue the open-ended conversations on e-commerce payments over great food & beer at a Bavarian-style tavern with heavy wooden tables.

Thanks to all presenters for agreeing to share their collateral. Please see the links below for the artifacts.

We will plan a similar payments event, perhaps in Q2. Please stay tuned and feel free to send any suggestions for improvements for such events.

Over & out for now.

Posted in Useful Information

PCI Tokenization Ad Nauseam

Tokenization 101
Tokenization is a rather simple concept. Take a field containing sensitive information and store it in a small, well protected area. Issue a reference (a token) to that stored value and hand out the token in place of the sensitive data, so that the rest of the estate never holds the real thing. This solves a large problem, because it is far easier to secure a small area than a large one. When the sensitive value has to be passed to another secure system, the instruction can carry the token and let the protected area resolve it.

In practical terms, in card payment systems this means storing the card number (PAN) in a protected vault and creating a token for it that every system outside the vault uses in its place. The essential property of the token is that the original value cannot be derived from it. Two further properties matter in practice: the token should be recognisable as a token, so it is never mistaken for a PAN downstream, and if the token alone can be used to initiate a payment it must also be unguessable. Monotonically increasing numbers, timestamps, database row IDs and the like satisfy non-reversibility but not unguessability; a value drawn from a cryptographically secure random number generator satisfies both. A scrambled card number or a substring of the original number makes a poor token for the obvious reason that it leaks part of the PAN. The PCI Council community has taken this simple and well established concept and beaten it to death with white papers, guidelines, blog posts, discussion forums and expert opinions.
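The following is an added example, not code from the original post or from any vendor's product: a minimal token vault with the properties described above (non-reversible, unguessable, visibly-a-token, and the only place a PAN ever lives). The class and function names, the "tok_" prefix and the test PAN are illustrative assumptions.

```python
# Added example: a minimal token vault. Names and the "tok_" prefix are assumptions.
import re
import secrets


def luhn_valid(pan: str) -> bool:
    """Standard Luhn (mod 10) check; used only to reject garbage before vaulting."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def plausible_pan(pan: str) -> bool:
    """13 to 19 digits with a valid Luhn check digit."""
    return 13 <= len(pan) <= 19 and pan.isdigit() and luhn_valid(pan)


def mask(pan: str) -> str:
    """First six and last four: the truncated form systems outside the vault may see."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """The only component that ever holds a PAN; everything else works with tokens.

    Storage is an in-memory dict for the demo. A real vault encrypts the PAN at
    rest and sits in its own network segment behind a narrow API.
    """

    TOKEN_RE = re.compile(r"^tok_[0-9a-f]{32}$")

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not plausible_pan(pan):
            raise ValueError("not a plausible PAN")
        # Same PAN -> same token, so repeat customers can be matched without a PAN.
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        # 128 bits from a CSPRNG: nothing about the PAN can be derived from it and it
        # cannot be guessed, so it is safe even where the token alone can transact.
        # The prefix means no downstream system can mistake it for a PAN.
        token = "tok_" + secrets.token_hex(16)
        while token in self._pan_by_token:  # collision is astronomically unlikely
            token = "tok_" + secrets.token_hex(16)
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only callers inside the cardholder data environment should reach this."""
        if not self.TOKEN_RE.match(token):
            raise ValueError("malformed token")
        return self._pan_by_token[token]  # KeyError for an unknown token


if __name__ == "__main__":
    vault = TokenVault()
    t = vault.tokenize("4111 1111 1111 1111")  # well-known test PAN, not a real card
    print(t, mask(vault.detokenize(t)))
```

Note that the vault returns the same token for the same PAN; that is what lets a merchant recognise a returning card without touching cardholder data, and it is why the token must be random rather than a row number, which would let anyone who sees two tokens infer the order in which cards were enrolled.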

PCI tokenization guideline info supplement
I have some specific consternation with the example in section 2.1.1, which lists ‘a one-way, non-reversible cryptographic function (e.g., a hash function with strong, secret salt)’ as an example of an acceptable token. There is no explanation of how the salt is to be kept secret: should it be protected like a cryptographic key? Should it be rotated? Who may read it? The word ‘salt’ is the root of the confusion. A salt in the password-hashing sense is a per-record nonce stored in the clear next to the hash; it needs no protection because its only jobs are to defeat precomputed tables and to keep identical inputs from producing identical hashes. That model does not carry over to card numbers, which have far too little entropy. With the BIN known, a PAN has about a billion candidates (fewer once the Luhn digit is fixed), so anyone who can read the salt can enumerate them against a single token in minutes on commodity hardware, and a per-record salt merely forces them to repeat that small search per record. A hash-based token is therefore only non-reversible if the ‘salt’ is something the attacker does not have, which is to say a key, and the honest way to specify that is an HMAC (or equivalent keyed function) whose key sits under the same key-management, access-control and rotation regime PCI DSS already demands for encryption keys. The supplement should say so plainly instead of hiding a key-management requirement behind the word ‘salt’.
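To make the point concrete, here is an added example (not code from the original post or from the PCI Council) that recovers a PAN from a ‘salted hash’ token when the salt is readable, and runs the same search against an HMAC token whose key the attacker does not hold. The BIN and the size of the account-number space are constructed so the demo finishes in seconds; a real issuer range has around 10**9 account numbers per BIN, which is still a trivial offline search for a GPU. Function names are illustrative.

```python
# Added example: brute-forcing a PAN behind a public-salt hash token vs. an HMAC token.
import hashlib
import hmac
import secrets

BIN = "411111"            # constructed: a Visa test range
ACCOUNT_SPACE = 100_000   # constructed: 10**5 candidates for speed; real ranges are ~10**9


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes `partial + digit` pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # these positions are the doubled ones once the check digit is appended
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def pan_for_account(n: int) -> str:
    """6-digit BIN + 9-digit account number + Luhn check digit = 16-digit PAN."""
    partial = BIN + f"{n:09d}"
    return partial + luhn_check_digit(partial)


def salted_hash_token(pan: str, salt: bytes) -> str:
    """The 'hash with a salt' token from the info supplement, salt stored in the clear."""
    return hashlib.sha256(salt + pan.encode()).hexdigest()


def hmac_token(pan: str, key: bytes) -> str:
    """The same idea with the 'salt' treated as what it really is: a secret key."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_pan(token: str, token_fn):
    """Enumerate every candidate PAN under the BIN until token_fn reproduces the token.

    A per-record salt changes nothing here: it only forces the attacker to run
    this loop once per token instead of once for the whole token table.
    """
    for n in range(ACCOUNT_SPACE):
        pan = pan_for_account(n)
        if hmac.compare_digest(token_fn(pan), token):
            return pan
    return None


if __name__ == "__main__":
    victim = pan_for_account(4242)
    public_salt = secrets.token_bytes(16)  # random and per-record, but stored next to the token
    tok = salted_hash_token(victim, public_salt)
    print("salted hash, salt readable:", recover_pan(tok, lambda p: salted_hash_token(p, public_salt)))

    key = secrets.token_bytes(32)  # lives in an HSM/KMS, never alongside the tokens
    tok = hmac_token(victim, key)
    print("HMAC, key unknown:", recover_pan(tok, lambda p: hmac_token(p, b"attacker guess")))
```

The first search succeeds in one pass over the account space; the second cannot succeed without the key, because the attacker's search space is now the 256-bit key rather than the 30-odd bits of the PAN. Whether the salt is static or per-record is beside the point; whether it is secret is the whole point.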

Credit Card State of the State
Credit card security is broken by design. With the current design, merchants need to accept private consumer information, then they are told they need to be ‘compliant’ and are forced to follow a ‘walled garden’ approach. A whole industry has been created to audit the walled garden. However, proven security primitives exist that make this handling of private information along the food chain completely unnecessary. Several proven models exist (think blockchain!) that eliminate the need for a payment system to have a centralised walled-garden approach. This is what one gets with monopolies and duopolies, i.e. no incentive to move with the times!

Posted in Useful Information

Project R – Reduce PCI footprint & employ security best practices

I have dramatically reduced the PCI footprint for my client. Details are in my one-pager RProjectOnepager ver0

Posted in Useful Information

Speaking on Bitcoin and e-Commerce Pain Points in NYC on 4/7

Looking forward to speaking at the ‘Inside Bitcoins’ event in NYC next week:-

Posted in Useful Information

Inside Bitcoins Conference Heads to NYC in Just 2 Weeks – Get 10% OFF

Inside Bitcoins Conference & Expo heads to New York City in just 2 weeks! The conference is being held at the Javits Center and brings together developers, entrepreneurs, experts from the financial sector, investors, banks and financial institutions, payment processors and bitcoin

Jeremy Allaire, Founder & CEO of Circle, will deliver the opening keynote on April 7 at Inside Bitcoins Conference & Expo in New York City at the Javits Convention Center. Allaire is joined by Nicolas Cary, CEO of, who will deliver the afternoon keynote on April 7, and Barry Silbert, Founder & CEO of SecondMarket and creator of the Bitcoin Investment Trust, who will speak on the panel “Wall Street’s View of Fair Value for Bitcoin” the morning of April 8.

Inside Bitcoins is excited to announce the NEW addition of the Bitcoin Basics Booth, open to every conference attendee; the experts at the booth will help answer all questions about the virtual currency, from getting set up with your first wallet, to making payments, and more.

A second track of conference sessions has been added to the event and includes: A Startup Perspective: Building a Trading Platform from Scratch by Luke Jones, Co-Founder of Coinarch; Bitcoin Merchant On-Ramp by Steve Beauregard, Founder & CEO of; Bitcoin in the Cloud by Benjamin Gorlick, COO of CloudHashing; Bitcoin Comes To Main Street by Tyler Roye, Co-Founder & CEO of eGifter; Beyond Bitcoin: BitShares Delves Into Digital Shares by Daniel Larimer, Founder & CEO of; and Data Center Planning Calculator for Megawatt Mining by Eric P. Doricko, a Data Center

Alina Consultants readers get 10% OFF full conference passes with code ALINA! Plus, if you register before April 7, you’ll save an additional $300 on on-site prices!

Posted in Useful Information

Alina Consultants partners with Inside Bitcoins Event in NYC on April 7-8!


Posted in Useful Information

Heading to Berlin on Feb 11th.

I am running a panel on ‘Moving Bitcoin Forward: Bringing Trust, Legitimacy and Transparency to the Market’ for Inside Bitcoins, Berlin on 11th Feb, 2013.

Posted in Useful Information

Speaking on Bitcoin at WTIA on 22nd Jan 2014

Great to be speaking at a local event with an exceptional panel!

Posted in Useful Information

Speaking on bitcoin at SeaGL

I am speaking at SeaGL – the Seattle GNU/Linux Conference.

Posted in Useful Information

Heading to Vegas for the 2013 PCI Council meeting.

The time of the year when the PCI cognoscenti head to Vegas! I will be there on 9/25 & 26 to get the 3.0 scoop firsthand!

Posted in Useful Information

Let’s meet!

Schedule an appointment to discuss your payments issues, at no obligation.