Update requirements_draft.txt
authorErik Anderson <eanders@pobox.com>
Wed, 10 Jun 2015 09:41:55 -0400
changeset 737 61aeea25a279
parent 736 9bc40742fd42
child 738 7de692b1ddf4
Update requirements_draft.txt
latest/requirements/requirements_draft.txt
--- a/latest/requirements/requirements_draft.txt	Sun Jun 07 22:26:51 2015 -0400
+++ b/latest/requirements/requirements_draft.txt	Wed Jun 10 09:41:55 2015 -0400
@@ -288,7 +288,7 @@
 Key takeaways and notes from the documentation:
   - Identity & Authorization
      - Identity Management
-         - important to meeting cybersecurity goals. Identity Framework will provide better coverage than authentication solutions.
+        - Important to meeting cybersecurity goals. Identity Framework will provide better coverage than an authentication solution.
      - Significant advancements in technology allow for devices and mechanisms to identify their owner
      - Standards, approaches and solutions that could be tailored to address an individual organization’s priorities
      - Did the user authorized the transaction, sharing of his information, opening of personal records?
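Review bot: the reworded claim in this hunk, "Identity Framework will provide better coverage than an authentication solution", is still asserted without saying which of the reviewed documents it summarises or what "coverage" is being compared (accounts, transactions, threat classes), so a reader cannot trace it back to a source; consider naming the document and the dimension of coverage in the bullet. While this block is being touched, the unchanged context line "Did the user authorized the transaction, sharing of his information, opening of personal records?" should read "authorize".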
@@ -317,21 +317,44 @@
         - A large percentage of data breaches occurred from password/account recovery mechanisms of authorized vendor accounts.
         - Separation of the data security from the application security was viewed as a giant leap forward in event the application or operating system was compromised. This mechanism should be applied on consumer premise as well.
         - Consumer confidence in electronic payment systems is at an all time low. Millennials trust Bitcoin's more than fiat.
-        - Financial institutions must accept the consequence of a security failure but that does not always match who has the ability to correct those security gaps.
-          Example: Financial institution has no control over browser security mechanisms, Financial Institution have no control over zero day vulnerabilities in software applications written by 3rd parties.
+        - Financial institutions must accept the consequence of a fraud & security failure but that does not always match who has the ability to correct those security gaps.
+          Example: Financial institution has no control over browser security mechanisms, Financial Institution have no control over zero day vulnerabilities in software applications written by 3rd parties. Financial Institutions will have no control of the network security as future payments transition between closed loop systems and open loop system (ie public internet).
         - Information about the quality of commercial security products is imperfect and causes incorrect investment decisions
-        - Current security depends on the security of each element of a network. 
+        - Current security depends on the security of each element of a network.
+		- Studies conducted since 2009 show that hackers are attacking private data over payment instruments themselves. Having access to data is allowing the fraudsters to conduct large volumes of smaller value transactions. Smaller transactions may go unnoticed by consumers.
+		- Analysis of data breaches show serious weaknesses in data security at merchants, Depository Financial Institutions, and payment processors. Despite emphasizing larger merchants and recently imposing a system of fines for failing to comply with PCI standards, the PCI process has not prevented security weaknesses that allow large data breaches. Strengthening public oversight and adoption of data security techniques in nonfinancial organizations would supplement improvements to the financial systems.
+		- While many breaches have not exposed large quantities of sensitive data, what is exposed is particularly useful for identity theft.
      - All data must be protected at all times from UI entry/display to the very databases that information is stored.
      - Mechanism to measure threat intelligence of information. Threat intelligence must have context if its to be actionable.
      - Data security technology mechanisms must be integrated into an organization’s workflow and risk management practices.
      - The size and sophistication of an organization, to a large extent, indicates the threat information that contains and must protect.
      - Sharing private sector information with government still has many legal hurdles. Authorization mechanisms must be put into the data itself to authorized sharing of information with the government yet limit regulatory snooping.
-     - Cyber threat due to information sharing is a serious issue and must be addresses.
-     - Consumer use of corrective financial protection mechabisms, such as Fraud Alerts and Credit Freeze systems, has been very low (<10%) unsuccessful. Consumers don't use these particular types of identity theft protections and by the time the alert or freeze occurs the damage has been done. When consumers use those systems it ends up costing several days of time. Must protect the data around identity (ie credentials) with better access controls and protection mechanisms. It should be infeasible to defeat the authentication, identification, and access control mechanisms to expose the data even on a compromised PC or at a compromised consumer data collection facility.
+     - Cyber threat due to information storage, transit, and sharing mechanisms are serious issues and must be addresses.
+     - Consumer use of corrective financial protection mechanisms, such as Fraud Alerts and Credit Freeze systems, has been very low (<10%) and unsuccessful. Consumers don't use these particular types of identity theft protections and by the time the alert or freeze occurs the damage has been done. When consumers use those systems it ends up costing several days of time. Must protect the data around identity (ie credentials) with better access controls and protection mechanisms. It should be infeasible to defeat the authentication, identification, and access control mechanisms to expose the data even on a compromised PC or at a compromised consumer data collection facility.
      - Identity theft and fraud is drastically increasing (25-50% per year) because of personal data sharing mechanisms, data breaches, password/account recovery mechanisms, malware, etc.
+	 - Currently, the Federal Trade Commission and the Consumer Finance Protection Bureau have jurisdiction to enforce data security measures that deter payment fraud at merchants and processors. Legislators have proposed giving the FTC authority not only to enforce data security standards but to set them as well. Federal financial institution regulators may need to speed implementation of their new cybersecurity assessments of financial institutions and strongly emphasize data security.
+	 - Countries that adopted chip-n-pin carts have noticed that fraudsters shifted their efforts to identity fraud, taking over or creating new accounts, and IMOTO (Internet and Mail Order and Telephone Order) causing a dramatic rise in associated fraud losses. History shows that new payment instruments & technologies lack adequate protective measures, such as the Internet, causing a major influx of fraudsters. Adopting chin&pin in the US will have unintended consequences such as flocking to internet based payment mechanisms.
   - Security Framework
      - Security Framework should recognize the global nature of technology yet avoid guidance based on country of origin, which would impede international commerce.  National cybersecurity concerns can be addressed in alignment with international standards.
      - A data security standard/framework should wrap the details of the underlying technologies yet be flexible to let the industry define how the framework protects the assets within their organizations based on their overall risk management plans. Avoid developing a conformity assessment program, confidence before conformity.
      - Industry should define how the Framework should be adopted in their organizations based on their overall risk management plans. That approach has generally been well received. 
-     - Framework must address privacy and civil liberties methodology. Identity and privacy technology must be integrated with cybersecurity technology. Layer cybersecurity technologies into identity and privacy so identity theft and violation of privacy becomes infeasible.
-     - Framework should be directly referenced as "public policy" to prevent against misaligned incentives. Policymakers cant craft a policy that addresses constantly changing threats, complex interdependencies of todays information networks, nor provide enough details to implement adequate cybersecurity protection.
+     - Framework must address privacy and civil liberties methodology. Identity and privacy technology must be integrated with cybersecurity technology. Layer cybersecurity technologies into authentication, authorization, identity, message exchange, and private information sharing mechanisms so identity theft and violation of privacy becomes infeasible.
+     - Framework should be directly referenced as "public policy" to prevent against misaligned incentives. Policymakers cant craft a policy that addresses constantly changing threats, complex interdependencies of todays information networks, nor provide enough details to implement adequate cybersecurity protection. Under some assumptions, strategic uncertainty may lead to more effort to protect than is socially optimal
+     - Framework must address protection of the data itself. A payment and information networks consists of many components—computers, communication channels, software, and users—each subject to attack and requiring defense. The weakness of each component will vary, and attackers will strike vulnerabilities with the highest expected payoff. Engineers who protect these components make judgements about their vulnerability and prioritize each component to determine which weakness to correct. These assessments are difficult, costly, and uncertain, and some weaknesses will likely remain due to undetected vulnerabilities or imprecise assessments (such as underestimates of potential damages). Engineers cant protect all the components all the time so we must work on protecting the underlying data. This requires a data protection framework that spans the UI to the very data storage. A proper framework will allow the web/internet to be used as the payment pipes. Without such a data protection framework it will be impossible to safely use the web/internet because of the uncertainty of security of each network node a transaction goes through.
+	 - Without a proper framework the Engineers will protect a handful of weak network links but not all of them. Over time, the set of weak links will change. A mild amount of uncertainty can lead to additional protection of weaker links where expected losses are high and countermeasures are justified. On the other hand, high uncertainty can lead to no protection: the defender may not know which link is weakest and thus leave all links unprotected.
+	 - Installation of 'corporate malware' is a norm for financial institutions. They install this malware to allow them to follow misaligned compliance incentives. Without protecting the data itself, this approach to following compliance becomes the weakest link in the institutions security and the point of attack.
+  - Financial institution priorities:
+     - Short-term priority: protect payment and other sensitive data
+	 - Medium-term priority: protect electronic cash letters and improve authorization in card payments
+	 - Long-term priorities: effective security standards and improved incentives
+	    - One key long-run principle to ensure efficient processing and strong security would be to standardize security protocols embedded in and around the electronic payment messages. An example would be to segregate anonymized elements in every message in its own security layer such that each element is individually encrypted but also unusable without attacking and reassembling the whole.
+		- Standardization is critical for this because transactional value needs to move internationally and processors can adapt their systems to a limited set of protocols.
+		   - For example, there are a number of efforts to develop tokens for e-commerce transactions to replace card numbers in processing. The tokenization schemes work similarly, and if they all go to market, much of the processing chain will need costly upgrades to integrate with token systems that address the same security weakness.
+		   - While proprietary standards may be quick to develop, research suggests that an inclusive and cooperative development process, such as that provided by the ANSI, improves motivation to comply with standards. In any large and diverse payment system, even well-designed security standards will be adopted unevenly across participants, so it is critical to motivate participants to comply. To 'encourage' adoption statutory rules allow a basic principle that the entity in the best position to deter fraud will bear the losses for a payment it processes. This principle of assigning liability to the control point best suited to prevent fraud provides strong incentive to detect and deter fraud in a cost-effective manner.
+		   - As security for transactions becomes more standardized and adopted you can objectively measure the security and risk of a transaction to allow independent insurance to be cheaply added to cover those transactions.
+		   - The payment systems can attained low fraud loss rates without a central authority implementing significant rules or oversight.
+		   - Applying the same principle to data will help protect sensitive data on home computers. Malware, such as key loggers installed on desktop computers or malicious browser plugins, gives fraudsters credentials of consumer or business payment accounts. Stolen credentials allow unauthorized access to online banking systems and thus the ability to initiate fraudulent payments. Privacy laws and regulations require strong security measures over credentials and other personally identifiable information.
+		   - In an extreme form of account takeover, identity theft, fraudsters use a person’s credentials to create a new account under their control. Identity theft often results in large fraud losses because the victim is unaware of transactions on the new account. The U.S. Department of Justice estimated that 1.125 million persons in the United States suffered new account fraud in 2012, totalling several billion in out-ofpocket losses to victims both merchants and consumers.
+		   - Improving the security of home computers would significantly reduce fraud on all forms of payments.
+		     NOT TRUE: "Implementation of security on home requires changing laws concerning liability over damage due to malware and creating institutions to coordinate efforts to prevent and remediate malware."  Most users dont know how to protect their home computer against the plethora of malware that comes in through the browser. 
+			 That malware infects personal computers with key loggers that harvest online banking credentials, which are then used to generate fraudulent wire, check, credit card, bitcoin, or ACH payments.  If the enhanced security is added to the browser all PC's, Mac's, Mobile devices, laptops, and tablets get the enhanced security. A simple hardware token could be used as an unlocking mechanism to protect the sensitive data even after the data has been relayed to fraudsters. Home users are protected from themselves and everyone benefits. Browser enabled security protocols would effect a system-wide approach to payment security and be further enhanced by immediate acceleration of public & private efforts not even related to payments. This will further push payment participants to adopt effective security protocols.
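Review bot: the bullets added from "Studies conducted since 2009 show that hackers are attacking private data ..." onward, and the whole "Financial institution priorities" block, are indented with tab characters while every surrounding bullet uses spaces (this hunk even strips a trailing space from "Current security depends on the security of each element of a network." at the same time), so the list tree renders at uneven depths depending on tab width; convert the new lines to space indentation matching their siblings. Several added lines also carry typos that should be fixed before this lands: "chip-n-pin carts" and "chin&pin" (chip-and-PIN cards), "must be addresses", "A payment and information networks consists", "can attained", "out-ofpocket". The "NOT TRUE: ..." rebuttal under "Improving the security of home computers would significantly reduce fraud on all forms of payments." is an inline editorial comment rather than a requirement; either restate the position as a requirement (for example that browser-level protection and a hardware unlocking token should not depend on changes to liability law) or move the disagreement to a notes section. Finally, the quantitative claims introduced here (identity theft rising "25-50% per year", the DOJ figure of "1.125 million persons" in 2012) have no source attached and should cite the document they came from.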