
Brian Pennington

A blog about Cyber Security & Compliance

Month

February 2013

Survey reveals companies are taking risks whilst outsourcing consumer data

Experian Data Breach Resolution and the Ponemon Institute survey results identify opportunity for improved data oversight.

The study, “Securing Outsourced Consumer Data”, reveals that many organizations (46%) do not evaluate the security and privacy practices of vendors before sharing sensitive or confidential information.

The survey covered almost 750 individuals in organizations that transfer consumer data to third-party vendors. Its aim was to increase understanding of data breach frequency when consumer data is outsourced, to determine what steps are taken to ensure vendors’ data stewardship, and to evaluate privacy and security practices between companies and outsource vendors.

“Many companies have higher standards for their in-house data security practices than they have for vendors that they enlist to hold customer information,” said Michael Bruemmer, vice president at Experian Data Breach Resolution. “The standards should be consistent, because not adhering to the same policies leaves companies vulnerable.”

When sharing sensitive and confidential consumer information, 49% said that they do not monitor or are unsure whether their organization monitors vendor security and privacy practices.

Additional key findings from the survey include:

  • 56% of respondents acknowledged incidents when their organizations did not act on a vendor’s data breach
  • Outsourcing consumer information demands oversight. Survey results indicate that organizations that transfer or share consumer data with vendors experience data breaches more often than not
  • 65% of respondents said their organization had a data breach involving the loss or theft of their organization’s information
  • 64% of respondents reported their organization has experienced more than one data breach
  • Training is essential to protect against data breaches. Causes for data breaches can be reduced significantly through enforcement of policies and effective training
  • 45% of respondents reported negligence as the root cause of third-party data breaches
  • 40% of data breaches were the result of lost or stolen devices
  • Security and control procedures need improvement
  • 56% said their organization learned about a data breach accidentally
  • Only 27% said the organization’s security and control procedures uncovered the incident
  • 23% said the vendor’s security and control procedures alerted the organization to a breach

“It is imperative that businesses and organizations place a priority on evaluating a vendor’s ability to secure sensitive data,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute.

What happens after a data breach?

A report by Solera Networks and Ponemon reveals a rise in security breaches, with organisations taking months to detect and contain them.

The Ponemon report “The Post Breach Boom”, commissioned by Solera Networks, polled 3,529 IT and IT security professionals in eight countries to understand the steps they are taking in the aftermath of malicious and non-malicious data breaches over the past 24 months.

Highlights of the research include:

Data breaches are on the rise and organizations are unprepared to detect them or resolve them:

  • 54% of respondents said data breaches have increased in severity
  • 52% said the frequency had increased

Additionally

  • 63% say that knowing the root causes of breaches strengthens their organization’s security posture
  • 40% say they have the tools, personnel and funding to pinpoint the root causes
  • Breaches remain undiscovered and unresolved for months. On average, it is taking companies nearly three months (80 days) to discover a malicious breach and then more than four months (123 days) to resolve it.
  • Security defences are not preventing a large portion of breaches. One third of malicious breaches are not being caught by any of the companies’ defences; they are instead discovered when companies are notified by a third party (law enforcement, a partner, a customer or another party) or are discovered by accident.
  • 34% of non-malicious breaches are discovered accidentally
  • Malicious breaches are targeting key information assets within organizations. 42% of malicious breaches targeted applications
  • 36% targeted user accounts

Details of Impact and the cost of breaches from the report

  • On average, malicious breaches cost $840,000, significantly more costly than non-malicious data breaches at $470,000.
  • The average cost of a data breach per compromised record is $194
  • However, if the root cause is the result of a malicious insider or attack the average per record cost climbs to $222
  • Breaches attributed to a negligent insider average far less, at $174 per compromised record

For non-malicious breaches, lost reputation, brand value and image were reported as the most serious consequences by participants. For malicious breaches, organizations suffered lost time and productivity followed by loss of reputation.

Following a malicious breach, organizations more often invested in enabling security technologies (65% vs. 42% of respondents). More often they also made changes to their operations and compliance processes to better prevent and detect future breaches (63% vs. 54%).

Endpoint security and encryption tools were the most popular following a non-malicious breach and SIEM and encryption tools were most frequently purchased following a malicious breach. Breaches drive increased spending on data security, according to 61% of respondents. The average increase is 20%.

52% of respondents say the breach resulted in an increase in spending on forensic capabilities. Among those organizations that spent more, the increase was an average of 33%. This represents 13% more than the increase in data security funding.

“Security breaches continue to occupy the headlines on a daily basis, making it clear that there is still much work to be done before companies are prepared for the inevitability of today’s advanced targeted attacks,” said John Vecchi, vice president of marketing, Solera Networks. “In a post-prevention world, organizations must shift their focus toward attaining the real-time visibility, context and big data security analytics needed to see, detect, eradicate and respond to advanced malware and zero-day attacks.”

“Our study confirms that organizations are facing a growing flood of increasingly malicious data breaches, and they don’t have the tools, staff or resources to discover and resolve them,” said Larry Ponemon, chairman and founder, Ponemon Institute. “Meanwhile, months are passing as their key information assets are left exposed. The results demonstrate a clear need for greater and faster visibility as well as a need to know the root cause of the breaches themselves in order to close this persistent window of exposure.”

Big Data Analytics can improve IT Security defences

A new study by the Ponemon Institute, Big Data Analytics in Cyber Defense, confirms that Big Data analytics offers substantial benefits to organisations but adoption is very slow.

The report commissioned by Teradata Corporation contains some interesting results:

  • Cyber-attacks are getting worse but only 20% say their organizations are more effective at stopping them.
  • The greatest areas of cyber security risk are caused by mobility, lack of visibility and multiple global interconnected network systems.
  • 56% are aware of the technologies that provide big data analytics and 61% say they will solve pressing security issues, but only 35% have them. The 61% say big data analytics is in their future.
  • 42% of organizations are vigilant in preventing anomalous and potentially malicious traffic from entering networks or detecting such traffic (49%) in their networks.
  • Big data analytics with security technologies ensure a stronger cyber defense.
  • 82% would like big data analytics combined with anti-virus/anti-malware
  • 80% say anti-DoS/DDoS would make their organizations more secure.

“While data growth and complexity are explosive factors in cyber defense, new big data tools and data management techniques are emerging that can efficiently handle the volume and complexity of IP network data,” said Dr. Larry Ponemon, Chairman and Founder of the Ponemon Institute, a research “think tank” dedicated to advancing privacy and data protection practices. “These new database analytic tools can bring more power and precision to an enterprise cyber defense strategy, and will help organizations rise to meet the demands of complex and large-scale analytic and data environments.”

Many organisations struggle with in-house technology and skill sets

  • 35% say they have big data solutions in place today
  • 51% say they have the in-house analytic personnel or expertise

Big data analytics can bridge the existing gap between technology and people in cyber defense through big data tools and techniques which capture, process and refine network activity data and apply algorithms for near-real-time review of every network node.  A benefit of big data analytics in cyber defense is the ability to more easily recognize patterns of activity that represent network threats for faster response to anomalous activity.

“The Ponemon study is a wakeup call,” said Sam Harris, Director of Enterprise Risk Management, Teradata. “Enterprises must act immediately to add big data capabilities to their cyber defense programs to close the gap between intrusion, detection, compromise and containment. When multi-structured data from many sources is exploited, organizations gain a very effective weapon against cyber-crimes.”

Harris said that in the cyber security realm, effective defense means managing and analyzing unimaginable volumes of network transaction data in near real time. “Many security teams have realized that it is no small feat to quickly sift through all of their network data to identify the 0.1% of data indicating anomalous behavior and potential network threats. Cyber security and network visibility have become a big data problem. Organizations entrusted with personal, sensitive and consequential data need to effectively augment their security systems now or they are putting their companies, clients, customers and citizens at risk.”

How Employees are Putting Your Intellectual Property at Risk

“What’s Yours is Mine: How Employees are Putting Your Intellectual Property at Risk” is a white paper produced by the Ponemon Institute on behalf of Symantec.

The paper reviews the way employees perceive corporate data, and their mindset and motivations for copying data and intellectual property.

Key Findings

  • Employees are moving IP outside the company in all directions
  • When employees change jobs, sensitive business documents often travel with them
  • Employees are not aware they are putting themselves and their companies at risk
  • They attribute ownership of IP to the person who created it
  • Organizations are failing to create a culture of security

Impact on Organizations

According to Ponemon Institute, employees are moving IP outside the company in all directions

  • Over half admit to emailing business documents from their workplace to their personal email accounts
  • 41% say they do it at least once a week
  • 44% also say they download IP to their personally owned tablets or smartphones, leaving confidential information even more vulnerable as it leaves corporate-owned  devices

The data loss continues through employees sharing confidential information in the cloud

  • 37% use file-sharing apps (such as Dropbox or Google Docs) without permission from their employer
  • Worse, the sensitive data is rarely cleaned up; the majority of employees put these files at further risk because they don’t take steps to delete the data after transferring it.

When employees change jobs, sensitive business documents often travel with them. In most cases, the employee is not a malicious insider, but merely negligent or careless about securing IP. However, the consequences remain. The IP theft occurs when an employee takes any confidential information from a former employer

  • Half of the survey respondents say they have taken information
  • 40% say they will use it in their new jobs

This means precious intelligence is also falling into the hands of competitors, causing damage to the losing company and adding risk to the unwitting receiving company.

Understanding Employee Attitudes about IP Theft

The attitudes that emerged from the survey suggest that employees are not aware that they are putting themselves and their employers at risk when they freely share information across multiple media. Most employees do not believe that transferring corporate data to their personal computers, tablets, smartphones, and cloud file-sharing apps is wrong. A third say it is OK as long as the employee does not personally receive economic gain, and about half justified their actions by saying it does not harm the company. Others blamed the companies for not strictly enforcing policies and for not proactively securing the information. These findings suggest that employees do not recognize or acknowledge their role in securing confidential company data.

To shed further insight, over half do not believe that using competitive data taken from a previous employer is a crime. Employees attribute ownership of IP to the person who created it. When given the scenario of a software developer who re-uses source code that he or she created for another company, 42% do not believe it is wrong and believe that a person should have an ownership stake in his or her work and inventions. They believe that the developer has the right to re-use the code even when that developer does not have permission from the company. These findings portray today’s knowledge workers as unaware that intellectual property belongs to the organization.

Recommendations from the paper

Given these findings, what can companies do to minimize risk? We suggest that companies take a multi-pronged approach:

  • Educate employees. Organizations need to let their employees know that taking confidential information is wrong. Employee training and awareness is critical; companies should take steps to ensure that IP theft awareness is a regular and integral part of security awareness training. Create and enforce policies that provide the do’s and don’ts of information use in the workplace and when working remotely. Help employees understand that sensitive information should remain on corporate-owned devices and databases. Make it clear that new employees are not to bring IP from a former employer to your company.
  • Enforce non-disclosure agreements (NDAs). Review existing employment agreements to ensure that they use strong and specific language regarding company IP. Conduct focused conversations during exit interviews with departing employees and have them review the original IP agreement. Include and describe, in checklist form, an overt description of information that may and may not transfer with a departing employee. Make sure all employees are aware that any policy violations will be strictly managed and will affect their jobs. Employment agreements should contain specific language about the employee’s responsibility to safeguard sensitive and confidential information.
  • Implement monitoring technology. Support education and policy initiatives by using monitoring technology to gain insight into where IP is going and how it’s leaving. Deploy data loss prevention software to notify managers and employees in real-time when sensitive information is inappropriately sent, copied, or otherwise inappropriately exposed. Implement a data protection policy that monitors inappropriate access/use of IP and notifies employees of violations, which increases security awareness and deters theft. Leverage technology to learn what IP is leaving your organization and how to prevent it from escaping your network.


RSA’s February Online Fraud Report 2013 including an update on Phishing activity

RSA’s February 2013 Online Fraud Report delivers the results from RSA’s fraud monitoring centre; a summary of the report is below.

Phishing still stands as the top online threat impacting both consumers and the businesses that serve them online. In 2012, there was an average of over 37,000 phishing attacks each month identified by RSA.

The impact of phishing on the global economy has been quite significant: RSA estimates that worldwide losses from phishing attacks cost more than $1.5 billion in 2012, and had the potential to reach over $2 billion if the average uptime of phishing attacks had remained the same as 2011. 

This monthly highlight goes beyond the growing numbers recorded for phishing attacks and looks deeper into the evolution of attack tactics facilitating the sustained increase witnessed over the last year. 

Phishing kits recently analyzed by RSA show another phish tactic increasingly used by phishers. Although this is not entirely new, it is interesting to see it implemented by miscreants planning to evade email filtering security. 

The scheme includes a number of redirections from one website to another. What kit authors typically do in such cases is exploit and take over one legitimate website, hijacking it but not making any changes to it. They will be using this site as a trampoline of sorts, making their victims reach it and then be bounced from there to a second hijacked website: the actual phishing page.

What good can this serve? Simple: the first site is purposely preserved as a “clean” site so that phishers can send it as an unreported/unblocked URL to their victims, inside emails that would not appear suspicious to security filtering. The recipient will then click the link, get to the first (good) URL and be instantly redirected to the malicious one. 

Another similar example is reflected in time-delayed attacks – again, not new, but increasingly used by attackers. This variation uses the same clean site, sends the email spam containing the “good” URL and stalls. The malicious content will only be loaded to the hijacked site a day or two later. These are often weekend attacks, where the spam is sent on a Sunday, clears the email systems, then the malicious content is available on Monday. The same scheme is used for spear phishing and Trojan infection campaigns. 

Research into attack patterns proves that Fridays are a top choice for phishers to send targeted emails to employees – spear phish Friday if you will. Why Friday? When it comes to phishing, phishers make it their business to know their targets as well as possible. It stands to reason that employees may be a little less on guard on the last day of the week, clean their inbox from the week’s emails and browse the Internet more – making them more likely to check out a link they received via email that day. 

Typo squatting is a common way for phishers to try and trick web users into believing they are looking at a legitimate URL and not a look-alike evil twin. The basics of typo squatting are registering a website for phishing and choosing a domain name that is either very similar to the original or visually misleading.

The most common ways of doing this are:

  • Switching letters, as in bnak or bnk for “bank”
  • Adding a letter at the end of the word or doubling in the wrong place, as in Montterrey for “Monterrey”
  • Swapping visually similar letters 

Phishers are creative and may use different schemes to typo squat. This phish tactic can be noticed by keen-eyed readers who actually pay close attention to the URL they are accessing; however, for most individuals on a busy day, typo squatting can end with an inadvertent click on the wrong link. This is especially important today, since fake websites look better than ever and are that much harder to tell apart.
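From the defender's side, the three patterns listed above can be checked mechanically when triaging newly seen domains against a watchlist of protected names. The following is an added example, not code from RSA or from this blog; the confusable-character map, the watchlist and the sample domains are constructed assumptions.

```python
"""Flag look-alike domain labels using the three typo-squatting patterns listed above.

Added example: the confusable map, watchlist and sample domains are constructed.
"""

# Assumed, deliberately small map of visually similar characters (not exhaustive).
CONFUSABLE_PAIRS = [("rn", "m"), ("vv", "w"), ("0", "o"),
                    ("1", "l"), ("i", "l"), ("5", "s")]


def second_level_label(domain):
    """Return the label left of the TLD, e.g. 'bnak' for 'www.bnak.com'.

    Simplification: multi-part suffixes such as .co.uk are not handled.
    """
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def skeleton(label):
    """Collapse visually similar characters so look-alikes compare equal."""
    for lookalike, canonical in CONFUSABLE_PAIRS:
        label = label.replace(lookalike, canonical)
    return label


def _is_adjacent_swap(cand, brand):
    """True when cand is brand with two neighbouring letters switched."""
    if len(cand) != len(brand):
        return False
    diffs = [i for i, (a, b) in enumerate(zip(cand, brand)) if a != b]
    return (len(diffs) == 2 and diffs[1] == diffs[0] + 1
            and cand[diffs[0]] == brand[diffs[1]]
            and cand[diffs[1]] == brand[diffs[0]])


def _removed_index(longer, shorter):
    """Index whose removal turns `longer` into `shorter`, or -1 if none."""
    if len(longer) != len(shorter) + 1:
        return -1
    for i in range(len(longer)):
        if longer[:i] + longer[i + 1:] == shorter:
            return i
    return -1


def classify(candidate, brand):
    """Name the typo-squatting pattern linking candidate to brand, or None."""
    candidate, brand = candidate.lower(), brand.lower()
    if candidate == brand:
        return None  # the genuine name itself is not a look-alike
    if _is_adjacent_swap(candidate, brand):
        return "transposed-letters"          # bnak -> bank
    if _removed_index(brand, candidate) >= 0:
        return "missing-letter"              # bnk -> bank
    i = _removed_index(candidate, brand)
    if i >= 0:
        # A doubled letter is an inserted letter equal to one of its neighbours.
        neighbours = candidate[max(i - 1, 0):i] + candidate[i + 1:i + 2]
        return "doubled-letter" if candidate[i] in neighbours else "added-letter"
    if skeleton(candidate) == skeleton(brand):
        return "look-alike-characters"       # examp1e -> example
    return None


def scan(domains, watchlist):
    """Return (domain, brand, pattern) for every domain resembling a watched name."""
    findings = []
    for domain in domains:
        label = second_level_label(domain)
        for brand in watchlist:
            reason = classify(label, brand)
            if reason:
                findings.append((domain, brand, reason))
    return findings


# Constructed watchlist and sample input (first three taken from the list above).
WATCHLIST = ["bank", "monterrey", "example"]
SAMPLE_DOMAINS = ["bnak.com", "bnk.com", "www.montterrey.com",
                  "examp1e.com", "bank.com", "weather.com"]

if __name__ == "__main__":
    for finding in scan(SAMPLE_DOMAINS, WATCHLIST):
        print(finding)
```

Each check is applied on its own, so a domain that combines two patterns (a swap plus a look-alike character, say) is not flagged by this sketch.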

A quick search engine search for domain iwltter.com immediately revealed that it was registered by someone in Shanghai and already reported for phishing. 

But the notion plays against phishers in other aspects. Typos are one of the oldest tell-tale signs of phishing. You’d think that by now phishers would have learned that their spelling mistakes and clunky syntax impair their success rates, but luckily, they haven’t. This could be in part due to the fact that many kit authors are not native English speakers.

Another phish tactic analyzed by RSA in the recent month came in the shape of a kit that selected its audience from a 3,000 strong pre-loaded list. It may sound like a long list, but it is very limiting in terms of exposure to the phishing attack itself.

This case showed that phishers will use different ways to protect the existing campaign infrastructure they created and make sure strangers, as in security and phish trackers, keep out of their hijacked hostage sites while they gather credentials and ship them out to an entirely different location on the web. 

Water-holing in the phishing context became a tactic employed by attackers looking to reach the more savvy breed of Internet users. Instead of trying to send an email to a security-aware individual, attempting to bypass security implemented in-house and reinventing the phish, water-holing is the simple maneuver of luring the victim out to the field and getting him there. 

A water-hole is thus a website or an online resource that is frequently visited by the target-audience. Compromise that one resource, and you’ve got them all. Clearly fully patched systems will still be rather immune and secured browsers that will not allow the download of any file without express permission from the user will deflect the malware.

Water-holing has been a tactic that managed to compromise users by using an exploit and infecting their machines with a RAT (remote administration tool). This is also the suspected method of infection of servers used for the handling of payment-processing data. Since regular browsing from such resources does not take place on a daily basis, the other possibility of a relatively wide campaign is to infect them through a resource they do reach out to regularly.

Water-holing may require some resources for the initial compromise of the website that will reap the rewards later, but these balance out considering the attacker does not need to know the exact contacts/their email addresses/the type of content they will expect or suspect before going after the targeted organization. 

RSA Conclusion

Although there is not much a phishing page can surprise with, one can’t forget that the actual page is just the attack’s façade. Behind the credential-collecting interface lie increasingly sophisticated kits that record user hits and coordinates, push them from one site to the next, lure them to infection points after robbing their information and always seek the next best way to attack. According to recent RSA research into kits, changes in the code’s makeup and phish tactics come from intent learning of human behavior patterns by logging statistical information about users and then implementing that knowledge into future campaigns.

Phishing Attacks per Month

In January, RSA identified 30,151 attacks launched worldwide, a 2% increase in attack volume from December. Considering historical data, the overall trend in attack numbers in an annual view shows slightly lower attack volumes through the first quarter of the year.

Number of Brands Attacked

In January, 291 brands were targeted in phishing attacks, marking a 13% increase from December.

US Bank Types Attacked

U.S. nationwide banks continue to be the prime target for phishing campaigns – targeted by 70% of the total phishing volume in January. Regional banks’ attack volume remained steady at 15%, while attacks against credit unions increased by 9%.

Top Countries by Attack Volume

The U.S. was targeted by phishing most in January – with 57% of total phishing volume. The UK endured 10%, followed by India and Canada with 4% of attack volume respectively.

Top Countries by Attacked Brands

Brands in the U.S. were most targeted in January; 30% of phishing attacks were targeting U.S. organizations, followed by the UK, which represented 11% of worldwide brands attacked by phishers. Other nations whose brands were most targeted include India, Australia, France and Brazil.

Top Hosting Countries

In January, the U.S. remained the top hosting country, accounting for 52% of global phishing attacks, followed by Canada, Germany, the UK and Colombia which together hosted about one-fifth of phishing attacks in January.

Previous 3 months of RSA Online Fraud Report Summaries:

  • The RSA January 2013 Online Fraud Report Summary here.
  • The RSA December 2012 Online Fraud Report Summary here.
  • The RSA November 2012 Online Fraud Report Summary here.


How the British have changed the way they spend their money over the last decade

The UK Payments Council has published its latest report, The Way We Pay, which brings together all the significant trends over the past decade. It shows how many cash payments are continuing to migrate to debit card, how the debit card has won the day for now, but also how it’s possible to see the end of the road for plastic as the mobile phone could take over our payments arsenal.

Executive Summary

Getting Paid

  • The shift from cash is gathering pace as firms, the state, and pension funds increasingly eliminate cash and cheques from their payments to individuals
  • Now only 9% of adults do not have a current account, and only 4% have no sort of account at all. Use of branches has declined sharply but having an account is the key to accessing all the modern ways to pay

Spending it

  • Cash still makes up the largest proportion of our daily one-off transactions – three in five of our purchases – but they are very small in value
  • Just ten years ago, three quarters of our shop purchases used cash. Now just over half do
  • Debit cards are quickly taking over in lower value transactions
  • Contactless payment is poised to become ever more popular, and will push even more transactions onto plastic
  • We use our credit cards for bigger purchases than debit cards, and we use them less than we used to
  • Cheques are very niche nowadays with usage halving every five years, but remain popular with some groups of people and some organisations. Effectively gone from the high street, we mainly use them for financial transactions
  • Supermarkets now account for over half of our retail spending, up from 46% in 2001 as they have added more and more products and opened stores rapidly
  • Entertainment spending is the big winner. The economy may be gloomy, but we are spending more having fun, and doing more of it on plastic
  • Spending abroad doubled in a decade

Regular Payments

  • Automatic payments (like Direct Debit) are now over three quarters of our regular commitments – up from half in 2001
  • Housing costs have escalated, whether you own or rent
  • Charities have shown great success in a decade of recruiting Direct Debit commitments
  • Flashing less cash, but plastic may quickly lose its place in the sun to more innovative forms of payment, like mobile payments
  • Number of cash machines doubles in decade, as people abandon the bank queue for the hole-in-the-wall
  • But cash is becoming less important to us, particularly by value
  • By value debit cards overtook cash in 2010, even before contactless took off
  • Debit card holding is now 90%, up from 84% in 2001
  • In 2001 debit card spending caught up with credit cards, but now far exceeds them
  • Credit cards matured in the 2000s, and card holding even declined

How businesses do it

  • 98% of businesses are small, with fewer than 20 employees, so the payment needs of firms vary enormously according to their size and complexity
  • Cheque usage is still popular with the smallest firms, but even so, cheque usage by business continues to fall sharply
  • The smallest firms bank more like consumers, and often even use personal accounts
  • Use of Direct Debit among businesses lags behind consumer use. Businesses prefer the flexibility on the timing of payments

The future

  • The use of contactless debit cards is set to increase. Many chains of stores already have point-of-sale devices to accept them, with more retailers planning to come on stream; this will continue to increase consumer awareness
  • The debit card may have had its day. New technology means payment chips are now being embedded in phones, with more innovation to come
  • New entrants may also appear. Smartphones are capable of scanning barcodes, a system which could easily be designed to take a payment from an account at a point-of-sale
  • Paying a friend or business on your mobile as easily as sending a text is set to become a mainstream option in spring 2014, when the Payments Council launches the new mobile payments service. The service will be the first to link up every bank account in the country with a mobile number
  • In future, the wallet may be obsolete altogether as more payments become electronic and our phones become the hub of our financial transactions

Summarised details from the report

Debit cards are currently making gains in sectors previously dominated by cash and are likely to take a greater share as contactless cards reach mass adoption.

  • 28% of our spontaneous transactions are made on a debit card (a rise of 59% over the last five years), with the average transaction size at £42 and falling
  • 56% of debit card purchases are between £10 and £50
  • 91% of all our one-off cash transactions were under £25
  • The contactless payment limit of £20 would allow many cash payments to potentially migrate onto cards. Debit card holding is widespread across all ages and socio-economic groups.

The triumph of the debit card, but has it passed its peak?

The arrival of the debit card in the 1980s, which was billed as the consumers’ alternative to the cheque, also provided customers with an alternative to the credit card. 84% of adults had a debit card in 2001, but they were less widely accepted, and many people still preferred cheques and cash. Spending was still just higher on credit cards (£93 billion) than debit cards (£77 billion) at the turn of the century. The balance tipped in favour of debit cards in 2001. As businesses like pubs, dentists and hairdressers began to accept the cards, thanks partly to the introduction of chip and PIN and to the rapid roll out of hand held point-of-sale devices, usage and card holding took off and the dominance of the debit card was secured.

Credit cards, by contrast, are more commonly used by people drawing higher incomes or in higher social classes. This reflects the fact that they are more able to access credit and pass credit scoring criteria. They also have greater spending power and appetite to accumulate rewards such as Air Miles and cashback through their credit cards. Credit cards account for one in twelve of our spontaneous payments with an average value of £56 per transaction.

Cheques account for just 1% of spontaneous transactions, but have an average value of £375, as they are more likely to be used for high value payments such as financial transfers (see section on cheques for more detail). There is now a quite narrow demographic profile for cheque usage which reflects its diminishing status as a mass payment method. Cheques tend to be favoured by older people who are used to paying that way, the self-employed and families with children who have to pay for childcare and children’s activities.

Between 2005 and 2011 the total value of plastic card spending increased by £179 billion. 91% of this growth was attributable to debit cards. In 2011, debit card spending in the UK amounted to £334 billion from 7.3 billion transactions. This was approximately two and a half times the amount spent on credit cards of £140 billion from 2.1 billion transactions. This represented an increase of 252% on the corresponding amount spent in the year 2001, making this rate of growth three times higher than that recorded for consumer spending over the decade to 2011. In the next decade debit card spending in the UK could close to double, as we forecast £664 billion from 14 billion transactions, with credit card spending projected to be £204 billion from 3.1 billion transactions.

Debit card holding is much more widely spread across the social spectrum than credit cards, with 90% ownership across the adult population in 2011. 98% of AB adults held a debit card compared to 57% of E adults in 2011. For credit cards the figure is 77% v 26% respectively. The wide issuance of debit cards has positive social consequences as it means lower income consumers are able to access the world of e-commerce.

Without the mass adoption of cards the e-commerce industry could never have developed, and self-service in shops and filling stations would be non-existent.

In 2001 online purchases took just 3.3p in every £1 spent on a card. By 2011, that had almost quadrupled to 12.8p in every £1, and the total continues to grow.

Contactless functionality means debit cards can continue to take a greater share of our spending, but in the longer term, the future of the piece of plastic could be impacted by the arrival of mobile payments. The huge success of the debit card has opened the door to new technologies that could even lead to its own demise, or at least heavily impact its use. In the next few years, if card technology gets incorporated into mobile payments, it could become possible to use the physical phone, instead of the physical card, to make a debit card type payment in a shop. If this happens, the debit card as we know it today could become a thing of the past.

The demise of the debit cards is still some way off, as despite having saturated the market, the use of debit cards will continue to grow for the time being. By contrast, the credit card market has already matured and usage has been subdued since 2009. Credit card issuance grew very strongly in the 1990s and 2000s as credit was more easily available.

Credit cards are a very useful tool in our payments arsenal, but they are not the payments of choice for a lot of our day-to-day purchases. They are most useful where a large expense needs to be spread over a longer period, or for the protection offered under section 75 of the Consumer Credit Act 1974, or indeed because a credit card is ring-fenced away from a current account.

Rapid growth in consumer borrowing and the increase in credit card usage in the early 2000s meant that 69.9 million credit cards were in issue by 2005, along with 4.7 million charge cards. Two thirds of adults held a credit card. During the recession a greater focus on the need to borrow and lend responsibly saw consumer attitudes to credit card use change. By 2011, there were 15.4 million fewer credit cards in our wallets, compared to 2005.

Spending on credit cards has increased by just 7.7%, which was well below the cumulative rate of inflation over the period. Last year we spent £140 billion and made 2.1 billion purchases in the UK. During the recession, repayments increased and in 2011 around 60% of cardholders paid off their balance in full each month, up from 54% in 2003.

In terms of business-to-business payments, the trends stay true. Last year, spending on credit cards fell and cardholding was also down by 2.7% compared to 2010, resulting in a total of 1.9 million cards. Interestingly it is larger businesses that are most likely to use credit or charge cards, whereas smaller businesses use debit cards.

The final piece of the cards puzzle is the continued expansion in the usage of prepaid cards. They are already ubiquitous in replacing gift vouchers, but more sophisticated versions are available, for example, for business-to-person disbursements such as payments under reward, loyalty and incentive schemes. The insurance sector is also starting to issue prepaid cards to claimants, for use in a specific retail sector to cover a claim. Another area where these cards are starting to forge ahead is in the travel industry. They seem to have become a more attractive proposition compared with traveller’s cheques as they can be used directly in shops or to withdraw cash, as well as offering competitive rates for fees and charges when used abroad. However, though this market continues to expand, it is still at a slower rate than in 2009. Ultimately it is hard to imagine prepaid cards developing beyond a small niche.

How will we pay for it in the future?

Contactless payment technology began in the UK in 2007, but those living in and around London would have been familiar with the principle, having had the contactless Oyster card since 2003 for using public transport. The London Olympics used its venues as a testing ground for contactless cards. In 2011, all the major UK card schemes (American Express, MasterCard and Visa) began processing contactless payments. By December 2011, six major UK issuers were issuing cards with contactless functionality and the number of these cards reached 23 million, an increase of 75% from the end of 2010. Adoption is still slow, however, as retailers and consumers are yet to embrace the changes in a big way. This will change, but first requires more retailers to roll out more terminals, and banks to issue more cards.

Ironically contactless technology may eventually contribute to us becoming less reliant on a physical piece of plastic, as it can be incorporated into a mobile phone or any other popular item, rendering it a payment tool. Only ten years ago paying for items on your mobile was unthinkable, but now one wonders why it’s not here in a bigger way already. The increasing demand for convenience and accessibility, along with the rising penetration of smartphones has driven the growth in mobile payment. The bold prediction made by PayPal that by 2016 people will no longer need to take a wallet with them shopping may be premature but nevertheless at some point we may be leaving the house just asking ourselves ‘keys, phone?’ KPMG expect mobile payments to be mainstream within the next 2-4 years, while Visa, which recently released its digital wallet V.me in November 2012, expects half of all payments to be made through mobile devices by 2020.

New entrants are muscling in to help us pay in shops. Google Wallet which launched in the US last year has already agreed deals with 25 national retailers to support the system through MasterCard’s PayPass programme. Google’s rival, Apple has yet to launch a competing system, but with such a huge, loyal customer base, well used to making many small transactions through iTunes all the time, it will surely not be far off. Microsoft has already announced that there will be a wallet feature on the Windows Mobile 8 operating system. Three of the big telecoms operators, Verizon, T-Mobile and AT&T are developing a service known as Iris.

For tradesmen on the move, new hardware is also on the market. Payment method Square, a mobile app and phone attachment which serves as its own cash register, has been created by one of the founders of Twitter and is in use in the US. This sort of kit will reduce the reliance among mobile tradesmen on cash and cheques. O2 UK also launched a new service that enables retailers to accept card payments on a smartphone or tablet by using a special keypad that connects via Bluetooth. A free app then manages the card transaction and sends a receipt.

For moving our money around, Barclays already offers a mobile payment service (Pingit). Anyone with a mobile phone can sign up with Barclays to receive payments through Pingit, but only Barclays customers can send payments. A similar service has also been launched by phone provider O2, with customers able to transfer up to £500 via text message. Similarly, PayPal has also recently launched an app in the UK that allows users to pay for items with their mobile phones across a number.

In addition to all these competitive offerings in the collaborative space, the Payments Council is developing the industry-wide, central service that will make it possible to send or receive a payment using just a mobile number, no matter who you bank with. The new service could be a handy way to split a bill for dinner or pay a tradesman without needing to know their account details. Payments made using the service will be protected by a passcode or similar security feature, and arrive almost instantly.

Internationally, consumers have been quicker to take up mobile payments in Asia than in the West. In France McDonald’s is currently testing a mobile payment method arranged with PayPal. With over 30,000 restaurants worldwide, a McDonald’s deal would represent a larger business and cultural footprint for PayPal than perhaps any other mobile payment system in operation. In Africa payments technology is leapfrogging the developed world. Starting with few branch networks, fixed line telecoms and low card or bank account holding, banking is going straight to consumers’ mobiles. Since 2007, Kenya has been using a system called M-Pesa which allows mobile money transfer through a text message, with over 50% of the population already using this service. The Payments Council’s mobile payments database will make payment by mobile a possibility for the UK too, but it will be developed using existing payment systems, such as the Faster Payments Service or the Link network.

Worldwide the UK presents a key growth area in the uptake of mobile payment. Businesses should be planning now or risk falling behind consumer demand. From a consumer perspective, in terms of making purchases using our phones, the number of devices and potential new options on offer at the moment can be confusing as people still grapple with all the commercial developments. Whilst the future may be unclear, it is exciting, and it will bring convenience and choice far greater than we have known until now. Ultimately only a handful of providers and products will create the winning proposition. Undeniably these new technologies will transform the way we manage our finances and the way we pay over the next decade.

Adrian Kamellard, chief executive of the Payments Council, says: “We scarcely notice the steady changes in the way we pay, yet someone in their thirties today will see more change in their lifetime than in the entire history of money. Even recent innovations such as payment via a mobile phone, which ten years ago some felt to be science fiction, will soon be commonplace. The 2000s were the decade of the debit card. The 2010s are likely to be the decade of the mobile phone. Just as we can’t imagine how we ever did without the internet, many people will soon wonder how we used to be so dependent on cash and cheque. Twenty years from now even cards may seem archaic.”

He adds: “The quiet revolution in payments has enabled the creation of whole new industries such as e-shopping, it has changed our behaviour, and it has reduced transaction costs, and increased the speed and efficiency with which we can all pay each other. The next ten years will see even faster change. It’s easy to imagine a future where we merely pat our pockets for our keys and phone. The wallet could become a historical curiosity.”

View the Payments Council Press Release here.


More Than 12 Million Identity Fraud Victims in 2012, study finds

Javelin Strategy & Research have released their 2013 Identity Fraud Report with some startling results, the scariest being “one in four consumers who receive a data breach letter will become the victim of identity fraud.”

This means the days when a breached organisation would try to keep a breach quiet, in the hope that it would go away, have gone, because the odds are far too high to ignore the financial impacts that follow identity theft.

“This past year was one where there were both successes and setbacks for consumers, institutions and fraudsters,” said Jim Van Dyke, CEO of Javelin Strategy & Research, in a prepared statement. “Consumers and institutions are now starting to act as partners detecting and stopping fraud faster than ever before. But fraudsters are acting quicker than ever before and victimizing more consumers. Consumers must take data breach notifications more seriously and maintain vigilance to safeguard personal information, especially Social Security numbers.”

Key findings from the study include:

–  $21 billion was stolen in 2012. Higher than in recent years but considerably lower than the $47 billion in 2004

–  Almost 1 in 4 consumers who received a breach notification letter became a victim of identity fraud.

This underscores the need for consumers to take all notifications seriously. Not all breaches are created equal. The study found consumers who had their Social Security number compromised in a data breach were 5 times more likely to be a fraud victim than an average consumer

–  The stolen information was misused for a variety of fraud types, for example credit cards, loans and mobile phone bills, and was misused for an average of 48 days during 2012, which is down from 55 days in 2011 and 95 days in 2010.

More than 50% of victims were actively detecting fraud using financial alerts, credit monitoring or identity protection services and by monitoring their account

–  15% of all fraud victims changed their online behavior and avoid smaller merchants

While credit card numbers remain the most popular item revealed in a data breach, in reality other information can be more useful to fraudsters. Personal information such as online banking login, username and password were compromised in 10% of incidents and 16% of incidents included Social Security numbers

It’s not just online fraud or data breaches. More than 1.5 million consumers were victims of familiar fraud, which is fraud when victims know the fraudster. Lower income consumers were more likely to be victims of familiar fraud. The information most likely to be taken via familiar fraud includes name, Social Security number, address and checking account numbers

Javelin have produced some guidance for consumers called the “Seven Safety Tips to Protect Consumers”

Javelin Strategy & Research recommends that consumers work in partnership with institutions to minimize their risk and impact of identity fraud by following a three-step approach: Prevention, Detection and Resolution™.

Prevention

1. Keep personal data private—Secure your personal and financial records behind a password or in a locked storage device whether at home, at work and on your mobile device. Familiar fraud is a serious issue with 12 percent of fraud victims knowing the perpetrator personally. Other ways to secure information include: not mailing checks to pay bills, shredding documents, monitoring your accounts weekly, and protecting your computer and mobile device with updated security software. Use a trusted and secure Internet connection (not a public Wi-Fi hotspot) when transmitting personal or financial information, and direct deposit payroll checks.

2. Look for security features—When paying online be sure you have a secure connection. Two ways you can denote a secure connection are to look for “https” and not just http at the start of the merchant’s web address or a bright green box and padlock graphic in the address bar of most browsers. Check for either one of these before entering personal or payment information.

3. Think before you share—Before providing any sensitive information, question who is asking for the information. Why do they need it? How is the information being used? Do not provide the information if you are unsure about the legitimacy of the request. Be careful when clicking on links that then take you to a page asking for personal information. If an organization asks you for your Social Security number to validate your identity, request another question.

Detection

4. Be Proactive—There are many different levels of identity theft protection and consumers should work in partnership with institutions on identity theft prevention. By setting up alerts that can be sent via e-mail and to a mobile device and monitoring accounts online at bank and credit card websites, consumers can take a more proactive role in detecting identity fraud and stopping misuse. In 2012, 50 percent of fraud was first detected by the victims.

5. Enlist others—There are a wide array of services available to consumers who want extra protection and peace of mind including payment transaction alerts, credit monitoring, credit report fraud alerts, credit freezes and database scanning. 3 out of every 5 identity fraud victims did not know the source of their fraud, but many services will now provide alerts directly to a consumer’s smartphone. Some services can be obtained for a fee and others at no cost to the consumers who are victims of a data breach. These services can monitor credit reports, public records and online activity for signs of fraudulent use of personal information.

Resolution

6. Take any data breach notification seriously—If you receive a data breach notification, take it very seriously as you are at a much higher risk according to the 2013 Identity Fraud Report. If you receive an offer from your financial institution or retailer for a free monitoring service after a breach, you should take advantage of the offer, closely monitor your accounts and put a fraud alert on your credit report.

7. Don’t wait. Report problems immediately—If you suspect or uncover fraud, contact your bank, credit union, wireless provider or protection services provider to take advantage of resolution services, loss protections and methods to secure your accounts. A fast response can enhance the likelihood that losses are reduced, and law enforcement can pursue fraudsters so they experience consequences for their actions.


Mobile phone users are not concerned with security until there is a breach and then they blame their provider

Crossbeam Systems have released research into mobile phone users’ opinions on security.

The most revealing finding was that compromised security, rather than high monthly fees, would be the biggest reason for UK smartphone users to change mobile network providers.

The independent blind survey of 1,076 UK adult smartphone users and bill payers examined:

  • usage habits
  • the importance of mobile security and data services
  • purchasing considerations
  • what would motivate them to switch providers

A summary of the survey results is below:

  • 75.6% of those surveyed would change mobile providers if their current, operator-supplied smartphone was compromised by hackers, malware or other security failure
  • 79% of the 648 women surveyed stated they would change networks if their smartphone fell victim to a security issue
  • 70% of the 428 men surveyed would also change networks following a security incident
  • 56% of global respondents don’t know if their mobile network provider has measures in place to secure their smartphone
  • 35.7% of respondents were aware that their smartphone contained applications that stored or had access to financial information such as PayPal, retail apps with saved card payment information and mobile banking apps, and that third parties accessing these would be a concern
  • 52.9% would be scared of other people having “Access to my personal information, such as passwords and credit card details”
  • 5.8% said a lack of security would drive them away from their current network provider

If your smartphone was hacked by a criminal whose fault would it be?

  • 37.5% My mobile network provider (Vodafone, O2 etc.)
  • 31.6% Mine
  • 17.9% My smartphone manufacturer (Apple, Samsung, HTC, etc.)
  • 12.9% Other (please specify)

“Smartphone users, like most people, don’t think about the security of their devices until they’ve been hacked. This may be misleading mobile network operators to focus less of their attention on customer security and underestimate the risk it creates,” said Peter Doggart of Crossbeam.

The good news is 53 percent of global respondents expressed a willingness to pay their network provider additional fees to help improve security.

Card Not Present (CNP) Fraud Falls 57% Since 2010

FICO, a provider of analytics and decision management technology, has released data showing that card issuers using their FICO® Falcon® Fraud Manager have dramatically cut card-not-present (CNP) fraud losses from credit cards over the last two years, from £28 million in April 2010 to less than £12 million in March 2012.

CNP fraud, which includes illegitimate online, mail order and phone transactions, is the most prevalent type of card fraud, accounting for about three-quarters of card fraud in the FICO® Falcon® Fraud Consortium for Europe, which includes 44 million active credit cards. 

“CNP fraud is now the top focus for card fraud across the region, as issuers look for new technology and best practices to stop the most widespread form of card fraud,” said Martin Warwick, FICO’s Fraud Chief in Europe, the Middle East and Africa. 

“FICO’s advanced fraud technology is enabling users to outperform the market. For comparison, industry-wide figures from Euromonitor show only modest declines in CNP fraud from 2010 to 2011, with the largest fall at just 6 percent in the UK.”

Card Not Present fraud was behind:

  • 72% of all accounts victimised by fraud
  • 74% of all card fraud losses in the FICO Falcon Fraud Consortium
  • This was higher than in last year’s data, where the figures were 69% and 72%, respectively

“Criminals are migrating to the easiest way of using compromised cards, which today is the internet,” said Warwick. “For example, fraud as a percentage of internet sales in the UK is 22 basis points (0.22 percent), which is double the rate for credit card transactions overall. In addition, 3D Secure protocols are moving the liability on losses from the retailer to the issuer.

“This puts great pressure on card issuers to resolve the CNP fraud problem, and it’s why issuers are looking at new capabilities in FICO Falcon, such as merchant profiling. As shown in the fraud map of Europe we released last year, countries with the strongest fraud detection systems have reduced fraud relative to countries that are lagging on the technology adoption curve.”

During the analysis window, April 2010 to March 2012, only about 1% of cards studied were victimised by fraud, according to FICO.

FICO’s data comes from card issuers in Germany, the UK, Ireland, the Netherlands, Poland and Switzerland.


Nursing and Midwifery Council fined for breaching the Data Protection Act

The Information Commissioner’s Office has issued a £150,000 fine to the Nursing and Midwifery Council for breaching the Data Protection Act.

The Nursing and Midwifery Council lost three DVDs related to a nurse’s misconduct hearing, which contained confidential personal information and evidence from two vulnerable children.

In October 2011 the DVDs, containing confidential information, were sent to a misconduct hearing via a courier. When the package arrived at the hearing the DVDs were missing, and they have never been found.

An investigation by the ICO found that the information was not encrypted.

David Smith, Deputy Commissioner and Director of Data Protection, said:

It would be nice to think that data breaches of this type are rare, but we’re seeing incidents of personal data being mishandled again and again. While many organisations are aware of the need to keep sensitive paper records secure, they forget that personal data comes in many forms, including audio and video images, all of which must be adequately protected. 

I would urge organisations to take the time today to check their policy on how personal information is handled. Is the policy robust? Does it cover audio and video files containing personal information? And is it being followed in every case? 

If the answer to any of those questions is no, then the organisation risks a data breach that damages public trust and a possible weighty monetary penalty.

The council had been couriering evidence relating to a ‘fitness to practise’ case to the hearing venue. When the packages were received the discs were not present, though the packages showed no signs of tampering. Following the security breach the council carried out extensive searches to find the DVDs, but they’ve never been recovered. 

The Nursing and Midwifery Council’s underlying failure to ensure these discs were encrypted placed sensitive personal information at unnecessary risk. No policy appeared to exist on how the discs should be handled, and so no thought was given as to whether they should be encrypted before being couriered. Had that simple step been taken, the information would have remained secure and we would not have had to issue this penalty.


PCI SSC releases guidance for merchants on mobile payment acceptance security

The PCI SSC has published the PCI Mobile Payment Acceptance Security Guidelines for Merchants as End-Users.

The guidance educates merchants on the factors and risks that need to be addressed in order to protect card data when using mobile devices, such as smart phones and tablets, to accept payments.

Juniper Research predicts mobile transactions will hit $1.3 trillion worldwide by 2015, four times what it is today, as more and more businesses turn to consumer electronic handheld devices (e.g. smart phones, tablets or PDAs) for payment acceptance. As these devices are not solely used as point of sale tools but also to carry out other functions, they introduce new security risks. By design, almost any mobile application could access account data stored in or passing through the mobile device.

The new guidance for merchants focuses on these scenarios and specifically the payment software that operates on these devices. The PCI Mobile Payment Acceptance Security Guidelines for Merchants as End-Users leverages industry best practices to educate merchants on what is needed to isolate and prevent card data from exposure.

“Even with rapid adoption of mobile technology in payments, security still tops concerns for merchants. It comes down to the basic element of trust. Consumers want to have confidence that their information is protected – whether at their favorite restaurant, shopping online or making a purchase using a mobile device in lieu of a traditional POS. Currently, it is challenging to demonstrate a high level of confidence in the security of sensitive financial data in devices that were designed for other consumer purposes. Which is why we encourage merchants to consider encrypting cardholder data securely prior to using mobile devices to process transactions,” said Troy Leach, chief technology officer, PCI Security Standards Council.

The guidance goes hand-in-hand with recommendations the Council published in September 2012 for mobile app developers and device vendors on designing appropriate security controls that provide secure mobile payment acceptance solutions for merchants.

Added Leach, “When considering mobile payment acceptance, merchants need to go in with their eyes open. And that’s what the intent of this guidance is, to help merchants understand the risks so that together with developers and device vendors they can safely implement a solution that will enable mobile commerce to flourish.”

The PCI Mobile Payment Acceptance Security Guidelines recognize payment security as a shared responsibility. By providing a high level introduction and overview of the mobile payments space and the security risks of mobile devices, the document outlines the unique, complex and evolving mobile environment that underscores the need for all parties in the payment chain to work together to ensure mobile acceptance solutions are deployed securely.

The guidance is organized around the following key areas and objectives:

  1. Objectives and Guidance for the Security of a Payment Transaction – addresses the three main risks associated with mobile payment transactions: account data entering the device, account data residing in the device, and account data leaving the device
  2. Guidelines for Securing the Mobile Device – provides recommended measures for merchants regarding the physical and logical security of mobile devices used for payment acceptance
  3. Guidelines for Securing the Payment Acceptance Solution – provides guidance for the different components of the payment acceptance solution; including the hardware, software, the use of the payment acceptance solution, and the relationship with the customer

For a link to the full document please use my PCI Resources page here.


Securing Patient data has improved massively but still has work to do

In its recent Winter 2013 Newsletter, Experian released the details of the fifth annual Healthcare Information and Management Systems Society (HIMSS) survey, which they sponsored.

The survey found many areas of improvement and highlighted them in the infographic below:

[Infographic: The security of patient data in a virtual universe]

Key highlights from the HIMSS study include:

  • Only 38% of the respondents encrypt mobile devices, such as smartphones and tablets, which is worrisome considering their rising use. In fact, there are currently 1.1 billion global smartphone subscribers, representing a 42% year over year growth rate. In addition, there’s been a 29% increase in tablet or e-reader users since 2009.
  • Only 43% of respondents test their data response plans, meaning they don’t know whether their plans work. Organisations should review their response plans regularly and conduct practice runs at least once per year. It’s also a good idea to update the contact list of your response team quarterly and redistribute it.
  • 64% of this year’s respondents encrypt emails, compared to 55% in 2008.
  • Two-thirds conduct a risk analysis at least once per year, compared to 54% in 2008
  • Nearly 25% of the respondents sustained a data breach in the past year alone
  • The high number of breaches has caused 21 million American patients to have their healthcare records exposed to date
  • 90% of the respondents (hospitals) in a recent study indicated that they conduct formal risk analyses


PCI SSC releases PCI DSS Cloud Computing Guidelines

The PCI Security Standards Council has published the PCI DSS Cloud Computing Guidelines Information Supplement, a product of the Cloud Special Interest Group (SIG).

The guide is an excellent introduction to the “cloud” and offers specific and helpful guidance on what to consider when processing payments involving the cloud as well as the storage of sensitive data.

“One of cloud computing’s biggest strengths is its shared-responsibility model. However, this shared model can magnify the difficulties of architecting a secure computing environment,” said Chris Brenton, a PCI Cloud SIG contributor and director of security for CloudPassage. “One of this supplement’s greatest achievements is that it clearly defines the security responsibilities of the cloud provider and the cloud customer. With PCI DSS as the foundation, this guidance provides an excellent roadmap to crafting a secure posture in both private and public cloud.”

The PCI DSS Cloud Computing Guidelines Information Supplement builds on the work of the 2011 Virtualization SIG, while leveraging other industry standards to provide guidance around the following primary areas and objectives:

  • Cloud Overview – provides explanation of common deployment and service models for cloud environments, including how implementations may vary within the different types.
  • Cloud Provider/Cloud Customer Relationships– outlines different roles and responsibilities across the different cloud models and guidance on how to determine and document these responsibilities.
  • PCI DSS Considerations – provides guidance and examples to help determine responsibilities for individual PCI DSS requirements, and includes segmentation and scoping considerations.
  • PCI DSS Compliance Challenges– describes some of the challenges associated with validating PCI DSS compliance in a cloud environment.

The document also includes a number of appendices to address specific PCI DSS requirements and implementation scenarios, including: additional considerations to help determine PCI DSS responsibilities across different cloud service models; sample system inventory for cloud computing environments; sample matrix for documenting how PCI DSS responsibilities are assigned between cloud provider and client; and a starting set of questions that can help in determining how PCI DSS requirements can be met in a particular cloud environment.

Merchants who use or are considering use of cloud technologies in their cardholder data environment and any third-party service providers that provide cloud services or cloud products for merchants can benefit from this guidance. This document may also be of value for assessors reviewing cloud environments as part of a PCI DSS assessment.

“At the Council, we always talk about payment security as a shared responsibility. And cloud is by nature shared, which means that it’s increasingly important for all parties involved to understand their responsibility when it comes to protecting this data,” said Bob Russo, general manager, PCI Security Standards Council. “It’s great to see this guidance come to fruition, and we’re excited to get it into the hands of merchants and other organizations looking to take advantage of cloud technology in a secure manner.”

For a link to the full document please use my PCI Resources page here.

PCI SSC releases its PCI DSS E-commerce Security Guidelines

Hot on the heels of the ATM Guidelines, the PCI SSC has released the PCI DSS E-commerce Guidelines Information Supplement.

The guidelines are designed to help e-commerce merchants decide which technologies and third-party service providers to choose.

The e-commerce Special Interest Groups (SIGs) helped put the guidelines together, using their knowledge of the marketplace to produce an industry-specific document.

“Take SQL injections as an example. This is not a new attack, and something we’ve known about in the industry for years. Yet it continues to be one of the most common methods by which e-commerce websites are compromised,” said Bob Russo, general manager, PCI Security Standards Council. “This can be addressed through simple, prudent coding practices, but merchants often don’t know where to start. These guidelines will help them better understand their responsibilities and the kinds of questions they need to ask of their service providers. In the case of SQL injections, one of the most important items to request of an e-commerce service provider is a description of the security controls and methods it has in place to protect websites against these vulnerabilities.”

The PCI DSS E-commerce Guidelines Information Supplement provides an introduction to e-commerce security and guidance around the following primary areas and objectives: 

  • E-commerce Overview – provides merchants and third parties with explanation of typical e-commerce components and common implementations and outlines high-level PCI DSS scoping guidance to be considered for each.
  • Common Vulnerabilities in E-commerce Environments – educates merchants on vulnerabilities often found in web applications (such as e-commerce shopping carts) so they can emphasize security when developing or choosing e-commerce software and services.
  • Recommendations – provides merchants with best practices to secure their e-commerce environments, as well as list of recommended industry and PCI SSC resources to leverage in e-commerce security efforts.

The document also includes two appendices to address specific PCI DSS requirements and implementation scenarios:

  1. PCI DSS Guidance for E-commerce Environments – provides high-level e-commerce guidance that corresponds to the main categories of PCI DSS requirements; includes chart to help organizations identify and document which PCI DSS responsibilities are those of the merchant and which are the responsibility of any e-commerce payment processor.
  2. Merchant and Third-Party PCI DSS Responsibilities – for outsourced or “hybrid” e-commerce environments, includes sample checklist that merchants can use to identify which party is responsible for compliance and specify the details on the evidence of compliance.

“E-commerce continues to be a target for attacks on card data, especially with EMV technology helping drive so much of the face-to-face fraud down in Europe and other parts of the world,” said Jeremy King, European director, PCI Security Standards Council. “We are pleased with this guidance that will help merchants and others better understand how to secure this critical environment using the PCI Standards.”

For a link to the full document please use my PCI Resources page here.
