Brian Pennington

A blog about Cyber Security & Compliance

Merchant sues VISA. Biting the hand that feeds you?

I know that if there were no merchants there would be no credit card companies, and I know that the “alternative” payments market is growing, with the likes of PayPal and V.me, but at this time it is fair to say that consumers still favour credit cards when it comes to online payments.

This is why, when I read about a merchant suing a credit card company, I was surprised. Not surprised that VISA had fined a merchant, not surprised that a merchant was upset at being fined, but surprised that it had got to court, because that means the normal, reasonable commercial communication channels had failed.

On 7 March, sports retailer Genesco filed a lawsuit against Visa to recover nearly $13.3 million in fines that the credit card company issued in January 2013 following a breach of the retailer’s systems.

The lawsuit argues that

  • Visa is not allowed to require other companies to pay penalties, citing Visa’s own operating regulations and California law.
  • Genesco was never out of compliance with PCI DSS, and so it should not have been fined.

In December 2010 Genesco confirmed that a breach had happened within its credit card processing environment, and speculation at the time was that the hackers used a packet sniffer to siphon card data as it passed through the network.

The initial VISA fines of $5,000, issued via each of Genesco’s two banks in June 2011, are a standard charge; depending on your location it will be 5,000 of the local currency, for example $5,000, €5,000 or £5,000.

Irrespective of the currency, the 5,000 fine is nothing more than a formal acknowledgement that the merchant is non-compliant with PCI DSS, or was at the time.

If a merchant has never successfully completed an audit or Self-Assessment Questionnaire (SAQ) then they are non-compliant; bearing in mind that the standard was issued almost 8 years ago, I think it is about time they were compliant.

However, in the case of a merchant who was successfully audited but then had a breach or failed to maintain the standard, it is not so black and white.

Merchant who suffers a Data Breach

A data breach at a PCI DSS compliant merchant is normally discovered by the clever algorithms used by the card schemes, which use patterns of fraudulent activity to find the centre of the breach. Once the merchant at the centre of the breach is established, they are required to undertake data forensics by an approved forensic company, which, using extensive skills and tools, will establish how the credit card data was stolen, for example via packet sniffing. The forensic report is shared between the affected parties: the merchant, the bank and the credit card companies.
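The card schemes’ breach-location step described above is usually called common point of purchase analysis. The following is an added illustration of that idea, not the author’s code and not any card scheme’s actual algorithm; the merchant names, card ids, dates and the compromised-card list are all constructed for the example.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data (not real card data): (card id, merchant, transaction date).
# Four of the six cards later turn up in fraud reports; two do not.
TRANSACTIONS = [
    ("card01", "GroceryCo", date(2010, 10, 1)),
    ("card02", "GroceryCo", date(2010, 10, 2)),
    ("card03", "GroceryCo", date(2010, 10, 3)),
    ("card04", "GroceryCo", date(2010, 10, 4)),
    ("card05", "GroceryCo", date(2010, 10, 5)),
    ("card06", "GroceryCo", date(2010, 10, 6)),
    ("card01", "ShoeShop", date(2010, 11, 12)),
    ("card02", "ShoeShop", date(2010, 11, 15)),
    ("card03", "ShoeShop", date(2010, 11, 20)),
    ("card04", "ShoeShop", date(2010, 11, 28)),
    ("card01", "CoffeeBar", date(2010, 11, 2)),
    ("card05", "CoffeeBar", date(2010, 11, 3)),
    ("card06", "CoffeeBar", date(2010, 11, 4)),
]

# Cards the issuers have confirmed as used fraudulently (constructed).
COMPROMISED = {"card01", "card02", "card03", "card04"}


def common_point_of_purchase(transactions, compromised, min_cards=3):
    """Rank merchants by how well they explain the set of compromised cards.

    coverage = share of the compromised cards that transacted at the merchant
    purity   = share of the merchant's cards that are compromised
    A merchant every card uses (GroceryCo) gets full coverage but low purity;
    the real breach point scores high on both.
    """
    cards_at = defaultdict(set)      # merchant -> set of card ids seen there
    first_seen = defaultdict(dict)   # merchant -> card id -> earliest date
    for card, merchant, when in transactions:
        cards_at[merchant].add(card)
        earliest = first_seen[merchant].get(card)
        if earliest is None or when < earliest:
            first_seen[merchant][card] = when

    results = []
    for merchant, cards in cards_at.items():
        hits = cards & compromised
        if len(hits) < min_cards:    # too few compromised cards to be a real signal
            continue
        coverage = len(hits) / len(compromised)
        purity = len(hits) / len(cards)
        results.append({
            "merchant": merchant,
            "hits": len(hits),
            "coverage": coverage,
            "purity": purity,
            "score": coverage * purity,
            # earliest visit by a compromised card: a lower bound on the exposure window
            "window_start": min(first_seen[merchant][c] for c in hits),
        })
    results.sort(key=lambda r: r["score"], reverse=True)
    return results


if __name__ == "__main__":
    for r in common_point_of_purchase(TRANSACTIONS, COMPROMISED):
        print(f"{r['merchant']:<10} hits={r['hits']} coverage={r['coverage']:.2f} "
              f"purity={r['purity']:.2f} score={r['score']:.2f} "
              f"exposure from {r['window_start']}")
```

On the sample data ShoeShop ranks first with a perfect score, while GroceryCo, used by every card, is pulled down by its purity; the forensic investigation the author describes would then start from the ShoeShop exposure window.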

The results of the forensic investigation may or may not show that the merchant had been compliant with the standard at the time of the breach. It is reasonable to assume that the bad guys installed software on, or broke into, Genesco’s systems; almost all scenarios for such a break-in are covered by the PCI DSS, so the company could not have been taking adequate steps and was by definition not adhering to the requirements of the standard, which means it was not compliant.

Merchant who fails to maintain the standard

It is very difficult to find a merchant who has failed to maintain the required standard unless

  • There is a breach
  • There is a whistle blower
  • A customer or someone similar notices practices that do not appear secure

At this point the merchant will be required to prove they are still abiding by the standard, which may take the form of a forensic investigation, an audit, a letter from their QSA or a letter from their directors.

The non-compliance fine is not the biggest problem for Genesco; it is the $13.3 million fine levied by VISA via Genesco’s two banks (Wells Fargo $12 million and Fifth Third $1.3 million) for the costs incurred by VISA whilst resolving the breach, e.g. credit card replacement, fraud cover, etc.

“Visa’s imposition of the (fines) is a violation of Visa’s contract (with the banks), because at the time of the intrusion and all other relevant times, Genesco was in compliance with the PCI-DSS requirements,” the lawsuit stated. It added later,

“Visa does not even pretend that the Non-Compliance Fines represent actual damages that Visa incurred by reason of the Acquiring Banks’ alleged failure to cause Genesco to maintain compliance with the PCI-DSS requirements”

The interesting thing for me is the nature of the way merchants use VISA, MasterCard and the other credit card providers. The credit card company provides the facilities for the merchant’s (retailer’s) customers to buy from them in a secure and efficient way. Merchants pay a percentage of each transaction to cover the costs (and profits) of the credit card companies, and this percentage is agreed in a contract, the same commercial contract that sets out the other terms and conditions, including the security required to perform the transaction.

To avoid confusion and rogue traders, the credit card companies created the Payment Card Industry Security Standards Council, which took the best security practices from the five credit card company members to create the Data Security Standard (PCI DSS).

This standard is an extension of the contract, as are the agreements for fees.

However, because the cost of a data breach can never be known until it has occurred, it is impossible to quantify the cost of a breach in a contract. This is where I have a great deal of sympathy for merchants: they are agreeing to fines but have no idea how much they are going to be, or could be.

I remember a meeting with several of the card companies where the discussion centred on repeat offenders, i.e. merchants who kept being breached or who refused to become compliant with PCI DSS. Whilst fines were mentioned, it was agreed that merchants might be tempted to absorb small fines if that was cheaper than achieving the required security standard, and then the ultimate sanction was raised… STOPPING THEM FROM TAKING CREDIT CARD PAYMENTS.

What a sanction that is, because for almost all e-commerce businesses and most consumer-driven businesses that would mean going out of business in a matter of weeks, or possibly months.

As a consumer, all I care about is being safe from the costs of fraudulent activity against my stolen credit card. Increasingly, though, we as consumers are worried about the threat to our identity, and when credit card details are leaked we expect to be covered for all identity-based threats resulting from the possible loss of data. That increases the cost to the breached company, possibly via the credit card company.

I have a huge amount of sympathy for Genesco and every other merchant affected by a breach, because they do not know what the possible cost to them will be. They cannot take out cyber-insurance against a specific amount “just in case”; they have to hope that the loss to the credit card company is not too great.

That is not a great way for a merchant to mitigate its risk, and it cannot benefit the card companies, who want prosperous and secure merchants to help them grow their profits.

The solution is simple: the credit card companies have to introduce and publish a schedule of fines from which a merchant can calculate its risk.

If a merchant knows, based on its transaction rate, that it could be liable for fines of $13.3 million, then it can invest greater resources in breach prevention or seek insurance against the cost of a breach; either way it can make an informed risk assessment.

Similarly, if merchants who have not yet completed their PCI DSS compliance process know they could be fined for non-compliance PLUS X or Y for a breach, they will very quickly run a risk assessment.

Let’s hope a result of this action is a clearer picture on fines, because clarity in business and risk is essential.


How the British have changed the way they spend their money over the last decade

The UK Payments Council has published its latest report, The Way We Pay, which brings together all the significant trends over the past decade. It shows how cash payments are continuing to migrate to debit card, how the debit card has won the day for now, but also how it’s possible to see the end of the road for plastic, as the mobile phone could take over our payments arsenal.

Executive Summary

Getting Paid

  • The shift from cash is gathering pace as firms, the state, and pension funds increasingly eliminate cash and cheques from their payments to individuals
  • Now only 9% of adults do not have a current account, and only 4% have no sort of account at all. Use of branches has declined sharply but having an account is the key to accessing all the modern ways to pay

Spending it

  • Cash still makes up the largest proportion of our daily one-off transactions – three in five of our purchases – but they are very small in value
  • Just ten years ago, three quarters of our shop purchases used cash. Now just over half do
  • Debit cards are quickly taking over in lower value transactions
  • Contactless payment is poised to become ever more popular, and will push even more transactions onto plastic
  • We use our credit cards for bigger purchases than debit cards, and we use them less than we used to
  • Cheques are very niche nowadays with usage halving every five years, but remain popular with some groups of people and some organisations. Effectively gone from the high street, we mainly use them for financial transactions
  • Supermarkets now account for over half of our retail spending, up from 46% in 2001 as they have added more and more products and opened stores rapidly
  • Entertainment spending is the big winner. The economy may be gloomy, but we are spending more having fun, and doing more of it on plastic
  • Spending abroad doubled in a decade

Regular Payments

  • Automatic payments (like Direct Debit) are now over three quarters of our regular commitments – up from half in 2001
  • Housing costs have escalated, whether you own or rent
  • Charities have shown great success in a decade of recruiting Direct Debit commitments
  • Flashing less cash, but plastic may quickly lose its place in the sun to more innovative forms of payment, like mobile payments
  • Number of cash machines doubles in decade, as people abandon the bank queue for the hole-in-the-wall
  • But cash is becoming less important to us, particularly by value
  • By value debit cards overtook cash in 2010, even before contactless took off
  • Debit card holding is now 90%, up from 84% in 2001
  • In 2001 debit card spending caught up with credit cards, but now far exceeds them
  • Credit cards matured in the 2000s, and card holding even declined

How businesses do it

  • 98% of businesses are small, with fewer than 20 employees, so the payment needs of firms vary enormously according to their size and complexity
  • Cheque usage is still popular with the smallest firms, but even so, cheque usage by business continues to fall sharply
  • The smallest firms bank more like consumers, and often even use personal accounts
  • Use of Direct Debit among businesses lags behind consumer use. Businesses prefer the flexibility on the timing of payments

The future

  • The use of contactless debit cards is set to increase. Many chains of stores already have point-of-sale devices to accept them, with more retailers planning to come on stream; this will continue to increase consumer awareness
  • The debit card may have had its day. New technology means payment chips are now being embedded in phones, with more innovation to come
  • New entrants may also appear. Smartphones are capable of scanning barcodes, a system which could easily be designed to take a payment from an account at a point-of-sale
  • Paying a friend or business on your mobile as easily as sending a text is set to become a mainstream option in spring 2014, when the Payments Council launches the new mobile payments service. The service will be the first to link up every bank account in the country with a mobile number
  • In future, the wallet may be obsolete altogether as more payments become electronic and our phones become the hub of our financial transactions

Summarised details from the report

Debit cards are currently making gains in sectors previously dominated by cash and are likely to take a greater share as contactless cards reach mass adoption.

  • 28% of our spontaneous transactions are made on a debit card (a rise of 59% over the last five years), with the average transaction size at £42 and falling
  • 56% of debit card purchases are between £10 and £50
  • 91% of all our one-off cash transactions were under £25
  • The contactless payment limit of £20 would allow many cash payments to potentially migrate onto cards. Debit card holding is widespread across all ages and socio-economic groups.

The triumph of the debit card, but has it passed its peak?

The arrival of the debit card in the 1980s, which was billed as the consumers’ alternative to the cheque, also provided customers with an alternative to the credit card. 84% of adults had a debit card in 2001, but they were less widely accepted, and many people still preferred cheques and cash. Spending was still just higher on credit cards (£93 billion) than debit cards (£77 billion) at the turn of the century. The balance tipped in favour of debit cards in 2001. As businesses like pubs, dentists and hairdressers began to accept the cards, thanks partly to the introduction of chip and PIN and to the rapid roll out of hand held point-of-sale devices, usage and card holding took off and the dominance of the debit card was secured.

Credit cards, by contrast, are more commonly used by people drawing higher incomes or in higher social classes. This reflects the fact that they are more able to access credit and pass credit scoring criteria. They also have greater spending power and appetite to accumulate rewards such as Air Miles and cashback through their credit cards. Credit cards account for one in twelve of our spontaneous payments with an average value of £56 per transaction.

Cheques account for just 1% of spontaneous transactions, but have an average value of £375, as they are more likely to be used for high value payments such as financial transfers (see section on cheques for more detail). There is now a quite narrow demographic profile for cheque usage which reflects its diminishing status as a mass payment method. Cheques tend to be favoured by older people who are used to paying that way, the self-employed and families with children who have to pay for childcare and children’s activities.

Between 2005 and 2011 the total value of plastic card spending increased by £179 billion. 91% of this growth was attributable to debit cards. In 2011, debit card spending in the UK amounted to £334 billion from 7.3 billion transactions. This was approximately two and a half times the amount spent on credit cards of £140 billion from 2.1 billion transactions. This represented an increase of 252% on the corresponding amount spent in the year 2001, making this rate of growth three times higher than that recorded for consumer spending over the decade to 2011. In the next decade debit card spending in the UK could come close to doubling: the report forecasts £664 billion from 14 billion transactions, with credit card spending projected to be £204 billion from 3.1 billion transactions.

Debit card holding is much more widely spread across the social spectrum than credit cards, with 90% ownership across the adult population in 2011. 98% of AB adults held a debit card compared to 57% of E adults in 2011. For credit cards the figure is 77% v 26% respectively. The wide issuance of debit cards has positive social consequences as it means lower income consumers are able to access the world of e-commerce.

Without the mass adoption of cards the e-commerce industry could never have developed, and self-service in shops and filling stations would be non-existent.

In 2001 online purchases took just 3.3p in every £1 spent on a card. By 2011, that had almost quadrupled to 12.8p in every £1, and the total continues to grow.

Contactless functionality means debit cards can continue to take a greater share of our spending, but in the longer term the future of the piece of plastic could be impacted by the arrival of mobile payments. The huge success of the debit card has opened the door to new technologies that could even lead to its own demise, or at least heavily impact its use. In the next few years, if card technology gets incorporated into mobile payments, it could become possible to use the phone to make a debit card type payment in a shop instead of the physical card, and if this happens the debit card as we know it today could become a thing of the past.

The demise of the debit card is still some way off, as despite having saturated the market, the use of debit cards will continue to grow for the time being. By contrast, the credit card market has already matured and usage has been subdued since 2009. Credit card issuance grew very strongly in the 1990s and 2000s as credit was more easily available.

Credit cards are a very useful tool in our payments arsenal, but they are not the payments of choice for a lot of our day-to-day purchases. They are most useful where a large expense needs to be spread over a longer period, or for the protection offered under section 75 of the Consumer Credit Act 1974, or indeed because a credit card is ring-fenced away from a current account.

Rapid growth in consumer borrowing and the increase in credit card usage in the early 2000s meant that 69.9 million credit cards were in issue by 2005, along with 4.7 million charge cards. Two thirds of adults held a credit card. During the recession a greater focus on the need to borrow and lend responsibly saw consumer attitudes to credit card use change. By 2011, there were 15.4 million fewer credit cards in our wallets, compared to 2005.

Spending on credit cards has increased by just 7.7%, which was well below the cumulative rate of inflation over the period. Last year we spent £140 billion and made 2.1 billion purchases in the UK. During the recession, repayments increased and in 2011 around 60% of cardholders paid off their balance in full each month, up from 54% in 2003.

In terms of business-to-business payments, the trends hold true. Last year, spending on credit cards fell and cardholding was also down by 2.7% compared to 2010, resulting in a total of 1.9 million cards. Interestingly, it is larger businesses that are most likely to use credit or charge cards, whereas smaller businesses use debit cards.

The final piece of the cards puzzle is the continued expansion in the usage of prepaid cards. They are already ubiquitous in replacing gift vouchers, but more sophisticated versions are available, for example for business-to-person disbursements such as payments under reward, loyalty and incentive schemes. The insurance sector is also starting to issue prepaid cards to claimants, for use in a specific retail sector to cover a claim. Another area where these cards are starting to forge ahead is in the travel industry. They seem to have become a more attractive proposition compared with traveller’s cheques, as they can be used directly in shops or to withdraw cash, as well as offering competitive rates for fees and charges when used abroad. However, though this market continues to expand, it is still at a slower rate than in 2009. Ultimately it is hard to imagine prepaid cards developing beyond a small niche.

How will we pay for it in the future?

Contactless payment technology began in the UK in 2007, but those living in and around London would have been familiar with the principle, having had the contactless Oyster card since 2003 for using public transport. The London Olympics used its venues as a testing ground for contactless cards. In 2011, all the major UK card schemes (American Express, MasterCard and Visa) began processing contactless payments. By December 2011, six major UK issuers were issuing cards with contactless functionality and the number of these cards reached 23 million, an increase of 75% from the end of 2010. Adoption is still slow however, as retailers and consumers are yet to embrace the changes in a big way. This will change, but first requires more retailers to roll-out more terminals, and for banks to issue more cards.

Ironically contactless technology may eventually contribute to us becoming less reliant on a physical piece of plastic, as it can be incorporated into a mobile phone or any other popular item, rendering it a payment tool. Only ten years ago paying for items on your mobile was unthinkable, but now one wonders why it’s not here in a bigger way already. The increasing demand for convenience and accessibility, along with the rising penetration of smartphones has driven the growth in mobile payment. The bold prediction made by PayPal that by 2016 people will no longer need to take a wallet with them shopping may be premature but nevertheless at some point we may be leaving the house just asking ourselves ‘keys, phone?’ KPMG expect mobile payments to be mainstream within the next 2-4 years, while Visa, which recently released its digital wallet V.me in November 2012, expects half of all payments to be made through mobile devices by 2020.

New entrants are muscling in to help us pay in shops. Google Wallet, which launched in the US last year, has already agreed deals with 25 national retailers to support the system through MasterCard’s PayPass programme. Google’s rival Apple has yet to launch a competing system, but with such a huge, loyal customer base, well used to making many small transactions through iTunes all the time, it will surely not be far off. Microsoft has already announced that there will be a wallet feature on the Windows Mobile 8 operating system. Three of the big telecoms operators, Verizon, T-Mobile and AT&T, are developing a service known as Isis.

For tradesmen on the move, new hardware is also on the market. The payment method Square, a mobile app and phone attachment which serves as its own cash register, was created by one of the founders of Twitter and is in use in the US. This sort of kit will reduce the reliance among mobile tradesmen on cash and cheques. O2 UK has also launched a new service that enables retailers to accept card payments on a smartphone or tablet by using a special keypad that connects via Bluetooth. A free app then manages the card transaction and sends a receipt.

For moving our money around, Barclays already offers a mobile payment service (Pingit). Anyone with a mobile phone can sign up with Barclays to receive payments through Pingit, but only Barclays customers can send payments. A similar service has also been launched by phone provider O2, with customers able to transfer up to £500 via text message. Similarly, PayPal has also recently launched an app in the UK that allows users to pay for items with their mobile phones across a number.

In addition to all these competitive offerings in the collaborative space, the Payments Council is developing the industry-wide, central service that will make it possible to send or receive a payment using just a mobile number, no matter who you bank with. The new service could be a handy way to split a bill for dinner or pay a tradesman without needing to know their account details. Payments made using the service will be protected by a passcode or similar security feature, and arrive almost instantly.

Internationally, consumers have been quicker to take up mobile payments in Asia than in the West. In France, McDonald’s is currently testing a mobile payments method arranged with PayPal. With over 30,000 restaurants worldwide, a McDonald’s deal would represent a larger business and cultural footprint for PayPal than perhaps any other mobile payment system in operation. In Africa, payments technology is leapfrogging the developed world. Starting with few branch networks, little fixed-line telecoms and low card or bank account holding, banking is going straight to consumers’ mobiles. Since 2007, Kenya has been using a system called M-Pesa which allows mobile money transfer through a text message, with over 50% of the population already using this service. The Payments Council’s mobile payments database will make payment by mobile a possibility for the UK too, but it will be developed using existing payment systems, such as the Faster Payments Service or the Link network.

Worldwide, the UK presents a key growth area in the uptake of mobile payment. Businesses should be planning now or risk falling behind consumer demand. From a consumer perspective, in terms of making purchases using our phones, the number of devices and potential new options on offer at the moment can be confusing as people still grapple with all the commercial developments. Whilst the future may be unclear, it is exciting, and it will bring convenience and choice far greater than we have known until now. Ultimately only a handful of providers and products will create the winning proposition. Undeniably these new technologies will transform the way we manage our finances and the way we pay over the next decade.

Adrian Kamellard, chief executive of the Payments Council, says: “We scarcely notice the steady changes in the way we pay, yet someone in their thirties today will see more change in their lifetime than in the entire history of money. Even recent innovations such as payment via a mobile phone, which ten years ago some felt to be science fiction, will soon be commonplace. The 2000s were the decade of the debit card. The 2010s are likely to be the decade of the mobile phone. Just as we can’t imagine how we ever did without the internet, many people will soon wonder how we used to be so dependent on cash and cheque. Twenty years from now even cards may seem archaic.”

He adds: “The quiet revolution in payments has enabled the creation of whole new industries such as e-shopping, it has changed our behaviour, and it has reduced transaction costs, and increased the speed and efficiency with which we can all pay each other. The next ten years will see even faster change. It’s easy to imagine a future where we merely pat our pockets for our keys and phone. The wallet could become a historical curiosity.”

View the Payments Council Press Release here.


Consumers express their opinions of Data Breach Notifications

The Ponemon Institute has released a survey, sponsored by Experian® Data Breach Resolution, into what consumers think about data breach notifications, titled 2012 Consumer Study on Data Breach Notifications.

I have made a summary of the survey below.

Consumers in the Ponemon and Experian joint study believe data breach notification is important under certain conditions

  • 85% believe notification about data breach and the loss or theft of their personal information is relevant to them
  • 57% say that they want to be informed only if the organization is certain that they are at risk
  • 58% say that if they remembered the notification it failed to explain all the facts and “sugar coated” the message

The trustworthiness of an organization is linked to the efforts it makes to protect personal information

  • 83% of respondents believe organizations that fail to protect their personal information are untrustworthy
  • 82% believe the privacy and security of their personal information is important

Following a data breach, consumers believe organizations have obligations to provide compensation and protect them from identity theft

  • 63% say organizations should be obligated to compensate data breach victims with cash, their products or services
  • 59% believe a data breach notification means there is a high probability they will become an identity theft victim. As a result, 58% say the organization has an obligation to provide identity protection services and 55% say they should provide credit-monitoring services.

Most consumers recall receiving a form letter and more than one notification

  • 65% of consumers say they have received at least one notification
  • 35% recall receiving at least three; in 2005, 91% said they received only one
  • 62% of consumers say the notification was a form letter, compared with 19% who say it was a personal letter

Most consumers do not believe the organizations that sent them notifications did a good job in communicating and handling the data breach

  • 72% of consumers were disappointed in the way the notification was handled
  • 28% say the organization did a good job in communicating and handling the data breach

A key reason for the disappointment is respondents’ belief that the notification did not increase their understanding about the data breach. In fact, since 2005 respondents are more in the dark about what happened with their data.

  • 41% of respondents say their data was most likely stolen
  • 37% say they have no idea what the data breach incident was about
  • This is an increase from 2005, when 37% said their data was most likely stolen and 28% of consumers said they had no idea what the data breach incident was about
  • 51% say their customer or consumer information was stolen
  • 21% say it was their financial information, such as credit card/debit card account numbers
  • In 2005, 86% said it was their customer or consumer information and 10% said it was employee records
  • 44% of consumers do not know the specific data that was lost or stolen which makes it more difficult for them to take steps to protect themselves from further harm. Those who do know say the following were most likely to have been lost or stolen: name, credit card or bank payment information and Social Security number.

Personal data respondents worry most about if lost or stolen

  • 48% Email address
  • 48% Health plan provider account number
  • 48% Taxpayer ID number/Employer ID number
  • 52% Telephone or mobile number
  • 53% Driver’s license number
  • 57% Credit or payment history
  • 65% Credit card or bank payment information
  • 65% Prescriptions
  • 68% Social media accounts/handles
  • 89% Social Security number
  • 92% Password/PIN

Consumers say key facts about the breach are missing in most communications. 67% say the notification did not provide enough details about the data breach.

The majority of consumers (51%) would like to have more information about how the organization will protect them to minimize the harm to them and their family. This is consistent with the 2005 study.

The proportion wanting to know how the data breach may affect them and their family decreased significantly, from 40% of respondents in 2005 to 24% this year. Identity protection or credit monitoring services, and steps to take to protect their personal information, were included for the first time in this year’s study and were significantly lower than the first choice of protections to minimize the possible negative consequences of a data breach.

Notification letters are increasingly perceived to be junk mail, according to many consumers

  • 36% say they thought the data breach notification letter looked like junk mail; this is an increase from 15% in 2005
  • 34% say it was an important communication; this is a significant decrease from 51% in 2005

If they thought it looked like junk mail

  • 63% of respondents recommend that the notification provide the names of individuals they can contact if they have questions or concerns
  • 54% say the notification should be personalized
  • 50% suggest making a phone call or email alerting them to the notification

Customer loyalty is at risk following notification. In response to being notified by an organization

  • 15% say they will terminate their relationship
  • 39% say they will consider ending the relationship
  • 35% say their relationship and loyalty is dependent upon the organization not having another data breach

Only a small percentage of respondents in both studies do not blame the organization reporting the data breach. Further, respondents’ reactions to a breach have not changed significantly in the past seven years.

As in the previous finding, data breaches diminish customer loyalty and trust, and this has not changed much since 2005. The study reveals that 62% say the notification decreased their trust and confidence in the organization. Only 30% say it had no effect on their trust and confidence.

Since 2005, data breach notifications have not become easier to understand: 61% of consumers have problems understanding the notification, an increase from 52% in 2005.

The biggest improvements that could be made would be to explain the risks or harms that they are most likely to experience as a result of the breach and to disclose all the facts.

The believability of data breach notifications has declined

  • In 2005, 61% say the message was believable
  • This has decreased to 55% in 2012

Scepticism about the content of the notification has increased since 2005. Of the 45% who say it was not believable, 51% say the message did not tell them about the harms or risks they will likely experience. This is an increase from 37% who believed this in 2005. In addition, perceptions that the organization is hiding key facts about the data breach have increased from 37% to 44%.

Respondents are just as worried today as they were in 2005 about the security of their personal information

  • 63% are more worried about the security of their personal information
  • 44% say they have had to spend time resolving problems as a result of the breach
  • Despite concerns about identity theft and other harms, almost half (49%) are doing nothing to protect themselves

Consumers are, however, more cautious about sharing personal information with the organization that had the breach (45%) and 35% are more cautious about sharing information with all organizations.

Ponemon’s Conclusion

Consumers in our study believe the privacy and security of their personal information is important. Organizations that do not provide adequate safeguards are considered untrustworthy. Further, typical responses to a data breach notification are to immediately discontinue the relationship with the organization that had the breach, to consider discontinuing the relationship or to continue the relationship only as long as another breach does not occur.

One of the goals of this research is to determine if consumers’ perceptions about data breach notification have changed since 2005 when we conducted the first study about this topic. Based on the findings, improvements need to be made to both how the notifications are delivered and the information that is communicated to victims of the data breach.

These include

  • Making the notification easier to understand by making it shorter with less legalese
  • Eliminating the perception that the notification is junk mail by providing names that can be contacted if there are questions or concerns, personalizing the message and making a phone call or sending an email in advance of sending the notification
  • Providing specifics about the incident that explain the cause of the breach and the type of data that was lost or stolen so the victim understands what the data breach is all about
  • Assuring the victims that the organization will take steps to protect them from identity theft and other negative consequences

Most of the consumers who responded to the survey cannot recall if they received notification. We conclude that despite their concern about privacy and security, consumers are not paying attention to the notices. They also are not being proactive about preventing identity theft following notification. Instead, they believe it is the obligation of the organization to fully explain the potential harms they are likely to experience and to take steps to reduce the risk of identity theft.

In many instances, when organizations have a data breach the notification process is a matter of sending out a form letter. As shown in this study, communicating the circumstances of the data breach can influence customer loyalty, trustworthiness and reputation. Resources spent on personalizing the message, offering assistance to reduce the likelihood of identity theft and future harms and providing specific information about the incident may help organizations avoid the risk of losing customer trust and loyalty in the aftermath of the data breach.

Read the full report by registering here.

With Breach Notifications to be mandatory in the not so distant future it would be worth reading my review of the proposed European Data Protection Act here.

Last chance to review your PCI readiness before the holiday season

As we enter the busiest period of credit card spending it is probably a good time for a bit of last minute house keeping to ensure your business is meeting the Payment Card Industry Data Security Standard (PCI DSS), or as much of it as you can.

First things first, DO NOT STORE CREDIT CARDS unless you really really have to.

  • If you know you are un-necessarily storing credit cards, delete them and delete them with a deletion tool so there is no way they can come back to haunt you.
  • If you have to retain credit card data make sure it is encrypted and never ever store the CVV/CV2/etc. As a short term fix, to get you through the next couple of weeks, encrypt hard drives and put in a plan to have effective credit card encryption and tokenization in place for early 2012. For a better understanding of how tokenization can help you reduce the risks and the scope of PCI DSS download a white paper called “Eight Ways to Reduce PCI DSS Audit Scope by Tokenizing Cardholder Data” here.
  • Check to see if there are cards being stored that you do not know about. In a recent survey SecurityMetrics found an “8 Percent Increase of Unencrypted Cards”, read the press release here. There are some excellent scanning tools that will scan your network and devices for the existence of credit cards so you can then decide to delete or secure.
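
The discovery step in the last bullet is what a card-discovery scanner does. The following is an added example, not a tool from this page or from SecurityMetrics: it finds candidate numbers (digits optionally separated by spaces or hyphens), keeps only those that pass the Luhn check and match a known issuer prefix and length, and reports masked PANs only, so the scan output does not itself become stored cardholder data. The sample lines and the well-known test card numbers are constructed.

```python
"""Scan text for stored primary account numbers (PANs) the way a
card-discovery tool does: candidate digit runs -> Luhn check ->
known issuer prefix/length -> masked report (never the full PAN).
Added illustration; not any vendor's scanner."""
import re
from dataclasses import dataclass

# Candidate: 13-19 digits, optionally separated by single spaces or
# hyphens, and not embedded in a longer digit run (lookaround guards).
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def brand_of(pan: str):
    """Map the issuer prefix and length to a brand; None means 'not a card'."""
    n = len(pan)
    if pan[0] == "4" and n in (13, 16, 19):
        return "Visa"
    if n == 16 and (51 <= int(pan[:2]) <= 55 or 2221 <= int(pan[:4]) <= 2720):
        return "Mastercard"
    if n == 15 and pan[:2] in ("34", "37"):
        return "American Express"
    if n == 16 and (pan.startswith("6011") or pan.startswith("65")):
        return "Discover"
    return None


def mask(pan: str) -> str:
    """First six and last four only, the most PCI DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Finding:
    line_no: int
    brand: str
    masked_pan: str


def scan_text(text: str):
    """Return one Finding per Luhn-valid, known-brand number in `text`."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE.finditer(line):
            pan = re.sub(r"[ -]", "", m.group())
            brand = brand_of(pan)
            if brand and luhn_valid(pan):
                findings.append(Finding(line_no, brand, mask(pan)))
    return findings


# Constructed sample: well-known test card numbers, not real cardholder data.
SAMPLE = """\
2011-12-01 order=1138 card=4111 1111 1111 1111 amount=49.99
customer,5555555555554444,exp=12/13
amex 3782-822463-10005 refund
typo 4111111111111112 should not be flagged (bad Luhn digit)
invoice 1234567812345670 passes Luhn but has no card issuer prefix
tracking 12345678901234567890 is a 20-digit reference, not a card
call +44 20 7946 0000 for support
discover 6011111111111117 on file
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line_no}: {f.brand} {f.masked_pan}")
```

The Luhn check alone is not enough: the invoice number on line 5 passes it, so the issuer prefix and length test is what keeps the false-positive rate usable on real file shares.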

You now need to revisit the Payment Card Industry Data Security Standard’s Version 2 to ensure you are meeting as much of the standard as possible. The best place to start is with the PCI DSS Prioritized Approach (find it here). The Prioritized Approach will ensure the efforts you make are directed towards the most important areas with the quickest wins.

The Prioritized Approach consists of six key milestones, and merchants are advised to start with number 1.

  1. Remove Sensitive Authentication Data and limit data retention
  2. Protect the perimeter, internal, and wireless networks
  3. Secure payment card applications (e.g. PA DSS approved)
  4. Monitor and control access to your systems
  5. Protect stored cardholder data
  6. Finalize remaining compliance efforts, and ensure all controls are in place

Another reason to revisit your PCI DSS posture is revealed in Verizon‘s 2011 global report, which finds that many organisations lose sight of compliance after their initial compliance activity. Some specific findings from the report are below:-

  • 21% of organizations were fully compliant at the time of their Initial Report on Compliance (IROC)
  • 78% of organisations met all test procedures at the IROC stages
  • 20% of organizations passed less than half of the PCI DSS requirements
  • 60% scored above the 80% mark

The full review of the Verizon report is here.

If you want to look at a range of other documents and guides have a visit to my PCI Resources page here.

Good luck with your Christmas and the New Year business and compliance activities.


The U.S. Leads the World in Credit Card Fraud

In the Nilson Report: Global Credit Card Fraud Losses, they reveal that the U.S. currently accounts for 47% of global credit and debit card fraud even though it generates only 27% of the total volume of purchases and cash.

Payment card fraud losses totaled $3.56 billion last year in the U.S. from all general purpose and private label, signature and PIN payment cards.

“The U.S. has a disproportionate percentage of the global total losses for two reasons, U.S. banks have been slow to adopt newer technologies such as EMV chip cards, and issuers are reluctant to decline card authorization from merchants because they don’t want to alienate their cardholder,” said David Robertson, publisher of The Nilson Report.

“Competition among U.S. issuers, which has resulted in the average cardholder having four credit cards in their wallet, makes any issuer reluctant to decline an authorization. The consumer will just pull out a competitor’s card,” said Robertson.

Institutions across Europe, Latin America, the Middle East, Africa and Asia have introduced security processes and technologies to reduce fraud, for example Chip and PIN.

Global card fraud worldwide as a percentage of total volume has decreased. In 2010, total fraud losses equaled 4.46c per $100 in total volume of purchases and cash, down from 4.71c per $100 in 2009.

Total global fraud losses, at $7.60 billion, nevertheless increased in 2010 by 10.2% compared to the prior year; the loss rate fell only because spending grew faster than losses.

The payment card industry is expected to continue to grow sales volume at a faster pace than thieves can compromise the system.

The Nilson Report is a highly respected source of global news and analysis of the credit, debit and prepaid card industry. The subscription newsletter provides in-depth rankings and statistics on the current status of the industry, as well as company, personnel and product updates. Nilson Report Publisher, David Robertson, is a recognized expert in the field, and is a frequent speaker at industry conferences.


Big increase in communications fraud

CIFAS, the UK’s Fraud Prevention Service, has reported on frauds recorded by its 260 member organisations during the first nine months of 2011.

The report reveals a 34% increase in fraud related to communications products, when compared with the same period in 2010.

CIFAS conclude that some “communications” products, for example smartphones like the iPhone, are viewed as essential items rather than luxury items, which seems to create a sense of entitlement to commit fraud.

CIFAS have also seen:

  • 93% increase in impersonation of the victim at their current address, also known as current address fraud
  • 85% increase in the use of completely fictitious identities
  • 64% surge in identity fraud cases, where individuals try to obtain products or services using another identity
  • 20% increase in misuse of facility cases

CIFAS Communications Manager, Richard Hurley, notes:

“The rise in current address fraud alarms because it signifies either that fraudsters are becoming increasingly sophisticated (as it is more difficult to impersonate someone at their address and then try to intercept goods or paperwork), or it demonstrates that friends, family and co-habitees are involved. Allied to the similarly enormous increase in the use of completely false identities, this surely indicates that communications products have become so essential that fraudsters not only obtain goods or handsets to sell on but will also attempt to use any identity in order to avoid becoming liable for bills.”

“Nearly 100% of this increase can be accounted for by regular payment fraud, where fraudulent direct debit instructions are given in an attempt to evade the payment of bills. The reality of the situation is that the communications product, device or service has become so embedded in our lives that many of us seem unable to do without them. With sacrifices having to be made by most individuals and households, these figures depressingly indicate that many people feel that, economically, they have no choice but to attempt fraud in order to continue receiving such services.”

CIFAS Notes

  1. CIFAS is the UK’s Fraud Prevention Service, a not for profit Membership organisation with over 260 cross sector Members including banking, credit cards, asset finance, retail credit, mail order, insurance, telecommunications and the public sector. Members lawfully share information on frauds in the fight to prevent further fraud.
  2. The following table shows a summary of communications fraud cases recorded by CIFAS Members, broken down by the type of fraud identified. Definitions are given below the table.

     Type of fraud              Jan to Sept 2010   Jan to Sept 2011   % Change
     Application Fraud                     3,679              4,347        18%
     Facility Takeover Fraud               5,292              4,330       -18%
     Identity Fraud                       12,673             20,842        64%
     Misuse of Facility Fraud              3,430              4,125        20%
     Total                                25,074             33,644        34%

UK Cards Association warns of growing Credit Card fraud phone scam targeting the over-60s


The UK Cards Association has warned about an old-style phone scam that is increasingly being used by fraudsters across the UK.

The scam involves unsuspecting cardholders being called and duped into handing over their debit or credit card, and revealing their PIN, by a fraudster pretending to be from their bank, card company or the police. Just this year more than £750,000 has been lost to this type of fraud, with the criminals responsible stealing an average of £10,000 per incident.

The scam begins with the fraudster phoning up, typically claiming to be from the prospective victim’s bank, and saying either that their systems have flagged up a fraudulent transaction on their card or that their card is due to expire and needs replacing. By seeming to offer assistance, the fraudster tries to gain the victim’s trust. In most cases the victim is then asked to ‘activate’ or ‘authorise’ the replacement card in advance by keying their PIN into their phone’s handset.

The fraudster or an accomplice then poses as a bank representative or a courier to pick up the customer’s card from them at their home, sometimes also giving the victim a replacement card (which is a fake). In some cases a genuine courier company is hired to pick up the card, which the victim has been asked to place in an envelope. Once they have the victim’s card and the PIN the fraudster uses them to withdraw cash and go on a spending spree.

Top tips to avoid this scam:

  • Your bank will never ring you and tell you that they are coming around to pick up your card, so never hand it over to anyone who comes to ‘collect it’.
  • Your bank will never ask you to ‘authorise’ anything by entering your PIN into the telephone.
  • Never share your PIN with anyone – the only times you should use your PIN is at a cash machine or when you use a shop’s chip and PIN machine.

If you think you may have been the victim of a fraud or a scam of this nature you should call your bank or card company immediately.

DCI Paul Barnard, Head of the Dedicated Cheque and Plastic Crime Unit (DCPCU), the special police unit established by the banking industry to fight fraud, said:

“You should never hand over your bank card to someone who turns up on your doorstep, however convinced you are that they are genuine. Likewise, you should never give anyone your PIN or punch the number into your phone as a result of someone contacting you out-of-the-blue – wherever they claim to be from. If you have any doubts when approached in this way you should hang up the phone and call the organisation back on a number that you know is correct. If you think you have already been a victim of this scam, contact your bank or card company immediately. If you are the innocent victim of card fraud you will not suffer any financial loss.”


Advice for Small Businesses on how to avoid Identity theft

The Identity Theft Council (ITC) has recently issued a press release promoting Identity Theft awareness and offered advice on how to avoid the problem.

They quote a Javelin Strategy & Research study which found that:

  • Fraud suffered by Small Business Owners (SMBO) totaled $8 billion
  • Banks, merchants and other providers absorbed at least $5.43 billion of that loss
  • The cost to victims was $2.61 billion

According to the U.S. Small Business Administration, small businesses represent more than 99 percent of all U.S. businesses, and of the estimated 27 million small businesses, more than 21 million are sole proprietors. The ITC concluded that small businesses are ideal targets for identity theft.

“The ITC works with individual identity theft victims and small business owners to educate them about identity theft and to provide resolution services,” said Neal O’Farrell, Executive Director of the Identity Theft Council (ITC), and security expert. “Unfortunately, small business owners are being targeted more today than ever before due to the criminals’ ability to easily access important information and go undetected.”

Identity Theft Council Tips for Prevention and Detection:

  • Write a security plan. Security starts with a plan. A plan can be as simple as the security rules, guidelines, and goals for your business, and the consequences for ignoring them. A plan is also an easy way to help you remember your security priorities.
  • Do an inventory of your data. Data is what the thieves want, whether it’s customer account or credit card data, employee Social Security numbers, or even databases of target customers. If you don’t know what data you have in your business, or where it is, then you can’t effectively protect it.
  • Train your employees. Enlist every employee, family member, partner, and contractor as a vigilant sentry so that every stakeholder understands how to protect their corner of cyberspace. Most thieves will target the weakest link, and that’s usually a careless or untrained employee.
  • Guard your business accounts well. As a business owner you don’t enjoy the benefits of zero liability, so if your account is emptied by crooks, the bank won’t bail you out.
  • Restrict employee and insider access to data. For everyone’s safety employees should only have access to the data they need to do their job. And that access should also be monitored.
  • Be especially wary of banking Trojans. These highly sophisticated programs can easily creep on to your computers, steal bank logins and passwords, and quickly empty your bank accounts.
  • Monitor your bank accounts and credit cards constantly. These can often provide the earliest warning that thieves have obtained your account information and have started to use it. Most financial institutions provide free instant alerts to warn you about any unusual account activity.
  • Be wary of business identity theft, too. Business identity theft is a growing problem, and it involves criminals using publicly available information about your company to pretend to be the legitimate owners of your business so they can take out substantial loans and leave you to clean up the mess. An easy precaution is to regularly Google your business name for any clones.
  • Use the available technologies. As a small business owner you have many choices when it comes to protecting your employees, your computers, and your data from cyber thieves. And some of the best tools are free. So make sure every computer in your business is locked down with layers of security technology.

“As a co-founder of the Identity Theft Council, Intersections believes in helping victims of ID theft find resolution, and in educating the community about how to protect themselves from the crime,” said Michael Stanfield, Chairman and CEO of Intersections Inc. “Small business owners are a unique group of victims that straddle between the consumer and business world, and are a prime target for criminals.”

Find the ITC website here


Hotel association to create unified security standards for Credit Card payments


Under the banner of the Hotel Technology Next Generation (HTNG), 16 major hotel groups from around the world are planning to work together to develop an industry specific IT Security framework for handling sensitive and credit card data.

The HTNG will be a not for profit trade body which will develop solutions and standards that can be used in the hospitality industry.

Hotel credit card transactions are more difficult to secure than in other industries. During the hotel reservation process, sensitive data often flows across systems managed by different companies. The data could be stored for weeks or months from the initial booking, to the checking in, charges for additional services e.g. bar bills, all the way through to the final check out.

There are lots of different systems and software involved in processing a reservation, which makes security standards very important.

Solutions like tokenization can provide an answer for a single hotel or hotel chain but they will require a great deal of sharing and integration if more than one company wishes to share the same token.

Wikipedia’s definition of Tokenization is “the process of breaking a stream of text up into words, phrases, symbols, or other meaningful elements called tokens. The list of tokens becomes input for further processing such as parsing or text mining. Tokenization is useful both in linguistics (where it is a form of text segmentation), and in computer science, where it forms part of lexical analysis“.

To find out more about Tokenization download the Tokenization for Dummies booklet by clicking here, registration is required.
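
The definition quoted above is tokenization in the linguistic sense; in payments, tokenization means replacing the PAN with a surrogate value that has no exploitable relationship to it, so only the token vault can map the token back. The example below is added here and is not HTNG’s or any vendor’s design: it shows a minimal vault, a token that keeps the real last four digits for receipts, detokenization restricted to an assumed “payment-processor” role, and why a token from one company’s vault is meaningless to another, which is the sharing and integration problem raised above. The test card number is constructed.

```python
"""Minimal payment-card token vault. Added illustration with a
hypothetical design; production vaults encrypt the PAN store and keep
it inside the token provider's PCI DSS environment."""
import secrets


class TokenVault:
    """One vault per token provider; only the vault maps token -> PAN."""

    # Assumed policy: the only role allowed to recover a PAN from a token.
    DETOKENIZE_ROLES = {"payment-processor"}

    def __init__(self, name: str):
        self.name = name
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        """Return a surrogate for `pan`; the same PAN gets the same token
        within this vault so repeat bookings can still be matched."""
        if not pan.isdigit() or not 13 <= len(pan) <= 19:
            raise ValueError("not a plausible PAN")
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        while True:
            # Random surrogate: nothing about the PAN can be derived from it.
            # The real last four are appended so front-desk and billing
            # systems can show "card ending 1111" without holding the PAN.
            token = f"tok_{secrets.token_hex(8)}_{pan[-4:]}"
            if token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str, role: str) -> str:
        """Recover the PAN. Only a permitted role may do this, and only for
        tokens this vault issued: another provider's token is an opaque
        string here, which is why sharing tokens across companies needs
        integration between their vaults."""
        if role not in self.DETOKENIZE_ROLES:
            raise PermissionError(f"role {role!r} may not detokenize")
        try:
            return self._pan_by_token[token]
        except KeyError:
            raise LookupError(f"token not issued by vault {self.name!r}") from None


def last_four(token: str) -> str:
    """Display value for receipts and call-centre screens."""
    return token.rsplit("_", 1)[-1]


if __name__ == "__main__":
    hotel = TokenVault("hotel-chain")
    ota = TokenVault("online-travel-agency")
    pan = "4111111111111111"      # well-known test number, not a real card
    t = hotel.tokenize(pan)
    print(hotel.name, t, "ending", last_four(t))
    print("OTA issues a different token for the same card:", ota.tokenize(pan) != t)
```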

While major hotel companies have invested heavily in security within their own systems, they have no control over the hundreds of third-party systems that may touch their reservations prior to their guests’ arrival.

Early discussions indicate a broad agreement that a single industry framework is required, and that the framework needs to work with existing security approaches in place at major hotel companies and in commonly used systems, for example PCI DSS. There was also agreement on the key elements needed for the industry framework. The group intends to document this framework conceptually in a white paper that will form the basis for subsequent standards development.

Doug Rice, CEO of HTNG, said the organization initiated the process for the industry security framework in June. A charter has been created to ensure the hotels and organizations involved are on the same page. The group’s first meeting will take place in November.

Rice said everyone involved in accepting payments in the hotel industry needs to agree on the same framework for it to work effectively. Online travel agencies, distribution partners and payment processors will all need to be on board. The plan is for the major hotel companies to inform their partners of the plan at approximately the same time. Vendors will realize this is what they need to do if they want to meet the needs of the hotel industry, he said.

Once the partners are on board with the solution, independent hotels will start getting involved, too.

Rice said education will not necessarily be the role of HTNG. However, the group expects to work with organizations such as the Hospitality Financial and Technology Professionals to help implement the solution and spread the word in the industry.

“This is not going to be an overnight solution, it’s a journey, but it’s something that the industry has recognized needs to be addressed,” Rice said.

Read the HTNG Press Release here.

Also read “77% of Hospitality Sector Mistakenly Believe They Are PCI Compliant“.


Merchants are more concerned about their brand than PCI fines


A joint CyberSource and Trustwave survey has shown that nearly 70% of Merchants cited the need to “protect the brand” as the primary driver for tightening controls against hackers and other payment security risks.

Only 26 percent said avoiding fines resulting from non-compliance with the Payment Card Industry Data Security Standard (PCI DSS) was the key motivator.

A few highlights from the report include:

  • Brand Protection is Key Driver of Investment: The need to protect the organization’s brand and its revenues was given as the primary driver for investment in payment security.
  • Threat from External and Internal Sources Perceived as Equal: While the successes of external hackers often make headlines, employees can be an equally damaging source of risk. The survey found that organizations perceive the threats from internal and external sources as being nearly equal.
  • Trend Towards Remote Data Storage: With the need to secure payment data and efficiently comply with PCI DSS, organizations are planning to shift their payment data security approach from an on-site strategy to a remote one. Those organizations that had already made the shift reported shorter time-to-compliance and fewer full-time equivalent employees managing payment security.
  • Payment Security Cost and Complexity Expected to Increase: Most survey respondents expect that the technological complexity, cost, and resources required to manage payment security will increase over the next 24 months.

“A breach has serious consequences for nearly every division of an eCommerce merchant’s organization,” said Dayna Ford, Senior Director, Product Management at CyberSource. “But by far the most damaging impact is to the company’s brand, affecting revenue, customer loyalty, and even stock valuation. Knowledge of this phenomenon is now widespread, so we’re not surprised at the survey finding that puts brand integrity as the most important rationale for payment security investment.”

“In the face of increasing numbers of security breaches and data theft, there’s a real urgency for organizations to deploy powerful and effective security strategies,” said James Paul, Senior Vice President of Global Compliance Services at Trustwave. “Studies like ‘The Payment Security Practices and Trends Report,’ published today, should help organizations learn best practices and likely costs to attain appropriate levels of security.”

Selected survey findings

  • Data moving out:  Over the next 24 months, an increasing proportion of organizations expect to remove payment data from their environment as a way of reducing security risks.
  • Efficiency improving: Organizations that do not capture, transmit, or store data inside their own network tend to employ fewer personnel, validate PCI DSS compliance more quickly, and operate at a lower overall cost of payment security management.
  • “Data out” merchants spend less on infrastructure: 75 percent of PCI DSS Level 1 merchants that have removed payment data from their environments spend less than $500,000 on their payment security infrastructure. Only 60 percent of those that keep data in-house can make that claim.
  • Risk not confined to outsiders:  In one counter-intuitive finding, respondents said they felt the threat of payment data theft from inside employees was about equal to the threat from external hackers.

Read the full report here, registration is required.

Learn more about the Payment Card Industry Data Security Standard (PCI DSS) by visiting my PCI DSS Resources page here.


9 steps to take if your credit card data is hacked


Lisa Bertagnoli on Creditcards.com has produced a list of the 9 things you should do if your credit card is hacked/stolen/cloned or otherwise dealt with in a criminal fashion.

As a checklist it contains some excellent advice, not just for credit card security but for all your data.

1. Make sure there’s really been a breach. “When you get the scary communication, make sure it’s legitimate,” says Steven Weisman, a Boston-based attorney and author of “The Truth About Avoiding Scams.” “People get phony security notifications and that can turn into identity theft,” he says. His advice: Don’t trust email, the U.S. mail or even a phone call. Call your bank yourself to confirm a breach.

2. Find out exactly what information was stolen. “There’s a big difference between a credit card and checking account,” says Jeremy Miller, director of operations for Kroll’s Fraud Solutions, a division of Kroll Inc., a Nashville-based security company. With a credit card account, consumers are responsible (in most states) for only $50 of unauthorized charges. However, most banks will forgive that, particularly if the breach is their fault. “But a checking account is different — you might get your account cleaned out,” Miller says.

3. Find out what your bank will do. In late June, thieves breached CitiGroup’s database, accessing 360,000 records and stealing a total of $2.7 million from 3,600 credit card holders. The bank agreed to compensate the cardholders. Other banks may offer a free credit monitoring service that alerts customers about activity over a certain dollar amount. Use them, advises Ed Bellis, CEO of HoneyApps, a Chicago-based data security firm.

“The best thing consumers can do is have alerts and triggers on their credit card and bank statements,” Ed Bellis says.

Such alerts will tip you off to fraudulent activity before it spins into major trouble. Keep in mind that the free alert offer will expire; find out when so you don’t end up paying an automatic monthly fee.

4. Cancel your cards. If the bank didn’t do so automatically after the breach, do it yourself. Cancel your credit cards and debit cards that were issued by the institution that suffered the breach. Be sure to notify companies that have your card on file for automatic monthly fees, say for website hosting or a newspaper subscription, that your card was cancelled.

5. Reset your passwords, and make them challenging. Weisman says that “123456” and “password” are the most common passwords: Easy for good guys to remember, easy for bad guys to steal with. Avoid choosing easily findable information, such as your birthday or street address. Choose something more obscure, and make the password a mix of letters and numbers. For extra security, create a different password for each account. Just make sure to write them down and store them in a safe place, such as a home lockbox.

6. Monitor credit card statements closely. Bellis says thieves love to test the viability of accounts with a small purchase, say a 99-cent iTunes download. Review every statement, each purchase, each charge, to make sure you or a household member with access to your card made that purchase. If you see an unauthorized charge, report it to the card issuer immediately.

7. Pull your credit reports. Federal law requires the three main credit bureaus, TransUnion, Equifax and Experian, to give you a free credit report if your account information has been stolen. Review each report carefully for errors or fraudulent activity; if you find any, go to the reporting institution and fix them. If there’s a chance your Social Security number has been stolen, put a security freeze on your files. At minimum, issue a fraud alert, suggests Sheila Adkins, spokeswoman for the Council of Better Business Bureaus, Arlington, Va.

8. Beware of email asking for personal, financial or account information.

“Legitimate companies you rely on for your online shopping, financial needs and college tests will not request this information, they already have it,” Adkins says.

If you want to communicate with an online company, find its website and use that website’s contact information.

9. Tighten up your own security. This won’t keep your data safe if someone hacks into some other company’s database, but it’s a smart move anyway. Update your home computer’s security. Don’t click on links sent by strangers; such links can contain invisible malware that will monitor your computer’s keystrokes and thus steal passwords. If you bank online, dedicate a browser to online banking, and use it for nothing else. “You have to have data and information discipline,” says Daniel Mohan, president and chief operating officer of ID Watchdog, a Denver-based data monitoring, detection and resolution firm.

The original article is here.


PCI DSS – updated guidelines for WiFi and new guidance on Bluetooth


The Wireless Special Interest Group (SIG) of the PCI Security Standards Council (PCI SSC) has released an Information Supplement, the PCI DSS Wireless Guidelines.

The update aligns the wireless guidance with version 2 of the PCI Data Security Standard and adds guidance on Bluetooth.

All merchants and credit card processors should read the document, which can be found here.

The three main sections in the Information Supplement are:

  1. Wireless Guidance Overview
  2. Generally Applicable Wireless Requirements
  3. Applicable Requirements for In-scope Wireless Networks

For further information on the PCI Data Security Standard visit the PCI Resources page on my blog here.


Most Small Business Owners do not treat Fraud as a Top Priority – survey results


On the 15th August 2011 TD Bank published the results of a survey indicating that small businesses (under $5 million) do not have business fraud as their top priority; in fact only 1% of survey respondents said it was a top priority.

TD Bank’s survey polled 300 small business executives in its Maine to Florida area to understand their current awareness of small business fraud, as well as their top external concerns over the next 12 months.

“It’s encouraging to see that small business owners are taking steps to protect their business, but fraud protection should be a high priority and it pays to be vigilant,” says Fred Graziano, Head of Commercial and Small Business Banking at TD Bank. “Given the influx of new digital technologies and operational tools available for small business owners, it’s increasingly important to learn about the latest trends and techniques used by criminals, and to be more diligent in defending against fraud.”

Graziano and Robert Dunlop, TD Bank Director of Corporate Security and Investigations, offer the following advice to small business owners to protect their business from fraud:

Manage finances using secure online banking.

Online banking is a secure and essential tool for any small business owner. The benefits of this service include 24/7 access to real-time information, account transfers and payment management. Small business owners can easily schedule and manage payments, submit remittance information, and have an audit trail of all transactions.

“It’s important for small business owners to check their account activity regularly,” says Graziano. “Having instant access to payment history helps businesses closely monitor their spending for any discrepancies. If there are any, contact your financial institution immediately.”

Protect computer systems and practice online awareness.

“Being complacent about cyber protection can lead to the compromise of critical information and detrimental consequences for a business,” says Dunlop. “Every computer at home or in the office should have installed and regularly updated firewalls and anti-virus software.”

While conducting business online, be aware of “phishing” – an electronic scam that attempts to obtain confidential personal or financial information from its target. It takes the form of a fake message, usually an e-mail, which appears to be from a financial institution or service provider. While some e-mails are easily identified as fraudulent, including some containing enticing headlines, others may appear to come from a legitimate address.

“If an offer received via e-mail or on a website sounds too good to be true, it probably is,” says Graziano.

Safely handle sensitive documents and financial statements.

“The web isn’t the only place where thieves can steal valuable information from a small business,” says Dunlop. “Employees and outside parties can steal important mail, credit card information or checks, and commit fraud.”

Printed financial statements, social security numbers and other sensitive papers should be disposed of properly using a shredder, or kept in a securely locked container.

“To avoid the hassle of handling several papers, banks such as TD Bank allow customers to opt out of paper statements and receive online statements instead,” says Graziano.

According to Dunlop, technological advances have even put photocopiers at risk: “Most photocopiers built since 2002 contain a hard drive that stores every image scanned, copied or emailed. When a business sells or upgrades their copier, the machine is usually cleaned up and reconditioned, but often times the hard drive is left intact and is not scrubbed.”

Once resold, it’s possible for anyone to simply pop out the hard drive and access and sell confidential information such as income tax and bank records, social security numbers, and birth and medical records.

“Businesses need to be aware of this and treat documents in the standard office copier just as they would any printed document, and guard that information accordingly,” says Dunlop.

Obtain fidelity insurance.

“Crime and fraud-related losses generally aren’t covered by property insurance policies, so it’s important to protect money losses from workplace fraud,” says Dunlop.

Fidelity insurance protects your business against criminal acts such as robbery, embezzlement, forgery and credit card fraud. Liabilities secured under this type of insurance usually include money loss coverage (burglary or theft) and employee dishonesty (embezzlement and forgery).

Search for low rates and partner with a broker, such as TD Insurance, who can help shop for the best deal.

Incorporate appropriate checks and balances.

Every small business owner should perform an internal review and assessment of company finances on a monthly basis. Make sure payment amounts match all invoices and check for any missing documents. “Running random audits or having a third party audit the books once a year will show employees you are serious about fraud and deter them from committing deceptive acts,” says Graziano.

TD Bank advise that if you think you are a victim of business fraud, immediately contact the fraud department of any of the three major credit bureaus to place a fraud alert on your credit file. Also, contact your banks, credit card issuers and other creditors where your finances and information are available.

More information on TD Bank’s security can be found here.


The ICO judgment on Lush after the breach of 5,000 people’s bank details


Seven months after the disclosure of the data breach at Lush Cosmetics Ltd, the Information Commissioner’s Office (ICO) has delivered its findings and imposed its actions against Lush.

The ICO has announced:

Cosmetics retailer Lush breached the Data Protection Act after the security of its website was compromised for a four month period, the Information Commissioner’s Office (ICO) said today. The breach, which occurred between October 2010 and January 2011, meant that hackers were able to access the payment details of 5,000 customers who had previously shopped on the company’s website.

As a result of the breach, the ICO has required Lush to sign an undertaking to ensure that future customer credit card data will be processed in accordance with the Payment Card Industry Data Security Standard. The ICO is taking this opportunity to warn online retailers that if they do not adopt this standard, or provide equivalent protection when processing customers’ credit card details, they risk enforcement action from the ICO.

Lush discovered the security lapse in January 2011 after receiving complaints from 95 customers who had been the victim of card fraud. After making enquiries, Lush found out that their website had been subject to a hacking incident which had allowed hackers to access their customers’ payment details. On uncovering the incident, the security of Lush’s website was immediately restored.

The ICO’s investigation found that, although the company had measures in place to keep customers’ payment details secure, they were not sufficient to prevent a determined attack on their website. The retailer’s methods of recording suspicious activity on their website were also insufficient, which delayed the time it took them to identify the security breach.

Acting Head of Enforcement, Sally Anne Poole said: “With over 31 million people having shopped online last year, retailers must recognise the value of the information they hold and that their websites are a potential target for criminals.

“Lush took some steps to protect their customers’ data but failed to do regular security checks and did not fully meet industry standards relating to card payment security. Had they done this, it may have prevented the fraud taking place and could have saved the victims a great deal of worry and time invested in claiming their money back. This breach should serve as a warning to all retailers that online security must be taken seriously and that the Payment Card Industry Data Security Standard or an equivalent must be followed at all times.”

Mark Constantine, Managing Director of Lush Cosmetics Ltd, has signed an undertaking committing the retailer to taking necessary steps, including that the company only stores the minimum amount of payment data necessary to receive payments, and that this information will not be kept for longer than is necessary. All future payments will also be managed by an external provider compliant with the Payment Card Industry Data Security Standard and the retailer will also make sure that appropriate technical and organisational measures are employed and maintained.

It is understood that Lush now uses Netittude to do penetration testing, Trustwave to secure its payments system, and RBS Worldpay to process transactions.

Related articles:

25/2/2011 Lush once again trading

15/2/2011 Lush confirm their Australian Website has been hacked

Serious Disconnect Between Businesses and Mobile Users


McAfee have released their report “Mobility and Security: Dazzling Opportunities, Profound Challenges”.

“Devices are no longer just consumer devices or business devices. They are both,” said Richard Power, a CyLab Distinguished Fellow at Carnegie Mellon University, the primary author of the report. “Devices are more than extensions of the computing structure, they are extensions of the user. The way users interact with their personal data mirrors the way they want to interact with corporate data.”

Key Report Findings:

  • Reliance on mobile devices is already significant and accelerating rapidly; the emerging mobile environment is both diverse and freewheeling
  • IT is becoming increasingly consumerized as evidenced by the fact that 63 percent of devices on the network are also used for personal activities.
  • Lost and stolen mobile devices are seen as the greatest security concern for IT professionals and end-users. Four in 10 organizations have had mobile devices lost or stolen, and half of lost/stolen devices contain business critical data. More than a third of mobile device losses have had a financial impact on the organization, and two-thirds of companies that had mobile devices lost/stolen have increased their device security after this loss.
  • Risky behaviors and weak security postures are commonplace. Although the need for mitigating mobile security risks and threats is acknowledged, fewer than half of device users back up their mobile data more frequently than weekly. Around half of device users keep passwords, PIN codes or credit card details on their mobile devices. One in three users keeps sensitive work-related information on their mobile devices.
  • There is a serious disconnect between policy and reality: 95 percent of organizations have policies in place in regard to mobile devices.
  • Mobile devices are being used by much of the workforce, over extended periods of time, for a significant percentage of tasks previously conducted on desktops.
  • On average, employees use mobile devices for work purposes between 2 and 4.5 hours a day. On average, use of laptops was 4.5 hours per day.

Mobile devices are used in a wide range of job functions

  • Business executives using them most – 56%
  • Sales and others in the mobile workforce – 47%

Mobile phone usage

  • Email – 93%
  • Contacts – 77%
  • Web access – 75%
  • Calendaring – 72%

Four different types of mobile devices are used by at least one-third of employees for both professional and personal use:

  • Laptops – 72%
  • Smartphones – 48%
  • Removable media, including USBs – 46%
  • External hard drive – 33%

Almost Half of Users Keep Sensitive Data on Mobile Devices

Type of information stored on the device                                   Passwords/PIN codes   Credit card details
Professional & personal information & data                                 23%                   19%
Only professional information & data                                       11%                    7%
Only personal information & data                                           17%                   15%
I do not use, store or send this information or data using mobile devices  49%                   58%

Recommendations for Businesses

  • Mobility is ushering a new computing paradigm into the workplace. With devices eclipsing PCs and virtually every business application being device-ready, mobile computing offers an opportunity to make workers more productive, competitive, and happy. Mobility done right is a major competitive advantage in the workplace.
  • Consumerization of IT is here to stay. Many smart companies are allowing, encouraging, and in some cases providing a stipend for, employee-owned technology at work. Businesses need to find ways to enable, secure, and manage employee-owned technology in an optimal way to drive cost savings.
  • Users are changing the way they think about policies. Because employee-owned devices are artifacts of the more entrepreneurial employee-employer relationship, organizations need to apply policies in a nuanced, risk-based way that depends on the industry, the role, and the situational context.
  • Data loss and leakage are of utmost concern to individuals and enterprises, and there is no silver bullet. Classify data, even at a high level, and apply data leakage processes and mechanisms in order to protect corporate data while respecting users’ privacy.
  • User awareness about mobile threats is still nascent. Apply security and management paradigms from laptops and desktops to mobile devices. Educate users about the risks and threats through employee agreements and training. “Businesses must find ways to protect corporate data, and call it back when an employee leaves, while ensuring the privacy of the employee,” says David Goldschlag, vice president of Mobility for McAfee. “Employees are no longer lifelong members of the organization, but rather consumers, who often change jobs every few years. When they do, they come with a kit of stuff, but once they leave, they need to give you back the data that belongs to the company. Businesses need a way to facilitate that process while respecting the ‘kit’ that the employee brings to the company.”

Recommendations for Mobile Users

  • You are part of a computing sea of change. With devices eclipsing PCs, and virtually every app device-ready, mobile computing offers you an opportunity to be entertained, informed and connected wherever you are. Use this to your advantage to be more productive on the go.
  • Driven by users’ desire for device choice and employers’ need for cost savings, individuals are increasingly bringing their own devices to work. Take advantage of your employers’ program and use your technology to be more nimble in your work.
  • Familiarize yourself with your employer’s mobile device policy and the intent behind it, and decide whether it fits your needs. If so, accept the policy and move on; if not, use two devices, one for personal use and one for work.
  • Take steps to secure your device. Install anti-theft technology, and back up your data. Configure your device to auto-lock after a period of time. Don’t store data you can’t afford to lose or have others access on an insecure device.
  • Be aware of mobile device threats. In many ways, they are the same as in the online world. You can be hacked, infected, or phished on a mobile device just as easily (and often more easily) as you can online.

The McAfee White Paper can be found here http://www.mcafee.com/us/about/news/2011/q2/20110523-01.aspx


25% of Mobile Network Operators are not PCI DSS Compliant

Vesta Corporation conducted a survey of Mobile Network Operators (MNOs) in the USA and Europe and discovered that over a quarter of them were not compliant with the Payment Card Industry Data Security Standard (PCI DSS).

Of equal concern are the 35% who did not know of the potential financial penalties they could face in the event of an Account Data Compromise (data breach).

Key findings of the survey

  • 25% of respondents are not currently PCI DSS compliant.
  • 35% of respondents were unaware of the potential penalties for non-compliance.
  • The average cost of initial PCI DSS compliance was approximately $700,000 USD.
  • Over 50% were spending over $1,390,000 USD annually on PCI compliance maintenance costs.
  • 69% of respondents stated that more than three people in their organization work full time on maintaining PCI compliance.
  • 56% felt that the greatest impact of a security lapse or data breach to their business would be a loss of customer confidence.
  • Over a third of these maintain an internal security group for PCI compliance.
  • Under a quarter of respondents maintain PCI DSS via cross functional teams that receive direction on a group level with local implementation.
  • All respondents regard the touchpoints of live agent, Web and retail as very important to the success of their organization’s PCI compliance.
  • The areas of highest concern mentioned by the operators included ensuring applications and systems are compliant; network monitoring and scanning; and vulnerability management.

“The survey shows that there is clearly room for improvement by the mobile operator community in addressing PCI DSS compliance, and it is critical that operators not yet compliant take appropriate measures to ensure the security of their customer’s sensitive cardholder data,” said Joshua Rush, VP Marketing at Vesta. “However, compliance should not be viewed as a mandatory demand by the card associations but as a competitive sales and marketing differentiator at a time where data security is of paramount concern to subscribers.”

The white paper can be downloaded here.

For more information on PCI DSS visit the PCI resources page here.


PCI Compliance Risks for Small Merchants and where they are failing


Trustwave have released a supplement to their 2011 Global Security Report, Payment Card Trends and Risks for Small Merchants.

According to the report, merchants fail to achieve PCI DSS compliance in several areas, with the top six being:

99.2%   Track / Monitor Network Access
98.4%   Regularly Test Security
97.5%   Maintain a Firewall
95.1%   Maintain Internal Security Policies
92.6%   Assign Unique User Ids
90.9%   Develop Secure Systems and Applications

The report states, “approximately 90% of compromises came from the Level 4 merchant space in 2010.” PCI DSS categorises a Level 4 merchant as a business that processes fewer than 20,000 Visa e-commerce transactions annually, or any other merchant processing up to 1 million Visa transactions annually.

The top 5 Industry Sectors that experience a PCI DSS compromise are:

57.0%   Food and Beverage
18.0%   Retail
10.0%   Hospitality
6.0%   Government
6.0%   Financial

Breaches occur in five specific areas, with the majority occurring because of weaknesses in software:

75.0%   Software POS
11.0%   Employee Workstation
9.0%   e-commerce
3.0%   Payment Processing
2.0%   ATM

The report lists the top five areas where merchants are falling short of compliance as:

  1. Do you have written security policies and procedures that address the protection of paper with credit card numbers such as receipts and the physical security of your card processing device?
  2. Do you have a formal training program for all relevant employees that teaches them about security as it relates to credit cards, paper with credit card numbers on them and the devices that process credit card transactions?
  3. Do you or does anyone at your business log or record your customers’ credit card numbers in a computer, for example, in a back office computer, a laptop or financial application?
  4. Do you check your store or office for unauthorized wireless access points on at least a quarterly basis?
  5. Do you perform external (Internet) network vulnerability scans at least once per quarter?

Cost of non-compliance

Trustwave’s Report states “Fines have averaged $5,000 to $15,000 per card brand. We see forensic investigations start in the $10,000 to $15,000 range as well. Card re-issuance and fraud loss are dependent on the size of the breach. However, fines can vary greatly depending on a number of factors and can reach into the hundreds of thousands of dollars in some cases”.

Trustwave www.trustwave.com

See the PCI Resources page for more details on PCI DSS.


Call Centre Security and PCI Compliance


Credit card data is the crown jewels for hackers and the financial lifeblood of many companies. An Account Data Compromise, also known as a breach, can lead to bad press and a bad reputation; you only need to Google Play.com or Lush to see the impact.

With the 18th March 2011 launch of the PCI Council’s “Protecting Telephone Based Payment Card Data” guidance for call centres, it is worth noting that, according to research from Connected World, 36.7% of contact centres claimed to be fully compliant with the Payment Card Industry Data Security Standard (PCI DSS).

However, the majority (89%) admitted to not understanding PCI DSS, its requirements or its penalties.

There are many business and regulatory requirements that impact call centres, especially the recording of telephone calls, for example, in the United Kingdom, the Financial Services Act.

The act of recording a call can break the rules of PCI DSS, as most calls will involve the recording of ALL the data, including CAV2, CVC2, CVV2 or CID, which should never be recorded. Storing the PAN and expiry date is acceptable so long as the data is encrypted and the merchant has acted on all the questions within SAQ D, or undertaken a formal audit if they are a Level 1 merchant.

The number one piece of advice for Call Recording is DO NOT DO IT unless you really have to.

However, the recording of calls and the storing of credit card data in an encrypted format are only small parts of the issue facing call centres.

By considering the following points and reviewing the documents on the PCI Resource page you can go a long way towards achieving a PCI compliant call centre.
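The distinction above, between data a call centre may retain (the PAN and expiry date, encrypted) and data it must never keep (CAV2/CVC2/CVV2/CID), can be checked mechanically against a call transcript. The following is an added example written for this post, not code from the PCI Council or from any vendor named here: it scans a constructed transcript, validates any 13 to 19 digit run with the Luhn checksum so that order references are not mistaken for card numbers, masks a real PAN to its first six and last four digits, and removes outright the value spoken after a “security code” prompt. The transcript, the prompt wording and the regular expressions are assumptions for illustration.

```python
import re

# Constructed sample of a call-recording transcript. The card number is the
# well-known test PAN 4111 1111 1111 1111 (it passes the Luhn check); the
# expiry, security code and order reference are invented for this example.
SAMPLE_TRANSCRIPT = [
    "Agent: Can I take the long number on the front of the card?",
    "Caller: It's 4111 1111 1111 1111.",
    "Agent: And the expiry date?",
    "Caller: 09/27.",
    "Agent: Finally the three-digit security code on the back?",
    "Caller: 737.",
    "Agent: Thanks, your order reference is 1234567890123.",
]

# 13 to 19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# A 3- or 4-digit value, as spoken in reply to a security-code prompt.
SECURITY_CODE = re.compile(r"\b\d{3,4}\b")


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the first six and last four digits, the most PCI DSS allows to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_transcript(lines):
    """Scan transcript lines for a PAN and a security code.

    Returns (redacted_lines, findings). Each finding is (line_number, kind),
    where kind is "PAN" or "CVV2". The PAN is masked (it may be retained,
    encrypted, under PCI DSS); the security code is removed entirely, since
    sensitive authentication data must never be stored after authorisation.
    """
    redacted, findings = [], []
    expect_code = False
    for number, line in enumerate(lines, start=1):
        out = line
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if luhn_valid(digits):          # skips order references and the like
                findings.append((number, "PAN"))
                out = out.replace(match.group(0), mask_pan(digits))
        if expect_code and SECURITY_CODE.search(out):
            findings.append((number, "CVV2"))
            out = SECURITY_CODE.sub("[REDACTED]", out)
        # The caller's answer on the next line is treated as the security code.
        expect_code = "security code" in line.lower()
        redacted.append(out)
    return redacted, findings


if __name__ == "__main__":
    cleaned, found = redact_transcript(SAMPLE_TRANSCRIPT)
    for number, kind in found:
        print(f"line {number}: {kind} found and redacted")
    print("\n".join(cleaned))
```

Run against a batch of transcripts, the findings list is the useful output: any “CVV2” hit means a recording held data that PCI DSS does not permit to be stored at all, whereas a “PAN” hit only tells you the recording falls within scope and must be encrypted or masked.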

  • Employee vetting is the first step in ensuring a secure call centre.
  • There needs to be a formal employee induction programme where employees learn about the company’s policies (rules) and the ramifications of breaching them.
  • Specifically, there needs to be a documented policy on how employees handle calls and the data resulting from those calls, especially credit card data.
  • The merchant needs to communicate the policy to all employees that have access to credit card data.
  • Do employees regularly receive training on the policy and its importance? They should.
  • Are employees made aware of their IT security responsibilities?
  • Security awareness training needs to be provided, for example, how to deal with the threat of computer viruses, how to report suspicious activity, etc.
  • Security awareness has to be promoted, for example, on posters and in newsletters.
  • Do supervisors/managers enforce a clear desk policy? For example, no MP3 players, no note pads or any other means of recording information.
  • Access to photocopiers and scanners needs to be restricted.
  • Restricting physical access to the call centre should be considered.
  • Call centres should be restricted to employees only, and visitors need to be escorted.
  • All paperwork leaving the call centre should be shredded to avoid the unnecessary risk of Personally Identifiable Information (PII) finding its way into the public domain.
  • Consideration should be given to CCTV.
  • Do all employees have unique logon identities?
  • Are strong passwords enforced?
  • Are password changes enforced every 30 days or less?
  • Are passwords significantly different after every change? For example, not simply adding a 1 or a 2 to the end of the previous password.
  • Home and remote workers need to have local security installed, for example, personal firewalls and anti-virus.
  • Do systems and servers that store credit card data, for example, CRMs and databases, have access restricted on a need-to-know basis?
  • Are logs taken and stored for systems and networks where card data is stored?
  • Are the merchant’s network and the systems attached to it adequately protected against viruses, hackers and other threats?
  • Are these systems regularly scanned and patched for vulnerabilities? PCI DSS requires that all systems and networks within the scope of the card data environment be scanned by an Approved Scanning Vendor at least quarterly.
  • Is the merchant’s security regularly tested? For example, by having penetration tests.
  • Does the merchant have a plan for how to deal with a breach, and is this plan tested? This is often called an Incident Response Plan and can be tuned to deal with all types of breaches, for example, the Epsilon email breach.
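The password items in the list above (and the consumer advice earlier on this page about choosing passwords) are easy to state and easy to get wrong in an enforcement tool: a rule that only demands “a new password” accepts “Summer2011” followed by “Summer2012”. The following is an added example, not code from this post or from any product it mentions, showing one way to implement the “significantly different after every change” rule: trailing digits are stripped before comparison so that incrementing a number is treated as no change, and a similarity ratio from Python’s standard library catches the one-character-appended case. The 60% similarity threshold and the sample passwords are assumptions.

```python
import re
from difflib import SequenceMatcher

# Threshold is an assumption for this example: a new password that shares more
# than 60% of its characters, in order, with the old one is treated as a
# trivial change (e.g. one character appended).
MAX_SIMILARITY = 0.6


def strip_trailing_digits(password: str) -> str:
    """'Summer2011' -> 'summer', so that 'Summer2011' and 'Summer2012' compare equal."""
    return re.sub(r"\d+$", "", password).lower()


def similarity(a: str, b: str) -> float:
    """Share of characters the two strings have in common, in order: 0.0 to 1.0."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()


def is_significant_change(old: str, new: str) -> bool:
    """True only if the new password is materially different from the old one."""
    if new.lower() == old.lower():
        return False
    if strip_trailing_digits(old) == strip_trailing_digits(new):
        return False                      # only the trailing number changed
    return similarity(old, new) <= MAX_SIMILARITY


def first_conflict(history, new: str) -> int:
    """Index of the first password in history the new one is too close to, or -1."""
    for i, old in enumerate(history):
        if not is_significant_change(old, new):
            return i
    return -1


if __name__ == "__main__":
    # Constructed examples; none of these are real passwords.
    previous = ["Winter!2010", "Winter!2011"]
    for candidate in ["Winter!2012", "Winter!2011x", "Xk9#plateau"]:
        verdict = "rejected" if first_conflict(previous, candidate) >= 0 else "accepted"
        print(f"{candidate}: {verdict}")
```

In a real deployment the history would hold password hashes rather than plaintext, which rules out the similarity comparison against older entries; the practical compromise is to compare the new password only against the current one, which the user has just supplied to authenticate the change, and to rely on hash comparison for the rest of the history.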

In summary, PCI DSS is not the only area of compliance affecting the call centre, but PCI DSS does help focus the business on what security, processes and procedures are required to achieve best practice.


CyberSource Brings World’s Largest Fraud Detection Radar to Online Merchants

CyberSource, a Visa company (NYSE: V), today announced availability of the world’s largest real-time fraud detection radar, empowering online merchants to pinpoint fraud faster, more accurately, and with less manual intervention.

This advance enables merchants to conduct more accurate analyses of their inbound orders, including comparison of those orders to the over 60 billion transactions Visa and CyberSource process annually, including orders that were confirmed to be fraudulent.

Data insight derives from transactions across multiple payment types and from merchants worldwide, spanning online, call center, mobile and POS sales channels. The transaction data is supplemented by 200 validation and correlation tests. This solution effectively expands the depth and breadth of transaction pattern visibility.

The new development comes at an opportune time.

  • eCommerce merchants say fraud became more sophisticated and harder to detect in 2010, and this challenge is likely to grow. Download the CyberSource 2011 Fraud Report here.
  • 90% of online thieves are now associated with organized crime. Details of fraud patterns can be found here.
  • “Botnet” infections are growing at a rate of approximately 200,000 per day. Download the “10 Botnet Questions” white paper here.

The ability to accurately detect fraud in such a sophisticated criminal environment requires correlating vast amounts of information to detect subtle anomalies.

“Data is the lifeblood of fraud detection,” said Michael Walsh, CyberSource President and CEO. “When Visa acquired CyberSource, one of the stated goals was to deliver a new level of fraud prevention to online merchants, enabled by our end-to-end view of electronic transactions, worldwide. We are now delivering exactly that.”

Read the full PRnewswire press release here

Benefits of PCI Compliance – direct and indirect


Many merchants see the Payment Card Industry Data Security Standard (PCI DSS) as an expense they could do without.

The counter argument is that most businesses would struggle if nothing was done to tackle credit card fraud, because the credit card companies would need to charge merchants a higher transaction rate to cover their losses.

So, what other reasons could there be for becoming PCI Compliant? 

The answer very much depends on your business type and the loyalty of your customers and prospective customers. 

Some very good reasons for becoming PCI compliant are listed below.

Continue reading “Benefits of PCI Compliance – direct and indirect”
