Search

Brian Pennington

A blog about Cyber Security & Compliance

Tag

Credit Card

Merchant sues VISA. Biting the hand that feeds you?

I know that if there were no merchants there would be no credit card companies and I know that the “alternative” payments market is growing, such as PayPal and V.me, but at this time it is fair to say that consumers still favour credit cards when it comes to online payments.

This is why when I read about a merchant suing a credit card company I was surprised. Not surprised that VISA had fined a merchant, not surprised that a merchant was upset at being fined but surprised it had got to court because that means normal reasonable commercial communication channels had failed.

On the 7th March Sports retailer Genesco filed a lawsuit against Visa to recover nearly $13.3 million in fines that the credit card company issued in January 2013 following a breach of the retailer’s systems.

The lawsuit argues that

  • Visa is not allowed to require other companies to pay penalties citing Visa’s own operating regulations and California law.
  • That Genesco was never out of compliance with PCI DSS regulations, and so it should not have been fined.

In December 2010 Genesco confirmed that a breach had happened within its credit card processing environment and speculation at the time was the hackers used a packet sniffer to siphon card data as it passed through the network.

The initial VISA fines of $5,000 via each of Genesco’s two banks was issued in June 2011 which is a standard charge and depending on your location will be 5,000 of the local currency for example, $5,000, €5,000 or £5,000.

Irrespective of the currency 5,000 is nothing more than a formal acknowledgement that the merchant is non-compliant to PCI DSS or was at the time.

If a merchant has never successfully completed an Audit or Self Assessment Questionnaire (SAQ) then they are non-compliant, bearing in mind that the standards were issued almost 8 years ago I think it is about time they were compliant.

However, in the case of a merchant who was successfully audited but then had a breach or failed to maintain the standard it is not so black and white.

Merchant who suffers a Data Breach

A PCI DSS compliant merchant who has a data breach is normally discovered by clever algorithms used by the card schemes, which based on fraudulent activity find the centre of the breach. Once the merchant at the centre of the breach is established they are required to undertake data forensics by an approved forensic company who using extensive skills and tools will establish how the credit card data was stolen for example via packet sniffing. The forensic report is shared between the affected parties, the merchant, the bank and the credit card companies.

The results of the forensic investigation may or may not show that the merchant had or had not been compliant to the standard at the time of the breach. It is reasonable to assume that the bad guys installed software or broke into Genesco and almost all scenarios for such a break in are covered by the PCI DSS and therefore the company could not have been taking adequate steps and was by definition not adhering to the requirements of the standard which means they were not compliant.

Merchant who fails to maintain the standard

It is very difficult to find a merchant who has failed to maintain the required standards unless

  • There is a breach
  • There is a whistle blower
  • A customer or someone similar notices practise that do not appear secure

At this point the merchant will be required to prove there are still abiding by the standard which may take the form of a forensics investigation, an audit, a letter from their QSA or a letter from their directors.

The non-compliance fine is not the biggest problem for Genesco it is the $13.3 million fine levied by VISA via Genesco’s two banks (Wells Fargo $12 million and Fifth Third $1.3million) for the costs incurred by VISA whilst resolving the breach e.g. credit card replacement, fraud cover, etc.

Visa’s imposition of the (fines) is a violation of Visa’s contract (with the banks), because at the time of the intrusion and all other relevant times, Genesco was in compliance with the PCI-DSS requirements,” the lawsuit stated. It added later,

“Visa does not even pretend that the Non-Compliance Fines represent actual damages that Visa incurred by reason of the Acquiring Banks‘ alleged failure to cause Genesco to maintain compliance with the PCI-DSS requirements”

The interesting thing for me is the nature of the way Merchants use VISA, MasterCard and the other credit card providers. The credit card company provides the facilities for the merchant’s (retailer) customers to buy from them in a secure and efficient way. They pay a percentage of the transaction to cover the costs (and profits) of the credit card companies and this percentage is agreed in a contract. The same commercial contract that agrees the other terms and conditions including the security required to perform the transaction.

To avoid confusion and rogue traders the credit card companies created the Payment Card Industry Security Standards Council who took the best security practises from the five credit card company members to create the Data Security Standard (PCI DSS).

This standard is an extension of the contract as will be the agreements for fees.

However because the cost of a data breach could never be known until it has occurred it is impossible to quantify the cost of a breach in a contract which is where I do have a great deal of sympathy for merchants because they are agreeing to fines but have no idea how much it is going to be or could be.

I remember in a meeting with several of the card companies and the discussion centred on repeat offenders i.e. merchants who kept being breached or who refused to become compliant to PCI DSS and whilst fines were mentioned it was agreed merchants might be tempted to absorb small fines if it was cheaper than achieving the required security standards and then the ultimate sanction was raised… STOPPING THEM FROM TAKING CREDIT CARD PAYMENTS.

What a sanction that is, because for almost all e-commerce business and most consumer driven business that would mean going out of business in a matter of weeks or possibly months.

As a consumer all I care about is being safe from the costs of the fraudulent activity against my stolen credit card but increasingly we as consumers are worried about the threat to our identity and expect when credit card details are leaked to be covered for all identity based threats resulting from the possible loss of data which increases the cost to the breached company, possibly via the credit card company.

I have a huge amount of sympathy for Genesco and every other merchant affected by a breach because they do not know what the possible cost to them will be. They cannot take out cyber-insurance against a specific amount “just in case”, they have to hope that the loss to the credit card company is not too great.

That is not a great way for a merchant to mitigate its risk and that cannot benefit the card companies who want prosperous and secure merchant to help them grow their profits.

The solution is simple, the credit card companies have to introduce and publish a schedule of fines from which a merchant can calculate their risk.

If a merchant knows, based on their transaction rate, that they could be liable for fines of $13.3 million then they can invest greater resources into breach prevention or seek to undertake insurance against the cost of a breach either way they can make an informed risk assessment.

Similarly if merchants who have not yet completed their PCI DSS compliance process know they could be fined for non-compliance PLUS X or Y for a breach they can will very quickly run a risk assessment.

let’s hope a result of this action is a clearer picture on fines because clarity in business and risk is essential.

.

How the British have changed the way they spend their money over the last decade

The UK Payments Council has published its latest report, The Way We Pay, and brings together all the significant trends over the past decade. It shows how many cash payments are continuing to migrate to debit card, how the debit card has won the day for now, but also how it’s possible to see the end of the road for plastic as the mobile phone could take over our payments arsenal. 

Executive Summary

Getting Paid

  • The shift from cash is gathering pace as firms, the state, and pension funds increasingly eliminate cash and cheques from their payments to individuals
  • Now only 9% of adults do not have a current account, and only 4% have no sort of account at all. Use of branches has declined sharply but having an account is the key to accessing all the modern ways to pay

Spending it

  • Cash still makes up the largest proportion of our daily one-off transactions – three in five of our purchases – but they are very small in value
  • Just ten years ago, three quarters of our shop purchases used cash. Now just over half do
  • Debit cards are quickly taking over in the lower value transaction
  • Contactless payment is poised to become ever more popular, and will push even more transactions onto plastic
  • We use our credit cards for bigger purchases than debit cards, and we use them less than we used to
  • Cheques are very niche nowadays with usage halving every five years, but remain popular with some groups of people and some organisations. Effectively gone from the high street, we mainly use them for financial transactions
  • Supermarkets now account for over half of our retail spending, up from 46% in 2001 as they have added more and more products and opened stores rapidly
  • Entertainment spending is the big winner. The economy may be gloomy, but we are spending more having fun, and doing more of it on plastic
  • Spending abroad doubled in a decade

Regular Payments

  • Automatic payments (like Direct Debit) are now over three quarters of our regular commitments – up from half in 2001
  • Housing costs have escalated, whether you own or rent
  • Charities have shown great success in a decade of recruiting Direct Debit commitments
  • Flashing less cash, but plastic may quickly lose its place in the sun to more innovative forms of payment, like mobile payments
  • Number of cash machines doubles in decade, as people abandon the bank queue for the hole-in-the-wall
  • But cash is becoming less important to us, particularly by value
  • By value debit cards overtook cash in 2010, even before contactless took off
  • Debit card holding is now 90%, up from 84% in 2001
  • In 2001 debit card spending caught up with credit cards, but now far exceeds them
  • Credit cards matured in the 2000s, and card holding even declined

How businesses do it

  • 98% of businesses are small, with fewer than 20 employees, so the payment needs of firms vary enormously according to their size and complexity
  • Cheque usage is still popular with the smallest firms, but even so, cheque usage by business continues to fall sharply
  • The smallest firms bank more like consumers, and often even use personal accounts
  • Use of Direct Debit among businesses lags behind consumer use. Businesses prefer the flexibility on the timing of payments

The future

  • The use of contactless debit cards is set to increase. Many chains of stores already have point-of-sale devices to accept them, with more retailers planning to come on stream, this will continue to increase consumer awareness
  • The debit card may have had its day. New technology means payment chips are now being embedded in phones, with more innovation to come
  • New entrants may also appear. Smartphones are capable of scanning barcodes, a system which could easily be designed to take a payment from an account at a point-of-sale
  • Paying a friend or business on your mobile as easily as sending a text is set to become a mainstream option in spring 2014, when the Payments Council launches the new mobile payments service. The service will be the first to link up every bank account in the country with a mobile number
  • In future, the wallet may be obsolete altogether as more payments become electronic and our phones become the hub of our financial transactions

Summarised details from the report

Debit cards are currently making gains in sectors previously dominated by cash and are likely to take a greater share as contactless cards reach mass adoption.

  • 28% of our spontaneous transactions are made on a debit card (a rise of 59% over the last five years), with the average transaction size at £42 and falling
  • 56% debit card purchases are between £10 and £50
  • 91% of all our one-off cash transactions were under £25
  • the contactless payment limit of £20 would allow many cash payments to potentially migrate onto cards. Debit card holding is widespread across all ages and socio-economic groups.

The triumph of the debit card, but has it passed its peak?

The arrival of the debit card in the 1980s, which was billed as the consumers’ alternative to the cheque, also provided customers with an alternative to the credit card. 84% of adults had a debit card in 2001, but they were less widely accepted, and many people still preferred cheques and cash. Spending was still just higher on credit cards (£93 billion) than debit cards (£77 billion) at the turn of the century. The balance tipped in favour of debit cards in 2001. As businesses like pubs, dentists and hairdressers began to accept the cards, thanks partly to the introduction of chip and PIN and to the rapid roll out of hand held point-of-sale devices, usage and card holding took off and the dominance of the debit card was secured.

Credit cards, by contrast, are more commonly used by people drawing higher incomes or in higher social classes. This reflects the fact that they are more able to access credit and pass credit scoring criteria. They also have greater spending power and appetite to accumulate rewards such as Air Miles and cashback through their credit cards. Credit cards account for one in twelve of our spontaneous payments with an average value of £56 per transaction.

Cheques account for just 1% of spontaneous transactions, but have an average value of £375, as they are more likely to be used for high value payments such as financial transfers (see section on cheques for more detail). There is now a quite narrow demographic profile for cheque usage which reflects its diminishing status as a mass payment method. Cheques tend to be favoured by older people who are used to paying that way, the self-employed and families with children who have to pay for childcare and children’s activities.

Between 2005 and 2011 the total value of plastic card spending increased by £179 billion. 91% of this growth was attributable to debit cards. In 2011, debit card spending in the UK amounted to £334 billion from 7.3 billion transactions. This was approximately two and half times the amount spent on credit cards of £140 billion from 2.1 billion transactions. This represented an increase of 252% on the corresponding amount spent in the year 2001, making this rate of growth three times higher than that recorded for consumer spending over the decade to 2011. In the next decade debit card spending in the UK could close to double – as we forecast £664 billion from 14 billion transactions, with credit card spending projected to be £204 billion from 3.1 billion transactions.

Debit card holding is much more widely spread across the social spectrum than credit cards, with 90% ownership across the adult population in 2011. 98% of AB adults held a debit card compared to 57% of E adults in 2011. For credit cards the figure is 77% v 26% respectively. The wide issuance of debit cards has positive social consequences as it means lower income consumers are able to access the world of e-commerce.

Without the mass adoption of cards the e-commerce industry could never have developed, and self-service in shops and filling stations would be non-existent.

In 2001 online purchases took just 3.3p in every £1 spent on a card. By 2011, that had risen almost quadrupling to 12.8p in every £1, and the total continues to grow.

Contactless functionality means debit cards can continue to take a greater share of our spending, but in the longer term, the future of the piece of plastic could be impacted by the arrival of mobile payments. The huge success of the debit card has opened the door to new technologies that could even lead to its own demise, or at least heavily impact its use. In the next few years, if card technology gets incorporated into mobile payments, it could become possible to use the physical phone to make a debit card type payment instead of the physical card in a shop and if this happens the debit card as we know it today could become a thing of the past. reach maturity

The demise of the debit cards is still some way off, as despite having saturated the market, the use of debit cards will continue to grow for the time being. By contrast, the credit card market has already matured and usage has been subdued since 2009. Credit card issuance grew very strongly in the 1990s and 2000s as credit was more easily available.

Credit cards are a very useful tool in our payments arsenal, but they are not the payments of choice for a lot of our day-to-day purchases. They are most useful where a large expense needs to be spread over a longer period, or for the protection offered under section 75 of the Consumer Credit Act 1974, or indeed because a credit card is ring-fenced away from a current account.

Rapid growth in consumer borrowing and the increase in credit card usage in the early 2000s meant that 69.9 million credit cards were in issue by 2005, along with 4.7 million charge cards. Two thirds of adults held a credit card. During the recession a greater focus on the need to borrow and lend responsibly saw consumer attitudes to credit card use change. By 2011, there were 15.4 million fewer credit cards in our wallets, compared to 2005.

Spending on credit cards has increased by just 7.7%, which was well below the cumulative rate of inflation over the period. Last year we spent £140 billion and made 2.1 billion purchases in the UK. During the recession, repayments increased and in 2011 around 60% of cardholders paid off their balance in full each month, up from 54% in 2003.

In terms of business-to-business payments, the trends stay true. Last year, spending on credit cards fell and cardholding was also down by 2.7% compared to 2010, resulting in a total of 1.9 million cards. Interestingly it is larger businesses that are most likely to use credit or charge cards, whereas smaller businesses use debit cards.

The final piece of the cards puzzle is the continued expansion in the usage of prepaid cards. They are already ubiquitous in replacing gift vouchers, but more sophisticated versions are available for example for business-to person disbursements such as payments under reward, loyalty and incentive schemes. The insurance sector is also starting to issue prepaid cards to claimants, for use in a specific retail sector to cover a claim. Another area where these cards are starting to forge ahead is in the travel industry. They seem to have become a more attractive proposition compared with traveller’s cheques as they can be used directly in shops or to withdraw cash, as well as offering competitive rates for fees and charges when used abroad. However, though this market continues to expand, it is still at a slower rate than in 2009. Ultimately it is hard to imagine prepaid cards developing beyond a small niche.

How will we pay for it in the future?

Contactless payment technology began in the UK in 2007, but those living in and around London would have been familiar with the principle, having had the contactless Oyster card since 2003 for using public transport. The London Olympics used its venues as a testing ground for contactless cards. In 2011, all the major UK card schemes (American Express, MasterCard and Visa) began processing contactless payments. By December 2011, six major UK issuers were issuing cards with contactless functionality and the number of these cards reached 23 million, an increase of 75% from the end of 2010. Adoption is still slow however, as retailers and consumers are yet to embrace the changes in a big way. This will change, but first requires more retailers to roll-out more terminals, and for banks to issue more cards.

Ironically contactless technology may eventually contribute to us becoming less reliant on a physical piece of plastic, as it can be incorporated into a mobile phone or any other popular item, rendering it a payment tool. Only ten years ago paying for items on your mobile was unthinkable, but now one wonders why it’s not here in a bigger way already. The increasing demand for convenience and accessibility, along with the rising penetration of smartphones has driven the growth in mobile payment. The bold prediction made by PayPal that by 2016 people will no longer need to take a wallet with them shopping may be premature but nevertheless at some point we may be leaving the house just asking ourselves ‘keys, phone?’ KPMG expect mobile payments to be mainstream within the next 2-4 years, while Visa, which recently released its digital wallet V.me in November 2012, expects half of all payments to be made through mobile devices by 2020.

New entrants are muscling in to help us pay in shops. Google Wallet which launched in the US last year has already agreed deals with 25 national retailers to support the system through MasterCard’s PayPass programme. Google’s rival, Apple has yet to launch a competing system, but with such a huge, loyal customer base, well used to making many small transactions through iTunes all the time, it will surely not be far off. Microsoft has already announced that there will be a wallet feature on the Windows Mobile 8 operating system. Three of the big telecoms operators, Verizon, T-Mobile and AT&T are developing a service known as Iris.

For tradesmen on the move, new hardware is also on the market. Payment method Square, a mobile app and phone attachment which serves as its own cash register, has been created by one of the founders of Twitter and is in use in the US. This sort of kit will reduce the reliance among mobile tradesmen on cash and cheques. O2 UK also launched a new service that enables retailers to accept card payments on a smartphone or tablet by using a special keypad that connects via Bluetooth. A free app then manages the card transaction and sends a receipt.

For moving our money around, Barclays already offers a mobile payment service (Pingit). Anyone with a mobile phone can sign up with Barclays to receive payments though Pingit, but only Barclay’s customers can send payments. A similar service has also been launched by phone provider O2, with customers able to transfer up to £500 via text message. Similarly, PayPal has also recently launched an app in the UK that allows users to pay for items with their mobile phones across a number.

In addition to all these competitive offerings in the collaborative space, the Payments Council is developing the industry-wide, central service that will make it possible to send or receive a payment using just a mobile number, no matter who you bank with. The new service could be a handy way to split a bill for dinner or pay a tradesman without needing to know their account details. Payments made using the service will be protected by a passcode or similar security feature, and arrive almost instantly.

Internationally, consumers have been quicker to take it up mobile payments in Asia than in the West. In France McDonalds is currently testing mobile payments method arranged with PayPal. With over 30,000 restaurants worldwide, a McDonald’s deal would represent a larger business and cultural footprint for PayPal than perhaps any other mobile payment system in operation. In Africa payments technology is leapfrogging the developed world. Starting with few branch networks, fixed line telecoms and low card or bank account holding, banking is going straight to consumers’ mobiles. Since 2007, Kenya has been using a system called M-Pesa which allows mobile money transfer through a text message, with over 50% of the population already using this service. The Payments Council’s mobile payments database will make payment by mobile a possibility for the UK too, but it will be developed using existing payment systems, such as the Faster Payments Service or the Link network.

Worldwide the UK presents a key growth area in the uptake of mobile payment. Businesses should be planning now or risk falling behind consumer demand. From a consumer perspective in terms of making purchases using our phones, the amount of devices and potential new options, on offer at the moment can be confusing as people still grapple with all the commercial developments. Whilst the future may be unclear, it is exciting, and it will bring convenience and choice far greater than we have known until now. Ultimately only a handful of providers and products will create the winning proposition. Undeniably these new technologies will transform the way we manage our finances and the way we pay over the next decade.

Adrian Kamellard, chief executive of the Payments Council, says: “We scarcely notice the steady changes in the way we pay, yet someone in their thirties today will see more change in their lifetime than in the entire history of money. Even recent innovations such as payment via a mobile phone, which ten years ago some felt to be science fiction, will soon be commonplace. The 2000s were the decade of the debit card. The 2010s are likely to be the decade of the mobile phone. Just as we can’t imagine how we ever did without the internet, many people will soon wonder how we used to be so dependent on cash and cheque. Twenty years from now even cards may seem archaic.”

He adds: “The quiet revolution in payments has enabled the creation of whole new industries such as e-shopping, it has changed our behaviour, and it has reduced transaction costs, and increased the speed and efficiency with which we can all pay each other. The next ten years will see even faster change. It’s easy to imagine a future where we merely pat our pockets for our keys and phone. The wallet could become a historical curiosity.”

View the Payments Council Press Release here.

.

Consumers express their opinions of Data Breach Notifications

Ponemon Institute have released an Experian® Data Breach Resolution sponsored survey into what consumer think about Data Breach Notifications, titled 2012 Consumer Study on Data Breach Notifications.

I have made a summary of the survey below.

Consumers in the Ponemon and Experian joint study believe data breach notification is important under certain conditions

  • 85% believe notification about data breach and the loss or theft of their personal information is relevant to them
  • 57% say that they want to be informed only if the organization is certain that they are at risk
  • 58% say that if they remembered the notification it failed to explain all the facts and “sugar coated” the message

The trustworthiness of an organization is linked to the efforts it makes to protect personal information

  • 83% of respondents believe organizations that fail to protect their personal information are untrustworthy
  • 82% believe the privacy and security of their personal information is important

Following a data breach, consumers believe organizations have obligations to provide compensation and protect them from identity theft

  • 63% say organizations should be obligated to compensate data breach victims with cash, their products or services
  • 59% believe a data breach notification means there is a high probability they will become an identity theft victim. As a result, 58% say the organization has an obligation to provide identity protection services and 55% say they should provide credit-monitoring services.

Most consumers recall receiving a form letter and more than one notification

  • 65% of consumers say they have received at least one notification
  • 35% recall receiving at least three In 2005, 91% said they received only one
  • 62% of consumers say the notification was a form letter 19% who say it was a personal letter.

Most consumers do not believe the organizations that sent them notifications did a good job in communicating and handling the data breach

  • 72% of consumers were disappointed in the way the notification was handled
  • 28% say the organization did a good job in communicating and handling the data breach

A key reason for the disappointment is respondents’ belief that the notification did not increase their understanding about the data breach. In fact, since 2005 respondents are more in the dark about what happened with their data.

  • 41% of respondent say their data was most likely stolen
  • 37% say they have no idea what the data breach incident was about
  • This is an increase from 37% in 2005 who said their data was most likely stolen and 28% of consumers who said they had no idea what the data breach incident was about
  • 51% say their customer or consumer information was stolen
  • 21% who say it was their financial information such as credit card/debit card account numbers
  • In 2005 86% said it was their customer or consumer information 10% said it was employee records
  • 44% of consumers do not know the specific data that was lost or stolen which makes it more difficult for them to take steps to protect themselves from further harm. Those who do know say the following were most likely to have been lost or stolen: name, credit card or bank payment information and Social Security number.

Personal data respondents worry most about if lost or stolen

  • 48% Email address
  • 48% Health plan provider account number
  • 48% Taxpayer ID number/Employer ID number
  • 52% Telephone or mobile number
  • 53% Driver’s license number
  • 57% Credit or payment history
  • 65% Credit card or bank payment information
  • 65% Prescriptions
  • 68% Social media accounts/handles
  • 89% Social Security number
  • 92% Password/PIN

Consumers say key facts about the breach are missing in most communications. 67% say the notification did not provide enough details about data breach.

The majority of consumers (51%) would like to have more information about how the organization will protect them to minimize the harm to them and their family. This is consistent with the 2005 study.

How the data breach may affect them and their family decreased significantly from 40% of respondents in 2005 to 24% this year. Identity protection or credit monitoring services and steps to take to protect their personal information were included for the first time in this year’s study and were significantly lower than the first choice about protections to minimize the possible negative consequences of a data breach.

Notification letters are increasingly perceived to be junk mail, according to many consumers

  • 36% say they thought the data breach notification letter looked like junk mail This is an increase from 15% in 2005
  • 34% say it was an important communication, this is a significant decrease from 51% in 2005

If they thought it looked like junk mail

  • 63% of respondents recommend that the notification provide the names of individuals they can contact if they have questions or concerns
  • 54% say the notification should be personalized
  • 50% suggest making a phone call or email alerting them to the notification

Customer loyalty is at risk following notification. In response to being notified by an organization

  • 15% say they will terminate their relationship
  • 39% say they will consider ending the relationship
  • 35% say their relationship and loyalty is dependent upon the organization not having another data breach

Only a small percentage of respondents in both studies do not blame the organization reporting the data breach. Further, respondents’ reactions to a breach have not changed significantly in the past seven years.

As in the previous finding, data breaches diminish customer loyalty and trust and this has not changed much since 2005. The study reveals that 62% say the notification decreased their trust and confidence in the organization Only 30% say it had no affect on their trust and confidence.

Since 2005, data breach notifications have not become easier to understand with 61% of consumers have problems understanding the notification An increase from 52% in 2005.

The biggest improvements that could be made would be to explain the risks or harms that they are most likely to experience as a result of the breach and to disclose all the facts.

The believability of data breach notifications has declined

  • In 2005, 61% say the message was believable
  • This has decreased to 55% in 2012

Scepticism about the content of the notification has increased since 2005. Of the 45% who say it was not believable, 51% say the message did not tell them about the harms or risks they will likely experience. This is an increase from 37% who believed this in 2005. In addition, perceptions that the organization is hiding key facts about the data breach have increased from 37% to 44%,

Respondents are just as worried today as they were in 2005 about the security of their personal information

  • 63% are more worried about the security of their personal information
  • 44% say they have had to spend time resolving problems as a result of the breach
  • Despite concerns about identity theft and other harms, almost half (49%) are doing nothing to protect themselves

Consumers are, however, more cautious about sharing personal information with the organization that had the breach (45%) and 35% are more cautious about sharing information with all organizations.

Ponemon’s Conclusion

Consumers in our study believe the privacy and security of their personal information is important. Organizations that do not provide adequate safeguards are considered untrustworthy. Further, typical responses to a data breach notification are to immediately discontinue the relationship with the organization that had the breach, to consider discontinuing the relationship or to continue the relationship only as long as another breach does not occur.

One of the goals of this research is to determine if consumers’ perceptions about data breach notification have changed since 2005 when we conducted the first study about this topic. Based on the findings, improvements need to be made to both how the notifications are delivered and the information that is communicated to victims of the data breach.

These include

  • Making the notification easier to understand by making it shorter with less legalese
  • Eliminating the perception that the notification is junk mail by providing names that can be contacted if there are questions or concerns, personalizing the message and making a phone call or sending an email in advance of sending the notification
  • Providing specifics about the incident that explain the cause of the breach and the type of data that was lost or stolen so the victim understands what the data breach is all about
  • Assuring the victims that the organization will take steps to protect them from identity theft and other negative consequences

Most of the consumers who responded to the survey cannot recall if they received notification. We conclude that despite their concern about privacy and security, consumers are not paying attention to the notices. They also are not being proactive about preventing identity theft following notification. Instead, they believe it is the obligation of the organization to fully explain the potential harms they are likely to experience and to take steps to reduce the risk of identity theft.

In many instances, when organizations have a data breach the notification process is a matter of sending out a form letter. As shown in this study, communicating the circumstances of the data breach can influence customer loyalty, trustworthiness and reputation. Resources spent on personalizing the message, offering assistance to reduce the likelihood of identity theft and future harms and providing specific information about the incident may help organizations avoid the risk of losing customer trust and loyalty in the aftermath of the data breach.

Read the full report by registering here.

With Breach Notifications to be mandatory in the not so distant future it would be worth reading my review of the proposed European Data Protection Act here.

Last chance to review your PCI readiness before the holiday season

As we enter the busiest period of credit card spending it is probably a good time for a bit of last minute house keeping to ensure your business is meeting the Payment Card Industry Data Security Standard (PCI DSS), or as much of it as you can.

First things first, DO NOT STORE CREDIT CARDS unless you really really have to.

  • If you know you are un-necessarily storing credit cards, delete them and delete them with a deletion tool so there is no way they can come back to haunt you.
  • If you have to retain credit card data make sure they are encrypted and never ever store the CVV/CV2/etc. As a short term fix, to get you through the next couple of weeks encrypt hard drives and put in a plan to have effective credit card encryption and tokenization in place for early 2012. For a better understanding of how tokenization can help you reduce the risks and the scope of PCI DSS download a white paper called  “Eight Ways to Reduce PCI DSS Audit Scope by Tokenizing Cardholder Datahere.
  • Check to see if there are cards being stored that you do not know about. In a recent survey SecurityMetrics found an “8 Percent Increase of Unencrypted Cards”, read the press release here. There are some excellent scanning tools that will scan your network and devices for the existence of credit cards so you can then decide to delete or secure.

You now need to revisit the Payment Card Industry Data Security Standard’s Version 2 to ensure you are meeting as much of the standard as possible. The best place to start is with the PCI DSS Prioritized Approach (find it here). The Prioritized Approach will ensure the efforts you make are directed towards the most important areas with the quickest wins.

The Prioritized approach consists of 6 key milestone and Merchants are advised to start with number 1.

  1. Milestone 1 Remove Sensitive Authentication Data and limit data retention
  2. Milestone 2 Protect the perimeter, internal, and wireless networks
  3. Milestone 3 Secure payment card applications (e.g. PA DSS approved)
  4. Milestone 4 Monitor and control access to your systems
  5. Milestone 5 Protect stored cardholder data
  6. Milestone 6 Finalize remaining compliance efforts, and ensure all controls are in place

Another reason to revisit your PCI DSS posture are revealed in Verizon‘s 2011 Global report which reports that many organisations lose sight of compliance after their initial compliance activity. Some specific findings from the report are below:-

  • 21 % of organizations were fully compliant at the time of their Initial Report on Compliance (IROC)
  • 78% of organisations met all test procedures at the IROC stages
  • 20% of organizations passed less than half of the PCI DSS requirements
  • 60% scored above the 80% mark

The full review of the Verizon report is here.

If you want to look at a range of other documents and guides have a visit to my PCI Resources page here.

Good luck with your Christmas and the New Year business and compliance activities.

.

The U.S. Leads the World in Credit Card Fraud

In the Nilson Report: Global Credit Card Fraud Losses they reveal that the U.S. currently accounts for 47% of global credit and debit card fraud even though it generates only 27% of the total volume of purchases and cash, according to the Nilson report: Global Card Fraud.

Payment card fraud losses totaled $3.56 billion last year in the U.S. from all general purpose and private label, signature and PIN payment cards.

“The U.S. has a disproportionate percentage of the global total losses for two reasons, U.S. banks have been slow to adopt newer technologies such as EMV chip cards, and issuers are reluctant to decline card authorization from merchants because they don’t want to alienate their cardholder,” said David Robertson, publisher of The Nilson Report.

“Competition among U.S. issuers, which has resulted in the average cardholder having four credit cards in their wallet, makes any issuer reluctant to decline an authorization. The consumer will just pull out a competitor’s card,” said Robertson.

Institutions across Europe, Latin America, the Middle East, Africa and Asia have introduced security processes and technologies to reduce fraud for example Chip and PIN.

Global card fraud worldwide as a percentage of total volume has decreased. In 2010, total fraud losses equaled 4.46c per $100 in total volume of purchases and cash, down from 4.71c per $100 in 2009.

Total global fraud losses, at $7.60 billion, however, increased in 2010 by 10.2% compared to the prior year, because the rate of spending is outpacing losses.

The payment card industry is expected to continue to grow sales volume at a faster pace than thieves can compromise the system.

The Nilson Report is a highly respected source of global news and analysis of the credit, debit and prepaid card industry. The subscription newsletter provides in-depth rankings and statistics on the current status of the industry, as well as company, personnel and product updates. Nilson Report Publisher, David Robertson, is a recognized expert in the field, and is a frequent speaker at industry conferences.

.

Big increase in communications fraud

CIFAS, a UK’s Fraud Prevention Service, has reported on frauds recorded by its 260 member organisations during the 9 nine months of 2011.

The report reveals a 34% increase in fraud related to communications products, when compared with the same period in 2010.

CIFAS conclude that some “communications” products, for example smartphones like the iPhone handsets are viewed as essential items rather a luxury items which infers an entitlement to commit fraud.

CIFAS have also seen:

  • 93% increase in impersonation of the victim at their current address, also known as current address fraud
  • 85% increase in the use of completely fictitious
  • 64% surge in identity fraud individuals trying to gain a obtain products or services
  • 20% increase in misuse of facility cases

CIFAS Communications Manager, Richard Hurley, notes:

“The rise in current address fraud alarms because it signifies either that fraudsters are becoming increasingly sophisticated (as it is more difficult to impersonate someone at their address and then try to intercept goods or paperwork), or it demonstrates that friends, family and co-habitees are involved. Allied to the similarly enormous increase in the use of completely false identities, this surely indicates that communications products have become so essential that fraudsters not only obtain goods or handsets to sell on but will also attempt to use any identity in order to avoid becoming liable for bills.”

“nearly 100% of this increase can be accounted for by regular payment fraud, where fraudulent direct debit instructions are given in an attempt to evade the payment of bills. The reality of the situation is that the communications product, device or service has become so embedded in our lives that many of us seem unable to do without them. With sacrifices having to be made by most individuals and households, these figures depressingly indicate that many people feel that, economically, they have no choice but to attempt fraud in order to continue receiving such services.”

CIFAS Notes

  1. CIFAS is the UK’s Fraud Prevention Service, a not for profit Membership organisation with over 260 cross sector Members including banking, credit cards, asset finance, retail credit, mail order, insurance, telecommunications and the public sector. Members lawfully share information on frauds in the fight to prevent further fraud.
  2. The following tables show a summary of communications fraud cases recorded by CIFAS Members, broken down by the type of fraud identified. Definitions are given below the table.
Jan to Sept 2010 Jan to Sept 2011 % Change
Application Fraud 3,679 4,347 18%
Facility Takeover Fraud 5,292 4,330 -18%
Identity Fraud 12,673 20,842 64%
Misuse of Facility Fraud 3,430 4,125 20%
Total 25,074 33,644 34%

UK Cards Association warns of growing Credit Card fraud phone scam targeting the over-60s

Basic creditcard / debitcard / smartcard graph...

The UK Cards Association has warned about an old-style phone scam that is increasingly being used by fraudsters across the UK.

The scam involves unsuspecting cardholders being called and duped into handing over their debit or credit card, and revealing their PIN, by a fraudster pretending to be from their bank, card company or the police. Just this year more than £750,000 has been lost to this type of fraud, with the criminals responsible stealing an average of £10,000 per incident.

The scam begins with the fraudster phoning up, typically claiming to be from the prospective victim’s bank, and saying either that their systems have flagged up a fraudulent transaction on their card or that their card is due to expire and needs replacing. By seeming to offer assistance, the fraudster tries to gain the victim’s trust. In most cases the victim is then asked to ‘activate’ or ‘authorise’ the replacement card in advance by keying their PIN into their phone’s handset.

The fraudster or an accomplice then poses as a bank representative or a courier to pick up the customer’s card from them at their home, sometimes also giving the victim a replacement card (which is a fake). In some cases a genuine courier company is hired to pick up the card, which the victim has been asked to place in an envelope. Once they have the victim’s card and the PIN the fraudster uses them to withdraw cash and go on a spending spree.

Top tips to avoid this scam:

  • Your bank will never ring you and tell you that they are coming around to pick up your card, so never hand it over to anyone who comes to ‘collect it’.
  • Your bank will never ask you to ‘authorise’ anything by entering your PIN into the telephone.
  • Never share your PIN with anyone – the only times you should use your PIN is at a cash machine or when you use a shop’s chip and PIN machine.

If you think you may have been the victim of a fraud or a scam of this nature you should call your bank or card company immediately.
DCI Paul Barnard, Head of the Dedicated Cheque and Plastic Crime Unit (DCPCU), the special police unit established by the banking industry to fight fraud, said:

“You should never hand over your bank card to someone who turns up on your doorstep, however convinced you are that they are genuine. Likewise, you should never give anyone your PIN or punch the number into your phone as a result of someone contacting you out-of-the-blue – wherever they claim to be from. If you have any doubts when approached in this way you should hang up the phone and call the organisation back on a number that you know is correct. If you think you have already been a victim of this scam, contact your bank or card company immediately. If you are the innocent victim of card fraud you will not suffer any financial loss.”

.

Advice for Small Businesses on how to avoid Identity theft

The Identity Theft Council (ITC) has recently issued a press release promoting Identity Theft awareness and offered advice on how to avoid the problem.

They quote from a Javelin Strategy & Research study found that fraud suffered by

  • Small Business Owners (SMBO) totaled an $8 billion
  • Banks, merchants and other providers absorbed at least $5.43 billion of that loss
  • The cost to victims was $2.61 billion

According to the U.S. Small Business Administration, the small business represents more than 99 percent of all U.S. businesses, and of the estimated 27 million small businesses, more than 21 million are sole proprietors. The ITC concluded that small business were ideal candidates for identity theft.

“The ITC works with individual identity theft victims and small business owners to educate them about identity theft and to provide resolution services,” said Neal O’Farrell, Executive Director of the Identity Theft Council (ITC), and security expert. “Unfortunately, small business owners are being targeted more today than ever before due to the criminals ability to easily access important information and go undetected.”

Identity Theft Council Tips for Preventions and Detection:

  • Write a security plan. Security starts with a plan. A plan can be as simple as the security rules, guidelines, and goals for your business, and the consequences for ignoring them. A plan is also an easy way to help you remember your security priorities.
  • Do an inventory of your data. Data is what the thieves want, whether its customer account or credit card data, employee Social Security numbers, or even databases of target customers. If you don’t know what data you have in your business, or where it is, then you can’t effectively protect it.
  • Train your employees. Enlist every employee, family member, partner, and contractor as a vigilant sentry so that every stakeholder understands how to protect their corner of cyberspace. Most thieves will target the weakest link, and that’s usually a careless or untrained employee.
  • Guard your business accounts well. As a business owner you don’t enjoy the benefits of zero liability, so if your account is emptied by crooks, the bank won’t bail you out.
  • Restrict employee and insider access to data. For everyone’s safety employees should only have access to the data they need to do their job. And that access should also be monitored.
  • Be especially wary of banking Trojans. These highly sophisticated programs can easily creep on to your computers, steal banks logins and passwords, and quickly empty your bank accounts.
  • Monitor your bank accounts and credit cards constantly. These can often provide the earliest warning that thieves have obtained your account information and have started to use it. Most financial institutions provide free instant alerts to warn you about any unusual account activity.
  • Be wary of business identity theft, too. Business identity theft is a growing problem, and it involves criminals using publicly available information about your company to pretend to be the legitimate owners of your business so they can take out substantial loans and leave you to clean up the mess. An easy precaution is to regularly Google your business name for any clones.
  • Use the available technologies. As a small business owner you have many choices when it comes to protecting your employees, your computers, and your data from cyber thieves. And some of the best tools are free. So make sure every computer in your business is locked down with layers of security technology.

“As a co-founder of the Identity Theft Council, Intersections believes in helping victims of ID theft find resolution, and in educating the community about how to protect themselves from the crime,” said Michael Stanfield, Chairman and CEO of Intersections Inc. “Small business owners are a unique group of victims that straddle between the consumer and business world, and are a prime target for criminals.”

Find the ITC website here

.

Hotel association to create unified security standards for Credit Card payments

HOTEL.
Image by SeeMidTN.com (aka Brent) via Flickr

Under the banner of the Hotel Technology Next Generation (HTNG), 16 major hotel groups from around the world are planning to work together to develop an industry specific IT Security framework  for handling sensitive and credit card data.

The HTNG will be a not for profit trade body which will develop solutions and standards that can be used in the hospitality industry.

Hotel credit card transactions are more difficult to secure than in other industries.  During the hotel reservation process, sensitive data often flows across systems managed by different companies. The data could be stored for weeks or months from the initial booking, to the checking in, charges for additional services e.g. bar bills all the way through to the final check out.

There are lots of different systems and software used in the processing of reservation making Security Standards very important.

Solutions like tokenization can provide an answer for a single hotel or hotel chain but they will require a great deal of sharing and integration if more than one company wishes to share the same token.

Wiki leak definition of Tokenization is “the process of breaking a stream of text up into words, phrases, symbols, or other meaningful elements called tokens. The list of tokens becomes input for further processing such as parsing or text mining. Tokenization is useful both in linguistics (where it is a form of text segmentation), and in computer science, where it forms part of lexical analysis“.

To find out more about Tokenization download the Tokenization for Dummies booklet by clicking here, registration is required.

While major hotel companies have invested heavily in security within their own systems, they have no control over the hundreds of third-party systems that may touch their reservations prior to their guests arrival.

Early discussions indicate a broad agreement that a single industry framework is required, and that the framework needs to work with existing security approaches in place at major hotel companies and in commonly used systems for example PCI DSS.  There was also agreement on the key elements needed for the industry framework.  The group intends to document this framework conceptually in a white paper that will form the basis for subsequent standards development.

Doug Rice, CEO of HTNG, said organization initiated the process for the industry security framework in June. A charter has been created to ensure the hotels and organizations involved are on the same page. The group’s first meeting will take place in November.

Rice said everyone involved in accepting payments in the hotel industry needs to agree on the same framework for it to work effectively. Online travel agencies, distribution partners and payment processors will all need to be on board. The plan is for the major hotel companies to inform their partners of the plan at approximately the same time. Vendors will realize this is what they need to do if they want to meet the needs of the hotel industry, he said.

Once the partners are on board with the solution, independent hotels will start getting involved, too.

Rice said education will not necessarily be the role of HTNG. However, the group expects to work with organizations such as the Hospitality Financial and Technology Professionals to help implement the solution and spread the word in the industry.

“This is not going to be an overnight solution, it’s a journey, but it’s something that the industry has recognized needs to be addressed,” Rice said

Read the HTNG Press Release here.

Also read “77% of Hospitality Sector Mistakenly Believe They Are PCI Compliant“.

.

Blog at WordPress.com.

Up ↑

%d bloggers like this: