Brian Pennington

A blog about Cyber Security & Compliance

Tag

Credit Card

PCI SSC Board of Advisors 2011 elections are now open

The PCI SSC Board of Advisors elections for 2011 to 2013 are now open.

All Participating PCI SSC organisations can vote. Votes close 08 April 2011. The votes will decide the composition of the Board of Advisors for the next 2 years.   A complete list of the candidates is below:

Financial Institution – 3 votes

  • Australia and New Zealand Banking Group Limited (ANZ)
  • Bank of America
  • Bank of America Merchant Services
  • Banrisul S.A.
  • BARCLAYCARD
  • Citi
  • JPMorgan Chase & Co.
  • SIX Multipay
  • WorldPay (UK) Ltd 

Merchant – 3 votes

  • Allstate Insurance Company
  • British Airways
  • CHS Inc.
  • CVS Caremark
  • Exxon Mobil Corporation
  • FedEx
  • Hawaiian Airlines
  • HMSHost
  • Intuit Inc.
  • Loves Travel Stops & Country Stores, Inc.
  • McDonald’s Corporation
  • National Association of College and University Business Officers
  • Starbucks Coffee Company
  • Tesco Stores Limited
  • The Walt Disney Company
  • VF Corporation
  • Wal-Mart Stores, Inc.
  • Woolworths Limited 

Processor – 3 votes

  • Cielo
  • DirectCash Payments Inc.
  • Elavon
  • First Data Corporation
  • Fiserv
  • Global Payments Inc. (NYSE:GPN)
  • Heartland Payment Systems
  • Litle & Co.
  • Merchant Warehouse
  • Mercury Payment Systems
  • Moneris Solutions
  • Payment Processing Inc
  • Point International (Point Group)
  • Sage Payment Solutions
  • The SHAZAM Network
  • TSYS 

Vendor – 3 votes

  • Agilysys
  • ATX Innovation
  • Cisco
  • Citrix Systems, Inc.
  • Convergys
  • Datapipe
  • Fico
  • Hypercom Corporation
  • Ingenico
  • Mako Networks
  • MICROS Systems, Inc.
  • nuBridges, Inc.
  • Panasonic Avionics Corporation
  • Reliant Security
  • RSA
  • Shift4 Corporation
  • Vanguard Integrity Professionals
  • VeriFone Systems, Inc.
  • Voltage Security 

Other – 2 votes

  • Apriva
  • CARTES BANCAIRES
  • Envision Telephony Inc.
  • European Payments Council
  • IATA
  • Interac Association
  • Network Frontiers (the Unified Compliance Framework)
  • Payment Alliance International
  • Paypal
  • RSPA – Retail Solutions Providers Association
  • The UK Cards Association
  • Vendorcom
  • VigiTrust Ltd
  • Wright Express

 Data supplied by VeriTape.

Fraud losses drop on UK cards, cheques and online banking

The UK Cards Association reports that fraud losses in the UK on cards, cheques and online banking fell in 2010 compared with the 2009 figures.

Total fraud losses on UK cards fell to £365.4 million in 2010 – a 17 per cent reduction compared with losses in 2009. This is the lowest annual total since 2000 and follows on from a fall of 28 per cent in 2009. This current downward trend is due to the banking industry’s ongoing investment to deter, detect and prosecute fraudsters.  Initiatives include: better awareness amongst retailers about how to protect their chip and PIN equipment from criminal attack; greater sign-up to online fraud prevention initiatives such as MasterCard SecureCode and Verified by Visa by cardholders and retailers; improved industry sharing of fraud data and intelligence; increasing use of fraud detection tools by banks and retailers; the increasing roll-out of chip and PIN abroad and the upgrade of chips on UK cards.

Online banking fraud losses totalled £46.7 million in 2010, a 22 per cent fall on the 2009 figure. Factors contributing to this fall include customers better protecting their own computers with up-to-date anti-virus software, combined with banks’ use of sophisticated fraud detection software. This decrease has occurred despite a continuing rise in phishing attacks, up 21 per cent on 2009.

Phone banking fraud losses totalled £12.7 million during 2010, an increase of five per cent from 2009. Most losses involve customers simply being tricked into disclosing their personal security details – through cold calling or fake emails – which the criminal then uses to commit fraud. This suggests that some customers are still not aware that their bank will never cold call or email them to ask for login details and passwords.

Cheque fraud losses decreased from £29.8 million in 2009 to £28.9 million during 2010. The vast majority of attempted fraud gets stopped before the cheque is paid. The industry’s ongoing work to prevent cheque fraud has helped drive these losses down. The continuing drop in cheque usage has also contributed to the three per cent fall in overall cheque fraud losses.

Detective Chief Inspector Paul Barnard, Head of the Dedicated Cheque and Plastic Crime Unit (DCPCU) – the industry-sponsored specialist police unit that tackles the organised criminal gangs behind fraud – comments: 

“Whilst another drop in fraud is good news, the fraudsters haven’t shut up shop which is why there can be no room for complacency on the part of the banking industry, retailers, law enforcement or indeed customers themselves.  By taking simple steps, such as:  shielding our PIN with our free hand whenever we enter it, particularly at cash machines; being wary of unsolicited emails or calls; and making sure that our computers have regularly updated anti-virus software in place, we can make life harder for the criminals.

“Fortunately in the UK – unlike some other countries – innocent victims of any type of payment fraud on their debit or credit card or account are protected and should not suffer any financial loss.”

Melanie Johnson, Chair of The UK Cards Association, which represents UK credit and debit card providers said:

“The cards industry is greatly encouraged by the major decrease in card fraud losses for a second successive year, but we will not be easing off our efforts as a result. It is essential to us that customers feel safe and secure when they use their cards and we will continue to invest in a wide range of fraud prevention initiatives to keep it this way.”

Fraud figures released by the National Fraud Authority (NFA) earlier in the year also serve to put these banking fraud losses into perspective. The NFA estimated that fraud in all its guises costs the UK more than £38 billion a year – card and banking fraud accounts for just over one per cent of this figure.

A comparison of the figures for 2007, 2008, 2009 and 2010 can be found here: http://www.theukcardsassociation.org.uk/media_centre/press_releases_new/-/page/1323/

Where do security breaches occur? What type of data is stolen and who makes the discovery?


Trustwave has published its Global Security Report 2011 and it has some very interesting research.

The research draws on incidents investigated by the company: of 220 investigations into suspected breaches, 85% were confirmed as breaches and 90% resulted in data theft.

The headline statistics are:

Industry breakdown of where the incident happened

  • Food and beverage   57%
  • Retail   18%
  • Hospitality   10%
  • Government   6%
  • Financial   6%
  • Education   1%
  • Entertainment   1%
  • Construction   1%

Types of data stolen

  • Payment Card Data   87%
  • Sensitive company data   8%
  • Trade Secrets   3%
  • Authentication Credential   2%
  • Customer records   2%

This could partly reflect Trustwave’s role as a Payment Card Industry forensic investigator (its caseload is skewed towards card breaches), or it is further proof, if we needed it, that the bad guys are after the money.

Who found out that there had been an incident?

  • Regulatory detection   60%
  • Self detection   20%
  • Public detection   13%
  • Law enforcement   7%

Is it any wonder that the card issuers are strictly enforcing the Payment Card Industry Data Security Standard (PCI DSS) when merchants themselves discover only 1 in 5 Account Data Compromises (ADC), the card brands’ term for a breach?

Previous research found that the majority of cards are used in multiple frauds.

Merchants come out on top in the time to detect a breach

  • Regulatory detection   156.5 days
  • Public detection   87.5 days
  • Law enforcement   51.5 days
  • Self detection   28 days

This is interesting: only 1 in 5 breaches was found first by the merchant, and the 60 per cent surfaced by regulatory detection took on average more than 150 days (around five months) to be discovered. A merchant that detects its own breach does so over five times faster than one that waits for the card brands to notice.

Trustwave www.trustwave.com

Lush Cosmetics is once again trading online

Lush, the company that has suffered “security issues” over the last few months, is up and running again.

The Lush website states “The Lush IT team have worked with our security advisers and bank providers

The site also states “Should you choose to make a purchase, you will see that our payment page now takes you away from the Lush website and directly to our card providers site, where your payment is safely in the hands of the big boys at the money institutions. You can shop with confidence knowing that your details will be safe.”

Hopefully, the lessons have been learnt and they will be trading as well as they did in the past.

Read about the original UK and Australia Hacks here

Card Payments Roadmap in the U.S.: How Will EMV Impact the Future Payments Infrastructure? – Smart Card Alliance


The EMV specification defines technical requirements for bank cards with embedded microchips and for the accompanying point-of-sale (POS) infrastructure. With few exceptions (primarily in the United States), financial institutions worldwide issue EMV bank cards to businesses and consumers.

According to EMVCo, approximately 1 billion EMV cards have been issued globally and 15.4 million POS terminals accept EMV cards. The primary purposes of including a chip in a bank card are to store cardholder data securely, protect data stored on the chip against unauthorized modification, and reduce the number of fraudulent transactions resulting from counterfeit, lost, and stolen cards.

Smart Card Alliance website

Smart Card Alliance White Paper: Card Payments Roadmap in the U.S.: How Will EMV Impact the Future Payments Infrastructure?

Downloadable: CyberSource’s report on UK Online Fraud 2011

The report is based on an industry wide survey, and addresses the detection, prevention and management of online fraud.

The Cost of Fraud

On average, the percentage of annual online revenue that businesses expect to lose to payment fraud in 2010 has dropped from 1.8% to 1.6%.

The survey revealed that this does vary dramatically by merchant size:

  • Very large businesses expect to lose £365,500 to online payment fraud (1.5% of online revenue)
  • Large businesses £173,500 (1.2%)
  • Medium businesses £66,000 (2.4%)
  • Small businesses £3,500 (1.5%)

The report delivers:

  • Key fraud metrics, including review and order reject rates
  • Most widely used fraud detection tools
  • Chargeback practices; re-presentment and win rates
  • Merchants’ fraud management priorities for 2011

Download the report here (registration required).

29% of credit card holders hit by fraud as global fraud rises

ACI Worldwide conducted fraud research in 14 countries and found that 29% of the 4,200 respondents had been victims of credit card fraud in the last 5 years.

The UK figure was above the norm at 33%, a rise of 6% over the previous 18 months, which equates to an estimated 14.6 million UK consumers hit by credit card fraud in the past five years.

Other countries fared better, such as the Netherlands with 11% experiencing fraud whilst others, like China with a 43% fraud rate, fared worse.

ACI Worldwide http://www.aciworldwide.com

Lush confirm their Australian Website has been hacked


In a statement on the Lush Australia website http://www.lush.com.au/ Lush have confirmed that hackers gained access to the site and that customer data “may” have been obtained. Lush advise customers to contact their bank about their credit cards.

They point out that the Australian website is not directly connected to their recently hacked UK site. The hacked UK site has a similar announcement to the Australian site http://www.lush.co.uk

Top 5 Riskiest Places To Use Your Credit Card | B2B News

From B2B News

You can still be a victim of credit card fraud even if you use it with utmost caution. Credit card companies and banks are more and more often putting the onus of catching phony or incorrect credit card charges on the consumer.
The most important thing is to check your billing statement. And there are organizations like Creditcards.com that offer tips on how to keep your cards safe as well. Here, we take a look at 5 of the riskiest places you might use your card, according to Creditcards.com, and what you can do to stay away from dangers.

 Non-Bank Owned ATMs

Encryption at these ATMs is often not as good as at bank ATMs, and these ATMs are more likely to be hacked. In some cases criminals have set up devices that look like ATMs but dispense no cash; they exist only to skim your credit or debit card details.

 Flea Markets

Flea market merchants are often transient and can be difficult to locate if there is a problem with charges. This is especially true for vendors who don’t have online credit card terminals and instead take a carbon-copy imprint of your card.

That doesn’t mean those vendors are necessarily fraudulent, but it makes the transaction less secure, and the card company may have trouble processing a chargeback. If you’re going to the flea market, take cash. It’s also easier to negotiate that way.

 Small Shops/Cafes in Foreign Countries

These smaller merchants have a significantly higher percentage of credit card fraud as reported by large banks and credit card companies. Many of these transactions end up being written off by the banks because the merchants simply can’t be located. There’s just a higher chance of fraud when you get outside of the mainstream, so when in doubt, use cash.

Non-Secure Online Checkout

Any safe, reputable e-commerce site will have a secure (HTTPS) checkout page. If your browser does not show the connection as secure, treat it as a red flag: the site is very likely not legitimate, and even if it is, you are exposing the transaction to anyone who can see the traffic.

Purchases on Smart Phones

Purchases on smart phones can also be less than secure. If your smart phone connects to a public wi-fi signal, you are going to be much less secure: someone else can potentially see the transaction, or malware can be placed on your device that transmits your personal information.

Top 5 Riskiest Places To Use Your Credit Card | B2B News.

14 Arrested for Credit Card Fraud


Authorities arrested 14 members of a criminal ring that has netted $30 million in credit card and bank frauds.

Courthouse News Service.

Risk of identity theft in hotel declines – USATODAY.com

Hotels are no longer the No. 1 target of hackers in their quest to steal credit card information but your data still has a higher chance of being stolen inside a hotel, a veteran cybersleuth tells Hotel Check-In.

Last year, hotels became a top priority for online criminals seeking to steal travelers’ credit-card information and other data.

But this year, online thieves are now focusing on restaurants, Nicholas Percoco, senior vice president and head of SpiderLabs at data security firm Trustwave, told me. That means they might target a posh hotel restaurant with a sommelier, a fast-food joint or anything else in between.

Thieves started to ease up on hotel computer systems in mid-2010, about 18 months after attacking Wyndham hotel computers and computers of other chains.

I asked Percoco if hotels moved down a notch because the industry spent more money to protect their computer systems, if travelers got smarter or if thieves just decided to move on.

It’s a mix, he told me. Many of the big chains – like Marriott, Hilton and InterContinental Hotels Group, though he wouldn’t name names – have thrown resources to shore up their computer security, he told me.

Furthermore, all the media reports about hotels being at risk for cybercrimes made the thieves fearful that they could get caught.

As they did with hotels, these cybercriminals look for a weak link in a restaurant or fast-food chain and enter their computer system to steal credit-card information and other data.

Risk of identity theft in hotel declines – USATODAY.com.

http://travel.usatoday.com/hotels/post/2011/02/trustwave-spiderlabs-hotels-hackers-identity-security/142372/1

PCI fines could put merchants out of business


An interesting interview with Bob Russo, general manager of the PCI Security Standards Council, by Practical e-Commerce, an online resource for merchants.

This part of the interview concerns the rarely discussed issue of fines.

Practical e-Commerce put it to him that “although there is a lot of talk about having to comply with PCI standards, there don’t seem to have been any real ramifications for non-compliant merchants to date.”

Bob Russo replied “I totally disagree. You’re playing Russian roulette here with your business. While there might not be a validation requirement (which is to say that you may not have to prove to anyone that you are PCI compliant), if in fact you suffer a breach and you are found not to be compliant at the time of this breach, then there are tremendous ramifications.

“There are fines, and for a small business, a fine could literally put them out of business. There is the specter of customers walking away because they’ve either figured out, or, with our breach notification laws, someone has told them that the breach occurred at the merchant’s site. There’s the specter that they will not shop with the merchant anymore because they feel like you [the merchant] are not keeping their information safe, whether it be credit card information or personal information. It’s a really big issue. Are your readers willing to play Russian roulette? They’re the only ones who can answer that question.”

Read the full interview at http://www.practicalecommerce.com/articles/2565-PCI-Council-General-Manager-on-Non-Compliance-Russian-Roulette-

The majority of stolen Credit Cards stop being used after 24 hours

Ethoca in their report “Fraud Attacks Cross Industries” (Jan 2011) have established that in 86% of cases, fraudsters stopped using a credit card in less than 1 day (24 hours) either because the card was cancelled by the issuer or because the fraudster began using another card.

They also found that 10% of stolen cards were used at multiple merchants.

In only 29% of the cases did the fraudster stay within the same industry sector. In other words, fraudsters spread their purchases across as wide a field as possible, probably to evade the card issuers’ anti-fraud checks, which can spot unusual buying patterns (how many mobile phones does one person need?).

The report found that the number one target for cross-industry fraud was mobile phones, followed by pre-paid gift cards. In other words, a mobile phone and a gift card are likely to be on most organised fraudsters’ shopping lists.
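The issuer-side pattern spotting described above, as an added example that is not code from the Ethoca report or from this blog: a cross-industry velocity check run over constructed card transactions. Each transaction opens a sliding 24-hour window (the period in which the report says most stolen cards are burned through), and a card is flagged if, within any one window, it is used in more than two industry sectors or buys more than one item from a high-risk category (mobile phones, pre-paid gift cards). The thresholds, the sector and category labels, the token names and the sample transactions are all assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed rule parameters: tune against real confirmed-fraud data before use.
HIGH_RISK_CATEGORIES = {"mobile_phone", "gift_card"}
WINDOW = timedelta(hours=24)
MAX_SECTORS_PER_WINDOW = 2    # more than two industry sectors in a day is unusual
MAX_HIGH_RISK_PER_WINDOW = 1  # more than one phone or gift card in a day is unusual


@dataclass(frozen=True)
class Txn:
    card: str        # issuer-side token or hash of the PAN, never the PAN itself
    when: datetime
    merchant: str
    sector: str      # industry sector of the merchant
    category: str    # what was bought


def evaluate_card(rows):
    """Return the set of rule names that one card's transactions trip.

    Every transaction opens its own 24-hour window and the rules are applied
    to each window, so a burst that straddles midnight is still caught.
    """
    rows = sorted(rows, key=lambda t: t.when)
    reasons = set()
    for i, first in enumerate(rows):
        window = [t for t in rows[i:] if t.when - first.when <= WINDOW]
        sectors = {t.sector for t in window}
        if len(sectors) > MAX_SECTORS_PER_WINDOW:
            reasons.add("cross_sector")
        high_risk = [t for t in window if t.category in HIGH_RISK_CATEGORIES]
        if len(high_risk) > MAX_HIGH_RISK_PER_WINDOW:
            reasons.add("high_risk_velocity")
    return reasons


def find_suspicious(txns):
    """Group transactions by card token; return {token: reasons} for cards that trip a rule."""
    by_card = defaultdict(list)
    for t in txns:
        by_card[t.card].append(t)
    flagged = {}
    for card, rows in by_card.items():
        reasons = evaluate_card(rows)
        if reasons:
            flagged[card] = reasons
    return flagged


def _txn(card, day, hour, minute, merchant, sector, category):
    return Txn(card, datetime(2010, 9, day, hour, minute), merchant, sector, category)


# Constructed sample data: tok_h1 and tok_h3 are normal shoppers, tok_h2 is the
# classic phone-and-gift-card spree, tok_h4 is a small burst across midnight.
SAMPLE = [
    _txn("tok_h1", 14, 9, 0, "Corner Grocer", "retail", "groceries"),
    _txn("tok_h1", 14, 12, 30, "Bean Cafe", "food_and_beverage", "coffee"),
    _txn("tok_h1", 14, 19, 0, "Corner Grocer", "retail", "groceries"),
    _txn("tok_h2", 14, 10, 5, "PhoneMart", "telecom", "mobile_phone"),
    _txn("tok_h2", 14, 10, 40, "Mobiles4U", "telecom", "mobile_phone"),
    _txn("tok_h2", 14, 11, 20, "SuperMart", "retail", "gift_card"),
    _txn("tok_h2", 14, 12, 15, "GadgetsOnline", "ecommerce", "electronics"),
    _txn("tok_h3", 10, 11, 0, "PhoneMart", "telecom", "mobile_phone"),
    _txn("tok_h3", 13, 11, 0, "PhoneMart", "telecom", "mobile_phone"),
    _txn("tok_h4", 14, 23, 0, "Mobiles4U", "telecom", "mobile_phone"),
    _txn("tok_h4", 15, 8, 0, "SuperMart", "retail", "gift_card"),
]

if __name__ == "__main__":
    for card, reasons in sorted(find_suspicious(SAMPLE).items()):
        print(card, sorted(reasons))
```

Two design points are worth noting. Windows are anchored on each transaction rather than on calendar days, because a fraudster who starts at 23:00 does not stop at midnight. And the card is identified only by a token, so the detection system never needs to hold the PAN itself, which keeps it out of PCI DSS scope.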

About the report

Ethoca’s data came from credit card issuers and online merchants. The 95 merchants studied in their program represent 61% of the top 500 Internet merchants as measured by revenue*.

Issuers had identified the fraud with their own risk management systems and then confirmed with the cardholder that the order was indeed fraudulent before providing the transaction details to Ethoca. As a result, Ethoca was able to study a total of 25,188 confirmed cases of fraudulent transactions from June 2010 through October 2010.

*Source: Internet Retailer Magazine for 2009 www.top500guide.com

Blog at WordPress.com.
