In a communications survey of 60 retailers conducted by Iconnyx, the number one challenge for retailers is security, with 47% identifying it as their biggest issue.
The full list of technology challenges for retailers is:
57% of respondents ranked PCI compliance as a very important business issue.
Other reported business issues were:
answering customer calls
synchronisation between Point of Sale and card payment machines
reducing the overall cost of connectivity to stores
Tim Walker, Iconnyx Managing Director explains:
“It’s surprising to see that cloud is low on the list of retailer concerns, given that security and PCI compliance is top of the list.
This signals that for retailers, cloud-based technologies are seen as neither a solution nor an issue. In either instance, use of the cloud can resolve security concerns and could be explored as a reliable means of addressing retailers’ issues,
The PCI SSC definition of Tokenization: “Tokenization technology replaces a Primary Account Number (PAN) with a surrogate value called a “token”. Specific to PCI DSS, this involves substituting sensitive PAN values with non-sensitive token values, meaning a properly implemented Tokenization solution can reduce or remove the need for a merchant to retain PAN in their environment once the initial transaction has been processed.
Merchants are ultimately responsible for the proper implementation of any Tokenization solution they use, including its deployment and operation, and validation of its Tokenization environment as part of their annual Payment Card Industry Data Security Standard (PCI DSS) compliance assessment.
Organizations should carefully evaluate any solution before implementation to fully understand the potential impact on their CDE (Cardholder Data Environment). The paper helps guide merchants through this process by:
Outlining explicit scoping elements for consideration
Providing recommendations on scope reduction, the tokenization process itself, deployment and operation factors
Detailing best practices for selecting a tokenization solution
Defining the domains, or areas where specific controls need to be applied and validated, in which tokenization could potentially minimize the card data environment
This additional guidance also benefits tokenization service providers and assessors by informing them about how the technology can help their merchant customers limit or eliminate system components that process, store, or transmit cardholder data, and so reduce the scope of the CDE and thus the scope of a PCI DSS assessment.
“We’ve continued the process to investigate these technologies and ways that the community can use them to potentially increase the security of their PCI DSS efforts” said Bob Russo, general manager of the PCI Security Standards Council. “These specific guidelines provide a starting point for merchants when considering tokenization implementations. The Council will continue to evaluate tokenization and other technologies to determine the need for further guidance and/or requirements.”
Jeremy King, European director of the PCI SSC, said the process is challenging because not all cards have a 16-digit primary account number (PAN). Some Tokenization methods are more applicable than others according to the card in question. Some tokens try to preserve the format of the original PAN in order to maintain compatibility with internal processing applications, while other approaches may generate a new truncated or randomised number, King said.
“Systems that allow you to get back to the PAN need to be properly protected, and are in scope,” King said.
Tokenisation can dramatically reduce the requirements of PCI DSS. In simple terms, if a Merchant stores no credit card data, the scope of PCI DSS is reduced.
For the majority of Merchants, reducing the scope of PCI DSS by not storing Credit Card Data can mean the difference between a relatively simple Self Assessment Questionnaire (SAQ), e.g. SAQ A, and the highly complex and extremely difficult SAQ D.
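As an added illustration of the tokenization model described above (this is not code from the PCI SSC supplement or from any vendor), the hypothetical Python vault below issues either format-preserving tokens that keep the PAN's length and last four digits but deliberately fail the Luhn check, so they can never be mistaken for a real PAN, or opaque randomised tokens. Only the vault, which holds the mapping and is therefore in PCI DSS scope, can reverse a token; the PANs used are the publicly known industry test numbers, constructed inline.

```python
import secrets
from typing import Dict

def luhn_valid(number: str) -> bool:
    """Luhn check: used to validate incoming PANs and to make sure a
    format-preserving token can never be mistaken for a real PAN."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """Hypothetical in-memory vault. Everything in this class is in PCI DSS
    scope: it holds PANs and is the only place a token can be reversed."""

    def __init__(self) -> None:
        self._by_token: Dict[str, str] = {}
        self._by_pan: Dict[str, str] = {}

    def tokenize(self, pan: str, preserve_format: bool = True) -> str:
        if not (12 <= len(pan) <= 19 and pan.isdigit() and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        if pan in self._by_pan:            # same PAN always yields the same token
            return self._by_pan[pan]
        while True:
            if preserve_format:
                # Keep length and last four digits so receipts and back-office
                # systems keep working; the rest is random, not derived from the PAN.
                body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
                token = body + pan[-4:]
                if luhn_valid(token):      # a Luhn-valid token could pass as a PAN
                    continue
            else:
                token = "tok_" + secrets.token_hex(16)   # opaque randomised token
            if token not in self._by_token:
                break
        self._by_token[token] = pan
        self._by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Privileged operation: any system that can call this is in scope."""
        return self._by_token[token]
```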
The PCI SSC Tokenization Information Supplement can be downloaded here.
The report states, “approximately 90% of compromises came from the Level 4 merchant space in 2010.” The PCI DSS categorises a Level 4 merchant as a business that processes fewer than 20,000 Visa e-commerce transactions annually, and all other merchants processing up to 1 million Visa transactions annually.
The top 5 Industry Sectors that experience a PCI DSS compromise are:
Food and Beverage
Breaches occur in 5 specific areas, with the majority occurring because of weaknesses in software:
The report lists the top five areas where Merchants are falling short of compliance as:
Do you have written security policies and procedures that address the protection of paper with credit card numbers such as receipts and the physical security of your card processing device?
Do you have a formal training program for all relevant employees that teaches them about security as it relates to credit cards, paper with credit card numbers on them and the devices that process credit card transactions?
Do you or does anyone at your business log or record your customers’ credit card numbers in a computer, for example, in a back office computer, a laptop or financial application?
Do you check your store or office for unauthorized wireless access points on at least a quarterly basis?
Do you perform external (Internet) network vulnerability scans at least once per quarter?
Cost of non-compliance
Trustwave’s Report states “Fines have averaged $5,000 to $15,000 per card brand. We see forensic investigations start in the $10,000 to $15,000 range as well. Card re-issuance and fraud loss are dependent on the size of the breach. However, fines can vary greatly depending on a number of factors and can reach into the hundreds of thousands of dollars in some cases”.
Verizon have released their Data Breach Investigations Report 2011 and, as usual with the Verizon report, there is a lot to take in.
The investigations by Verizon and the U.S. Secret Service found that data lost in breaches had dropped from 144 million records in 2009 to only 4 million in 2010, representing the lowest volume of data loss since the report’s launch in 2008.
The percentage of internal breaches fell massively from 49% to 16%, which the report claims is due to the large increase in external attacks rather than a fall in internal breaches.
Verizon Recommendations for Enterprises
Focus on essential controls. Many enterprises make the mistake of pursuing exceptionally high security in certain areas while almost completely neglecting others. Businesses are much better protected if they implement essential controls across the entire organization without exception.
Eliminate unnecessary data. If you do not need it, do not keep it. For data that must be kept, identify, monitor and securely store it.
Secure remote access services. Restrict these services to specific IP addresses and networks, minimizing public access to them. Also, ensure that your enterprise is limiting access to sensitive information within the network.
Audit user accounts and monitor users with privileged identity. The best approach is to trust users but monitor them through pre-employment screening, limiting user privileges and using separation of duties. Managers should provide direction, as well as supervise employees to ensure they are following security policies and procedures.
Monitor and mine event logs. Focus on the obvious issues that logs pick up, not the minutiae. Reducing the compromise-to-discovery timeframe from weeks and months to days can pay huge dividends.
Be aware of physical security assets. Pay close attention to payment card input devices, such as ATMs and gas pumps, for tampering and manipulation.
Key results from the 2011 report shown in the Verizon press release are below:
Large-scale breaches dropped dramatically while small attacks increased. The report notes there are several possible reasons for this trend, including the fact that small to medium-sized businesses represent prime attack targets for many hackers, who favor highly automated, repeatable attacks against these more vulnerable targets, possibly because criminals are opting to play it safe in light of recent arrests and prosecutions of high-profile hackers.
Outsiders are responsible for most data breaches. Ninety-two percent of data breaches were caused by external sources. Contrary to the malicious-employee stereotype, insiders were responsible for only 16 percent of attacks. Partner-related attacks continued to decline, and business partners accounted for less than 1 percent of breaches.
Physical attacks are on the rise. After doubling as a percentage of all breaches in 2009, attacks involving physical actions doubled again in 2010, and included manipulating common credit-card devices such as ATMs, gas pumps and point-of-sale terminals. The data indicates that organized crime groups are responsible for most of these card-skimming schemes.
Hacking and malware are the most popular attack methods. Malware was a factor in about half of the 2010 caseload and was responsible for almost 80 percent of lost data. The most common kinds of malware found in the caseload were those involving sending data to an external entity, opening backdoors, and keylogger functionalities.
Stolen passwords and credentials are out of control. Ineffective, weak or stolen credentials continue to wreak havoc on enterprise security. Failure to change default credentials remains an issue, particularly in the financial services, retail and hospitality industries.
An interesting article compares two payment methods a Merchant could choose.
It is written by a managed payments provider but tries to present its assumptions and figures as accurately as it can.
“The objective of this study is to compare an in-house supported credit/debit card EMV (Europay, MasterCard and Visa) Chip & PIN and PCI-DSS (Payment Card Industry Data Security Standard) accredited payment solution with a managed outsourced payment service solution provided by YESpay through a comprehensive financial model analysis, consisting of cost-of-ownership and cash-flow analysis.
Cost-of-ownership and cash-flow analysis provides a good base for comparing the financial propositions of the two payment solutions, namely, in-house and managed. Combining this with the intangible costs and benefits of the two systems gives a complete comparative analysis.
The result of this study shows that by outsourcing their payment solution to a third party payment service provider, mid- to top-tier retailers can save more than 50% on cost of ownership of their payment solution depending on size of the POS till requirements.”
CyberSource, a Visa company (NYSE: V), today announced availability of the world’s largest real-time fraud detection radar, empowering online merchants to pinpoint fraud faster, more accurately, and with less manual intervention.
This advance enables merchants to conduct more accurate analyses of their inbound orders, including comparison of those orders to the over 60 billion transactions Visa and CyberSource process annually, including orders that were confirmed to be fraudulent.
Data insight derives from transactions across multiple payment types and from merchants worldwide, spanning online, call center, mobile and POS sales channels. The transaction data is supplemented by 200 validation and correlation tests. This solution effectively expands the depth and breadth of transaction pattern visibility.
The new development comes at an opportune time.
eCommerce merchants say fraud became more sophisticated and harder to detect in 2010, and this challenge is likely to grow. Download the CyberSource 2011 Fraud Report here
90% of online thieves are now associated with organized crime. Details of Fraud patterns can be found here
“Botnet” infections are growing at a rate of approximately 200,000 per day. Download the “10 Botnet Questions” White Paper here
The ability to accurately detect fraud in such a sophisticated criminal environment requires correlating vast amounts of information to detect subtle anomalies.
“Data is the lifeblood of fraud detection,” said Michael Walsh, CyberSource President and CEO. “When Visa acquired CyberSource, one of the stated goals was to deliver a new level of fraud prevention to online merchants, enabled by our end-to-end view of electronic transactions, worldwide. We are now delivering exactly that.”
Trustwave has published its Global Security Report 2011 and it has some very interesting research.
The research is drawn from incidents investigated by the company. Specifically, of a total of 220 investigations undertaken into suspected breaches, 85% were confirmed, and 90% of those resulted in data theft.
The headline statistics are:
Industry breakdown of where the incident happened
Food and beverage 57%
Types of Data stolen
Payment Card Data 87%
Sensitive company data 8%
Trade Secrets 3%
Authentication Credential 2%
Customer records 2%
This may simply reflect that Trustwave is a Payment Card Industry forensics and incident investigator, or it is further proof, if we needed it, that the bad guys are after the money.
Who found out that there had been an incident?
Regulatory detection 60%
Self detection 20%
Public detection 13%
Law enforcement 7%
Is it any wonder that the credit card issuers strictly enforce the Payment Card Industry Data Security Standard (PCI DSS) when Merchants themselves detect only 1 in 5 Account Data Compromises (ADC), also known as breaches?
The EMV specification defines technical requirements for bank cards with embedded microchips and for the accompanying point-of-sale (POS) infrastructure. With few exceptions (primarily in the United States), financial institutions worldwide issue EMV bank cards to businesses and consumers.
According to EMVCo, approximately 1 billion EMV cards have been issued globally and 15.4 million POS terminals accept EMV cards. The primary purposes of including a chip in a bank card are to store cardholder data securely, protect data stored on the chip against unauthorized modification, and reduce the number of fraudulent transactions resulting from counterfeit, lost, and stolen cards.