Brian Pennington

A blog about Cyber Security & Compliance

Tag: Visa

List of businesses targeted by global hacking ring that stole 160 million credit and debit card numbers

List of businesses targeted from 2005 to 2012 by an international hacking ring that stole more than 160 million credit and debit card numbers, according to an indictment announced Thursday in Newark, N.J. The government did not provide figures in each case of the number of card numbers stolen, or of the estimated losses. It also said not all of the breaches of corporate computer networks resulted in financial losses. 

  • 7-Eleven Inc., based in Dallas. Starting in 2007, malware placed on its network, resulting in the theft of an undetermined number of credit and debit card numbers.
  • Carrefour S.A., French multinational retailer. Starting in 2007, computer networks breached, about 2 million credit card numbers were covertly removed.
  • Commidea Ltd., European provider of electronic payment processing for retailers. In 2008, malware used in other attacks found on its networks; about 30 million card numbers covertly removed.
  • Dexia Bank Belgium. In 2008 and 2009, malware placed on its network, with theft of card numbers resulting in about $1.7 million in losses.
  • Discover Financial Services Inc., issuer of Discover Card and owner of Diners Club charge card network. In 2011, malware placed on network of Diners Singapore, exposing more than 500,000 Diners credit cards and causing losses of about $312,000.
  • Dow Jones Inc., publisher of news, business and financial information. In or before 2009, malware placed on network, about 10,000 sets of log-in credentials stolen.
  • Euronet, based in Leawood, Kan., global provider of electronic payment processing. In 2010 and 2011, malware placed on its network, resulting in theft of about 2 million card numbers.
  • Global Payment Systems, based in Atlanta, one of world’s largest electronic transaction processing companies. In 2011-12, malware placed on its payment processing system; more than 950,000 card numbers stolen, losses of nearly $93 million.
  • Hannaford Brothers Co., supermarket chain operating in northeastern U.S. In 2007, malware placed on network of related company, resulting in theft of about 4.2 million card numbers.
  • Heartland Payment Systems Inc., based in Princeton, N.J., one of world’s largest credit and debit card payment processing companies. Starting in 2007, malware placed on its payment processing system, resulting in theft of more than 130 million card numbers, losses of about $200 million.
  • Ingenicard US Inc., based in Miami, provider of international electronic cash cards. In 2012, malware placed on its network resulted in theft of cards used to withdraw more than $9 million within 24 hours.
  • J.C. Penney Co., based in Plano, Texas. Starting in 2007, malware placed on its network.
  • JetBlue Airways, based in Long Island City, N.Y. Starting in 2008, malware placed on portions of computer network that stored employee data.
  • Leading Abu Dhabi bank, identified only as “Bank A.” In 2010-11, malware placed on computer networks, facilitating theft of card numbers.
  • Nasdaq, the largest U.S. electronic stock exchange, which offers its customers online access to their accounts. Starting in 2007, malicious software, or malware, was placed on its computer network, resulting in the theft of log-in credentials. Prosecutors said its trading platform was not affected.
  • Visa Inc., manager of the Visa brand, providing payment processing services through a centralized network. In 2011, malware placed on network, about 800,000 card numbers stolen.
  • Wet Seal Inc., retailer based in Foothill Ranch, Calif. In 2008, malware placed on network.

Copyright 2013 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.

Merchant sues VISA. Biting the hand that feeds you?

I know that if there were no merchants there would be no credit card companies and I know that the “alternative” payments market is growing, such as PayPal and V.me, but at this time it is fair to say that consumers still favour credit cards when it comes to online payments.

This is why when I read about a merchant suing a credit card company I was surprised. Not surprised that VISA had fined a merchant, not surprised that a merchant was upset at being fined but surprised it had got to court because that means normal reasonable commercial communication channels had failed.

On 7 March, sports retailer Genesco filed a lawsuit against Visa to recover nearly $13.3 million in fines that the card company issued in January 2013 following a breach of the retailer’s systems.

The lawsuit argues that:

  • Visa is not allowed to require other companies to pay penalties, citing Visa’s own operating regulations and California law.
  • Genesco was never out of compliance with PCI DSS, and so it should not have been fined.

In December 2010 Genesco confirmed that a breach had happened within its credit card processing environment, and speculation at the time was that the hackers had used a packet sniffer to siphon card data as it passed through the network.

The initial Visa fines of $5,000, issued via each of Genesco’s two banks in June 2011, are a standard charge; depending on your location it will be 5,000 of the local currency, for example $5,000, €5,000 or £5,000.

Irrespective of the currency, the 5,000 is nothing more than a formal acknowledgement that the merchant is non-compliant with PCI DSS, or was at the time.

If a merchant has never successfully completed an audit or Self Assessment Questionnaire (SAQ) then they are non-compliant; bearing in mind that the standard was issued almost 8 years ago, I think it is about time they were compliant.

However, in the case of a merchant who was successfully audited but then had a breach or failed to maintain the standard, it is not so black and white.

Merchant who suffers a Data Breach

A data breach at a PCI DSS compliant merchant is normally discovered by the card schemes’ algorithms, which work back from fraudulent activity to find the centre of the breach. Once the merchant at the centre of the breach is established, they are required to undertake data forensics by an approved forensic company, which, using extensive skills and tools, will establish how the card data was stolen, for example via packet sniffing. The forensic report is shared between the affected parties: the merchant, the bank and the card companies.

The results of the forensic investigation may or may not show that the merchant had been compliant with the standard at the time of the breach. It is reasonable to assume that the bad guys installed software on, or broke into, Genesco’s systems; almost all scenarios for such a break-in are covered by the PCI DSS, and therefore the company could not have been taking adequate steps and was, by definition, not adhering to the requirements of the standard, which means they were not compliant.

Merchant who fails to maintain the standard

It is very difficult to find a merchant who has failed to maintain the required standard unless:

  • there is a breach
  • there is a whistle-blower
  • a customer or someone similar notices practices that do not appear secure

At this point the merchant will be required to prove they are still abiding by the standard, which may take the form of a forensic investigation, an audit, a letter from their QSA or a letter from their directors.

The non-compliance fine is not the biggest problem for Genesco; it is the $13.3 million fine levied by Visa via Genesco’s two banks (Wells Fargo $12 million and Fifth Third $1.3 million) for the costs incurred by Visa while resolving the breach, e.g. card replacement, fraud cover, etc.

“Visa’s imposition of the (fines) is a violation of Visa’s contract (with the banks), because at the time of the intrusion and all other relevant times, Genesco was in compliance with the PCI-DSS requirements,” the lawsuit stated. It added later:

“Visa does not even pretend that the Non-Compliance Fines represent actual damages that Visa incurred by reason of the Acquiring Banks’ alleged failure to cause Genesco to maintain compliance with the PCI-DSS requirements.”

The interesting thing for me is the nature of the relationship between merchants and Visa, MasterCard and the other card providers. The card company provides the facilities for the merchant’s (retailer’s) customers to buy from them in a secure and efficient way. The merchant pays a percentage of each transaction to cover the costs (and profits) of the card companies, and this percentage is agreed in a contract: the same commercial contract that sets out the other terms and conditions, including the security required to perform the transaction.

To avoid confusion and rogue traders, the card companies created the Payment Card Industry Security Standards Council, which took the best security practices from its five card company members to create the Data Security Standard (PCI DSS).

This standard is an extension of the contract, as are the agreements for fees.

However, because the cost of a data breach can never be known until it has occurred, it is impossible to quantify the cost of a breach in a contract. This is where I have a great deal of sympathy for merchants: they are agreeing to fines but have no idea how much they are going to be, or could be.

I remember a meeting with several of the card companies where the discussion centred on repeat offenders, i.e. merchants who kept being breached or who refused to become compliant with PCI DSS. Whilst fines were mentioned, it was agreed that merchants might be tempted to absorb small fines if that was cheaper than achieving the required security standard, and then the ultimate sanction was raised… STOPPING THEM FROM TAKING CREDIT CARD PAYMENTS.

What a sanction that is, because for almost all e-commerce businesses and most consumer-driven businesses that would mean going out of business in a matter of weeks, or possibly months.

As a consumer, all I care about is being safe from the costs of fraudulent activity against my stolen card, but increasingly we as consumers are worried about the threat to our identity and expect, when card details are leaked, to be covered for all identity-based threats resulting from the possible loss of data. That increases the cost to the breached company, possibly via the card company.

I have a huge amount of sympathy for Genesco and every other merchant affected by a breach, because they do not know what the possible cost to them will be. They cannot take out cyber-insurance against a specific amount “just in case”; they have to hope that the loss to the card company is not too great.

That is not a great way for a merchant to mitigate its risk, and it cannot benefit the card companies, who want prosperous and secure merchants to help them grow their profits.

The solution is simple: the card companies have to introduce and publish a schedule of fines from which a merchant can calculate their risk.

If a merchant knows, based on their transaction rate, that they could be liable for fines of $13.3 million, then they can invest greater resources in breach prevention or take out insurance against the cost of a breach; either way they can make an informed risk assessment.

Similarly, if merchants who have not yet completed their PCI DSS compliance process know they could be fined for non-compliance PLUS X or Y for a breach, they will very quickly run a risk assessment.

Let’s hope a result of this action is a clearer picture on fines, because clarity in business and risk is essential.


midata kicks off with the support of government and businesses

The UK Government has announced a ground-breaking joint venture with 26 organisations to empower consumers to have more control over their personal data.

midata, launched on the 3rd November 2011, is a voluntary scheme that will allow consumers to access their data in a safe and secure way and make better decisions reflecting their personal wants and needs. New services made possible by midata will further assist consumers, whether it be in getting the best deal on their mobile phone contract or energy tariff, or managing their lives more efficiently.

Launching the midata vision, Consumer Affairs Minister, Edward Davey said:

“Currently, most consumer data is held by service providers, meaning only one side of the customer-business relationship is empowered with the tools of information management. midata seeks to redress that balance.

“This is the way the world is going and the UK is currently leading the charge. We see a real opportunity here, but others, including the US and EU, are also showing real interest in the programme and the economic benefits it can deliver. So if we want to continue leading the way, we need to develop a platform upon which the innovation and services that drive growth can be built. midata aims to do just that.

“I’m delighted that so many organisations are supporting our vision and I look forward to working with them closely as the programme progresses.”

The midata programme marks a non-regulatory approach to consumer empowerment and is in keeping with the Government’s broader focus on transparency and openness.

The next step will include setting time lines and developing online ‘personal data inventories’ (PDIs) in each sector, which will describe the types of data an organisation holds about each customer.

Protocols will also be established to handle any issues relating to privacy, data security and consumer protection. midata is also working with companies to develop common approaches that will allow customers to access their data including their contact details, current tariffs and contracts, etc and update basic information about themselves.

The PDI and access work will precede the release of data back to customers in an electronic format. The goal is to enable the first releases in the first half of 2012.

Businesses and organisations that have so far committed to working in partnership with Government to achieve the midata vision are:

  • Avoco Secure
  • billmonitor
  • British Gas
  • Callcredit
  • EDF Energy
  • E.ON
  • Garlik
  • Google
  • Lloyds Banking Group
  • MasterCard
  • Moneysupermarket.com
  • Mydex
  • npower
  • RBS
  • Scottish Power
  • Scottish Southern Energy
  • The UK Cards Association
  • Three
  • Visa

The other organisations involved are made up of government agencies and consumer groups.

The Government’s vision for midata

Consumer Data Empowerment

midata is a voluntary partnership between the UK Government, businesses, consumer groups, regulators and trade bodies to create an agreed, common approach to empowering individuals with their personal data.

midata recognises and supports the principle of individuals using their own customer information to gain an insight into their own behaviour, make more informed choices and better decisions, to manage their affairs more efficiently, and to obtain the products and services that best meet their needs.

midata is part of the Government’s growth agenda. It will help achieve economic growth by improving information sharing between organisations and their customers, sharpening incentives for businesses to compete keenly on price, service and quality, building trust and facilitating the creation of a new market for personal information services that empower individuals to use their own data for their own purposes.

Organisations can help realise the goals of midata by providing customers with the ability to access and re-use their ‘customer data’ – including data about customer transactions, interactions and usage behaviours that organisations collect.

The aim of the midata project is for organisations that collect, store and use customer data to endorse and work towards the following goals and principles.

Organisations collecting, using and holding customer data should:

  • Maintain and make available to customers accurate and up-to-date descriptions of the types of personal data they hold about these customers. (Consumer Data Transparency)
  • Develop, support and promote ways to release customers’ data back to them in a safe, privacy-friendly, portable and re-usable manner. This data should be made available to them online for free and to use as they see fit. (Consumer Data Access)
  • Minimise risks of data breaches and invasions of privacy. This includes:
    a) working to ensure that all personal information is accessed and released safely and securely
    b) helping to create a personal data environment that enables individuals to hold, use and share their data in ways they understand and can trust, which protects their interests and empowers them to use their data for their own purposes. (Consumer Data Security)
  • Work with other organisations via the midata project to encourage the innovation of new consumer information services that deliver midata goals. (Consumer Data Innovation)

Consumer Data principles

The following principles will guide the project:

  1. Data that is released to customers will be in reusable, machine-readable form in an open standard format.
  2. Consumers should be able to access, retrieve and store their data securely.
  3. Consumers should be able to analyse, manipulate, integrate and share their data as they see fit – including participating in collaborative or group purchasing.
  4. Standardisation of terminology, format and data sharing processes will be pursued as far as possible across sectors.
  5. Once requested, data will be made available to customers as quickly as possible.
  6. The focus will be to provide information or data that may be actionable and useful in making a decision or in the course of a specific activity.
  7. Organisations should not place any restrictions on or otherwise hinder the retention or reuse of data.
  8. Organisations will work to increase awareness amongst consumers of the opportunities and responsibilities that arise from consumer data empowerment.
  9. Organisations will provide customers with clear explanations of how the data was collected and what it represents, and who to consult if problems arise.


PCI Security Standards Council adds PCI PIN Security requirements to PTS standard

The PCI Security Standards Council (PCI SSC) has announced that the Council is expanding the PTS standards to encompass the PCI PIN Security Requirements, formerly administered by Visa and MasterCard, to provide organizations with one set of criteria for the protection of PIN data.

After officially taking over management of the requirements earlier this year, the PCI SSC solicited feedback from the PCI community to make updates to the standard. Today’s release contains a complete set of requirements for the secure management, processing and transmission of personal identification number (PIN) data at ATMs, and attended and unattended point-of-sale (POS) terminals. The PIN Security Requirements will be included in the current PTS security requirements.

The updated PTS program requirements and detailed listing of approved devices are available on the Council’s website here.

“Point of sale continues to be a security hotspot as criminals are using more advanced techniques to steal PIN and cardholder data,” said Bob Russo, general manager of the PCI Security Standards Council. “The requirements are specifically geared toward protecting not just the devices that accept PINs but also the people and processes surrounding them.”

The PCI PIN Security Requirements provide one set of criteria for the protection of personal identification number (PIN) data. For merchants, examples of common vulnerabilities for PIN theft that the requirements address include:

  • PINs that are not protected by a secure PIN block
  • Failure to use approved cryptographic devices for PIN processing
  • Cryptographic keys that are non-random, not unique, and never change
  • Few, if any documented PIN-protection procedures
  • Audit trails or logs that are not maintained

“With this addition to the PTS requirements, we hope to strengthen POS security at merchants around the globe,” noted Russo.

The Council will also host a Webinar for Participating Organizations and the public outlining the newest updates to the PIN Transaction Security program, including the PIN Security Requirements, followed by a live Q&A session.

Register for the November 8 session here.

Register for the November 10 session here.


Merchants are more concerned about their brand than PCI fines


A joint CyberSource and Trustwave survey has shown that nearly 70% of Merchants cited the need to “protect the brand” as the primary driver for tightening controls against hackers and other payment security risks.

Only 26 percent said avoiding fines resulting from non-compliance with the Payment Card Industry Data Security Standard (PCI DSS) was the key motivator.

A few highlights from the report include:

  • Brand Protection is Key Driver of Investment: The need to protect the organization’s brand and its revenues was given as the primary driver for investment in payment security.
  • Threat from External and Internal Sources Perceived as Equal: While the successes of external hackers often make headlines, employees can be an equally damaging source of risk. The survey found that organizations perceive the threats from internal and external sources as being nearly equal.
  • Trend Towards Remote Data Storage: With the need to secure payment data and efficiently comply with PCI DSS, organizations are planning to shift their payment data security approach from an on-site strategy to a remote one. Those organizations that had already made the shift reported shorter time-to-compliance and fewer full-time equivalent employees managing payment security.
  • Payment Security Cost and Complexity Expected to Increase: Most survey respondents expect that the technological complexity, cost, and resources required to manage payment security will increase over the next 24 months.

“A breach has serious consequences for nearly every division of an eCommerce merchant’s organization,” said Dayna Ford, Senior Director, Product Management at CyberSource. “But by far the most damaging impact is to the company’s brand, affecting revenue, customer loyalty, and even stock valuation. Knowledge of this phenomenon is now widespread, so we’re not surprised at the survey finding that puts brand integrity as the most important rationale for payment security investment.”

“In the face of increasing numbers of security breaches and data theft, there’s a real urgency for organizations to deploy powerful and effective security strategies,” said James Paul, Senior Vice President of Global Compliance Services at Trustwave. “Studies like ‘The Payment Security Practices and Trends Report,’ published today, should help organizations learn best practices and likely costs to attain appropriate levels of security.”

Selected survey findings

  • Data moving out: Over the next 24 months, an increasing proportion of organizations expect to remove payment data from their environment as a way of reducing security risks.
  • Efficiency improving: Organizations that do not capture, transmit, or store data inside their own network tend to employ fewer personnel, validate PCI DSS compliance more quickly, and operate at a lower overall cost of payment security management.
  • “Data out” merchants spend less on infrastructure: 75 percent of PCI DSS Level 1 merchants that have removed payment data from their environments spend less than $500,000 on their payment security infrastructure. Only 60 percent of those that keep data in-house can make that claim.
  • Risk not confined to outsiders: In one counter-intuitive finding, respondents said they felt the threat of payment data theft from inside employees was about equal to the threat from external hackers.

Read the full report here (registration is required).

Learn more about the Payment Card Industry Data Security Standard (PCI DSS) by visiting my PCI DSS Resources page here.


Five Ways to Fall Victim to Credit Card Fraud


Originally published on September 09, 2011 by Fox News, this article by Lora Shinn is a simple but effective guide to avoiding becoming another victim of credit card fraud.

Review these mistakes to avoid becoming a victim of debit or credit card fraud.

1. Failing to Look for Skimmers

Thieves may attach skimming devices to the exterior of an ATM or point-of-sale terminals requiring a PIN, or personal identification number. It’s worth the few seconds it takes to glance before you swipe.

“Always take a look at the machine to see if there (are) any visible traces of activity, such as glue or scuff marks or loose bits around the PIN pad or the place where you insert your card,” says Manisha Thakor, co-author of “On My Own Two Feet: A Modern Girl’s Guide to Personal Finance.” “Those are telltale signs that an attempt may have been made to attach a skimmer.”

She says you should pay close attention when you’re visiting an ATM in a low-traffic locale, where it’s easier for someone to attach a device. When in doubt, use a different ATM.

2. Banking Online in a Cafe

You may have free Wi-Fi access at your favorite coffee shop, but you might not want to use it to check the balance in your savings account. If you’re using an open wireless network, it’s easier for hackers to intercept online transactions, passwords and other private business.

“It’s not the time to do financial business, your online banking or your shopping,” says Marian Merritt, a Norton Internet safety advocate at Symantec, a manufacturer of security software.

That goes for websites that start with HTTP and HTTPS as well because you don’t know how securely the coffee shop, hotel or other free Internet access point is set up. Hackers can set up “man in the middle” attacks to grab your passwords, card number and other information while you’re on the public network. So enjoy the latte and save checking your credit card statement for later.

3. Responding to Phishing Messages

If you receive a text message on your phone from your bank, and it asks you to log into your card account immediately — but you didn’t contact the bank — raise your mental drawbridge. The same goes for a message that arrives via Facebook, Twitter or any other mode of communication.

“Any unsolicited phone call, email, text or social media message could be a phishing attempt,” says Erik Mueller, vice president of payment system integrity at MasterCard Worldwide. “Be skeptical of these messages, especially if they request credit or debit card data or personal information, or link to another website or Web page.” With the right data, a phisher will quickly find a way to commit credit card fraud.

If you think the message might be legitimate or you have concerns about fraud, contact your issuer directly using the customer service phone number on the back of your debit or credit card.

4. Ignoring Your Rights and Responsibilities

If you’ve lost your credit or debit card, suspect it was stolen or think someone has lifted your number off the Internet, call your card issuer immediately. Credit cards offer the greatest protection against fraud. Most card issuers provide zero-liability fraud protection, and federal law says once you report the loss or theft, you have no further responsibility for unauthorized charges. Your maximum liability under federal law is $50 per card.

With debit cards, your responsibilities and rights change. While you may have zero-liability fraud protection on your debit card, it may not apply to PIN-based transactions or ATM withdrawals. Federal law also has some caveats when it comes to debit card fraud protection. If someone made fraudulent purchases with the debit card data and you don’t report the theft immediately, your liability could skyrocket, especially if you wait longer than 60 days to report it. In addition, if a thief uses your debit card to drain your bank account, you’ll be short on cash while your bank investigates.

5. Not Using Free Fraud Protection

Additional fraud protection is available for free by numerous card issuers and financial institutions, though most require a little investigation or enrollment. For example, the Verified by Visa program sets up Visa cardholders with an additional password they can use to shop at participating online merchants. MasterCard SecureCode works similarly. It requires the user to enter the correct PIN during checkout at a participating online retailer.

Another option: Try one-time or “virtual” credit card numbers, which are offered by some banks such as Citibank and Bank of America. These numbers are used for only one purchase and then are no longer usable — so you don’t have to worry they’ll be swiped and reused by a fraudulent user.

You can also minimize debit and credit card fraud by making use of free account alerts, which notify you when certain transactions or changes occur, such as a transaction for more than a certain dollar amount or a purchase made overseas.

Check your bank or card issuer’s site to find out whether they participate in these programs and services.

The original Fox News post can be found here.


Exactly how many Merchants are PCI DSS compliant?


The proportion of merchants who are compliant with the Payment Card Industry Data Security Standard (PCI DSS) varies from continent to continent and country to country, but the figures released by Visa for the US make interesting reading.

The table below shows the results for the US up to 30 June 2011, as per the VISA.com website.

| Cardholder Information Security Programme (CISP) Category (Visa transactions per year) | Estimated population size | Estimated % of Visa transactions | PCI DSS compliance validated | Validated not storing prohibited data |
|---|---|---|---|---|
| Level 1 Merchant (>6M) | 377 | 50% | 97% | 100% |
| Level 2 Merchant (1-6M) | 881 | 13% | 96% | 100% |
| Level 3 Merchant (e-commerce only, 20,000-1M) | 3,024 | <5% | 60% | N/A |
| Level 4 Merchant (<1M) | ~5,000,000 | 32% | Moderate * | TBD |
| VisaNet Processor (Direct Connection) | 62 | 100% | 94% | High |
| Agent (Downstream) | 1,262 | N/A | 83% | High |

* Level 4 compliance is moderate among stand-alone terminal merchants, but lower among merchants using integrated payment applications.

Since the PCI DSS standard was released and enforced, Level 1 merchants have been the main focus of the card issuing companies and, of course, the QSAs, because, as the table above shows, they represent the largest percentage of transactions for a single group and are a small enough number to manage easily. This focus is why Visa can report a near 100% validation rate for Level 1 merchants.

The largest risk group by number of businesses is the Level 4 merchants, with over 5,000,000 in the US alone.

Level 4 merchants have not yet achieved a % on the Visa chart. This is probably because they do not need to have their Self Assessment Questionnaire (SAQ) validated by an external party, e.g. a QSA, except in rare circumstances. Relying on the merchant’s ability to understand the requirements of PCI DSS and to put in place the processes, policies and protections required to protect card data requires a lot of “faith” on Visa’s part.

The majority of credit card breaches happen in Level 4 Merchants, e.g. restaurants and hotels, which is why Visa is pushing EMV on a world-wide basis.

All in all it looks like the majority of Merchants are PCI DSS compliant, which means the programme is doing some good…


25% of Mobile Network Operators are not PCI DSS Compliant

Vesta Corporation conducted a survey of Mobile Network Operators (MNOs) in the USA and Europe and discovered that over a quarter of them were non-compliant with the Payment Card Industry Data Security Standard (PCI DSS).

Of equal concern are the 35% who did not know of the potential financial penalties they could face in the event of an Account Data Compromise (data breach).

Key findings of the survey

  • 25% of respondents are not currently PCI DSS compliant
  • 35% of respondents are unaware of potential penalties for non-compliance
  • The average cost of initial PCI DSS compliance was approximately $700,000 USD
  • Over 50% were spending over $1,390,000 USD annually in PCI compliance maintenance costs.
  • 69% of respondents stated that more than three people in their organization work full time on maintaining PCI compliance.
  • 56% felt that the greatest impact of a security lapse or data breach to their business would be a loss of customer confidence.
  • Over a third of these maintain an internal security group for PCI compliance.
  • Under a quarter of respondents maintain PCI DSS via cross functional teams that receive direction on a group level with local implementation.
  • All respondents regard the touchpoints of live agent, Web and retail as very important to the success of their organization’s PCI compliance.
  • The areas of highest concern mentioned by the operators included ensuring applications and systems are compliant; network monitoring and scanning; and vulnerability management.

“The survey shows that there is clearly room for improvement by the mobile operator community in addressing PCI DSS compliance, and it is critical that operators not yet compliant take appropriate measures to ensure the security of their customer’s sensitive cardholder data,” said Joshua Rush, VP Marketing at Vesta. “However, compliance should not be viewed as a mandatory demand by the card associations but as a competitive sales and marketing differentiator at a time where data security is of paramount concern to subscribers.”

The white paper can be downloaded here.

For more information on PCI DSS visit the PCI resources page here.


PCI Compliance Risks for Small Merchants and where they are failing


Trustwave have released a supplement to their 2011 Global Security Report: Payment Card Trends and Risks for Small Merchants.

According to the report, Merchants fail to achieve PCI DSS compliance in several areas, the top 6 being:

99.2%   Track / Monitor Network Access
98.4%   Regularly Test Security
97.5%   Maintain a Firewall
95.1%   Maintain Internal Security Policies
92.6%   Assign Unique User Ids
90.9%   Develop Secure Systems and Applications

The report states, “approximately 90% of compromises came from the Level 4 merchant space in 2010.” PCI DSS categorises a Level 4 merchant as a business that processes fewer than 20,000 Visa e-commerce transactions annually, or any other merchant processing up to 1 million Visa transactions annually.

The top 5 Industry Sectors that experience a PCI DSS compromise are:

57.0%   Food and Beverage
18.0%   Retail
10.0%   Hospitality
6.0%   Government
6.0%   Financial

Breaches occur in 5 specific areas, with the majority occurring because of weaknesses in software:

75.0%   Software POS
11.0%   Employee Workstation
9.0%   e-commerce
3.0%   Payment Processing
2.0%   ATM

The Report lists the top five areas where Merchants are falling short of compliance, expressed as the SAQ questions they fail:

  1. Do you have written security policies and procedures that address the protection of paper with credit card numbers such as receipts and the physical security of your card processing device?
  2. Do you have a formal training program for all relevant employees that teaches them about security as it relates to credit cards, paper with credit card numbers on them and the devices that process credit card transactions?
  3. Do you or does anyone at your business log or record your customers’ credit card numbers in a computer, for example, in a back office computer, a laptop or financial application?
  4. Do you check your store or office for unauthorized wireless access points on at least a quarterly basis?
  5. Do you perform external (Internet) network vulnerability scans at least once per quarter?

Cost of non-compliance

Trustwave’s Report states “Fines have averaged $5,000 to $15,000 per card brand. We see forensic investigations start in the $10,000 to $15,000 range as well. Card re-issuance and fraud loss are dependent on the size of the breach. However, fines can vary greatly depending on a number of factors and can reach into the hundreds of thousands of dollars in some cases”.

Trustwave www.trustwave.com

See the PCI Resources page for more details on PCI DSS


Comparison Of Cost Of Ownership Between In-House And Managed Pay


An interesting article comparing two payment methods a Merchant could choose.

It is written by a managed payments provider, but it tries to present its assumptions and figures as accurately as it can.

“The objective of this study is to compare an in-house supported credit/debit card EMV (Europay, MasterCard and Visa) Chip & PIN and PCI-DSS (Payment Card Industry Data Security Standard) accredited payment solution with a managed outsourced payment service solution provided by YESpay through a comprehensive financial model analysis, consisting of cost-of-ownership and cash-flow analysis.

Cost-of-ownership and cash-flow analysis provides a good base for comparing the financial propositions of the two payment solutions, namely, in-house and managed. Combining this with the intangible costs and benefits of the two systems gives a complete comparative analysis.

The result of this study shows that by outsourcing their payment solution to a third party payment service provider, mid- to top-tier retailers can save more than 50% on cost of ownership of their payment solution depending on size of the POS till requirements.”

Access the white paper here: Comparison Of Cost Of Ownership Between In-House And Managed Pay (registration required). It was written by Vivek Singh.

For more information on PCI DSS visit the PCI Resource centre here.


CyberSource Brings World’s Largest Fraud Detection Radar to Online Merchants

CyberSource, a Visa company (NYSE: V), today announced availability of the world’s largest real-time fraud detection radar, empowering online merchants to pinpoint fraud faster, more accurately, and with less manual intervention.

This advance enables merchants to conduct more accurate analyses of their inbound orders, including comparison of those orders to the over 60 billion transactions Visa and CyberSource process annually, including orders that were confirmed to be fraudulent.

Data insight derives from transactions across multiple payment types and from merchants worldwide, spanning online, call center, mobile and POS sales channels. The transaction data is supplemented by 200 validation and correlation tests. This solution effectively expands the depth and breadth of transaction pattern visibility.

The new development comes at an opportune time:

  • eCommerce merchants say fraud became more sophisticated and harder to detect in 2010, and this challenge is likely to grow. Download the CyberSource 2011 Fraud Report here 
  • 90% of online thieves are now associated with organized crime. Details of Fraud patterns can be found here
  • “botnet” infections are growing at a rate of approximately 200,000 per day. Download the “10 Botnet Questions” White Paper here

The ability to accurately detect fraud in such a sophisticated criminal environment requires correlating vast amounts of information to detect subtle anomalies.

“Data is the lifeblood of fraud detection,” said Michael Walsh, CyberSource President and CEO. “When Visa acquired CyberSource, one of the stated goals was to deliver a new level of fraud prevention to online merchants, enabled by our end-to-end view of electronic transactions, worldwide. We are now delivering exactly that.”

Read the full PRnewswire press release here
