23 October 2014

Prevent Protect Pursue

Robin Adams - The Logic Group

14 | posts 67,303 | views 0 | comments

Information Security

The risks from Cyber cime - Hacking - Loss of Data Privacy - Identity Theft and other topical threats - can be greatly reduced by implementation of robust IT Security controls ...

Comprehensive Protection Against Fraud

22 July 2010  |  5024 views  |  1

In the past decade there has been a sharp increase in focus on the security of cardholder data held by third parties. High profile data breaches and the associated losses resulting from the fraudulent use of compromised cardholder data have made global headlines and have struck fear into consumers and merchants alike.

Well publicised breaches include the Heartland payment Systems Inc in 2008 and TJX Companies Inc in 2007. In both cases it was reported that well over 40 million card details were compromised. Although breaches tend not to be as well publicised in Europe (as the duty of disclosure is not mandated), in the UK fraud is known to have accounted for £610M of transactions in 2008 which was 0.12% of the total card turnover.

However fraud can and does, hit every corner of a business. According to a survey published in April 2010 by PwC, 92% of large British businesses have experienced some kind of security breach in the past year – including attacks by cybercriminals and accidental leaks of confidential data. According to the report, large companies are dealing with an average of 45 incidents a year – up from 15 only two years ago – and the cost incurred to deal with these incidents is soaring with the worst cases cited as costing as much as £690,000 to fix.

In addition to putting measures in place to prevent fraud at the point of purchase, merchants must also protect their infrastructures from security breaches and attacks. If network infrastructures are not protected from hackers’ intent on obtaining sensitive information such as cardholder data, hackers will penetrate systems and steal consumer and business information which will be used for fraudulent activity.

All businesses, regardless of size or industry, need to fully understand the scope of their fraud and security landscape and put measures in place to prevent fraudulent activity from occurring. This includes reviewing exposure to card data fraud, identity fraud, internal fraud and sector specific fraud. Implementing the correct procedures (and ensuring that the people in the business are aware of and following those procedures), incorporating appropriate anti-fraud systems, adhering to industry initiatives such as 3D Secure and CV2, and training staff to recognise fraudulent activity should all be part of an overall anti-fraud strategy.

A multifaceted approach

The most comprehensive way for a merchant to protect their infrastructure is by complying to the Payment Card Industry Data Security Standard (PCI DSS) which was introduced to address the increasing threat of the loss of cardholder data and protect infrastructures from attack. Merchants, acquirer’s, payment service providers and issuers are now mandated to become compliant with this standard to protect cardholder data both in transmission and at rest throughout the payment network infrastructure.

PCI DSS is multifaceted and includes requirements for security management, policies and procedures, network architecture, software design and other critical protective measures. This includes building and maintaining a secure network, protecting cardholder data through encryption technology, developing and maintaining secure systems and applications, implementing access control measures, regular testing of security systems and processes, and maintaining a policy that addresses information security.

Though PCI DSS may initially be daunting, merchants should view compliance not just as a mandate, but as a critical component of their overall security and anti-fraud strategy. Opportunistic fraudsters continue to strike across different channels and securing infrastructure against a breach is a necessary element of any security strategy.

The cost of non-compliance

While there is a significant threat of fines for non-compliance to the standard, merchants should also consider that a data breach resulting from non-compliance will inevitably result in significant damage to brand reputation. A report by Ipsos MORI found that merchants could expect to see customers abandoning firms that suffer security breaches (53% of respondents), opting to cancel their credit cards (48% of the respondents) and lastly reporting them to the police (20% of the respondents) or national consumer bodies (17% of the respondents).

The Logic Group recently carried out its fifth annual survey of PCI DSS compliance and awareness which encouragingly revealed that there is a growing trend toward adoption of the standard by card security professionals and that the standard is achieving its objectives. According to the study, 83% of businesses believe that their organisation is more or significantly more secure due to PCI DSS which is good news for all.

The survey also discovered that organisations, although more attuned to the benefits of PCI DSS than ever before, are almost unanimous (98%) in their belief that greater focus should be placed upon improving security not just achieving compliance for the sake of it. Perceived wisdom is that if organisations focus on comprehensive security across their business channels, then compliance will follow.

There are many specialists who can help organisations implement and comply with PCI DSS, however there are only around 40 organisations with Qualified Security Assessors (QSAs) in the UK which are authorised to conduct on-site audits validating a merchant’s adherence to the requirements of the PCI DSS. To become a QSA their suitability as an organisation has to be reviewed as part of a rigorous application process, before an organisation can receive approval from the Security Standards Council to put forward a number of individuals to take the QSA training course and exam.

When implemented correctly, the requirements of the PCI DSS successfully protects merchants from data exposure and compromise. As a result, on-site PCI DSS audits performed by QSAs have become vital in today’s environment. How successfully an assessment is conducted can have a significant impact on the implementation of PCI measures and controls, which can be a costly and quite painful process for merchants, so it is a qualification that comes with significant responsibilities.

Although increasing numbers are embracing the broader benefits of PCI DSS, many however are still underestimating the amount of time it will take to achieve compliance. At the beginning of 2008 71% of respondents said they were either already compliant or expected to be compliant within 12 months. One year on though the figure to have successfully achieved full compliance still stands at only 25%.

Constant evolution

Technology and business processes linked to fighting card fraud and sustaining compliance are rapidly evolving and keeping up can be a challenge. Attacks and techniques are increasingly innovative and fraudsters are ever persistent. In addition to putting measures in place to prevent fraudulent activity, organisations need to protect their infrastructure against security breaches and for this PCI DSS compliance is a must.

End to end encryption (E2EE) is a system which requires that card data is encrypted or more simply speaking, scrambled, at the point of payment, using a secure device. The data is only decrypted, or reformed within a secure data centre which has been certified as a PCI DSS compliant environment. This practice ensures that card data is not exposed to the threat of fraud whilst it is being transferred to the point of storage.

Putting preventative and protective measures in place however isn’t foolproof; unfortunately 100% security doesn’t exist. The reality is that even if an organisation is PCI DSS compliant, they may still be the victim of a breach. Merchants therefore should also have procedures in place to prepare themselves for the eventuality of a compromise so they are ready to pursue and rapidly respond to any external or internal breach should it occur.

Comprehensive protection against fraud TagsSecurityPayments

Comments: (1)

Uri Rivner - BioCatch - Tel Aviv | 27 July, 2010, 08:15

Very good article.

Many of the credit card data breaches happen at the merchant processor level. Heartland is a classic example: it processed transactions for 250,000 businesses, and was breached by the infamous Albert Gonzalez, who was charged with stealing 130 million cards, most of them from Heartland.

An interesting move in this respect was the announcement of First Data, one of the biggest merchant processors, that it now offers merchants a tokenization of credit card data (http://www.finextra.com/news/announcement.aspx?pressreleaseid=29858)

It works like this: once a payment card is used at a merchant’s Point of Sale (POS) device, it is encrypted, sent to First Data, and is immediately replaced with a token value that looks like a credit card number but cannot be linked in any way with the original. If someone inside or outside First Data ever gets their hands on these tokens, they can’t use them anywhere because they’re not the actual card numbers. This dramatically reduces the PCI DSS compliance costs as you don’t need to protect actual card numbers.

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Comment on this story (membership required)
Log in to receive notifications when someone posts a comment

Latest posts from Robin

New Requirements for Point to Point Encryption

18 October 2011  |  5122 views  |  0  |  Recommends 0 TagsSecurityPaymentsGroupInformation Security

Are compromised certificates the root of all Evil?

15 September 2011  |  4153 views  |  1  |  Recommends 0 TagsSecurityRisk & regulationGroupInformation Security

Comparing Mobile and Contactless Payments

25 July 2011  |  6434 views  |  3  |  Recommends 0 TagsCardsPaymentsGroupInformation Security

Assessing Risk? Ask a pigeon.

14 July 2011  |  5773 views  |  0  |  Recommends 1 TagsSecurityRisk & regulationGroupInformation Security

The PCI SSC Publish Virtualisation and Cloud Advice

23 June 2011  |  5051 views  |  0  |  Recommends 0 TagsSecurityRisk & regulationGroupInformation Security
name

Robin Adams

job title

Director of Security Fraud Risk Mgmt

company name

The Logic Group

member since

2010

location

Fleet

Summary profile See full profile »
Robin Adams, Director of Security, Fraud and Risk Management is a Qualified Security Assessor (QS...

Robin's expertise

Robin's blog archive
2011 (8)2010 (6)

Who is commenting on Robin's posts