In the past decade there has been a sharp increase in focus on the security of cardholder data held by third parties. High profile data breaches and the associated losses resulting from the fraudulent use of compromised cardholder data have made global headlines
and have struck fear into consumers and merchants alike.
Well publicised breaches include the Heartland payment Systems Inc in 2008 and TJX Companies Inc in 2007. In both cases it was reported that well over 40 million card details were compromised. Although breaches tend not to be as well publicised in Europe
(as the duty of disclosure is not mandated), in the UK fraud is known to have accounted for £610M of transactions in 2008 which was 0.12% of the total card turnover.
However fraud can and does, hit every corner of a business. According to a survey published in April 2010 by PwC, 92% of large British businesses have experienced some kind of security breach in the past year – including attacks by cybercriminals and accidental
leaks of confidential data. According to the report, large companies are dealing with an average of 45 incidents a year – up from 15 only two years ago – and the cost incurred to deal with these incidents is soaring with the worst cases cited as costing as
much as £690,000 to fix.
In addition to putting measures in place to prevent fraud at the point of purchase, merchants must also protect their infrastructures from security breaches and attacks. If network infrastructures are not protected from hackers’ intent on obtaining sensitive
information such as cardholder data, hackers will penetrate systems and steal consumer and business information which will be used for fraudulent activity.
All businesses, regardless of size or industry, need to fully understand the scope of their fraud and security landscape and put measures in place to prevent fraudulent activity from occurring. This includes reviewing exposure to card data fraud, identity
fraud, internal fraud and sector specific fraud. Implementing the correct procedures (and ensuring that the people in the business are aware of and following those procedures), incorporating appropriate anti-fraud systems, adhering to industry initiatives
such as 3D Secure and CV2, and training staff to recognise fraudulent activity should all be part of an overall anti-fraud strategy.
A multifaceted approach
The most comprehensive way for a merchant to protect their infrastructure is by complying to the Payment Card Industry Data Security Standard (PCI DSS) which was introduced to address the increasing threat of the loss of cardholder data and protect infrastructures
from attack. Merchants, acquirer’s, payment service providers and issuers are now mandated to become compliant with this standard to protect cardholder data both in transmission and at rest throughout the payment network infrastructure.
PCI DSS is multifaceted and includes requirements for security management, policies and procedures, network architecture, software design and other critical protective measures. This includes building and maintaining a secure network, protecting cardholder
data through encryption technology, developing and maintaining secure systems and applications, implementing access control measures, regular testing of security systems and processes, and maintaining a policy that addresses information security.
Though PCI DSS may initially be daunting, merchants should view compliance not just as a mandate, but as a critical component of their overall security and anti-fraud strategy. Opportunistic fraudsters continue to strike across different channels and securing
infrastructure against a breach is a necessary element of any security strategy.
The cost of non-compliance
While there is a significant threat of fines for non-compliance to the standard, merchants should also consider that a data breach resulting from non-compliance will inevitably result in significant damage to brand reputation. A report by Ipsos MORI found
that merchants could expect to see customers abandoning firms that suffer security breaches (53% of respondents), opting to cancel their credit cards (48% of the respondents) and lastly reporting them to the police (20% of the respondents) or national consumer
bodies (17% of the respondents).
The Logic Group recently carried out its fifth annual survey of PCI DSS compliance and awareness which encouragingly revealed that there is a growing trend toward adoption of the standard by card security professionals and that the standard is achieving
its objectives. According to the study, 83% of businesses believe that their organisation is more or significantly more secure due to PCI DSS which is good news for all.
The survey also discovered that organisations, although more attuned to the benefits of PCI DSS than ever before, are almost unanimous (98%) in their belief that greater focus should be placed upon improving security not just achieving compliance for the
sake of it. Perceived wisdom is that if organisations focus on comprehensive security across their business channels, then compliance will follow.
There are many specialists who can help organisations implement and comply with PCI DSS, however there are only around 40 organisations with Qualified Security Assessors (QSAs) in the UK which are authorised to conduct on-site audits validating a merchant’s
adherence to the requirements of the PCI DSS. To become a QSA their suitability as an organisation has to be reviewed as part of a rigorous application process, before an organisation can receive approval from the Security Standards Council to put forward
a number of individuals to take the QSA training course and exam.
When implemented correctly, the requirements of the PCI DSS successfully protects merchants from data exposure and compromise. As a result, on-site PCI DSS audits performed by QSAs have become vital in today’s environment. How successfully an assessment
is conducted can have a significant impact on the implementation of PCI measures and controls, which can be a costly and quite painful process for merchants, so it is a qualification that comes with significant responsibilities.
Although increasing numbers are embracing the broader benefits of PCI DSS, many however are still underestimating the amount of time it will take to achieve compliance. At the beginning of 2008 71% of respondents said they were either already compliant or
expected to be compliant within 12 months. One year on though the figure to have successfully achieved full compliance still stands at only 25%.
Technology and business processes linked to fighting card fraud and sustaining compliance are rapidly evolving and keeping up can be a challenge. Attacks and techniques are increasingly innovative and fraudsters are ever persistent. In addition to putting
measures in place to prevent fraudulent activity, organisations need to protect their infrastructure against security breaches and for this PCI DSS compliance is a must.
End to end encryption (E2EE) is a system which requires that card data is encrypted or more simply speaking, scrambled, at the point of payment, using a secure device. The data is only decrypted, or reformed within a secure data centre which has been certified
as a PCI DSS compliant environment. This practice ensures that card data is not exposed to the threat of fraud whilst it is being transferred to the point of storage.
Putting preventative and protective measures in place however isn’t foolproof; unfortunately 100% security doesn’t exist. The reality is that even if an organisation is PCI DSS compliant, they may still be the victim of a breach. Merchants therefore should
also have procedures in place to prepare themselves for the eventuality of a compromise so they are ready to pursue and rapidly respond to any external or internal breach should it occur.