Blog article
See all stories »

The value of information through the ages

June 18, 1815. The defeat of Napoleon at Waterloo brought Nathan Rothschild £ 40 million and from the time the phrase: "Who owns the information, he owns the world" became known. After two centuries, this phrase has become stronger and has become a kind of slogan of the era of digitalization. 

History knows many examples of when information leaks led to multimillion-dollar losses. As the famous say, BIG DATA - BIG LOSS. Over the past few years, there have been several major "leaks". 

  • The first place in all ratings is taken by the leak of data from the American credit history bureau Equifax. Equifax is the largest credit agency in America. The company provides a wide range of services: from credit scoring and provision of credit ratings to credit monitoring services. July 2017 was not easy for the 143 million Americans affected by the company leak. Equifax has been accused of some security and response violations. The main flaw is the application vulnerability (which allowed attackers to gain access to user data). More precisely, not the vulnerability itself, but the fact that the company did not fix it. The stolen data included social security numbers, addresses, and dates of birth. And also the data of 209,000 credit cards. Equifax has been one of the most notable data breaches in recent memory. But this was certainly not the last case. 
  • In 2018, British Airways customers were pretty nervous. The hack affected customers (passengers) who made online reservations and provided names and home addresses. It was initially unclear how the violation occurred at all. But later it was discovered that a script had been modified on the company's site that sent customer information to an external database. 

And British Airways isn't the only carrier that has been hit by hackers. In March 2018, there was a leak of information about the customers of another carrier - Cathay Pacific. As a result of the hack, more than 850,000 passport numbers were stolen, as well as some credit cards. 

It's not just online payments that can be risky in terms of data interception. Every store purchase puts your credit card at risk. And if it's the same credit card that you use on the Internet, the consequences of a hack can be even more painful. 

  • In early April 2018, a major data breach was announced involving Hudson's Bay Co, the parent company of retailers Saks and Lord & Taylor. More than 5 million credit and debit cards have been listed for sale by a group called JokerStash. This card data was obtained from physical payments at stores in various locations, including the famous Saks Fifth Avenue. 

All of the above events could not pass without leaving a trace and not pull a series of consequences. First of all, these changes have directly affected merchants. Companies that are rewarded for their services/goods by paying users/buyers with credit cards. 

What is the first thing a merchant needs to know? What companies should do to protect themselves and their customers (or general industry rules and who regulates them)? 

The Payment Card Industry (PCI) is the payment card industry. Participants are all organizations that store, process and transmit cardholder data. 

After several major leaks, the Payment Card Industry Security Standards Board was established in 2016. The founders were international payment systems (Visa, MasterCard, American Express, JCB, and Discover). 

The security standards developed by the Payment Card Industry Security Standards Board apply to all organizations that accept payments through these payment systems. This applies not only to large organizations but also to small companies. 

The measure of ensuring compliance with PCI standards implies a comprehensive approach to ensuring information security of payment card data. 

Moreover, the requirements to comply with standards include both the software used by the company independently and the one that the company takes or leases (license). 

For merchants who use software for themselves, need to obtain a PCI DSS certificate. What for? First of all, it's reputable. Put an icon in the footer of your site and your customers (and not only) will know that you are serious about information security. And if the aesthetic component may not excite everyone, then opening accounts is a pain for many. And not opening an account due to the lack of certification is a very real picture. 

PCI DSS (Data Security Standard) is a data security standard for payments over the Internet (if the software for your own needs).

The PCI DSS standard regulates the rules for the operation of payment systems, as well as the procedures for their development and monitoring. 

The necessity for PCI DSS compliance is established by each payment system operator. Each payment system has its security program: for MasterCard is Site Data Protection (SDP); for American Visa - Cardholder Information Security (CISP); for European Visa - Account Information Security (AIS). 

The standard contains only 12 clear, detailed requirements: 

  • Computer network protection; 
  • Configuration of information structure components; 
  • Protection of stored cardholder data; 
  • Protection of transmitted data about cardholders; 
  • Anti-virus protection of information infrastructure; 
  • Development and support of information systems; 
  • Controlling access to cardholder data; 
  • Authentication mechanisms; 
  • Physical protection of information infrastructure; 
  • Information Security Management; 
  • Logging of events and actions; 
  • Information infrastructure security control. 

There are 4 levels of certifications are depending on the number of transactions processed per year. Kindly note, for organizations of the 1st level (more than 6 million transactions), apply increased requirements and external audit. For merchants 3-4 levels, we have a simple procedure it is quite enough to fill out a questionnaire corresponding to the activity (SAQ) to receive certification. 

PA DSS is a standard that is applicable for the software which is going to be rent.

PA-DSS certification is required for payment applications that hold, process, and transfer cardholders` information. What is the difference between PCI DSS and PA-DSS? The standards are related, however, PA DSS certification applies only to applications that are created to be sold or licensed. Applications developed for their own needs do not need to be certified according to this standard. 

Typical applications requiring PA-DSS certification are POS and ATM software modules. 

What information can be stolen and can all data be used against you (moment`s peace)? 

Leaks of data are more common than people think. Not all data breaches are widely reported in the media. 

It is important to note that data breaches by themselves do not directly affect your life. It depends on how the stolen information will be used (if it is used at all). The consequences of a data breach depend on the type of information stolen (what exactly was stolen). 

  • FULL NAME: name, address, and date of birth may not be enough to commit a scam. However, the thief may try to use this information to launch a phishing attack (try to force you to provide additional personal information: credit card number, etc.). 
  • E-mail: email addresses are not enough to outright credit card fraud or to steal your identity. The thief may try to get information from you by sending you emails on behalf of your bank. Do not forget about information hygiene - do not open suspicious letters, even if they came from a familiar mailbox (a friend could have been hacked and phishing through it). 
  • Usernames, passwords, and answers to security questions. It's worth starting to get nervous. It is not worth writing about how important this information can be (especially logins and passwords from online banking). 

Therefore, if you suspect that your internet banking login information may have been compromised as a result of a data leak, change your password immediately. It is recommended to change passwords (at least twice a year), especially for the most important accounts. 

  • Stolen credit and debit card numbers. Card numbers may not be enough to proceed, without your name, credit card expiration date, and CVV (security code) number on the back of your credit card. If all this information is available, fraudsters can create fake cards or make transactions on the Internet. 

Fraudulent activity can be detected as it occurs or when transactions are not completed. Frequent monitoring of your account can protect you. If you find out that your information may have been stolen as a result of a data breach, immediately start taking additional measures to protect your accounts.

1866

Comments: (0)

Ananstasiia Svarych

Ananstasiia Svarych

Partner

Taxus Law&Finance

Member since

06 May

Location

Kyiv

Blog posts

1

This post is from a series of posts in the group:

Banking Strategy, Digital and Transformation

Latest thinking in respect to Banking Strategy, Digital and Transformation. Harnessing our collective wisdom to make banking better. Ambrish Parmar


See all