Prevent credit card fraud with PCI DSS

Version 2.0 of the PCI DSS is now in effect

Organised e-crime is on the rise and has grown increasingly sophisticated. The thriving trade in zero-day vulnerabilities has been well documented, as has the practice of paying developers to write malicious code. Although the sophistication of the compromises has increased dramatically, the perpetrators are after the same fundamental personal data as before: online banking details, personally identifiable information and credit card details.

Modern business depends heavily on credit card transactions, which give consumers convenience and merchants more sales opportunities. With so much business transacted this way, it is no surprise that credit card fraud runs to billions of dollars globally.

Data released in December 2010 by the Australian Payments Clearing Association (APCA) shows that although credit and charge card fraud (signature-permitted debit and credit cards, and card not present transactions) dropped from 60.1 cents to 58.6 cents in every $1000 transacted, the incidence of fraud on these cards has risen from 28 to 34 in every 100,000 transactions.

Debit card fraud (POS and ATM PIN-only card transactions) increased from 7.4 cents to 10.7 cents in every $1000 transacted. The incidence of debit card fraud has risen from two to three in every 100,000 transactions.

Credit cards were hardest hit by card not present (CNP) fraud. A CNP transaction is one in which the card is not physically presented to the merchant, as with internet, phone and mail-order purchases. CNP fraud increased by 25 per cent to $102.6 million.

The biggest CNP threat comes from data security breaches or data theft. APCA recommends better implementation of the Payment Card Industry Data Security Standard (PCI DSS) to tighten control around card information, as well as improved authentication, as a critical first step in helping to reduce this type of fraud.

The PCI DSS is a set of comprehensive requirements for enhancing payment account data security. It was developed by the founding payment brands of the PCI Security Standards Council, including MasterCard Worldwide, Visa International, American Express, Discover Financial Services and JCB International, to help facilitate the broad adoption of consistent data security measures on a global basis. It provides best practices for securing IT systems and establishing processes for the use, storage and transmission of credit card data in e-commerce.

The PCI DSS applies to ALL merchants and service providers where a “Primary Account Number (PAN) is stored, processed, or transmitted”. It is only applicable to cards which include the brand of any of the five PCI members – typically credit cards but increasingly including debit cards as the card schemes expand their service offerings. By being PCI DSS compliant, merchants are helping to protect the confidentiality, availability and integrity of customer data.

PCI DSS groups its requirements under six control objectives:

  1. Build and maintain a secure network
  2. Protect cardholder data
  3. Maintain a vulnerability management program
  4. Implement strong access control measures
  5. Regularly monitor and test networks
  6. Maintain an information security policy.

Safeguarding your customers’ credit card data is essential to mitigating the risk of unauthorised use or disclosure, and a sound layered security model is paramount in achieving that goal. To comply with the standard, merchants and service providers holding cardholder data must meet 12 requirements:

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters (wireless supplement)
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
  5. Use and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications
  7. Restrict access to cardholder data by business need to know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information security for employees and contractors
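Requirements 3 and 10 are where most of the hands-on engineering work lands, so here is an added worked example, not from the article or from Bridge Point, of the checks a practitioner typically builds for them: a Luhn-validated scanner that finds PANs leaking into application logs, the display mask that requirement 3.3 permits (no more than the first six and last four digits), and a keyed one-way token for stored references under requirement 3.4. The log lines are constructed for the example, the card numbers are the public test PANs issuers publish for integration testing rather than real cards, and the function names are my own.

```python
import hashlib
import hmac
import re

# Constructed sample application log (not real data). The card numbers are
# the public issuer test PANs; the order and tracking numbers are made up.
SAMPLE_LOG = """\
2011-01-05 10:15:32 INFO order=8841 pan=4111111111111111 amount=59.95
2011-01-05 10:15:33 INFO order=8842 pan=4111 1111 1111 1111 amount=12.00
2011-01-05 10:16:01 DEBUG card=378282246310005 exp=0113
2011-01-05 10:16:02 INFO order=8843 tracking=1234567890123456 shipped
"""

# A PAN candidate: 13 to 19 digits, optionally separated by single spaces or
# hyphens, and not glued to other digits on either side. Timestamps and
# short reference numbers never reach 13 digits, so they are never candidates.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test. Every card-scheme PAN passes it, so it
    separates real PANs from other long numbers of the same length."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form allowed by requirement 3.3: first six and last four at most."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return the digit strings of every Luhn-valid candidate found in text."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def redact(text: str) -> str:
    """Replace each Luhn-valid candidate with its masked form; leave others alone."""
    def _sub(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)
    return PAN_CANDIDATE.sub(_sub, text)


def pan_token(pan: str, key: bytes) -> str:
    """Keyed one-way token for stored references (requirement 3.4).
    An unkeyed hash is not enough: once the six-digit BIN is known only
    about 10^9 Luhn-valid PANs remain, so plain SHA-256(PAN) is brute-forced
    quickly. The key must live outside the cardholder data store."""
    digits = re.sub(r"\D", "", pan)
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    print("PANs found in log:", find_pans(SAMPLE_LOG))
    print(redact(SAMPLE_LOG))
```

Running it over the sample log flags the three real PANs, including the one written with spaces, and leaves the 16-digit tracking number untouched because it fails the Luhn check; the redacted output is what a log line should have looked like in the first place. The scanner is a detective control for requirement 10, not a substitute for keeping PANs out of logs under requirement 3.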

The standard continues to grow and move with changes in technology. There are now more than 900 individual checks, each with associated evidence, that must be addressed in a Report on Compliance (RoC). With virtualisation becoming commonplace, the PCI Security Standards Council moved quickly to form a working group to determine a stance on virtualisation and its impact on the security of the Cardholder Data Environment (CDE). The Council’s recently released version 2.0 of the PCI DSS came into effect on 1 January 2011.

Version 2.0 does not introduce any new major requirements. The majority of changes are clarifications to make it easier for merchants to understand and adopt the standard. The standard and a detailed summary of changes can be found at

The standard is not a panacea, but compliance with it is a vast improvement on most organisations’ existing security posture. It has done a great job of highlighting the weaknesses in that posture and bringing much more focus, and hence risk reduction, to their overall security exposure.

Tim Smith is a director of Bridge Point Communications and is responsible for its Information Security Consulting Practice group. Bridge Point is a Qualified Security Assessor (QSA) under the Payment Card Industry Data Security Standard (PCI DSS) program and has five QSA consultants performing compliance and certification projects for clients across Australia.
