Organised e-crime is on the rise and has grown increasingly sophisticated. The thriving business of buying and selling zero day vulnerabilities has been well documented, as well as the investment in paying developers to develop the malicious code. Although this level of sophistication in compromising systems has increased dramatically, it’s the same fundamental personal data that the perpetrators of these crimes are after; online banking details, personally identifiable information and credit card details.
Modern business depends a great deal on credit card transactions, providing convenience to consumers and more sales opportunities for merchants. With enormous amounts of business deals occurring in this way, it is no surprise that credit card fraud amounts to billions of dollars globally.
Data released in December 2010 by the Australian Payments Clearing Association (APCA) shows that although credit and charge card fraud (signature-permitted debit and credit cards, and card not present transactions) dropped from 60.1 cents to 58.6 cents in every $1000 transacted, the incidence of fraud on these cards has risen from 28 to 34 in every 100,000 transactions.
Debit card fraud (POS and ATM PIN-only card transactions) increased from 7.4 cents to 10.7 cents in every $1000 transacted. The incidence of debit card fraud has risen from two to three in every 100,000 transactions.
Credit cards were hardest hit by card not present (CNP) fraud. CNP is where the consumer is not physically present for the transaction such as over the internet, phone and mail purchases. CNP fraud has increased by 25 per cent to $102.6 million.
The biggest CNP threat comes from data security breaches or data theft. APCA recommends better implementation of the Payment Card Industry Data Security Standard (PCI DSS) to tighten control around card information, as well as improved authentication, as a critical first step in helping to reduce this type of fraud.
The PCI DSS is a set of comprehensive requirements for enhancing payment account data security. It was developed by the founding payment brands of the PCI Security Standards Council, including MasterCard Worldwide, Visa International, American Express, Discover Financial Services and JCB International, to help facilitate the broad adoption of consistent data security measures on a global basis. It provides best practices for securing IT systems and establishing processes for the use, storage and transmission of credit card data in e-commerce.
The PCI DSS applies to ALL merchants and service providers where a “Primary Account Number (PAN) is stored, processed, or transmitted”. It is only applicable to cards which include the brand of any of the five PCI members – typically credit cards but increasingly including debit cards as the card schemes expand their service offerings. By being PCI DSS compliant, merchants are helping to protect the confidentiality, availability and integrity of customer data.
PCI DSS consists of six categories:
- Build and maintain a secure network
- Protect cardholder data
- Maintain vulnerability program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy.
Safeguarding your customers’ credit card data is essential to mitigating the risk of unauthorised use or disclosure. A sound layered security model is paramount in achieving this goal. To comply with the standard, merchants and other service providers holding cardholder data need to do 12 things:
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters (wireless supplement)
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need to know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for employees and contractors
The standard continues to grow and move with changes to technologies. There are now more than 900 individual checks and associated evidence that have to be addressed as part of a report on compliance (RoC) program. With virtualisation becoming commonplace, the PCI Security Standards Council moved quickly to form a working group to determine a stance on virtualisation and its impact on the security of the Cardholder Data Environment (CDE). The Council’s recently released version 2.0 of the PCI DSS came into effect on 1 January 2011.
Version 2.0 does not introduce any new major requirements. The majority of changes are clarifications to make it easier for merchants to understand and adopt the standard. The standard and a detailed summary of changes can be found at www.pcisecuritystandards.org.
The standard, although not a panacea, is a vast improvement on most organisations’ security posture. It has done a great job in highlighting these inadequacies and bringing much more focus, and hence risk reduction, to their overall security exposure.
Tim Smith is a director of Bridge Point Communications and is responsible for its Information Security Consulting Practice group. Bridge Point is a Qualified Security Assessor (QSA) as part of the Payment Card Industry Data Security Standards (PCI DSS) program and has five QSA consultants performing compliance and certification projects for clients across Australia.