New Techniques for Guarding Financial Data

February 7th, 2007

In the 2/6/07 edition of E-Commerce Times, Andrew Rolfe has published an article that discusses ways to use out-of-band authentication to secure online transactions. He defines this as “the use of two separate networks working simultaneously to authenticate a user.” The practice of two-factor authentication has certainly received much press, but out-of-band authentication is a relatively new concept.

Mr. Rolfe discusses the increased sophistication of criminals, particularly through the proliferation of malware and phishing. He describes how out-of-band authentication for activities such as online financial transactions can be used to thwart criminal activities. In particular, he describes how some financial institutions now use the telephone network as out-of-band authentication for certain types of transactions such as balance transfers. The article is a good read if you want to stay up on the latest ideas in this industry.

Increased Scrutiny From Card Associations in 2007

February 6th, 2007

In the latest issue of The Green Sheet, David H. Press writes about the increased scrutiny to expect in 2007 from the credit card associations. He cites a Visa announcement that states: “By combining both incentives and fines, we expect acquirers to increase their efforts with merchants to accelerate their progress toward becoming PCI-compliant and eliminating the storage of sensitive card data. Nothing is more important to Visa than securing commerce.”

Visa estimated that PCI compliance among level 1 merchants would be only 65% at the end of 2006. Effective Oct. 1, 2007, acquirers whose merchants have validated their PCI-compliance may qualify to get lower interchange rates for both Visa and Interlink tiers. Visa has also announced fines for data compromises – regardless of the size of the merchants.

Visa has also stepped up their enforcement of PCI-compliance for merchants and service providers, even before data breaches occur. Visa stated, “For prohibited data storage, acquirers failing to provide confirmation that their level 1 and 2 merchants are not storing full track data, CVV2 or PIN data by March 31, 2007, will be eligible for fines up to $10,000 a month per merchant, subject to escalation in the event material progress toward compliance is not made in a timely manner.”

The State of PCI Compliance 2007

January 28th, 2007

Ellen Messmer has written an excellent article in the 1/25/07 edition of Network World entitled “Credit Card Industry Struggles to Enforce Security Standard.”

Rob Tourt, vice president of network services at Discover, comments on the state of PCI compliance and admits that compliance is not widespread. “All the merchants are required to comply with the PCI data-security standards or face fines.”

Ms. Messmer writes that “Visa’s new approach calls for levying punitive fines on banks that fail to get their merchant customers to comply with the PCI standard….”

A very interesting fact is that, according to Visa, only 36% of level 1 merchants are PCI compliant, and only 15% of level 2 merchants. Visa levied $4.6 million in fines in 2006.

Perhaps the most interesting part of the article is Ms. Messmer’s assessment that “The frequency of news about data breaches could soon put the card-processing business community in the hot seat with Congress. The new chairman of the House Financial Services Committee, Barney Frank (D-Mass.), voiced dismay earlier this month over the TJX breach, and his aides suggested he might consider legislation aimed at payment-card protection.”

Background Checks on IT Personnel

January 23rd, 2007

Alice Snell has written an excellent article in the 1/22/07 issue of Network World entitled “IT Security Gets Personal.” She builds the case for conducting background checks on IT staff and cites interesting statistics related to background checks. For example, an estimated 7% to 12% of applicants are rejected due to results of background checks, with about 5% to 6% due to criminal issues and about 2% to 4% due to false information provided on resumes or job applications.

The article includes another astounding statistic: 75% of banking employees have stolen from their employers, according to U.S. Banker.

She concludes the article by stating: “Optimizing the IT background check process can improve accuracy, shorten turnaround time, and lower costs. Better quality screening results can safeguard both employees and employers.”

100 Million Notifications of Data Breaches in US

January 5th, 2007

In an article posted to www.TechNewsWorld.com on 1/4/07, Ed Moyle writes that there have now been roughly 100 million notifications sent to individuals in the US notifying them that their personal information has been compromised. He does point out that there is no way to know how many unique individuals have been impacted, since there could be some overlap. According to Mr. Moyle, “Looking ahead, it won’t be long before the majority of Americans will have been notified about a breach affecting their data.”

The article also provides practical tips for monitoring your personal records to watch out for fraud, as well as action steps to take in the event that you receive a notification of a data breach.

Inside Jobs: The Risk of Data Breach From Insider Threats

December 17th, 2006

An excellent article appeared in the December 11, 2006, edition of Information Week entitled Insider Threats. The article starts with a description of the now infamous attack by an employee against UBS Paine Webber. What is surprising is the fact that UBS did not conduct a background check before he was hired, nor before granting him the highest level of access to its computer systems. In this case, a background check would have revealed a criminal record. By the way, background checks are required to attain and maintain PCI compliance.

The article provides some interesting suggestions for reducing risks. One seemingly obvious suggestion is to revoke a terminated employee’s access privileges BEFORE the termination. However, Dawn Cappelli, a senior member at the CERT Coordination Center at Carnegie Mellon, stated that about half of all insider attacks occur after an IT employee is dismissed but before his/her access privileges are revoked.

Another tip for IT managers is to watch for warning signs in the behavior of their employees, such as “insubordination, anger over perceived mistreatment, or resistance to sharing responsibility or training colleagues.”

The article also suggests informing IT employees that their system access will be monitored and their system changes will be tracked. Another IT policy should be to grant each IT employee just enough privileges to get his/her job done. “Usually, a person who does damage was given more access than they needed,” according to Bill Moylan, senior director of Aon Consulting’s IT risk group.

Good article — great tips — well worth reading.

Card Associations Step Up PCI Enforcement

December 12th, 2006

The 11/25/06 edition of The Green Sheet has a very interesting article entitled Card Associations Get Aggressive on PCI Enforcement. According to the article, Visa has publicly indicated its intent to begin levying fines for noncooperative level 1 merchants. Visa’s projection is that 65% of level 1 merchants will be compliant by year-end, according to Hector Rodriguez, director of Payment System Risk & Compliance for Visa. “Penalties may be levied to an acquirer if its merchants fail to comply with the PCI Data Security Standard, particularly in the event of a compromise or in cases where a merchant retains full track data,” according to Martin Elliott, vice president for Emerging Risk at Visa.

The article cites an interesting case involving a data breach at Chipotle Mexican Grill. “Prior to August 2004, the possible theft of patrons’ card data led to up to 2,000 incidents of fraudulent charges totaling $1.4 million, for which the restaurant became liable. … After the possible thefts came to light, [Chipotle] set aside $4 million to cover reimbursement of fraudulent charges, the cost of replacing cards, monitoring expenses, and fines imposed by Visa and MasterCard. … In its 2005 annual report, the company disclosed fines from Visa and MasterCard totaling a combined $1.3 million, which had been levied against the restaurant’s acquiring bank. Adding in legal fees, the chain’s total expenses related to its liability stand at $5.5 million….”

The article goes on to address the common misconception that fines are only levied by Visa and MasterCard when data breaches have occurred. “While Chipotle’s fines stemmed from an actual compromise, acquirers face potential fines of $10,000 to $100,000 monthly for their merchants’ failure to become compliant, according to Visa.” Unfortunately, there are still some merchants and service providers that pretend that they are unlikely targets and that their risk is minimal – in effect, sticking their heads in the sand and ignoring compliance requirements.

According to Mr. Herman of Visa, Visa considers storage of full-track magnetic stripe data to be “an egregious violation, which is susceptible to fines ranging up to $100,000 per month until compliance is achieved.” The article also asserts that the Federal Trade Commission can “levy penalties that can go well beyond fines from the Card Associations.”

As has been noted in prior posts to this blog, there is a significant benefit for organizations that achieve and maintain compliance with PCI: safe harbor. According to the article, “Acquirers for all levels of merchants who are in full compliance with PCI at the time of a security breach would not be subject to Visa fines,” citing Mr. Elliott of Visa.

Given the investment that Visa and MasterCard have made in instituting the PCI standards, and given the scrutiny that Congress has imposed regarding data breaches and security, it would seem likely that articles like this will become commonplace in the near future.

CompTIA Survey Emphasizes Importance of Security Training

December 1st, 2006

In the November 20, 2006, edition of eWeek, Brian McCarthy, COO of the Computing Technology Industry Association (CompTIA), reports on results from the 4th annual CompTIA study of information security threats and responses. He states that this year’s study revealed that human error was responsible for nearly 60 percent of data breaches, up from 47 percent last year. Given the role of human error, the shocking revelation of the study is that only 29 percent of the 574 organizations participating in the survey have a required security training program for their IT staff.

With the plethora of news stories about data breaches, it is truly fascinating that such a small percentage of organizations have implemented security training. Mr. McCarthy also points out the value that such proactive training has: “Yet among those organizations that use security training, 84 percent said that it has resulted in a reduced number of major security breaches since implementation; typically through increasing awareness, giving staff the tools to better identify security risks, and improving security measures in general and response time of staff to problems.” You mean the training actually worked???

Average data breach costs $5 million

November 16th, 2006

Network World’s 11/6/06 edition features an article that focuses on the costs of data breaches. The headline is “Average data breach costs companies $5 million” which clearly summarizes the entire article. The article is based on results from a study conducted by the Ponemon Institute.

According to the Privacy Rights Clearinghouse, there have been 254 data-breach incidents this year. The Ponemon study found that it costs an average of $182 for each compromised data record, which is up from $138 last year, an increase of over 30%.

At first glance, these numbers seem exorbitant. According to Andrew Krcik with PGP, “By not connecting the dots, companies are not seeing the true costs and, therefore, the true value of preventative measures.” So the old adage, an ounce of prevention is worth a pound of cure, certainly rings true regarding data security.