Archive for the Electronic Payment Security - General Category
New Techniques for Guarding Financial Data
February 7, 2007 by tim.
In the 2/6/07 edition of E-Commerce Times, Andrew Rolfe has published an article that discusses ways to use out-of-band authentication to secure online transactions. He defines this as “the use of two separate networks working simultaneously to authenticate a user.” The practice of two-factor authentication has certainly received much press, but out-of-band authentication is a relatively new concept.
Mr. Rolfe discusses the increased sophistication of criminals, particularly through the proliferation of malware and phishing. He describes how out-of-band authentication for activities such as online financial transactions can be used to thwart criminal activities. In particular, he describes how some financial institutions now use the telephone network as out-of-band authentication for certain types of transactions such as balance transfers. The article is a good read if you want to stay up on the latest ideas in this industry.
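To make the "two separate networks" idea concrete, here is a small simulation of the flow Mr. Rolfe describes. It is an added example, not code from the article or from any financial institution: the transaction is requested on one channel (the web session), a one-time code bound to that exact transaction is delivered on a second, simulated channel (the "phone call"), and only the code returned on the first channel completes the transfer. The class and function names, the 120-second code lifetime and the fake phone channel are all assumptions made for the example.

```python
"""Simulated out-of-band transaction authorization (constructed example).

Channel 1 (the web session) submits a transfer; channel 2 (a stand-in for the
telephone network) delivers a one-time code plus the transfer details. The user
must type the code back on channel 1. Nothing here talks to a real bank or a
real phone network; all names and values are hypothetical.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 120  # hypothetical validity window for the one-time code


@dataclass
class PendingTransfer:
    user: str
    to_account: str
    amount_cents: int
    code_hash: bytes      # only a keyed hash of the code is kept server-side
    created: float
    used: bool = False


class FakePhoneChannel:
    """Stand-in for the out-of-band channel: records what the user would hear."""

    def __init__(self):
        self.messages = []

    def __call__(self, user, text):
        self.messages.append((user, text))

    def last_code(self):
        # The code is the final token of the most recent message.
        return self.messages[-1][1].rsplit(" ", 1)[-1]


class OutOfBandAuthorizer:
    """Server side: issues codes over channel 2, verifies them on channel 1."""

    def __init__(self, phone_channel, clock=time.time):
        self._key = secrets.token_bytes(32)  # per-process secret for hashing codes
        self._phone = phone_channel          # callable(user, message)
        self._clock = clock                  # injectable for testing expiry
        self._pending = {}                   # transfer_id -> PendingTransfer

    def _hash(self, code, transfer_id, to_account, amount_cents):
        # The hash is keyed to the transfer id, destination and amount, so a
        # code issued for one transfer never verifies against another one.
        msg = f"{transfer_id}|{to_account}|{amount_cents}|{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def request_transfer(self, user, to_account, amount_cents):
        """Channel 1: record the transfer and push a code out on channel 2."""
        transfer_id = secrets.token_hex(8)
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[transfer_id] = PendingTransfer(
            user, to_account, amount_cents,
            self._hash(code, transfer_id, to_account, amount_cents), self._clock())
        # Sending the details with the code lets the user notice a destination
        # or amount they never requested before they approve it.
        self._phone(user, f"Transfer {amount_cents / 100:.2f} to {to_account}? Code: {code}")
        return transfer_id

    def confirm_transfer(self, transfer_id, code):
        """Channel 1: complete the transfer only with a fresh, unused, matching code."""
        p = self._pending.get(transfer_id)
        if p is None or p.used:
            return False
        if self._clock() - p.created > CODE_TTL_SECONDS:
            return False
        expected = self._hash(code, transfer_id, p.to_account, p.amount_cents)
        if not hmac.compare_digest(expected, p.code_hash):
            return False
        p.used = True
        return True


def demo():
    """Drive the flow with a fake phone and a controllable clock; return outcomes."""
    phone = FakePhoneChannel()
    now = [1_000_000.0]
    auth = OutOfBandAuthorizer(phone, clock=lambda: now[0])
    tid = auth.request_transfer("alice", "ACCT-42", 12_500)
    code = phone.last_code()
    wrong = "000000" if code != "000000" else "111111"
    results = {
        "wrong_code": auth.confirm_transfer(tid, wrong),
        "right_code": auth.confirm_transfer(tid, code),
        "replay": auth.confirm_transfer(tid, code),
    }
    tid2 = auth.request_transfer("alice", "ACCT-99", 5_000)
    results["code_from_other_transfer"] = auth.confirm_transfer(tid2, code)
    now[0] += CODE_TTL_SECONDS + 1
    results["expired"] = auth.confirm_transfer(tid2, phone.last_code())
    return results


if __name__ == "__main__":
    print(demo())
```

The point the simulation makes is that a password captured by malware or phishing on the web channel is not enough: the attacker also needs the code delivered on the second channel, and because the code is single-use, short-lived and bound to the transfer details, intercepting one code does not let it be replayed or redirected to a different transfer.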
Posted in Electronic Payment Security - General | No Comments »
Background Checks on IT Personnel
January 23, 2007 by tim.
Alice Snell has written an excellent article in the 1/22/07 issue of Network World entitled “IT Security Gets Personal.” She builds the case for conducting background checks on IT staff and cites interesting statistics related to background checks. For example, an estimated 7% to 12% of applicants are rejected due to results of background checks, with about 5% to 6% due to criminal issues and about 2% to 4% due to false information provided on resumes or job applications.
The article includes another astounding statistic: 75% of banking employees have stolen from their employers, according to U.S. Banker.
She concludes the article by stating: “Optimizing the IT background check process can improve accuracy, shorten turnaround time, and lower costs. Better quality screening results can safeguard both employees and employers.”
Posted in Electronic Payment Security - General | 1 Comment »
100 Million Notifications of Data Breaches in US
January 5, 2007 by tim.
In an article posted to www.TechNewsWorld.com on 1/4/07, Ed Moyle writes that there have now been roughly 100 million notifications sent to individuals in the US notifying them that their personal information has been compromised. He does point out that there is no way to know how many unique individuals have been impacted, since there could be some overlap. According to Mr. Moyle, “Looking ahead, it won’t be long before the majority of Americans will have been notified about a breach affecting their data.”
The article also provides practical tips for monitoring your personal records to watch out for fraud, as well as action steps to take in the event that you receive a notification of a data breach.
Posted in Data Breach Regulations, Electronic Payment Security - General | No Comments »
Inside Jobs: The Risk of Data Breach From Insider Threats
December 17, 2006 by tim.
An excellent article appeared in the December 11, 2006, edition of Information Week entitled Insider Threats. The article starts with a description of the now infamous attack by an employee against UBS Paine Webber. What is surprising is the fact that UBS did not conduct a background check before the employee was hired nor before granting him the highest level of access to its computer systems. In this case, a background check would have revealed a criminal record. By the way, background checks are also required to attain and maintain PCI compliance.
The article provides some interesting suggestions for reducing risks. One seemingly obvious one is to revoke a terminated employee’s access privileges BEFORE the termination. However, Dawn Cappelli, a senior member at the CERT Coordination Center at Carnegie Mellon, stated that about half of all insider attacks occur after an IT employee is dismissed but before his/her access privileges are revoked.
Another tip for IT managers is to watch for warning signs in the behavior of their employees, such as “insubordination, anger over perceived mistreatment, or resistance to sharing responsibility or training colleagues.”
The article also suggests informing IT employees that their system access will be monitored and their system changes will be tracked. Another IT policy should be to grant each IT employee just enough privileges to get his/her job done. “Usually, a person who does damage was given more access than they needed,” according to Bill Moylan, senior director of Aon Consulting’s IT risk group.
Good article — great tips — well worth reading.
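Two of the article's tips, revoking access before termination and granting only the privileges a job needs, can be turned into routine checks. The following is an added example, not part of the article or of any vendor's product: it runs over a constructed HR feed and a constructed IAM export and reports accounts that were still enabled when their owner was terminated, and active accounts holding privileges beyond a role baseline. The record layout, field names and role baseline are all assumptions for the example.

```python
"""Offboarding and least-privilege audit over constructed sample records.

Check 1: every account belonging to a terminated employee must have been
         disabled at or before the termination timestamp.
Check 2: every still-active account holds no privileges beyond its role's
         baseline.
The record layout and role baseline are hypothetical, not a real export format.
"""
from datetime import datetime, timezone

# Constructed HR feed: who left and when (UTC); None means still employed.
HR_RECORDS = [
    {"user": "jdoe",   "role": "dba",      "terminated_at": "2006-12-01T17:00:00Z"},
    {"user": "asmith", "role": "helpdesk", "terminated_at": None},
    {"user": "bwong",  "role": "sysadmin", "terminated_at": "2006-11-15T12:00:00Z"},
]

# Constructed IAM export: account state and the privileges currently granted.
IAM_ACCOUNTS = [
    {"user": "jdoe",   "enabled": True,  "disabled_at": None,
     "privileges": {"db_read", "db_write", "db_admin"}},
    {"user": "asmith", "enabled": True,  "disabled_at": None,
     "privileges": {"ticket_read", "ticket_write", "db_admin"}},
    {"user": "bwong",  "enabled": False, "disabled_at": "2006-11-15T11:30:00Z",
     "privileges": {"os_root"}},
]

# Hypothetical baseline: the privileges each role needs to do its job.
ROLE_BASELINE = {
    "dba":      {"db_read", "db_write", "db_admin"},
    "helpdesk": {"ticket_read", "ticket_write"},
    "sysadmin": {"os_root"},
}


def _ts(value):
    """Parse the constructed ISO-8601 'Z' timestamps as aware UTC datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_lingering_access(hr_records, iam_accounts):
    """Users whose account was still enabled at (or after) their termination time."""
    by_user = {a["user"]: a for a in iam_accounts}
    findings = []
    for rec in hr_records:
        if rec["terminated_at"] is None:
            continue  # still employed, nothing to check
        acct = by_user.get(rec["user"])
        if acct is None:
            continue  # no account on this system
        term = _ts(rec["terminated_at"])
        still_on = acct["enabled"] or acct["disabled_at"] is None
        if still_on or _ts(acct["disabled_at"]) > term:
            findings.append(rec["user"])  # access outlived the termination
    return findings


def find_excess_privileges(hr_records, iam_accounts, baseline):
    """Active accounts holding privileges their role baseline does not include."""
    roles = {r["user"]: r["role"] for r in hr_records}
    findings = {}
    for acct in iam_accounts:
        if not acct["enabled"]:
            continue  # disabled accounts are handled by the first check
        allowed = baseline.get(roles.get(acct["user"]), set())
        extra = acct["privileges"] - allowed
        if extra:
            findings[acct["user"]] = sorted(extra)
    return findings


if __name__ == "__main__":
    print("access outliving termination:", find_lingering_access(HR_RECORDS, IAM_ACCOUNTS))
    print("privileges beyond role baseline:",
          find_excess_privileges(HR_RECORDS, IAM_ACCOUNTS, ROLE_BASELINE))
```

On the sample data the first check flags jdoe (terminated, account still enabled) and passes bwong (disabled half an hour before termination), while the second flags asmith, a helpdesk user who somehow holds db_admin. Run against a real HR feed and IAM export on a schedule, both checks surface exactly the window Ms. Cappelli describes, where access lingers after dismissal, and the over-provisioning Mr. Moylan warns about.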
Posted in Electronic Payment Security - General | No Comments »
Card Associations Step Up PCI Enforcement
December 12, 2006 by tim.
The 11/25/06 edition of The Green Sheet has a very interesting article entitled Card Associations Get Aggressive on PCI Enforcement. According to the article, Visa has publicly indicated its intent to begin levying fines for noncooperative level 1 merchants. Visa’s projection is that 65% of level 1 merchants will be compliant by year-end, according to Hector Rodriguez, director of Payment System Risk & Compliance for Visa. “Penalties may be levied to an acquirer if its merchants fail to comply with the PCI Data Security Standard, particularly in the event of a compromise or in cases where a merchant retains full track data,” according to Martin Elliott, vice president for Emerging Risk at Visa.
The article cites an interesting case involving a data breach at Chipotle Mexican Grill. “Prior to August 2004, the possible theft of patrons’ card data led to up to 2,000 incidents of fraudulent charges totaling $1.4 million, for which the restaurant became liable. … After the possible thefts came to light, [Chipotle] set aside $4 million to cover reimbursement of fraudulent charges, the cost of replacing cards, monitoring expenses, and fines imposed by Visa and MasterCard. … In its 2005 annual report, the company disclosed fines from Visa and MasterCard totaling a combined $1.3 million, which had been levied against the restaurant’s acquiring bank. Adding in legal fees, the chain’s total expenses related to its liability stand at $5.5 million….”
The article goes on to address the common misconception that fines are only levied by Visa and MasterCard when data breaches have occurred. “While Chipotle’s fines stemmed from an actual compromise, acquirers face potential fines of $10,000 to $100,000 monthly for their merchants’ failure to become compliant, according to Visa.” Unfortunately, there are still some merchants and service providers that pretend that they are unlikely targets and that their risk is minimal – in effect, sticking their heads in the sand and ignoring compliance requirements.
According to Mr. Herman of Visa, Visa considers storage of full-track magnetic stripe data to be “an egregious violation, which is susceptible to fines ranging up to $100,000 per month until compliance is achieved.” The article also asserts that the Federal Trade Commission can “levy penalties that can go well beyond fines from the Card Associations.”
As has been noted in prior posts to this blog, there is a significant benefit for organizations that achieve and maintain compliance with PCI: safe harbor. According to the article, “Acquirers for all levels of merchants who are in full compliance with PCI at the time of a security breach would not be subject to Visa fines,” citing Mr. Elliott of Visa.
Given the investment that Visa and MasterCard have made in instituting the PCI standards, and given the scrutiny that Congress has imposed regarding data breaches and security, it would seem likely that articles like this will become commonplace in the near future.
Posted in Payment Card Industry / Credit Card Security, Electronic Payment Security - General | No Comments »
CompTIA Survey Emphasizes Importance of Security Training
December 1, 2006 by tim.
In the November 20, 2006, edition of eWeek, Brian McCarthy, COO of the Computing Technology Industry Association (CompTIA), reports on results from the 4th annual CompTIA study of information security threats and responses. He states that this year’s study revealed that human error was responsible for nearly 60 percent of data breaches, up from 47 percent last year. Given the role of human error, the shocking revelation of the study is that only 29 percent of the 574 organizations participating in the survey have a required security training program for their IT staff.
With the plethora of news stories about data breaches, it is truly fascinating that such a small percentage of organizations have implemented security training. Mr. McCarthy also points out the value that such proactive training has: “Yet among those organizations that use security training, 84 percent said that it has resulted in a reduced number of major security breaches since implementation; typically through increasing awareness, giving staff the tools to better identify security risks, and improving security measures in general and response time of staff to problems.” You mean the training actually worked???
Posted in Electronic Payment Security - General | No Comments »
Small E-Commerce Sites Targeted for Identity Theft
October 6, 2006 by tim.
Everybody knows that hackers focus their efforts on large e-commerce sites because of the huge treasure trove that these sites represent, right? Hackers aren’t going to waste their time going after small, virtually unknown e-commerce sites, are they? While this might be the conventional wisdom, Brian Krebs has a very interesting article in the 9/28/06 edition of The Washington Post that presents a totally different picture.
The article, titled ID Thieves Turn Sights on Smaller E-Businesses, describes how hackers penetrated a small e-commerce site and posted stolen credit card information “into an online forum that caters to criminals engaged in credit card and identity theft.” Mr. Krebs also exposes the sometimes false sense of security that is conveyed by security seals on sites.
I highly recommend this article as an exposé of how this dark world operates. Certainly, it is good for a site to be tested by a security scanning vendor. However, as Mr. Krebs points out, this is not foolproof, and he cites examples of how hackers penetrated sites that were thought to be secure. Here is one particularly revealing line from Mr. Krebs’ article: “Jason Lam, who teaches a course on securing Web sites for the SANS Institute, a Bethesda, Md.-based security research and training group, estimated that Web site scanning services in most cases only identify about 60 percent of a Web site’s potential security problems.”
This article really exposes the need for all merchants and service providers to become fully compliant with the Payment Card Industry (PCI) Data Security Standard (DSS). Many merchants and service providers claim that they are secure because they use SSL, or because they pass all the tests from a scanning vendor, or because they have a firewall. Yes, these are all good measures, but they are just a small part of the rigorous requirements of the PCI DSS.
As a merchant, particularly a small- to medium-sized e-commerce site, the easiest way to comply with the PCI requirements is to avoid them altogether by outsourcing to a PCI-compliant service provider. But don’t just take their word for it — the only way to know if a service provider is PCI compliant is to find them in Visa’s official List of CISP Compliant Service Providers.
Posted in Payment Card Industry / Credit Card Security, Electronic Payment Security - General | No Comments »
Welcome to ElectronicPaymentSecurity
September 22, 2006 by tim.
This blog is dedicated to providing the most up-to-date information about online payment security. Actually, it more broadly covers electronic payment security, because security requirements and regulations generally apply to all electronic payments – both online and offline. The convenience of electronic payments clearly has a price, as evidenced by the proliferation of credit card fraud, identity theft, and other crimes. Consider these statistics:
- 27.3 million Americans have been victims of identity theft in the past five years, with more than $56 billion in damages (see article in Transaction World)
- According to a report on consumer fraud and identity theft published by the Federal Trade Commission, internet-related complaints accounted for 46% of all fraud complaints in 2005
- The Privacy Rights Clearinghouse reports that data breaches since 2005 have involved more than 93 million consumer records
There is good news, however. Recently established industry requirements and government regulations, if properly followed, can alleviate and even eliminate the risks of fraud. What are these standards and regulations, and how can your organization comply with them? This site attempts to address many of the most common questions in familiar FAQ fashion. If you have a relevant question that is not addressed here, we will soon allow you to post a question about electronic payment security. We will do our best to have an industry expert respond to relevant questions and/or post a response on the site.
Posted in Electronic Payment Security - General | No Comments »