Archive for December 2006
Inside Jobs: The Risk of Data Breach From Insider Threats
December 17, 2006 by tim.
An excellent article appeared in the December 11, 2006, edition of Information Week entitled Insider Threats. The article starts with a description of the now infamous attack by an employee against UBS Paine Webber. What is surprising is that UBS did not conduct a background check before the employee was hired nor before granting him the highest level of access to its computer systems. In this case, a background check would have revealed a criminal record. By the way, background checks are required to attain and maintain PCI compliance.
The article provides some interesting suggestions for reducing risks. One seemingly obvious one is to revoke a terminated employee’s access privileges BEFORE the termination. However, Dawn Cappelli, a senior member at the CERT Coordination Center at Carnegie Mellon, stated that about half of all insider attacks occur after an IT employee is dismissed but before his/her access privileges are revoked.
Another tip for IT managers is to watch for warning signs in the behavior of their employees, such as “insubordination, anger over perceived mistreatment, or resistance to sharing responsibility or training colleagues.”
The article also suggests informing IT employees that their system access will be monitored and their system changes will be tracked. Another IT policy should be to grant each IT employee just enough privileges to get his/her job done. “Usually, a person who does damage was given more access than they needed,” according to Bill Moylan, senior director of Aon Consulting’s IT risk group.
Good article — great tips — well worth reading.
Posted in Electronic Payment Security - General
Card Associations Step Up PCI Enforcement
December 12, 2006 by tim.
The 11/25/06 edition of The Green Sheet has a very interesting article entitled Card Associations Get Aggressive on PCI Enforcement. According to the article, Visa has publicly indicated its intent to begin levying fines for noncooperative level 1 merchants. Visa’s projection is that 65% of level 1 merchants will be compliant by year-end, according to Hector Rodriguez, director of Payment System Risk & Compliance for Visa. “Penalties may be levied to an acquirer if its merchants fail to comply with the PCI Data Security Standard, particularly in the event of a compromise or in cases where a merchant retains full track data,” according to Martin Elliott, vice president for Emerging Risk at Visa.
The article cites an interesting case involving a data breach at Chipotle Mexican Grill. “Prior to August 2004, the possible theft of patrons’ card data led to up to 2,000 incidents of fraudulent charges totaling $1.4 million, for which the restaurant became liable. … After the possible thefts came to light, [Chipotle] set aside $4 million to cover reimbursement of fraudulent charges, the cost of replacing cards, monitoring expenses, and fines imposed by Visa and MasterCard. … In its 2005 annual report, the company disclosed fines from Visa and MasterCard totaling a combined $1.3 million, which had been levied against the restaurant’s acquiring bank. Adding in legal fees, the chain’s total expenses related to its liability stand at $5.5 million….”
The article goes on to address the common misconception that fines are only levied by Visa and MasterCard when data breaches have occurred. “While Chipotle’s fines stemmed from an actual compromise, acquirers face potential fines of $10,000 to $100,000 monthly for their merchants’ failure to become compliant, according to Visa.” Unfortunately, there are still some merchants and service providers that pretend that they are unlikely targets and that their risk is minimal – in effect, sticking their heads in the sand and ignoring compliance requirements.
According to Mr. Herman of Visa, Visa considers storage of full-track magnetic stripe data to be “an egregious violation, which is susceptible to fines ranging up to $100,000 per month until compliance is achieved.” The article also asserts that the Federal Trade Commission can “levy penalties that can go well beyond fines from the Card Associations.”
As has been noted in prior posts to this blog, there is a significant benefit for organizations that achieve and maintain compliance with PCI: safe harbor. According to the article, “Acquirers for all levels of merchants who are in full compliance with PCI at the time of a security breach would not be subject to Visa fines,” citing Mr. Elliott of Visa.
Given the investment that Visa and MasterCard have made in instituting the PCI standards, and given the scrutiny that Congress has imposed regarding data breaches and security, it would seem likely that articles like this will become commonplace in the near future.
Posted in Payment Card Industry / Credit Card Security, Electronic Payment Security - General
CompTIA Survey Emphasizes Importance of Security Training
December 1, 2006 by tim.
In the November 20, 2006, edition of eWeek, Brian McCarthy, COO of the Computing Technology Industry Association (CompTIA), reports on results from the 4th annual CompTIA study of information security threats and responses. He states that this year’s study revealed that human error was responsible for nearly 60 percent of data breaches, up from 47 percent last year. Given the role of human error, the shocking revelation of the study is that only 29 percent of the 574 organizations participating in the survey have a required security training program for their IT staff.
With the plethora of news stories about data breaches, it is truly fascinating that such a small percentage of organizations have implemented security training. Mr. McCarthy also points out the value that such proactive training has: “Yet among those organizations that use security training, 84 percent said that it has resulted in a reduced number of major security breaches since implementation; typically through increasing awareness, giving staff the tools to better identify security risks, and improving security measures in general and response time of staff to problems.” You mean the training actually worked???
Posted in Electronic Payment Security - General