Combating plastic crime: card payment security is fighting back
15 Aug 2011
Topics: Card payments, card crime, payment security, PCI DSS
Incredibly, up until 2005, individuals could log on to the website of the International Association for the Advancement of Criminal Activity (IAACA) and openly buy or sell stolen credit and debit card details. Later that year, IAACA even changed its name to the more easily understood Theft Services.
The US Department of Justice published a report on this site and closed it and several other "carding forums" down. Such sites usually provide a range of services to members, including tutorials on how to defraud; message posting to enable members to buy and sell blocks of stolen account information; hyperlinks for hacking tools; and, hilariously in the circumstances, areas designated for naming and banning individuals who steal from other members.
The existence of such sites proves that criminals are highly organized in trafficking the fruits of large-scale data theft. As the US Department of Justice noted: "Such large-scale data breaches have revolutionized the identity theft landscape, in particular as it relates to fraud on existing accounts by use of compromised credit and debit card account information."
The impact of this is very real for those businesses that are hacked. Take TJX Companies Inc, the parent company of retail brands T.J. Maxx, Marshalls and HomeGoods, among others.
In January 2007, TJX initially identified 45.7 million credit and debit cards that had been compromised. In due course, that number grew to over 94 million affected accounts. By August of 2007, TJX admitted that the data breach had already cost it $256m, with some analysts predicting the total bill for the retailer could top $1bn.
Extent of fraud
In Britain, one-third of us have been the victim of card fraud in the past five years, according to payment software group ACI Worldwide. This puts Britain second only to China for card crime.
A report by the UK Cards Association suggests things are improving, with a 20 per cent reduction in card fraud losses in the first half of 2010 compared with the same period of 2009. However, that still left a total reported loss of £186.8 million between January and June 2010 - crudely calculated, likely to be more than £370 million last year. In Europe, the picture varies widely: the French pioneered smart cards and the Germans still prefer cash, so levels of fraud are much lower than in the UK.
Total fraud loss figures for the US are hard to come by, but a 2010 report estimated a figure of around $3,718 billion in 2006.[1] In Latin America, Brazil experiences the highest amount of credit card fraud, twice that of Chile and five times more than Argentina. Mexico was considered a black spot until the introduction of more secure verification procedures, which led to an 85 per cent decrease in online credit card fraud in some areas.
Ironically, because of the prevalence of organized crime rings, sophisticated anti-fraud technology is more widespread in Asia. Credit cards are also used less - only about 14 per cent of the Chinese population, for instance, has a credit card, but that number is growing.
Fighting back
The industry has responded to the problem of payment card crime with a number of major initiatives, with evident success. Sophisticated fraud screen detection tools are helping banks and retailers to tackle phone, internet and mail order fraud, while card security measures like MasterCard SecureCode and Verified by Visa are also working.
Meanwhile, statistics show that chip-and-PIN payment cards have been very successful at reducing fraud in face-to-face transactions and ATM withdrawals, and fraud involving lost and stolen cards, as they make it very difficult to counterfeit a payment card. These cards are currently being adopted in many countries around the world.
Continual investment in technology is also raising the technical defences that help prevent criminals from "skimming" the magnetic strip details from cards. And the forces of law and order are becoming more organized in dealing with this type of crime.
In addition, and to specifically address large-scale hacking, a growing number of retailers are implementing the cardholder data protection processes required of them by the Payment Card Industry Data Security Standard (PCI DSS).
Industry standard
The PCI Data Security Standard is the product of a unique collaboration between the world's major payment brands: American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. Together, they founded the PCI Security Standards Council, which developed and manages the PCI DSS (and a couple of other related standards).
While the Council looks after the standards, each of the payment brands is responsible for how the standards are applied. However, all have made it mandatory that any entity storing, processing or transmitting cardholder data - everything from major corporations to the smallest online store - must be compliant with the PCI DSS.
For the most part, the card payment companies also operate a four-tiered system of compliance requirements. Merchants that process fewer than 20,000 MasterCard or Visa transactions a year (Level 4) need to self-certify their compliance. Those at Level 1, with more than six million MasterCard or Visa transactions a year, need to submit an annual compliance report, audited by either an internal or third-party Qualified Security Assessor (QSA). They must also carry out a quarterly network scan by an Approved Scanning Vendor (ASV). BSI Group is accredited in Japan as a QSA.
Compliance requires that organizations follow the standard's requirements for security management, policies, procedures, network architecture, software design and any other critical protective measures. Organizations need to assess what cardholder data they handle and analyze their procedures for any vulnerabilities. They must fix any weaknesses; ensure they're only holding details deemed necessary; and submit compliance reports as required.
Putting it into practice
The good news is that a recent survey, published in February 2011, found security compliance measures actually reduce long-term expenses for organizations. Moreover, the 160 companies interviewed said that out of the many compliance initiatives the survey reviewed, the PCI DSS is the security compliance measure they focus on the most. The study found that the most compliant companies and agencies spend, on average, $3.5 million annually on security, while non-compliant companies spend an estimated $9.4 million.
Not such good news is that, so far, compliance with PCI DSS is patchy. Toshi Yonezawa, product manager of PCI DSS for BSI Japan, notes, for example, that, "At this point, PCI DSS is seen as an industrial standard for service providers and merchants with heavy traffic, so it's not well known yet."
Lisa Dargan is the Business Development Director of Ultima Risk Management (URM), a UK-based information security consultancy and an accredited PCI QSA. URM is also an Associate Consultant for BSI Group in the UK. Dargan feels that compliance in the UK is far from universal.
"Even major retailers are not yet compliant," she says, "because it's not easy." She explains that when a number of high street stores are sending transaction data to head office, each store, the company's network, its head office and its backup network will all fall into scope. The whole environment needs to be implemented with the requirements of PCI DSS in place, which can make compliance a very expensive exercise.
Pragmatically, some are setting the cost of compliance against the likely cost of fines for non-compliance or breaches, and are working towards becoming compliant at their own pace.
The difficulty is not lost on the card payment organizations. In theory, they could simply refuse to process transactions coming from non-compliant organizations, but that point does not seem to be imminent.
Visa Europe, for instance, told Business Standards that, while it sees PCI DSS compliance as vital for retailers to help them protect sensitive cardholder data, "... we understand that Level 1 merchants will typically have large and complex systems to secure, potentially multinational and across a number of payment channels. As a consequence, we have moved to a risk management approach, based on the PCI DSS prioritised approach, to help our members and merchants manage their compliance programmes."
It adds: "We continue to work with Visa Europe members who provide security remediation plans and anticipate compliance dates for all Level 1 merchants." And: "Visa Europe will continue to challenge plans that extend too far into the future or that do not address risks in an appropriately prioritised fashion."
The future for PCI DSS
It seems that all parties are working towards closing down the opportunities for card fraud and, indeed, levels are beginning to reduce. Moreover, PCI DSS can play a significant role in saving organizations money.
For now, Dargan sees many more organizations being driven by their acquiring banks to become PCI compliant. "Certainly, the adoption and the level of PCI DSS compliance is increasing," she says.
She predicts that, in future, it may largely be a question of critical mass. "I think the payment card companies need to get to the point where they can actually say, 'If you're not prepared to protect cardholder data in the way that we and the majority of our industry feel is appropriate, then we're not going to process your transactions, because we can't guarantee to our end customers that their information will stay secure.'" When that might happen, Dargan doesn't want to speculate. It may vary by industry and territory, with the US likely to go first.
Nevertheless, it's Dargan's view that compliance and awareness of the standard are growing. In due course, PCI DSS will increasingly be good news for the consumer and for organizations handling credit card data, and bad news for the thieves.
[1] http://weis2010.econinfosec.org/papers/panel/weis2010_sullivan.pdf
Business Standards © 2010. Editorial produced by Caspian Publishing in association with The British Standards Institution. Editorial opinions expressed on are not necessarily those of BSI Group or Caspian Publishing. Neither Caspian Publishing nor BSI Group accept responsibility for advertising or editorial content, nor for that appearing on linked third-party websites. Reproduction in whole or in part is forbidden without written permission from BSI Group or Caspian Publishing.