Most people are aware that credit card fraud is a real concern, but how many know just how extensive a problem it is? Do they know, for example, that more than half of the largest security incidents ever recorded have involved card data? Take the Heartland breach in 2009, which compromised up to 100 million cards and more than 650 financial services companies. Or the Home Depot breach in 2014, involving a five-month attack on the retailer’s payment tills that is estimated to have compromised as many as 56 million credit cards.
Card data is also widely targeted, affecting a number of different sectors. The Trustwave 2014 Global Security Report found that most breaches last year targeted the retail (38%), food and beverage (18%), hospitality (11%), finance (9%) and professional services (8%) sectors. The bulk of those attacks were aimed at those organisations’ e-commerce platforms (54%), point of sale (33%) and data centres (10%).
There has also been a dramatic shift in the type of credit card fraud over the past few years, according to Financial Fraud Action UK 2013 stats. In 2002, 35% of fraud losses were from counterfeit cards and 26% from card-not-present fraud. By 2012, the figure for counterfeit cards had declined to 11%, while losses from card-not-present fraud accounted for 65% of the total. The reason for this is the emergence of chip and PIN, which has made it harder to commit fraud with counterfeit cards, in tandem with a huge increase in e-commerce activity that has made card-not-present fraud more attractive.
Relying on PCI
That’s why the payment industry has taken a standards and compliance approach to the problem, asking the industry as a whole, and the retailers who rely on it, to formalise their approach to security. The fight against credit card fraud has been spearheaded by the Payment Card Industry Security Standards Council (PCI SSC), which was established to help businesses process card payments securely and reduce card fraud. The organisation developed the worldwide PCI Data Security Standard (PCI DSS), a set of requirements designed to ensure merchants and service providers adequately protect cardholder data.
PCI DSS requirements apply to all payment channels, including retail shops, mail/telephone order companies and e-commerce businesses. There are different requirements depending on a range of criteria, such as cardholder data storage, processing channels, security protocols, transaction volumes and so on.
For example, merchants processing more than six million transactions a year are subject to an annual on-site audit and a quarterly vulnerability scan. Those with fewer transactions need to complete an annual self-assessment questionnaire and a quarterly vulnerability scan.
Organisations are required to install and maintain a firewall to protect cardholder data, encrypt the transmission of cardholder data across open public networks and develop and maintain secure systems and applications. They also need to restrict access to cardholder data on a ‘need-to-know’ basis (when access rights are granted to only the minimum amount of data necessary to perform a task), track and monitor all access to network resources and cardholder data, regularly test security systems and processes and maintain a defined formal information security policy. Enforcement measures such as audits and penalties for non-compliance may be necessary.
Security is only as strong as the weakest link
For most retailers, the security challenge goes well beyond their own internal systems and efforts to comply with important standards such as PCI DSS. The increasing importance of cloud computing means that retailers need to look towards their technology partners and suppliers to ensure there are no weak links in their security chain.
But closing the loop internally and working to the highest of security standards will ultimately stand for very little if vulnerabilities exist within technology partners. In the case of the Target breach, for example, it’s thought by many to have originated via a third-party vendor linked to Target. It’s perhaps the most high-profile illustration of the need for retailers to also draw their partners into their security circle, and to ensure consistency of approach.
Retailers can’t just build a virtual ‘wall’ around their own systems and rest easy believing their defences are strong. As the importance of third-party technology partners grows – particularly in areas such as cloud computing – retailers need to understand and trust the security standards of every partner providing a link to the outside world.
PCI DSS compliance can be a complex, time-consuming and expensive business, especially for smaller companies that have enough on their hands trying to meet the obligations of running their day-to-day operations. In many instances, they might be better served working with a service provider that is already PCI compliant and can take away a lot of the burden associated with achieving the PCI DSS requirements.
This can provide organisations with access to secure networks that protect cardholder data and meet the key security requirements of PCI DSS, while guaranteeing best practice in the face of an unwelcome increase in external threats to data – and customer – security.