Neil Cattermull delivers his perspective on the recent credit card breaches in a two-part blog series.
Over the years all of us have come to rely on pieces of plastic that allow us to spend more money than we have. We all have one and many of us have three or more. Credit cards have been with us since the 1980s, starting with the traditional debit cards. We all know the main providers, and to some people they are even status symbols for showing off the amount of wealth they have (Black, Platinum, Gold and others). It started with a signature being required, then a memorable PIN (which most people keep the same across all of their cards) and recently the contactless verification systems.
Nothing new to tell you, I hear you say? Yes, you are right, this is not news. However, what is news is that the big players' processing systems (based out in the US) have now been hacked, allegedly by a taxi cab parked in a car park, and according to the Daily Mail this affects over 10 million users of the cards. Yes, I did say that correctly: 10 million. This reminds me of the Heartland Payment Systems fraud a few years ago, when 130 million credit and debit card records were stolen from their (and others') computer systems because inadequate security principles and safeguards were in place! One 29-year-old hacker was sentenced to prison until 2025 and, guess what, he had been doing it since 2003 and was only arrested in 2008!
So back to the latest security breach, Global Payments
Global Payments Inc (GPN on the NYSE) have been violated by hackers, which very quickly today knocked nearly 10% off their share value, and it would have been more if the stock hadn't been frozen. So who are "Global Payments Inc" and why should that affect the Visa/MasterCard that's in my wallet? Well, let me explain and try to shed some light on the subject.
I have a Visa card, and I go to pay for that expensive lunch with said card. It gets processed, with a tip if I am feeling generous, and off it goes into cyberspace to be checked and debited against my name and account. At this stage my specific data from that transaction has been sent to a third party that follows through that transaction on behalf of the card provider, effectively executing that transaction. It is at this stage that the fraud begins, with a hacker tapping into this data and capturing it. Now they have my card details and the identification that belongs to that card. Happy shopping!
The CEO of Global Payments Inc was strangely unavailable to comment, and both Visa and MasterCard have stated "our own systems have not been breached and the account data may have been compromised at a 3rd party entity". Neither firm specified how many customers may be affected. So that's alright then: their systems are safe, just not the ones that actually carry out the transaction. Due diligence springs to mind.
So what regulations are in place to stop this happening? Well, there's a standard called PCI-DSS (Payment Card Industry Data Security Standard) that lays down the framework and rules intended to ensure this exact situation does not happen. Now, I am not sure what has happened in the US with Global Payments Inc's security, but it seems to me that it may not have been quite up to standard, or at least not checked and audited regularly. But what really worries me is that the UK has not seen this wave as yet, and further research uncovered (in an article published on the callcentrehelper.com website) that only 37% of contact centres in the UK judge themselves PCI-DSS compliant. If this wasn't bad enough, the vast majority (89%) admitted to not understanding its requirements and penalties. This seems to me like a bomb waiting to go off. Imagine all of the times you have given your credit card details to insurers, online stores and other contact centres when purchasing goods over the phone. Absolutely incredible, isn't it, and there's all of us worrying about our own home PCs and protection!
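One very concrete thing PCI-DSS asks of anyone handling card data (processors and contact centres alike) is that the full card number (the PAN) is never left lying around in plain text, for instance in application logs; at most the first six and last four digits may be shown. The script below is an added illustration written for this post, not code from Global Payments, Visa or any PCI-DSS body: it scans constructed sample log lines for digit runs that pass the Luhn check (the checksum every real card number satisfies) and masks them. The log lines and card numbers are made up, and the 16-digit number in the first line is a well-known synthetic test number, not a live account.

```python
import re

# Constructed sample log lines for this example (not real data). The card
# number in the first line is a synthetic Luhn-valid test number.
SAMPLE_LOG = [
    "2012-03-30 12:01:07 auth ok card=4111111111111111 amount=42.50 merchant=cafe",
    "2012-03-30 12:01:09 auth ok card=411111******1111 amount=42.50 merchant=cafe",
    "2012-03-30 12:02:11 decline card=1234567890123456 reason=invalid",
    "2012-03-30 12:03:00 batch settled count=1200",
]

# Card numbers are 13 to 19 digits long; word boundaries stop us matching
# digit runs embedded in longer tokens.
_CANDIDATE = re.compile(r"\b\d{13,19}\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first 6 and last 4 digits (the PCI-DSS display limit), star the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scrub_line(line: str) -> tuple[str, int]:
    """Mask every Luhn-valid 13-19 digit run in a line; return (scrubbed, count)."""
    count = 0

    def repl(m: re.Match) -> str:
        nonlocal count
        candidate = m.group(0)
        if luhn_valid(candidate):
            count += 1
            return mask_pan(candidate)
        return candidate            # not a card number, leave it alone

    return _CANDIDATE.sub(repl, line), count


def scrub_log(lines):
    """Scrub a sequence of log lines; return (scrubbed_lines, total_pans_found)."""
    out, total = [], 0
    for ln in lines:
        scrubbed, n = scrub_line(ln)
        out.append(scrubbed)
        total += n
    return out, total


if __name__ == "__main__":
    cleaned, found = scrub_log(SAMPLE_LOG)
    print(f"full PANs found and masked: {found}")
    for ln in cleaned:
        print(ln)
```

Running it reports one full PAN in the constructed sample: the already-masked value on the second line is untouched, and the third line's number fails the Luhn check, so it is left as-is. A stricter scrubber would mask any 13-19 digit run regardless, at the cost of more false positives; either way, the useful habit is to run something like this over logs before they leave the card-processing environment, and to treat any hit as a process failure to fix upstream rather than a log to tidy.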
When discussing this in more detail with various sources, only a few companies were willing to comment. One of them was Firehost, a leading US and now UK-based IT hosting company specialising in the secure hosted market. Jim Ciampaglio, Global SVP, states:
"Security is paramount for any company and needs to be tested regularly. So many times firms adopt really solid security policies at the start of their lifecycle, but over time policies get side-stepped and circumvented. Regular testing and compliance audits are critical. Without this in place big holes open up in rigid systems."
To be honest, I totally agree with Jim, and it's satisfying that his company is now established in the UK. There is an absolute need for a company such as Firehost here in old Blighty, as I still think security is not taken seriously enough, and they have a 100% record.
Another company I spoke to was PSTG Ltd, an IT solutions provider in the cloud services sector. Dirk De Vos, one of the managing partners, spoke out and told me: "This breach highlights the huge risk with larger organisations that use third party companies to manage or deliver services using secure data. Visa & MasterCard hold extremely sensitive data and their partners need to be stringently checked to ensure lapses in security like this don't take place.
Both Visa and MasterCard, who spend tens of millions on their security infrastructure, have been let down by their third party handler and hopefully they can learn from their mistakes and ensure this doesn't happen again. If anything it reinstates the adage 'Cash is king' and you should probably not be handing your Visa/MasterCard to random taxi drivers."
So what can we do to limit our risk? Let's face it, you, the individual with the card paying for that expensive meal, cannot do very much, to be honest. This is down to the chaps that hold your data and their security principles (the same in every industry). However, there are some really basic things that you can do to limit your risk. For example, I have credit cards (4 to be exact) and I only use one specific card to conduct web-based and "over the phone" transactions. This card has a very small limit (£250), so I know, hand on heart, that that is the most fraud on it can cost me. Simple. Or, even better, pay with good old cash, but watch out at the ATM: there's a long history of those being hacked too!