Addressing the Payment Card Industry Data Security Standard (PCI DSS)
Major credit card companies are pushing hard to stop the financial fraud incidents that have affected numerous organizations and their consumers. Consequently, organizations that accept payment card transactions are duly bound to comply with PCI DSS by the end of 2007. Organizations that fail to comply risk not being allowed to handle cardholder data, and fines of up to $500,000 if the data is lost or stolen. This white paper examines the requirements for adhering to PCI DSS, the implications of non-compliance, and how effective event log management and network vulnerability management play a key role in achieving compliance.
Credit cards are widespread and their use for online payments is increasing dramatically. There were 1.3 billion credit cards in circulation in the U.S. in 2004, with 76% of Americans having at least one credit card. Retail U.S. e-commerce sales in the fourth quarter of 2006 were $33.9 billion, a 25% increase over the same quarter in 2005.
There is bad news, however: credit card fraud (25%) was the most common form of reported identity theft in 2006. Considering that more than $48 billion was lost by financial institutions and businesses in that year due to identity theft, and $5 billion by individuals, it can be said that credit card fraud is digging deep into everyone's pockets. E-commerce fraud is also on the rise, reaching $3 billion in 2006, an increase of 7% over 2005. This white paper examines the consequences of cardholder data theft and addresses the following key questions:
- What is the PCI directive?
- Why is it important for your business to comply?
- What are the consequences of not complying?
- What solutions are available to address the PCI directive?
Cardholder data theft and fraud - some real cases
- February 18, 2005 - Bank of America claimed that it had lost more than 1.2 million customer records - though it said there was no evidence that the data had fallen into the hands of criminals.
- June 16, 2005 - CardSystems, a merchant payment-processing provider, was sued in a series of class action cases alleging that it failed to adequately protect the personal information of 40 million customers. CardSystems' business faced collapse as VISA and American Express cut their ties with the company, prohibiting it from processing their card data. CardSystems was subsequently acquired by another company.
- February 9, 2006 - It was estimated that around 200,000 debit card accounts were exposed by unnamed retail merchants, apparently OfficeMax and others. These included accounts at bank and credit union acquirers nationwide, such as CitiBank and Wells Fargo.
- January 31, 2006 - The Boston Globe and The Worcester Telegram & Gazette unwittingly exposed 240,000 credit and debit card records, along with routing information for personal checks, when the data was printed on recycled paper used to wrap newspaper bundles for distribution.
- January 12, 2007 - MoneyGram, a payment service provider, reported that a company server was unlawfully accessed over the Internet last month. It contained information on about 79,000 bill payment customers, including names, addresses, phone numbers, and in some cases, bank account numbers.
- January 17, 2007 - TJX Companies Inc. publicly disclosed that it had experienced an unauthorized intrusion into its electronic credit/debit card processing system. In what is considered one of the most high-profile security breaches to date, as many as 45,700,000 credit/debit card account numbers and over 455,000 merchandise return records (containing customer names and driver's license numbers) were stolen from the company's IT systems.
Large online retailers are not the only organizations being targeted. Public attention may be fixed on high-profile data losses, but experts studying financial fraud say hackers are increasingly targeting small commercial websites. In some cases, criminals are able to gain real-time access to a website's transaction information, allowing them to steal valid credit card numbers and quickly effect large numbers of fraudulent purchases. Small e-businesses offer fewer total victims, but they often present a softer target, either because of flaws in the software merchants use to process online orders or because of an over-reliance on outsourced website security.