The Internet is full of dangers for the unsuspecting and the unprepared. Identity theft and phishing attempts are everyday events (hourly events for some of us, it seems), and the consequences of succumbing can be devastating. To protect vulnerable users from these kinds of attacks, companies such as VeriSign have developed encryption technologies (Secure Sockets Layer, or SSL, Certificates) for protecting the data that identity thieves crave, especially credit card numbers, payment information, social security numbers, passwords, and confidential personal data. And, since no amount of encryption can protect against a gullible individual giving away prized information to an imposter, the Certificate Authority/Browser Forum, an organization of leading certification authorities (CAs), including VeriSign, and vendors of Internet browser software and other applications, has also developed a further level of technology, Extended Validation (EV) SSL, to provide reassurance that the operator of a Web site is indeed who it claims to be. In the past, it was up to businesses to choose whether to take advantage of these technologies. While many did, some did not, and the consequences fell not only on the victims themselves but also on institutions that often have to pay directly or indirectly for those mistakes, such as credit card issuers. To protect themselves, these institutions, along with governments at various levels and their related standards bodies, have created standards and/or regulations that mandate the use of security and protection technologies in a variety of circumstances. As a result, institutions for which the danger itself is not a sufficient motivator for using encryption and related technologies now have another excellent reason to employ them: to do otherwise may violate a standard or regulation and risk often-dire consequences.
This white paper explores these standards and regulations, some firmly in place, some emerging, others in the formative stage, and describes the recommendations or requirements they impose for using encryption and related technologies. The reader should bear in mind that this area is a fast-moving target. Today’s recommendations are tomorrow’s requirements, and new standards are arising all the time. The sooner an enterprise complies, the better positioned it is for the future.

+ Payment Card Industry Data Security Standard (PCI DSS)

There are many ways to steal credit card numbers, but scavenging through garbage cans in search of receipts has given way in recent years to intercepting transmissions between customers making online purchases and their suppliers, a method that is much easier, not to mention cleaner. Since paying by credit card is a very popular way of conducting commerce online, the buyer’s credit card number must at some point be transmitted electronically to the seller; if that transmission is unencrypted or inadequately encrypted, stealing the number can be easy. Of the approximately 650,000 complaints about fraud that the U.S. Federal Trade Commission received each year in the period 2004 to 2006, identity theft was the subject of a consistent 35% to 36%. Twenty-one percent of banking institutions have either suffered a security breach during the past two years or do not know whether they have. Another 35% have been victims of a phishing attack during the past year.1 The prevalence of these destructive practices gave rise in years past to a clamor for government regulation of electronic commerce, but the credit card companies that generally had to foot the bill for all the online carelessness felt they could not afford to wait. They knew that SSL Certificates provided the necessary protection for sensitive information in transit and that they can be easily implemented by e-commerce companies and other institutions that transmit and receive credit card information over the Internet. They also knew that without pressure to act, many of these companies would be slow to adopt the technology.