Retail Payments Risk Forum
Font Size: A A A

Portals and Rails

March 10, 2014

Who Is Responsible for Consumer Security Education?

A theme that consistently appears in our Portals and Rails blogs is the continual need for consumer education when it comes to protecting account access credentials. Financial institutions have generally taken this responsibility seriously, running frequent verbal and print campaigns reminding customers to safeguard their payment cards, monitor account activity frequently, and adopt strong password and PIN access practices.

But as payment channels and access devices expand outside the bank-controlled environment, who then becomes responsible for customer education? The representatives of mobile phone carriers and handset manufacturers, for example, are often in sales mode. The last thing they want to do is scare off a potential sale by identifying the potential for fraud with their product or service.

When I recently went to purchase a new mobile phone that was equipped with a number of strong security safeguard options, the sales representative was more interested in selling me high-margin accessories than telling me how to safeguard the phone and its contents. While I understand the motivation of the sales representative, especially if he works under a sales incentive compensation plan, wouldn’t it easy for the carrier or phone manufacturer to provide a brochure promoting safe practices?

Unfortunately for the financial institutions, the stakes are high. For them, the financial impact of fraudulent activity on a customer's account is often a one-two punch. First, various regulations and rules are in place to protect consumers from liability, so the financial institutions generally write off the fraud loss. Second, and perhaps more painful, victims of fraud often move their accounts even though their financial institution is not at fault. The challenge of consumer education by the bankers is becoming more and more difficult as the opportunity for direct contact with the customer lessens with every new payment transaction product or service.

As we've seen before, in the aftermath of recent card transaction and customer data breaches, the negative reputational and financial impact from fraud is felt not just by financial institutions but also by the retailer or company that was breached. Will such events cause these other stakeholders to take a more proactive role and join financial institutions in educating their customers?

Portals and Rails is interested in hearing from you as to how the payments industry might best address customer awareness and education regarding security.

Photo of David LottBy David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

March 10, 2014 in banks and banking, consumer fraud, consumer protection, data security, mobile payments | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01a51180c012970c

Listed below are links to blogs that reference Who Is Responsible for Consumer Security Education?:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

February 10, 2014

Chip-and-PIN, or Chip-and-Choice?

If the comments that legislators and industry representatives made at the recent congressional hearings on data breaches were any indication, any card issuer advocating or adopting a chip-and-signature approach to EMV smartcard implementation would appear to be incautious. Unquestionably, chip-and-PIN is more secure than chip-and-signature because it represents two forms of authentication—something you have (the card) and something you know (the PIN). However, chip-and-signature could be a reasonable first step in that it would generate less friction for the consumer, merchant, and card issuer. Let me explain why.

Most consumers don't know their credit card PINs
Although most people know their debit card PINs—you need one to use an ATM—few U.S. consumers know their credit card PINs. Various studies place consumers' knowledge of their credit card PINs in the 5 to 10 percent range. It would therefore be an educational as well as logistical effort to get consumers to begin using their credit card PINs if the industry moved to a chip-and-PIN-only environment.

Merchants would incur a big expense for the equipment
Only about 25 percent of the 8 million POS terminals operating in the United States are equipped with a PIN pad, according to data provided to the Federal Reserve. Before Regulation II, merchants had a financial incentive to encourage PIN-based debit transactions because the interchange rate was lower than for credit card transactions. However, Reg II eliminated this differential. (This despite the fact that PIN debit transactions have less than one-third of the fraud loss rate of signature debit transactions, according to the 2013 Fed Payments Study Summary.) Although a representative of the National Retail Federation endorsed a chip-and-PIN-only strategy at a congressional hearing, it's difficult to know if merchants will want to make the additional investment required to equip, program, and maintain their POS systems to support PIN transactions. Most merchants have not yet taken this step, so what has changed?

Customer experience would change
A PIN-based transaction, with its single-message authorization and settlement process, creates problems for certain merchants—like car rental and lodging companies—that must run preauthorization transactions before the final amount of the transaction is determined. The separate authorization and settlement process provided by the dual-message format of a signature-based transaction is more conducive to the business needs of these merchant segments. Are fine dining restaurants going to install the even more expensive mobile payment terminals so customers can pay at the table as they currently do? Or will they require the customer to go to a checkout and pay there? These merchants especially will have to consider the impact on their customer experience.

Backup method needed
With debit cards now, a signature authentication can be a backup method of acceptance. But in a chip-and-PIN environment, how high will the rate of incomplete transactions be when cardholders can't remember their PINs and they have no other method of payment?

As with any change, there are a number of positives and negatives to be considered. To avoid unintended consequences, we at Portals and Rails believe that issuers, merchants, and consumer groups should carefully evaluate all the issues to determine the best way to migrate to EMV payment cards. What do you think—chip-and-PIN only or chip-and-choice?

Photo of David LottBy David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

February 10, 2014 in chip-and-pin, data security, debit cards, EMV | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01a73d743754970d

Listed below are links to blogs that reference Chip-and-PIN, or Chip-and-Choice?:

Comments

All issuers should support a well communicated and simple PIN change process (IVR, ATM or inbranch for example) for EMV cards. If cards are activated through an IVR; PIN selection could be added to the process. Cards can also be issued with unassigned PINs (the PIN is not sent to the cardholder) where the cardholder is forced to select a PIN; this process may encourage cardholders to proactively select a PIN they can remember. Re-issued cards can support PIN continuity (same PIN as previous card).

Support for PIN as the only permitted CVM will be more successful if ALL the card associations follow this practice. If one or more of them allow for signature CVM then cardholders may select the signature card and not bother to learn/select a PIN for the PINned card. This in turn leads to an uneven playing field and all chip cards may eventually revert to signature cards which would certainly be a step backwards.

As long as fallback to magstripe is supported, any cardholder that forgets their PIN can usually have the terminal revert to mag stripe (at least in Canada) by inserting the card backwards (you may have to do this three times). The terminal will attempt to read the chip (but can't because there is plastic where a chip should be) then ask for a mag stripe read while ignoring the service code (chip on board) info.

Posted by: M Ryan | February 11, 2014 at 12:49 PM

Your points are all valid, but I'd like to comment.

You are correct that most consumers don't know their credit card PINs and this would be a learning experience. Some POS application developers are putting in "PIN Bypass" functionality for this reason, although I believe that defeats the purpose of allowing the issuer to prefer PIN.

Merchants will incure some expense for migrating to EMV, but most EMV Card Readers are built into PIN pads, so with or without PIN, the expense is the same.

PIN based Credit transactions will continue to be dual message. PIN Debit transaction sre single message because they are "full financial" transactions that don't require a separate message.

EMV works perfectly fine with Hotels in the rest of the world, with incremental transactions after the original with PIN.

Yes, in Canada and Europe it is common for the customer to pay at the table with a wireless terminal. This supports the philosophy of "not handing your card to a stranger" that was promoted in those countries to support the implementation of EMV.

Yes, there will be a period of adjustment, perhaps painful - but not really much different than when PIN Debit at the POS was first introduced, just a larger scale.

Unfortunately, the more secure a process is, the less convenient it is. The U.S. has chosen convenience in the past, and we are seeing the repercussions of that approach.

Posted by: Allen Friedman | February 10, 2014 at 02:13 PM

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

November 12, 2013

Is Consumer Privacy Possible?

In January 1999, Scott McNealy, then chief executive officer of Sun Microsystems, told a group of analysts, "You have zero privacy anyway. Get over it." His comment caused quite a stir—at the time, most people had not yet heard the terms "big data," "data warehousing," or "data analytics."

I recently attended two conferences that had sessions on consumer privacy and data collection. All the panelists suggested that there is little data privacy for consumers anymore. And all agreed that "privacy is dead."

Four major forces have brought us to this point: technology advances, emergence of data aggregators, lack of transparency with consumers, and consumer complacency. The first force—advances in the technology of data storage—has created the environment for the other elements. The capacity of hardware to collect and store data has grown at exponential rates at the same time that the cost of that technology has plummeted. A cost analysis from Statistic Brain shows that the cost of storage per gigabyte of memory has dropped 50 percent every 14 months since 1980. Back then, a gigabyte of data storage was priced at about $438,000. Today, the price for storing a gigabyte is a mere nickel.

With the ability to store vast amounts of data so inexpensively, companies have built data warehouses to collect all types of data, ranging from government records to of consumers' product purchases at merchant locations Proponents of the data analytics business emphasize how their work can help identify fraudulent transactions through behavior anomalies and how it can help a company market more effectively. Privacy advocates express concern over how the information is used and the adequacy of safeguards to protect the data from unauthorized access.

Privacy advocates contend that most consumers have no real understanding of the information that is collected and how it is used. Indeed, disclosures are often hidden in fine print. Consumers often must accept the terms of a transaction to receive the product. How often do you click the accept box without reading the disclosure?

With support from the Federal Trade Commission, advocacy groups are working to get companies to make their consumer disclosures clearer so consumers will know exactly what information is being collected, how long it is retained, and who it is being shared with. They also want these data collectors to disclose how consumers can verify the accuracy of the information.

Are you interested in knowing what information the largest data aggregator company in the United States has on you? If so, go to Acxiom's website and scroll to the bottom of the page. You will need to register to look at your profile.

Although consumers themselves are the major source of the data being collected, many may not understand that the information they voluntarily provide on social media sites and through online browsing and purchasing activities is being tracked and collected. And consumers have consistently demonstrated a willingness to provide personal information to secure a coupon or discount.

In addition, with the increased deployment of smartphones, merchants are looking to use the mobile channel for one-to-one marketing. The success of this effort largely depends on knowing the interests of the phone owner. Such determination is made only through data collection and analytics—and these efforts are only going to intensify. This marketing element available through the mobile phone is seen as an advantage over other payment methods, and many are studying how to monetize it.

Even if the most transparent disclosures were available, do you think consumers would dramatically change their information-sharing behavior, especially when doing so would come at the expense of incentives? Or of not expressing their personal interests and posting events on social media sites? Personally, I do not think so. I believed McNealy back then and took his advice to get over it. What about you?

Photo of David LottBy David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

November 12, 2013 in consumer protection, data security, privacy | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c019b00fb33fb970b

Listed below are links to blogs that reference Is Consumer Privacy Possible?:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

October 21, 2013

Is Knowledge-Based Authentication Still Effective?

"What is your mother's maiden name? Your oldest daughter's middle name?" Online help sessions or call centers often ask the user to provide answers to a "secret" question or set of questions most often when the user has forgotten an account password and needs to retrieve it or select a new one. This authentication process is called knowledge-based authentication (KBA). The assumption is that if the person knows the correct answers, then that person is the authentic accountholder.

I recently attended a security conference where a panel of security authentication experts all stated that any extra protection KBAs provide is minimal. The high-profile data breaches that we've read about, along with the over-disclosure of personal information on social media sites, often make the answers to these questions easily available. These experts called for the abandonment of KBAs. In further support of this position was a recent article by Brian Krebs (Krebs on Security) that detailed how an identity theft service had hacked into some of the country's largest aggregators of consumer and business information. This service then tried to sell the data over the Internet, compromising the effectiveness of KBAs.

KBA questions can be either static or dynamic. Those that are static instruct the user to select from a list of preformulated questions—such as "What is your mother's maiden name?" Some sites allow users to create their own questions. In either case, the Q&A process is normally done when the user creates the account and selects the password. Dynamic KBAs are created by the website entity and generally request a response to a series of multiple-choice questions created from data not readily available in the public domain—for example, "Select a previous address from the list."

The formulation of KBA questions requires a careful balancing act between making answers easy enough for the authentic user to retain and making them difficult for an outsider to find the answer by looking through public databases and social media sources.

The June 2011 Federal Financial Institutions Examination (FFIEC) supplemental guidance on authentication for Internet banking states about KBAs that "institutions should no longer consider such basic challenge questions, as a primary control, to be an effective risk mitigation technique." The guidelines support the more sophisticated dynamic KBAs, adding this caution: "Although no challenge question method can mitigate all threats, the Agencies believe the use of sophisticated questions as described above can be an effective component of a layered security program." But we have to ask, have the breaches of the data sources often used to create the dynamic KBAs that have taken place since the issuance of this guidance so weakened them as to negate their value?

To enhance dynamic KBA programs, institutions can time the answer input intervals, tally missed questions, and employ other factors to essentially score the KBA session, which could signal that a criminal is posing as the legitimate customer.

No matter how many questions there are, KBAs are just one identification form factor—the "something you know" part of three-factor authentication. The FFIEC recommends that multiple form factors—including the "something you have" and "something you are" components—be used with higher-risk transactions. These should be used to support a stronger security process under a layered security approach.

Portals and Rails is interested in knowing how your institution currently uses KBAs, and if recent events will change their use.

Photo of David LottBy David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

October 21, 2013 in authentication, data security, identity theft | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c019b00310712970d

Listed below are links to blogs that reference Is Knowledge-Based Authentication Still Effective?:

Comments

The FFIEC is right. Basic challenge questions will no longer cut it. Device identification is a newer technique that fraud analysts have begun to incorporate into their strategy, but even this innovation may not be enough. As consumers demand further online and mobile platforms for banking and payments, and as fraudsters continue multiplying and focusing their efforts on these very platforms, we need to start looking for more sophisticated strategies.

Posted by: Eric Lindeen | January 07, 2014 at 01:26 PM

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

July 22, 2013

Fighting the Enemy Within

Portals and Rails frequently focuses on external threats that pose risk for financial organizations and others involved in the payments value chain. However, insider threats can pose just as large of a risk as external threats. One need look no further than the recent National Security Agency (NSA) information leak to understand the magnitude of insider risk. These risks can be reputation-damaging and cause significant financial harm.

Although security and control procedures can mitigate the risk of insider threats, it is extremely challenging to thwart a rogue insider committed to stealing or leaking sensitive information or implanting malicious software. The following access and security management principles, while not exhaustive, provide a solid base for any organization maintaining sensitive data to mitigate the risk of an insider letting this data out the door.

  1. Never-alone: Certain sensitive and critical functions and procedures (such as modifying hardware and security software) should be carried out by more than one person, or they should be performed by one person then automatically reported and immediately checked by another.
  2. Access rights: Data access rights and system privileges should be based on job responsibility and the need to perform job duties properly, and should be kept current.
  3. Limited tenure: Employees with access to sensitive data or in security-related positions should never believe their position is exclusive or permanent. Some ideas for implementation include: employees in these roles should be randomly rotated and required to take mandatory leave without having access to the systems during their absence.
  4. Concurrent access: An employee should not have simultaneous access to production systems and backup systems, particularly data files and computer facilities.
  5. Close supervision: Employees with system and data access entitlements should be closely supervised and have all their system activities logged. Access to these logs should be off-limits for these employees. Changes to highly sensitive data records should be immediately reported through messaging to supervisors for immediate review.

On the heels of the leak, the NSA director stated that the agency would institute the "never-alone" policy going forward. This approach may be better late than never, but perhaps it is a signal that the leadership of this organization recognizes and values the importance of data security, an important overarching principle in the Risk Forum's opinion.

Has your organization incorporated all or some of these principles into data access and system security procedures? What other principles has your organization put into place to mitigate insider threat to data security?

Douglas A. KingBy Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

July 22, 2013 in data security | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01901e62c5d4970b

Listed below are links to blogs that reference Fighting the Enemy Within:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

October 22, 2012

Ignorance Is No Excuse--Or Is It?

Last time I got a speeding ticket (just for the record, it's been a very long time), the officer didn't care that I didn't realize the speed limit was only 35 mph. As he told me, ignorance of the law is no excuse for breaking the law. Contrast that with consumer payments protections. Consumers can practice unsafe computing and expose their account information, yet regulations still protect them if an unauthorized payment is made using the information the consumer revealed. Although an unauthorized payment is transacted by someone else, the consumer, through his or her own behavior, may be aiding and abetting the lawbreaker.

As we study different payment types and channels here at the Retail Payments Risk Forum, a consistent theme has emerged: consumer behavior plays a significant role in payments issues, and consumer education is the antidote. Although the consumer may be protected from financial consequences even when they engage in unsafe online behavior, it is in everyone's best interest, including the consumer's, if the consumer is armed with enough information to behave safely and responsibly.

Take card payments and the conversion under way to EMV standards. As the cards are converted to a chip and reissued to consumers, the consumer will need to understand where and how the card can be used. Education will be critical if the chip implementation also includes the use of PINs. A recent analysis by DataGenetics shows that nearly 27 percent of PINs can easily be guessed by attempting 20 simple combinations such as "1234" or "0000." PINs can be an effective authentication method, if only the consumer is thoughtful in choosing a hard-to-guess PIN.

Consider ACH payments and the dreaded account takeover. The information used to perpetrate an account takeover is sometimes gained through malware that enables key logging. The malware is installed on the consumer's computer most likely because of the consumer's unsafe computing practices, such as clicking on unfamiliar links and opening attachments sent by suspicious or unknown sources.

The same is true for the emerging mobile channel, essentially a handheld computer with security considerations similar to the online channel. The September 2012 GAO report on Mobile Device Security concludes, "Mobile devices face an array of threats that take advantage of numerous vulnerabilities commonly found in such devices. These vulnerabilities can be the result of inadequate technical controls, but they can also result from the poor security practices of consumers." The report recognizes that many education and awareness efforts, both public and private, have occurred or are underway, but it remains unclear whether those efforts have raised consumer security awareness or had any beneficial effect on the security of the mobile device.

Diagnosing is the easy part...
While it's easy to recognize that consumer behavior is a problem in electronic payments, the solution of providing consumer education is elusive. As it turns out, financial institutions are in a good position to provide education. For one thing, consumers tend to trust their financial institutions, with their financial information and with their privacy. From a practical standpoint, financial institutions are commonly the connection point between the consumer and these payment types. However, the traditional connection point of the branch is evolving to the online and mobile channels.

So what can financial institutions do to better educate consumers in the new digital and mobile environment? They already devote significant resources to providing education, but the effectiveness of these efforts can be questioned as the incidences of fraud appear to be rising. Are there best practices for consumer education in the non-face-to-face environment that financial institutions should employ to positively impact fraud?

Mary KeplerBy Mary Kepler, vice president and director of the Retail Payments Risk Form at the Atlanta Fed

October 22, 2012 in cybercrime, data security, identity theft, mobile banking | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c017ee45b228f970d

Listed below are links to blogs that reference Ignorance Is No Excuse--Or Is It?:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

September 04, 2012

Pointing to the Future: Biometrics Crucial for Data Protection

Experts are escalating their call for aggressive measures to improve customer authentication as phishers, malware authors, and other criminals develop increasingly complex schemes to gain access to personal credentials. As we discussed in a previous post, the use of biometrics is gaining more attention as technological advances are bringing low-cost, high-quality solutions. In a recent paper ("The Case for Replacing Passwords with Biometrics"), authors Markus Jakobsson and Sebastien Taveau assert that biometric methods such as fingerprinting methods could address a large part of the looming cyber fraud problem.

Matching fingerprints to protection
Fingerprints as a means of identification have actually been used for more than 150 years. However, Jakobsson and Taveau note that lower technology costs may allow fingerprint authentication to become a mainstream risk mitigation solution, in concert with other backup authentication methods. (The Federal Financial Institutions Examination Council's 2011 Supplement to Authentication in an Internet Banking Environment reports that layered security controls go a long way to protecting consumer credentials and high-risk transactions from cyber threats.) According to Jakobsson and Taveau, the convergence of methods used by cybercriminals is driving fraud into the mobile arena, with an increased incidence of dual platform attacks targeting both PCs and mobile handsets. The authors describe how fingerprint authentication can improve authentication effectiveness and enable better risk management.

As more and more data are stored in personal clouds—remote data servers that store digital content for consumers—the security paradigm becomes more critical. Jakobsson and Taveau describe cases whereby fingerprints could effectively serve as a "key" to consumer information. Just authenticating users by asking who they are and what they know—in other words, prompting for name and password—is inadequate in such "remote" data storage environments. Essentially, "the cloud is a storage area with a door, the handset or other device is the lock and the fingerprint is the key."

The authors also describe the challenge of "BYOD"—that is, "bring your own device" to work. Many companies today permit employees to use their own devices. The use of multiple passwords and other protocols can create confusion that can tempt employees to circumvent authentication protocols designed for their protection. As we noted in a June post, one out of every 11 wallets contains easily discovered PINs. The use of the biometric tool of fingerprinting permits a simple authentication method that can be used across applications and devices, with greater assurance that the account or device owner and the device are in the same physical space.

I can't put my finger on it
Despite the promise of fingerprinting as an effective biometric risk management system, a number of concerns remain, according to the authors. Device sharing can be a problem when the device is secured with a biometric unique to a single user. An issue of a more violent nature is the potential of a criminal stealing someone's finger to facilitate a transaction. Jakobsson and Taveau aptly remark, "It is much better to have one's password stolen!"

In the final analysis, the authors note that the benefits of biometric authentication methods outweigh their deployment challenges. Furthermore, their authentication architecture using a "biometrically unlocked password manager" could provide significant protection against phishing and malware attacks—the primary tools of cybercrime. As the incidence of data breaches and account takeovers continues to rise, the argument for more secure authentication methods will continue as well.

Cynthia MerrittBy Cynthia Merritt, assistant director of the Retail Payments Risk Forum

September 4, 2012 in biometrics, data security, identity theft | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c017d3bd3adfa970c

Listed below are links to blogs that reference Pointing to the Future: Biometrics Crucial for Data Protection:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

November 14, 2011

Evidence for PCI’s effectiveness in the fight against fraud

Despite the PCI Council's best efforts and laudable goals, the effectiveness of its data security standard, PCI DSS, is frequently questioned. This standard is sometimes disparaged as expensive and ineffective. One critic has even decried the standard as a "false god." Such criticisms have stuck in part because it is difficult to know how many breaches would have occurred if it weren't for the PCI standard, and supporters have essentially been left to argue a counterfactual. The PCI Council has long maintained that no organization that has been breached has been found to have been compliant at the time of the breach, but the claim has never been fully validated.

Contrary to the claims of PCI DSS critics, however, Verizon has collected some data that support the value of PCI. The Verizon 2011 Payment Card Industry Compliance Report provides evidence that PCI compliance is effective at preventing breaches, and that the most compliant organizations are the least likely to be breached. The Verizon report provides a detailed analysis of compliance and breach threats across their client portfolio. The report reviews the cases of annual audit clients to assess compliance across the 12 PCI DSS requirements. The report also lays out the authors' retroactive assessment of the compliance of organizations that used the firm's forensic services after they suffered a breach.

The report ends up offering two very different perspectives: that of organizations proactively pursuing PCI compliance and that of organizations reacting to a breach that may not have previously emphasized compliance. The study sample consists of more than 100 reports from primarily American and European companies, and is the second year that this study was published (see the 2010 report here.)

Figure 3: Distribution of testing procedures met at IROC

At first glance, the report's findings seem discouraging because only 21 percent of organizations are found to be fully compliant at the beginning of the audit. However, the researchers assessed each organization's compliance across each requirement, and found that a further 37 percent were compliant across 90 to 99 percent of requirements.

Verizon conducted these assessments to help clients identify gaps and prepare them for their annual audit process. Once Verizon issued their Initial Reports of Compliance, the organizations then worked to fill all gaps and achieve full compliance. Of course, achieving full compliance is not a simple task. Full PCI compliance is extremely complex and requires ongoing testing and updates, and many organizations succumb to complacency and fatigue between audits. They may not respond to changing circumstances, and in fact the researchers found that compliance levels sometimes deteriorated over the course of the year.

Table 3: Percent of organizations meeting PCI DSS requirements

The complexity of achieving full compliance is one reason the PCI Council released the Prioritized Approach to compliance in 2009. These guidelines are intended to help firms with limited resources tackle the most effective security requirements first. Unfortunately, the researchers found no evidence that organizations had implemented this prioritization, which raises the concern that companies are not taking a strategic approach to the compliance process.

In the second half of the Verizon report, the researchers tried to tease out how breached companies are attacked and what characteristics made them most vulnerable. They found that breached companies were less likely to meet individual PCI requirements, and scored overall worse than nonbreached clients by a 50 percent margin on average. Additionally, every threat action identified by the forensic team could have been prevented with full PCI compliance.

Jen Mack, the director of Verizon's PCI Services, believes that the Verizon report shows that PCI is effective. She says, "It's clear the standards provide protection for card data if organizations implement them correctly and maintain them throughout the year." Verizon's report does provide strong evidence that PCI DSS is an effective tool for preventing breaches and combating fraud. Since data breaches are repeatedly recognized as a major threat to the payments industry, it is critical to leverage tools like PCI DSS. How can the PCI Council encourage increased compliance among merchants and other organizations? Will increased recognition of the standard's effectiveness lead to greater adoption?

By Jennifer C. Windh, a payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed

November 14, 2011 in data security, fraud, payments risk | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c015436e05aa2970c

Listed below are links to blogs that reference Evidence for PCI’s effectiveness in the fight against fraud:

Comments

At a time when consumer trust of financial institutions is at an all time low, companies that deal with consumer information should be taking a proactive approach to their security. The protection of consumer data is of utmost importance and the reputation of their brand hangs in the balance. Conducting audits internally or hiring a third party do do so on a regular basis to ensure companies are meeting PCI standards will help them stay vigilant about their security and regain their customers' trust.

Posted by: Cassie Fulton | December 06, 2011 at 05:10 PM

Whether PCI is effective in reducing fraud or not is not the issue. The question is whether it is COST EFFECTIVE. More specifically: Could a different approach achieve the same or better results, at lower cost?
Many experts consider PCI to be too expensive and difficult to implement for what it has achieved--and much less effective than could be accomplished using a more practical "risk based" approach.
The PCI program was poorly planned and is poorly managed, and has been co-opted by the QSA industry, which generates immense revenues from the ever-expanding scope and complexity.
The card brands do not seem to care about the expense, however, as the vast majority of the cost for PCI must be borne by the merchants.
The fact that "no organization has been found to have been compliant at the time of a breach" only underscores the problem, and speaks to the fruitlessness of merchants' efforts toward PCI compliance.

Posted by: Security Sam | November 16, 2011 at 04:37 PM

The fight against fraud is not an easy one and the fact that the number of breaches has been decreasing lately is down to the hard work from various parties, including the PCI Security Standards Council.
PCI DSS reassures consumers that cyber crime is taken seriously by the whole industry and that their card details will not be compromised.

Posted by: PayPoint.net Merchant Services | November 15, 2011 at 09:26 AM

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

January 31, 2011

Payments Spotlight podcast: The evolving threat of corporate account takeovers as seen through a bank's lens

Play Play podcast (MP3 7:23) TranscriptTranscript

Last July, we spoke with Jane Larimer, executive vice president of ACH network administration and general counsel for NACHA, about fraud in the ACH network via corporate account takeovers. In the latest interview in our Payments Spotlight podcast series, we revisit the issue of corporate account takeovers—this time, from a bank's point of view. Tina Giorgio, senior vice president of operations for Sandy Spring Bank in Columbia, Md., and a member of the Atlanta Fed's Retail Payments Risk Forum's Advisory Group, offered some helpful tips for financial institutions on how to best deter corporate account takeover attacks. The podcast is one that financial institutions would benefit from hearing and one worth sharing with their corporate customers.

Addressing corporate account takeover threats
NACHA's Risk Management Advisory Group (RMAG) published a newsletter in April 2010 detailing how criminals target institutions and what institutions can do to prevent an attack. Tina told us that the RMAG has been actively engaged in addressing corporate account takeovers since they emerged in 2007.

Additionally, Tina said that NACHA's board of directors released a policy statement in October 2010 stressing the importance of implementing sound business practices to mitigate the risk of corporate account takeovers in the ACH network. The RMAG, Tina tells us, is currently working on developing resources to assist businesses and banks alike in assessing, establishing, and strengthening sound business practices.

Taking the first step in the fight against corporate account takeovers
The banking system has been combating large-scale phishing attacks for some time now. In recent years, we've seen more frequent reports of global cybercriminals' successfully stealing the credentials of bank customers through numerous low-value transactions or one-time, large-scale attacks against corporate bank accounts.

Tina said that from a bank's perspective, the first step in detecting and protecting against corporate account takeovers requires diligent risk management from the institution and its corporate customer. Educating business customers about sound and safe business practices is critical; essential educational components include the importance of daily account reconciliation and deployment of up-to-date security patches.

Using the bank's existing tool kit
Cybercriminals use sophisticated commercial online banking malware to attack computers that store sensitive banking credentials. Some of these malicious software programs are reportedly undetectable and capable of defeating multi-factor authentication systems. Tina said she believes that some of the best tools at a bank's disposal for combating these malwares include employing out-of-band authentication and alerts, as well as maintaining the payment file initiation under dual control. She also said that banks may also already have in place some low-tech tools to help prevent these takeovers—exposure limits, origination calendars, and prenotifications all provide added security layers.

Ultimately, Tina said, banks and their corporate customers must remain vigilant in protecting against corporate account takeovers. Otherwise, their risk for these takeovers increases exponentially, and it is each of their responsibilities to act safely and defend against these types of cyberattacks. Fraudsters' attacks will continue to become more sophisticated, but adopting these tips and measures can best prepare banks and its corporate consumers to defend against cyber attacks.

Photo of Ana Cavazos-WrightBy Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed

January 31, 2011 in account takeovers, ACH, banks and banking, cybercrime, data security, fraud | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c0148c823e9d8970c

Listed below are links to blogs that reference Payments Spotlight podcast: The evolving threat of corporate account takeovers as seen through a bank's lens:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

October 12, 2010

New study examines the effectiveness of U.S. payments security

As everyday citizens, we are all responsible for understanding the threat of identity theft and its potential to facilitate payments fraud. The proliferation of identity theft is not solely a by-product of the high-tech world in which we live; it has been around from time immemorial. In the pre-Internet era, identity theft and payments fraud were more commonly committed by a "familiar"—a family member or someone with access to the victim's home, office, or mailbox. This type of white-collar crime still exists today, of course, and its success rate, measured in terms of the number of fraud attempts that result in a monetary loss, remains high. But today's identity theft schemes are more complex and involve larger-scale data breaches, so they pose a more significant threat to the retail payments industry and demand stronger security management techniques.

This evolution has created the need for more sophisticated compliance initiatives to keep identity and payment information secure. Retailers are on the first line of defense, in many respects, since they are the receivers and keepers of payment card data used to facilitate purchases at the point of sale.

So, along those lines, how is the retail industry faring? A new study from Verizon—released Oct. 4—reports on how well the U.S. retail sector keeps payment card data secure.

PCI security compliance: A first line of defense
There is an industry-organized defense procedure, or set of procedures, created to guard against large-scale thefts of payment card data. This procedure is called the Payment Card Industry Data Security Standard, or PCI-DSS for short. The Verizon report notes a high correlation between an organization's PCI compliance and its resistance to data breaches.

Most large retail enterprises in the United States claim compliance with PCI-DSS, and they have their operational systems periodically audited to ensure continued compliance. Although many of the largest retailers are compliant—with some, like Heartland, even working now to go above and beyond the minimum requirements—the Verizon study reveals just how far U.S. retailers are from full PCI-DSS compliance.

The following table summarizes the findings of the Verizon report for PCI compliance rates.


Percent of organizations meeting PCI compliance requirements
Enlarge Enlarge


Meeting the challenge—and going above and beyond
The study concludes that complying with PCI is a complex challenge for many retailers, but the outlook is good—the retail sector is heading in the right direction. On average, it reports, organizations meet 81 percent of the procedures required by PCI, and 75 percent of organizations meet at least 70 percent of the testing procedures required.

Some industry experts even contend that PCI-DSS compliance in and of itself is not enough, which is why Heartland Payment Systems—one of the largest U.S. card processors, and which in 2009 suffered a serious data breach—is raising the bar and requiring its merchants to use additional security measures for data encryption. All data messages must be encrypted when in transit and when at rest in temporary storage along the way. For now, organizations responsible for storing and transmitting this data will continue to be challenged with the responsibility for safeguarding its data from breaches that facilitate identity theft and payment fraud.

By guest blogger Dan Littman, Economist, Federal Reserve Bank of Cleveland

October 12, 2010 in data security, fraud, payments, payments risk | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01348822ec96970c

Listed below are links to blogs that reference New study examines the effectiveness of U.S. payments security:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in