November 14, 2011
Evidence for PCI’s effectiveness in the fight against fraud
Despite the PCI Council's best efforts and laudable goals, the effectiveness of its data security standard, PCI DSS, is frequently questioned. This standard is sometimes disparaged as expensive and ineffective. One critic has even decried the standard as a "false god." Such criticisms have stuck in part because it is difficult to know how many breaches would have occurred if it weren't for the PCI standard, and supporters have essentially been left to argue a counterfactual. The PCI Council has long maintained that no organization that has been breached has been found to have been compliant at the time of the breach, but the claim has never been fully validated.
Contrary to the claims of PCI DSS critics, however, Verizon has collected some data that support the value of PCI. The Verizon 2011 Payment Card Industry Compliance Report provides evidence that PCI compliance is effective at preventing breaches, and that the most compliant organizations are the least likely to be breached. The Verizon report provides a detailed analysis of compliance and breach threats across their client portfolio. The report reviews the cases of annual audit clients to assess compliance across the 12 PCI DSS requirements. The report also lays out the authors' retroactive assessment of the compliance of organizations that used the firm's forensic services after they suffered a breach.
The report ends up offering two very different perspectives: that of organizations proactively pursuing PCI compliance and that of organizations reacting to a breach that may not have previously emphasized compliance. The study sample consists of more than 100 reports from primarily American and European companies, and is the second year that this study was published (see the 2010 report here.)
At first glance, the report's findings seem discouraging because only 21 percent of organizations are found to be fully compliant at the beginning of the audit. However, the researchers assessed each organization's compliance across each requirement, and found that a further 37 percent were compliant across 90 to 99 percent of requirements.
Verizon conducted these assessments to help clients identify gaps and prepare them for their annual audit process. Once Verizon issued their Initial Reports of Compliance, the organizations then worked to fill all gaps and achieve full compliance. Of course, achieving full compliance is not a simple task. Full PCI compliance is extremely complex and requires ongoing testing and updates, and many organizations succumb to complacency and fatigue between audits. They may not respond to changing circumstances, and in fact the researchers found that compliance levels sometimes deteriorated over the course of the year.
The complexity of achieving full compliance is one reason the PCI Council released the Prioritized Approach to compliance in 2009. These guidelines are intended to help firms with limited resources tackle the most effective security requirements first. Unfortunately, the researchers found no evidence that organizations had implemented this prioritization, which raises the concern that companies are not taking a strategic approach to the compliance process.
In the second half of the Verizon report, the researchers tried to tease out how breached companies are attacked and what characteristics made them most vulnerable. They found that breached companies were less likely to meet individual PCI requirements, and scored overall worse than nonbreached clients by a 50 percent margin on average. Additionally, every threat action identified by the forensic team could have been prevented with full PCI compliance.
Jen Mack, the director of Verizon's PCI Services, believes that the Verizon report shows that PCI is effective. She says, "It's clear the standards provide protection for card data if organizations implement them correctly and maintain them throughout the year." Verizon's report does provide strong evidence that PCI DSS is an effective tool for preventing breaches and combating fraud. Since data breaches are repeatedly recognized as a major threat to the payments industry, it is critical to leverage tools like PCI DSS. How can the PCI Council encourage increased compliance among merchants and other organizations? Will increased recognition of the standard's effectiveness lead to greater adoption?
By Jennifer C. Windh, a payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
November 14, 2011 in data security, fraud, payments risk | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c015436e05aa2970c
Listed below are links to blogs that reference Evidence for PCI’s effectiveness in the fight against fraud:
Comments
January 31, 2011
Payments Spotlight podcast: The evolving threat of corporate account takeovers as seen through a bank's lens
Play podcast (MP3 7:23)
Transcript
Last July, we spoke with Jane Larimer, executive vice president of ACH network administration and general counsel for NACHA, about fraud in the ACH network via corporate account takeovers. In the latest interview in our Payments Spotlight podcast series, we revisit the issue of corporate account takeovers—this time, from a bank's point of view. Tina Giorgio, senior vice president of operations for Sandy Spring Bank in Columbia, Md., and a member of the Atlanta Fed's Retail Payments Risk Forum's Advisory Group, offered some helpful tips for financial institutions on how to best deter corporate account takeover attacks. The podcast is one that financial institutions would benefit from hearing and one worth sharing with their corporate customers.
Addressing corporate account takeover threats
NACHA's Risk Management Advisory Group (RMAG) published a newsletter in April 2010 detailing how criminals target institutions and what institutions can do to prevent an attack. Tina told us that the RMAG has been actively engaged in addressing corporate account takeovers since they emerged in 2007.
Additionally, Tina said that NACHA's board of directors released a policy statement in October 2010 stressing the importance of implementing sound business practices to mitigate the risk of corporate account takeovers in the ACH network. The RMAG, Tina tells us, is currently working on developing resources to assist businesses and banks alike in assessing, establishing, and strengthening sound business practices.
Taking the first step in the fight against corporate account takeovers
The banking system has been combating large-scale phishing attacks for some time now. In recent years, we've seen more frequent reports of global cybercriminals' successfully stealing the credentials of bank customers through numerous low-value transactions or one-time, large-scale attacks against corporate bank accounts.
Tina said that from a bank's perspective, the first step in detecting and protecting against corporate account takeovers requires diligent risk management from the institution and its corporate customer. Educating business customers about sound and safe business practices is critical; essential educational components include the importance of daily account reconciliation and deployment of up-to-date security patches.
Using the bank's existing tool kit
Cybercriminals use sophisticated commercial online banking malware to attack computers that store sensitive banking credentials. Some of these malicious software programs are reportedly undetectable and capable of defeating multi-factor authentication systems. Tina said she believes that some of the best tools at a bank's disposal for combating these malwares include employing out-of-band authentication and alerts, as well as maintaining the payment file initiation under dual control. She also said that banks may also already have in place some low-tech tools to help prevent these takeovers—exposure limits, origination calendars, and prenotifications all provide added security layers.
Ultimately, Tina said, banks and their corporate customers must remain vigilant in protecting against corporate account takeovers. Otherwise, their risk for these takeovers increases exponentially, and it is each of their responsibilities to act safely and defend against these types of cyberattacks. Fraudsters' attacks will continue to become more sophisticated, but adopting these tips and measures can best prepare banks and its corporate consumers to defend against cyber attacks.
By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
January 31, 2011 in account takeovers, ACH, banks and banking, cybercrime, data security, fraud | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c0148c823e9d8970c
Listed below are links to blogs that reference Payments Spotlight podcast: The evolving threat of corporate account takeovers as seen through a bank's lens:
Comments
October 12, 2010
New study examines the effectiveness of U.S. payments security
As everyday citizens, we are all responsible for understanding the threat of identity theft and its potential to facilitate payments fraud. The proliferation of identity theft is not solely a by-product of the high-tech world in which we live; it has been around from time immemorial. In the pre-Internet era, identity theft and payments fraud were more commonly committed by a "familiar"—a family member or someone with access to the victim's home, office, or mailbox. This type of white-collar crime still exists today, of course, and its success rate, measured in terms of the number of fraud attempts that result in a monetary loss, remains high. But today's identity theft schemes are more complex and involve larger-scale data breaches, so they pose a more significant threat to the retail payments industry and demand stronger security management techniques.
This evolution has created the need for more sophisticated compliance initiatives to keep identity and payment information secure. Retailers are on the first line of defense, in many respects, since they are the receivers and keepers of payment card data used to facilitate purchases at the point of sale.
So, along those lines, how is the retail industry faring? A new study from Verizon—released Oct. 4—reports on how well the U.S. retail sector keeps payment card data secure.
PCI security compliance: A first line of defense
There is an industry-organized defense procedure, or set of procedures, created to guard against large-scale thefts of payment card data. This procedure is called the Payment Card Industry Data Security Standard, or PCI-DSS for short. The Verizon report notes a high correlation between an organization's PCI compliance and its resistance to data breaches.
Most large retail enterprises in the United States claim compliance with PCI-DSS, and they have their operational systems periodically audited to ensure continued compliance. Although many of the largest retailers are compliant—with some, like Heartland, even working now to go above and beyond the minimum requirements—the Verizon study reveals just how far U.S. retailers are from full PCI-DSS compliance.
The following table summarizes the findings of the Verizon report for PCI compliance rates.
|
|
|
|
Meeting the challenge—and going above and beyond
The study concludes that complying with PCI is a complex challenge for many retailers, but the outlook is good—the retail sector is heading in the right direction. On average, it reports, organizations meet 81 percent of the procedures required by PCI, and 75 percent of organizations meet at least 70 percent of the testing procedures required.
Some industry experts even contend that PCI-DSS compliance in and of itself is not enough, which is why Heartland Payment Systems—one of the largest U.S. card processors, and which in 2009 suffered a serious data breach—is raising the bar and requiring its merchants to use additional security measures for data encryption. All data messages must be encrypted when in transit and when at rest in temporary storage along the way. For now, organizations responsible for storing and transmitting this data will continue to be challenged with the responsibility for safeguarding its data from breaches that facilitate identity theft and payment fraud.
By guest blogger Dan Littman, Economist, Federal Reserve Bank of Cleveland
October 12, 2010 in data security, fraud, payments, payments risk | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01348822ec96970c
Listed below are links to blogs that reference New study examines the effectiveness of U.S. payments security:
Comments
September 20, 2010
Playgrounds and privacy: Finding the balance in protecting consumers and catching criminals (Part 2 of 2)
Last week, in Part 1, we took a conceptual look at the issue of balancing financial privacy interests with catching criminals. This week we look closer at the subject, with an eye on the legal landscape of financial privacy laws and law enforcement's ability to access financial records under the existing laws.
The legal battle between law enforcement and personal privacy in the United States is as old as privacy law itself, and maintaining a balance between the two has for years required continuous maintenance of financial privacy laws. One of the most recent changes occurred in 2001, with the introduction of the Patriot Act. While the Patriot Act gives law enforcement agencies easier access to financial information so they can intercept terrorist financing and prevent money laundering, the Patriot Act has also been used routinely to combat nonterrorist criminals.
But have we struck the right balance yet? Or are stronger financial privacy parameters needed to tip the scales in favor of either the consumer or law enforcement?
The financial privacy law landscape prior to the Patriot Act
Historically, customers have expected their bank records to be held in confidence, relying largely on their right to financial privacy based on their contractual agreement with the bank. But in 1970, the Bank Secrecy Act (BSA) became law, and turned that expectation upside down. The BSA began requiring financial institutions to maintain certain records on their customers and authorized the Secretary of the Treasury to require financial institutions to report certain financial transactions. That same year, the Fair Credit Reporting Act (FCRA) was passed, whose goal was to safeguard consumer financial information by limiting the availability of consumer credit reports only for specific "permissible purposes."
In 1978, the Right to Financial Privacy Act was passed, which generally precluded the disclosure of a consumer's individual financial records to a government authority without the customer's consent, absent a subpoena or other judicial order. In 1999, Title V of the Gramm-Leach Bliley Act addressed several additional issues relating to the protection of nonpublic personal information maintained by financial institutions. Since their enactment, each of these statutes has undergone several amendments, mostly in response to the competing interests between a consumer's right to financial privacy and law enforcement's legitimate need to access consumers' financial records.
The Patriot Act, enhanced law enforcement provide access to customers' financial records
The Patriot Act allows law enforcement to develop a strategy for catching the bad guys by virtue of significant changes in the regulatory scheme of financial privacy, including new "Know Your Customer" rules, and allowing the sharing of information between law enforcement and financial institutions. Specifically, section 314(a) of the Patriot Act allows law enforcement agencies to gather financial data about a person being investigated.
Under section 314(a), a federal law enforcement agency investigating either terrorist activity or money laundering may request that FinCEN (the U.S. Department of the Treasury's Financial Crimes Enforcement Network) provide certain financial information from a financial institution or group of financial institutions. FinCEN then turns to the financial institutions and asks them to search their records to determine whether they maintain or have maintained accounts for, or conducted transactions with, the individual or entity specified by the law enforcement agency.
If a financial institution has a record of dealing with the subject of the inquiry, it must report back to FinCEN, which in turn shares the collected financial information with the law enforcement agency. Financial institutions may not disclose that FinCEN or the requesting agency made such an information request. No search warrant or subpoena is required.
Section 314(a): Beyond terrorist financing and money laundering
According to FinCEN, investigations incorporating section 314(a) requests have included a Hawala operation, cigarette smuggling, arms trafficking, investment fraud, and an international criminal network. Anonymity stifles the ability of law enforcement to combat criminal activity. Consequently, one of the biggest challenges confronting law enforcement officials is connecting the dots when trying to catch the bad guys. However, given the delicate and often strained balance between the privacy laws and law enforcement’s need to access financial records, can a sacrifice in financial privacy result in a balancing benefit in more effective law enforcement, or does law enforcement have adequate tools today to intercept criminal activity?
By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
September 20, 2010 in data security, privacy | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c0133f465d944970b
Listed below are links to blogs that reference Playgrounds and privacy: Finding the balance in protecting consumers and catching criminals (Part 2 of 2):
Comments
September 13, 2010
Playgrounds and privacy: Finding the balance in protecting consumers and catching criminals (Part 1 of 2)
Many, many years ago, when I was an elementary school student, I experienced the excitement of that now-defunct practice called "recess." This outdoor break in the school day allowed students to blow off steam, get some exercise, and learn social playground skills. It also allowed weary teachers to have a break from us. One of my favorite things on the playground was the "teeter-totter," the simple, two-person balancing board affixed to a fulcrum. The boredom of just going up and down was interrupted by doing so with force and speed or by surprising one's partner by jumping off, thereby causing the other party to descend rapidly, sometimes causing his/her bottom to hit the ground before the feet. More challenging, however, was the concept of the two riders trying to position themselves so that the teeter-totter would actually balance itself in a way that both parties would be suspended off the ground. Great fun!
Balancing data privacy rights
Strangely, this activity bears a strong resemblance to what we find ourselves doing in the payments system today as we try to balance a consumer's right to data privacy with a service provider's responsibility to protect a customer from financial loss. Achieving this balance has become a time-consuming and expensive activity for the payments industry and for law enforcement agencies charged with catching bad guys after they breach protected files.
The responsibilities inherent in providing data privacy protection are complicated because data privacy laws today are set largely at the state level. Consequently, some variance exists in due diligence. Companies whose customers span multiple states struggle to deal with different requirements and remedial actions should a data breach occur. Frequently, a company adopts procedures that comply with the most rigid of the laws, in essence satisfying the "greatest common denominator," the effect of which is to gravitate toward a de facto national standard in federal laws on data privacy.
Responsibilities in managing data breaches
No fewer than 24 federal laws exist today that attempt to protect the privacy of some aspect of our personal and business lives. However, there is no overarching federal legislation in place that specifically addresses financial data privacy. Such bills have been drafted, but they are logjammed in Congress behind more pressing matters. At the state level, virtually all states have some form of financial data privacy legislation on the books. For the most part, the banking industry has looked at the construct and verbiage of the 2002 California law as the standard of care for all. In essence, the law requires a company to report any breach in which a customer's name is compromised in combination with a Social Security number, a driver's license number, or any bank account information, including debit and credit card numbers. More recently, in March, Massachusetts adopted a seemingly more stringent law that speaks less to the need for post-breach remedial action and more to the prevention of breaches in the first place. In this way, data privacy legislation seems to be converging with the "commercially reasonable" data security requirements of Article 4A of the Uniform Commercial Code.
Ultimately, trouble arises when organizations are forced to guess what standards are commercially reasonable. Trouble also arises when companies attempt to minimize exposure by extending the definition of protected data to include non-personal information, such as company names and other identifiers resident in payment transaction records. While courts will have to sort out the first issue, the practice of businesses adopting self-imposed, expanded data protection standards is another matter.
The problem here is twofold. First, excess caution will inevitably lead to higher costs that have to be recovered elsewhere in a bank's profitability formula. Frequently, this occurs through the institution of some form of account. Second, over-interpretation of laws creates barriers to effective industry controls and processes for detecting and mitigating fraud, as well as making the regulatory and law enforcement aspects of fraud mitigation more cumbersome and expensive. Where, then, is the balance point on this teeter-totter of financial privacy?
Where do we go from here?
Unfortunately, the answer may ultimately lie in creating some umbrella national legislation that tries to strike the right balance. Such legislation must allow for a cadre of "trusted parties" who bear the responsibility for protecting data as a price for collecting it so as to reduce financial crimes. As a consumer, I certainly don't want anyone misusing my personal information, but I also want those who do so to get caught and pay the price. It is only then that the cycle of improvement can take place—more forcible enforcement, more prison terms, fewer bad guys in the market, less privacy invasion, fewer sleepless nights. Inevitably, the balance point on a teeter-totter only occurs when one party pushes off first—and that may be the regulators and law enforcement.
By Rich Oliver, Executive Vice President of the Atlanta Fed and Director of the Retail Payments Risk Forum
September 13, 2010 in data security, privacy | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c0133f42c1b29970b
Listed below are links to blogs that reference Playgrounds and privacy: Finding the balance in protecting consumers and catching criminals (Part 1 of 2):
Comments
March 29, 2010
Synthesizing the mobile ecosystem: Resolving customer problems in mobile payments clearing and settlement models
The folks engaging in the early stages of the mobile payments industry have coined the term "mobile ecosystem" to describe the environment into which they are trying to merge the traditional roles of telecommunications with those of payments and banking. While some in this fledgling industry are already becoming disenchanted with the grandeur of the "ecosystem" terminology, the concept does suggest a useful model for thinking about the challenges faced in this new arena.
A few weeks ago I received a new issue of National Geographic that contained a fantastic article (and even more fantastic pictures) of the unique ecosystem of the African island nation of Madagascar. The ecosystem of this large island, located off the southeastern coast of Africa, has yielded an extraordinary collection of plants and animals that live in a tropical setting interrupted by some truly anguished geological formations. The local ecosystem is, of course, actually a collection of subsystems (plants, animals, climate, topography, etc.) that have adapted over time to work seamlessly together. For example, large families of lemurs leap fearlessly and safely among knife-sharp rock formations because their hands and feet have developed coarse, leather-like padding over thousands of years.
In the mobile ecosystem, we see a similar makeup of subsystems that must work together. The technology and operational components, while not trivial, are clearly achievable, and many are in place today. The challenges that lie ahead, however, are in the sub-ecosystems of law, regulation, data security, data privacy, customer care, and profitability. Depending on the nature of some of the mobile payment solution alternatives, the banking and the telecommunications industries find themselves wondering if they can coexist on the same island. Is there enough value to the customer to generate the revenue necessary to fund a mobile payments initiative? Who gets or shares the revenue? Who is responsible for data security and authentication, and how does that credential or certainty get passed along the mobile payment supply chain? Who resolves the customer's problem if a mistake is made? What consumer protection rights exist in case of error or fraud, and do those rights change depending on whether a traditional payments system is used to settle the transaction? Are proven models in other countries transportable, or are the characteristics of the economics and user base too different?
With respect to customer care and protection, I recently asked an audience of representatives from the full span of the mobile payment value chain, "Who owns the customer in a mobile transaction?" Gratifyingly, they agreed they all did. However, the true ownership response may ultimately depend on the nature of the transaction and agreement on who is liable if anything goes wrong. Take the case of a person-to-person payment initiated by Consumer A (Barbara Buyer) to Consumer B (Gloria Girl Scout's Mom) for payment of six boxes of Girl Scout cookies (three Thin Mints and three Trefoils). In a telephone-based clearing model, Barbara would enter the requisite $21 in the payment instruction and designate the phone number of Gloria's mom in the recipient field, and both their phone bills would be adjusted accordingly. Now suppose that Barbara was distracted by her daughter's chiding that she really wanted Samoas and carelessly entered $210. Since the payment never went through the payment system, Barbara Buyer cannot rely on traditional banking regulatory protections or problem resolution processes. She must resolve the problem with her phone provider, who has already credited Gloria's mom. Alternately, given PayPal's March 16 announcement of an iPhone app to send money to another person, PayPal's resolution procedures could be in play.
If, however, Barbara's phone company clears the transaction through a mobile service ACH backend, or Barbara pays Gloria's mom through a P2P service offered by her bank, the error resolution process is likely through normal banking customer service channels, and the adjustment process may be managed differently, assuming an adjustment process is contractually spelled out in either case. In reality, Barbara would probably get Gloria's mom to write her a check for $189 to straighten things out. While this may seem like a trivial example, it does dramatize some of the issues that must be worked out in the new ecosystem of mobile payments to make such services work effectively for the customer's benefit.
Given these difficult challenges, it seems likely that various models will initially emerge within alliance groups (one phone company, one or more application providers, a few partner banks, etc.) before they begin to converge into one or more universal market models. Along the way, one hopes that the key participants can collaborate to anticipate the types of risk issues that could arrive in the real world so that the consumer's experience turns out to be one that encourages growth. In the age of e-mailing, twittering, and facebooking, it is increasingly clear to me that mobile banking and mobile payments are in our future and that they will be a very attractive service to some key sectors of our population. However, they will be extremely slow to develop if critical mass issues such as those mentioned above are not resolved up front. In fact, this would be a good place for banks to try new, customer-friendly approaches to consumer education and disclosure that match the payment channel being used and the customer demographic.
By Rich Oliver, executive vice president, FRB Atlanta's Retail Payments Risk Forum
March 29, 2010 in authentication, data security, fraud, mobile banking, mobile payments, risk | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c0133ec4d8601970b
Listed below are links to blogs that reference Synthesizing the mobile ecosystem: Resolving customer problems in mobile payments clearing and settlement models:
The fight against fraud is not an easy one and the fact that the number of breaches has been decreasing lately is down to the hard work from various parties, including the PCI Security Standards Council.
PCI DSS reassures consumers that cyber crime is taken seriously by the whole industry and that their card details will not be compromised.