Fraud Update



PCI compliance is a problem for more than 85 percent of merchants, according to Paul Giardina, Senior Vice President of Marketing at Protegrity, a Stamford, CT, company that provides data protection technology.
Giardina, who discussed these security issues at the 2006 Teradata Partners Conference in late September in Orlando, FL, says that companies should pursue “defense in depth,” adding different layers of security as the risk and the value of the data to be protected increase.
PCI is one of several new laws that businesses have had to concern themselves with over the last few years, according to Giardina. It incorporates some of the elements of Canada’s PIPEDA, HIPAA, several state laws and other international regulations.
Visa and MasterCard have required compliance for more than 18 months so that merchants can protect themselves from fines in the event of a data breach, yet only 15 percent had met PCI standards by January, according to a Visa survey. A Protegrity survey showed similar results.
According to the Protegrity survey, less than 5 percent of merchants had passed the PCI assessment and a little more than 30 percent had started their assessment. Nearly 20 percent failed their initial PCI assessment, about the same percentage that said they were just starting the PCI compliance process. Fully one-quarter of merchants had yet to start their PCI compliance process.
Even though the percentage from Visa’s survey has doubled in the last nine months, the large majority is still short of the standard, which comprises 12 different requirements (for more information, see www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf).
Giardina recommends prioritizing projects based first on which security holes present the highest risk to the company (for example, adding firewalls for personal computers) and then using ease of implementation as a secondary prioritizing factor.
So firms should first test themselves against each of the 12 PCI requirements, rate the risk factor from 1 (low) to 5 (high), and do the same for the difficulty of fixing each security deficiency. “Go for the low-hanging fruit,” Giardina says.
Following this approach also shows that a firm is taking a methodical approach to data security, one of the factors that regulatory authorities use in determining an organization’s liability.

Visa USA and the U.S. Chamber of Commerce recently listed the following as the five top causes of data breaches and protection solutions:

Storage of magnetic stripe data

The most common cause of data breaches occurs when a merchant or service provider stores sensitive information encoded on the card’s magnetic stripe, in violation of the PCI Data Security Standard. This can happen because a number of POS systems improperly store this data, and the merchant may not be aware of it.
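One way a merchant can check for this condition is to scan stored POS records for full Track 1 or Track 2 data rather than just a truncated PAN. The following is an added example, not code from the original article or from Protegrity or Visa; the sample records are constructed, and the Track 1/Track 2 layouts assumed are the standard magnetic stripe formats (PAN, separator, expiry, then discretionary data).

```python
import re

# Constructed sample records, as a POS log or database export might look.
# Record 0 stores full Track 2 data and record 1 full Track 1 data, both of
# which PCI DSS forbids storing after authorization; record 2 keeps only a
# truncated PAN and is acceptable.
SAMPLE_RECORDS = [
    "txn=1001 auth=OK data=4111111111111111=25121010000012345678",
    "txn=1002 auth=OK data=%B5555555555554444^DOE/JANE^2512101123400000000?",
    "txn=1003 auth=OK pan=411111******1111 exp=2512",
]

# Track 2: PAN (13-19 digits), '=' separator, YYMM expiry, then more digits.
TRACK2_RE = re.compile(r"(?<!\d)(\d{13,19})=(\d{4})\d*")
# Track 1: '%' format code 'B', PAN, '^' cardholder name '^' YYMM expiry.
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})")


def luhn_ok(pan: str) -> bool:
    """True if the digit string passes the Luhn check; cuts false positives."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the truncation PCI DSS allows."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(record: str) -> list:
    """Return (track, masked_pan) findings for one stored record."""
    findings = []
    for m in TRACK1_RE.finditer(record):
        if luhn_ok(m.group(1)):
            findings.append(("track1", mask_pan(m.group(1))))
    for m in TRACK2_RE.finditer(record):
        if luhn_ok(m.group(1)):
            findings.append(("track2", mask_pan(m.group(1))))
    return findings


def scan_records(records) -> dict:
    """Map record index to findings; an empty list means nothing prohibited."""
    return {i: find_track_data(r) for i, r in enumerate(records)}
```

Run `scan_records(SAMPLE_RECORDS)` against a real export only after pointing it at the merchant's own tables; the masked output avoids copying full PANs into the scan report.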

Missing or outdated security patches

In this scenario, hackers are able to penetrate a merchant’s or service provider’s systems because up-to-date security patches have not been installed, leaving those systems vulnerable to intrusion.

Use of vendor supplied default settings and passwords

In many cases, merchants receive POS hardware or software from outside vendors who install them using default settings and passwords that are often widely known to hackers and easy to guess.

SQL Injection

Criminals use this technique to exploit coding vulnerabilities in Web-based applications and to attack a merchant’s Internet applications (e.g., shopping carts). According to Protegrity’s Giardina, SQL injection is one of the newly popular intrusion methods that hackers are using today.
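The coding vulnerability behind SQL injection is string-building a query from user input. Below is an added example (not from the original article) showing a shopping-cart lookup written both ways against a constructed in-memory SQLite table, so a reviewer can see why the parameterized form is the fix; the table, rows and function names are assumptions for the demonstration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory shopping-cart table with sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE cart (cart_id TEXT, customer TEXT, item TEXT)")
    con.executemany("INSERT INTO cart VALUES (?, ?, ?)", [
        ("c-100", "alice", "laptop"),
        ("c-200", "bob", "headphones"),
        ("c-300", "carol", "printer"),
    ])
    return con


def cart_items_vulnerable(con: sqlite3.Connection, cart_id: str) -> list:
    """Concatenates user input into the SQL text: the injectable pattern."""
    sql = "SELECT item FROM cart WHERE cart_id = '" + cart_id + "'"
    return [row[0] for row in con.execute(sql)]


def cart_items_safe(con: sqlite3.Connection, cart_id: str) -> list:
    """Parameterized query: the driver binds cart_id as a value, never as SQL."""
    rows = con.execute("SELECT item FROM cart WHERE cart_id = ?", (cart_id,))
    return [row[0] for row in rows]


def leak_check(con: sqlite3.Connection, lookup, cart_id: str) -> bool:
    """Regression check for a lookup function: True if a cart id that exists
    nowhere in the table still returns rows, i.e. input reached the SQL."""
    return len(lookup(con, cart_id)) > 0
```

A tautology probe such as `"c-100' OR '1'='1"` makes `leak_check` return True for the vulnerable function and False for the parameterized one, which is the assertion to keep in the test suite after the fix.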

Unnecessary and vulnerable services on servers

Servers are often shipped by vendors with unnecessary services and applications enabled, although the user may not be aware of it. Because these services are not required, their security patches and upgrades may be ignored, leaving the merchant’s system exposed to attack.

As part of its effort to help businesses keep their data secure, the U.S. Chamber is distributing the Visa security alert to its full membership of small and mid-sized businesses nationwide. In addition, the Chamber will be working with its national network of local chambers of commerce to ensure this information reaches as many businesses as possible. The Visa alert, along with answers to data security questions, can be found at the Chamber’s web page www.uschamber.com/sb/security.

The Global ATM Security Alliance and the ATM Industry Association recently released “Best Practices for Protecting the Customer’s Personal Bank Account and Identity.” This international manual brings together best practices for both multichannel security for financial services and the prevention of identity theft. The publication represents the minimum security guidelines for fraud management within the retail banking environment.
The idea for the best practices arose when cross-channel fraud increased markedly last year, with compromises at one delivery channel, whether on POS devices or during Internet banking, leading to fraud committed at, say, the ATM. In 2005, for example, well over 50 percent of ATM fraud in the US originated in POS compromises.

It’s 2007 (Almost.) Is Your Data Secure Yet?


by Heather Mark

From a security and privacy perspective, the payment services industry has seen a number of dramatic changes this year. From a new iteration of the Payment Card Industry Data Security Standard and the creation of the Payment Card Industry Security Standards Council to the increasingly active enforcement on the part of the Federal Trade Commission, the industry has had a number of new developments with which to contend. From a security practitioner’s perspective, perhaps one of the most significant changes, if not the most apparent, has been the growing focus on information privacy rather than on security alone. The issue of information privacy has been prominently featured in the headlines of 2006. According to the Privacy Rights Clearinghouse (www.privacyrights.org/ar/chrondatabreaches.htm), more than 93 million records containing personal data have been exposed since the beginning of 2006. The types of data compromised run the gamut from research study results to customer records.
Privacy of personal data has garnered so much media attention that one might be led to believe that data privacy is an issue completely removed from more traditional conceptions of privacy. As Justice Brandeis defined it in 1890, the right to privacy is the “right to be let alone.” That definition has been further refined throughout the years to include, among other aspects, control over personal information. The issue of controlling personal information, though, has been a long-standing tenet of privacy, deriving from case law dating back to the late 19th century. The advent of technologies such as the internet and e-commerce has sped the proliferation of personal information and made the control of such information far more problematic than in years past.
In addition to the technological innovations that have made the sharing and dissemination of information easier, the development of new business models, affiliations, partnerships, joint marketing agreements and similar arrangements has made the sharing of customer information far more desirable than it may have been previously.
The terms information privacy and information security are frequently, and erroneously, used interchangeably. A previous article (April 2005) expanded on the differences between the two concepts. To reiterate the main differences: security is largely concerned with appropriate access to data, enforced through administrative, technical and physical protections, while privacy is primarily concerned with appropriate uses of data given the circumstances. Certainly the two are related: one cannot have comprehensive privacy practices without a sound information security program as the foundation. To use the terms interchangeably, however, is to potentially expose your company to extensive liability.
Just as ensuring the security of information does not ensure privacy, securing the Primary Account Number (PAN) does little to ensure the protection of privacy. The payments industry has made great strides in recognizing its obligation to protect sensitive data such as credit card account numbers. But that component may be only one facet of the sensitive information that is collected and stored by companies throughout the industry. Consider gift cards and loyalty programs. The amount of personal data stored in order to facilitate those programs goes beyond an account number. Frequently, service providers hold not just the account number but name and address as well. That data must also be protected from unauthorized use and disclosure.
Most companies are by now familiar with the questions to ask to determine their level of security. Those same companies, though, may be much less familiar with the questions to ask to determine the level of privacy afforded by their information practices. Following is a brief list of questions that one can ask to gauge corporate privacy practices.
What data is collected and stored? Surprisingly, though many companies have addressed their PCI compliance obligations, they are still unsure as to the extent of personal information that resides within their network. Understanding exactly what data is stored is essential to ensuring the privacy of that data.
Is this data strictly necessary for the provision of services or products? Many companies collect more data than is strictly necessary to facilitate the business relationship. Though this may be convenient to enabling market research, direct marketing efforts and other secondary uses, it may expose the company to liability if that data should be compromised.
Who has access to the data in question? This question is essential to both security and privacy. Again, access to data should be granted only on the basis of “need-to-know.” Many companies have been negatively impacted by disgruntled employees who had been granted privileges not commensurate with their roles and responsibilities. In addition, employees should be trained on both security and privacy policies with respect to the data in question. There should be no ambiguity regarding their specific responsibilities to the data.
How does the data flow within my organization? Understanding your data flow can help you identify and remediate potential points of “data leakage,” or points at which unauthorized disclosure or access is most likely to occur.
With whom is the data shared? In today’s environment, companies have developed all manner of relationships with other companies. Inherent in those relationships is some level of data-sharing. Before sharing data with affiliates and partners, though, companies should contractually require that their partners maintain a comparable level of security and privacy. If possible, companies should understand the roles and responsibilities of the individuals within those companies who will have access to the data.
Does the publicly available privacy policy match actual practice? Most companies have posted a privacy policy on their website. It is vitally important that those policies match the actual practice of the company. In order to achieve a privacy policy that is consistent with the company’s practices, cooperation among all the teams that access and use the data is of paramount importance.
The above list is certainly not exhaustive, but does provide a starting point to begin evaluating privacy practices. In addition to asking these questions, and those in the same vein, a Privacy Impact Assessment may also be appropriate.
A Privacy Impact Assessment (PIA), according to the e-Government Act of 2002, which makes PIAs a requirement for government agencies, is defined as “an analysis of how information is handled: (i) to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy, (ii) to determine the risks and effects of collecting, maintaining and disseminating information in identifiable form in an electronic information system, and (iii) to examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks.” Privacy Impact Assessments, though mandated for government agencies, can also be extremely useful in the private sector.
A PIA can help companies understand their current privacy practices and can be used to determine the impact of changes to a system. A PIA not only assures organizations of the impact of change on their privacy practices; in conducting one, organizations also ensure that they have formalized a comprehensive privacy program. A typical PIA may include the following elements:

  • Responsibility for the data
    What roles and individuals are responsible for the systems containing private information? (e.g., Chief Privacy Officer, Security Manager, IT Manager)
  • Information about the systems
    What are the methods and applications used to collect and store the information? What business functions or departments are supported by these systems?
  • Description of the types of information held
    Does it pertain to customers, employees, or other individuals? Does the individual have the ability to “opt-out” of the data collection? Are the requirements to opt-out reasonable?
  • Description of the controls used to protect data
    This includes a description of the security controls that are in place to protect against a breach of the data.
  • Access to the data
    Which individuals or applications have access to the data and why? How is access determined (e.g., role-based access control)? What other agencies or entities have access to the data and why?
  • Attributes of the data
    Is the data accurate, timely and reliable? Is the data relevant?

Increased privacy awareness on the part of the consumers is going to have an immeasurable impact on the information practices of those companies in the payments industry. In 2007, companies should expect to look on privacy the same way that they have looked upon data security for the past several years. Helping your customers ensure consumer privacy can become an important competitive differentiator. I’ve stated previously that the focus on security denoted an important paradigm shift for the industry as a whole. That shift, rather than being disrupted, is only complemented by the focus on privacy. In fact, the focus on privacy is a logical conclusion to the shift. Marrying the concepts of security and privacy is a business and regulatory inevitability.