Who’s in Your Wallet? Stemming Credit Card Fraud

Theft of credit card data is now epidemic. Is the cure better standards or better technology?

CONTENTS

• EDITOR’S NOTE
• STOPPING CARD-NOT-PRESENT SCAMS: CURRENT AND COMING SOLUTIONS
• ANTI-FRAUD TOOLS TO RESCUE YOU FROM THE PLAGUE
• WHAT THE PCI SECURITY STANDARDS CAN AND CAN’T DO


EDITOR’S NOTE

How to Keep the Bad Guys Out and the Good Guys Buying

It used to be that you feared having your credit card data stolen when the card was actually lost or stolen. Today, though, the physical card doesn’t have to leave your wallet to have its data grabbed by thieves and used to make fraudulent purchases.

You probably know from your own experience this past holiday season: The number of online shopping transactions is skyrocketing. So too is credit card fraud. Today, the majority of fraud attempts happen via Web transactions, though that doesn’t mean we can be sanguine about mobile purchases. Indeed, no time can be lost in developing an awareness of, and responses to, credit card fraud. Efforts thus far include the Payment Card Industry’s standards and the development of new technology designed to root out fraudulent transactions and stop them, without turning away legitimate consumers.

The first two chapters of this Technical Guide examine online thieves’ current favorite tactic—card-not-present fraud—and how technological tools can be used to thwart such fraud. The final chapter looks closely at what PCI has attempted thus far, what’s working and whether the cost of implementing its standards is offset by the benefits to businesses.

It’s a balancing act—stopping purchases made with stolen credit data without denying legitimate purchases. Hardening your system against cybercriminals can make it tough for consumers too—who may take their business elsewhere if an online site proves too frustrating to use.

Read on, then, to get the latest info on credit card fraud, on industry guidance, and on how to make your system pleasant for consumers but not for criminals.

Brenda L. Horrigan, Ph.D., Associate Managing Editor
Networking Media Group, TechTarget


Stopping Card-Not-Present Scams: Current and Coming Solutions

In 2014, the U.S. Department of Commerce estimates, shoppers spent almost $300 billion via the Internet (a number it expects will grow in future years).

There was a significant number of online fraud attempts, too—and about 78% of those were made through website applications. In contrast, only 3% of fraud attempts were made via mobile applications. “Card not present” fraud has become the tool of choice for cybercriminals; because there is no need to steal the card itself (only its attributes), customers are typically unaware of the theft until after fraudulent transactions have occurred. Additionally, fraudsters’ ability to rapidly shift tactics among endless types of Internet transactions or phone orders makes this activity lucrative and difficult to detect.

Yet payment card fraud is not merely a risk to the unsuspecting customer. Companies have skin in the game too, and many correctly see transaction security as a way to reduce chargeback and fraud-related fees. Transaction security is also beneficial to consumers, reassuring them that they are safe sharing their payment card data when purchasing products and services online.

In this chapter, we’ll review the current and emerging controls to thwart card-not-present payment card schemes, and how merchants should use these controls as part of their fraud-prevention programs.

CVCS AND FRAUD PREVENTION

Card verification codes, known more commonly by their shorthand names CVC1 and CVC2 (or CVV1 and CVV2), were introduced in the late 1990s by card issuers to combat card-not-present and card-cloning fraud schemes.

CVC1 is an encoded validation for a swiped card that is stored on track 2 of the magnetic stripe of a card; CVC2 is a validation number that is merely printed on the physical card. These innovations are designed to help reduce the overall value of digitally stored credit card information.

It is difficult to process an online transaction without the card number and the CVC2 value, and since merchants are not allowed to retain CVC2 data, stolen or leaked card numbers alone have minimal value without the accompanying CVC2 numbers. However, it should be noted that recent malware samples seen in the wild have been able to capture this information during point-of-sale transactions. This is exactly the process employed in major data breaches at retailers including Target Corp. and Home Depot Inc. Attackers aimed to steal millions of payment card records, sell them on the black market and subsequently use the card data for fraudulent card-not-present online transactions.

Unfortunately, not all merchants validate or even require the CVC2 code for online transactions, which is a key reason why card data theft is rampant: Fraudulent card-not-present transactions are often both easy and profitable.

Chip and PIN is an initiative that strives to take security efforts a step further. Chip-and-PIN cards store payment data on an encrypted microchip, either instead of or in addition to the mag stripe data. They also require a PIN, like an ATM card, in order to process a transaction. It would be impossible to clone a card that uses the chip function, and if a card were lost or stolen, the PIN would prevent the card from being used fraudulently.

But even Chip-and-PIN technology would likely do little to thwart card-not-present fraud in the U.S.; since the PIN is designed to replace the signature verification in a point-of-sale transaction, future online transactions will likely continue to require merely a credit card number and occasionally a CVC2 (CVV2). The sad reality is that as Chip-and-PIN rollouts make point-of-sale fraud harder, criminals will see card-not-present fraud as the path of least resistance, increasing its prevalence.

PREVENTING CARD-NOT-PRESENT FRAUD

Effective business intelligence—that is, the technical implementation of common sense—is needed to further reduce a company’s exposure to online fraud. But implementing controls that are both effective and not overly burdensome on the merchant is a difficult process.

For instance, a transaction that represents a significant deviation from a customer’s normal purchasing behavior (because of items purchased, value of the transaction, time of day and the like) is usually a reliable indication of fraud. But codifying every conceivable situation or combination of attributes that would make a transaction stand out from a common-sense perspective is limiting and expensive to implement. New technology must be deployed into the process chain to not only detect potential fraud, based on common sets of rules, but also work inside a global intelligence network.

Ultimately, enterprises should move toward a combination of automated transaction checks (also known as velocity checks) and regular manual review to reduce overall exposure to the problem of fraud. Business risk tolerance always varies from one merchant to the next; hence, organizations need to put the right stopgap measures in place that make sense to them. The goal should be to ensure that systems are working and that opportunities to reduce criminal activity are part of normal business processes.

From an automation perspective, the Address Verification System (AVS) has proven to be an effective tool. AVS is a widely used system managed by Visa and supported by all the major U.S. card brands. For many years, it has supported fraud prevention by verifying the address of cardholders prior to processing a transaction. Although not foolproof, according to Visa the immediate verification of billing address information can reduce a company’s fraud losses by 50%. This is because most stolen credit-card data does not include billing information.

Other automated transaction checks sourced locally—that is, fraud-prevention controls—might include detecting multiple cards used from the same IP address or multiple cards being used to pay for goods shipped to a single address.

Manual review of transactions cannot be overlooked as a means to prevent fraud, and it is one of the easiest ways to prevent losses and add value for customers. Detecting odd transactions and performing manual reviews and validations helps identify a suspicious transaction (such as a rush or overnight shipping transaction disproportionate to the items purchased, or big-ticket items purchased for shipment overseas). Performing what’s called a set-up authentication of a transaction, like calling customers to thank them for their orders, for particularly suspicious-looking transactions ensures that the cardholder indeed intended for the transaction to take place.

New breeds of technology are starting to enter the market to detect card-not-present fraud. They are designed to help companies make automated transaction-approval decisions by analyzing hundreds of data points collected from local transactions and also intelligence from other similar companies using transaction data sharing services. However, as with any fraud-prevention control, businesses also need to weigh the protections put into place against the overall customer experience—that is, consumer satisfaction with the transaction process and cost.

A complete fraud-prevention program must use more than automated tools; it must take a layered approach that combines the latest technology, a close working relationship with payment processors and the ability to combine company data and manual processes in a fraud intelligence program. Automated tools will increasingly become essential for all types of Internet-based transactions and could be applied well beyond the moment of purchase. But nothing will replace sound business logic and implementing core risk-reduction practices.

—David Nathans


Anti-Fraud Tools to Rescue You from the Plague

There are new breeds of technology being placed into networks today that focus on the payment fraud epidemic. These badly needed innovations allow organizations to detect and monitor, and also stop, fraud in its tracks.

The good news is that these tools for banks, merchants and other high-transaction businesses begin to work almost before a transaction is ever made—in less than 40 milliseconds: That’s equivalent to the time it takes for sound to travel 20 feet. The area of advanced transaction analytics is perhaps the most promising of these technologies, and the emerging uses of analytics for fraud prevention are what we’ll discuss in this chapter.

Despite the exponential expansion of technology to support global electronic commerce, fraud rates have remained extremely high. Overseas transactions allow organizations little to no opportunity to perform enhanced authentication or validation for potentially high-risk transactions. Credit card companies are working hard to build new technology and replace the older Address Verification System with deeper analytical consumer authentication services. The fact that payment fraud is a global problem makes the fraud harder to mitigate, not easier as one might think; not everyone in the world uses the same type of credit cards, technology or even the same business models.

EMERGING FRAUD DEFENSE TECHNOLOGY

Vendors are developing new types of technology to step up the verification process and further validate or authenticate a transaction, because tried-and-true authentication methods like reaching out to customers personally are cost prohibitive (and result in lost sales and frustrated customers). Not to mention that in the world of high-volume transactions, such as digital media downloads, businesses don’t have built-in time during the transaction to search far and wide for potential red flags.

Automated analytics can accelerate the authentication process of a transaction, and do it in the background without interrupting the user’s experience or being intrusive in the transaction process. The technology relies on what’s known as velocity checks: These are checks that analyze the user’s online shopping habits, billing and shipping information and other relevant data points. Because a velocity check has the ability to look at that information and compare it to not only a local data repository but also a shared global intelligence network in near real time, it can give organizations the power to see odd changes, previously declined transactions or recent rapid use.

This information and accompanying analytics allow for the raising or lowering of confidence in a new transaction. Then, based on the analysis and the business’s risk tolerance, a decision can be made immediately and automatically to authenticate the user’s credentials, deny the transaction completely or simply accept and allow the transaction.

Transaction-confidence scores could be adjusted further by considering other variables, such as the attempted purchase of certain products that are more often bought in fraudulent transactions, the transaction history of a particular credit card or IP address, a high volume of transactions taking advantage of extreme discounts or other types of relevant velocity checks. Businesses tapping into these types of near-network-speed analytics can elect to do an out-of-band authentication on only the riskiest of transactions or just reject a transaction outright.
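One way the local velocity checks from the previous chapter (several cards from one IP address, several cards shipping to one address, recent rapid use or a prior decline of a card) feed the confidence score and the accept / step-up / decline decision described here, as an added example that is not code from the guide or from any vendor product it mentions; the signal weights, the thresholds, the 24-hour look-back and the sample transactions are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Txn:
    """One card-not-present order. The card is held only as a token;
    the merchant never retains CVC2."""
    txn_id: str
    ts: datetime
    card_token: str
    ip: str
    ship_addr: str
    amount: float
    avs_match: bool       # processor's AVS result: billing address matched
    rush_shipping: bool


# Risk points per signal. These weights and the thresholds below are
# assumed tuning values for illustration, not figures from the guide.
WEIGHTS = {
    "cards_per_ip": 25,            # several distinct cards from one IP
    "cards_per_ship_addr": 25,     # several distinct cards shipping to one address
    "rapid_reuse": 20,             # same card used repeatedly in the window
    "prior_decline": 20,           # card was declined recently
    "avs_mismatch": 20,            # billing address did not verify
    "rush_disproportionate": 15,   # rush shipping on a small order
}
WINDOW = timedelta(hours=24)      # look-back into the local repository


def velocity_flags(history, txn, declined_tokens=frozenset()):
    """Run the local velocity checks for `txn` against recent `history`
    and return the set of signal names that fired."""
    recent = [h for h in history if txn.ts - WINDOW <= h.ts <= txn.ts]
    cards_by_ip = defaultdict(set)
    cards_by_addr = defaultdict(set)
    uses_of_card = 0
    for h in recent:
        cards_by_ip[h.ip].add(h.card_token)
        cards_by_addr[h.ship_addr].add(h.card_token)
        if h.card_token == txn.card_token:
            uses_of_card += 1
    # The transaction under review counts toward its own IP and address.
    cards_by_ip[txn.ip].add(txn.card_token)
    cards_by_addr[txn.ship_addr].add(txn.card_token)

    flags = set()
    if len(cards_by_ip[txn.ip]) >= 3:
        flags.add("cards_per_ip")
    if len(cards_by_addr[txn.ship_addr]) >= 3:
        flags.add("cards_per_ship_addr")
    if uses_of_card >= 3:
        flags.add("rapid_reuse")
    if txn.card_token in declined_tokens:
        flags.add("prior_decline")
    if not txn.avs_match:
        flags.add("avs_mismatch")
    if txn.rush_shipping and txn.amount < 25.0:
        flags.add("rush_disproportionate")
    return flags


def risk_score(flags):
    """Sum the points of the signals that fired, capped at 100."""
    return min(100, sum(WEIGHTS[f] for f in flags))


def decide(score, step_up_at=30, deny_at=70):
    """Map a score to accept / step-up (out-of-band authentication) / decline.
    The thresholds express the merchant's risk tolerance; raising them during
    a holiday sale is how a merchant avoids declining too many legitimate orders."""
    if score >= deny_at:
        return "decline"
    if score >= step_up_at:
        return "step-up"
    return "accept"


def evaluate(history, txn, declined_tokens=frozenset(), **thresholds):
    """Full pipeline: flags -> score -> decision."""
    flags = velocity_flags(history, txn, declined_tokens)
    score = risk_score(flags)
    return score, decide(score, **thresholds), flags


# Constructed sample data (documentation IP ranges, fictitious tokens).
T0 = datetime(2015, 1, 10, 12, 0)
HISTORY = [
    Txn("h1", T0 - timedelta(hours=3), "card-A", "203.0.113.7", "1 Main St", 80.0, True, False),
    Txn("h2", T0 - timedelta(hours=2), "card-B", "203.0.113.7", "1 Main St", 60.0, True, False),
    Txn("h3", T0 - timedelta(days=3), "card-C", "203.0.113.7", "9 Elm Rd", 40.0, True, False),
]
# Third card from the same IP shipping to the same address, AVS failed, rush on a $15 order.
SUSPECT = Txn("t1", T0, "card-D", "203.0.113.7", "1 Main St", 15.0, False, True)
# Third card from that IP but a fresh address and only an AVS miss: step-up, not decline.
STEP_UP = Txn("t2", T0, "card-F", "203.0.113.7", "5 Pine Ct", 200.0, False, False)
NORMAL = Txn("t3", T0, "card-E", "198.51.100.4", "22 Oak Ave", 120.0, True, False)

if __name__ == "__main__":
    for t in (SUSPECT, STEP_UP, NORMAL):
        score, verdict, flags = evaluate(HISTORY, t)
        print(f"{t.txn_id}: score={score:3d} {verdict:8s} {sorted(flags)}")
```

Note that `h3` falls outside the 24-hour window and so does not count toward the per-IP tally; a shared intelligence network would replace `HISTORY` with a much wider view of the same signals.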

THE WAY FORWARD: IMPLEMENTATION AND STRATEGY

Applying fraud-detection analytics as a security control saves both time and money, not only by preventing fraudulent credit card transactions, but also by helping to raise customer confidence. The card issuer mostly covers the costs for losses from counterfeit cards that occur at the point of sale, while the merchant losses occur mainly on card-not-present transactions through the Web or via mail order. According to fraud statistics, annual global losses are increasing exponentially, so it is in everyone’s best interest to put protections in place.

Employing the right technology today to protect your organization from fraud online will have a substantial return on investment now and well into the future. As chip-and-PIN technology comes to the United States, fraudsters will move their focus to e-commerce, and the subsequent losses from fraud will move from the card issuers to the merchants.

The number one action that companies need to take is to implement e-commerce transaction intelligence tools as soon as possible. Don’t wait. The threat is increasing daily; the sooner technologies to prevent fraud are implemented, the sooner they can save you money.

Common mistakes to look out for include setting too high a confidence threshold on the rules, which could cause an increase in the decline of legitimate transactions. Also, companies often fail to properly train staff to use the technology to analyze the system for trends. Be sure to set your rules to change during holiday seasons or during sales to ensure you are not declining too many transactions and turning customers away.

Costs associated with the implementation of these technologies vary depending on your transaction volume as well as the number of transaction sources you need to protect. Be sure to evaluate the costs associated with chargebacks to ensure that the technology you implement gives you an appropriate return on investment.

Doing the proper implementation, internal training and tuning of the technology will ensure that you are able to protect your valued customers, your brand and your bottom line.

—David Nathans


What the PCI Security Standards Solution Can and Can’t Do

The questions about whether the Payment Card Industry’s Data Security Standard is working to protect consumer data have resurfaced in the aftermath of recent high-profile breaches. As a former risk auditor, I’ve questioned the value of PCI requirements and whether this baseline assessment is working better than unsanctioned alternatives. It is unfair to make this assertion, however, without elaborating on how working is defined and what variables contribute to this approach.

The objective of PCI compliance is to reduce fraud by protecting debit and credit card information in retailers’ processing environments. There is a decent amount of conjecture on this topic, however. My approach is to take the objective at face value and to evaluate PCI DSS on its ability to reduce risk to the credit card ecosystem.

To determine whether PCI compliance is working, let’s assess the data security standard based on its ability to reduce risk in organizations within the constraints of available resources and opportunity costs. The questions implied by this “PCI economics” approach include the following:

1. Does PCI DSS reduce the likelihood or impact of a credit card data breach from occurring?

2. Are the costs of PCI compliance lower than the financial value at risk?

3. Are there alternatives to PCI compliance that could achieve the same benefit at a lower cost?

In the wake of the Target Corp. breach, it is worth considering the broader question: Is PCI DSS “enough” to meet the interests of all parties?


DOES PCI DSS REDUCE RISK?

The most important aspect of PCI DSS is its suitability to the task. Does applying the set of required controls make an organization less likely to have an incident or reduce the impact of one? On the surface, it’s easy to answer positively, given the breadth and prescriptive nature of the data security standards. But we need to dig deeper.

All organizations (except brand-new ones) start with controls in place prior to implementing PCI DSS. Most enterprises do something even if it isn’t required, so we first need to tease out the specific effect that PCI DSS has had on risk. In economic terms, this is defined as the marginal utility of PCI DSS, and here’s where things get tricky.

One way to determine whether PCI DSS is reducing risk is to see if incidents of credit card data loss have decreased since PCI controls such as encryption, access control and vulnerability scanning were instituted. The beauty of this outcome-based approach is that it cuts to the heart of the matter—fraud incidents. (While credit card information disclosure is the focus of the risk described in this article, it is worth noting that the “truer” risk is associated with the actual fraudulent usage of this information. Only a fraction of disclosed credit cards are successfully used for fraud.)

If these numbers are going down, it is reasonable evidence that PCI DSS has reduced risk. But if fraud is increasing, this outcome-based approach isn’t fair, because it doesn’t account for growth in transaction volume.

A better way to determine the marginal utility of PCI DSS is to compare the number of incidents within a PCI-scoped population to a similar one that doesn’t fall under PCI DSS constraints. (See the back-of-the-envelope-style calculations in my blog “Is PCI Working?”) If the percentage of organizations that experience incidents in the PCI-compliant group is lower than that in the non-PCI-compliant group, then PCI DSS does reduce risk. Unfortunately, it is difficult to find and define that non-PCI control group.

Another way to answer this question is to isolate the new controls implemented because of PCI DSS and evaluate their net effect on reducing risk. According to the Verizon 2014 PCI Compliance Report, “In 2013, companies were compliant with an average of 85.2% of controls.” If this was the first year of PCI DSS we could assert that PCI compliance is responsible for adding that extra ~15% of controls to an environment. But it is not clearly specified that these measures reflect the initial audit and, ultimately, these companies must implement 100% of controls in order to pass.

Since it is reasonable (albeit pessimistic) for advocates to suggest that businesses implement at least some portion of the 85% of controls in preparation for the PCI audit, we must determine for ourselves what portion of the controls were implemented because of PCI-compliance goals. To gain insight into this, look at adoption rates for specific controls across all enterprises, not just PCI-regulated ones. Presumably, these overall numbers will be lower than the PCI-only population; if they are the same or higher, then the argument that PCI compliance was responsible for the control is a specious one.

PCI requirements contribute significantly to increased adoption of encryption and monitoring and have a positive impact on privileged accounts and separation. But the other controls in the regulation are already in place in organizations or required by other audits. These extra controls are unlikely to contribute to a reduction in incidents.

The challenge with all of the controls is that IT environments are so complex that applying and managing these controls with enough breadth and depth to make a difference is close to impossible. However, it is reasonable to suggest that PCI DSS is reducing risk. Nevertheless, there are still more questions to answer.

IS PCI COST-EFFECTIVE?

The second question is whether PCI compliance is cost-effective. In order to determine this, we need to look at the cost of implementing the program and compare it to any net benefit. If you don’t believe PCI is reducing risk, then this question is moot.

Assuming PCI DSS reduces risk, the goal is to understand the costs associated with the PCI-compliance program. We evaluate marginal costs in the same way as marginal utility: Only those costs that are associated with the regulation itself should be counted. These costs must be compared to the benefits or the amount of reduced risk. If costs are higher than the benefits, the PCI program isn’t working.

The key to measuring the benefits is to look at the anticipated losses due to the additional controls. Calculating losses is getting easier as more public information becomes available about response and recovery costs, and liability and notification costs, related to high-profile breaches. Of course, estimating the losses associated with a lower amount of future revenue is much harder, but there is little evidence that incidents have long-term impact.

But just looking at the loss potential neglects the uncertainty of future events. The probability that the event may happen must be factored in. Contrary to the popular belief that “everyone is compromised,” some discounting must be done to align potential events with periods of time. This is no easy task.

Given the challenges of calculating risk outright, we have to create a practical test that is not quite as good. In this case, we can perform a break-even analysis. When we spend money on technology, we affirm that the purchase is “worth it.” In the technology risk field, this means we’ve lowered risk by more than we are spending and we can evaluate scenarios that would either support or refute that notion: A $100,000 purchase is worth it when it replaces a 1% chance of losing $10 million, a 10% chance of losing $1 million and so on, up to a 100% chance of losing $100,000.

    It is important to remember that these mar-ginal costs address marginal utility, which means we isolate the PCI-compliance spending and compare it to the incremental risk that is

    With the public expectation of perfection, we are in a bind. Any credit card information lost through a breach is too much.

    http://searchsecurity.techtarget.com/opinion/Return-on-security-investment-The-risky-business-of-probabilityhttp://searchsecurity.techtarget.com/opinion/Break-even-analysis-The-highs-and-lows-of-risk-and-ROSI

  • HOME

    EDITOR’S NOTE

    STOPPING

    CARD-NOT-PRESENT SCAMS:

    CURRENT AND COMING

    SOLUTIONS

    ANTI-FRAUD TOOLS

    TO RESCUE YOU FROM

    THE PLAGUE

    WHAT THE PCI

    SECURITY STANDARDS

    CAN AND CAN’T DO

    WHO’S IN YOUR WALLET? STEMMING CREDIT CARD FRAUD14

    STANDARDS SOLUTION

    reduced by this activity. Therefore, it is pos-sible to conclude that PCI compliance not only reduces risk but is also cost-effective. Ultimately, I have a hard time believing that all the money spent on PCI compliance is actually reducing risk by, at least, the same amount.

    DOES PCI PROVIDE THE GREATEST RETURN?

    If you thought questions No.1 and No. 2 were difficult, then question No. 3 is even harder. It brings up the possibility of opportunity cost: the idea that some alternative approach, which isn’t sanctioned by PCI DSS, could actu-ally reduce risk by more than a standardized control.

    Say, for example, an organization is better off migrating from a signature-based antivirus technology to an endpoint container. At this point in the evaluation process, the sky’s the limit when it comes to reviewing and evalu-ating technology risk options for protecting credit cards. The only difficulty is that the PCI Security Standards Council may elect to levy a fine on companies that are not compliant.

    This, too, must be factored into the costs of the alternative control.

    A small but growing contingent of organiza-tions has decided that it is better off accepting the possibility of being fined than paying the up-front costs for control mechanisms that it believes are ineffective to address PCI require-ments. Question No. 3 is also the point where organizations that answered “yes” to questions No. 1 and No. 2 are unlikely to budge from their position, and those that answered “no” have better things to do—like protect their environ-ment (sorry, I couldn’t help myself).

Is PCI DSS enough? Regardless of the answers to the first three questions, the challenge of determining whether PCI compliance is enough is huge, considering that the public-facing test revolves around a breach incident. With the public expectation of perfection, we are really in a tough situation. Any disclosed loss of credit card information because of a breach is too much. We can say PCI compliance was never intended to provide complete protection—we can even retroactively revoke passed audits—but we can never escape the expectations.

https://www.pcisecuritystandards.org/


    DIFFERENT MINDSET NEEDED

    The true failure of PCI DSS is not in its attempt to attain perfection; it is the absence of proper cost-benefit analysis (instead of waving a magic wand). It appears that the PCI Security Standards Council is perfectly fine with using this same form of magic when determining the need for newer controls, such as chip-and-PIN cards.

Alternatively, the council has the authority, and the affected parties could gather the applicable information, to create metrics and measures that would help determine appropriate levels of protection. This information should relate to the value of the transactions, the volume of activity, the outcomes of controls, the number of control failures and the magnitude of losses.

    At some point, with the proper data, the credit card world could create a system in which organizations are responsible for their own security and—based on the level of risk these companies are willing to accept—set aside funds, or contribute to a reimbursement account, or purchase insurance, or create some other way to address the anticipated losses.

    It seems more likely that the PCI Security Standards Council will attempt to strengthen the prescriptive, controlling nature of its requirements, still aiming for that perfection it cannot achieve. And that would be a shame.

    —Pete Lindstrom


ABOUT THE AUTHORS

PETE LINDSTROM is principal and vice president of research for Spire Security. He has held similar positions at Burton Group and Hurwitz Group. Lindstrom has also worked as a security architect for Wyeth Pharmaceuticals and as an IT auditor for Coopers and Lybrand and GMAC Mortgage. Contact him at [email protected], on Twitter @SpireSec, or on www.spiresecurity.com.

DAVID NATHANS is a consultant on enterprise security programs development, security operation centers and other cybersecurity topics. A former CISO for a defense contractor, he has also worked as a global security operations center manager for a major managed security service provider. Prior to that, he was a cyber-operations officer for the U.S. Air Force.

    This Technical Guide, Who’s in Your Wallet? Stemming Credit Card Fraud, is a Security Media Group e-publication.

    Robert Richardson | Editorial Director

    Eric Parizo | Executive Editor

    Kara Gattine | Executive Managing Editor

    Brenda L. Horrigan | Associate Managing Editor

    Kathleen Richards | Features Editor

    Sharon Shea | Assistant Editor

    Madelyn Bacon | Assistant Editor

    Linda Koury | Director of Online Design

    Neva Maniscalco | Graphic Designer

    Doug Olender | Senior Vice President/Group Publisher [email protected]

    TechTarget 275 Grove Street, Newton, MA 02466

    www.techtarget.com

© 2015 TechTarget Inc. No part of this publication may be transmitted or reproduced in any form or by any means without written permission from the publisher. TechTarget reprints are available through The YGS Group.

About TechTarget: TechTarget publishes media for information technology professionals. More than 100 focused websites enable quick access to a deep store of news, advice and analysis about the technologies, products and processes crucial to your job. Our live and virtual events give you direct access to independent expert commentary and advice. At IT Knowledge Exchange, our social community, you can get advice and share solutions with peers and experts.

    COVER ART: THINKSTOCK
