Sunday, January 07, 2007

With all the data breaches - something needs to be done!

There have been a lot of large data breaches in the past year, where anonymous sources pointed to a retailer (merchant) as the point of compromise. Of course, as in most data breaches, rumors are often "downplayed" and in some instances denied.

Card processors have been accused of maintaining information they shouldn't have, also.

The Privacy Rights Clearinghouse maintains a chronology of data breaches since 2005, which can be viewed here.

And a business would have good reason not to disclose everything. It could create a lot of negative publicity, which would have a negative impact on their bottom line.

This is probably one of the better arguments for legislation requiring full disclosure, when people's personal information is compromised.

Could it be that many of these data breaches are enabled by point-of-sale systems storing too much information that is poorly protected and therefore easily compromised (hacked) by criminals?

Last month, Visa International issued a press release offering $20 million in incentives to what they term Level 1 and Level 2 merchants to assist them in becoming compliant with the existing standard. It also mentions sanctions (fines) that will be imposed on merchants, who decide they aren't going to conform.

The press release states:

"Locking down cardholder data is an important security component that will benefit financial institutions and merchants, and is equally important to maintain consumer trust in Visa," said Michael E. Smith, senior vice president of Enterprise Risk and Compliance at Visa USA. "By combining both incentives and fines, we expect acquirers to increase their efforts with merchants to accelerate their progress toward becoming PCI compliant and eliminating the storage of sensitive card data. Nothing is more important to Visa than securing commerce."

According to the press release, "current PCI compliance among Level 1 merchants is at 36 percent and 15 percent among Level 2 merchants, with the majority in both levels actively working toward compliance."

The bottom line is that it appears the card issuers (themselves) are getting pretty sick and tired of all the data breaches. My guess is that the banks -- who deal with the customer fall-out -- are getting pretty tired of it, also.

After one of the many posts I've written about data breaches, I came into contact with a company called SecurityMetrics. SecurityMetrics provides a service to assist merchants in protecting their information.

Wen Free (Director of Business Development) told me that he believes breaches at the merchant level are becoming an "all too common" problem. Wen also told me that I would be shocked at how many merchants aren't in compliance and are storing information that isn't protected properly.

Wen pointed me to a tool developed by SecurityMetrics and MasterCard, where a business can run a free scan (https://www.securitymetrics.com/eval_scan.adp) of its systems to determine how compliant it actually is.

If his assessment is correct, it makes these merchants lucrative targets for hackers in search of people's financial information.

The fact that only 36 percent of the Level 1 merchants and 15 percent of the Level 2 merchants at Visa are "compliant" supports his contentions. And we have to remember that Visa isn't the only major issuer in the game, and that most merchants offer multiple ways to pay for their goods and services.

With all the recent large-scale attacks on payment systems, it's going to be harder and harder for businesses to absorb losses from data breaches. Recent stories of carder forums - where this information is bought and sold on the Internet - point to the fact that there seems to be an abundance of (already breached) information available.

How the losses are allocated is normally kept pretty quiet, but my guess is that if the banks can charge back a merchant, they are doing so. But if the truth were to be told, these losses are eventually being charged back to all of us in the form of higher prices.

There are also customers stating that their fraud claims have been denied, and they are stuck with the loss. This can be especially true with debit cards, if the loss isn't reported promptly.

Should everyone involved fail to solve this problem by themselves, my guess is that legislation will be the next step. After all, one of the most important assets in any business is the "trust and confidence" of its customers.

Here is a previous post I wrote on this subject:

Is it a Lack of Security at Retailers Causing the Debit/Credit Card Breaches?

2 comments:

Datasecurity said...

I highly urge everyone who is dealing with PCI compliance to educate themselves about it.

One can talk statistics all day long, but the reality is that we need to protect credit card (and all personal) information. We can do this by understanding the compliance requirements, their intent, and the surrounding facts.

Our blog tries to do that.