Posts Tagged ‘identity theft’

When There’s Blood in the Water…

Wednesday, March 24th, 2010

You know they’re out there – predatory hackers working to breach your payment system and release a flood of card numbers to who-knows-where. The bottom line is that every time you process, transmit or store cardholder data, you are putting your company – and your job – at risk. These risks, if exploited by you-know-who, can have a disastrous effect on your business, your employees and your customers.

  • Taking credit cards as a payment method is not an option – it’s just a part of business. And there are huge liabilities that come with that – click here for an up-to-date rundown of data breaches from the Privacy Rights Clearing House.
  • In a typical credit card transaction, cardholder data is passed multiple times, heightening the risk of theft – click here for an animated representation of the traditional payment process.
  • Storing cardholder data is extremely risky – and very unnecessary, yet it happens more often than not. In fact, since 2003, the number of online credit card fraud cases has increased from 2.3 to 3.2 billion – a 30 percent spike.

EPX Protects Payment Data During the Transaction Lifecycle, But Consumers Must Safeguard their Credit Cards and Debit Cards at All Times

Tuesday, January 12th, 2010

Electronic Payment Exchange’s industry-leading tokenization and encryption technologies protect payment data throughout the transaction lifecycle. Independent of EPX, however, identity theft occurs constantly as a result of insecure consumer practices before any card data enters the transaction lifecycle. Therefore, it is important for credit and debit card users to practice high levels of safety when performing transactions.

Below is a list of important safety tips for credit and debit card users to follow:

  • If you have applied for a new/replacement card, and have not received it within 14 business days, immediately contact your financial institution.
  • Activate your new/replacement card once you receive it in the mail. Be sure to remove the sticker from the card once activated.
  • Sign the back of the credit/debit card as soon as you receive it.
  • Memorize your Personal Identification Number (PIN). Never write the PIN on the back of the debit card, or on a piece of paper kept in your wallet.
  • Never share your PIN with anyone. No one from a financial institution, police, or any merchants should ask for your PIN.
  • Never lend your credit/debit card to anyone. No one else should have access to it.
  • Protect your credit/debit card as if it were cash! Never let your card out of your sight.
  • Do not leave your credit/debit card in your vehicle.
  • Report lost or stolen credit/debit cards immediately! During business hours, contact your local bank branch. Once you have received your new card, notify all merchants with whom you have set up automatic billing payments of the new card number.
  • Be aware of others nearby when entering your PIN. Shield the screen or keyboard of the POS terminal or ATM machine to prevent those nearby from viewing your PIN entry or transaction amount.
  • Do not volunteer any personal information when using your credit/debit card.
  • Do not give your social security number, credit/debit card number, or any bank account information over the phone unless you have initiated the call, and you know that the business you are dealing with is reputable.
  • Before leaving the cashier, make sure you receive your credit/debit card back after every purchase.
  • Be careful with any receipts; do not leave them behind.
  • Always check your sales receipt for the correct purchase amount prior to signing. Keep copies of your sales and ATM receipts for future reference.
  • Verify the purchase amount on each receipt with the transaction amounts on the bank statements.
  • If you do not receive your monthly statement within a timely manner, contact your financial institution.
  • Contact your local financial institution for any changes made to your address or phone number. Keep your contact information current at all times so that your bank can contact you when necessary.
  • Shred all credit/debit card receipts or confidential information prior to placing it in the trash.
  • If you receive credit card applications in the mail, shred them before placing them in the trash. This prevents anyone from filling out the application in your name and receiving the card. If you choose to fill out an application, make sure the application is from a reputable financial institution.
  • Shred all expired credit/debit cards before placing them in the trash. Some paper shredders are capable of shredding the cards, or use a pair of scissors to cut the cards up into small pieces.
  • Keep track of every credit/debit card owned. Keep a confidential list of issuer telephone numbers in a secure location.
  • Avoid carrying extra credit/debit cards in your wallet or purse. Carry only the cards that you use frequently.
  • Never send payment information via email. Go directly to the web site and log into your account.
  • When making a purchase online, make sure you are using a secured browser. All reputable merchant web sites use an encryption technology that protects your personal data from being compromised by others while conducting online transactions.
  • Never provide your credit/debit card as proof of age. A credit/debit card does not contain information that verifies the card holder’s age. Some merchants may request the card number; show them your driver’s license instead.
  • Avoid using your PIN when using your debit card to make a purchase. It is best to just run the debit card like a credit card.
  • Be aware of emails that request personal data such as PINs, Social Security Number (SSN), personal passwords, mailing address, or phone numbers, as well as emails that send you to a web site that requests such information. The best thing to do is to delete the email.
  • Be aware of solicitors posing as representatives of a credit card company or financial institution, calling to tell you that there has been some fraudulent activity on your account and requesting your account number, PIN, social security number or the three-digit code located on the back of your card. If a financial institution contacts you due to suspicious activity, it would never ask for personal information to verify your transaction. The best thing to do is hang up and contact your bank to verify the status of your account.
  • When using an ATM machine, observe the surrounding area. If the machine is obstructed from view, or poorly lit, locate another ATM machine to perform your transaction. Report the condition to the financial institution responsible for that ATM machine.
  • Prior to using an ATM machine, be sure to inspect the card reader area for evidence of tampering. If there is evidence of tampering, contact the owner of the ATM to report the problem.
  • When using a drive-through ATM machine, make sure that all passenger windows are closed, and the doors are locked. This will prevent anyone from accessing your card while performing a transaction.
  • If using an indoor ATM machine that requires you to use a card to gain access, do not allow any unknown individuals in with you.

If credit and debit card users would perform at least half of these suggested security tips, the number of identity thefts and fraudulent transactions happening each day would be reduced.

For additional information about identity theft, click here.

In Search Of A Quick Fix For Cardholder Data Security, Merchants Need Not Look So Far

Friday, December 18th, 2009

By: Charles Crawford

In a by-lined piece published in cio.com, well-respected security expert and author Ben Rothke wrote “…people don’t want to invest in long-term security plans. They want their security band-aid now, despite the fact they have never built security into their designs or processes.”  He went on to praise the PCI Security Council’s vision: “The genius of the PCI DSS (and when PCI is compared to regulations such as SoX and GLBA, genius is indeed an appropriate term) is that it has sensible concepts such as an open formal feedback process, trend analysis, impact evaluation, guidance and much more built into the very fabric of the standard.”

I find myself usually agreeing with Rothke’s well-reasoned perspectives.  Indeed, it is especially easy to agree that businesses should have a culture that promotes holistic security, must not consider compliance an end unto itself, and that the processes of security must evolve ahead of the threats.

Where I take issue with Rothke’s article, “PCI Debate Ignores Planned Improvement Cycle,” is in the apparent limitation of his perspective to traditional security remediation solutions.  If the path to sufficient cardholder data security certainty can be achieved only through ratcheted, ever-more-effective and pervasive layers of encryption, firewalling, intrusion prevention and other hardening, then I suppose Rothke’s point is well taken, albeit worrisome. What follows logically is that merchants should “man up” and embrace a future of never-ending “improvement cycles” that require lots of money, effort, time and discipline (notably external discipline) in their quixotic journey toward “breach-proof” data.

What is taken too lightly is the role innovation already is playing. Less costly and pragmatic ways of avoiding data compromise are fast gaining acceptance as viable alternatives among recession-weary merchants.

The PCI Council got it right when they set as milestone #1 of their Prioritized Approach to Pursue Standard Compliance: “Remove sensitive authentication data and limit data retention.” EPX, for one, provides merchants a pre-emptive solution with exactly that purpose: total elimination of cardholder data from merchant systems so that it can’t be lost or stolen.

Conventional thinking is for merchants to use a matrix of remedial techniques, gambling that the data they hold will be so perfectly sequestered and disguised that it might not get compromised – at least, if everything works as planned and criminals don’t get any more clever.

EPX, on the other hand, concluded that the surest way to avoid data loss is for the merchant never to have the data in the first place. Instead of keeping card data, EPX merchants operate normally using GUID transaction reference codes called BRICs.  BRICs are used as card numbers would otherwise be, for transaction receipts, customer service returns, refunds, chargeback responses, follow-on purchases and all other operational and financial purposes.   BRICs are not encryptions and are not derived from credit card numbers, and therefore have no street value if lost or stolen from the merchant.
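As an added illustration of the model described above (this is not EPX code; the vault, the token format and the merchant record layout are assumptions made for the example), a processor-side vault that issues random GUID tokens, a merchant side that stores only those tokens, and a defensive check a merchant can run to confirm that no PAN-like value has crept into its own records:

```python
import re
import uuid
from dataclasses import dataclass, field


def luhn_valid(digits: str) -> bool:
    """Luhn check, used here only to recognise PAN-like values in merchant storage."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class ProcessorVault:
    """Hypothetical processor-side vault: keeps the PAN, hands the merchant a random token."""
    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        token = str(uuid.uuid4())       # random GUID; nothing is derived from the PAN
        self._pan_by_token[token] = pan  # the PAN never leaves the processor side
        return token

    def refund(self, token: str, amount: float) -> bool:
        # The processor resolves the token itself; the merchant only supplies the reference.
        return token in self._pan_by_token and amount > 0


@dataclass
class MerchantRecords:
    """What the merchant retains: a token reference and an amount per order."""
    orders: list = field(default_factory=list)

    def record_sale(self, token: str, amount: float) -> None:
        self.orders.append({"ref": token, "amount": amount})

    def pan_like_values(self) -> list:
        """Defensive scan: any 13-19 digit Luhn-valid run in stored fields is a red flag."""
        hits = []
        for order in self.orders:
            for value in order.values():
                for run in re.findall(r"\d{13,19}", str(value)):
                    if luhn_valid(run):
                        hits.append(run)
        return hits
```

Because a GUID token is random, tokenizing the same constructed test PAN twice yields two unrelated tokens, and scanning merchant records that hold only tokens finds no PAN-like values, whereas a record that mistakenly stores the PAN itself is flagged.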

For EPX, tokenization comes as no band-wagon initiative like we now are seeing from Paymentech, First Data and others. In fact, EPX started routinely processing with “replacement value codes” in 2001 …three years before the first PCI Standards were published.  Our processes evolved over the years into the comprehensive, patent-pending suite of cardholder data security technologies we now call BuyerWall™.

As the Council and many others have said, there is no “silver bullet,” no single solution – not even tokenization.  We make no claim that EPX BRICs are such.  Yet, properly constructed and managed tokenization also is no “band-aid” of the kind Rothke so wisely mocks. When the card numbers are gone, they’re gone. There’s not much left for the merchant to safeguard. And, once implemented, EPX requires no extraordinary “improvement cycles” or investments to maintain the security of the data.  In fact, security of the data becomes a responsibility for which EPX is well prepared, since, as a processor, we have always had to take special care with data and are subject to the PCI SSC’s most rigorous compliance requirements (Level 1).

Is it so that “people want their…security now”? No doubt about it. But, I say, “why not?” Merchants deserve pragmatic solutions that can achieve an even higher standard of security without costly and cumbersome techniques that may or may not ultimately prove effective enough.

Rothke says there is genius in the PCI’s process of ever-evolving standards.  I think the real genius of the Council is its professed technologic agnosticism which, generally, is supposed to allow merchants to achieve card data security with whatever technology and processes work best for them.  In that spirit, merchants have more to choose from than Rothke seemed to acknowledge.

—————————–

Charles Crawford is EVP of Strategic Development for EPX


[1] http://www.cio.com/article/495093/PCI_Debate_Ignores_Planned_Improvement_Cycle?taxonomyId=3000; June 2009

Welcome Data Breach Legislation in the Works

Tuesday, November 10th, 2009

In an upcoming article for a major trade magazine related to payment security, EPX COO and Chief Security Officer Matt Ornce makes some predictions about increased legislation for the payment card industry in 2010.

Ornce asks if 2010 is the year for state level breach notification laws to be aggregated into federal law. He says that there could be some welcome legislation for those organizations that unfortunately need to struggle with the 46 different state laws. Such legislation could also help streamline the time-sensitive notification process for breached entities. Beyond the financial fraud perpetrated for personal gain, the use of breached cardholder data as a funding source for terrorist activities has been clearly established by the Criminal Division of the Department of Justice, the FBI, the U.S. Secret Service and others, providing a clear impetus for federal regulation of cardholder data security.

It seems that Ornce’s prognostications are coming true.

Recently, the U.S. Senate Judiciary Committee approved two bills (the Personal Data Privacy and Security Act and the Data Breach Notification Act) that require organizations that suffer data breaches to report them to potential victims.

The Data Breach Notification Act would require U.S. agencies and businesses involved in interstate commerce to report data breaches to victims whose personal information “has been, or is reasonably believed to have been, accessed, or acquired.” The bill also requires businesses to report large data breaches to the U.S. Secret Service.

The Personal Data Privacy and Security Act would also require that breached organizations give notice to potential victims and authorities. The Act would increase penalties for data theft and provide people the ability to access and correct personal data held by commercial data brokers.

While the legislation doesn’t eliminate the state laws, it is the first solid step in the direction of replacing those laws with a federal standard.