Protecting card data

by Tim Smith | ASM Jul-Aug 2010

With organised e-crime growing increasingly sophisticated, Bridge Point’s Tim Smith urges businesses to comply with the Payment Card Industry Data Security Standard.

The thriving business of buying and selling zero-day vulnerabilities has been well documented, as has the practice of paying developers to write malicious code. Although the sophistication of the tools used to compromise systems has increased dramatically, the perpetrators of these crimes are still after the same fundamental personal data: online banking details, personally identifiable information and credit card details.

Modern business depends a great deal on credit card transactions, providing convenience to consumers and more sales opportunities for merchants. With enormous amounts of business deals occurring in this way, it is no surprise that credit card fraud amounts to billions of dollars globally.

Data released in June by the Australian Payments Clearing Association (APCA) shows that although credit and charge card fraud (signature-permitted debit and credit card, and card-not-present transactions) dropped from 60.4 cents to 57.2 cents in every $1,000 transacted, the incidence of credit and charge card fraud has risen from 24 to 32 in every 100,000 transactions.

Debit card fraud (point of sale and ATM PIN-only card transactions) increased from 5.8 cents to 9.4 cents in every $1,000 transacted. The incidence of debit card fraud has risen from 1.6 to 2.5 in every 100,000 transactions.

Credit cards were hardest hit by card-not-present (CNP) fraud, relating to transactions such as internet, phone and mail purchases. CNP fraud has increased from $72.7 million to $88.6 million.

The biggest CNP threat comes from data security breaches or data theft. Better implementation of the Payment Card Industry Data Security Standard (PCI DSS) to tighten control around card information, as well as improved authentication, is a critical first step in helping to reduce this type of fraud.

The PCI DSS is a set of comprehensive requirements for enhancing payment account data security. It was developed by the founding payment brands of the PCI Security Standards Council, including MasterCard Worldwide, Visa Inc. International, American Express, Discover Financial Services and JCB International, to help facilitate the broad adoption of consistent data security measures on a global basis. It provides best practices for securing IT systems and establishing processes for the use, storage and transmission of credit card data in e-commerce.

The PCI DSS applies to all merchants and service providers where a “Primary Account Number (PAN) is stored, processed, or transmitted”. It is only applicable to cards which carry the brand of any of the five PCI members, typically credit cards but increasingly including debit cards as the card schemes expand their service offerings. By being PCI DSS-compliant, merchants are helping to protect the confidentiality, availability and integrity of customer data.

PCI DSS consists of six categories:

  1. Build and maintain a secure network
  2. Protect cardholder data
  3. Maintain a vulnerability management program
  4. Implement strong access control measures
  5. Regularly monitor and test networks
  6. Maintain an information security policy.

Safeguarding your customers’ credit card data is essential to mitigating the risk of unauthorised use or disclosure. A sound layered security model is paramount in achieving this goal. To comply with the standard, merchants and other service providers holding cardholder data need to do 12 things:

  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters (wireless supplement).
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.
  5. Use and regularly update antivirus software or programs.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to cardholder data on a business ‘need to know’ basis.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
  12. Maintain a policy that addresses information security for employees and contractors.

The standard continues to grow and move with changes in technology. There are now more than 900 individual checks, each with associated evidence, that have to be addressed as part of a Report on Compliance (RoC) program. With virtualisation becoming commonplace, the PCI Council moved quickly to form a working group to determine a stance on virtualisation and its impact on the security of the Cardholder Data Environment (CDE). We expect the first release of that guidance before the end of the year.

The standard, although not a panacea, is a vast improvement on most organisations’ security posture. It has done a great job of highlighting the gaps in that posture and bringing much more focus, and hence risk reduction, to their overall security exposure.

About the author: Tim Smith is a director of Bridge Point Communications and is responsible for its Information Security Consulting Practice Group. 

Article Added: 04/08/2010
