With high-profile data breaches affecting millions so far this year, Jeremy King, European director of the PCI Security Standards Council, looks at the impact on users and at what merchants can do to prevent breaches and protect card data.
Recent figures from the UK Cards Association showed that banking industry initiatives, including PCI, have been successful in decreasing the volume of card and bank account fraud. Of particular interest to us at the PCI Security Standards Council was the finding that payment card fraud losses in 2010 reached their lowest level since 2000, a significant improvement on their all-time high in 2008, just three years ago.
Overall, the figures suggest that total fraud losses on UK cards fell by 17 per cent over the preceding year alone. While significant progress has been made in reducing card fraud, more can be done. The unfortunate news is that we still saw £365.4 million in card fraud in 2010, or £1 million per day.
Why? Well, the threat landscape has shifted tremendously since the last time total card fraud was this low. The attackers are no longer juvenile delinquents defacing a website for fun; they are organised criminal gangs that use card fraud as a major source of income.
Last year we saw a drop in fraud losses, but where will this year end up? We are only halfway through it and already we are plagued by a series of massive, global data breaches. What these events prove is that merchants, processors and others involved in the payment chain must take direct action to build security soundly into their day-to-day business.
Let's take a look at compromised data in Europe. In a presentation at our 2010 European community meeting in Barcelona, Trustwave presented statistics outlining some of the challenges of securing card data, drawn from their investigations of breached entities in European countries.
More than half (55 per cent) of the data breaches they investigated originated through remote access applications, and another 27 per cent through SQL injection. These are incidents in which someone from the outside breaks into your systems and steals card data.
The good news is that the PCI Data Security Standard (PCI DSS) addresses ways to prevent these methods of entry. But to protect against these types of attack you need to be adhering to the DSS, and that is where many of these organisations failed, resulting in the breaches seen.
Even if a persistent hacker makes it into your system, you need not suffer a major breach. The DSS isn't just about preventing an intrusion; it also has many controls that, if proper monitoring is in place, should alert you to the exfiltration of data.
You may not prevent ten records from going out, but the likelihood of stopping it before it reaches 75 million is definitely increased through the adoption and use of PCI DSS.
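As an added example (not code from the article or from the PCI SSC), here is the monitoring idea above in miniature: a scan of constructed outbound log lines that flags Luhn-valid primary account numbers leaving in clear text, masks them so the alert itself does not leak card data, and raises an alarm once a count threshold is reached. The log format, threshold and masking rule are assumptions for the illustration.

```python
import re

# Constructed sample of outbound export requests as an application log
# might record them (not real data; the PANs are standard test numbers,
# plus one digit string that fails the Luhn check and is not a PAN).
SAMPLE_LOG = """\
2011-06-01T10:00:01 POST /api/export size=812 body=order=1001;name=A.Smith;ref=ABC123
2011-06-01T10:00:02 POST /api/export size=901 body=order=1002;pan=4111111111111111;exp=12/13
2011-06-01T10:00:02 POST /api/export size=905 body=order=1003;pan=5555555555554444;exp=11/14
2011-06-01T10:00:03 POST /api/export size=903 body=order=1004;pan=4012888888881881;exp=01/15
2011-06-01T10:00:04 POST /api/export size=870 body=order=1005;pan=1234567890123456;exp=01/15
"""

# Candidate PAN: a run of 13 to 19 digits not adjoining other digits.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; filters out most non-PAN digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the Luhn-valid PAN candidates found in text."""
    return [m for m in PAN_RE.findall(text) if luhn_ok(m)]


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits (assumed alert format)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_outbound(log_text: str, threshold: int) -> dict:
    """Count clear-text PANs in outbound log lines; alert at the threshold.

    Returns the PAN count, whether the alert fired, and the offending lines
    with every PAN masked.
    """
    hits, count = [], 0
    for line in log_text.splitlines():
        pans = find_pans(line)
        if not pans:
            continue
        count += len(pans)
        for pan in pans:
            line = line.replace(pan, mask_pan(pan))
        hits.append(line)
    return {"pan_count": count, "alert": count >= threshold, "lines": hits}
```

In a real deployment the threshold would be tuned per channel and the scan would run over a log feed rather than a string, but the point stands: the exfiltration of even a handful of records is visible if someone is looking.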
A number of UK organisations have exclaimed ‘but we have EMV’ when pressed about their card security efforts, and yes, it is true that counterfeit card levels have decreased by 41 per cent over the last year. This is because chip and PIN has made it much harder for criminals to use fake cards in cash machines and shops in the UK.
However, there are two points to make about the effectiveness of EMV alone in preventing card fraud: EMV by itself does not protect the confidentiality of, or prevent inappropriate access to, sensitive authentication data and cardholder data; and fraudsters are now targeting environments that do not yet use chip and PIN, such as the internet and other ‘card not present’ settings.
Most environments processing EMV transactions today are hybrid environments, handling both EMV and non-EMV transactions. In addition, in EMV environments the primary account number, expiry date and other cardholder data are transmitted in clear text, exposing them to fraudulent use in both face-to-face and card-not-present channels.
Unfortunately, malicious attacks are not preventable by the EMV standard, and it would not have stopped any of the major breaches we've seen in 2011. So while EMV is effective in some circumstances, please remember that it neither secures all payment transactions nor prevents all card fraud.
Remember, we cannot simply rely on a single technology to solve the problems of data breaches in today's threat landscape. The unfortunate truth is that while we are making significant strides in increasing payment card security, more needs to be done and it is likely to remain that way for some time.
We need to continually examine the people, processes and technology we have in place to prevent future card fraud and our hope is to provide you with the resources and guidance to help enable this ongoing self-examination.