Understanding, experience and technology for success
With the burgeoning popularity of online shopping and banking, credit card transactions are flourishing. Consequently, credit card fraud is on the rise. Sample this:
To combat this growing menace, the Payment Card Industry Data Security Standard (PCI DSS) was developed. The standard is mandated by leading credit card institutions like Visa and MasterCard. It requires businesses that engage in card payments to protect cardholder data and maintain the highest levels of information security. Non-compliance can result in high penalty fees and termination of transaction facilities.
The Ubiquity of Card Fraud
TJX Companies, Inc., is a leading off-price retailer of apparels and home fashions in the United States and worldwide. In 2006, the company's unsecured wireless network was attacked by criminal hackers. Over 45 million credit card numbers were stolen. Forrester estimates that the total financial impact may be over $1 billion.
Security breaches in large companies are serious and sensational. But just as important are the ones those occur among smaller retailers. According to a 2009 study sponsored by the National Retail Foundation, 85% of payment card breaches happen in small businesses, and 81% of companies hit by a breach were not PCI compliant.
The reality of card fraud extends to the online world as well. Consider retail giants like Amazon.com and eBay who deal with millions of customers and products each year. Not only do they service different marketplaces, they also allow thousands of other retailers to sell through their websites. Customer information is at the mercy of a complex network of technology and people spanning continents. In such an environment, the risk of security breaches is always high. Dave Cullinane, Chief Information Security Officer of eBay marketplaces says, “We see over 4 million security attacks annually, not run-of-the-mill but sophisticated attempts to break in.”
The telecommunications industry is just as much at risk. With the recent boom in mobile commerce, more customers are using their cell phones to book tickets, download ring tones, shop online and pay bills – all, through their credit cards.
In the May 2010 U.S. Mobile Consumer Briefing (conducted by the Mobile Marketing Association (MMA) along with Luth Research), it was found that approximately one in five U.S. adult mobile phone owners used their cell phone for mobile commerce in the previous month. Fifty-six percent of mobile content purchases were made through a carrier, and 43 percent used a bank or credit card account for payment.
Clearly, carriers have access to a ton of personally identifiable customer information. Without adequate security, their networks are a ready target for hackers. Not only is customer information then at risk, but so is the carrier's reputation.
The risks are evident. So why don't more businesses hop onto the PCI compliance bandwagon?
The problem is that auditing can be a complex and expensive procedure. There are an overwhelming 180 individual PCI requirements in 12 categories, all written in the language of sophisticated information technology. Meeting these requirements calls for tremendous resources in terms of technology, personnel, time and effort which can be a burden on company finances.
Another problem is that businesses don't comprehend the intricate mechanics of card transactions and consequently, the likelihood of security breaches. Typically, when a card is swiped, transaction details have to be transferred to the acquirer and re-routed to the appropriate issuer, customer accounts have to be verified, and approvals have to be granted. Then begins the batching, funding and settlement process which follows a similar trend. It's a long and winding pathway involving multiple personnel, computers, network access programs, data encryption systems, numeric identifiers and approval codes - all of which have to communicate with each other seamlessly. In such a vast environment, confidential customer information is always at the risk of being accessed by hackers armed with sophisticated technology.
Becoming PCI Compliant
To begin with, merchants must abide by two mandates - quarterly PCI scans on all external-facing IP addresses and a yearly report on compliance. The requirements vary depending on the number of annual credit card transactions conducted by each company. Merchants that conduct more than six million transactions annually fall in Level 1, and require on-site security audits every year, quarterly PCI scans and the submission of an in-depth compliance report.
Merchants falling in Levels 2, 3 and 4 are those who conduct annual card transactions of 1,000,000 to 6,000,000, 20,000 to 1,000,000 and 1 to 20,000 transactions respectively. These merchants are required to submit annual Self-Assessment Questionnaires (SAQ) and perform quarterly PCI Scans.
The scope of the PCI program extends to IT processing systems, network infrastructure, data files, backups, employees and third parties that store or transmit card holder data on the organization's behalf. Compliance requirements include:
As technology becomes more multi-layered, security issues are becoming more pressing. Unfortunately some merchants adopt a reactive approach, waiting for the problem to arise before they scramble to implement controls. The risks involved are tremendous.
A better approach would be one that is proactive. Merchants who adhere to PCI requirements from Day 1 are far less likely to encounter security breaches. No doubt compliance is complex. However, proactive merchants can turn towards a solutions provider who will help them meet the requirements of PCI compliance through a range of applications and software.
MetricStream's IT GRC software solution allows organizations to adopt the PCI DSS framework and streamline their key processes for managing IT policies, IT risks, IT compliance and IT audits while enabling multiple stakeholders to have visibility and control.