PCI-DSS & online fraud

PCI-DSS & online fraud

PCI-DSS & online fraud

Introduction

What is clear is that card fraud continues to pose a significant threat to the credit card companies and the merchants who accept those cards. According to the UK payments association, APACS, credit and debit card fraud losses increased by 26 per cent in the UK in the first half of 2007 compared with the same period in 2006 and almost half a billion pounds is being lost every year in credit card fraud. Although there have been several reports pointing to a decrease in overall card fraud figures in 2007, instances of online fraud are rocketing. In 2006, Internet fraud reached £154.4m, accounting for 73% of card-not-present fraud. As a result of the introduction of Chip & PIN technology two years ago, many fraudsters are becoming more sophisticated and are moving to other areas such as the online environment.

According to a recent MasterCard report, cyber crime is growing in diversity as well as sophistication and integrated Point of Sale (POS) systems are increasingly being targeted. In most cases, magnetic stripe data is stolen from log files as opposed to traditional databases. The fact that this sensitive data is often unknowingly stored adds to the challenge of protecting stored cardholder data. Protecting stored cardholder data has become not just an issue found in the online environment as hackers are also targeting centralised servers with Internet connectivity. SQL-injection is another common attack method as criminals can directly extract information from a database including log-in credentials or payment card information. In late January 2008, the Recording Industry Association of America (RIAA) was exposed to a series of SQL-injection attacks that managed to wipe the entire database. Although no credit or debit card details were stolen, the incident once more highlights the potential vulnerabilities of data stored on a website that some merchants might not be aware of (searchsecurity.techtarget.com).

With some high-profile cases in the past 12 months highlighting the challenges of combating card fraud, banks and merchants will have to consider ways of how cardholder data can be better protected and securely stored, as card fraud has now become a global multi-billion pound industry. The call for enhanced security methods to protect card details, wherever they are held, is growing louder and louder.

Reasons for data theft

In many instances, data theft is down to weak network security, a lack of real-time security monitoring or security scanning as well as ineffective patch management. TJ Maxx is only one example of weak network security resulting in tens of millions of credit and debit card owners being exposed to fraud as hackers stole data which was being transmitted wirelessly.

Card fraud is an international business where no individual country is protected and with fraudsters becoming increasingly sophisticated, their attacks easily migrate to the least secure area. In order to counteract this trend, numerous protection systems have already been put in place by banks and other credit card schemes to monitor and prevent ...