cl-nz logo
Story image

Secure me: credit card fraud

01 Oct 2011

Credit card fraud is one of the most profitable security exploits and well on the rise globally. Reports have placed the total losses from card fraud in the trillions of dollars per year, exceeding even the drug trade in profitability and scope by some estimates. Here in New Zealand, most business owners and consumers feel relatively safe from the threat of fraud. But the fact is that we’re not immune. The vast majority of card fraud incidents in New Zealand go unreported. With no disclosure laws, companies who lose card data or experience a security breach are not compelled to notify the public. We’re left with a ‘hear no evil, see no evil, speak no evil’ understanding of local card fraud. But the fact is it does happen – and often. In late 2009 a significant card fraud incident at a downtown Auckland carpark saw thousands of Kiwis, credit cards cancelled after it was found that the garage payment terminals had been compromised and cardholder data was being harvested. The Opportunity Most business owners are interested in reducing risk. But there’s a fine line between offering customers a solution which can protect their operation, versus scaring them into a purchase under the threat of crime. Holistic security should be part of every business, so they’re not reliant on any one system for protection. While physical security systems are a start, and firewalls are a better step yet, a total network security solution is one that will actually protect businesses from the threats they face and reduce their overall risk profile. Network management is one service which can simultaneously protect businesses and deliver revenue for resellers. By taking the day-to-day operation and management of a network out of the hands of a customer, resellers can offer a layered plan that is resilient enough to protect a business and still delivers value for a monthly service fee. This approach can substantially reduce an organisation’s risk exposure in the form of penalties and fees in the event of a data loss or breach. Network management offers a ‘sticky’ solution for customers and opens the door to recurring revenue streams for resellers. Once a business is protected, chances are good they’ll never be without security protection again and incur the same risk as before. The opportunity and challenge for resellers is to be the first to institute a solution that secures their customers. Businesses which accept credit cards must have network security that is continuously kept up to date as part of the mandated Payment Card Industry Data Security Standards (PCI DSS) Card Standards In 2006, the five major credit card companies – Visa, MasterCard, American Express, Discover and JCB – developed a set of common guidelines to help reduce the risk of credit card fraud. They created the PCI DSS, which set a minimum standard of security practices which must be met by any company which processes, stores or transmits credit card data. While these rules can be very effective in reducing the threat of fraud, they’re notoriously difficult for most small businesses to meet on their own. The PCI DSS consist of 12 categories of security protocols, totaling 212 individual criteria that must be met by businesses each year. Many of these criteria are also quite technical and specific, well beyond the knowledge and expertise of most small business owners. Yet PCI DSS mandates that the criteria must be audited annually, supplemented by regular network testing, patching and updating to keep everything up to snuff. For example, passwords must be changed at least every 90 days, and all system changes must be carefully recorded and logged. It all adds up to a lot of time, trouble and effort. That’s why many businesses simply ignore the obligations of PCI DSS, continuing their path of non-compliance. Others use the expertise of consultants to achieve PCI DSS compliance, but often at great cost. The penalties of non-compliance are significant. If card fraud occurs at a business, unless the owner can prove that they were PCI DSS-compliant, merchants can be held liable for the cost of the fraud, an investigation to determine how the fraud occurred, remedial costs to become compliant and an additional punitive fine for non-compliance. That’s to say nothing of the cost of reputational damage and loss of customer confidence, two effects that can linger for years afterward. That is why compliance as a managed service presents enormous opportunity for resellers. Using new tools and technologies, resellers can help businesses achieve and maintain compliance for a reasonable, recurring monthly fee that’s well below the cost of hiring an independent consultant. Networking for Payments While payment networks and standard computer networks operate on the same basic principles, there are distinct differences that warrant special attention and scrutiny. For starters, let’s look at the two primary access methods. Until recently, most merchant payment systems connected to banks using a dial-up connection, just the same as you used at home 10 years ago to get online. There’s a delay to dial an access number, time to establish a connection, and then the data exchange actually occurs. That’s starting to change with payment networks finally making the change to broadband connections as well. Earlier this year merchants had to upgrade their Eftpos terminals to accept the new EMV cards. These cards, commonly known as chip-and-PIN, are much more secure than traditional swipe-style ones. Each contains a tiny microchip with encrypted information, which is decoded and used to authorise the transaction when inserted or ‘dipped’ into the terminal. But the extra security and smarts in EMV cards require more data to travel across the payment network and to the authorising bank. There’s enough data that it can substantially slow down transactions over dial-up connections, to as long as 40 seconds per authorisation. Broadband connections operate at far higher speed because they can carry much more data, reducing that lag time to only a second or two. Moreover, each dial-up terminal requires a separate phone line, incurring a monthly charge for each connection. Broadband can consolidate the terminals into one connection, reducing costs for customers. So for merchants and resellers, there’s serious incentive to swap to a faster, always-on broadband connection. But as most savvy Internet users know, the instant you connect to the Internet, you’re also open to the threats it contains. Viruses, hackers and other nasties can now access your machines if they’re not protected. If it’s a payment network with credit card data flowing though it, the stakes are much higher. Connections need to be secured using a layered approach so there’s no single line of defence. It starts with robust firewalls to keep out unwanted traffic, but payment security needs to go several steps further to meet the PCI DSS standards we‘ve talked about. Opportunities ahead Security can be a difficult solution to sell, and requires commitment on behalf of channel partners to stay updated regarding current regulations and compliance requirements such as PCI DSS. But for those who accept the challenge, the opportunity is great: there are several thousand merchants in New Zealand who are yet to meet the requirements of PCI DSS, waiting for a partner like you to help them achieve total network security.