Identity Theft on the increase

We recently attended a seminar in London that included a sobering presentation by Mike Haley, the Deputy Chief Executive of CIFAS – the Credit Industry Fraud Avoidance System. CIFAS reported that the number of victims of identity theft rose by 57% last year – from 94,500 in 2014 to 148,000 in 2015. A report out earlier this year estimated the annual cost of fraud in the UK at £193bn – equal to nearly £3,000 per head of population. The introduction of ‘Chip & Pin’ in the UK in 2003 has driven ‘Card Present’ fraud down dramatically, but has forced fraudsters towards ever more subtle methods of fraud. CIFAS suggests that fraudsters harvest details from social media accounts to gather enough information to create a fraudulent duplicate identity of a real person, and then commit fraud using that identity; only a small percentage of frauds use wholly fictitious identities. CIFAS recommend that people check their social media privacy settings, and think twice before publicly posting information online that could be useful to a fraudster – names of schools, pets, and so on. There’s a link to an article on the BBC website...

God loves a tryer

My old mother had a phrase that she would use if I ever did anything particularly stupid, which was perhaps more frequently than I remember. The phrase was ‘God loves a tryer’, and while it was evident from my lack of success in many foolhardy ventures that God might indeed ‘love a tryer’, he didn’t necessarily encourage them. The phrase came to mind when I saw this picture posted on social media: at least one ill-advised person on my feed had fallen for it and posted the keys to their wallet on Facebook for all to read and – in theory – exploit. Much like my recent post showing somebody allegedly harvesting card data from contactless cards (here), I doubt that many people fell for this gambit, but it highlights Compliance3’s message of ‘devaluing data’ – the information that this meme was attempting to harvest was undeniably valuable data – ‘Sensitive Authentication Data’ in the words of the PCI Security Standards Council. There’s a world of bad people ‘out there’ and they’re trying to get card details by any means they can. We work with companies to ‘take risk off the table’. If card data doesn’t enter a business’s environment then they can’t be storing it – whether deliberately or innocently – and if they’re not storing it then it can’t be...

Co-ordinated thefts from ATMs in Japan

We’ve written in the past about data breaches, where customers’ card details are stolen, and while the press tend to dwell on the ongoing risks to customers as a result of their data being compromised, it’s rare for the subsequent exploitation of data breaches to make the news. This week, however, saw the news of an audacious and sophisticated attack using stolen account data to create 1,600 fake payment cards and then steal nearly $13 million from South Africa’s Standard Bank. The thieves exploited the high maximum withdrawal amounts allowed in Japan, where the maximum amount that can be withdrawn from an ATM is ¥100,000 (or about £630), and withdrew that maximum amount 14,000 times from 1,400 machines. The targeted machines were installed in 7-11 stores across Japan; unusually for Japan, these particular machines accept international cards. The thefts took place over a three-hour period, early on the morning of Sunday May 15th, which would be late Saturday night in South Africa. While customers have not suffered any losses, Standard Bank estimate their total losses to be close to $19 million. Standard Bank described the heist as “a sophisticated, co-ordinated fraud incident” involving what it said was a “small number” of fake cards from account data belonging to...

State of the Nation

The UK Government yesterday published some worrying new statistics about the state of cybercrime affecting British business. The headline – which the BBC reported on the breakfast news – was that “Two thirds of large UK businesses hit by cyber breach or attack in past year.” The Cyber Security Breaches Survey also reported that a quarter of large firms experienced data breaches – often involving viruses, spyware or malware – on a monthly basis, but that only half of all firms have taken any of the recommended actions to identify and address vulnerabilities. Scarier still, only a third of all firms had formal written cyber security policies and only a tenth had an incident management plan in place. As these are prerequisites for PCI DSS, one hopes that the companies who do have their act together are those that process card data for their customers. The survey found that almost half of the top FTSE 350 businesses regarded cyber attacks as the biggest threat to their business, up from just 29 per cent in 2014. The Government will be publishing a new national cyber security strategy later in the year, but with cyber attacks and data breaches becoming more prevalent, why wait? We work with companies to help them reduce the risk of expensive and embarrassing data breaches. If the bad guys do manage to hack your organisation and you’re not storing card data, then you’ve protected both your customers from potential fraud and your business’s reputation. We also help companies put together standards, policies and procedures to help protect data, and to develop incident and data breach response plan....

PCI DSS Version 3.2 released

The Payment Card Industry Data Security Standard – PCI DSS – is fundamental to much of the work we undertake with clients. First published in December 2004 in the wake of the Enron scandal, PCI DSS consolidated the security standards being enforced by Visa, MasterCard, American Express, JCB and Discover. It is applicable to all businesses that store, process or transmit payment card data, and compliance is enforced by the card schemes, through Payment Service Providers. Failure to comply can result in the card schemes levying unfavourable or punitive transaction rates on non-compliant merchants, or ultimately the card schemes could withdraw payment capabilities. Version 3.2, published today, places increased emphasis on rules for data access, criteria for ongoing compliance programmes, and a renewed emphasis on the need to migrate to more secure web protocols. The old standard – Version 3.1 – will be retired in December 2016 and after that date all PCI DSS assessments will be made against the new standard. The major changes that the new standard brings in are:

Data Access

The new data access rules will mean that enhanced, multi-factor authentication will be required for all employees who can amend systems that contain card data – User ID and Password will no longer cut it. There’s a direction here: how long before all access to the Cardholder Data Environment will require such credentials?

Ongoing Compliance Programmes

The new standard incorporates “Designated Entities Supplemental Validation” (DESV), which Troy Leach of the PCI Security Standards Council describes as “a set of criteria that can help service providers and others address key challenges in maintaining ongoing security efforts to protect payments....

GDPR and the Brexit Campaign

The EU’s General Data Protection Regulations (GDPR) are some of the most important regulations in terms of data security. Christopher Graham, the UK Information Commissioner, stated the following at the ICO’s annual Data Protection Practitioners’ Conference in March 2016: “The EU data protection reforms promise to be the biggest shake up for consumers’ data protection rights for three decades.” The regulations are expected to harmonise data protection legislation across Europe, as well as increasing the consequences of failing to comply. The GDPR will raise the level of fines for companies who have data breaches to €20m or up to 4% of annual global turnover. These regulations are still a way off, however: they have been released now with a two-year transition period, which means they do not become legally binding until summer 2018 at the latest. This is to allow companies to adjust and prepare before these fines could hit businesses that fail to comply. “Now, now,” you might be saying, “what if we leave Europe? What will they have over British companies then?” Unfortunately we won’t be escaping that easily. Any company that engages with European customers will be forced to comply with European legislation. So the choice is to exclude one of the most accessible markets open to us today, or to abide by these regulations. Luckily for businesses that handle card data there are some simple solutions to compliantly handling payment card and personal data. If you are worried about how these regulations will affect your company then feel free to get in touch with us at Compliance3. We are here to guide you through every step of the...