There's no doubt companies are going through misery trying to
comply with such mandates as the Payment Card Industry's Data
Security Standard (PCI DSS). But easing the rules would be a bad
idea given the steady rise of identity fraud, financial services
practitioners said during a panel discussion at RSA's eFraudNetwork
Live event.
RSA, the security division of EMC, held the event at the
Roosevelt Hotel so customers could gather to share their
experiences and offer tips. The event is named after
RSA's eFraudNetwork, a database of known fraud
on the Internet. During a roundtable discussion on identity fraud,
panelists were asked if industry standards and government
regulations should be relaxed to help more companies comply.
During a recent conference focused on PCI DSS, First Data CISO
Phil Mellinger, who developed the precursor to the current rules,
called for an overhaul of PCI DSS to eliminate subjectivity and
ease restrictions to help more merchants comply.
But the panelists at RSA's event said too much is at stake to
relax some of the rules just because heeding them is hard. Whether
it's PCI DSS or any number of government regulations, simply
striving for compliance will lessen the likelihood of attackers
pilfering credit card data from corporate networks, they said,
citing such incidents as the
data breach at TJX Companies. In that incident, at least 45.7
million credit and debit card holders were exposed to identity
fraud.
Kevin Dougherty, senior vice president of information services
at Orlando, Fla.-based CFE Federal Credit Union, and Baron
Unbehagen, vice president of marketing and alliances at Postilion,
a Norcross, Ga.-based vendor of integrated solutions for
self-service banking and payment processing, agreed it's easy for
companies to complain when they're forced down the path to
compliance. But, Dougherty said, "It's our responsibility to meet
the bar that's been set."
From a service provider standpoint, Unbehagen said, "Priority
one is for the provider to do as much as possible to deliver
solutions that are compliant out of the box with PCI DSS and other
standards."
Dougherty has seen the impact of identity fraud up close. He
said his credit union turned to RSA for help last year after it
suffered a "vicious" phishing and denial-of-service attack.
Cleaning up the aftermath has been a painful process, he said. For
example, the organization has had to spend about $100,000 to
re-issue compromised credit cards. It was the right thing to do,
Dougherty said, but it was a big financial drain.
"It was a scary time," he said. "Until you're living and dealing
with it, you don't know what it's like."
He said the experience has taught him that companies need to
vigorously monitor transactions and have the necessary security
tools in place to detect fraudulent activity. He warned that the
problem will keep getting bigger. And if companies can't detect
when large amounts of money are being sucked out of a customer's
account, nobody will trust them enough to do business with
them.
"Trust is everything," Dougherty said. "The customer trusts us
to protect them."
Unbehagen acknowledged that while retailers need to do their
part in protecting customer data, companies like his must bear
responsibility as well.
"It's a shared responsibility," Unbehagen said. "On the one
hand, the retailer must do their job. But the point-of-sale vendor
and service providers must also work together to protect
people."
Panelists agreed that working together means forging
relationships with such law enforcement agencies as the FBI, and
stepping up efforts to educate customers on the risks they
face.
"When we were hit with the phishing attack, 19-year-olds,
55-year-olds and senior citizens were affected," Dougherty said.
"We all need to do a better job educating the public on what the
criminals are doing to target them." He noted that retired senior
citizens are paying a heavy price from such attacks and that "we
have to educate them so the rug isn't pulled out from under
them."
He said his credit union is trying to help people by offering
seminars on Internet fraud.
One thing that will make people more aware and build more trust
is if more fraudsters are found and prosecuted, said Thomas Grasso
Jr., supervisory special agent with the FBI's National
Cyber-Forensics and Training Alliance.
"The more thieves we catch and prosecute, the better," he said.
"We've found that the same people tend to be involved in these
attacks and when they can steal money they'll keep coming back for
more. Our experience is that businesses really want to help us find
these guys."
Catching and prosecuting them, he said, is as important to
security as patch management.