Experts condemn plans to ease IT security standards

Financial services practitioners say security standards like PCI DSS can be hard to heed, but that easing them would be a bad idea given the data fraud epidemic.

There's no doubt companies are going through misery trying to comply with such mandates as the Payment Card Industry's Data Security Standard (PCI DSS). But easing the rules would be a bad idea given the steady rise of identity fraud, financial services practitioners said during a panel discussion at RSA's eFraudNetwork Live event.

RSA, the security division of EMC, held the event at the Roosevelt Hotel so customers could gather to share their experiences and offer tips. The event is named after RSA's eFraudNetwork, a database of known fraud on the Internet. During a roundtable discussion on identity fraud, panelists were asked if industry standards and government regulations should be relaxed to help more companies comply.

During a recent conference focused on PCI DSS, First Data CISO Phil Mellinger, who developed the precursor to the current rules, called for an overhaul of PCI DSS to eliminate subjectivity and ease restrictions to help more merchants comply.

But the panelists at RSA's event said too much is at stake to relax some of the rules just because heeding them is hard. Whether it's PCI DSS or any number of government regulations, simply striving for compliance will lessen the likelihood of attackers pilfering credit card data from corporate networks, they said, citing such incidents as the data breach at TJX Companies. In that incident, at least 45.7 million credit and debit card holders were exposed to identity fraud.


Kevin Dougherty, senior vice president of information services at Orlando, Fla.-based CFE Federal Credit Union, and Baron Unbehagen, vice president of marketing and alliances at Postilion, a Norcross, Ga.-based vendor of integrated solutions for self-service banking and payment processing, agreed it's easy for companies to complain when they're forced down the path to compliance. But, Dougherty said, "It's our responsibility to meet the bar that's been set."

From a service provider standpoint, Unbehagen said, "Priority one is for the provider to do as much as possible to deliver solutions that are compliant out of the box with PCI DSS and other standards."

Dougherty has seen the impact of identity fraud up close. He said his credit union turned to RSA for help last year after it suffered a "vicious" phishing and denial-of-service attack. Cleaning up the aftermath has been a painful process, he said. For example, the organization has had to spend about $100,000 to re-issue compromised credit cards. It was the right thing to do, Dougherty said, but it was a big financial drain.

"It was a scary time," he said. "Until you're living and dealing with it, you don't know what it's like."

He said the experience has taught him that companies need to vigorously monitor transactions and have the necessary security tools in place to detect fraudulent activity. He warned that the problem will keep getting bigger. And if companies can't detect when large amounts of money are being sucked out of a customer's account, nobody will trust them enough to do business with them.

"Trust is everything," Dougherty said. "The customer trusts us to protect them."

Unbehagen acknowledged that while retailers need to do their part in protecting customer data, companies like his must bear responsibility as well.

"It's a shared responsibility," Unbehagen said. "On the one hand, the retailer must do their job. But the point-of-sale vendor and service providers must also work together to protect people."

Panelists agreed that working together means forging relationships with such law enforcement agencies as the FBI, and stepping up efforts to educate customers on the risks they face.

"When we were hit with the phishing attack, 19-year-olds, 55-year-olds and senior citizens were affected," Dougherty said. "We all need to do a better job educating the public on what the criminals are doing to target them." He noted that retired senior citizens are paying a heavy price from such attacks and that "we have to educate them so the rug isn't pulled out from under them."

He said his credit union is trying to help people by offering seminars on Internet fraud.

One thing that will make people more aware and build more trust is if more fraudsters are found and prosecuted, said Thomas Grasso Jr., supervisory special agent with the FBI's National Cyber-Forensics and Training Alliance.

"The more thieves we catch and prosecute, the better," he said. "We've found that the same people tend to be involved in these attacks and when they can steal money they'll keep coming back for more. Our experience is that businesses really want to help us find these guys."

Catching and prosecuting them, he said, is as important to security as patch management.
