Credit Card Processors Fail To Ensure Security For Consumers

Banks and other financial firms that deal with consumer credit card information are lacking proper security measures despite meeting industry standards, according to an investigative report from the Associated Press on Monday.

When it comes to credit card security details, it is up to the banks and other financial firms to ensure that proper precautions are being taken. However, an AP investigation of security breaches dating to 2005 found that rules are “cursory at best and all but meaningless at worst.”

From the moment a consumer’s credit card is swiped, hackers have a handful of opportunities to gain access to critical data.

Since 2006, more than 70 retail firms and credit card processors have reported data breaches leaving millions of credit card owners vulnerable to fraud, according to a “Chronology of Data Breaches” from the Privacy Rights Clearinghouse, a nonprofit consumer advocate group.

Additionally, other firms are likely to have been impacted by security breaches without knowing it, said the AP.

Privacy Rights Clearinghouse noted that its report is not a complete listing of breaches, and that the number is likely to be much higher.

“The list is a useful indication of the types of breaches that occur, the categories of entities that experience breaches, and the size of such breaches. But the list is not a comprehensive listing,” said the group.

“Many breaches (particularly smaller ones) may not be reported. If a breached entity has failed to notify its customers or a government agency of a breach, then it is unlikely that the breach will be reported anywhere.”

The group gained most of its data from the Open Security Foundation list-serve.

What’s more, processors that comply with official Payment Card Industry (PCI) security standards are still susceptible to hacking activity resulting in credit fraud.

Firms that do not measure up to PCI standards face monthly fines in the event of a data breach, $5,000 for smaller companies or $25,000 for larger firms, but remain free to process credit and debit payments.

“Credit card providers don’t appear to be in a rush to tighten the rules,” according to AP investigators. “They see fraud as a cost of doing business and say stricter security would throw sand into the gears of the payment system, which is built on speed, convenience and low cost.”

The AP also reported on a massive data breach at the supermarket chain Hannaford. Hackers installed software on Hannaford’s servers that stole critical consumer data while it was en route to the banks after purchases were made.

Two major breaches have taken place since then, both of which involved companies that met PCI standards: Heartland Payment Systems and RBS WorldPay Inc.

WorldPay lost more than 1 million Social Security numbers to hackers.

Avivah Litan, a Gartner Inc. analyst, told the AP that retailers and payment processors have invested more than $2 billion in order to meet PCI standards. The industry claims that about 93 percent of large firms and 88 percent of mid-sized firms in the US are compliant with PCI security standards.

But PCI standards only give a false sense of security, said computer security analysts. Those who meet PCI standards are only required to undergo hacker simulations once a year.

“It’s like going to a doctor and getting your blood pressure read, and if your blood pressure’s good you get a clean bill of health,” Tom Kellermann, a former senior member of the World Bank’s Treasury security team and now vice president of security awareness for Core Security Technologies, told the AP.

“PCI compliance can cost just a couple hundred bucks,” said Jeremiah Grossman, founder of WhiteHat Security Inc., a Web security firm. “If that’s the case, all the incentives are in the wrong direction. The merchants are inclined to go with the cheapest certification they need.”

Additionally, the report noted that two years ago, Visa began narrowing its inspection reviews to cover only the payment processors that are directly connected to its computer network.

That leaves fewer than 100 of the 700 Visa-related payment processors subject to review for PCI compliance.

Eduardo Perez, who heads Visa’s global data security, told the AP that the company decided to weaken its oversight efforts because PCI standards were becoming more effective.

“I think we’ve made a lot of progress,” he said. “While there have been a few large compromises, there are many more compromises we feel we’ve helped prevent by driving these minimum requirements.”

PCI is in the process of tightening control by requiring yearly audits of the companies that certify processors as meeting PCI standards. Smaller firms will be examined once every three years, said Russo.

However, the AP noted: “Only three full-time staffers are assigned to the task, and they can’t visit retailers themselves. They are left to review the paperwork from the examinations.”
