Most of today’s payment card fraud stems from lost or stolen backup tapes or laptop computers that contain sensitive payment card information, and from skimming, according to Bryan Sartin, Managing Principal, Security Consultant for investigative response for CyberTrust, Herndon, Va.
In an interview with Transaction World Magazine, Sartin said that such breaches are far more common today than an insider or an outside attacker hacking into a database. That is not to say hackers are no longer a threat; according to Sartin, they simply tend to go after the "softer" targets.
Therefore, Sartin says, it’s important for merchants to know where customer payment card data is stored and who has access to it.
“Companies need to have a data retention plan and a data control policy in place,” Sartin said. These plans must also be enforced.
It is also important that merchants achieve Payment Card Industry (PCI) Data Security Standard compliance. Although the deadline for merchants to become compliant, and so avoid fines in the event of a data breach, passed nearly 18 months ago, many still have not reached that level.
“There’s no record of any merchant being compromised who’s PCI compliant,” Sartin says.
Sartin also recommended that merchants deploy scanning and monitoring systems that look for evidence of data breaches, and then actually read the reports those systems produce. Several of the recent compromises occurred at companies that had such systems in place; in 16 of the 17 incidents, the reports were never read, according to Sartin.
"A lot of merchants don't have a deep IT staff to help with this," Sartin admitted. He therefore recommends that merchants work with security partners to ensure that the proper fraud-fighting precautions are in place and that their equipment is properly certified.
In September, American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International formed an independent council to manage the ongoing evolution of the PCI standard.
The PCI Security Standards Council will serve as an advisory group and manage the underlying PCI security standards, and each payment card brand will remain responsible for its own compliance programs.
“The payment brands that founded the council are committed to ensuring the ongoing development of data security standards that are both efficient and effective,” said Seana Pitt, Chairperson, PCI Security Standards Council.
By establishing an independent council to manage the PCI Data Security Standard for the payments industry, the founding members intend to make the system more accessible and efficient for all stakeholders, including merchants, processors, POS vendors and financial institutions.
The council will develop and maintain a global, industry-wide technical data security standard for the protection of accountholder account information; provide a list of globally available, qualified security solution providers via its website to help the industry achieve compliance; lead training, education, and a streamlined process for certifying Qualified Security Assessors and Approved Scanning Vendors, providing a single source of approval recognized by all five founding members; and provide a transparent forum in which all stakeholders can provide input into the ongoing development, enhancement and dissemination of data security standards.
Participating organizations will be able to recommend changes, provide input on future initiatives, have access to, and the ability to comment on, drafts of potential changes to security standards in advance, as well as influence the organization’s overall direction.
In addition, participating organizations will be able to elect members to the PCI Security Standards Council’s Board of Advisors.
As its first action, the PCI Security Standards Council recently announced PCI Data Security Standard version 1.1. The new standard addresses evolving security threats and recommends that merchants and vendors take action to fortify application and network level security.
The requirements apply wherever a primary account number (PAN) is stored, processed or transmitted.
Version 1.1 requires that network components, services and applications that hold cardholder data be protected by a firewall, and that systems not use vendor-supplied defaults for system passwords and other security parameters (defaults are well known and easily compromised). The standard also spells out in detail which cardholder data may be stored, how it must be stored and how it must be protected; sensitive authentication data such as card verification codes must not be retained after authorization. Any transmission of cardholder data across open, public networks must be encrypted.
Version 1.1 also requires that anti-virus software be used and kept up to date, that systems and applications be developed and maintained securely, that access to cardholder data be restricted to personnel with a business need to know, that networks be regularly monitored and tested, and that merchants maintain a security policy that addresses information security for employees and contractors.
For more detailed information, go to www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf.