Many may escape sanction in cards scam
After allegedly compromising the credit card details of 500,000 Australian bank customers, 16 Romanian nationals have been arrested in a global anti-fraud action driven by the Australian Federal Police.

But other perpetrators in the affair may never be either identified or sanctioned: the merchants who allowed their customers' data to be disclosed.

The 16 Romanians belonged to a group that allegedly accessed the computer systems of foreign companies operating petrol stations and grocery stores. They then installed computer applications that could intercept and transmit credit card identity and transaction data. The information was used to make counterfeit cards that were then sold.

The Australian Federal Police said information from 30,000 of the Australian credit cards was used to conduct fraudulent transactions worth more than A$30 million.

Reports yesterday said all 100 Australian businesses caught up in the fraud have been told how their systems were hacked, and all have now installed security measures that will prevent them being exploited again.

But the affected businesses appear not to have protected their customers' data with end-to-end encryption while sending the data to payment processors. Merchants' contracts with banks require that they encrypt customer data as required by the Payment Card Industry Data Security Standard (PCI DSS).

The banks and credit unions that transferred money in the scam have reimbursed customers for their $30 million in losses. They have also publicly underlined the effectiveness of their systems for preventing fraud.

In theory, these institutions could now take action against the 100 Australian businesses concerned for their failure to encrypt card information. To date, few if any Australian merchants have ever faced sanction over their lack of compliance with PCI DSS.

The widespread lack of PCI DSS compliance, particularly among small businesses, is a well-known problem within the payments industry. A survey by AMR for technology company IP Payments, released in September, found that one in every 25 Australian companies has suffered a breach of customer financial data and that there is widespread management ignorance of payment card data security standards. IP Payments' technical director, Mark Lewis, said then that the research suggested the cause of the problem was management ignorance of those standards.

And, just yesterday, US payment data security firm SecurityMetrics published its second annual Payment Card Threat Report, claiming that more than 10 per cent of all US merchants store magnetic stripe data. SecurityMetrics' director, Gary Glover, was quoted in the firm's media release as saying that "hackers proactively search for unencrypted card data because it takes less effort to steal". This is exactly the kind of data that enabled the Romanian fraud.

We know that Greco-Roman wrestling champion Gheorghe "The Carpathian Bear" Ignat was among those picked up in the Romanian raids. He even appeared in local media yesterday, his head shaven and his chest draped in medals.

The Australians who made it so easy for him and his mates to steal people's credit card data are likely to get off much more lightly.