Three years to catch up on payment security standards

John Kavanagh
Payment card companies have announced that they will toughen security standards for financial institutions, merchants and consumers in 2010 in an attempt to stop the growth of identity theft and other forms of payment system fraud.

The Payment Card Industry Security Standards Council, whose members include Visa, MasterCard, American Express, Discover Financial Services and JCB International, is pushing to have a broader group of merchants and service providers comply with the Council's security standard (PCI DSS).

And Visa has announced that it will start moving to universal chip and PIN technology for credit, debit and ATM transactions next year.

The industry accepts that it has a serious problem, with criminal activity directed at online payment data growing fast. But there is plenty of debate about whether the self-regulatory moves being made by bodies like the Payment Card Industry Security Standards Council are adequate.

Speakers at last week's Payment Card Industry Data Security Standard Compliance Conference in Sydney described the online payments market as "the wild west when it comes to security", a sector under "unprecedented attack" and one where "the cybercrime industry is doing really well".

The managing principal for investigative response at Verizon Business Security Solutions, Mark Goudie, said his team carried out forensic investigations of 285 million individual data breaches in 2008 - all confirmed thefts of card details. Most of these thefts were from US-based payment processors.

Goudie said: "Online data accounts for 99 per cent of those cases and payment card data is 98 per cent of the total."

He said 2008 was a milestone year, with the number of compromised records in breaches investigated by Verizon up from 39 million in 2007 and 75 million in 2006.

"The reason 2008 is such an anomaly is the result of five very large breaches, which account for more than 90 per cent of the records compromised."

He said the crimes were becoming more sophisticated all the time. In one recent case a criminal was negotiating to sell access to retail terminals with skimming devices in them supplying live data.

Visa Australia director of country risk management, Ian McKindley, said the industry was taking a number of steps to address the problem.

Visa announced last month that from January 2010 all new Visa cards issued in Australia will feature smart chips to give higher security. Changes to debit and prepaid cards will follow in 2011. At the same time all non-chip cards currently in use will be replaced so that by 2013 the use of signatures in transactions will be phased out.

Other projects include the introduction of chip technology into ATMs. By 2012 card issuers must enrol all cards in Verified by Visa or its equivalents (such as MasterCard's SecureCode), which provide a password for online shopping. These systems have been voluntary up to now and some financial institutions have reported that take-up has been low.

McKindley said that for organisations, the PCI data security standard was "the best defence against theft of payment data." By July next year all merchants taking online payments will have to use software that is PCI DSS validated.

Compliance with the standard is being pushed out to small merchants and service providers. McKindley said a big project was to get card acquirers to work with merchants to remove vulnerable data from their files.

The PCI data security standard has 12 requirements, including installation and maintenance of a firewall, protected storage and encrypted transmission of cardholder data, regular updating of anti-virus software, strong user access control systems, and regular monitoring and testing of systems.