The Green Sheet Online Edition
July 26, 2010 • Issue 10:07:02
Insider's report on payments
Securing a place for electronic payments
When it comes to security, perception is 90 percent of the process. Years ago, when I resided in a suburb of Washington, D.C., I installed a brand-name security system following a spate of break-ins in the neighborhood. As part of the package, I received several decals to place on windows and doors, to indicate the house was in the security company's program.
Within days of placing the decals I was inundated with requests from neighbors looking to buy leftover stickers. "Do you really think a couple of window stickers will protect you?" I asked one neighbor. "Not really, but chances are good they will make robbers think twice about breaking into my place, and maybe they'll choose another house."
I was reminded of this recently as I reviewed a report from database security vendor IBM Guardium, Information Security: Changing Perceptions and Changing Realities. Among the trends reported: Americans believe they are more likely to have their identities stolen than their automobiles.
It's a telling commentary on how critically valuable data security has become in the 21st Century, as well as on the bad rap banks and retailers are getting for playing fast and loose with customer data.
"The number of people who have experienced identity fraud due to data breaches pales in comparison to the number of people who fear it," wrote Phil Neray, Vice President for Security Strategy at Guardium and author of the report.
Yet there's plenty of evidence to suggest financial data theft is big business. Verizon Business, in its 2009 Data Breach Investigations Report covering cases from 2008, examined breaches involving a total of 285 million records; 80 percent of those records contained payment card information. Verizon also found that 91 percent of compromised records were linked to organized crime gangs.
Consumer concerns run high
Guardium queried consumers in four countries - Germany, France, the U.K. and the United States - to gauge concerns about the security of personally identifiable information and credit card data.
Eighty percent of Americans surveyed said they were either "concerned" or "very concerned" about the security of their credit card information. In the U.K., 72 percent of consumers expressed concerns about the ability of banks to safeguard personal financial data; in France 70 percent were most worried about the security of information accessible through their national health insurance cards.
As Neray wrote, "We're also currently witnessing a boom in the public's technological literacy. With each RockYou, TJ Maxx or Hannaford breach, consumers are gaining new information about the potential dangers to their data."
Furthermore, about 16 percent of all consumers polled by Guardium had been victims of fraud already; Americans had been especially hard hit. For more than 55 percent of U.S. fraud victims, the money involved exceeded $1,000; for 3 percent, the amount exceeded $10,000, Guardium reported.
The costs of data breaches at banks, retailers, processors and other organizations that deal in consumer financial data are substantial.
The Ponemon Institute, a security think tank, reported that it cost breached U.S. companies $204 per compromised record in 2009, up from $202 in 2008. The average total per-incident cost to breached organizations was $6.75 million in 2009, compared to $6.65 million in 2008.
The most expensive incident cost the breached company $31 million to resolve; the least expensive cost $750,000, according to Ponemon's latest U.S. Cost of Data Breach Study.
According to the LexisNexis 2009 True Cost of Fraud Report, U.S. banks spent more than $11 billion dealing with data breaches last year.
Retailers spent more than $100 billion on fraud losses, fees and costs related to chargebacks on fraudulent transactions, the report said.
Cyber-thieves attack databases for the same reason Willie Sutton robbed banks: because that's where the money is. (Sutton stole an estimated $2 million in his criminal career.) But unlike in Sutton's day, it's not easy to tell who the bad guys are and when a bank is under attack by cyber-criminals.
That's why it's a really good idea for retailers not to store card data on their own systems at all. "The optimal solution is to purge your systems of data and partner with a third party that can store the data in such a way as to enable clients to interact with it," said Aaron Bills, founder and Chief Operating Officer of 3Delta Systems Inc.
Based in Chantilly, Va., 3DSI has developed a set of products, known as CardVault, that rely on encryption, off-site data retention, and randomly generated codes, or "tokens," to secure real-time, business-to-business card payments. Data is stored in off-site centers that have been deemed Payment Card Industry (PCI) Data Security Standard (DSS) compliant for six years running, according to company statements.
As the name implies, CardVault works like a bank safe deposit box. Companies can access stored information as they need, with no risk of loss, Bills said.
And he claims that businesses using 3DSI's CardVault qualify for the lowest possible Level 3 interchange rate.
Tokenization isn't a new idea. The card number is replaced, everywhere the merchant keeps it, with a substitute value that has no mathematical relationship to the original; the real number lives only in the provider's vault, typically under encryption. Now it's beginning to look like the next big step in securing payment data.
"Where properly implemented, tokenization may help simplify a merchant's payment card environment," said Eduardo Perez, Head of Global Payment System Security at Visa Inc. But Perez is quick to add that it's not a perfect solution, since it may be possible for cyber-crooks to manipulate tokenization systems undetected.
Visa views tokenization as complementary to the PCI DSS, Perez explained.
So does George Peabody, Director of Emerging Technologies at Mercator Advisory Group.
"Tokenization is one more element in a merchant's anti-fraud and PCI compliance tool kit," he said.
"Particularly valuable for card-not-present and recurring payment applications, tokenization also retains the merchant's ability to perform marketing and fraud analytics while getting card number data off the merchant's systems and easing some of their [PCI] obligations," Peabody added.
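To make the tokenization pattern concrete, here is an added Python illustration of a token vault of the kind Bills and Peabody describe. It is hypothetical example code written for this page, not 3DSI's CardVault, Visa's best practices or any vendor's product. It assumes the vault runs at the provider, that the merchant keeps only the token and a masked number, that a card maps to one stable token (so recurring-payment and analytics use cases still work), and that the last four digits are preserved in the token; the card number used is a constructed test value, not a real account.

```python
import hashlib
import hmac
import secrets

# Hypothetical token vault (added illustration, not 3DSI's CardVault or any
# vendor's code). The vault would run at the service provider; the merchant
# keeps only tokens and masked PANs.

DIGITS = "0123456789"


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check: rejects malformed PANs before the vault stores them."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS style truncation for display: at most first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Provider-side store. The merchant never holds the PAN, only the token."""

    def __init__(self, index_key: bytes, detokenize_allowed: set):
        self._index_key = index_key
        self._allowed = set(detokenize_allowed)   # e.g. {"processor"}
        self._pan_by_token = {}       # token -> PAN; the only copy of the PAN
        self._token_by_index = {}     # HMAC(PAN) -> token; one stable token per card

    def _index(self, pan: str) -> str:
        # Keyed hash for the lookup table: a plain SHA-256 of a 16-digit PAN
        # is trivially brute-forced, an HMAC is useless without the vault key.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        idx = self._index(pan)
        if idx in self._token_by_index:
            return self._token_by_index[idx]        # same card -> same token
        while True:
            body = "".join(secrets.choice(DIGITS) for _ in range(len(pan) - 4))
            token = body + pan[-4:]                 # keep last four for receipts/analytics
            # The token must be unique, must not equal the PAN and (a design choice
            # assumed here) must fail Luhn, so it can never be mistaken for, or
            # submitted as, a real card number.
            if token != pan and token not in self._pan_by_token and not luhn_valid(token):
                break
        self._pan_by_token[token] = pan
        self._token_by_index[idx] = token
        return token

    def detokenize(self, token: str, caller: str) -> str:
        """Only an authorised component (the payment processor) may recover the PAN."""
        if caller not in self._allowed:
            raise PermissionError(f"{caller} may not detokenize")
        return self._pan_by_token[token]


def merchant_checkout(vault: TokenVault, pan: str) -> dict:
    """What the merchant is left holding once the vault has taken the PAN."""
    token = vault.tokenize(pan)
    return {"token": token, "display": mask_pan(pan), "last4": pan[-4:]}


if __name__ == "__main__":
    # Constructed test PAN, not a real account.
    vault = TokenVault(b"vault-index-key", {"processor"})
    record = merchant_checkout(vault, "4111111111111111")
    print(record)                                          # token + masked number only
    print(vault.detokenize(record["token"], "processor"))  # PAN, for the processor only
```

The two tables in the vault are the security boundary: a breach of the merchant's database yields tokens that fail Luhn and cannot be reversed, and even the vault's lookup index is a keyed HMAC rather than a bare hash. Detokenization is gated by caller identity, which is where the "manipulation undetected" concern Perez raises has to be addressed in a real deployment: audit every detokenize call, not just the tokenize path.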
In early July 2010, Visa released a set of best practices for card data tokenization, explaining that the document grew from industry and investigative insights regarding past data compromises. Visa has also clarified existing rules to ensure acquirers and issuers permit merchants to present truncated or masked card numbers for dispute resolution purposes.
It remains to be seen whether perceptions of card data security fall in step with this changing reality.
Patti Murphy is Senior Editor of The Green Sheet and President of The Takoma Group. Email her at email@example.com.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.