Breach Of Trust - InformationWeek
Software // Enterprise Applications
11:32 AM

Breach Of Trust

Data breaches are a constant threat and put companies in danger of losing their most valuable asset: customer trust

Credit-card companies are ramping up efforts to combat identity theft at all its sources. They have a huge stake in combating data leaks and identity theft, since plastic is the quickest way for thieves to get access to money or goods. Visa USA and MasterCard International Inc. have been working on making sure data security at brick-and-mortar merchants and credit-card processors is up to the standards they've set for online commerce.

Both companies want to ensure that merchants securely store credit-card and customer information. Visa's Cardholder Information Security Program, which began in April 2000 and was mandated in June 2001, requires that merchants and banks comply with a set of security standards, including using firewalls, conducting proper software patching, and restricting access to a need-to-know basis.

John Shaughnessy

Merchants comply with Visa's security policy because of what's at stake, Shaughnessy says.
Visa initially mandated that only large Internet merchants comply with the policy, but it was extended to validating compliance among all E-commerce sites that take Visa. The company figured online transactions were most vulnerable to hacker attacks, says John Shaughnessy, senior VP of risk management at Visa USA. Now, Visa has once again expanded its program, saying in February that it wants to validate compliance among all types of merchants.

Merchants are largely cooperative with the program because of what's at stake, Shaughnessy says. They know that breaches and fraud anger customers, as well as hurt credit-card issuers and other merchants victimized by subsequent fraud after a breach. Data breaches that lead to fraud total 6 or 7 cents for every $100 in sales, Shaughnessy says. "When you look at our overall breach rate, it's pretty low," he says.

The first deadlines for demonstrating compliance with Visa's program come this September, when most larger merchants will have to document that they've met the requirements. Banks, which authorize merchants to accept Visa or MasterCard, face fines if any of their merchants can't provide validation. "Members are to work with the merchants to help them get the job done," Shaughnessy says. Visa has a roster of approved vendors that provide consulting to ensure compliance.

MasterCard has two primary programs to prevent customer-data breaches and credit-card fraud related to online transactions. One is a Web-site data-protection program that helps merchants and their banks protect against hackers and other electronic compromises by performing vulnerability scans to identify and plug holes in their security infrastructures. The program, which generally costs less than $2,000 a year, is mandatory for merchants and banks and is subject to a number of compliance conditions. The other is MasterCard's SecureCode, a software plug-in that merchants can add to their sites for use by their customers and the card issuer. At checkout, a pop-up box asks a customer to enter a personal identification code that is provided and verified by the card issuer, guaranteeing the transaction for the merchant. MasterCard also requires third-party vendors that might possess merchants' customer data to participate in breach-prevention education, says John Brady, VP of merchant fraud control.

If a breach occurs, MasterCard does everything it can to minimize the fraud and reduce the chances of having to reissue a card by bringing in a remediation contractor to assess the damage, Brady says. "Risk remediation is key for us. We go in with a professional third-party company, we look at the system to see what the vulnerability was, and everyone involved goes through the process with the info-security vendor to determine which risk-remediation option makes the most sense," he says.

Brady and Shaughnessy are well aware that breaches will occur despite the most ambitious efforts to prevent them. The key is reacting quickly. "We understand when one of these breaches happens," Brady says. "But if a security hole leads to the breach, the risk needs to be mediated quickly and effectively."

Avivah Litan, VP and research director of financial services at Gartner, says the credit-card industry's own research predicts triple-digit growth in compromises. "It's getting worse," she says. "Crooks are getting much more aggressive and sophisticated, and it's easy to breach the systems. Viruses, Trojan horses--there are all types of ways to get passwords and get into the system. Everyone is vulnerable." And there isn't an easy answer. Litan estimates that only 10% of companies encrypt credit-card data, but it's for a reason. "It's hard to encrypt data and then use it in an operational environment--its very resource intensive," she says.

3 of 4
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
Top IT Trends to Watch in Financial Services
IT pros at banks, investment houses, insurance companies, and other financial services organizations are focused on a range of issues, from peer-to-peer lending to cybersecurity to performance, agility, and compliance. It all matters.
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on for the week of November 6, 2016. We'll be talking with the editors and correspondents who brought you the top stories of the week to get the "story behind the story."
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll