<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Transaction Management &#38; Solutions &#124; TM&#38;S &#187; fraud</title>
	<atom:link href="http://www.tmspay.com/tag/fraud/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.tmspay.com</link>
	<description>Transaction Management &#38; Solutions &#124; TM&#38;S</description>
	<lastBuildDate>Thu, 30 Jun 2011 20:41:56 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
		<item>
		<title>Can You Protect Your Customers From Outside Data Threats?</title>
		<link>http://www.tmspay.com/2011/05/16/can-you-protect-your-customers-from-outside-data-threats/</link>
		<comments>http://www.tmspay.com/2011/05/16/can-you-protect-your-customers-from-outside-data-threats/#comments</comments>
		<pubDate>Tue, 17 May 2011 00:56:04 +0000</pubDate>
		<dc:creator>Michael Brooks</dc:creator>
				<category><![CDATA[data security]]></category>
		<category><![CDATA[fraud]]></category>
		<category><![CDATA[identity theft]]></category>

		<guid isPermaLink="false">http://www.tmspay.com/?p=383</guid>
		<description><![CDATA[It seems that not a week goes by without a data breach being in the news.  Breaches occur a lot more than we realize – even affecting small businesses such as medical offices and single location restaurants.  However, only the big ones make headlines.  Hackers today have found various ways to obtain private and sensitive [...]]]></description>
			<content:encoded><![CDATA[<p>It seems that not a week goes by without a data breach being in the news.  Breaches occur a lot more than we realize – even affecting small businesses such as medical offices and single location restaurants.  However, only the big ones make headlines.  Hackers today have found various ways to obtain private and sensitive consumer data – and merchants are not all to blame.  <span id="more-383"></span></p>
<p>Following the Epsilon breach in April, consumers became more aware of third parties managing personal consumer information, as it affected huge companies such as Target, Walgreens and Best Buy.  Many companies, including small mom and pop outfits, outsource functions, such as data storage and marketing, so they can concentrate on what they do best (even if it’s just managing retail sales).  Businesses love automated programs that help ease the burden of time consuming marketing tasks, but what they don’t realize is that any time a third party company has access to customer data, sensitive information could be at risk.  Hackers don’t just look to target single company databases anymore, as we might think.  They have gotten a lot smarter.  Why hit a single company when they can hit a conglomerate who manages large amounts of data for other companies?  Epsilon manages email marketing for roughly 2,500 clients.  Even if the hackers were able to obtain just email addresses, that information can be used for phishing to obtain more sensitive data.  What about old databases that have not been scrubbed?  Data sources on the Sony PlayStation Network breach stated that the initial breached information, affecting 77 million accounts, was contained in an outdated database.</p>
<blockquote><p>Hackers don’t just look to target single company databases anymore&#8230;</p></blockquote>
<p>PCI security guidelines, as well as credit card associations, stipulate rules and regulations for how sensitive data (i.e. credit and debit card numbers) is to be stored, not stored, encrypted, etc.  However, even the breach of non-sensitive customer data (email and mailing addresses) can lead to consumers voluntarily giving away their sensitive information and thereby becoming victims of fraud.</p>
<p>Customer data sharing adds more fuel to the fire.  While customer data storage practices might change, customer data sharing will not be going away – likely ever.  Data sharing amongst financial institutions and creditors is very common and recent privacy notices now communicate this information more clearly, telling card holders what data sharing they can and cannot limit.  Even if an account is closed, the consumer’s information remains available for at least seven years.</p>
<p>Cloud computing, as we can see being pushed by Google and Microsoft, is a contributing factor as well.  Using a web-based service to store personal data of customers may be convenient, but it also puts that data at risk.  Underneath it all is the need for consumers to share their basic sensitive data, such as credit card and social security numbers, to live and function in our world today.  It is very rare that someone uses only cash, doesn’t have a bank account or hasn’t provided at least their social security number for some purpose or another.</p>
<p>Additionally, breaches don’t just come from people accessing data through the internet or insecure firewalls.  Data being transferred on portable devices, printed material stored in insecure locations, disgruntled employees who have access to personal and/or secure data (even if it is names and email addresses) and personal information that is discarded without being shredded first can all be a target for fraud.</p>
<p>In addition to engaging practices to protect customer data, every business can learn from how affected businesses have responded to recent highly publicized data breaches.  Some followed up rather quickly with communication regarding the exposure and warned their customers of phishing emails and phone calls.  Financial institutions, such as WFNNB, which many merchants use as a credit card provider, issued new cards to their customers.  Sony took a more severe approach and has announced that their network will not be up and running again until the end of May.</p>
<p>The one good thing about these data breaches is the development of the next generation encryption technology.  Unfortunately, it will likely continue to be a cat and mouse game.  As for best business practices, no matter what businesses do to protect customer data, those who communicate their privacy practices clearly and take precautions immediately following a breach (even if it did not affect them) will certainly keep more customers than they lose.</p>
<p><em>On a side note, if you want to read more about all the breaches that are reported, check out the <a href="http://www.privacyrights.org/data-breach">Privacy Rights Clearinghouse</a> chronology.  You just might be surprised.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.tmspay.com/2011/05/16/can-you-protect-your-customers-from-outside-data-threats/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>FTC Taking Action Against Data Breaches</title>
		<link>http://www.tmspay.com/2010/10/04/ftc-taking-action-against-data-breaches/</link>
		<comments>http://www.tmspay.com/2010/10/04/ftc-taking-action-against-data-breaches/#comments</comments>
		<pubDate>Mon, 04 Oct 2010 16:45:14 +0000</pubDate>
		<dc:creator>Michael Brooks</dc:creator>
				<category><![CDATA[data security]]></category>
		<category><![CDATA[fraud]]></category>

		<guid isPermaLink="false">http://www.tmspay.com/?p=327</guid>
		<description><![CDATA[Of all the consumer protection laws coming into play, finally some legislation is being proposed for data security breaches.  When a data breach occurs, you see it in the news mostly for &#60;positive&#62; public relations reasons.  Companies issue press releases about data breaches to protect themselves and to stay in the good graces of [...]]]></description>
			<content:encoded><![CDATA[<p>Of all the consumer protection laws coming into play, finally some legislation is being proposed for data security breaches.  When a data breach occurs, you see it in the news mostly for &lt;positive&gt; public relations reasons.  Companies issue press releases about data breaches to protect themselves and to stay in the good graces of their present and future customers.  If they didn’t reveal such information, it would eventually be discovered and the company would be faulted for not reporting it.  There are consequences either way, but the Federal Trade Commission (FTC) sees legislation as a way to force companies to be more proactive. <span id="more-327"></span></p>
<p>Measures to protect consumers today involve both regulation and legislation.  There is a big difference between the two.  Right now, regulations exist regarding data security and breaches, but those regulations come from entities such as the card companies, industry associations, and councils (i.e., PCI Data Security Council &#8211; PCI DSC).  While some states have passed data breach notification laws, current federal legislation regarding data security only affects financial institutions, consumer reporting agencies, and data security procedures.</p>
<p>As the U.S. consumer protection agency, the FTC enforces several laws and rules regarding data security, but none so far have targeted data breach notification.  According to the FTC testimonial, the following legislation exists:</p>
<ul>
<li>The Commission’s Safeguards Rule under the Gramm-Leach-Bliley Act (“GLB Act”) provides data security requirements for financial institutions.</li>
<li>The Fair Credit Reporting Act (“FCRA”) requires consumer reporting agencies to use reasonable procedures to ensure that the entities to which they disclose sensitive consumer information have a permissible purpose for receiving that information, and imposes safe disposal obligations on entities that maintain consumer report information.</li>
<li>The Commission also enforces the FTC Act’s proscription against unfair or deceptive acts or practices in cases where a business makes false or misleading claims about its data security procedures, or where its failure to employ reasonable security measures causes or is likely to cause substantial consumer injury.</li>
</ul>
<p>In line with other new consumer protection laws being instituted, data security legislation has been proposed requiring companies to adhere to certain data security policies.  The bill, also known as the Data Security and Breach Notification Act of 2010, <a href="http://www.govtrack.us/congress/bill.xpd?bill=s111-3742" target="_blank">S.3742</a>, was introduced in August by Senators Mark Pryor (D-AR) and Jay Rockefeller (D-WV).  (Rockefeller, chairman of the committee on Commerce, Science, and Transportation, was behind the post transaction marketing investigation, which was discussed in a previous <a href="../../../../../2009/11/29/post-transaction-marketing-is-it-worth-the-risk-for-e-commerce-merchants/" target="_blank">blog</a> last year.)  Last month, the FTC testified to a Senate Subcommittee on Consumer Protection, Product Safety, and Insurance that it supports the proposed legislation.  The subcommittee also heard <a href="http://www.ftc.gov/os/testimony/100922datasecuritytestimony.pdf" target="_blank">testimony</a> from Symantec CTO Mark Bregman and Maneesha Mithal, Associate Director of the Division of Privacy and Identity Protection at the FTC, who outlined three items the FTC would like to see included in the legislation:</p>
<ul>
<li>The provision that requires companies to notify consumers in the event of a data breach should not be limited to electronic information</li>
<li>The proposed requirements should be extended to telephone companies</li>
<li>The bill should grant the FTC rulemaking authority to determine the circumstances under which providing free credit reports and monitoring may be required</li>
</ul>
<p>Companies who handle consumer data are guided against storing sensitive data by a multitude of associations, agencies, and councils, such as the PCI DSC.  Violations of data security regulations usually result in financial penalties or fines from those entities, with not much automatic legal recourse.  However, since 2001, the FTC has been able to use its authority to bring 29 cases against companies who failed to protect consumer data.</p>
<p>Having business experience in the card and electronic payment industry makes us more aware of data security practices on a daily basis in places where we do business.  The FTC and consumer advocacy groups are doing a great job of providing consumers with information on various ways to protect their information.  It’s unfortunate that consumers are becoming more informed and businesses are learning lessons as a result of incidents, such as major fraud cases or class action lawsuits, instead of being more proactive about data security.  The FTC is trying to change that.</p>
<p>No matter what legislation or regulations are put into place, even if they are enforced, consumers still need to be vigilant about their own personal data security.  The new laws are being put into place because companies handling sensitive consumer data are not holding up their end of the bargain.</p>
<p><span style="text-decoration: underline;">Other References</span></p>
<p><a href="http://www.ftc.gov/bcp/index.shtml" target="_blank">FTC Bureau of Consumer Protection</a></p>
<p><a href="http://www.ncsl.org/IssuesResearch/TelecommunicationsInformationTechnology/SecurityBreachNotificationLaws/tabid/13489/Default.aspx" target="_blank">State Security Breach Notification Laws</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.tmspay.com/2010/10/04/ftc-taking-action-against-data-breaches/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Where Are We With Payment Security?</title>
		<link>http://www.tmspay.com/2010/01/19/where-are-we-with-payment-security/</link>
		<comments>http://www.tmspay.com/2010/01/19/where-are-we-with-payment-security/#comments</comments>
		<pubDate>Tue, 19 Jan 2010 17:14:08 +0000</pubDate>
		<dc:creator>Michael Brooks</dc:creator>
				<category><![CDATA[Payment Innovations & Technologies]]></category>
		<category><![CDATA[fraud]]></category>
		<category><![CDATA[payment security]]></category>

		<guid isPermaLink="false">http://www.tmspay.com/?p=223</guid>
		<description><![CDATA[The EMV Standard In the UK, the migration to EMV technology has reduced fraud in face-to-face transactions since EMV adoption in 2003.  The EMV standard operates with EMV-compliant cards (which have embedded chips instead of magnetic stripes) and EMV-compliant POS terminals.  The chips require a PIN entry for a secure EMV transaction.  The acronym EMV [...]]]></description>
			<content:encoded><![CDATA[<p><strong>The EMV Standard</strong></p>
<p>In the UK, the migration to EMV technology has reduced fraud in face-to-face transactions since EMV adoption in 2003.  The EMV standard operates with EMV-compliant cards (which have embedded chips instead of magnetic stripes) and EMV-compliant POS terminals.  The chips require a PIN entry for a secure EMV transaction.  The acronym EMV is derived from the initial letters of Europay, MasterCard, and Visa, all of whom cooperated to create the technology standard.  MasterCard merged with Europay in 2002.  JCB and American Express have since joined the organization as well.</p>
<p>EMV is a perfect example of two-factor authentication, where two different factors are required to complete a transaction, and has been referenced as a key solution for secure, fraud-resistant transactions.  <span id="more-223"></span> There is a strong push for EMV abroad, and to encourage merchant acceptance, merchants are held responsible for fraud resulting from any non-EMV transactions.  As more countries adopt EMV technology, they are also banning signature transactions.  Australia will ban signatures by 2013.  Canada will not accept magnetic stripe transactions after 2015.  These added security layers will push payment card thieves to focus on easier targets, such as the U.S.  EMV employed as the only method for secure face-to-face transactions abroad is also altering how U.S. cardholders are conducting (or abandoning) transactions in these countries.  This could result in lost revenue for international merchants and will hopefully put the pressure on issuers and merchants in the U.S. to adopt EMV.</p>
<blockquote><p>&#8220;Australia will ban signatures by 2013.  Canada will not accept magnetic stripe transactions after 2015.&#8221;</p></blockquote>
<p><strong>Ecommerce Data Protection</strong></p>
<p>According to the U.S. Census Bureau, ecommerce sales in 3Q 2009 were estimated at $32 billion, 3.7 percent of total retail sales &#8211; an increase of approximately 2.1 percent from 3Q 2008 while total sales decreased in the same period.  Visa, MasterCard and JCB already have 3-D Secure protocols in place for online purchases.  Verified by Visa, MasterCard SecureCode and J/Secure (JCB) all require the cardholder to enter a password or unique ID to complete a transaction.  Cardholders must register with the programs for the extra layer of security to be added during a transaction.  Unfortunately, these programs have not been well received or implemented due to added costs to the merchant and low acceptance from cardholders.  In response &#8211; and to support EMV online &#8211; MasterCard has developed their Chip Authentication Program (CAP) and Visa has created their Dynamic Password Authentication (DPA), a different version of CAP.  To date, deployment has been minimal.  Last week, ArcotOPT was announced as the first solution using CAP on mobile phones for ecommerce and online banking.  Although the company, Arcot, is based in California, the product was released in Europe where EMV has a strong presence. We are not likely to see deployment in the U.S. until EMV takes hold here.</p>
<p><strong>Going Contactless</strong></p>
<p>As contactless card adoption grows (mostly in the small ticket market &#8211; fast food, convenience stores, etc.), so does the acceptance of the added security already in place.  Contactless cards include a unique CVV for each transaction.  If thieves were to obtain the payment card data from a transaction, the CVV could not be used for another transaction.  Additionally, contactless payments do not transmit the cardholder’s name and some also do not include the account number.  MasterCard teamed up recently with RIM to deploy MasterCard PayPass contactless stickers on Blackberry phones.  After each PayPass transaction, a confirmation email with the transaction information is sent to the Blackberry phone.  Verifone has combined its end-to-end encryption solution, VeriShield, with EMV to support contactless payments beginning this spring in the UK and a few other regions.  End-to-end encryption does not supply any usable cardholder data to a merchant’s POS device or network, thereby reducing fraud risk.</p>
<p><strong>How About Mobile Shopping?</strong></p>
<p>Smartphone technology, not to mention the iPhone, has significantly increased the interest in mobile payments.  Presently, contactless stickers can easily satisfy this demand (as mentioned above with MasterCard and RIM).  Some major card companies have also tested near field communication (NFC) as a contactless payment option. NFC is a short-range wireless technology which enables the exchange of data.  Payments using NFC also require a PIN to complete the transaction.</p>
<p>It is apparent that various options for added payment security are already available. The reason these new security options are not yet deployed in the U.S. rests on the concern for cost and revenue stream.  Mobile carriers want a piece of the pie when transactions are made using devices over their networks, thereby slowing the adoption in carrier channels.  EMV would certainly incur costs for merchants (new POS devices) and card issuers (new cards with chip technology).  Despite these new security protocols, a strong fraud risk still exists with merchants, processors and companies storing sensitive data (against PCI compliance), as well as physical cards being cloned or skimmed.  Costs associated with fraud in the U.S. today are written off as a cost of doing business. Pending government legislation, card association guidelines and PCI compliance appear to be the only factors pushing for faster adoption of stronger security measures.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.tmspay.com/2010/01/19/where-are-we-with-payment-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Online Network Security Must Haves &#8211; Part 3</title>
		<link>http://www.tmspay.com/2009/02/05/online-network-security-must-haves-part-three/</link>
		<comments>http://www.tmspay.com/2009/02/05/online-network-security-must-haves-part-three/#comments</comments>
		<pubDate>Thu, 05 Feb 2009 22:03:02 +0000</pubDate>
		<dc:creator>Michael Brooks</dc:creator>
				<category><![CDATA[Risk and Fraud Management]]></category>
		<category><![CDATA[fraud]]></category>
		<category><![CDATA[identity theft]]></category>
		<category><![CDATA[technology]]></category>

		<guid isPermaLink="false">http://www.tmspay.com/?p=119</guid>
		<description><![CDATA[Password security is important and knowing the different types of identity theft is great, but what are the best ways to prevent identity theft? Many believe that PCI compliance does not affect them because they are not a payment processor or don&#8217;t run a gateway. This is a common mistake and can cost online businesses [...]]]></description>
			<content:encoded><![CDATA[<p><img align="left" style="padding:10px;" src="http://www.tmspay.com/wp-content/uploads/2009/02/network_cables.jpg" border="0" title="Online &#038; Network Security Must Haves" width="180" height="180"/>Password security is important and knowing the different types of identity theft is great, but what are the best ways to prevent identity theft? Many believe that <a href="http://www.tmspay.com/2008/09/05/what-is-pci-dss/">PCI compliance</a> does not affect them because they are not a payment processor or don&#8217;t run a gateway. This is a common mistake and can cost online businesses a lot of money. This doesn&#8217;t mean you need to be paranoid about being a company that is going to be the victim of identity theft. Use common sense and ask yourself if strangers are able to access your personal information.</p>
<p>Here are some tips to help prevent identity theft:</p>
<p><span id="more-119"></span></p>
<ol type="1">
<li>In <a href="http://www.tmspay.com/2009/02/02/online-and-network-security-must-haves-part-1/">Part I of this series</a>, I discussed the importance of generating secure and strong passwords. Make sure your corporate files are safe and all passwords are required to be at least 8 characters long. Make sure they have a random mixture of characters and numbers.</li>
<li>One way to ensure your computer is secured is to drop it in a vat of concrete and build a 10-foot tall statue over it. But of course this would make your computer very difficult to use. Keeping your computer safe is much easier than that. First, make sure only authorized people have access to your network. Use a secure network router between your computer and network connections so hackers will have a tougher time finding the computer.</li>
<li>Make sure you are keeping your website, software and operating systems updated with the latest patches. You may want to consider purchasing hard drive data encryptors.</li>
<li>You should know who has access to your mail (personal and company&#8217;s), including bank statements, social security numbers, insurance statements, utility bills, and any other mail that may contain financial information. It is also important to protect your trash by always asking yourself the question &#8220;Is there any personal information written on this document?&#8221; Make sure to shred all important documents, as well as seemingly innocent items like credit card offers and sky miles statements.</li>
<li>Order free credit reports to monitor your score and activity every year.</li>
</ol>
<p>There are ways to fight back if your site has been compromised or your identity has been stolen. You may find local police unable to assist because of the complexity of these types of crimes, as well as their lengthy investigations. But if you persist, you can get a report filed. Make sure to keep adequate records of all occurrences, police filings, and contacts.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.tmspay.com/2009/02/05/online-network-security-must-haves-part-three/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Online &amp; Network Security Must Haves &#8211; Part 2</title>
		<link>http://www.tmspay.com/2009/02/04/online-and-network-security-must-haves-part-2/</link>
		<comments>http://www.tmspay.com/2009/02/04/online-and-network-security-must-haves-part-2/#comments</comments>
		<pubDate>Wed, 04 Feb 2009 23:25:47 +0000</pubDate>
		<dc:creator>Michael Brooks</dc:creator>
				<category><![CDATA[Risk and Fraud Management]]></category>
		<category><![CDATA[fraud]]></category>
		<category><![CDATA[identity theft]]></category>
		<category><![CDATA[technology]]></category>

		<guid isPermaLink="false">http://www.tmspay.com/?p=118</guid>
		<description><![CDATA[Part one of this series talked about identity thieves wanting your password, and we discussed ways to protect against having your passwords compromised. Securing your password seems to be only 25 percent of the battle these days. Many network security breaches, like the Heartland Breach, occurred from within. So it is important to be PCI [...]]]></description>
			<content:encoded><![CDATA[<p><img align="left" style="padding:10px;" src="http://www.tmspay.com/wp-content/uploads/2009/02/network_cables.jpg" border="0" title="Online &#038; Network Security Must Haves" width="180" height="180"/></p>
<p><a href="http://www.tmspay.com/2009/02/04/online-and-network-security-must-haves-part-1/">Part one of this series</a> talked about identity thieves wanting your password, and we discussed ways to protect against having your passwords compromised. Securing your password seems to be only 25 percent of the battle these days. Many network security breaches, like the <a href="http://www.tmspay.com/2009/01/26/heartland-security-breach-shakes-card-processing-industry/">Heartland Breach</a>, occurred from within. So it is important to be <a href="http://www.tmspay.com/2008/09/05/what-is-pci-dss/">PCI Compliant</a> internally and know who is working for you.</p>
<p>I wish there were a specific set of characteristics I could post to detect an identity thief, but unfortunately they are as broad as the criminal population itself.  I like to divide attacks by criminals into two categories: internal attacks and external attacks.</p>
<p>Internal attacks are usually traced back to disgruntled, dishonest, and/or careless employees. Some common characteristics of an internal attack are:</p>
<p><span id="more-118"></span></p>
<ol type="1">
<li>Computer and data theft:  An employee stealing a PC, laptop, memory stick, or external hard drive.</li>
<li>Desk snooping: Look out for employees snooping around a co-worker&#8217;s desk for reminders and notes. Sometimes they might even ask a coworker to look something up to see if they should happen to keep a sticky note under a tissue box with their password.</li>
<li>The roaming employee: This employee typically wanders around looking over cubicle walls and observing keys that other employees type.</li>
</ol>
<p>External attacks are usually done by a person that has no direct access to the company or its website. These types of thieves are crafty. They come in many different forms and are always coming up with new ways to get into a website. Some examples of theft to look out for are:</p>
<ol type="1">
<li>Bogus websites: I have only recently learned about how these actually work. These websites ape legitimate sites. The design is so similar it can often fool the website owner himself. Consumers enter in their personal information and the thief captures it for their own use.</li>
<li>Forceful attacks: The techies call this a brute force attack. This is where a computer is set up to methodically try every combination of letters, numbers, and symbols to break a password.</li>
<li>Web page hijackers: These savvy criminals load malicious code on to your computer. The code is designed to redirect your typed web address to another site. This also can cause you to be redirected to one offensive site after another.</li>
</ol>
<p>Protecting your network and website against identity theft can be costly, but there are many cost-effective ways to secure your network. Privacy protection laws require that customers be informed when their private information has been compromised. This notification alone can cost around $20 per customer. Better to be safe and secure now, than pay the price later.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.tmspay.com/2009/02/04/online-and-network-security-must-haves-part-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Online &amp; Network Security Must Haves &#8211; Part 1</title>
		<link>http://www.tmspay.com/2009/02/02/online-and-network-security-must-haves-part-1/</link>
		<comments>http://www.tmspay.com/2009/02/02/online-and-network-security-must-haves-part-1/#comments</comments>
		<pubDate>Mon, 02 Feb 2009 23:04:06 +0000</pubDate>
		<dc:creator>Michael Brooks</dc:creator>
				<category><![CDATA[Risk and Fraud Management]]></category>
		<category><![CDATA[fraud]]></category>
		<category><![CDATA[identity theft]]></category>
		<category><![CDATA[technology]]></category>

		<guid isPermaLink="false">http://www.tmspay.com/?p=117</guid>
		<description><![CDATA[The word &#8220;hacker&#8221; is often associated with the terms crime and fraud. However, hackers can be a good defense against online fraud, such as the &#8220;white hat&#8221; hackers that work to prevent fraud and fight identity theft. Unfortunately, white hat hackers aren&#8217;t as common as criminal hackers.  It is important to first understand what different types of [...]]]></description>
			<content:encoded><![CDATA[<p><img align="left" style="padding:10px;" src="http://www.tmspay.com/wp-content/uploads/2009/02/network_cables.jpg" border="0" title="Online &#038; Network Security Must Haves" width="180" height="180"/>The word &#8220;hacker&#8221; is often associated with the terms crime and fraud. However, hackers can be a good defense against online fraud, such as the &#8220;white hat&#8221; hackers that work to prevent fraud and fight identity theft. Unfortunately, white hat hackers aren&#8217;t as common as criminal hackers. </p>
<p>It is important to first understand what different types of identity theft occur, and then you can find out how to get protection.</p>
<p>The easiest item for a criminal or hacker to obtain is your password. Some common mistakes made when setting up passwords are using names of kids, birthdates, or hometowns. Spelling your child&#8217;s name backwards is another frequent mistake. I have even seen people write their passwords on a sticky note, in a notebook or in their PDA. Do not give office assistants your passwords. Remember passwords are used in more than 90 percent of all online network security practices. People use passwords for online banking, shopping, stock trading, and network logons. It is imperative to create a strong password. </p>
<p><span id="more-117"></span>A password alone may not secure your online purchases. Many are turning to smart card security and <a href="http://www.access-smart.com/" target="_blank">Power LogOn</a>. Power LogOn combined with Smart Card technology provides the ability to securely store your passwords in a smart card chip, like an electronic safe. This can help prevent a criminal from getting your passwords and personal information. A smart card is a plastic card with an embedded chip that can offer advanced security features to prevent unauthorized access to retrieve and modify stored data.</p>
<p>Power LogOn provides many security benefits such as:</p>
<ul type="disc">
<li>Passwords can be created by using 20 out of 96 available keyboard characters.</li>
<li>PIN protected smartcard technology locks the data after three wrong authorization attempts.</li>
<li>The software works with your PC or network logon, password protected data files, windows-based applications and web accounts.</li>
</ul>
<p>Password security, without convenient implementation, is not free to the company or website that lacks it. Resetting passwords can take 20 to 50 percent of IT support&#8217;s time and costs approximately $70 per incident. This is time and money that could be more wisely used to increase other aspects of a company&#8217;s network security.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.tmspay.com/2009/02/02/online-and-network-security-must-haves-part-1/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Red Flag Compliance Deadline Extended</title>
		<link>http://www.tmspay.com/2009/01/21/red-flag-compliance-deadline-extended/</link>
		<comments>http://www.tmspay.com/2009/01/21/red-flag-compliance-deadline-extended/#comments</comments>
		<pubDate>Wed, 21 Jan 2009 17:52:33 +0000</pubDate>
		<dc:creator>Michael Brooks</dc:creator>
				<category><![CDATA[Industry Compliance]]></category>
		<category><![CDATA[Risk and Fraud Management]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[FACTA]]></category>
		<category><![CDATA[Federal Trade Commission]]></category>
		<category><![CDATA[fraud]]></category>
		<category><![CDATA[identity theft]]></category>
		<category><![CDATA[red flags]]></category>

		<guid isPermaLink="false">http://www.tmspay.com/?p=113</guid>
		<description><![CDATA[The Federal Trade Commission announced that &#8220;creditors&#8221; will not have to worry about fines associated with noncompliance with Red Flag Rules until May 1st 2009. A creditor is defined as any entity that extends, renews, or continues credit and any entity that regularly arranges for the extension, renewal, or continuation of credit. For example, [...]]]></description>
			<content:encoded><![CDATA[<p><img align="left" src="http://www.tmspay.com/wp-content/uploads/2009/02/stopwatch.jpg" alt="stopwatch" border="0" style="padding:10px;" width="180" height="180"/>The Federal Trade Commission announced that &#8220;creditors&#8221; will not have to worry about fines associated with noncompliance with <a href="http://www.tmspay.com/2008/10/21/the-red-flag-deadline-is-approaching/" target="_self">Red Flag Rules</a> until May 1<sup>st</sup> 2009. A creditor is defined as any entity that extends, renews, or continues credit and any entity that regularly arranges for the extension, renewal, or continuation of credit. For example, mortgage brokers, utility companies and automobile dealers are classified as creditors.</p>
<p>The decision to extend is said to be largely due to complaints from creditors that they were unaware of the new regulation; some say they only found out after the deadline had passed. According to the <a href="http://www.redflagrules.net/" target="_blank">official press release</a>, this deadline applies only to organizations that are not under the jurisdiction of any regulatory agency other than the Federal Trade Commission. <a href="http://www.tmspay.com/2008/10/14/is-facta-really-fair-and-accurate/" target="_self">FACTA</a> requires financial institutions and creditors to implement a written identity theft prevention program that should help detect identity theft, hopefully before any damage is done. If identity theft is not detected, the regulation calls for the financial institution or the creditor to reduce the risk to the consumer and the organization.</p>
<p><span id="more-113"></span>Many creditors have complained that there is not a clear-cut way of indicating how they will be audited, and it has not been indicated how penalties will be assessed. The FTC Enforcement Policy now clearly defines all the parameters for creditors to follow. Going forward there will be no question that if you fit into the category of &#8220;creditor&#8221; you will be required to comply with Red Flag Rules. Still, many organizations feel they are flying under the radar or won&#8217;t be caught. What does a company have to gain by allowing identity theft to occur?</p>
<p>Rules to be followed range from watching for suspicious social security numbers that may be on the Social Security Administration&#8217;s Death Master File to suspicious, or repeated, address or phone number tracking. Plain and simple, following Red Flag Rules will reduce identity theft and every business should want to participate in keeping our personal information safe.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.tmspay.com/2009/01/21/red-flag-compliance-deadline-extended/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Can Chargebacks Set your Business Back?</title>
		<link>http://www.tmspay.com/2008/12/29/can-chargebacks-set-your-business-back/</link>
		<comments>http://www.tmspay.com/2008/12/29/can-chargebacks-set-your-business-back/#comments</comments>
		<pubDate>Mon, 29 Dec 2008 20:03:29 +0000</pubDate>
		<dc:creator>Michael Brooks</dc:creator>
				<category><![CDATA[Chargebacks]]></category>
		<category><![CDATA[Risk and Fraud Management]]></category>
		<category><![CDATA[fraud]]></category>
		<category><![CDATA[Preventing chargebacks]]></category>

		<guid isPermaLink="false">http://www.tmspay.com/2008/12/29/can-chargebacks-set-your-business-back/</guid>
		<description><![CDATA[It used to be that if you got a faulty product, poor service or were simply double charged, you decided to chargeback the purchase. With today&#8217;s economy and fraud on the rise, chargebacks are becoming more mainstream and more purchases are being made with stolen cards. Losses of jobs cause people to simply think [...]]]></description>
			<content:encoded><![CDATA[<p>It used to be that if you got a faulty product, poor service or were simply double charged, you decided to <a href="http://www.tmspay.com/2008/06/04/the-chargeback-cycle/" target="_self">chargeback</a> the purchase. With today&#8217;s economy and fraud on the rise, chargebacks are becoming more mainstream and more purchases are being made with stolen cards. Losses of jobs cause people to simply think twice about their purchases, or people simply keep the product and claim they never received it.</p>
<p>Illegitimate chargebacks are costing business owners, and it&#8217;s time to fight back against dishonest customers and fraud. I have surveyed 50 of my online merchants and found that most of their chargebacks come from people who order items online, and then in an attempt to keep the product without paying for it, dispute it. I consider this shoplifting.</p>
<p>Part of the problem seems to stem largely from regulations put in place stating anyone can dispute any charge for any reason.  Naturally, crooks will use these regulations to their full advantage.</p>
<p>Many online merchants are losing the battle against chargebacks and feel there is nothing they can do. Online merchants should not give up; not all chargebacks are final. The best option is to respond to the chargeback letter immediately. Keep in mind that if your bank still honors the chargeback, you have the right to go after the consumer plus any costs you incur as a result.</p>
<p>Some key tips for combating chargebacks are:</p>
<p><span id="more-107"></span></p>
<ol>
<li>Use a trackable shipping service and require signature on delivery. This provides you with documentation if a dispute should arise. If you sell e-books or other downloadable items, it is a good idea to add something tangible for tracking purposes.</li>
<li>Make sure your return policy is clearly posted on your website. Post time limits for refunds and associated fees, such as restocking fees. Also note the condition of the product.</li>
<li>Post a chargeback policy on your website. Don&#8217;t be afraid to report customers to collection agencies for excessive chargebacks.</li>
<li>Make sure to pick a gateway that has a chargeback support feature. These gateways can help you find the best way to combat chargebacks and the correct way to respond to chargeback notices.</li>
</ol>
<p>It is better to be safe than sorry.  If you have specific chargeback issues and are looking for the best way to respond to your notices, feel free to comment.  We would love to help.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.tmspay.com/2008/12/29/can-chargebacks-set-your-business-back/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Tis the Season for Fraud &#8211; How Is Your Business Helping? (Part 2)</title>
		<link>http://www.tmspay.com/2008/12/19/tis-the-season-for-fraud-how-is-your-business-helping-part-2/</link>
		<comments>http://www.tmspay.com/2008/12/19/tis-the-season-for-fraud-how-is-your-business-helping-part-2/#comments</comments>
		<pubDate>Sat, 20 Dec 2008 01:59:29 +0000</pubDate>
		<dc:creator>Michael Brooks</dc:creator>
				<category><![CDATA[Risk and Fraud Management]]></category>
		<category><![CDATA[fraud]]></category>
		<category><![CDATA[PCI DSS]]></category>
		<category><![CDATA[Validating credit cards]]></category>

		<guid isPermaLink="false">http://www.tmspay.com/?p=105</guid>
		<description><![CDATA[The sales associates at retail outlets following proper security guidelines is a good start to protecting against fraud this holiday season. But what if you are an online business, or the magnetic strip on a card does not work? In Part 1 of this topic, we talked about proper procedure for accepting cards in a card [...]]]></description>
			<content:encoded><![CDATA[<p>Having sales associates at retail outlets follow proper security guidelines is a good start to protecting against fraud this holiday season. But what if you are an online business, or the magnetic strip on a card does not work? In <a href="http://www.tmspay.com/2008/12/16/tis-the-season-for-fraud-how-is-your-business-helping/" target="_self">Part 1 of this topic</a>, we talked about proper procedure for accepting cards in a card present environment. Transactions that don&#8217;t involve swiping a card are considered &#8220;hand-keyed&#8221; transactions.</p>
<p>With hand-keyed transactions you run a greater risk of fraud because the magnetic strip information is not available. If you are in a retail environment you can do the following:</p>
<p><span id="more-105"></span></p>
<ol>
<li>Check your terminal and make sure it is working properly. You can try to swipe your own card to ensure the issue is not with your equipment.</li>
<li>You can also check to see if the number embossed on the front of the card is the same as the number indented on the back. There are scams where thieves will shave the numbers to alter the embossed numbers on the front of a card.</li>
<li>Look at the expiration date and make sure it is valid.</li>
<li>It is important to <a href="http://www.tmspay.com/2008/11/11/to-imprint-or-not-to-imprint/" target="_self">get an imprint</a> of the card and have the customer sign the imprint slip. This way you can confirm the signature matches the back of the card.</li>
</ol>
<p>If you take cards over the internet, make sure you are following <a href="http://www.tmspay.com/2008/09/05/what-is-pci-dss/" target="_self">Payment Card Industry Data Security Standards</a>. Seeking out proper fraud control software is a key element to keeping your transactions safe and keeping your site secure.</p>
<p>Most people that are going to use fraudulent stolen cards follow the same patterns. Some key things to look out for are people making large purchases without any regard for size, color, or price. Some will try to distract you or rush the sale by asking questions about other items while they are at the register being rung up. Many will make a purchase then return to the store to make another purchase shortly after.</p>
<p>Visa and MasterCard <a href="http://www.tmspay.com/2008/10/03/new-innovations-are-keeping-credit-card-information-secure/" target="_self">both have security features in place</a> on their cards that I believe all retail sales people should be trained on. For example, all Visa Cards have a Dove or Flag Hologram on the front, or a mini Dove on the back.  It is important to become familiar with the items (or lack thereof) that can easily signal an instance of fraud. </p>
]]></content:encoded>
			<wfw:commentRss>http://www.tmspay.com/2008/12/19/tis-the-season-for-fraud-how-is-your-business-helping-part-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Tis the Season for Fraud &#8211; How is Your Business Helping? (Part 1)</title>
		<link>http://www.tmspay.com/2008/12/16/tis-the-season-for-fraud-how-is-your-business-helping/</link>
		<comments>http://www.tmspay.com/2008/12/16/tis-the-season-for-fraud-how-is-your-business-helping/#comments</comments>
		<pubDate>Tue, 16 Dec 2008 18:07:19 +0000</pubDate>
		<dc:creator>Michael Brooks</dc:creator>
				<category><![CDATA[Risk and Fraud Management]]></category>
		<category><![CDATA[fraud]]></category>

		<guid isPermaLink="false">http://www.tmspay.com/?p=104</guid>
		<description><![CDATA[According to the Bureau of Labor and Statistics of the U.S Department of Labor, the unemployment rate is currently 6.7 percent. With these staggering unemployment numbers, fraud is even more prevalent than ever. It is now even more important for business owners to maintain strict guidelines for retail purchases made with credit cards. Retail business [...]]]></description>
			<content:encoded><![CDATA[<p>According to the Bureau of Labor and Statistics of the U.S. Department of Labor, the <a href="http://www.bls.gov/news.release/empsit.nr0.htm" target="_blank">unemployment rate is currently 6.7 percent</a>. With these staggering unemployment numbers, fraud is more prevalent than ever. It is now even more important for business owners to maintain strict guidelines for retail purchases made with credit cards. Retail business owners in a card-present environment have just as much at risk as online retailers.</p>
<p>Visa requires that every sales associate check <a href="http://www.tmspay.com/2008/10/03/new-innovations-are-keeping-credit-card-information-secure/" target="_self">card security features</a>, request an authorization, and obtain a signature.  Below are some steps to follow so you can minimize fraudulent purchases:</p>
<p><span id="more-104"></span></p>
<ol type="1">
<li>Make sure the card has not been tampered with or altered. Look for a scratched magnetic strip or shavings on the numbers.</li>
<li>Run every card through your point of sale terminal in one direction only. Needing to run the card repeatedly or in multiple directions can be a sign that the card has been tampered with.</li>
<li>If you get an &#8220;Approved&#8221; response after swiping a card, make sure to get the card holder&#8217;s signature on the sales receipt. It is important to check that the card holder&#8217;s signature matches that of the signature on the card. Keep in mind that it is against Visa and MasterCard&#8217;s rules and regulations for a merchant to make a picture ID a condition of purchase.</li>
<li>If you receive the response &#8220;Pick up&#8221; you should confiscate the card. Inform the customer that the card has been reported lost or stolen, and you have been instructed to take it. Only attempt to take the card if you feel safe doing so.</li>
</ol>
<p>If you suspect fraud, you can make a Code 10 call. A Code 10 authorization request alerts the card issuer to suspicious activity without alerting the customer. You would call your voice authorization number and tell them you have a Code 10. You will be transferred to the issuing bank to answer a few questions and await instructions.</p>
<p>If a card&#8217;s magnetic strip appears to be worn, and it needs to be key-entered, make sure to be extra cautious. Make sure to <a href="http://www.tmspay.com/2008/11/11/to-imprint-or-not-to-imprint/" target="_self">get an imprint</a> of the card, as well as a signature. Also check the expiration date.  With the fast pace of the holidays and the number of customers, it can be easy to miss fraud, but if we all do our part we can enjoy the holiday season.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.tmspay.com/2008/12/16/tis-the-season-for-fraud-how-is-your-business-helping/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>

