adnews

Data Theft: Securing Card Data

  • According to the Identity Theft Resource Center (ITRC), the overall number of breaches in the US has declined, and cases in the financial sector accounted for less than 4% of all breaches in 2011. However, companies that rely on card transactions still have work to do.
  • In fact, the ITRC notes that 26.5% of all breaches disclosed in 2011 involved debit or credit card data (a figure close to that of 2010). Between 2010 and 2011 the financial sector saw an 18.6% decrease in cases involving card compromise, yet the share attributed to merchants and corporations rose from 4.3% in 2010 to 12.9% in 2011.
  • Very often, the companies hit by these kinds of threats have no fraud detection tools and no communication policy for security incidents.
  • In 2011 several serious cases were widely reported in the press, including the PSN hack (see the May 2011 Insight), the Epsilon and RSA breaches (April 2011) and the Citi breach (see the June 2011 Insight): these incidents have heightened customer and cardholder concerns.
  • The ITRC recommends that a number of measures be implemented to limit these problems, for instance:
  • improved risk assessments (is storing the data relevant at all?),
  • improved authentication processes, including dropping simple identification in favour of two-factor authentication, and no longer using sensitive data (birthdates, SSNs, etc.) as authentication factors,
  • improved storage (is it required? for how long? in what form?) and the definition of appropriate data lifecycles (how paper and digital data should be destroyed).
  • Finally, the ITRC also recommends that the means of reporting breaches and incidents be harmonised from one State to another: according to the ITRC, the measures currently in place do not allow these incidents to be reported properly.
  • These recommendations reflect needs already expressed by the PCI Council on card data protection and storage. Regulators are now focusing on customer data protection: at the end of January the Federal Deposit Insurance Corporation released a guideline describing the part third-party processors are to play in handling card data and implementing best practices. This document updates the recommendations on strong authentication issued in June 2011 by the Federal Financial Institutions Examination Council.
  • According to Gartner, most financial institutions are now working towards ISO 27001 compliance; implementing PCI DSS could nonetheless be an asset for them.
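As an added example (not ITRC's, the PCI Council's or the page's own code), the storage and lifecycle points above turned into a small Python routine. It keeps only the fields a later refund or chargeback needs, drops the sensitive authentication data that PCI DSS forbids storing after authorisation (card verification code, track data, PIN block), masks the PAN to the first six and last four digits as PCI DSS requires, and writes an explicit purge date into the record so the "how long?" question is answered where the data lives. The 180-day retention period, the token key, the field names and the sample authorisation record are assumptions made for the example.

```python
"""Card-data storage minimisation with an explicit retention lifecycle.

Added example code; not from ITRC, the PCI Council or the original page.
"""
import hashlib
import hmac
import re
from datetime import datetime, timedelta

# Assumption: in production the token key lives in an HSM or secrets
# manager; it is hard-coded here only so the example runs offline.
TOKEN_KEY = b"example-key-do-not-use"

# PCI DSS "sensitive authentication data": never stored after authorisation,
# even encrypted. Field names are this example's own convention.
SENSITIVE_AUTH_FIELDS = ("cvv", "track1", "track2", "pin_block")

RETENTION_DAYS = 180  # assumed chargeback/refund window for this merchant

# Constructed sample authorisation request, as it might arrive from the POS.
SAMPLE_AUTH = {
    "pan": "4111 1111 1111 1111",
    "expiry": "12/14",
    "cvv": "123",
    "track2": "4111111111111111=14121010000000000000",
    "amount": "12.50",
    "auth_code": "A1B2C3",
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used only to tell a real PAN from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Show at most the first 6 and last 4 digits (PCI DSS masking rule)."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 13:
        raise ValueError("not a plausible PAN length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def tokenise_pan(pan: str) -> str:
    """Keyed hash standing in for a tokenisation service: records for the
    same card can be linked without storing the PAN. An unkeyed hash would
    be brute-forceable over the small space of valid PANs, hence the HMAC."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    return hmac.new(TOKEN_KEY, digits.encode(), hashlib.sha256).hexdigest()


def minimise_for_storage(auth_record: dict, authorised_at: str) -> dict:
    """Build the only record allowed to reach the database.

    authorised_at is an ISO-8601 timestamp with timezone offset.
    """
    when = datetime.fromisoformat(authorised_at)
    stored = {
        "pan_masked": mask_pan(auth_record["pan"]),
        "pan_token": tokenise_pan(auth_record["pan"]),
        "expiry": auth_record["expiry"],
        "amount": auth_record["amount"],
        "auth_code": auth_record["auth_code"],
        "authorised_at": when.isoformat(),
        # The lifecycle decision is recorded with the data, not left implicit.
        "purge_after": (when + timedelta(days=RETENTION_DAYS)).isoformat(),
    }
    return stored


def violations(stored: dict) -> list:
    """Audit a stored record: sensitive auth data present, or a full PAN
    hiding in any field (13-19 contiguous digits that pass Luhn)."""
    problems = [f for f in SENSITIVE_AUTH_FIELDS if f in stored]
    for key, value in stored.items():
        if key == "pan_token":
            continue  # hex digest, not card data
        for run in re.findall(r"\d{13,19}", str(value)):
            if luhn_ok(run):
                problems.append(f"{key} looks like a full PAN")
                break
    return problems


def is_purgeable(stored: dict, now: str) -> bool:
    """True once the record has passed its purge date (ISO-8601 'now')."""
    return datetime.fromisoformat(now) >= datetime.fromisoformat(stored["purge_after"])


if __name__ == "__main__":
    rec = minimise_for_storage(SAMPLE_AUTH, "2011-12-01T10:00:00+00:00")
    print(rec)
    print("violations:", violations(rec))
    print("purge on 2012-06-01:", is_purgeable(rec, "2012-06-01T00:00:00+00:00"))
```

The `violations` scan is the check worth running over an existing database before a PCI assessment: it catches full PANs that leaked into free-text or log fields, which is exactly the "storage relevance" problem the ITRC list starts with.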