Although the use of the Internet to buy and sell online has introduced a slew of security concerns within the payment services industry, Visa USA president and CEO John Philip Coghlan insists that technology is the solution to combating fraud -- not the cause of it. Coghlan also pointed out during Visa's security summit in Washington, D.C., Thursday that data breaches are neither random nor inevitable if proper security measures are taken.
The TJX data breach "was a stark reminder to all of us that such events can have vast reach and consequences," Coghlan said. Such breaches create mistrust and can undermine efforts make to build a good brand image. But, he made clear, "the majority of compromises come from storage of prohibited data and using vulnerable systems to process data."
TJX, the parent company of retailers T.J. Maxx, Marshalls, HomeGoods, and others, made headlines in February when it revealed an attack on its systems had resulted in the theft of customer information. Just as the headlines were threatening to die down, TJX announced a few weeks later that intrusions into its system actually began as early as July 2005, rather than beginning in May 2006 as the company had originally reported.
While the exact nature of the TJX data breach has not yet been revealed, in general, financial information is stolen in a number of ways, including the physical theft of a wallet, checkbook, or credit card; theft of information from one's home from friends, relatives, or in-home employees; phishing messages that trick people into divulging information to fraudsters; hacks, viruses, and spyware on a PC or ATM machine; and a corrupt business employee with access to your records.
But data theft is not random. Instead, it's perpetrated against businesses with the weakest security and the most valuable information, Coughlin said Thursday, adding, "More than 80% of all dollars lost come from 20% of fraudulent transactions."
Visa posits the Payment Card Industry data security standard that it created with MasterCard and emerging dynamic data protection technologies as a solid way for companies to avoid becoming a target of data theft. PCI standards require banks and merchants to build and maintain secure networks that include firewalls and don't use vendor-supplied defaults for system passwords and other security parameters. Also required is the encryption of cardholder data and sensitive information that travels across open public networks like the Internet. Updated antivirus software is a must, as is the tracking and monitoring of all access to network resources and cardholder data.
In the past year, compliance to the PCI data security standards has doubled from less than 15% to about one-third among Level 1 merchants, those that process more than 6 million transactions annually, Coghlan said. Obviously, that leaves a lot of large merchants non-compliant. To correct this, Visa in December announced it would this year hand out more than $20 million in incentives to merchants to encourage them to become PCI compliant. Part of this comes from charging merchants lower interchange fees for doing business with Visa. Coghlan said Visa would offer its lowest fees to merchants that validate PCI compliance by Sept. 30, 2007, a savings that can vary from $250,000 to $20 million annually, depending upon the volume of business the merchant does with Visa.
Level 1 merchants are the only ones required to have an annual on-site PCI security audit. In addition to measuring this designation by transaction volume, Visa also can designate a merchant as Level 1 if that merchant has suffered a data breach that resulted in account data being compromised, if a competing payment card brand identifies that merchant as a Level 1, or if Visa determines that merchant should meet Level 1 standards to minimize risk to the Visa system as a whole.
Department store chain Nordstrom, a Level 1 merchant, in 2005 increased its security efforts as Visa began emphasizing compliance with its PCI rules. "We didn't have a cohesive strategy to pull security together," Nordstrom executive VP Daniel Little said Thursday at Visa's security summit. That's not to say Little agrees with all aspects of PCI. He'd like to see Visa, MasterCard, and the other card companies directing the PCI standards to improve guidance for how companies should rank risks to their data. "That would help us identity the highest priority issues," he said.
Overall, Nordstrom finds most of the PCI standards valuable and have embraced them. In fact, Little and his team conduct weekly meetings related to PCI compliance, and he provides quarterly reports to the company's board. "Information security and privacy are in the top five of our risks," he added.
The consensus at Visa's security summit is that PCI compliance greatly reduces the likelihood that a company's customer data will be compromised. "I've never seen an organization that's compliant with PCI that was at risk for a breach," says Bryan Sartin, VP of investigative response for security service provider Cybertrust.
In addition to the security blocking and tackling that PCI advocates, Visa and other payment providers are beginning to use emerging technologies to improve customer data integrity. While many people are wary of using the Internet to do their banking or shopping, "only by using the Internet can you get rid of the papers that meth addicts like to pull from your trash," James Van Dyke, founder and president of Javelin Strategy & Research, said Thursday. In fact, according to Javelin research, only 2% of those who steal identity information do so over the Internet. It's much more likely that the theft will be committed through more traditional means by someone the victim knows.
One promising approach is the use of dynamic card verification values, or CVVs, which are three- or four-digit codes both on a card and stored in a card's magnetic strip used to verify the card's authenticity. With a dynamic CVV, each user account is assigned a code. Each transaction performed by that user account is assigned a code as well, but it's a different code with each transaction. If a thief captures user account and CVV information used for a particular transaction and tries to use this information to commit a fraudulent transaction, not only will Visa's network flag this re-use, it also can pinpoint where the first use occurred and identify where the breach occurred.
Visa's looking to pilot the use of dynamic card user information swipe-based card purchases, but has not set a schedule to do this. Let's hope the people searching for new and creative ways of stealing customer data don't figure out how to beat this new technology before it debuts.