Payment Card Security & IT Controls Explained

Entries from December 2007

How does Fraud and PCI go together?

December 17, 2007 · 1 Comment

An interesting phenomenon has occurred in the world of privacy data breaches, and specifically PCI DSS cardholder data breaches: fraud (acts committed intentionally by insiders, or thefts suspected of being fraud) has almost completely been forgotten. This is not to say that an organization's basic risk register does not consider fraud generally, but rather that a level of perception bias may have enveloped the world. This perception bias is a clear example of the complacency effect that arises in most risk managers' minds, and it is reinforced by the overwhelming number of successful hack attacks on organizations. For businesses this is an important risk that must be addressed prudently throughout the organization.

An excellent set of resources is available through the Association of Certified Fraud Examiners (ACFE), where there are numerous articles and guides addressing many kinds of threats to an organization. I raise this issue because I recently conducted a research effort that evaluated the threats to organizations, retailers specifically, and how the control environment should be appropriately tuned. A thorough analysis (using in part the excellent Privacy Rights ClearingHouse Data Breach Data) highlighted that although online attacks are more fruitful to attackers, there are nearly three times as many incidents under the fraud umbrella. The implications of this data are different for each organization, but they must be considered in each risk management effort. As part of a fraud strategy, organizations should give serious consideration to SAS 99. Below is a table from the research:

[Table image from the research: PCI_Breachdata (image not reproduced here)]

PCI DSS specifically requires controls that align with ACFE and AICPA fraud prevention practices. PCI DSS controls such as access authorization, separation of duties, and clearly defined job responsibilities all support the prevention of fraud in an organization.
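To make the link between these PCI DSS controls and fraud detection concrete, here is a small added illustration (my own example, not code from the post or from any PCI DSS tooling): a role-to-permission table stands in for access authorization, and a separation-of-duties rule flags any transaction where one person both initiated and approved a refund. The role names, permission strings, event fields and the audit-trail lines are all constructed assumptions for the example.

```python
"""Access-authorization and separation-of-duties (SoD) checks over a
constructed card-refund audit trail.

Added example: the roles, permissions, event fields and sample events
below are assumptions made for illustration, not the post's data.
"""
from dataclasses import dataclass
from collections import defaultdict

# Assumed job-function -> permitted actions map (access authorization).
# A small store may legitimately let a store manager do both refund
# steps; the SoD rule below still forbids doing both on the SAME transaction.
ROLE_PERMISSIONS = {
    "cashier": {"refund.initiate"},
    "supervisor": {"refund.approve"},
    "store_manager": {"refund.initiate", "refund.approve"},
    "analyst": {"chd.read_masked"},
    "dba": {"chd.read_full"},
}

# Pairs of actions that one person must never perform on the same transaction.
SOD_CONFLICTS = {("refund.initiate", "refund.approve")}


@dataclass(frozen=True)
class Event:
    user: str
    role: str
    action: str
    txn: str


def is_authorized(event: Event) -> bool:
    """Access authorization: is this action permitted for the actor's role?"""
    return event.action in ROLE_PERMISSIONS.get(event.role, set())


def find_violations(events):
    """Return findings as (kind, user, txn, detail) tuples.

    kind is "unauthorized" for an action outside the role's permissions and
    "sod" for a separation-of-duties conflict on a single transaction.
    """
    findings = []
    actors = defaultdict(dict)  # txn -> action -> set of users who did it
    for e in events:
        if not is_authorized(e):
            findings.append(("unauthorized", e.user, e.txn, e.action))
        # Record the action regardless of authorization so SoD is still checked.
        actors[e.txn].setdefault(e.action, set()).add(e.user)
    for txn, by_action in actors.items():
        for first, second in SOD_CONFLICTS:
            overlap = by_action.get(first, set()) & by_action.get(second, set())
            for user in sorted(overlap):
                findings.append(("sod", user, txn, f"{first}+{second}"))
    return findings


# Constructed sample audit trail (not real data).
SAMPLE_EVENTS = [
    Event("alice", "cashier", "refund.initiate", "T100"),
    Event("bob", "supervisor", "refund.approve", "T100"),       # clean two-person refund
    Event("dave", "analyst", "chd.read_full", "T102"),          # role lacks this permission
    Event("frank", "store_manager", "refund.initiate", "T103"),
    Event("frank", "store_manager", "refund.approve", "T103"),  # same person, both steps
]

if __name__ == "__main__":
    for finding in find_violations(SAMPLE_EVENTS):
        print(finding)
```

Both rules are deliberately simple so the point is visible: the authorization check catches the analyst reading full cardholder data, while the SoD check catches a manager who was individually authorized for each step but should not have done both on one refund. In practice the same two questions, "was this role allowed to do this?" and "did one person complete a transaction end to end?", are what an investigator asks first when reviewing logs for insider fraud.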

Over time I will expand this article, as I find more data and expand on what core controls of PCI are beneficial for preventing Fraud. There is also a richer breakdown on SAS 99 at IT Compliance and Controls for those interested.

I would be interested to hear examples where Fraud played a role in a data breach, and what areas of the PCI DSS standard were critical in the detection or mitigation of the fraud.

Best,

James DeLuccia IV

Categories: Compliance · IT Controls · PCI DSS · Payment Card Industry Data Security Standard · Risk Management · audit · auditing

PCI DSS Teleconference Debrief and Tips

December 7, 2007 · 1 Comment

On December 6th I presented on a teleconference with Prat Moghe from Tizor. Prat presented some new analysis on the source of data loss. He considered not only the source but also the intent and the volume of data breached per category. So as not to steal his thunder: there were surprising findings in the results when different lenses are applied to actual breaches.

The best part of the presentation is the Q&A session, which, when you listen to the archived version, you will find starting around 12 minutes into the slide deck. As you can tell with an hour-long teleconference, only a short bit of time is spent on introductions. I advise any retailer dealing with PCI DSS to listen to this teleconference.

Top points I want to highlight:

  • Business usage of data commands appropriate controls; the methods of satisfying these needs must be aligned with the company, and they are raised during the teleconference
  • The true threat is not internal versus external attackers, but simply who has access: applications, users, partners, etc.
  • Avoid complexity through segmentation and business functions that align with access rights
  • For more information on topics such as whether your encryption technologies are adequate, how you handle multiple users accessing systems, managing online interconnected systems, and more, please give a listen.

Link to the Teleconference Archive HERE (Registration required, gotta cover those costs)

As always, add comments or send feedback.

Best,

James DeLuccia IV

Categories: Compliance · PCI DSS · Payment Card Industry Data Security Standard · audit · conference