Entries categorized as ‘audit’
Proper business practices are a necessity in any business, and when dealing with other people’s money they are paramount. The FTC has again fined a business for not doing proper due diligence on new accounts within its operations. ChoicePoint, now wholly owned by Lexis-Nexis, was previously found guilty of such practices in its infamous “breach”, where an account was set up and used to pilfer 100,000s of account records.
The latest fine is against a payment provider that did not properly follow its own guidelines for onboarding new merchants. The result was more than $2.38 million in fraudulent charges against consumers. The business has been ordered by a federal court to pay $1,779,000 in consumer redress and to end the illegal practices.
“…the payment processor did not follow its own guidelines for new merchants and did not check addresses, phone numbers, or references the bogus merchant provided. The FTC alleged that the defendants anticipated that the scam would generate high return rates, that they did not request or obtain proof that consumers had authorized debits to their accounts, and that they continued to process charges even after receiving complaints from consumers and banks and unacceptable explanations about unauthorized debits from the merchant. The complaint alleged that more than 70 percent of the merchant’s transactions were returned or refused by the consumers’ banks.”
What is interesting is what type of risk management practices existed in the business to let this go on for so long, and what audit efforts were conducted that failed to catch these deficiencies in existing controls.
Guidelines and proper business practices are NOT check boxes for the sole purpose of checking them; they are to be adhered to in a manner that ensures the operational integrity of the business and the fidelity of its operations.
A great article on the power of “checklists” is available here at the New Yorker.
Best regards,
James DeLuccia IV
Categories: Compliance · IT Controls · Institute of Internal Auditors · audit · fraud · information security
Tagged: best practices, fines, fraud, ftc, merchant, payment processor, PCI DSS, sas 70
Discover has updated their validation requirements to be more explicit today. The press release states:
“DISC is Discover Network’s compliance management program and was designed to support the requirements outlined in the PCI DSS. The PCI DSS is an industry security requirement for safeguarding payment cardholder data. It was developed to facilitate the broad adoption of consistent data security measures on a global basis to assist in the prevention of cardholder data compromises in the card payments industry. PCI DSS compliance is required of any organization that stores, processes or transmits payment cardholder data.
Discover’s merchant level framework enhancement helps bring network merchant categorization into closer alignment and each merchant level will have its own associated validation and reporting requirements. The merchant level framework is comprised of four levels:
Level 1 – all merchants processing more than 6 million Discover Network transactions per year; any merchant that Discover Network determines should meet level 1 compliance and reporting requirements; all merchants required by another payments network to validate and report as a level 1 merchant
Level 2 – all merchants processing 1 million to 6 million Discover Network transactions per year; all merchants required by another payments network to report compliance as a level 2 merchant
Level 3 – all merchants processing 20,000 to 1 million Discover Network card-not-present only transactions per year; all merchants required by another payments network to report as a level 3 merchant
Level 4 – all other merchants.”
Check out the Discover Validation Requirements here.
The site is dynamic JavaScript, so there are no direct links, but if you select Merchant / Service Provider / Acquirer and choose the link highlighted in the screenshot below you will see the validation definitions and requirements:

Overall a nice layout, in line with the other card brands, and a pleasant interface for research.
Kind Regards,
James DeLuccia IV
Categories: audit
Tagged: Compliance, PCI DSS, Security, Validation
This week I sat through undoubtedly the best education I have had on the payment industry and specifically PCI DSS. The training was provided by the Aegenis group for the Society of Payment Security Professionals, whose members include noteworthies such as Michael Dahn of PCI Answers.com and Chris Mark. The training was three very full days and covered their two subject areas: the Auditor and Manager portions. There is a fourth day made up of just under 5 hours of testing, so not really a day of learning but of demonstration.
To provide some context, I need to highlight that I have attended the Visa QSA training, ETA training sessions, RSA VISA conference hall sessions, and third-party PCI training, and have even delivered PCI training. The attendees were a diverse group that included QSAs, Acquirers, Issuers, ISOs, Merchants, and a variety of others. The group made the breaks tremendously valuable and really added to the course. Despite a very full room and three solid days of material, I was very pleased with the material, presentation, and experience.
A bit of detail for those that deal with payment card information and would like to minimize their risks and maximize their operating budgets:
Auditor section (CPISA)
- The training is broken out for technical and manager / operators
- The auditor portion was very technical, but not in the biased security way that some courses provide
- The auditor section provides great detail on what should be in place and how to ensure compliance with the payment industry’s concerns (not solely those of PCI DSS)
- The auditor certification exam was moderately difficult for me, but less than others given my experience. Of course, this is all just optimism given the results take several weeks to be calculated!
Manager section (CPISM)
- This section was tremendously valuable – focused on the macro effect of having sensitive data and what strategically needs to be done
- That isn’t to say this was fluff – there was a constant flow of practical details from current challenges
- There was plenty of detail around the contributing regulations (a personal passion of mine) that impact PII and these businesses
I can’t say too much, given that I signed a privacy and confidentiality agreement, but the bottom line is simple. If your business stores, processes, or transmits credit cards, OR your business makes sure companies do not have security concerns for those systems, you must take this training. The certification exams are extremely tough, the material is based on thousands of pages, and the days of training are the primer for your further education. Those who showed up to this training without preparation weren’t able to dive into the deep problems.
Enough of the payment industry for me this week. For a bit of variety, check out this new breach involving ‘entities’ trying to hack into the candidates’ systems looking for a leg up on policy.
Fresh from Dallas,
James DeLuccia IV
Categories: PCI DSS · audit
September 11, 2008
On September 10th I spoke at the CSO Conference on the PCI DSS with an impressive group of speakers and representatives from across the industry, including Chris Mark and numerous CIOs. The discussions focused on the current state of the union within the Payment Transaction vertical. There was plenty of focus on the usage of ERM and the quantification of risk through trending of individual business experience, as well as the transition of risk ownership to executives within an organization.
In attendance there was a wide range of executives, but the primary population came from the financial industry and was mainly CIOs. The topics of the conference included “The State of PCI DSS”, Business Process First, Time Inc.’s “Time Goes Global with Compliance”, Best Practices from the PCI Knowledge Base, and of course a panel discussion. Attendees and friends of CSO Magazine can see the archived presentations (some were VERY rich, more so than is commonly provided) starting today. While it is impossible to break down the great sessions and extensive discussions that I experienced, I do want to highlight a few points that stuck with me.
- Future of PCI DSS: PCI DSS is evolving into a risk-based approach. The attending experts predicted that the Council will transform to a pure risk-based approach to adhere to global practice.
- RISK Ownership: Success of PCI and compliance engagements partly depends on the ownership and visibility of the benefits of achieving PCI compliance. This was achieved uniquely by several organizations, but the most common was distribution of risk ownership.
- Conflicts of Interest: Separation of Duties – enforcing a mechanism to eliminate the conflicts of interest that exist between assessment, implementation, and attestation. Specifically, companies must put in place a framework (leverage your Internal Audit groups) to restrict individual parties from conducting all three phases.
- Crosswalk / Regulation Alignment / Shared Documentation: It is ideal to leverage the documentation across different compliance efforts – for example BITS. Usage of these must address the amount of overlap that actually exists (i.e., is the overlap sufficient to warrant the work to have a positive return), and whether the scope of controls is equivalent between the two approaches. Specifically, each standard is focused on its own risks (PCI on Card Holder Data; BITS on Financial data), and therefore only addresses those risks. Organizations have numerous risks, and therefore must manage these risks appropriately with each individual set of standards. Organizations should consider bringing together the documentation efforts, and the degree of efficiency that can be achieved through simplifying the controls by limiting the variety of similar control types.
Action: Take a look at how you’re managing your PCI and other compliance initiatives. Do you have the responsibility? Should you own all of it? Don’t reinvent the wheel – leverage your Risk Management / Internal Audit teams; all the documentation, tools, and charters are there for you to use.
A great seminar where extensive discussions were enabled through the format and quality of the attendees. I paid for this trip to NYC out of my own personal pocket, and found the value to be well worth it.
If readers have specific requests about the presentations (here is the conference agenda), please post them and I will answer them as fully as possible.
Best,
James DeLuccia IV
Categories: Compliance · IT Controls · PCI DSS · Payment Card Industry Data Security Standard · audit