SIR – APACS (the Association of Payment Clearing Services) has just launched its initiative to raise awareness of the increase in fraudulent financial activities and help safeguard UK businesses and consumers by providing salient security advice.

This desire to provide UK plc with the tools to secure itself is unveiled alongside the release of new statistics that show a 5% year-on-year increase in Card Not Present fraud, a relatively low statistic when compared with the 29% rise shown between 2004 and 2005.

APACS also highlights a rise in ‘phishing incidents’ (in other words, fake e-mails leading people to fake web sites where they are asked to input their private financial data). By early 2006, this had led to online banking fraud losses of £22.5 million (a year-on-year increase of approximately 55%).

Today, more than 16 million people make banking transactions online, all of them providing personal financial and confidential data via their PC or laptop. APACS should be applauded for its awareness campaign, but we must not forget the responsibility that rests with businesses and financial institutions to ensure that data provided is being securely communicated and stored.

The Payment Card Industry (PCI) Security Data Standard is a comprehensive security standard that establishes common processes and precautions for handling, processing, storing and transmitting credit card data. Merchants and organisations storing such data are now required to comply with this standard, thereby increasing consumer confidence in shopping online.

In September last year, a group of five leading payment brands (including American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International) jointly announced the formation of the PCI Security Standards Council, an independent body established to manage the ongoing evolution of the PCI Standard. Concurrent with that announcement, the Council released Version 1.1 of the PCI Standard. It outlines a set of security Best Practices and provides organisations with a framework to build and maintain a secure network.

Firewalls are required on all compliant networks, along with formal configuration standards and change processes to ensure that no vendor-supplied default values, service activations or administrative passwords are retained in the production environment.

Best Practice 2.2 concerns the protection of cardholder data. Customer account data should only be stored when absolutely necessary, and as defined by a formal data retention and disposal policy. The storage environment must be protected by firewalls, strong authentication, session encryption and other measures. Transmitted data must always be encrypted.

Maintaining a vulnerability management program is the subject of Best Practice 3.3. Up-to-date anti-virus software should be used, and all systems and software must be kept current with vendor-supplied security patches. In addition to this, industry Best Practice has to be employed to develop and maintain secure systems and applications.

Best Practice 4.4 is on the implementation of strong access control measures. Access to customer data has to be restricted to those with a business ‘need to know’. Unique IDs must be assigned to all computer users, while physical access to customer data ought to be restricted both by policy and active controls.

The regular monitoring and testing of networks is the subject of Best Practice 5.5. All access to the network and customer data must be monitored and recorded. Network security has to be tested regularly to identify and then resolve any vulnerabilities.

Best Practice 6.6 is all about maintaining an information security policy. Companies have to develop and publish a security policy that addresses all aspects of the PCI Standard. Also, contractual obligations must be put in place to protect customer data accessed by third party business partners.

Amer Deeba, Chief Marketing Officer, Qualys