November 14, 2017
PCI DSS Version 3 Comes to Town But What About Account Fraud?
Posted January 14, 2015
You might have been too busy celebrating the start of 2015 to notice, but 1 January also marked a rather important date in the calendar when it comes to card data security. The long awaited Payment Card Industry Data Security Standard (PCI DSS) v3.0 finally came into full force, with a list of new requirements designed to make organisations more resilient to the kind of breaches that have become commonplace in 2014.
But while any steps designed to improve the security of firms which handle and store card data should be welcomed, PCI DSS doesn’t cover the whole picture. As we know all too well at ThreatMetrix®, account takeover fraud is also becoming a major problem but one which, disappointingly, is still under-addressed by many firms.
So what can organisations expect from version 3 of PCI DSS? Well, according to the PCI Security Standards Council (PCI SSC) more effort has been spent on trying to get firms on board with the often onerous task of compliance. The idea is that it should be viewed not as a tick box compliance affair, but a framework which can genuinely help make your business more secure.
Specifically, there are several new requirements designed to make it more relevant to the current payment security landscape. Broadly speaking, these are around:
- Raising awareness and education amongst employees. More training on the dangers of clicking on malicious links, picking weak passwords or posting sensitive corporate information online could make a big difference to minimising the risk of breaches. That’s why there are new PCI DSS requirements around password education and training on POS security.
- Improving flexibility. No organisation is the same so PCI SSC has tried to allow some extra latitude for complying firms. One new requirement allows firms to implement password strength appropriate to their strategy and another offers more flexibility to prioritise log reviews according to their needs.
- Shared responsibility. Third parties are responsible for 63% of security issues which could be exploited by hackers, PCI SSC says. That’s why there is now guidance on outsourcing PCI DSS responsibilities, and a new compliance requirement for service providers.
The other side of the coin
That’s all good news for preventing breaches, but what about security breaches that occur at an individual account level? They may not generate the big headlines and negative publicity for retailers and the like, but if left unchecked could also lead to an exodus of customers. The ThreatMetrix Cybercrime Report: Q4 2014 revealed that device spoofing is rife: 5% of anything logging on to an online retail website to make a transaction is now trying to hide its identity.
Account log-in and account creation are now the highest risk fraud types facing online businesses. Cybercriminals know that they’ve a better chance of using trusted credit cards from valid customer accounts than to try and re-use stolen cards that have a limited shelf life. And netizens are making their job a whole lot easier by sharing passwords across accounts, many of which now require an email in lieu of a user name.
Hopefully PCI DSS 3.0 will help online businesses fortify their systems against attack, but no database is 100% breach proof against a determined enemy. Senior executives need to think more clearly about what happens to that stolen data downstream, and take ownership of the account fraud problem. After all, there are tools on the market that can help right now, but it’s also important not to add extra friction into the log-in or purchasing journey. That can end up putting off customers too.
ThreatMetrix products are powered by a Global Trust Intelligence Network which analyses 850 million transactions each month, using anonymous customer-based device, identity and behavioural data to decide who can be trusted. It’s completely transparent to the user and takes less than a second and costs less than a penny. So let’s start 2015 as we mean to go on and take the fight to the fraudsters.