Posted January 14, 2015
You might have been too busy celebrating the start of 2015 to notice, but 1 January also marked a rather important date in the calendar when it comes to card data security. The long awaited Payment Card Industry Data Security Standard (PCI DSS) v3.0 finally came into full force, with a list of new requirements designed to make organisations more resilient to the kind of breaches that have become commonplace in 2014.
But while any steps designed to improve the security of firms which handle and store card data should be welcomed, PCI DSS doesn’t cover the whole picture. As we know all too well at ThreatMetrix®, account takeover fraud is also becoming a major problem but one which, disappointingly, is still under-addressed by many firms.
So what can organisations expect from version 3 of PCI DSS? Well, according to the PCI Security Standards Council (PCI SSC) more effort has been spent on trying to get firms on board with the often onerous task of compliance. The idea is that it should be viewed not as a tick box compliance affair, but a framework which can genuinely help make your business more secure.
Specifically, there are several new requirements designed to make it more relevant to the current payment security landscape. Broadly speaking, these are around:
The other side of the coin
That’s all good news for preventing breaches, but what about security breaches that occur at the individual account level? They may not generate the big headlines and negative publicity that retailers and the like fear, but if left unchecked they could also lead to an exodus of customers. The ThreatMetrix Cybercrime Report: Q4 2014 revealed that device spoofing is rife: 5% of the devices logging on to an online retail website to make a transaction are now trying to hide their identity.
Account log-in and account creation are now the highest-risk fraud types facing online businesses. Cybercriminals know that they have a better chance of success using the trusted credit cards attached to valid customer accounts than trying to re-use stolen cards, which have a limited shelf life. And netizens are making their job a whole lot easier by sharing passwords across accounts, many of which now require an email address in lieu of a user name.
Hopefully PCI DSS 3.0 will help online businesses fortify their systems against attack, but no database is 100% breach-proof against a determined enemy. Senior executives need to think more clearly about what happens to that stolen data downstream, and take ownership of the account fraud problem. After all, there are tools on the market that can help right now, but it’s also important not to add extra friction to the log-in or purchasing journey. That can end up putting off customers too.
ThreatMetrix products are powered by a Global Trust Intelligence Network which analyses 850 million transactions each month, using anonymised customer device, identity and behavioural data to decide who can be trusted. It’s completely transparent to the user, takes less than a second and costs less than a penny. So let’s start 2015 as we mean to go on and take the fight to the fraudsters.