Sunday 10 October 2010

Love it or Hate it, PCI DSS helps cut UK Card Fraud

UK card fraud is falling significantly: according to UK Cards Association statistics, card fraud losses were down 20% to £187m for the first half of 2010.

In my opinion there are several reasons why card fraud in the UK has been dropping:

1. Chip & Pin
Chip & Pin, known as EMV in the payments industry, has been highly successful in cutting "cardholder present" fraud (face-to-face debit and credit card transactions) since its adoption in the UK in 2005. Chip & Pin has forced card fraudsters to use stolen UK card details in other ways, typically in online payments, or by cloning UK cards onto counterfeit plastic for use in countries where Chip & Pin has not been mandated. Since 2005, however, more and more countries have observed the success of Chip & Pin in the UK and have adopted the same approach, which in turn is helping to reduce UK card fraud, simply because the number of places where a transaction can bypass the chip is shrinking.

It has always been my strong view that the US market should take stock of these clear benefits and mandate Chip & Pin across North America. Aside from the security benefit of two-factor authentication (the card you have plus the PIN you know), it could finally lead to the removal of the biggest security weakness in our plastic: the black magnetic stripe on the back. The magnetic stripe has been around for 40 years and is not only outdated technology, it seriously compromises the security of every debit and credit card. The stripe holds the full card details in plain text, which makes it very easy for the bad guys to steal card details in seconds simply by swiping the card through a £3 magnetic stripe reader; this is what makes card skimming at cash points, or within compromised retail card readers, possible. That same black stripe also makes it easy to create counterfeit cards, especially in comparison to the chip, which is very difficult to counterfeit. Unlike the magnetic stripe, the chip on our plastic is a constantly evolving technology, so it should keep a step ahead of the card fraudsters; not that card fraudsters have ever really managed to crack a card chip yet. Why would they even bother at the moment, when they can take advantage of the mag stripe weakness instead?
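To make the "plain text" point concrete, here is an added example (my own illustration, not code from the original post or from any card scheme): a parser for the ISO/IEC 7813 Track 2 data a magnetic stripe reader returns. It pulls out the PAN, expiry and service code, runs the Luhn check a skimmer's software would run, and decodes the service code, whose first digit is what tells a terminal that a chip is present and should be used. The track string is constructed for the example and uses the well-known Luhn-valid test number 4111111111111111, not a real card.

```python
# Added example, not from the original post: parse ISO/IEC 7813 Track 2 data
# as returned by a magnetic stripe reader, to show that PAN, expiry and
# service code sit on the stripe as plain text. SAMPLE_TRACK2 is constructed;
# the PAN is the public test number 4111111111111111, not a real card.
import re
from dataclasses import dataclass

# ;PAN=YYMM SSS discretionary?   (start sentinel, separator, end sentinel)
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?$"
)

# Service code meanings per ISO/IEC 7813. A first digit of 2 or 6 tells the
# terminal an IC (chip) is present and should be used where feasible.
INTERCHANGE = {
    "1": "international interchange",
    "2": "international interchange, chip present (use chip where feasible)",
    "5": "national interchange only",
    "6": "national interchange only, chip present (use chip where feasible)",
    "7": "no interchange except under bilateral agreement",
    "9": "test",
}
AUTHORISATION = {
    "0": "normal authorisation",
    "2": "online authorisation by issuer",
    "4": "online authorisation by issuer, except under bilateral agreement",
}
SERVICES = {
    "0": "no restrictions, PIN required",
    "1": "no restrictions",
    "2": "goods and services only",
    "3": "ATM only, PIN required",
    "4": "cash only",
    "5": "goods and services only, PIN required",
    "6": "no restrictions, PIN where feasible",
    "7": "goods and services only, PIN where feasible",
}


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation, the same test any skimmer's software runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Track2:
    pan: str
    expiry_year: int
    expiry_month: int
    service_code: str
    discretionary: str
    luhn_valid: bool

    def describe_service_code(self) -> str:
        d1, d2, d3 = self.service_code
        return "; ".join([INTERCHANGE.get(d1, "unknown"),
                          AUTHORISATION.get(d2, "unknown"),
                          SERVICES.get(d3, "unknown")])

    def chip_expected(self) -> bool:
        """True when the service code says a chip is on the card."""
        return self.service_code[0] in ("2", "6")


def parse_track2(raw: str) -> Track2:
    m = TRACK2_RE.match(raw.strip())
    if not m:
        raise ValueError("not a well-formed Track 2 string")
    exp = m.group("exp")       # YYMM
    return Track2(pan=m.group("pan"),
                  expiry_year=2000 + int(exp[:2]),
                  expiry_month=int(exp[2:]),
                  service_code=m.group("svc"),
                  discretionary=m.group("disc"),
                  luhn_valid=luhn_ok(m.group("pan")))


def masked(pan: str) -> str:
    """Display form PCI DSS permits: at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


SAMPLE_TRACK2 = ";4111111111111111=13122011234567890?"  # constructed sample

if __name__ == "__main__":
    t = parse_track2(SAMPLE_TRACK2)
    print(masked(t.pan), f"{t.expiry_month:02d}/{t.expiry_year}", t.service_code)
    print(t.describe_service_code())
    print("chip card:", t.chip_expected(), "luhn valid:", t.luhn_valid)
```

Note that nothing in this parse needs a key or a secret: a Track 2 read is the card's identity in the clear, which is exactly why a cloned stripe on blank plastic works anywhere the chip can be bypassed.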

2. Anti-Fraud Systems
The increased anti-fraud measures introduced by the card brands, such as Visa and MasterCard, and within the banks are also having an effect in cutting card fraud. Schemes such as Verified by Visa and MasterCard SecureCode, known as 3D Secure in the payments industry, together with improved fraud detection systems operating behind the scenes in the banks, are playing a part in cutting "cardholder not present" fraud. These are typically e-commerce and telephone transactions, where the merchant cannot be certain the person paying actually has the card in their possession rather than just the card details, which may of course not be their own.

3. Public Awareness
Public fraud and security awareness is improving; the UK public is becoming more security savvy when using its plastic, especially online, and so is less likely to fall victim to fraud techniques such as phishing scams. I think the public is becoming better informed because people are learning the hard way after being hit by fraud, rather than through any general security awareness effort.

4. Law Enforcement
Law enforcement is improving; more card fraudsters and hackers are actually being caught by the authorities. Although UK cyber enforcement is still very weak in my view, it is clear that international card fraud law enforcement, led by the US, is improving, with many high-profile card fraudsters arrested during the last 12 months. Many of the top card fraudsters based outside the UK run worldwide operations and often branch out into the UK market.

Finally, and this is my main point, I think the adoption of PCI DSS is also playing a positive part. Many large-scale credit card data breaches in the UK have occurred through security neglect by UK merchants. The vast majority of UK card breaches are never disclosed to the general public, because it is in the interest of neither MasterCard or Visa nor the breached merchant to do so, and there is no UK law requiring companies to publicly disclose such data breaches.
However, PCI DSS is helping medium and large UK merchants to secure themselves against card breaches. Even where UK merchants are not yet fully compliant with PCI DSS, there has still been a vast improvement in overall merchant IT security; before PCI DSS most merchants did little to secure the cardholder data in their care. As I have said on many occasions, there are no known cases of a PCI DSS compliant merchant or payment processor being breached. Some folk believe Heartland was compliant at the time of its breach, which is untrue. One of the world's most prolific card fraudsters, Albert Gonzalez, who incidentally is now behind bars, admitted to compromising Heartland and stealing card data from it during its PCI assessment, by exploiting a SQL injection vulnerability. The bottom line is that you simply cannot have a SQL injection vulnerability in your cardholder data environment and be PCI DSS compliant: Requirement 6.5 explicitly names injection flaws, SQL injection included, as something custom application code must be developed and tested to prevent.
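To show what that kind of flaw actually looks like in a cardholder environment, here is an added example of my own (not code from the original post, and nothing to do with Heartland's systems): a web shop's order-status lookup written with string concatenation, beside the parameterised version that closes the hole. It runs against an in-memory SQLite database with constructed sample rows; the PANs are public test numbers, the table and column names are my own, and the payload is the standard UNION technique for reading a table the query was never meant to touch.

```python
# Added example, not from the original post: an order-lookup query with the
# SQL injection flaw described above, next to the parameterised fix. The
# in-memory database, table names and rows are constructed for illustration;
# the PANs are the public test numbers 4111111111111111 and 5555555555554444.
import sqlite3


def build_db() -> sqlite3.Connection:
    """Create a tiny shop database: a public orders table and a separate
    cardholder table that the order-status page should never expose."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE orders (ref TEXT, amount TEXT);
        CREATE TABLE cardholder (pan TEXT, expiry TEXT);
        INSERT INTO orders VALUES ('A1001', '49.99'), ('A1002', '120.00');
        INSERT INTO cardholder VALUES ('4111111111111111', '1312'),
                                      ('5555555555554444', '0614');
    """)
    return conn


def lookup_order_vulnerable(conn: sqlite3.Connection, ref: str):
    # The customer-supplied value is pasted straight into the SQL text, so a
    # quote character in it changes the structure of the statement.
    sql = "SELECT ref, amount FROM orders WHERE ref = '" + ref + "'"
    return conn.execute(sql).fetchall()


def lookup_order_safe(conn: sqlite3.Connection, ref: str):
    # A bound parameter is sent to the engine separately from the statement
    # text; whatever it contains is only ever compared as a value.
    return conn.execute(
        "SELECT ref, amount FROM orders WHERE ref = ?", (ref,)
    ).fetchall()


# Typical order-status-page payload: close the string, UNION in a read of a
# different table with the same column count, comment out the trailing quote.
PAYLOAD = "' UNION SELECT pan, expiry FROM cardholder --"

if __name__ == "__main__":
    conn = build_db()
    print("legitimate lookup:     ", lookup_order_safe(conn, "A1001"))
    print("vulnerable + payload:  ", lookup_order_vulnerable(conn, PAYLOAD))
    print("parameterised + payload", lookup_order_safe(conn, PAYLOAD))
```

Run it and the vulnerable function hands back both full PANs from a query that only named the orders table, while the parameterised function returns nothing for the same input because the payload is just a non-existent order reference to it. In a real cardholder environment the second line of defence is not to have a readable PAN in the table at all (stored truncated, tokenised or encrypted), which limits what a missed injection point can yield.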

To conclude, PCI DSS and the many other security measures appear to be making a serious impact on UK credit card fraud. However, it is dangerous to rest on our laurels, as security is a continual game of cat and mouse; I know the bad guys are already becoming even more sophisticated in how they attack and steal credit card details. In addition, fewer card compromises will probably increase the value of credit card data on the black market, which in turn will fuel the demand and desire to steal card details all over again. Where there is a will, there is always a way.

Today's low-hanging fruit for UK card fraudsters is generally the smaller merchants, who perhaps take card details in their hundreds or low thousands, typically businesses such as hotels and small online shops. They often neglect basic security practices and are either unaware of, or do not fully understand, their PCI DSS obligations, turning them into easy pickings for card fraudsters frustrated in trying to compromise the bigger merchants. Having said that, not all large UK merchants are PCI DSS compliant, or as secure as you, or indeed they, may think.