There is little doubt that an Account Data Compromise (ADC) would be detrimental to the operational effectiveness of any business. To organised criminal groups, however, it is an easy way to generate funds. In the 21st century it can be easier for a criminal gang to commit cyber crime, such as raiding the credit card details held on a poorly maintained website, than to raid a high street bank.
The favoured method of website hackers is to exploit poorly written and unsecured websites and then locate the credit card information held within them. By focusing on weaker websites in this way, and by keeping the resulting card fraud low enough not to attract attention, many hackers simply take the 'low hanging fruit' and go unnoticed until it is too late.
Hackers often exploit the same common vulnerability across many different hosts. An authentication weakness in a popular shopping cart, for example, lets a hacker simply trawl the Internet for websites that use that shopping cart, exploit each one and collect the reward. No organisation wants to fall victim to cyber crime, so in order to protect itself against a potential information security breach it should take certain steps to reduce its susceptibility to the most common types of breach.
Unlawful access to a system used by a merchant is, on the whole, an offence under section 1 of the Computer Misuse Act 1990, and in the real world the theft of cardholder data is more than likely to be accompanied by the theft of PII (Personally Identifiable Information). Once a data breach has occurred, therefore, it can easily escalate from an exercise in which the card brands request the list of compromised card numbers to one in which the local law enforcement agency mounts a personal data loss investigation.
Cardholder data breaches that result from cyber crime are increasingly raising interest within the various law enforcement and data protection agencies around the EU. Although each member state currently takes a different view on how to deal with the consequences of cyber crime, growing public awareness of the issue could see law enforcement take a heavier, more legally based role in the near future.
Protecting Your Organisation
There are no hard and fast rules that will guarantee your website is safe and secure from the persistent threat of cyber crime. However, there are some actions that organisations can take to help avoid large fines for the misuse and loss of cardholder data. Below are 10 helpful tips for organisations seeking to become more proactive:
1. Get PCI DSS compliant. Look at your merchant agreement with your acquirer; it will state that you need to be PCI DSS compliant;
2. Plan, Plan, Plan - you don't know when the event might happen but an incident response plan and regular testing of this plan will pay dividends in the event of a breach;
3. Suppliers - know who your suppliers are and what cardholder data they may or may not be processing on your behalf. They will need to be PCI DSS compliant themselves and could easily be the weak point in your protection of cardholder data;
4. PFI Company - if there is a breach, a PCI Forensic Investigator (PFI) may be turning up at your door asking questions that you might not immediately know the answer to. Pre-appointing a PFI and talking to them about what happens in a breach will iron out potential problems before they arise;
5. PR Response - should the worst happen and your business's reputation is on the line, have a pre-planned public response; a response prepared beforehand is far better than one drafted in the heat of the moment;
6. Policy - one of the easiest ways to mitigate the risk that a breach represents is to ensure that policies and procedures are robust enough to reduce the chance of a cardholder breach and also have the flexibility to respond if a breach occurs;
7. Data Protection - the legal and compliance authorities are becoming more interested in ensuring that the cardholder data merchants process, and the personal information they obtain, stays within the merchant's control and does not get into the hands of hackers. Whilst the card brands can fine an organisation for the misuse and/or loss of cardholder data, the data protection authorities have powers of their own and can also stop a merchant processing cardholder data;
8. Acquisition of evidence - should an external party be required to investigate a breach, a lot of time, energy and effort can be saved by allowing that party to acquire the data itself. The more the data is tampered with before a forensic investigation is carried out (for example by rebuilding, patching or powering down the affected systems before images have been taken), the less can be established about what actually happened;
9. Check your liabilities - ensure that you have the correct contracts in place; a third party may have provided you with a 'managed' firewall, but what does that actually mean? You may only find out once a hacker has already taken your customers' cardholder information away;
10. Don't Panic - if the worst should happen, act with a clear head and don't make rushed decisions that could affect the outcome at a later stage.