If you don’t secure your customer’s sensitive card data you will be hit with a fine of up to £300,000*.
If you lack data security and suffer a breach, you will have to reimburse customers.
If your customer’s card data is stolen, you may not be allowed to process card payments again, destroying your business.
If, after all this, your card data still isn’t secure, you will be forced to pay £15,000* per month.
If you enjoy running a successful business…you will want to think about protecting your data.
Call centres are easy targets for fraudsters because card data is seen and heard by your call centre staff and it can also be gleaned from call recordings. According to recent statistics, the black market for card data is a huge business – and it’s still growing. Card data is now more valuable than ever.
According to recent information¹, 97% of businesses retain sensitive card details on call recordings and only 3% of UK call centres comply with PCI Guidelines. This puts the financial details of millions at risk.
CardGuard from elitetele.com is the solution. CardGuard is the only way to securely accept card payments over the phone.
-the customer phones your call centre to make a payment
-the agent has the payment verification screen open in CardGuard mode
-the customer is asked to enter their card details into the telephone keypad
-CardGuard hides the card numbers on the payment screen so they cannot be seen
-CardGuard masks the DTMF² so the number tones cannot be heard
-with CardGuard in place, no card details are spoken
See no details. Hear no details. Speak no details.
-CardGuard is completely PCI Compliant
-CardGuard enables you to allow all of your call centre staff to take card payments over the phone, rather than a trusted few
-With CardGuard there is no need for additional staff training for the handling of sensitive data
-With CardGuard you have no need of a ‘clean room’ as the agent is never in possession of sensitive data
-You have no need to switch off or alter call recordings with CardGuard as no sensitive data is spoken
PCI DSS stands for Payment Card Industry Data Security Standard. At the end of 2004, Visa and MasterCard aligned to improve card security at an industry level and created the Payment Card Industry Data Security Standard, soon joined by other major brands such as American Express. Being ‘PCI Compliant’, as it is called, is mandatory and applies to all commercial operations that store, process or transmit cardholder data, both manually and electronically.
PCI DSS is a set of principles and requirements around which businesses need to base their data security to become PCI Compliant:
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Requirement 12: Maintain a policy that addresses information security
(PCI Security Standards Council (2006), About the PCI Data Security Standard (PCI DSS), Retrieved 14 September 2009 from www.pcisecuritystandards.org)
If your business accepts card payments then you must be PCI Compliant. This is where CardGuard from elitetele.com can help you.
The reputation of your company depends upon how customers perceive you. So if your business gains bad publicity for card data fraud, you could face a serious loss of business. Customers will not want to hand their sensitive data over to a company that has negligently lost card data in the past. So, to protect your brand, you need to protect your customers and to do that you need to be PCI Compliant. You need CardGuard.
Customers often have ‘card anxiety’ whilst paying by card over the phone, mostly due to negative press regarding card data fraud. If you make your customers aware that their card details are protected by CardGuard, they will be reassured.
As stated before, using CardGuard means that all of your agents can deal with card payments and without the need for a clean room too. Add this to still being able to use call recording and you really are on to a winner.
And once again let’s reiterate that with CardGuard you are PCI Compliant – which means no massive fines!
*RBS WorldPay – RBS WorldPay show a list of Fines on their PCI Compliance site which are imposed by the Card Providers
¹CallCentre.co.uk
²Dual Tone Multi Frequency
Please note the above websites are not in any way associated with Elitetele.com
A recent survey conducted by the National Fraud Authority and CPP has uncovered some disturbing statistics. The annual cost of fraud in the UK is around £30 billion – a staggering amount. Research shows that 5% of people in the UK commit false insurance claims. 26% of Brits have been the victim of card fraud and around 40% of victims have been subject to account takeover fraud. If we’re to see any improvement in these statistics then companies and customers alike need to be extra careful. For businesses that take credit card details, fraud is an especially big issue as companies can be fined massive amounts should sensitive data become compromised. Becoming PCI (Payment Card Industry) compliant can negate that risk and keep you from becoming a fraud statistic.
Eleven companies complying
Ten leased lines connecting
Nine calls re-routing
Eight video screens glowing
Seven call stats showing
Six IVRs saying
Five call record-ings!
Four mobile phones
Three NGNs
Two Swyx systems
And a way to queue my calls effect-ively!
The Payment Card Industry Data Security Standard (PCI DSS) was created to improve card security. PCI DSS is now mandatory for all companies that store, process or transmit cardholder data. Protect your customers this Christmas and make sure that you’re PCI Compliant!
As anyone with a computer knows, there is always a risk from viruses or hackers or some type of malware or other. Now it seems that there is a new scam afoot that we need to be vigilant for – cold calling by scammers. IT magazine Which? Computing has received reports that fraudsters claiming to work for internet service providers have been ringing people and making them think that their computer has a virus. The fraudster takes the victim through various steps meant to fix the virus and ends up with remote access to the computer. The computer is cleaned of anything of value and, in most cases, the customer is also asked for credit card details to pay for the repair service. To keep safe, here are two pieces of advice – do not, under any circumstances, keep sensitive card details on your computer. If you are a business, doing so could land you with a hefty fine as it goes against PCI-Compliance regulations. Also, if you are asked for your card details over the phone, the chances are that the person you are speaking to is a fraudster. Just say no.
Co-founder of social networking site Twitter Jack Dorsey has announced a new start-up named Square that enables customers to accept credit card payments via their smartphones. The start-up comes just as mobile providers are trying to shift people towards mobile financial services.
A small plastic square (hence the name) that inserts into the audio jack has the ability to scan a credit or debit card’s magnetic strip and users can then sign their name on the touchscreen. Like PayPal, the smartphone transmits the payment to the user’s online Square account which is tied to their bank account. So seeing as the new mandatory PCI (Payment Card Industry) requirements apply to any institution that accepts card payments, I wonder if this will affect Square? Hmm.
It seems that as quickly as security experts can throw up safeguards, hackers are finding ways around them. The latest scheme is by a group of phishers hoping to trick people’s card details out of them.
The scheme involves phishers emailing invites to people asking them to join the Verified by Visa online authentication scheme. The email links to a fake site which then requests all of the details you give when being issued a credit card – such as account number and mother’s maiden name. What’s worrying the security experts is the level of sophistication that the fake site denotes. So Verified by Visa fans – use with caution!
IDC recently performed a global survey in which only 15% of companies believed they could lose data to hackers – nearly 50% believed that instead, employee negligence would be to blame. Outward defences of company networks are generally well fortified; however, the internal defences rarely are, which can leave systems open to attack. And with new PCI (Payment Card Industry) regulations being brought into force, this overlooked problem could cause untold damage.
Veritape’s recent discovery that out of the 39% of call centres that knew about PCI (Payment Card Industry) Compliance only 3% actually wiped card data from call recordings is disturbing enough. More disturbing though are the facts and figures concerning lost card data. In 2008, 285 million card records were lost worldwide. Large companies such as TJX, Heartland Payment Systems and Card Systems have also suffered huge losses. PCI Compliance should be bigger news – yet it isn’t. Most companies still have no idea just how much at risk they are. And the best way to stop thieves getting your customer’s card data? Simply don’t store it. Easy. Now all we need is for call centres to wake up and smell the larceny.
According to a new survey carried out, only 39% of contact centre managers are actually aware of the PCI DSS (Payment Card Industry Data Security Standard) regulations regarding the storage of card data on call recordings. And out of those 39%, only 3% are compliant with the rules stating that card data must be removed from call recordings. Shocking news really, when you consider the fact that card fraud is a steadily rising crime. They obviously don’t have CardGuard then.
It’s being called the Facebook Face-off and employers can’t really win either way. The technology used to control access to certain sites – mainly social networking sites such as Facebook – has been effectively used to block workers from going on these sites. As well as saving on the bandwidth of business broadband, companies are also ensuring that sensitive data isn’t being leaked. Social networking sites could, for example, be used to leak customer card data quickly and easily. Now though, there has been a turnaround and people are beginning to say that social networking at work shouldn’t be blocked because it damages morale. Some people say that we should use technology to control what’s published or sent from these sites rather than blocking the whole site. I say, how about we go back to the days when work time and leisure time were separate and when you went to work you did…well, work. With huge fines for companies that are not PCI Compliant, it’s worth damaging the morale of a few in order to protect your company…don’t you think?
Recent studies by the Fraud Prevention service in the UK found that fraud rates have again increased this year, by 16%. Other data shows that 71% of companies are not taking PCI DSS (Payment Card Industry Data Security Standard) seriously – the set of standards designed to protect businesses and customers against card fraud.
In the news recently has been the story of Albert Gonzalez of Miami who organized a group of criminals to break into the wireless networks of major companies in order to steal card and identity data – he stole more than 40 million credit card numbers. Also in the news recently is the story of the new online ‘phishing’ attacks where customers are directed to a fake bank page and fake instant messaging windows connect them to the criminals.
Fraud rates are getting worse, not better and criminals are coming up with ever more creative ways to relieve you of your card data and your identity. So to find out that 71% of companies aren’t particularly worried about PCI Compliance is in itself a worrying fact. Because let’s face it – the customer is the one to suffer most, not the company. Let’s hope they wise up soon.