Credit card data breaches are much in the news these days, with the recent problems at Home Depot following on the heels of the well-publicized debacle at Target earlier this year. Such breaches are just the most public examples of a larger security problem.
According to Javelin Strategy & Research’s 2014 Identity Fraud Report, more than 13.1 million consumers became victims of identity fraud in 2013, the second highest level of ID fraud ever on record. Additionally, more than 6.5% of smartphone owners and 7.7% of tablet owners were defrauded in 2013, reflecting both consumers’ growing reliance on mobile devices for card payments and criminals’ corresponding interest in compromising those devices.
So, what can financial institutions do to ensure that the cardholder data they are responsible for is adequately protected? In 2004 the major card brands (American Express, JCB International, Discover Financial Services, Visa and MasterCard) released the Payment Card Industry Data Security Standard (PCI DSS), and in 2006 they formed the PCI Security Standards Council to maintain it; each brand incorporates PCI DSS as the technical requirement of its own data security compliance program. The requirements include implementing strong access control measures, regularly monitoring and testing networks, and protecting cardholder data both in storage and in transit.
While the PCI DSS requirements are a start, there are a number of additional steps that financial institutions can take to make sure that their customers’ financial information is safe from wrong-doers. Here are four recommendations:
Know exactly where your business is taking place. Third-party merchants such as convenience stores and pharmacies are now contractually bound to a financial institution to process its customers’ card transactions, and that arrangement takes much of the control out of the bank’s hands. Rather than your banking colleagues handling your customers’ private information, the transaction is often left to a store clerk and whatever terminal and back-office systems the merchant runs. As a result, it is more critical than ever to know exactly how your customers’ information is being accessed and, more importantly, how it is being secured at each of those points. It’s not just your customers’ credit cards on the line, but your brand image that can be put at risk as well.
Protect data at rest, not just data in use. Many banks assume that if financial data isn’t being accessed, it is safe from unwanted eyes. Unfortunately, that is not the case. Financial information stored on a phone or a laptop is a major and often overlooked contributor to ID fraud. It doesn’t matter whether the device runs the latest mobile payments app or is only used to log into online banking: if it is lost or stolen, whoever holds it can read unencrypted data straight off its storage, even when the device was powered off at the time it was taken. The only way to avoid this is to encrypt data at rest. With full-disk or file encryption in place and the key protected by the user’s credentials, a stolen device yields nothing but ciphertext, and your customers’ financial information stays out of harm’s way. The caveat practitioners should keep in mind is that encryption at rest protects a device that is off or locked; once the user has unlocked it, the key is in memory and the data is exposed to any malware running on that device, so it complements rather than replaces endpoint controls.
Know the path of PII. Aside from data at rest, banks also need to be able to trace the path of personally identifiable information (PII) across their networks. Network traffic monitors, or “sniffers,” let an institution locate that data in flight and see exactly where each piece of information has been on its way to its endpoint. They can also tell you whether a given transmission was encrypted, so you can spot an exposure, such as cleartext card numbers crossing an internal segment, before an attacker ever reads the data. Some can also tell you which specific network devices are handling PII at any point in time. With that picture, your organization can make the appropriate security adjustments based on actual rather than assumed exposure.
Create and implement a mandatory, yet manageable, encryption policy. Banks need an encryption policy that is both mandatory and manageable. For example, one of the biggest pain points for end users and IT administrators is forgotten passwords. Once disk encryption is mandatory, a forgotten pre-boot password locks the user out of the machine entirely, and resetting those passwords across many machines and applications can waste a significant amount of time and money for your organization.
One can make this more manageable by implementing a pre-boot network authentication solution, which lets IT managers reset users’ passwords and apply Active Directory role assignments without visiting each machine and without users working through complicated challenge-response recovery sequences. Banks are also constantly adjusting their security standards, so those adjustments must be easy to control centrally. The policy should require encryption with 128-bit keys or stronger (AES-128 or AES-256 in practice) and go through multiple rounds of testing before it is ever enforced.
You should also conduct consistent, ongoing audits of a sample of systems post-deployment to confirm that the highest level of data security and the most up-to-date encryption policies are actually being enforced, rather than assuming that what was pushed out is what is running.
No financial institution wants to deal with the reputational damage that a data breach can bring. When confidential information is lost or stolen, customers want assurance that their private financial information is still well out of harm’s way thanks to the vigilance of their trusted bank.
Mr. Hickman is chief operating officer for Mississauga, Ontario-based WinMagic Inc. He can be reached at firstname.lastname@example.org.