Protecting consumer data with a fraud and risk assessment policy

Protecting consumer data with a fraud and risk assessment policy

What should be the fraud and risk assessment policy at consumer banking cards' sales end?

    Requires Free Membership to View

    Login

    SearchSecurity.co.UK members gain immediate and unlimited access to breaking UK industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.co.UK today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.co.uk you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.co.uk is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

Fraud mitigation and risk assessment are different things. I am interpreting this question to ask about policies that retailers and other merchants should be implementing relative to consumer banking cards. Many of the requirements for protecting cardholder information are specified in the Payment Card Industry Data Security Standard, commonly known as PCI DSS.

PCI DSS specifies 12 different requirements to secure cardholder data and requires a qualified assessor to examine a merchant's environment to ensure compliance. Penalties for non-compliance range from small fines to the inability to use a specific type of credit or debit card.

Specific to risk assessment, the PCI DSS standard requires that "security controls, limitations, network connections and restrictions" are tested at least annually. It also mandates quarterly use of a wireless analyzer to see if your Wi-Fi networks are vulnerable. Additionally, the regulation requires quarterly vulnerability scans to ensure that no known vulnerabilities put cardholder data at risk.

I strongly recommend that organizations also conduct a more formal penetration test, ideally performed by outside resources, at least once a year, and also use automated pen testing tools internally more often. Why? Because the bad guys are testing your network and applications every day. They are performing risk assessments all the time, trying to figure out how to compromise your systems, so you should use their same tools and techniques to find and remediate problems.

For more information:

  • In this tip, contributor Khalid Kark defines the framework that makes organizational risk management work in your enterprise.
  • In this expert response, Joel Dubin discusses whether or not tokenization can meet PCI DSS standards for storing credit card data.

    • This was first published in October 2007

    Back to top