
Experts: Easing standards like PCI DSS a bad idea

By Bill Brenner, Senior News Writer
09 May 2007 | SearchSecurity.com


NEW YORK -- There's no doubt companies are going through misery trying to comply with such mandates as the Payment Card Industry's Data Security Standard (PCI DSS). But easing the rules would be a bad idea given the steady rise of identity fraud, financial services practitioners said during a panel discussion at RSA's eFraudNetwork Live event.

Bedford, Mass.-based RSA, the security division of EMC, held the event at the Roosevelt Hotel so customers could gather to share their experiences and offer tips. The event is named after RSA's eFraudNetwork, a database of known fraud on the Internet. During a roundtable discussion on identity fraud, panelists were asked if industry standards and government regulations should be relaxed to help more companies comply.

During a recent conference focused on PCI DSS, First Data CISO Phil Mellinger, who developed the precursor to the current rules, called for an overhaul of PCI DSS to eliminate subjectivity and ease restrictions to help more merchants comply.

But the panelists at RSA's event said too much is at stake to relax some of the rules just because heeding them is hard. Whether it's PCI DSS or any number of government regulations, simply striving for compliance will lessen the likelihood of attackers pilfering credit card data from corporate networks, they said, citing such incidents as the data breach at Framingham, Mass.-based TJX Companies Inc. In that incident, at least 45.7 million credit and debit card holders were exposed to identity fraud.

Kevin Dougherty, senior vice president of information services at Orlando, Fla.-based CFE Federal Credit Union, and Baron Unbehagen, vice president of marketing and alliances at Postilion, a Norcross, Ga.-based vendor of integrated solutions for self-service banking and payment processing, agreed it's easy for companies to complain when they're forced down the path to compliance. But, Dougherty said, "It's our responsibility to meet the bar that's been set."

From a service provider standpoint, Unbehagen said, "Priority one is for the provider to do as much as possible to deliver solutions that are compliant out of the box with PCI DSS and other standards."

Dougherty has seen the impact of identity fraud up close. He said his credit union turned to RSA for help last year after it suffered a "vicious" phishing and denial-of-service attack. Cleaning up the aftermath has been a painful process, he said. For example, the organization has had to spend about $100,000 to re-issue compromised credit cards. It was the right thing to do, Dougherty said, but it was a big financial drain.

"It was a scary time," he said. "Until you're living and dealing with it, you don't know what it's like."

He said the experience has taught him that companies need to vigorously monitor transactions and have the necessary security tools in place to detect fraudulent activity. He warned that the problem will keep getting bigger. And if companies can't detect when large amounts of money are being sucked out of a customer's account, nobody will trust them enough to do business with them.

"Trust is everything," Dougherty said. "The customer trusts us to protect them."

Unbehagen acknowledged that while retailers need to do their part in protecting customer data, companies like his must bear responsibility as well.

"It's a shared responsibility," Unbehagen said. "On the one hand, the retailer must do their job. But the point-of-sale vendor and service providers must also work together to protect people."

Panelists agreed that working together means forging relationships with such law enforcement agencies as the FBI, and stepping up efforts to educate customers on the risks they face.

"When we were hit with the phishing attack, 19-year-olds, 55-year-olds and senior citizens were affected," Dougherty said. "We all need to do a better job educating the public on what the criminals are doing to target them." He noted that retired senior citizens are hit especially hard by such attacks and that "we have to educate them so the rug isn't pulled out from under them."

He said his credit union is trying to help people by offering seminars on Internet fraud.

One thing that will make people more aware and build more trust is if more fraudsters are found and prosecuted, said Thomas Grasso Jr., supervisory special agent with the FBI's National Cyber-Forensics and Training Alliance.

"The more thieves we catch and prosecute, the better," he said. "We've found that the same people tend to be involved in these attacks and when they can steal money they'll keep coming back for more. Our experience is that businesses really want to help us find these guys."

Catching and prosecuting them, he said, is as important to security as patch management.
