Chapter 2 Introduction to Fraud, ID Theft and Regulatory Mandates

By Tony Bradley, CISSP-ISSAP, Microsoft MVP-Windows Security
BT INS Security Consultant

Credit card fraud and identity theft are both enormous problems that continue to grow each year. Certainly, credit card fraud and identity theft pre-date the age of the Internet. It is an ironic fact that the things that make your life easier, improve efficiency, and make things more convenient also make crime easier, more efficient, and more convenient.

Criminals have gone high-tech and they have discovered that there is a significant amount of money to be acquired with very little risk. Hacking a company database or orchestrating a phishing attack while sitting in your pajamas eating chocolate ice cream in the living room of your house has much more appeal than robbing banks or convenience stores, and the risk of getting shot or killed is much lower. Depending on the company being targeted, the sophistication of the attack, and sometimes sheer luck, the high-tech crime may also be significantly more lucrative than traditional armed robbery.

Malicious software (malware) and cyber-criminals are not the only threat. Sadly, the very companies and organizations that are entrusted with sensitive information are often to blame. Consumers and businesses are faced with a wide variety of threats to their data and personal information on any given day. Spyware, phishing attacks, and robot networks (botnets) are all computer attacks that are on the rise and pose a significant threat to users as they connect to the Web and use their computers. However, those threats pale in comparison with the amount of personally identifiable information and sensitive data that has been compromised through carelessness or negligence by corporations.

According to some sources, more than 50 million individual records were exposed in 2005, through the loss of mobile devices or portable storage media, or by attackers gaining access to a corporate network and extracting the data themselves. A security breach at CardSystems in June 2005 was responsible for 40 million of the 50 million total. Early in 2007, a security breach at TJX Companies, the parent of retail establishments such as T.J. Maxx, Bob's, Marshall's, HomeGoods, and A.J. Wright, may have exposed more credit information and individual account data than even the 40 million records compromised at CardSystems. Some estimates place the TJX breach at over 50 million compromised accounts by itself.

In an era when more consumers are using computers and the Internet to conduct business and make purchases, and more companies are storing more data, it is more important than ever that the proper steps are taken to secure and protect personally identifiable information and other sensitive data. It is bad for companies, individuals, and the economy at large if consumer confidence is eroded by having their personal information exposed or compromised.

The information security field has a number of laws and regulations to adhere to. Depending on the industry a company does business in, it may fall under Sarbanes-Oxley (SOX), the Gramm-Leach-Bliley Act of 1999 (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), other regulatory mandates, or some combination thereof. However, as evidenced by the volume and continuing occurrence of data compromise and exposure, many organizations still fail to enforce adequate security measures.

These breaches often target consumer credit card information and threaten to tarnish the reputation of the credit card industry, so the major credit card brands banded together to develop the Payment Card Industry (PCI) Data Security Standard (DSS). In essence, the credit card industry has taken proactive steps to assure the integrity and security of credit card data and transactions and to maintain the public trust in credit cards as a primary means of transacting money. If you want to accept credit cards as payment or take part in any step of processing a credit card transaction, you must comply with the PCI DSS or face stiff consequences.

Unlike SOX or HIPAA, the PCI DSS is not a law; however, in many ways it is more effective. Non-compliance won't land you in jail, but it can mean having your merchant status revoked. For some organizations, losing the ability to process credit card payments would drastically affect their ability to do business and could even bring about the death of the company.

There is nothing extraordinary or magical about the PCI DSS requirements, though. The guidelines spelled out are essentially common sense that any organization should follow without being told. Even so, some of the requirements leave room for interpretation, and complying with PCI DSS can be tricky.

As with any information security regulation or guideline, you need to keep your eye on the ultimate goal. When executing a compliance project, some organizations follow the letter rather than the spirit of the requirements. The end result may be that they check off every box on the checklist and declare their network compliant, yet are not truly secure. Remember, if you follow the requirements and seek to make your network as secure as possible, you are almost guaranteed to be compliant. But if you gloss over the requirements and seek only to make your network compliant, there is a fair chance that your network is still insecure.

The major retailers and larger enterprises are well aware of the PCI DSS. They have dedicated teams that can focus on security and on PCI DSS compliance. They have the resources and the budget to bring in third-party auditors to assess and remediate issues. The scope of PCI DSS, however, reaches almost every business, from the largest retail megastores down to a self-employed single mother working from her home computer. If a business accepts, processes, transmits, or in any other way handles credit card transactions, it must comply with PCI DSS.

I created this book to give small and medium organizations something they can work with. It is not simply a rehash of the PCI DSS requirements. You can get the latest copy of the standard from PCI Co, the PCI Security Standards Council, and read the requirements yourself for free. This book takes a more holistic approach. I have structured the book to address the major areas of network management and information security, and how to effectively implement processes and technologies that will make your organization more secure and compliant with PCI DSS at the same time.

The purpose of this book is to provide an overview of the components that make up the PCI DSS and to give you the information you need to get your network PCI DSS compliant and keep it that way. Each major area of security covered by the PCI DSS is discussed in some detail, along with the steps you can take to implement the security measures on your network to protect your data.

The authors who assisted on this project are each established information security professionals. They have been there and done that, and have acquired wisdom through trial and error. Their experience is shared here to help you implement effective solutions that are both secure and compliant.
