by Dave Gradijan

Visa Reiterates Risk of Poorly Stored Credit Card Data

Jul 18, 2006

Visa International said merchants should take a greater responsibility for credit card security—for example, by complying with the security standards in the Account Information Security program.

The program is sponsored by Visa and run by its member banks. However, uptake among merchants in New Zealand, especially small and medium-sized ones, has been slow, said Iain Jamieson, Visa International’s New Zealand country manager.

“I’m a little concerned that the message we are trying to get out there hasn’t got much traction at the moment,” he said.

“In collaboration with the banks, we need to interact at a much lower level with the merchants in this country, to make sure that they understand what the requirements are for ensuring that cardholder information is stored correctly. And if they don’t need to store it, they should delete it,” he said.

Visa Asia-Pacific cooperates with website security company ScanAlert, which performs vulnerability tests of merchants’ systems free of charge.

“I suppose the issue is that to go through with the scan, you need to have the latest security software in place, and I think this is where New Zealand falls behind the rest of the world a little bit. Do the small and medium-sized merchants in New Zealand actually have that software?”

“If merchants are storing cardholder information … they should encrypt it. If they don’t need that information, they need to change their business practices and get rid of that cardholder data.”

Cardholder information stored on a server, for example, could be an easy gold mine for criminals, he said.

“You don’t need to have a direct Internet connection for a criminal to get into the system. If you have got an external e-mail system or a corporate Internet system, that could be the hole that lets a criminal in.”

John Albertson, chief executive of the New Zealand Retailers Association, said the primary responsibility for the security of credit cards lies with customers, but that retailers have a responsibility to ensure that credit card information is not made available to anyone.

“In terms of card security overall, the key security point is with the customers themselves—for example, making sure that PIN numbers are kept absolutely confidential,” he said.

One of the aspects that has changed over recent years is the detail shown on the credit card docket, he said.

“Going back some years, basically the full credit card number was printed on the credit card chit. That is now changed and the full number is no longer shown. That was quite a significant step in terms of security,” he said.

The information retailers might store, for balancing their accounts, no longer has the details of the customer’s account on it, he said. However, he can’t guarantee that all retailers in New Zealand have changed their systems. Albertson recommended talking to Electronic Transaction Services Limited (ETSL) for more information, but ETSL was not immediately available for a comment.
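As an added example (not from the article, and not code from Visa, the Retailers Association or ETSL), here is a small Python check a retailer could run over stored transaction records to find any that still carry a full card number and truncate them to the last four digits, the way receipts now do. The record lines and card numbers are constructed test values.

```python
import re

# Constructed sample of ledger records as a retailer might keep them for
# balancing accounts. Two still hold a full card number (the old practice
# the article describes); one is already truncated; one is a reference
# number that happens to be a long digit run. Card numbers are test-style
# values, not real accounts.
SAMPLE_RECORDS = [
    "2006-07-18 14:02 TXN 1001 VISA 4111111111111111 NZD 59.90",
    "2006-07-18 14:05 TXN 1002 VISA ************1111 NZD 12.50",
    "2006-07-18 14:09 TXN 1003 MC 5555555555554444 NZD 220.00",
    "2006-07-18 14:11 TXN 1004 REF 20060718141100001 NZD 0.00",
]

# Card numbers (PANs) are 13 to 19 digits; lookarounds stop partial matches.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit validation, used to drop digit runs that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_unmasked_pans(record: str) -> list:
    """Return every Luhn-valid 13-19 digit run in a record (likely a full PAN)."""
    return [m.group(0) for m in PAN_CANDIDATE.finditer(record) if luhn_valid(m.group(0))]


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, as a truncated receipt does."""
    return "*" * (len(pan) - 4) + pan[-4:]


def remediate(record: str) -> str:
    """Replace any full PAN in a stored record with its truncated form."""
    for pan in find_unmasked_pans(record):
        record = record.replace(pan, mask_pan(pan))
    return record


def scan_records(records: list) -> list:
    """List (index, count of full PANs) for every record that needs remediation."""
    return [(i, len(find_unmasked_pans(r))) for i, r in enumerate(records) if find_unmasked_pans(r)]
```

The reference number on the last record is caught by the length rule but rejected by the Luhn check, which keeps the scan from flagging ordinary long identifiers.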

The international EMV-standard (Europay, Mastercard, Visa) chip cards are to be fully introduced in New Zealand by January 2008. In Europe, the move to chip cards happened because of the fraud issue, Jamieson said. But in New Zealand, fraud is not an issue.

According to Visa’s research, fraud in New Zealand and Australia is at an all-time low. Only 0.03 percent of Visa sales are lost through fraud, compared to a world average of 0.07 percent. Online fraud in New Zealand and Australia has halved in the last five years, mainly thanks to investments that banks and financial institutions have made in advanced technology to prevent fraud, Jamieson said.

“There is no business case in New Zealand to move to chip on fraud ground alone. There has got to be something more to add value to the customer.”

Malaysia used to have one of the highest fraud rates globally before the government decided that the country should migrate to chip cards, and it did it within a couple of years, said Jamieson.

However, fraud doesn’t go away. It just moves to places that are easier to attack, he said.

“What we noticed was that as fraud dropped in Malaysia, fraud increased in Thailand across the border,” he said. “So, my message to the New Zealand community is that we might not have a problem now, but if other countries decide to move to ‘chip,’ the fraudsters are going to look for places that are easier to attack and, at the moment, we don’t have chip cards. It’s easier to attack a bank in New Zealand than one in Malaysia or Japan that has implemented chip technology.”

Jamieson thinks that banks in New Zealand will start moving toward the EMV standard in the next 12 months.

Mobile commerce is another new technology that might be coming in a couple of years. Jamieson said a number of pilots are being conducted around the world.

“Some Nokia phones have the ability to have a second chip put into the handset, and that second chip can be used as a payment application,” he said.

There are two types of trials going on, according to Jamieson. One uses the infrared application on the handset. The user points the phone at a specialized point-of-sale device and sends a payment request via infrared, he said.

“The other one uses a contactless-type approach, where the Visa chip in the phone will have a contactless application.”

The user pays by pushing the phone toward a contactless plate at the point-of-sale.

Fraud might be declining, but other threats are on the rise. For example, the number of phishing sites has increased 3.5 times since last year, he said.

“In May 2005 there were 3,326 phishing sites that had been detected, and in May 2006 there were 11,976 phishing sites.”

Although it should be a well-known fact by now that no bank or financial institution will ever ask clients to put any financial or personal information in an e-mail, phishing scams still succeed, he said.

“It’s unfortunate that every time a phishing attack occurs, a couple of customers have obliged the fraudsters.”

By Ulrika Hedquist, Computerworld New Zealand Online
