The Ins and Outs of New Security Rules
Remember the First of November.
That’s when companies will be forced to comply with the “red flag” provisions of the Fair and Accurate Credit Transactions Act.
The provisions, which mandate several security measures for financial institutions, have come into greater focus after last week’s U.S. Department of Justice indictment of 11 people for allegedly hacking nine major U.S. retailers to steal more than 40 million credit and debit card numbers. The 11 have been charged with numerous crimes, including conspiracy, computer intrusion, fraud, and identity theft.
BankInnovation.net spoke to Thomas J. Harkins, the chief strategy officer of Brentwood, Tenn.-based Secure Identity Systems and former vice president of risk and security at MasterCard Inc., to discuss the Nov. 1 deadline, PCI, and new security technologies on the horizon.
BankInnovation.net: How effective have been the steps taken by merchants and financial institutions to help eliminate credit card data breaches?
Thomas J. Harkins: Payment Card Infrastructure (PCI) standards were implemented so that every merchant is required to do minimum amount of data security. Databases were created and used by merchants — mainly retail — that included customer information, which was used for marketing purposes. Hackers were aware of these databases and found ways to hack into retail establishments and sell the information. The standards outline that everything has to be encrypted, firewalls must be installed, passwords must be protected, PIN info has to be entered upon usage. This has helped quite a bit, but not every merchant has the money to comply. Restructuring a system is expensive, and many businesses cannot afford to restructure all at once. Many incorporate new system requirements a little at a time. There is always margin for error; firewalls are left open, forgotten passwords, etc.
BI.Net: The Fair and Accurate Credit Transactions Act (FACT Act or FACTA) Red Flags regulations require you to create a comprehensive identity theft prevention program. How effective do you think these provisions will be?
Harkins: FACTA involves financial institutions, along with anyone who deals with customers, to make sure everyone does their best to stop identity theft. FACTA enables consumers to obtain free individual credit reports once a year and allows individuals to place Red Flags credit alerts on their credit histories. The new set of rules must be executed by Nov 1. I’ll highlight three [of the red-flag rules]:
1) Positively ID the customer by taking information to compare it with that of a trusted third-party database for a positive match ….;
2) Check history of consumer by viewing previous address. Ask “out of wallet questions” that an average criminal would not know in the event that a person’s wallet or purse was stolen; and
3) Being aware of known incidences of fraud history on this account or other incidents of identity theft.
There is also a policy and procedures manual that allows institutions and merchants to look at all products and vulnerabilities of each. Proper employee training is also very important. Everything helps.
BI.Net: Is there more of a risk of a security lapse when using the consumer uses a credit or debit card?
Harkins: From a consumer perspective, I would say paying with a credit card may be [less risky], because it allows you to pay using a line of credit from a financial institution. You are then required to pay the bank, instead of money being removed directly from your account [as is the case when paying with a debit card].
In terms of transactions, the way they’re processed is the same, so I’d say that there is probably the same difficulty [involved in] hacking into either system.
BI.Net: Are there any new emerging technologies that may help prevent security breaches?
Harkins: Companies are now using what is known as an “ethical hack.” A trustworthy expert is brought in and attempts to beat the system to determine what areas need to be improved. Companies are beginning to understand that they may have to spend money to keep their businesses and clients secure. It is in their better interests to invest in security measures before there is a threat. I think it is hard to put a price on what you should have spent to keep your information secure.
