Cyber criminals are targeting online transactions where the EMV standard still offers little protection, warns the head of PCI SSC

Are you satisfied that your business’ PCI data security standards pass muster? Are you confident that the security standards you have put in place are robust and secure? Well, you may just have to reassess your strategy as this confidence isn’t necessarily shared by the body which administers the industry’s data security standard, the Payment Card Industry Security Standards Council (PCI SSC). At a recent Annual European Community Meeting in Berlin, the PCI SSC warned European merchants that they need to be more vigilant and will need to start paying more attention to securing electronic payments if future cybercrime problems are to be avoided.

Speaking to trade magazine Computer Weekly, Jeremy King, the European director of the PCI SSC, said:
“Cyber criminals have intensified the attack on US merchants as they move to the more secure Chip and PIN system based on the EMV standard already widely used in Europe. However, this does not mean that European merchants can relax because cyber criminals are targeting online transactions where the EMV standard still offers little protection.”

Why is the PCI SSC so concerned at the moment? Well, whilst Europe’s Chip and PIN adoption has done much to address the issue of credit card fraud and has been highly successful at cutting the levels of card-present fraud, the levels of card-not-present fraud continue to escalate, particularly amongst online transactions used in e-commerce:
“Cyber criminals only need to steal a few key pieces of information to enable them to carry out this kind of fraud, and they are proving to be successful at it in Europe. The critical pieces of information, such as the card holder’s name and the card expiry date, are still easily available to attackers, even in an EMV message,” he added.

So his message to the industry is clear – European merchants will still need to pay attention to security and ensure appropriate security education and awareness training at all levels, from the shop floor right up to the board of directors:

“Lack of understanding about the importance of strong passwords on all transactions systems, point of sale devices, routers and firewalls is still a big problem in Europe,” he said.
“Organisations also need to be sure they are changing the default passwords in the systems and equipment they are using. Using poor or default passwords is making it very easy for criminals to find a way in to payment systems by either looking them up or simply guessing them,” said King.

He recommended that organisations should instruct all staff to replace weak or default passwords with stronger pass phrases that are easy to use, and yet provide much greater security.

The overall message that the PCI SSC was keen to stress is that all merchants need to become far more security-aware and understand that they are likely to be breached. They therefore need to have a good incident response plan in place:
“Many organisations still lack an incident response plan, and even where they do have one set up, they are unlikely to have tested it,” said King.

He also stressed that it is important to test these incident response plans regularly to ensure that, if or when they are breached, the intrusion can be contained quickly and the damage minimised:

“Incident response plans, which require training and planning, are also critical to enabling organisations, and merchants in particular, to recover quickly from attacks and resume business,” said King.

Mr King pointed out that the PCI SSC currently provides support to merchant organisations through training programmes that are aimed at all levels in an organisation to promote understanding of key areas of cyber security, but added that in the coming months, the PCI SSC plans to work with banks in Europe and the US to find ways of improving security, particularly for small merchants that lack the resources of larger organisations:

“We are looking at ways to make security as easy as possible by building more security into the payment services they are using to reduce the burden on the merchants. Chip and PIN took away a lot of card-present fraud, so now we have to come up with a similar process for the e-commerce space where payment providers handle payments securely,” he said.

The PCI SSC is working with banks to draw up a list of reasonably priced, good third-party payment providers that are secure and comply with the PCI data security standards (PCI DSS):

“This approach means the merchant is no longer seeing the card data because all that is being handled by payment service providers who are experts in the field. Instead of trying to tackle e-commerce payments all on their own, merchants will be able to go for help to the financial institution that they bank with, and the acquiring banks will be responsible for ensuring a consistent service to all merchants,” he added.

If you are concerned about the escalating security challenges and risk management issues facing your business today and would like to take precautions, then why not speak to Krypsys? Krypsys’ services are focused on helping your business assess its security posture against current and evolving security threats and educating you on the risks to which you are exposed. We have a wealth of experience in security projects in both the public and private sectors and have worked with organisations to protect high value information assets such as trading platforms, e-commerce systems, data-centres and cloud services. We also work with leading IT security vendors and specialist consultancies to close the gaps in your own IT security strategy and to assist in streamlining and prioritising your risk management spending.

Whether you’re looking for help with penetration testing and security reviews, or are looking for advice on security compliance and web security solutions, Krypsys can help you. For more information on web security solutions, please contact Krypsys on 01273 044072.