Tuesday, February 5, 2013
Guidelines for ATM and e-commerce security were released by the PCI Security Standards Council (SSC) in the final two days of January 2013. The ATM Security Guidelines Information Supplement was released Jan. 30, and the Payment Card Industry (PCI) Data Security Standard (DSS) E-Commerce Guidelines Information Supplement was released the next day.
In the notice of the ATM guidelines' release, the PCI SSC said the ATM security guidelines were developed with input from the PCI community to deter card data theft at ATMs. The council said skimming remains the top threat to ATM transactions.
"Different kinds of brute force attacks [are] continuing unabated," the council further noted. It also reported that PIN and account data presented in ATM transactions are a growing target for theft by gangs that use the information to produce counterfeit cards to use in fraudulent ATM withdrawals and other illegal transactions.
The extent of credit card fraud in the United States was demonstrated by the FBI on Feb. 5, 2013, when it arrested 13 people in four states on charges of creating more than 7,000 false identities and more than 25,000 fraudulent credit cards. They allegedly stole more than $200 million by manipulating borrowing limits on the phony cards. The FBI said it found more than $70,000 in one defendant's oven.
"Skimming and other types of attacks on ATMs continue to be top of mind for our constituents," Bob Russo, General Manager of the PCI SSC, stated. "There are already some excellent resources out there that help with various pieces of ATM security. What this guidance does is pull together these different best practices into one comprehensive set, which is what our stakeholders have been asking for."
The ATM security guidelines cover best practices for integration of hardware to prevent theft of mag stripe, PIN and other account data; software security; device management and operation; and ATM application management.
The e-commerce security guidelines were produced by the PCI SSC's E-commerce Security Special Interest Group. Businesses selling on the Internet can use the guidelines as an aid when choosing e-commerce technologies and third-party service providers to secure customer data and support PCI DSS compliance. More than 60 companies, including banks, retailers, security assessors and technology vendors, participated in developing the e-commerce SIG's guidelines.
Russo said the e-commerce guidelines will help retailers understand their responsibilities and ask pertinent questions of their service providers. The guidelines include an e-commerce overview, a discussion of common e-commerce security vulnerabilities and best-practice recommendations. The document also offers PCI DSS guidance for e-commerce environments and describes the responsibilities of the retailer and of third parties for correctly employing the PCI.
"E-commerce continues to be a target for attacks on card data, especially with EMV technology helping drive so much of the face-to-face fraud down in Europe and other parts of the world," Jeremy King, European Director of the PCI SSC, said.
The PCI SSC is hosting a webinar on the new guidelines Feb. 7 and Feb. 14, 2013. For more information or to register for the webinar, please visit the PCI SSC website, www.pcisecuritystandards.org.