|
With CHIP and PIN delivering results in reduced fraud at the point of sale, UK retail banks are now turning their attention to improving their customer verification techniques for internet banking.
As a result of this increasing investment by banks in securing their online services, fraudsters will be looking for easier and cheaper opportunities, which in turn will place online retailing at increased risk of attack. The PCI security standard that is being rolled out by VISA and MasterCard can help retailers to prevent criminals turning to them as potentially softer targets.
Increased media coverage on identity theft and more sophisticated fraud attacks, including the use ‘sleeper cells’ among bank staff, has driven most of the high street banks to conclude that they need to take pre-emptive action.
But it’s highly likely that improved security over internet banking will displace fraud elsewhere – to other parts of the bank, or other banks and to retailers – as fraudsters typically attack the weakest link in the chain.
Last year, for example, the introduction of CHIP and PIN in the UK resulted in a steep increase in card fraud in countries that have not introduced the technology. There’s a real danger that increased anti-fraud efforts by the banks will drive fraudsters to increase targeting of online retailers.
Major online retailers and payment service providers have been early adopters of the PCI standard (the Payment Card Industry Data Security Standard) issued jointly by VISA and MasterCard. This is seen by many retailers as purely a compliance challenge. But used effectively, PCI provides a framework to assess your security and build an effective defence mechanism.
PCI is intended to help retailers as well as banks and card companies. PCI can help retailers to reduce CNP fraud as well as protect against data theft from internal and external sources. Compliance by payment services providers means that retailers have greater assurance that customer data is secured throughout the payment cycle.
Simon Langley of KPMG’s information security team, who has advised merchants across Europe on PCI, says that good planning and open communication with your bank are the best ways to achieve PCI compliance at a reasonable cost.
“The card schemes are looking to see base levels of security achieved, but they are open to a constructive approach,” he said.
“For example, several retailers have agreed to build compliance with some of the tougher aspects of PCI into their normal technology refresh cycle rather than incurring immediate high cost expenditure.”
• KPMG is exhibiting at Infosecurity Europe 2007, Europe’s top information security event, which takes place at Olympia from April 24-26. For more information visit www.infosec.co.uk
|
