Beware! Your credit card info can be misused

[Guest guest]

Beware! Your credit card info can be misused

 

The retail boom is on, e-commerce is thriving and, while the consumer

goes merrily a-shopping, security firms are screaming

 

Beware

 

As you shop your weekend away, you leave behind a trail of credit

card information in malls. “Point of sale terminals, bill payment

devices, transaction counters and mall applications store your

debit/credit card information and it is easy for such data to be

collected and misused,†says Srikiran Raghavan, Regional Sales

Head, RSA Security, the security arm of EMC Corporation.

 

Globally, over 10 million people are affected by credit card theft

every year, estimates the Federal Trade Commission. Increasing

instances of skimming (where the card reader can be modified to store

information for later use) and online black-marketing of credit card

databases imply India is facing a rising threat of fraud driven by

neglect - both by card owners and retail houses.

 

Credit card fraud can affect both online and offline transactions.

Sixty per cent of online card fraud occurs only while buying an air

ticket, according to experts.

 

Correct card usage

 

In just a swipe of your credit card, the retailer (a restaurant, a

mall, a coffee shop) obtains information on Track 1 and 2 data. Track

1 data from the magnetic stripe gives the card account number, the

three-digit card verification value (CVV). This data per se can be

misused. Cardholders must ensure that they do not lose sight of their

card and observe if the swipe action is repeated, experts advice.

 

Visa says 30 per cent of card frauds currently involve situations

where the buyer is not present to physically sign for the

transaction. This will rise to nearly 50 per cent by the end of this

year. Track 2 data provides the merchant with your account number,

expiration date, service code and other discretionary data, which

gets stored in the computer terminal.

 

“When storing credit card holder data, truncating data and

masking part of the 16-digit number whenever in public is necessary.

However, many retailers do not comply with this. Credit card swiping

also has many opportunities for identity theft by employees of large

retail stores,†warns Dharshan Shanthamurthy, Chief Consultant,

SISA Information Security, a Bangalore-based security audit firm.

 

Merchant responsibility

 

Merchants must also buy the right retail automation software to

ensure the stored information is not misused. Software used to store

information should be certified with Payment Application Best

Practices, which specifies what information is private and what may

be stored.

 

“Such credit card information usually resides in more than one

location - the computer, servers, storage. Retailers should be

worried about the risk of multiple storage of client’s

information,†says Shanthamurthy, adding, “We have observed very

low security awareness levels among merchants in India. They have a

long way to go.â€

 

However S. Narayanan, Group IT Manager - Infrastructure and

Security, Hindustan Unilever Ltd, contends it is not just about

ignorance among the retailers. “It will mean additional investment

by the merchant. Software programs and card readers will have to

change. It is not the law yet. A mandate by the RBI or an amended IT

act will be necessary to see such changes. This will take a couple of

years.†HUL is one of the biggest suppliers of FMCG (fast moving

consumer goods) for malls and stores.

 

India is on its way to becoming a credit card-based economy; and

the more we spend, the more information is being collated by

fraudsters. “In the next three years, merchants will feel the pain

of not installing security. The potential for identity theft will

increase dramatically,†warns Raghavan.

 

Global guidelines

 

The sub-continent is lagging in the adoption of the global industry

standard PCI DSS - Payment Card Industry Data Security Standard,

which is backed by Visa, Mastercard, American Express and Discover.

In the US, 35 per cent of Level-1 merchants (top ones) are compliant

with PCI DSS. About 30 per cent of their European counterparts are

compliant.

 

By end-2008, SISA expects India’s 50 large merchants to be

compliant with international guidelines and security standards. Banks

and financial services organisations are upgrading security at their

data centres in line with this changing scene.

 

“It is in their best interest to save their users’ identity and

credit card information,†Raghavan says. Utility providers such as

phone, water and electricity services will adopt more stringent

security while dealing with transactions. Protecting consumer

information will become a priority for the government-to-consumer

(G2C) outlets.

 

 

ISSUED IN PUBLIC INTEREST... Please forward it to as many people as possible