
Securing payment card data against identity thieves

  • Posted on: December 27, 2013
  • Posted in: Cybercrime
  • Posted by: Trend Micro

More than any type of sensitive data, transactional and payment card information is actionable. Both legitimate and malicious parties have devoted enormous resources to collecting data such as credit card numbers, as well as information about buying habits and histories.

On the legitimate end, many businesses have translated this broader knowledge of customer behavior into more effective marketing campaigns. However, protecting the sensitive information that fuels these efforts is a complex obligation, one that can sometimes strain the resources of businesses of all sizes, exposing them to the risk of data breaches.

While breaches involving names and addresses are certainly damaging to both an individual's privacy and corporate reputation, incidents of stolen payment card data and Social Security Numbers often have more immediate consequences, easily escalating into identity theft. A recent report from Javelin Strategy & Research demonstrated the strong link between the two phenomena, and while the revelation may come as no surprise to the cybersecurity community, it highlights the challenges that remain in securing payments.

With mobile payments and online retail also becoming pillars of retail, consumers, businesses and cybersecurity professionals must do more to cover all bases. Following sensible compliance frameworks and best practices will be essential to stemming the tide of identity theft.

Report finds strong link between stolen payment card data and identity theft
Last year, 16 million Americans were notified that their payment card data had been breached. Of that group, more than 25 percent also suffered identity theft, demonstrating the increasingly high stakes of protecting transactional and personally identifiable information from cybercriminals.

At the same time, not all data breaches are created equal. Lifted payment card data and Social Security Numbers enabled identity theft at a higher clip than stolen checking account numbers and online banking username/password combinations. Twenty-eight percent of the more than 4 million SSN data breach victims in 2012 suffered identity theft facilitated by that data.

Moreover, some industries were more likely to be the target of cybercriminal campaigns on this front than others. The healthcare, finance and retail sectors all face particular challenges that make them prime targets for data breaches that lead to identity theft. For example, healthcare providers are increasingly investing in electronic health records, while retailers have constructed intricate IT systems to support payment cards. Given the size and scope of these organizations’ clienteles, damage from breaches is often wide-reaching and varied, ranging from lawsuits to decreased customer retention.

“By breaching the data stores of businesses in the financial, healthcare and retail industries, criminals can obtain the fuel they need to execute various fraud schemes, and these crimes have crippling consequences,” stated Javelin senior analyst Al Pascual. “Identifying and protecting the sensitive information typically stored by these industries is essential for mitigating the risk of a data breach and, therefore, the risk of financial loss to data custodians, consumers and third-party businesses.”

However, in many cases these breaches are not solely the result of concerted cybercriminal effort. Rather, loose organization and classification of data frequently contributes to incidents since it creates confusion about the relative vulnerability of data assets, as well as the responsibility for protecting them.

A closer look at using classification to address data protection issues in retail
More specifically, retailers demonstrate how cybersecurity efforts can sometimes be derailed by a combination of complex compliance obligations and organizational oversight. The holiday shopping season, which compresses huge numbers of transactions into days like Black Friday and Cyber Monday, only exacerbates these issues, making the case for improved approaches to securing payment data.

A Florida TV station chronicled the identity theft risks that arise in November and December, when shoppers make numerous purchases both online and offline. Lax website security or unattended personal information may give thieves access to information such as SSNs, which can be used to impersonate others. Some consumers have witnessed massive tax returns wrongly issued in their names by the Internal Revenue Service, while others have noticed anomalous events in their credit card histories.

In retail, identity theft is a particularly nuanced issue since it is caused by both consumer habits and business practices. While some shoppers may not be the most diligent about checking for website SSL or keeping personally identifiable information under wraps, organizations also sometimes fall short in properly handling data on the backend, despite their obligations under the Payment Card Industry Data Security Standard. The rise of mobile and Internet payments has already pushed organizations in Europe to draft new security frameworks, potentially adding an extra layer of regulation on top of an already challenging compliance issue.

“Storing unprotected primary account numbers violates payment card industry guidelines, but retailers can lose track of where and how [the numbers] are being stored,” stated the Javelin report. “The unprotected storage of PANs for chargeback management, fraud analytics, or marketing purposes plays directly into the hands of criminals. PCI-related fines that are imposed on breached retailers can have high impact, especially for smaller merchants, but these are dwarfed by the dollar losses that can result from the fraud committed with breached payment card data.”

Retailers’ situation illustrates the fine line between proactively using consumer data to boost business and leaving it overly exposed to risk. Businesses need not abandon analytics altogether, but extra caution may be advisable. Assets should be classified according to their risk levels and given protections appropriate to their profiles.

What consumers and businesses can do to guard against identity theft
Encryption, usage policies and stronger access management are some of the fundamental steps that organizations in all sectors can use as building blocks for safer payment environments. In many cases, seeking the help of PCI DSS and perimeter security experts will go a long way to getting better insight into IT systems, which ultimately leads to improved cybersecurity and compliance.

For consumers, personally identifiable information requires careful handling. Using a password manager to automatically generate and store complex credentials can protect against attackers who exploit weak login security. Similarly, using a shredder to destroy documents, keeping antivirus software up to date and being mindful of where sensitive data is stored all contribute to a stronger front against identity thieves.

While identity theft appears to be on the rise, its prevalence is the product of changeable habits and behaviors. With a clear mind toward protecting transactional and payment card data, businesses and consumers can ensure that payment systems are both efficient and secure.
