Dec 19 2010

Protect your credit card information and avoid Fraud

Category: cyber securityDISC @ 10:51 pm
NEW YORK - MAY 20:  In this photo illustration...
Image by Getty Images via @daylife

Essentials of Online payment Security and Fraud Prevention

As we all know that credit card frauds are on the rise and crooks are utilizing more advanced techniques to acquire credit card information. In these circumstances anyone can lose their private and credit card information to crooks. Individual due diligence is necessary to protect credit card information and below are few measures which can help to protect it.

– At least once a year (or preferably every 6 months) report each one of your cards missing, so that your credit card company would issue you a new card. This is because often crooks steal credit card info but they wait to collect many (at least a million) before they sell them and this process typically takes a year (according to FBI) so most of the times your credit card info may be compromised but you don’t know about it until the crook sells it to a buyer and then in a matter of 1-2 weeks you get hit by tons of purchases and before you know it you credit card is maxed and you are stuck with proving it wasn’t you.

– Sign up with www.LifeLock.com, instead of the many identity theft programs that your bank offers. This program costs about $80-$100 a year (similar in cost to what banks like Chase and WFB offer) but this program TRULY covers all the costs of when your identity is stolen and cards are maxed. They do by far MORE than the other programs that banks offer and they cover all the costs that you may incur (including replacing your PC that maybe infected with a virus).

– If anyone calls you (from Visa, MC, AmEx or any credit card company) and told you anything like your credit card has been used, stolen, etc, get their telephone number and tell them you will call them back before you say ANYTHING to them. And then call the 800 number on the back of your card and verify that the phone number they gave you is indeed a valid number. Do NOT give anything, specially the 3 digit off the back of your card to anyone who calls you.

– As always, do NOT enter your ATM card PIN into any email.

– Do NOT open any emails from anyone that you do NOT know. If you do, and there is a .pdf file is attached, make sure it makes sense that the sender has sent you this file otherwise do NOT open the .pdf file. Many viruses are embedded in .pdf files (Not pictures or txt files, just .pdf)

– If you do on-line banking (as we all do) do NOT do bill payment or if you do then once a day check the balance in your account. Also, if possible contact your bank and BAN any WIRE TRANSFERs from your account. Tons, tons of wire transfer fraud has happened during the past year or two and people have LOST THEIR MONEY, the banks have NO obligation to repay even if you can prove you didn’t do the transfer. They say that your computer was hacked and that is YOUR fault not theirs. Check your bank account balances DAILY as with wire transfer you have 24 hours (in most cases) to reverse it but if it is gone then your money is GONE and you may never be able to collect it back.

– NEVER give your laptop for repair or upgrades to anyone that you do NOT know really well. Once your laptop or computer is in the hands of a crook he can install spyware and other programs that will go into the core of your PC and nothing, as in NOT EVEN FORMATTING YOUR HARD DISK, can get rid of the virus or spyware. Your only option is to throw away your PC and buy a new one.

– When online, if you happen to go to a website that had many different items on it; such as “Sarah Palin’s info”, “Earthquake victims”, “Las Vegas Deals”, etc. DO NOT open any files or documents (don’t click on them). These websites are put together by very smart crooks who want to attract people so they have a variety of info posted but each article has a virus/spyware loaded in it and if you click on it the virus will be loaded into your PC and from that point on they can monitor your keyboard entries, even the screens you look at. Avoid any website that has an unusual or strange collection of info on them.

– Have one credit card with a low limit ($1000-$2000) only for use on internet purchases.

– Have another card with even a lower limit ($500) only for use in Gas stations. Gas stations have the highest rate of fraud because the pumps have Readers/Pin pads in them that are really old and do NOT have any security feature in them. So have a very low limit card only for use in Gas stations.

– Have one/more high limit cards that you only use when you purchase something that you SIGN for, and always check your statements at the end of the month.

Tags: Business, Consumer, Credit card, Financial services, Identity Theft, Merchant Services, Sarah Palin, Wire transfer


May 28 2009

PCI compliance is essential and why you have to

Category: pci dssDISC @ 3:18 pm
Image result for pci dss compliance

 

During this down turn economy organized cyber crime is a booming underground business these days. Most of the security expert and FBI agree that cybercrimes are on the rise and pose a biggest threat to US vital infrastructure. Cybercriminals are thieves in cyberspace who will swipe the sensitive data and sell to other criminals in their community, who might turn around and ask for ransom to keep the data private or perhaps resell to the highest bidder again in the black market. The risk of getting caught is minimized by legal jurisdiction and neglected by huge monetary gains. Motivated by potential gains, cybercriminals are determined to exploit the vulnerabilities of the target rich environment. Another issue to this problem is that our personal and private information has potential to be exploited at various locations such as banks, credit card companies, credit debit card processor, credit report companies and merchants etc…

Level 1, 2 and 3 merchants usually follow security best practice, allocate enough resources and try to maintain PCI compliance. On the other hand level 4 merchant are usually not compliant and have security vulnerabilities which are easy picking for cybercriminals, which is a primary reason why more security breaches happens to level 4 merchants. PCI was apparently created to safeguard the credit card and debit card data. PCI DSS standard are managed by PCI Security Standard Council.

The most significant reason to comply with PCI is because you have to.

 

PCI DSS address the baseline security for payment card infrastructure and ROI is a total cost of ownership. PCI DSS cannot guarantee absolute security but making organization to adhere to due care security justify its cost and use. As far as liability goes the security breach will be very detrimental in the state of non compliance which will include fines, legal fee and possibly lose the credit card processing ability. To motivate themselves, merchants should also remember that their customer’s data is worth a lot of money to cyber criminals.

The trick is keeping the state of compliance – true security of credit card holder data requires nonstop assessment and remediation to ensure that likelihood and impact of the security breach is kept as low as possible. PCI compliance is not a project; it’s an ongoing process of assessment. PCI assessor utilized defined set of controls objectives to assess the state of compliance. PCI provides an option of doing internal assessment with an officer sign off.
Merchants should monitor and assess to keep compliance on ongoing basis. Implement defense in depth mechanism and apply security control at every layer (network, application, operating system, and data). The idea is to make their job hard enough so the attacker moves on to easier target.

Check my previous posts regarding PCI DSS.
pci-dss-misconceptions-and-facts
pci-dss-significance-and-contractual-agreement

Vulnerability Scanner that scans your machine, reports back on vulnerabilities, and provides solutions to fix them

 

Recommended books to implement PCI DSS compliance process

 

Tags: Credit card, defense in depth, level 4 merchant, Merchant Services, pci dss, PCI Security Standard Council, roi, Security, Total cost of ownership


Apr 28 2009

PCI DSS Misconceptions and Facts

Category: pci dssDISC @ 7:13 pm

Information Security Wordle: PCI Data Security...

M1 – We are relatively small company so we don’t have to worry about PCI compliance
F1 – The PCI DSS must be met by all organizations that transmit, process or store payment card data

M2 – PCI DSS is either a regulation or a standard
F2 – It‘s a neither a standard nor a regulation. It is a contractual agreement between card associations, the merchant banks and merchants

M3 – We neither understand PCI and nor have in house expertise to address compliance
F3 – PCI document clarify most of the questions in business terms but get help to interpret technical questions. Due care imply to understand your requirements to comply and protect your data

M4 – PCI has no ROI and simply too much for a small business
F4 – PCI address a baseline security for payment card infrastructure and its ROI is a total cost of ownership

M5 – Why bother when some companies get breached even though they were compliant
F5 – PCI DSS compliance is not a onetime process it is an ongoing process to maintain it

M6 – PCI compliance cannot be that hard, all we have to do is fill out the questionnaires
F6 – Yes, on the questionnaires has to be validated through scan. Vulnerabilities need to be resolved before submitting the report to merchant bank

M7 – My application and POS equipment are PCI compliant
F7 – PCI DSS compliance apply to an organization neither to an application nor an equipment

M8 – PCI compliance addresses the security of the whole organization
F8 – PCI DSS does not addresses the CIA for the whole organization but only card holder data security

M9 – Data breach will not affect the business revenue
F9 – Become level 1 (cost of monitoring), lose card acquiring ability, forensic charges and fines

M10 – We don’t need to scan PCI assets
F10 – Quarterly scanning is mandatory for all merchants (Level 1-4)

M11 – Merchants can use any application to transmit, process and store PCI data
F11 – Not really, beginning 2010, merchants can only use payment applications validated under the payment application data security standard (PA-DSS)

M12 – We have compensating control in place so we are covered
F12 – You still have to prove how well compensating control covers the PCI requirement. Compensating controls are harder to do and cost more money in the long run











Documentation Compliance Toolkit



PCI Compliance



Practical guide to implementation (Soft Cover)



Practical guide to implementation (Download)



Reblog this post [with Zemanta]




Tags: Company, Financial services, Merchant Services, Payment card industry, pci dss, Security