Nov 15 2012

Tips for staying safe this Cyber Monday

Category: cyber security, Cybercrime | DISC @ 12:52 pm

Cyber Monday deals

Cyber Monday, one of the largest online shopping days of the entire year, is coming November 26. The National Retail Federation estimates that shoppers spent more than $1.2 billion last year, doing more than a third of their holiday shopping online.

The issue? This influx of online activity, often during business hours on a corporate network, is a holiday in itself for scammers and seasoned hackers.

As much as the bosses may not like it, the shopping on Monday is inevitable. So what should end users be mindful of to protect themselves AND the sensitive data on their personal or corporate networks?

FortiGuard Labs threat researchers Guillaume Lovet and Derek Manky offer a few security tips to help you stay safe online.

1. Unsolicited e-mails: While it may be tempting to click on an email link that says, “Great Deal on iPads… 50% off!”, be careful. By clicking on that link, you could be taken to a compromised Website that downloads malware onto your computer. That malware can then be used to capture your keystrokes, download additional malware such as fake antivirus applications, or simply turn your computer into a spam generator.

What to do: If a deal looks too good to be true, it probably is. If you’re still tempted, simply place your cursor over the link (without clicking on it) and check that the URL shown is where you were intending to go.

2. Nefarious search engine results: Search Engine Optimization (SEO) attacks (also known as search engine poisoning) typically occur during major events and holidays. This time of year, hackers may use search terms such as “Holiday Sale,” “Christmas bargains,” or “Year End Specials.” When a user clicks on the malicious link, they could be taken to a Website where their computer can be immediately compromised.

What to do: As with the tip above, check the link before you click. Also, if you do go to the site, make sure the content looks relevant to what you searched for, rather than lots of keywords globbed together on a page in random sentences.

3. Unknown online retailers: If you discover an online store that’s offering unbelievable specials on holiday merchandise, do some digging to make sure it’s a legitimate store and not a false front that will disappear later that day along with your credit card information. And even if they are legitimate, you’ll want to make sure their site hasn’t been unknowingly compromised by SQL injection or other server attacks.

Compromised websites won’t always redirect you to a malicious site, but often will phish or try to surreptitiously install other forms of malware on your computer, such as Trojans, bots, keyloggers and rootkits, which are designed to harm systems and steal personal information.

What to do: Make sure your antivirus system is up-to-date, as well as intrusion prevention to help guard against these exploits. Without them, you may not even know that you’re infected.

4. Beware of friends sharing unsolicited links: Malicious links don’t always come from spam emails. They could come from your closest friend, on Facebook or via e-mail, whose machine has been unknowingly compromised. The infected machine may be running a bot that’s been programmed to comb through email or Facebook address books and send malicious links to everyone in them. The message might say, “Hey, check out the holiday sale going on here!” or “This place is having a 50% off Christmas sale!” By clicking on the link you could be taken to a malicious Website that installs malware on your system or phishes for your credit card credentials.

What to do: Use common sense. Does your friend normally update you on when sales come up? If you’re not sure, a quick private message or phone call to ask, “Did you mean to send me this?” could save you from compromising your personal (and corporate) sensitive information.
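As an added example (not from the FortiGuard researchers or the original post), here is the hover-and-check habit from tips 1, 2 and 4 turned into a script a mail gateway or a cautious reader could run over an HTML message. The sample e-mail, the store domain and the IP address are constructed for the illustration, and the two-label domain comparison is a simplifying assumption.

```python
"""Check where the links in an HTML e-mail really point before anyone clicks them."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample "deal" e-mail. The first link shows one address but goes to
# another, the second is genuine, the third is a lookalike of the real store.
SAMPLE_EMAIL_HTML = """
<p>Great Deal on iPads... 50% off! Shop now at
<a href="http://198.51.100.7/ipad-sale">https://www.example-store.com/deals</a></p>
<p>Track your order:
<a href="https://www.example-store.com/orders">https://www.example-store.com/orders</a></p>
<p><a href="https://www.example-store.com.holiday-bargains.example/login">Log in to claim</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def registrable(host):
    """Last two labels of a host name (an assumption: ignores two-label public
    suffixes such as co.uk, which a real deployment would handle with a suffix list)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def check_link(href, text, trusted_domains):
    """Return the reasons a link deserves suspicion; an empty list means it looks fine."""
    reasons = []
    target = host_of(href)
    if not target:
        return ["link has no host"]
    try:
        ipaddress.ip_address(target)
        reasons.append("target is a bare IP address rather than a retailer's domain")
    except ValueError:
        pass
    # The "hover" check: does the address the reader sees match where the link goes?
    if text.lower().startswith(("http://", "https://")):
        shown = host_of(text)
        if shown and registrable(shown) != registrable(target):
            reasons.append(f"visible text says {shown} but the link goes to {target}")
    if registrable(target) not in trusted_domains:
        reasons.append(f"target domain {registrable(target)} is not a store you expected")
    return reasons


def audit_email(html, trusted_domains):
    """(href, reasons) for every link in the message."""
    return [(href, check_link(href, text, trusted_domains))
            for href, text in extract_links(html)]


if __name__ == "__main__":
    for href, reasons in audit_email(SAMPLE_EMAIL_HTML, {"example-store.com"}):
        print(href, "->", "OK" if not reasons else "; ".join(reasons))
```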

Tags: Credit card, Cyber Monday, National Retail Federation, Online shopping, SQL injection, Website

Jul 08 2011

How to protect ourselves from Payment Fraud

Category: Cyber Threats, Cybercrime, pci dss | DISC @ 11:26 pm

Some basic advice has been issued by Apacs, and includes:

    * Don’t let your cards or your card details out of your sight when making a transaction
    * Do not keep your passwords, login details or Pins written down
    * Do not disclose Pins, login details or passwords in response to unsolicited emails
    * Only divulge card details over the phone when you have made the call or when you are familiar with the company
    * Access internet banking or shopping sites by typing the address into your browser. Never enter your personal details on a website you have accessed via a link from an e-mail
    * Shop at secure websites by checking that the security icon is showing in your browser window (a locked padlock or an unbroken key)
    * Always log out after shopping and save the confirmation e-mail as a record of your purchase

For more advice you can visit:

Spotting and avoiding common scams, fraud and schemes online and offline

How the scam works and what you need to do about it.

Online payment Security and Fraud Prevention

Tags: Australia, Business, Credit card, Financial services, fraud, Internet fraud, Online banking

Jun 09 2011

Citi credit card security breach discovered

Category: Security Breach | DISC @ 10:42 am


“Citigroup says it has discovered a security breach in which a hacker accessed personal information from hundreds of thousands of accounts.

Citigroup said the breach occurred last month and affected about 200,000 customers.”

“During routine monitoring, we recently discovered unauthorized access to Citi’s account online,” said Citigroup, in a prepared statement. “A limited number — roughly 1 percent — of Citi bankcard customers’ accounting information (such as name, account number and contact information including email address) was viewed.”

According to its annual report, Citigroup has about 21 million credit card accounts in North America, where the breach occurred.

The statement went on to say that the customers’ Social Security numbers, dates of birth, card expiration dates and card security codes “were not compromised.”

The Citigroup incident was found by routine monitoring, which clearly shows that the intrusion was not detected while it was happening but only after the fact. The cost of a cyber intrusion increases the later the incident is detected. Organizations should shift their corporate strategy to a more proactive approach, in which they maintain, monitor and improve security controls based on the current value of the information asset.

If you’re a Citibank customer, we suggest you take a look at your account and immediately report any irregularities.

Stopping Identity Theft: 10 Easy Steps to Security

Tags: Citigroup, Credit card, Customer, Financial Times, Online service provider, PlayStation Network, Security, Social Security number

Dec 19 2010

Protect your credit card information and avoid Fraud

Category: cyber security | DISC @ 10:51 pm

Essentials of Online payment Security and Fraud Prevention

As we all know, credit card fraud is on the rise, and crooks are using more advanced techniques to acquire credit card information. In these circumstances anyone can lose their private and credit card information to crooks. Individual due diligence is necessary to protect credit card information, and below are a few measures that can help.

– At least once a year (or preferably every 6 months) report each one of your cards missing, so that your credit card company issues you a new card. This is because crooks often steal credit card info but wait until they have collected many (at least a million) before they sell them, and this process typically takes a year (according to the FBI). So most of the time your credit card info may be compromised without you knowing about it until the crook sells it to a buyer; then, in a matter of 1-2 weeks, you get hit by tons of purchases, and before you know it your credit card is maxed and you are stuck proving it wasn’t you.

– Sign up with, instead of the many identity theft programs that your bank offers. This program costs about $80-$100 a year (similar in cost to what banks like Chase and WFB offer), but it TRULY covers all the costs you incur when your identity is stolen and your cards are maxed. They do by far MORE than the other programs that banks offer and cover all the costs you may incur (including replacing your PC if it is infected with a virus).

– If anyone calls you (from Visa, MC, AmEx or any credit card company) and tells you anything like your credit card has been used, stolen, etc., get their telephone number and tell them you will call them back before you say ANYTHING to them. Then call the 800 number on the back of your card and verify that the phone number they gave you is indeed a valid number. Do NOT give anything, especially the 3 digits off the back of your card, to anyone who calls you.

– As always, do NOT enter your ATM card PIN into any email.

– Do NOT open any emails from anyone that you do NOT know. If you do, and a .pdf file is attached, make sure it makes sense that the sender has sent you this file; otherwise do NOT open the .pdf file. Many viruses are embedded in .pdf files (not pictures or txt files, just .pdf).

– If you do on-line banking (as we all do), do NOT do bill payment, or if you do, check the balance in your account once a day. Also, if possible, contact your bank and BAN any WIRE TRANSFERS from your account. Tons of wire transfer fraud has happened during the past year or two and people have LOST THEIR MONEY; the banks have NO obligation to repay even if you can prove you didn’t do the transfer. They say that your computer was hacked and that is YOUR fault, not theirs. Check your bank account balances DAILY, as with a wire transfer you have 24 hours (in most cases) to reverse it, but once it is gone your money is GONE and you may never be able to get it back.

– NEVER give your laptop for repair or upgrades to anyone that you do NOT know really well. Once your laptop or computer is in the hands of a crook, he can install spyware and other programs that go into the core of your PC, and nothing, as in NOT EVEN FORMATTING YOUR HARD DISK, can get rid of the virus or spyware. Your only option is to throw away your PC and buy a new one.

– When online, if you happen to go to a website that has many different items on it, such as “Sarah Palin’s info”, “Earthquake victims”, “Las Vegas Deals”, etc., DO NOT open any files or documents (don’t click on them). These websites are put together by very smart crooks who want to attract people, so they have a variety of info posted, but each article has a virus/spyware loaded in it, and if you click on it the virus will be loaded onto your PC; from that point on they can monitor your keyboard entries, even the screens you look at. Avoid any website that has an unusual or strange collection of info on it.

– Have one credit card with a low limit ($1000-$2000) only for use on internet purchases.

– Have another card with an even lower limit ($500) only for use at gas stations. Gas stations have the highest rate of fraud because the pumps have readers/PIN pads in them that are really old and do NOT have any security features. So have a very low limit card only for use at gas stations.

– Have one or more high-limit cards that you only use when you purchase something that you SIGN for, and always check your statements at the end of the month.

Tags: Business, Consumer, Credit card, Financial services, Identity Theft, Merchant Services, Sarah Palin, Wire transfer

Aug 23 2010

13 Things an Identity Thief Won’t Tell You

Category: Identity Theft | DISC @ 11:10 am

Stopping Identity Theft: 10 Easy Steps to Security

by Reader’s Digest Magazine, Thu Aug 12, 2010. Interviews by Michelle Crouch

Former identity thieves confess the tactics they use to scam you.

1. Watch your back. In line at the grocery store, I’ll hold my phone like I’m looking at the screen and snap your card as you’re using it. Next thing you know, I’m ordering things online, on your dime.

2. That red flag tells the mail carrier, and me, that you have outgoing mail. And that can mean credit card numbers and checks I can reproduce.

3. Check your bank and credit card balances at least once a week. I can do a lot of damage in the 30 days between statements.

4. In Europe, credit cards have an embedded chip and require a PIN, which makes them a lot harder to hack. Here, I can duplicate the magnetic stripe technology with a $50 machine.

5. If a bill doesn’t show up when it’s supposed to, don’t breathe a sigh of relief. Start to wonder if your mail has been stolen.

6. That’s me driving through your neighborhood at 3 a.m. on trash day. I fill my trunk with bags of garbage from different houses, then sort

7. You throw away the darnedest things: preapproved credit card applications, old bills, expired credit cards, checking account deposit slips, and crumpled-up job or loan applications with all your personal

8. If you see something that looks like it doesn’t belong on the ATM or sticks out from the card slot, walk away. That’s the skimmer I attached to capture your card information and PIN.

9. Why don’t more of you call 888-5-OPTOUT to stop banks from sending you preapproved credit offers? You’re making it way too easy for me.

10. I use your credit cards all the time, and I never get asked for ID. A helpful hint: I’d never use a credit card with a picture on it.

11. I can call the electric company, pose as you, and say, “Hey, I thought I paid this bill. I can’t remember, did I use my Visa or MasterCard? Can you read me back that number?” I have to be in character, but it’s unbelievable what they’ll tell me.

12. Thanks for using your debit card instead of your credit card. Hackers are constantly breaking into retail databases, and debit cards give me direct access to your banking account.

13. Love that new credit card that showed up in your mailbox. If I can’t talk someone at your bank into activating it (and I usually can), I write down the number and put it back. After you’ve activated the card, I start using it.

Tags: Automated teller machine, Business, Credit card, debit card, Financial services, Identity Theft, MasterCard, Visa

Aug 09 2010

Identity theft: How to protect your kids

Category: Identity Theft | DISC @ 10:34 am

Stopping Identity Theft: 10 Easy Steps to Security

Identity theft that targets children is rising. Here are five steps to protect your family.

By Alissa Figueroa

Identity theft has grown into a multibillion-dollar problem. And it’s not only adults who are targeted.

At least 7 percent of the reported cases of identity theft target children. The number could actually be much higher, since many families don’t discover theft until a child applies for credit.

And the problem is likely to get worse before it gets better, the Associated Press reports, as identity thieves steal children’s dormant Social Security numbers and use them to create phony lines of credit and rack up debt, sometimes for years.

The scam, which has popped up only in the last year, is difficult to guard against, says Linda Foley, cofounder of the Identity Theft Resource Center (ITRC), an organization that offers counseling and resources to identity theft victims. The ITRC has seen a notable jump in the number of child identity-theft cases in the last year, reaching about 9 percent of its caseload this month.

“There’s no way to protect your child completely,” says Ms. Foley. That’s partly because these thieves are likely using sophisticated programs that mine for dormant numbers through school or doctor’s office databases, which often require that children’s Social Security numbers be provided. And partly because tactics for selling the numbers are constantly evolving, making this kind of theft difficult to track.

Since credit issuers do not keep track of the age of Social Security number holders, they cannot alert families when a child’s number is being used. That’s something Foley’s organization has been trying to change since 2005, and a protection she considers vital for preventing child identity theft on a large scale.

There is some advice that parents can follow, though, to reduce the risk of identity theft:

1. Be cautious with your child’s Social Security number. Always ask why an organization needs the number and, when possible, do not give it out. Be careful about which individuals, even friends and family, have access to your child’s number. Many identity thieves know their victims. Destroy extra documents that list your child’s number.

2. Talk to your kids about identity theft. Teach children not to divulge their personal information on the telephone and online.

3. Do not check your child’s credit report unless you have reason to believe there’s a problem. A minor should not have a report unless someone has applied for credit using that child’s Social Security number. Ordering reports unnecessarily can establish a credit report, opening a door to thieves, according to the ITRC.

4. Watch for red flags. If you receive pre-approved credit card offers or calls from collection agencies, run a credit report on your child immediately to see if there has been fraud.

5. Contact an identity theft specialist if you suspect a problem. There are several resources for families concerned with issues of identity theft. Visit the ITRC’s website for facts and information, or call its hotline at (888) 400-5530. You can also find information on the Federal Trade Commission’s identity-theft-prevention website.

Tags: Credit card, crime, Federal Trade Commission, Identity Theft, ITRC, Linda Foley, Social Security number, Theft

Jul 10 2010

FTC Says Scammers Stole Millions, Using Virtual Companies

Category: Cybercrime | DISC @ 11:23 pm

100% Internet Credit Card Fraud Protected

by Robert McMillan

The U.S. Federal Trade Commission has disrupted a long-running online scam that allowed offshore fraudsters to steal millions of dollars from U.S. consumers — often by taking just pennies at a time.

The scam, which had been run for about four years, according to the FTC, provides a case lesson in how many of the online services used to lubricate business in the 21st century can equally be misused for fraud.

“It was a very patient scam,” said Steve Wernikoff, a staff attorney with the FTC who is prosecuting the case. “The people who are behind this are very meticulous.”

The FTC has not identified those responsible for the fraud, but in March, it quietly filed a civil lawsuit in U.S. District Court in Illinois. This has frozen the gang’s U.S. assets and also allowed the FTC to shut down merchant accounts and 14 “money mules” — U.S. residents recruited by the criminals to move money offshore to countries such as Bulgaria, Cyprus, and Estonia.

“We’re going to aggressively seek to identify the ultimate masterminds behind this scheme,” Wernikoff said. According to him, the scammers found loopholes in the credit card processing system that allowed them to set up fake U.S. companies that then ran more than a million phony credit card transactions through legitimate credit card processing companies.

Wernikoff doesn’t know where the scammers obtained the credit card numbers they charged, but they could have been purchased from online carder forums, black market Web sites where criminals buy and sell stolen information.

Small Thefts Overlooked

The scammers stayed under the radar by charging very small amounts — typically between $0.25 and $9 per card — and by setting up more than 100 bogus companies to process the transactions.

U.S. consumers footed most of the bill for the scam because, amazingly, about 94 percent of all charges went uncontested by the victims. According to the FTC, the fraudsters charged 1.35 million credit cards a total of $9.5 million, but only 78,724 of these fake charges were ever noticed. Typically they floated just one charge per card number, billing on behalf of made-up business names such as Adele Services or Bartelca LLC.

As credit cards are increasingly being used for inexpensive purchases — they’re now accepted by soda machines and parking meters — criminals have cashed in on the trend by running this type of unauthorized charging scam.

“They know that most of the fraud detection systems won’t detect anything under $10 and they know that consumers won’t complain about a 20 cent fee,” said Avivah Litan, an analyst with the Gartner research firm who follows bank fraud. “What’s different here is the scale, and that they got away with it for so many years,” she said.
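As an added illustration (my code, not part of the article), here is the defender's side of the pattern described above: a per-charge threshold of $10 never fires on a $0.25-$9 charge, but aggregating by merchant shows a "company" that bills thousands of different cards exactly once each for tiny amounts, which no real shop looks like. The ledger, the merchant names reused from the article, the thresholds and the record layout are all constructed assumptions.

```python
"""Spotting micro-charge fraud by aggregating per merchant instead of judging each charge alone."""
from collections import defaultdict
from statistics import median
import random


def build_sample_ledger(seed=7):
    """Constructed ledger of (merchant, card_id, amount_usd) records; not real data."""
    rng = random.Random(seed)
    ledger = []
    # A genuine coffee shop: a few dozen regulars, repeat visits, mixed ticket sizes.
    for _ in range(400):
        ledger.append(("Corner Coffee", f"card{rng.randint(1, 60):05d}",
                       round(rng.uniform(2.50, 28.00), 2)))
    # A bogus "virtual company": thousands of different cards, one tiny charge each,
    # mirroring the $0.25-$9 range the FTC described.
    for i in range(3000):
        ledger.append(("Adele Services", f"card{10000 + i:05d}",
                       round(rng.uniform(0.25, 9.00), 2)))
    rng.shuffle(ledger)
    return ledger


def per_charge_rule(ledger, threshold=10.0):
    """The naive control the fraudsters counted on: only a single charge at or
    above the threshold is flagged. Returns the flagged records."""
    return [tx for tx in ledger if tx[2] >= threshold]


def merchant_profiles(ledger):
    """Summarise each merchant: distinct cards, share of cards charged exactly
    once, and the median ticket size."""
    cards_by_merchant = defaultdict(lambda: defaultdict(list))
    for merchant, card, amount in ledger:
        cards_by_merchant[merchant][card].append(amount)
    profiles = {}
    for merchant, cards in cards_by_merchant.items():
        amounts = [a for charges in cards.values() for a in charges]
        one_off = sum(1 for charges in cards.values() if len(charges) == 1)
        profiles[merchant] = {
            "distinct_cards": len(cards),
            "transactions": len(amounts),
            "one_off_share": one_off / len(cards),
            "median_amount": median(amounts),
        }
    return profiles


def flag_micro_charge_merchants(profiles, min_cards=500, min_one_off_share=0.95,
                                max_median=10.0):
    """A merchant that charges very many distinct cards once each, for small
    amounts, looks nothing like a real shop. The thresholds are assumptions."""
    return sorted(
        merchant for merchant, p in profiles.items()
        if p["distinct_cards"] >= min_cards
        and p["one_off_share"] >= min_one_off_share
        and p["median_amount"] < max_median
    )


def unfamiliar_small_charges(statement, known_merchants, max_amount=10.0):
    """Cardholder-side check: a small charge from a merchant you have never used
    deserves a dispute even when the amount feels too small to bother with."""
    return [tx for tx in statement
            if tx[2] <= max_amount and tx[0] not in known_merchants]


if __name__ == "__main__":
    ledger = build_sample_ledger()
    bogus_hits = sum(1 for tx in per_charge_rule(ledger) if tx[0] == "Adele Services")
    print("per-charge rule flags from the bogus merchant:", bogus_hits)
    print("merchant-level flags:", flag_micro_charge_merchants(merchant_profiles(ledger)))
```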

Similar Cases Show Trend

In March Alexsandr Bernik of Roseville, California, was sentenced to 70 months in prison for running a similar scam. He put tens of thousands of charges on Amex accounts, each ranging from $9 to $15. Neither federal authorities nor American Express would explain how Bernik obtained his card numbers.

Bernik made his charges on behalf of a fictional corporation called Lexbay Ltd., but in the FTC case, the scammers would mimic legitimate companies — taking real federal tax I.D. numbers and then setting up fake businesses with nearly identical names that appeared to be located nearby. In a move that apparently tricked credit card processors into granting it a merchant account, Adele Services, for example, was set up to mimic a legitimate Bronx, New York group called Adele Organization.

When the scammers tried to register merchant accounts with credit card processors, the processors would do some investigating, but using tricks like these, the scammers were always one step ahead.

In fact, the FTC’s description of their operation reads like a textbook on how to set up a fake virtual corporation in the Internet age.

The criminals used a range of legitimate business services to make it appear to credit card processors as though they were legitimate U.S. companies, even though the scammers may have never set foot in the U.S.

For example, using a company called Regus, they were able to give their fictional companies addresses that were very close to the companies whose tax IDs they were stealing. Regus lets companies operate “virtual offices” out of a number of prestigious addresses throughout the U.S. — the Chrysler Building in New York for example — forwarding mail for as little as US$59 per month.

Mail sent to Regus locations was then forwarded to another company, called Earth Class Mail, which scans correspondence and uses the Internet to deliver it to customers in pdf format.

They used another legitimate virtual business service — United World Telecom’s CallMe800 — to have phone calls forwarded overseas. To further make it seem as though their companies were legitimate, the scammers would set up fake retail Web sites. And when credit card processors asked them to provide information about company executives, they handed over legitimate names and social security numbers, stolen from ID theft victims.

When they had to log into payment processor Web sites, they would do this from IP addresses that were located near their virtual offices, again evading payment processor fraud detection services.

One of the largest payment processors in the U.S., First Data, was a favorite of the scammers. Of the 116 fake merchant accounts the FTC uncovered, 110 were with First Data. The scammers also set up bogus accounts with Elavon and BBVA Compass.

First Data would not comment on the measures it had taken to improve its merchant vetting process, but the company did confirm that it cooperated with the FTC investigation.

Aided by ‘Mules’

To get the money out of the U.S., the scammers had to recruit money mules. These were U.S. residents who were recruited online, often with spam e-mail messages. Under the impression that they were helping offshore businesses, the money mules set up bank accounts and helped the fraudsters move money offshore.

In a letter to the judge presiding over the case, one of the mules, James P. Smith of Brownwood, Texas, says he worked for one of the scammers for four years without realizing that anything illegal was going on. Smith now says he is “ashamed” to be named in the FTC action, and offers to help catch his former boss, who used the name Alex Moore.

The FTC’s Wernikoff believes that whoever is responsible for this crime lives outside of the U.S., but with the money-cashing operation now busted up, the scammers will have to start again from scratch, if they want to keep bilking consumers. And criminal investigators now have a trail to follow.

“Does it prevent the people ultimately responsible from building up again from scratch?” he asked. “No. But we do hope that this seriously disrupts them.”

Tags: American Express, Business, Credit card, Federal Trade Commission, First Data, fraud, FTC, United States

Jun 22 2010

Symantec: SMBs Change Security Approach with Growing Threats

Category: BCP, Malware | DISC @ 1:50 am

By: Brian Prince

A survey of small to midsize businesses from 28 different countries by Symantec found that companies are focusing more on information protection and backup and recovery. Driving these changes is a fear of losing data.

Today’s small to midsize businesses (SMBs) are facing a growing threat from cyber-attacks, and are changing their behavior to keep up.

In a May poll of 2,152 executives and IT decision makers at companies with between 10 and 499 employees, Symantec found SMBs are now spending two-thirds of their time dealing with things related to information protection, such as computer security, backup and archival tasks, and disaster preparedness. Eighty-seven percent said they have a disaster preparedness plan, but just 23 percent rate it as “pretty good” or “excellent.”

Driving the push for these plans, as well as the interest in backup and recovery, is the fear of losing data. Some 42 percent reported having lost confidential or proprietary information in the past, and all of those reported experiencing revenue loss or increased costs as a result. Almost two-thirds of the respondents said they lost devices such as smartphones, laptops or iPads in the past 12 months, and all the participants reported having devices that lacked password protection and could not be remotely wiped if lost or stolen.

In the past, SMBs would settle for having antivirus technology, said Bernard Laroche, senior director of product marketing at Symantec. Now, however, they are starting to realize the threat landscape is changing, he said.

“If you look at endpoint usage … in most SMBs that’s the only place where the information resides because people were not backing up … so if somebody would lose a laptop at the airport or somebody steals the laptop in the back of car or something, then your information is obviously at risk and that can bring a lot of financial impact to small business,” he said.

The survey also found SMBs are spending an average of about $51,000 on information protection. The financial damage for those who suffer cyber-attacks can be significant. Cyber-attacks cost an average of $188,242 annually, according to the survey. Seventy-three percent said they were victims of cyber-attacks in the past year, and 30 percent of those attacks were deemed “somewhat/extremely successful.” All of the attack victims suffered losses, such as downtime, theft of customer or employee information, or credit card data, Symantec reported.

“The concept of, ‘I’ve got an antivirus solution, I’m fully protected,’ I think those days are gone,” Laroche said.

Detailed information on Symantec SMB suites:

Symantec Endpoint Protection Small Business Edition 12.0

Symantec Protection Suite Small Business Edition 3.0

Tags: Backup, Business, Computer security, Credit card, Emergency Management, Small business, SMB, SMB suites, Symantec, Warfare and Conflict

May 18 2010

Taking Credit Card Security Seriously

Category: pci dss | DISC @ 1:33 pm


PCI DSS v1.2: A Practical Guide to Implementation

By David F. Carr @ Forbes

The easiest way for small businesses to address the information security requirements imposed by credit card companies is the wrong way. I’m talking about lying and praying.

In 2004 the major credit card companies got together to define a common Payment Card Industry Data Security Standard (PCI DSS, often referred to as just PCI). They are gradually ratcheting up the pressure on merchants of all sizes to comply. Large companies, and some smaller ones that process a large volume of transactions (particularly if they’re doing it on the Web), are required to have an independent review of their processes and systems by a security professional credentialed as a qualified security assessor (QSA). Most small businesses can instead complete a self-assessment questionnaire, where they essentially grade themselves. That’s where the lying comes in. It’s not so hard to check off all the right answers (“Sure, I review my e-commerce server logs on a daily basis.”) without actually making them true.

If you’re lying, you had better also be praying. If caught, you could be fined for non-compliance, to the tune of tens or hundreds of thousands of dollars, enough to put many a small organization out of business. Expect even harsher treatment if someone hacks your systems and downloads card data you claimed you weren’t even storing.

Most of the requirements are basic security, like making sure there is a firewall between your Internet connection and any system that stores credit card numbers. Factory default passwords on your network equipment must be changed, so that no one can log on as user “admin,” password “admin.” And so on. More specifically, you’re responsible for protecting card holder data, and there’s some data you’re never supposed to store, like the full contents of a card’s magnetic stripe.

Many small businesses are still under the impression that the rules don’t apply to them because they’re too small, or because they don’t conduct e-commerce. Actually, the rules apply to any business, and even any nonprofit, that takes credit card payments. You can look for ways to lighten the compliance burden, but you can’t get yourself off the hook entirely. Even if no one has yet compelled you to complete a questionnaire or conduct an automated scan of your networks, you’re still supposed to be locking down your systems.

Some businesses complain this all sounds too complicated and expensive. But they are missing the point, says Anton Chuvakin, author of PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance. The PCI rules really represent the minimum security standards businesses must meet to be fair to their customers, who, after all, are trusting the merchant every time they hand over a credit card number. In the wake of a card security breach, a larger business might suffer from the fines, damages and adverse publicity resulting from a card security breach. By contrast, “a small business is more likely to be GONE,” Chuvakin said. “Businesses that endanger their customers really do deserve to die.”

If your organization is not equipped to handle credit card data securely, maybe you should not be handling it at all. Look for ways to shift as much of the burden as possible onto a service provider that specializes in secure payment processing. Services such as PayPal and let you forward customers to their websites for payment processing; credit card numbers never pass through your hands at all.

Small businesses such as restaurants that use an older generation of countertop credit card terminals may be breaking the rules inadvertently because the device stores magnetic stripe data or otherwise violates the PCI requirements. So consider upgrading to a payment device that is certified PCI compliant. Basic terminals capable of encrypting Personal Identification Number (PIN) codes and protecting other sensitive information are available for as little as $100 and might even be offered free by merchant account services trying to win your business. The PCI Security Standards Council publishes a list of approved devices. Just remember that using a compliant device is only one element of making your business compliant.

Even if you’re not storing anything explicitly prohibited, you may be storing more credit card data than you need to. Small merchants typically store a day’s worth of credit card numbers on a card swipe terminal, then process all the transactions in a batch at the end of the day. Bigger retailers may record the card numbers in a centralized database so they can track all a customer’s purchases, and so they can retrieve the number if they need to issue a refund. But do you need to retain those numbers at all?

Possible Solutions

Perhaps not. Martin McKeay, a QSA and author of the Network Security Blog, recommends looking at new strategies for using end-to-end encryption and “tokenization.”

For example, payment processor First Data and security software firm RSA Security have developed a product called TransArmor that allows merchants to get authorization for a credit card number and then immediately dispose of the card number, replacing it with a token. The token is another number that acts as a stand-in for the credit card number itself. First Data keeps track of which tokens correspond with which credit card numbers. So if you’re executing previously authorized transactions at the end of the day, you send First Data a batch of tokens, and it relays the card numbers on to the bank. But if the tokens are stolen, by themselves they are worthless to anyone else.

“With this, the only time you need the true credit card number is when you do the authorization,” says Craig Tieken, First Data vice president of merchant product management. “The merchant, in our opinion, no longer needs the card number.” TransArmor is still in beta testing, scheduled for release in the summer of 2010.
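To make the token flow concrete, here is an added toy model (my code, not First Data's or RSA's TransArmor): the PAN is sent once for authorization, the merchant's end-of-day batch holds only tokens and last-four digits, and the processor-side vault alone can resolve a token. The vault, the merchant record layout and the scan an attacker would run over stolen merchant storage are assumptions built for the illustration; the card number is the standard Visa test number.

```python
"""Toy tokenization flow: the PAN is used once to authorize, the merchant keeps only a token."""
import re
import secrets


def luhn_ok(number: str) -> bool:
    """Standard Luhn check; used to tell a real card number from random digits."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Stands in for the processor's token vault. The token-to-PAN table lives
    here only; the merchant never holds it."""

    def __init__(self):
        self._token_to_pan = {}

    def authorize(self, pan: str, amount: float) -> dict:
        if not pan.isdigit() or not luhn_ok(pan):
            raise ValueError("not a valid card number")
        # Random token: nothing about the PAN can be derived from it.
        token = "tok_" + secrets.token_hex(12)
        self._token_to_pan[token] = pan
        return {"token": token, "amount": amount, "approved": True}

    def settle_batch(self, tokens):
        """Resolve tokens back to PANs for forwarding to the bank. Someone who
        merely stole the tokens cannot do this: the mapping is vault-side."""
        return [(t, self._token_to_pan[t]) for t in tokens]


class Merchant:
    """What a small merchant's terminal or database actually retains."""

    def __init__(self, vault: TokenVault):
        self.vault = vault
        self.day_batch = []  # records awaiting end-of-day settlement

    def take_payment(self, pan: str, amount: float) -> str:
        auth = self.vault.authorize(pan, amount)
        # Only the token and the last four digits (for receipts) are stored.
        self.day_batch.append({"token": auth["token"], "last4": pan[-4:], "amount": amount})
        return auth["token"]

    def end_of_day(self):
        settled = self.vault.settle_batch([r["token"] for r in self.day_batch])
        self.day_batch = []
        return settled


PAN_CANDIDATE = re.compile(r"\b\d{13,19}\b")


def find_pans(text: str):
    """The scan an attacker would run over stolen merchant storage: runs of
    13-19 digits that pass Luhn. On a tokenized batch it finds nothing."""
    return [m for m in PAN_CANDIDATE.findall(text) if luhn_ok(m)]


if __name__ == "__main__":
    shop = Merchant(TokenVault())
    shop.take_payment("4111111111111111", 42.50)  # standard Visa test number
    print("PANs recoverable from merchant storage:", find_pans(repr(shop.day_batch)))
    print("settled:", shop.end_of_day())
```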

PCI DSS v1.2: A Practical Guide to Implementation

Tags: Business, Credit card, First Data, Payment Card Industry Data Security Standard, PayPal, Personal identification number, Qualified Security Assessor, Tokenization