According to Javelin Strategy & Researchs 2014 Identity Fraud Report, 13.1 million consumers became a victim of identity fraud in 2013the second highest level on record. This means that 5% of the U.S. population is now being affected by identity fraud every year.
To add to the problem, with essentially every consumer migrating their financial transactions from paper to digital or online, the opportunity for hackers to acquire a consumer's personal information is greater than ever. So what can be done to stop fraud or at least curtail the increase?
The Payment Card Industry (PCI) Security Standards Council's DSS guidelines, which can be traced to 2004when American Express, Discover Financial Services, JCB International, MasterCard and Visa formed the councilare a start. Some of the standards include implementing strong access control measures, regularly monitoring and testing networks and protecting cardholder data.
And there are several additional steps that financial institutions can take to ensure the security of their customers private financial information. What follows are recommendations on how issuers can conquer todays biggest data security challenges:
Issuers need to be more cognizant of where their business is taking place. Especially with the rise of banking agents, financial institutions are now allowing the owner or the employee of a retail outlet to process their customers credit card transactions, such as through a pharmacy, a supermarket or a convenience store. With the rise of third-party organizations handling consumers private banking information, it is critical that issuers know exactly how that information is being accessed.
Too often, banks think that information being accessed on an active machine is the only data that needs to be protected. That is simply not the case. Financial information that is stored on laptops is a major component that is frequently overlooked. It doesnt matter if a laptop or phone is in the process of accessing ones financial information or not, hackers can still attain the information stored on the device regardless. Data at-rest needs to be encrypted when it is at rest so that the physical theft of the devices is not a concern.
Banks and other issuers also need the ability to access the path of personally identifiable information, or PII. Through sniffers or network traffic monitor software, banks can not only determine where certain pieces of information have been, but also if they are being transmitted with or without encryption. They also have the ability to determine which specific network devices are storing PII and make security adjustments based on potential threats.
Banking professionals and other card issuers already have enough tasks on their plates; managing their security infrastructure shouldnt be one of them. If issuers want to be serious about the privacy and security of their consumers identity information, they need to hire a reputable data security partner who can continuously monitor and implement the most appropriate security strategies for both current and emerging security threats in real time.
A manageable encryption policy is also important. Financial institutions should make an encryption policy that is mandatory, yet manageable. This should include the use of encryption with 128-bit keys (or stronger) as well as multiple rounds of testing before the policy is implemented. There should also be an auditing of a sample of systems post-deployment. Role-based controls are another critical component of an encryption policy, where only certain individuals at an organization should have the ability to control or access specific pieces of information. Routine and ongoing audits are of course always suggested as well to ensure that data security and encryption policies are consistently enforced.
The consequences of not securing data are long-lasting and painful. When confidential data is lost and not secured there are many repercussions affecting your business that can be avoided by properly securing the data in the first place.
Mark Hickman is COO of WinMagic, a Toronto-based IT security company.