Entries tagged with “heather mark”.


New Harris Poll released last week led some insights into consumer views on mobile payments.  Among the highlights of the poll is that more than 60% of respondents believe that smartphone payments will eventually replace cash and card payments.  This number is very high when compared with the number of respondents that have actually made (4%), or even witnessed (8%), a smartphone payment.  What’s more, far fewer respondents believe that this transition will occur within the next five years.  Contrast this with the media “Year of Mobile” pronouncements (that have occurred for the last two years, at least) and one would rightly ask where the disconnect is.  Media keeps saying mobile payments are imminent, while consumers seem to be hesitant.

One of the major variables for most consumers in using smartphone payments is the question of security.  According to the Harris Poll, “Among those who indicate being either not very or not at all interested in being able to make smartphone payments, security is a clear, if predictable, factor: half (51%) say they don’t want to store sensitive information on their phone, and four in ten (40%) don’t want to transmit sensitive information to a merchant’s device.” (Here is should be noted that there are mobile payment products that allow payments to be made without (1) storing payment data on the consumers phone or (2) transmitting sensitive data to the merchant’s device.)  Another significant portion weren’t interested in making smartphone payments simply because they did not own a smartphone.

So I put it to you, reader.  What do you think about smartphone payments?  Have you made one? Would you make one?  What factors or criteria are necessary for you to adopt this new technology?  Or are you just waiting for it to reach critical mass  so that it’s available in places that you frequent?

You may have seen headlines (small ones, but headlines nonetheless) regarding the re-authorization of the Safe Web Act.  The full name of the act, which is far more descriptive of its actual function, is ‘‘Undertaking Spam, Spyware, And Fraud Enforcement With Enforcers beyond Borders Act of 2006.’’  As implied in its title, the bill was originally passed in 2006, but was set to expire this year unless it was re-authorized.  On Dec. 7, 2012, President Obama re-authorized the act until 2020.  So does this mean that the web is now safe all the time for everyone?  No, but it allows the Federal Trade Commission certain powers that enable them to find and prosecute scammers, even if they are not domestic criminals.

The main thrust of the act is to allow the FTC to go beyond the US borders when investigating online criminal activity, especially as related to consumer protection. the act empowers the FTC to share information about scams and the criminals behind them with foreign law enforcement agencies.  Previously, the FTC had been restricted to sharing only with other US agencies.  Additionally, the FTC is empowered to aid foreign agencies in the investigation of online scams.  Further, the FTC will have the right to get information from foreign agencies.  The law provides “enhanced investigative and litigating tools” to the FTC to allow them to pursue investigation and actions more effectively.

This is not a complete summary of the law, but it does allow consumers to know that the FTC takes online scams and fraud very seriously and has been empowered, through 2020, to pursue these criminals even if they are not within the boundaries of the United States.  As Mary Bono Mack (R-CA), the bills lead sponsor says, “This is a win-win. It’s good for American consumers. It’s good for the future of e-commerce. And it’s the right thing to do for our nation and our friends around the world.”

A major national insurance company announced this week that its network had been compromised and more than 1 million customer records were stolen. Among the data included in the breach are “people’s names and a combination of Social Security numbers, driver’s license numbers, their date of birth, and possibly marital status, gender, and occupation, as well as the names and addresses of employers.”  A company spokesperson said that there is no evidence that credit card information or medical information was involved in the breach.  Affected individuals are being notified and offered free credit monitoring services.

It is interesting to note that this is the latest compromise in which sensitive personal information was stolen, while credit card data seems not have been involved.  A few months ago, South Carolina had a similar type of incident in which social security and banking information was compromised, while the encrypted cardholder data remained secure.  Now, I don’t have any details or knowledge of these events outside what is printed in the releases or articles, but it does leave me thinking of a very important reminder: PCI DSS only addresses cardholder data, not any other sensitive personal information.  Birth dates, routing numbers, social security numbers and other sensitive are left out in the cold with respect to PCI DSS, though they merit just as much, if not more, protection than cardholder data.

PCI DSS only applies to cardholder data.  It provides a baseline of protection for credit and debit card information.  Nowhere in its requirements does the PCI DSS require companies to protect social security numbers, bank routing information, birthdates or any other sensitive information.  Many companies take great pains to comply with PCI DSS and the standard has done a lot of positive things for an industry that desperately needed to implement strong security.  However, simply being PCI DSS compliant does not mean that all the sensitive data in an organization’s environment is protected.  A serious obstacle to overall security arises when companies believe that compliance with PCI DSS equates to security.

PCI DSS provides a good launching point for security initiatives.  Many of the requirements contained in the standards are best practices (if not requirements) for other types of data, as well.  It is tempting, particularly with so much focus on compliance, to focus on PCI DSS and cardholder data to the exclusion of everything else.  It’s important to remember, though, that companies have many types of data in their networks.  Companies would be well-served to conduct a data inventory, find out what they really need and what they don’t need to keep.  If it is needed, then it should be adequately protected. If it is not needed, it shouldn’t be stored.  Excess data is excess liability.

“The times are tough now, just getting tougher  - This old world is rough, it’s just getting rougher - Cover me, come on baby, cover me” – Bruce Springsteen 1984

Businesses work very hard to build their brand.   Small businesses are no different.  Establishing trust and loyalty among the customer base is essential to the longevity of any business.  Many companies focus on marketing and sales relationships to ensure that connection between customer and company continues to grow.  Social media, direct mailings, radio and tv advertising, print advertising, and data security and privacy policies all contribute to the growth of brand trust.  What a minute!  Did I say data security and privacy policies?  You betcha!  This is what I like to refer to as “brand security.”  Businesses spend an inordinate amount of time and money on establishing a brand that customers trust.  One of the fastest ways to lose that trust is to suffer a data security breach or to violate customer privacy.  For that reason, I often refer to data security and privacy programs as “brand cover.”

I’m going to borrow heavily, and probably poorly, from law enforcement and military actions here.  When you go into action, you generally have a forward team and then you have a team that provides “cover.”  This team keeps an eye out for threats that may not be visible or apparent to the forward team, but pose significant risk.  In the business world, one can think of your sales and marketing efforts as the forward team, while data security and privacy programs provide the cover.  You marketing and sales efforts move the company forward and increase awareness.  Your data security and privacy programs help to mitigate unseen, and sometimes unknown, risks to your brand’s integrity.  In fact, some larger organizations, particularly not-for-profits, are more concerned about brand damage in the event of a security or privacy compromise, than they are the fines that may be associated.

For small businesses, implementing and enforcing data security and privacy policies can seem daunting.  The Better Business Bureau, though, has put together a primer for businesses to help them develop these programs.  If you accept debit and credit card transactions, you can look for services to help minimize how much of that sensitive payment data your business stores.  You can also undertake an inventory to see just what data you are collecting and storing and how you are protecting it.  You can also evaluate the partners that you use and how you share data with them. Understanding your data can ultimately serve as a very effective means of protecting your company, your brand, and your customers.

For those of us in the security space, it’s common to hear about crime rings based out of Eastern Europe that are targeting US companies and consumers.  Stealing the data and selling it to make a fast buck has been something that we prefer to identify as something that happens from abroad.  A recent report from ID Analytics, though, tells us that we have plenty of trouble with that particular crime here at home.

ID Analytics, a leader in consumer risk management, has undertaken a study to identify crime rings in the US that specialize in identity theft.  According to the report,  there are more than 10,000 separate crime rings operating in the United States.  Those rings appear to be most highly concentrated  in Washington D.C.; Detroit; Tampa, Fla.; Greenville, Miss., Macon, Georgia; and Montgomery, Ala.    Another unusual finding of the report was that a large number of these rings were comprised of friends and family working together.  You know what they say.  ”The family that defrauds together…”

This report is interesting on a couple of levels.  First, there has been an assumption that Identity Theft is often the work of career criminals.  The report seems to contradict this, pointing out the almost communal nature of identity theft rings.  The individuals work together and even share identity information, like social security numbers, in an effort to get new lines of credits.  Secondly, while we do know that many breaches do originate from abroad, it is important that we not overlook the threat that we face here at home.   Another surprising revelation in the report is the genesis of the crimes.  Again, we tend to think of identity theft as an urban crime.  While most of the victims were city dwellers, the report shows that the crime rings originate largely in rural areas.

It would be interesting to see if longitudinal studies would uncover a relationship between the economic downturn, particularly as it hit these rural areas, and the increase in the formation and activity of identity theft rings.  It is sometimes easy to think of identity theft in the abstract, and that may entice people that wouldn’t be attracted to violent crime as a means of supporting themselves.