Beware! Your credit card info can be misused

[Guest guest]

Beware! Your credit card info can be misused Monday, 03 September , 2007, 08:20 The retail boom is on, e-commerce is thriving and, while the consumer goes merrily a-shopping, security firms are screaming . Beware As you shop your weekend away, you leave behind a trail of credit card information in malls. “Point of sale terminals, bill payment devices, transaction counters and mall applications store your debit/credit card information and it is easy for such data to be collected and misused,†says Srikiran Raghavan, Regional Sales Head, RSA Security, the security arm of EMC Corporation. Globally, over 10 million people are affected by credit card theft every year, estimates the Federal Trade Commission. Increasing instances of skimming (where the card reader can be modified to store information for later use) and online black-marketing of credit card databases imply India is facing a rising threat of fraud driven by neglect - both by card owners and retail houses. Credit card fraud can affect both online and offline

transactions. Sixty per cent of online card fraud occurs only while buying an air ticket, according to experts. Correct card usage In just a swipe of your credit card, the retailer (a restaurant, a mall, a coffee shop) obtains information on Track 1 and 2 data. Track 1 data from the magnetic stripe gives the card

account number, the three-digit card verification value (CVV). This data per se can be misused. Cardholders must ensure that they do not lose sight of their card and observe if the swipe action is repeated, experts advice. Visa says 30 per cent of card frauds currently involve situations where the buyer is not present to physically sign for the transaction. This will rise to nearly 50 per cent by the end of this year. Track 2 data provides the merchant with your account number, expiration date, service code and other discretionary data, which gets stored in the computer terminal. “When storing credit card holder data, truncating data and masking part of the 16-digit number whenever in public is necessary. However, many retailers do not comply with this. Credit card swiping also has many opportunities for identity theft by employees of large retail stores,†warns Dharshan Shanthamurthy, Chief Consultant, SISA Information Security, a Bangalore-based security audit firm. Merchant responsibility Merchants must also buy the right retail automation software to ensure the stored information is not misused. Software used to store information should be certified with Payment Application Best Practices, which specifies what information is private and what may be stored. “Such credit card information usually resides in more than one location - the computer, servers, storage. Retailers should be worried about the risk of multiple storage of client’s information,†says Shanthamurthy, adding, “We have observed very low security awareness levels among merchants in India. They have a long way to go.†However S. Narayanan, Group IT Manager - Infrastructure and Security, Hindustan Unilever Ltd, contends it is not just about ignorance among the retailers. “It will mean additional investment by the merchant. Software programs and card readers will have to change. It is not the law yet. A mandate by the RBI or an amended IT act will be necessary to see such changes. This will take a couple of years.†HUL is one of the biggest suppliers of FMCG (fast moving consumer goods) for malls and stores. India is on its way to becoming a credit card-based economy; and the more we spend, the more information is being collated by fraudsters. “In the next three years, merchants will feel the pain of not installing security. The potential for identity theft will increase dramatically,†warns Raghavan. Global guidelines The sub-continent is lagging in the adoption of the global industry standard PCI DSS - Payment Card Industry Data Security Standard, which is backed by Visa, Mastercard, American Express and Discover. In the US, 35 per cent of Level-1 merchants (top ones) are compliant with PCI DSS. About 30 per cent of their European counterparts are compliant. By end-2008, SISA expects India’s 50 large merchants to be compliant with international guidelines and security standards. Banks and financial services organisations are upgrading security at their data centres in line with this changing scene. “It is in their best interest to save their users’ identity and credit card information,†Raghavan says. Utility providers such as phone,

water and electricity services will adopt more stringent security while dealing with transactions. Protecting consumer information will become a priority for the government-to-consumer (G2C) outlets.

Boardwalk for $500? In 2007? Ha! Play Monopoly Here and Now (it's updated for today's economy) at Games.