Cyber Crime

PCI DSS Security Standards Council Compliance Survey Results

Posted by admin on September 25, 2009
Cyber Crime, Web Pro News

A recent survey conducted by Imperva and the Ponemon Institute reflects that companies still struggle to protect consumer data.

The survey of more than 500 U.S. and multinational IT security practitioners shows that, despite the Payment Card Industry’s (PCI) Data Security Standard (DSS), companies still struggle with data security, putting consumers at continued risk of identity theft. In fact, 71% of companies surveyed admit that data security is not a top strategic initiative, and 55% admit to securing only credit card information and not other sensitive information such as Social Security numbers, driver’s license numbers, and bank account details. However, the survey also found that companies taking a strategic approach to PCI compliance have fewer data breaches.

According to press reports, the survey, which covered 560 U.S. and multinational organizations, asked respondents a variety of questions about their investments and deployment of technology to comply with PCI DSS, which was introduced in 2005. It’s an industry standard created by major credit card companies that’s designed to protect customer payment data.

The survey found that 55 percent of organizations secured only credit card information and not other data such as Social Security and driver’s license numbers or bank account details. Also, only 28 percent of smaller companies with 501 to 1,000 employees comply with PCI DSS. That compares with more than 70 percent of large merchants with 75,000 or more employees that claimed they’re compliant.

According to a PCWorld interview, “If you go to the larger organizations to do business, you are more likely to be secure today,” said Amichai Shulman, CTO for Imperva, which makes security software for businesses to comply with PCI DSS. Imperva commissioned the survey from Ponemon Institute, a company that conducts research into privacy and information security policy.

The prime reason that companies don’t comply with PCI DSS is cost, Shulman said. “They don’t go to the effort to be compliant because it’s all or nothing, so they currently do nothing,” Shulman said.

Larger companies find it somewhat easier to handle the costs, he said. On average, companies spend about 35 percent of their IT security budgets on PCI DSS compliance.

Payment card companies mandate compliance, and most merchants are supposed to be compliant by now, according to information on the PCI Security Standards Council’s Web site.

The survey turned up some other disconcerting results. Around 10 percent of the respondents who said they were PCI DSS compliant said they weren’t using basic security software such as antivirus, firewalls and SSL (Secure Sockets Layer), Shulman said.

PCI doesn’t prescribe the use of specific software products but instead promotes practices and general advice, such as using a firewall and antivirus. In recent years, vendors have developed products to make the implementation of PCI DSS easier. Still, the result was surprising and indicative of perhaps continuing confusion or difficulty some businesses are having with PCI DSS.

“I would find it very hard to explain why I’m not using SSL as part of my PCI compliance,” Shulman said. “It seems to me that there is too much room for misinterpretation of the requirement, and companies are abusing it.”

PCI DSS is in the process of being updated, and the survey will be used as input. The PCI Security Standards Council, which was set up by major credit card companies in 2006, is collecting feedback through Oct. 31 on changes to a new version of the standard, due for release in September 2010.

Today’s Web Pro Minute is sponsored by the Adobe Corporation.

Adobe Announces Free eSeminars for Web Professionals

The time is now to be brilliant with your web design and development. Take an hour to join us for complimentary Adobe® Creative Suite® 4 online eSeminars and discover how to redefine the extraordinary in web design and development with Adobe® Creative Suite® 4 Web Premium Software.

Register Today for the Adobe Creative Suite 4 eSeminar Series for Web Professionals


Cyber Fraud: A Few Fast Facts

Posted by admin on September 16, 2009
Cyber Crime

Greetings WOW Members and Web Professionals everywhere!

Last week we podcasted an interesting interview with Laura Mather, PhD, Founder and VP of Product Marketing at Silver Tail Systems, an anti-fraud company, and a volunteer for the Anti-Phishing Working Group (APWG). The topic was the size and scope of cyber crime and what to do about it. To add additional perspective to the topic, for today’s podcast I’ll home in on a few of the specific online fraud details that you should be aware of.

According to a 2008 report on cyber fraud conducted by CyberSource.com, “Managing online fraud continues to be a significant and growing cost for merchants of all sizes.”

According to the survey’s executive summary, total losses from online payment fraud in the U.S. and Canada have steadily increased; for 2007, the report estimates that $3.6 billion in online revenues will be lost to online fraud, up from $3.1 billion in 2006.

A few key findings:

* The percentage of accepted orders later determined to be fraudulent increased slightly.
* The share of incoming orders that merchants decline to accept on suspicion of payment fraud was also up slightly.
* Merchants with order rejection rates near or above the 4.2% rate are rejecting a significant number of valid orders.
* Chargebacks understate fraud loss by as much as 50%.
* Fraud on international orders is over two-and-one-half times as high as on domestic orders.
* Merchants also reject international orders at a rate two-and-one-half times higher.

Whether you’re designing or developing for the enterprise or a small business, it would be worth your time to review the entire survey.


Phishing, Cyber Crime and the Ugly Truth

Posted by admin on September 01, 2009
Cyber Crime, Web Pro News, Web Security

Greetings Web professionals everywhere! The topic for today’s podcast is phishing, cyber crime, the ugly truth, and what we need to know and do about it. To assist us in better understanding the size and scope of the problem, I reached out by telephone to Laura Mather, PhD, Founder and VP of Product Marketing at Silver Tail Systems, an anti-fraud company, and a volunteer for the Anti-Phishing Working Group (APWG).

In this three-minute podcast, Dr. Mather, a former eBay executive, provides key insights into how prevalent the issue has become, what we need to know as Web professionals, and anti-phishing educational resources we can share with our customers. She also asks that we participate with feedback as well.

According to Wikipedia, in the field of computer security, phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public. Phishing is typically carried out by e-mail or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Even when using server authentication, it may require tremendous skill to detect that the website is fake. Phishing is an example of social engineering techniques used to fool users, and exploits the poor usability of current web security technologies. Attempts to deal with the growing number of reported phishing incidents include legislation, user training, public awareness, and technical security measures.

A phishing technique was described in detail in 1987, and the first recorded use of the term “phishing” was made in 1996. The term is a variant of fishing, probably influenced by phreaking, and alludes to baits used to “catch” financial information and passwords.

Today’s Web Pro Minute is sponsored by the crew at An Event Apart, a conference taking place in Chicago, IL in October 2009 at the Sheraton Hotel and Towers. The conference is from the makers of A List Apart: An Event Apart is an intensely educational two-day conference for passionate practitioners of standards-based web design. Save $100 when you register with discount code AEAWOW. Check it out today and save!
