By Daniel Hunter
With Christmas approaching, and all expectations pointing to another bumper season for e-commerce and credit card transactions, fears are rising that most UK businesses are taking inadequate steps to safeguard customers’ credit card details.
Analysis by Ground Labs, the identity protection specialists, has found that the vast majority of UK businesses hold consumer credit card data unwittingly.
Holding credit card details in this way is a breach of Payment Card Industry Data Security Standards (PCI DSS) compliance obligations and can attract up to a £500,000 fine by the Information Commissioner Officer (ICO) in a case of a data breach.
Latest figures show that £341 million was stolen in the UK in 2011 through credit card fraud. There is a global black market for credit card data and hacking incidents have risen by 19% in the past six months. The UK is consistently among the top three most targeted countries and in August 2012 suffered 69% of worldwide phishing attacks.
Retention of credit card data is an issue for businesses of all sizes. A random survey of security experts who use Ground Labs software across more than 100 consumer-facing businesses found that every one of them had credit card details unwittingly stored on IT equipment. On average more than 1,000 credit card records were found by Ground Labs’ software within each business sampled.
Even businesses that claim to be compliant with agreed global standards for credit card data security hold rogue details, the Ground Labs survey has found. There are various possible reasons for this, all linked to standard computer processes such as browser caches or email duplications.
Amongst the worst examples uncovered was a company that firmly believed it had no records. It was found that the business actually held more than 20 million credit card numbers on servers throughout its network.
“We have more than 1,000 businesses across the UK and Europe that have used our software and every single business found erroneous card records in its IT systems”, said European Director for Ground Labs, Mohamed Zouine. “What we have found is that even those businesses that believe that their systems are clean are carrying records that could be easily acquired by hackers.”
Many UK businesses have adopted an open mind, accepting there may be hidden data, and have already taken steps to identify and resolve any possible problems. Ground Labs is advocating the use of a simple software programme called Card Recon as part of the standard systems maintenance routine to detect and remove credit card details.
Mohamed Zouine added: “We believe a routine check should be as frequent as anti-virus checks. There are many ways in which card details can remain on business’s IT infrastructure unwittingly. Transaction logs sent back from banks, browser caches, email duplications and more can hold sensitive data that has a black market value in the wrong hands and can be used to defraud consumers.”
Zouine added: “The issue for small businesses is that they are far less protected than large corporations. It is relatively easy for an entrepreneurial thief to steal IT equipment or hack in to a business and retrieve valuable credit card data.”
The software is also beneficial for consumers. A similar routine test of 50 PCs and laptops found that all but one of them held credit card details without the owner’s knowledge. “It is surprising to learn that many businesses continue prompting customers to email their credit card information as part of completing a transaction such as a hotel reservation for example’, Zouine commented.
Join us on