Thursday, June 2, 2011

Recent credit card and identity data breaches

The recent spate of serious data breaches, in which vast amounts of highly confidential credit card and identity data were compromised, is again forcing a rethink of the practice of permanently storing such data online: in databases, in "secure" storage devices or on networks.

If security defences were able to do the job of protecting data, there would be no data breaches. If defences, security plug-ins, fraud alert systems and the like all did exactly what their vendors claim, there would be no data breaches and everyone's highly confidential data would be totally safe.

But the uncomfortable truth is that an inherent risk to any highly sensitive and confidential information, including credit card and identity data, will always remain once that data is taken and permanently stored electronically somewhere, especially online.

These risks vary, of course. If the company handling or permanently storing your information within their systems is not PCI DSS compliant, the risk is highly elevated; indeed, they should not be touching credit card data at all without PCI DSS compliance. If the company handling or permanently storing your credit card and/or identity data is PCI DSS compliant, the risk is significantly reduced.

It is important to note that PCI DSS compliance does not 100% guarantee the security of your highly sensitive credit card and identity data. Even the Payment Card Industry Security Standards Council (the body that maintains the PCI DSS standard) will confirm this: compliance is assessed at a point in time, and an organisation that passed its last assessment can still be breached.

Your credit card data is amongst the most confidential personally identifiable data you own, and you therefore have a fundamental right under Australian privacy law to determine what happens to it: who gets to store it online and who doesn't.

Not only do you have these rights, but it is also incumbent upon any organisation, person or entity handling this data of yours to inform you what is about to happen to your personally identifiable data, especially sensitive credit card data.

Let me ask you this: the last time you paid by credit card online using an automated credit card payment processing system, were you told that they would be permanently storing your credit card data within their systems, and that it is unlikely you will be able to have it deleted?

I'm not talking about being the recipient of "sales" talk about how safe they believe their systems are ("super encryption", "one way hash", "secure vault" and so on); I'm talking about the cold hard fact that your credit card data is being taken from you online and permanently stored somewhere within their systems without your being able to have it removed.

Much of the world is currently at war with many forms of "cyber-hacking" or "cyber-crime" that target sensitive information, including credit card and identity details.

I believe the time is now to start exercising some control over which of your highly sensitive information you will allow to be taken from you and permanently stored online, especially credit card and identity data. That control can simply mean deciding not to allow your highly confidential information to be permanently stored online.

If your sensitive data doesn't exist online, or in any storage device or system, then no matter how good the "cyber-hacker", your sensitive data is simply not there to be stolen. For confidential information of any kind, not just credit card and identity data, not storing it is the strongest protection there is against a breach of stored data. The one caveat is that the data still has to pass through the payment system at the moment of authorisation, so it is exposed in transit and in memory for that moment; what not storing it removes is the far larger window in which data sitting at rest can be taken.
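To make the "nothing stored, nothing to steal" principle concrete, here is an added illustration of what a merchant-side system may retain after a card authorisation and how to verify that no full card number survives at rest. This is example code written for this page; it is not e-Path's code and not code from the original post. The acquirer call is a hypothetical stub that returns a constructed authorisation code, the sample card is the standard 4111 1111 1111 1111 test number, and the masking and "no CVV after authorisation" rules follow PCI DSS requirements 3.3 and 3.2.

```python
# Added illustration of "don't keep what you don't need": the only record a
# merchant writes after a card authorisation, plus a scan that proves no full
# PAN survives at rest. Not e-Path's code; the acquirer call is a stub.
import json
import re
from datetime import datetime, timezone

# Constructed sample payment, as it would arrive from a checkout page.
SAMPLE_CARD = {"pan": "4111 1111 1111 1111", "expiry": "12/14", "cvv": "123",
               "name": "J. Citizen"}


def luhn_valid(pan: str) -> bool:
    """Luhn check (ISO/IEC 7812) that separates a real PAN from a random digit run."""
    digits = [int(c) for c in pan]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                     # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits (the PCI DSS 3.3 masking limit)."""
    pan = re.sub(r"\D", "", pan)
    if not luhn_valid(pan):
        raise ValueError("not a valid PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def authorise_with_acquirer(card: dict, amount_cents: int) -> str:
    """Hypothetical stand-in for the acquirer call. A real gateway sends PAN, expiry
    and CVV to the acquirer over TLS and gets an authorisation code back; this stub
    only returns a constructed code so the example runs offline."""
    assert luhn_valid(re.sub(r"\D", "", card["pan"]))
    return "A1B2C3"


def process_payment(card: dict, amount_cents: int) -> dict:
    """Authorise, then build the only record that is ever written to disk.
    Full PAN, expiry and CVV are deliberately never copied into it: CVV must not
    be stored after authorisation at all (PCI DSS 3.2), and keeping no PAN means
    a breach of this storage yields nothing usable."""
    auth_code = authorise_with_acquirer(card, amount_cents)
    return {
        "masked_pan": mask_pan(card["pan"]),
        "auth_code": auth_code,
        "amount_cents": amount_cents,
        "authorised_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }


_DIGIT_RUN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def contains_pan(text: str) -> bool:
    """Scan anything persisted (DB rows, log lines, backups) for a Luhn-valid
    13-19 digit run. Spaces and dashes are removed first so '4111 1111 ...' is caught."""
    normalised = re.sub(r"[ \-]", "", text)
    return any(luhn_valid(m.group()) for m in _DIGIT_RUN.finditer(normalised))


def record_is_clean(record: dict) -> bool:
    """The check to run against what actually lands in storage or logs."""
    serialised = json.dumps(record)
    return (not contains_pan(serialised)
            and "cvv" not in record
            and "expiry" not in record)


if __name__ == "__main__":
    rec = process_payment(SAMPLE_CARD, 1999)
    print(json.dumps(rec, indent=2))
    print("stored record clean:", record_is_clean(rec))
    # The classic "log the request for debugging" mistake that the scan catches:
    print("leaky log line:", contains_pan("INFO checkout card=4111-1111-1111-1111 amount=1999"))
```

The useful part for a practitioner is `contains_pan`: run it over database dumps, application logs and backups, not just the record you intended to write, because the PAN that gets stolen in practice is often one that leaked into a debug log rather than the one in the payments table.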

e-Path is the first credit card payment gateway designed from the ground up to put the security of cardholder data first for a change. We enable credit card payment authorisations from the internet where credit card and identity data is NEVER permanently stored anywhere within our systems online.

If you are an online business, then by offering your customers the option to pay via a payment gateway that does not permanently store credit card and identity data within its systems, such as e-Path, you are offering them a superior level of security.

At the risk of repeating myself, the fact is that the overwhelming majority of credit card and identity data theft in the world today does not need to happen; you just need to choose the right payment gateway!

... just a thought
Peter Thwaites