Banks get tough on internet security

With CHIP and PIN now delivering results in reduced fraud at the point of sale, UK retail banks are turning their attention to improving their customer verification techniques for internet banking. Malcolm Marshall, partner at KPMG, investigates.

As a result of increasing investment by banks in securing their online services, fraudsters will be looking for easier and cheaper opportunities, which in turn will place on-line retailing at increased risk of attack. The PCI security standard that is being rolled out by VISA and MasterCard can help retailers to prevent criminals turning to them as potentially softer targets.

Increased media coverage of identity theft and more sophisticated fraud attacks, including the use of 'sleeper cells' amongst bank staff, have driven most of the high street banks to conclude that they need to take pre-emptive action.

But it's highly likely that improved security over internet banking will displace fraud elsewhere - to other parts of the bank, or other banks and to retailers - as fraudsters will typically attack the weakest link in the chain. 

Last year, for example, the introduction of CHIP and PIN in the UK resulted in a steep increase in card fraud in countries that have not introduced the technology. There's a real danger that increased anti-fraud efforts by the banks will drive fraudsters to increase targeting of online retailers.

Major on-line retailers and payment service providers have been early adopters of the PCI standard (the Payment Card Industry Data Security Standard) issued jointly by VISA and MasterCard. This is seen by many retailers as purely a compliance challenge. But, used effectively, PCI provides a framework to assess your security and build an effective defence mechanism.

PCI is intended to help retailers as well as banks and card companies. PCI can help retailers to reduce card-not-present (CNP) fraud as well as protect against data theft from internal and external sources. Compliance by payment services providers means that retailers have greater assurance that customer data is secured throughout the payment cycle.

Simon Langley of KPMG's information security team, who has advised merchants across Europe on PCI, says that good planning and open communication with your bank are the best ways to achieve PCI compliance at a reasonable cost. 

'The card schemes are looking to see base levels of security achieved,' he says, 'but they are open to a constructive approach. For example several retailers have agreed to build in compliance with some of the tougher aspects of PCI into their normal technology refresh cycle rather than incurring immediate high cost expenditure.'

Increasingly sophisticated criminals are the common enemy for retailers and banks alike. They will tirelessly seek out the weakest and most lucrative targets - PCI provides a common framework to protect against some of the greatest threats. 

Careful planning will enable you to embed PCI into your own security and fraud prevention systems and processes, improving the payback while managing the cost.

KPMG is exhibiting at Infosecurity Europe 2007, 24–26 April 2007.

28 March 2007