Data Breach Disclosures Needed To Avert Fraud

MUMBAI: Indian cardholders and banks are exposed to higher risks in the absence of any disclosure norms for banks and merchants in the event of a data breach. Security experts see this as a weakness because, with 40 crore credit and debit cards, India is the fourth largest issuer of plastic worldwide and is now attracting the attention of global fraudsters.
In the US, almost all states have in place security breach notification laws which follow the “SB 1386” legislation passed in California in 2002. These laws require any data breach to be immediately reported. In the UK, any breach of a database containing personal data has to be disclosed under the Data Protection Act. In the European Union, a breach notification law was implemented under the Directive on Privacy and Electronic Communications.
“If disclosures are not made, it could cause loss to the card issuing bank and pose challenges to the consumer in resolving subsequent fraud,” said Nitin Bhatnagar, SAARC sales head, SISA Information Security, a firm that audits and certifies security standards in firms worldwide. He added that by publicizing a data breach, banks and merchants can take the help of regulators and assist them in resolving the issue.
Global disclosure norms are somewhat like product recall laws. They enable pre-emptive measures such as the issue of fresh cards by banks. They also enable customers to place limits on transactions even if the breach has not resulted in a subsequent fraud. In India too, thousands of cards were cloned last year in what industry officials believe was the result of malware at a retail chain. Although banks went for a massive card replacement, the nature of the security breach or the number of cardholders affected was never disclosed.
Last month, Target, a large US retail chain, announced that up to 40 million customers’ credit and debit card information had been stolen from people who shopped in stores from Nov. 27 to Dec. 15. Last Friday, the luxury goods department store Neiman Marcus also announced that its database of customer information was hacked last month, the same time as the attack on Target. Target revealed this week that the breach was related to malware infecting the company’s point-of-sale (PoS) terminals, which enabled the malware to capture data from transactions across stores.
Traditionally, retailers in India have not been storing credit card data. But in the last few years that has changed, with many organized retail outlets and e-commerce websites storing card data for customer convenience and their own analytics. There is no law that prevents merchants from storing cardholder information. The only requirement is that the storage system complies with the international Payment Card Industry Data Security Standard (PCI-DSS). A banker said that these norms are as strict as a doctor’s prescription for a heart patient.
But Bhatnagar says that service providers are keener on acquiring the piece of paper that certifies them than on implementing the measures in spirit.
Courtesy: Times of India