Feature
investigators are a little like taxi cabs: holding their card is free, they only charge when you use them, and they are often available at unsociable times. The only difference is that it makes sense to confirm all the legal agreements in advance so that there is no delay when you have to make the phone call.

There is another very good reason to have a Digital Forensics Investigator on call, and this is a bit of inside information – so don’t tell anyone. If you suspect a breach you must report it to the payment brands (PCI 12.9.1), although no time frame is given. A private Digital Forensic Investigator (DFI) can find out an awful lot in a short period of time (maybe even confirm that no breach has occurred at all). More importantly, a Qualified Forensic Investigator (QFI) will be assigned to assess the suspected breach and the subsequent reaction to it. Often days, sometimes even weeks, go by before they have all the legal and commercial agreements in place to start work.

The amount of support and effort a merchant puts into a breach can determine how the payment brands will respond in terms of fines and other financial penalties. In many cases it is not uncommon for the DFI to have covered so much ground prior to the QFI’s arrival on the scene that the QFI really only rubber-stamps the DFI’s findings. Taking a proactive and decisive approach such as this will be considered favourably by the payment brands. Also, the QFI will only share the report with you, whereas the private investigator can conduct a complete real-time risk assessment of the entire organisation rather than just the area of the breach.

So acting in advance of a potential breach, rather than reacting in the face of one, could promise savings in terms of both time and money, as well as helping your ongoing plans and preparations for PCI compliance and improved card data security overall.

DO YOU WANT TO PROSECUTE?
This is a difficult decision and can often be a very expensive course of action, with no promise of a result. Again, ensuring that you are ‘breach-ready’ rather than making rash decisions under the pressures of a breach will ensure a smoother response. Most companies feel violated when they have been breached and the initial reaction can be an emotional one. However, if this is discussed in advance then a more reasonable, measured approach can be decided upon and, if litigation is probable, then lawyers, and methods to protect evidence, can be established ahead of time. A formal litigation strategy can be agreed in advance with the expert input of a forensic investigator, who will be able to draw upon a range of experiences, all of which will help to form your strategy.

HOW CAN YOU REDUCE YOUR RISK OF A BREACH?
In a nutshell, you need to become a hard target so that fraudsters move on to softer targets. Working towards PCI compliance will help, but many companies install file integrity checking software and Intrusion Prevention Systems purely to meet PCI compliance and subsequently fail to fine-tune them, or do not react when they produce a report. PCI DSS is a ‘minimum’ requirement and merchants will often only enforce the minimum, when their business and data assets would be better protected by additional controls.

Another less obvious area to consider in advance, besides breach profiling, is fraudulent activity in the most basic sense of the word (either in-house or from external sources). If you can identify and stop fraud before the transactions are closed, or use post-transaction analysis to identify systematic fraud, then it is possible to harden your systems and processes and successfully deter larger breaches in future.

At The Logic Group we follow the ‘PPP’ mantra in our approach to card fraud and data breaches, which stands for ‘Prevent, Protect, Pursue’.

Prevent: The use of fraud prevention tools and fraud detection analysis to reduce the number of fraudulent or unnecessary transactions, either in real time or, often, in the form of chargeback or refund analysis.

Protect: Conducting in-depth risk analysis initially to meet PCI compliance but going further, to identify the specific requirements of the merchant and the risks not only to their card data but to all their assets.

Pursue: Ensuring that you have access to a dedicated forensics lab so that you can take steps towards identifying who committed the fraud. Signing up for a hacking awareness training course will also help to decide on the appropriate counter-measures and aid the process of catching fraudsters to prevent repeat offences.

However you decide to approach PCI, credit card breaches and fraud, remember you are working in a very dynamic environment as PCI requirements change and methods of fraud become more sophisticated. So yes, today you may ‘get away’ with reduced effort and costs to achieve compliance or bury a breach; maybe the fraud itself is small enough to absorb; or the fines for non-compliance can be written off just as another ‘cost of doing business’. Even the cost of a formal investigation to identify how, why, where and who may be a manageable undertaking. But when it does become a legal requirement to make a data breach public, or if you are unlucky and news of a breach does filter into the media, then the reputational damage experienced by other major retailers could make itself an unwelcome addition to that list of costs. So the question is... do you feel lucky? RF
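The point above about file integrity checking software that is installed for compliance and then never tuned or acted on, illustrated with an added example that is not from the article or from The Logic Group: a small Python file integrity check that builds a SHA-256 baseline of a directory, rescans it, and separates the changes a person must review from expected churn so that the report it produces is one that actually gets read. The directory contents, the file names and the churn patterns are constructed assumptions for this example.

```python
"""Minimal file integrity baseline with alert triage (constructed example)."""
import fnmatch
import hashlib
import os
import tempfile

# Assumed tuning rule for this example: files matching these glob patterns are
# expected to change between scans (log growth, scratch files) and are reported
# as churn rather than mixed in with the alerts that need a human decision.
EXPECTED_CHURN = ["*.log", "tmp/*"]


def file_digest(path):
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each file path (relative to root, '/' separated) to its digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = file_digest(full)
    return baseline


def compare(baseline, current):
    """Classify every path as added, removed or changed relative to the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def triage(diff, churn_patterns=EXPECTED_CHURN):
    """Split a diff into alerts (needs review) and expected churn (informational)."""
    alerts, noise = [], []
    for kind, paths in diff.items():
        for path in paths:
            entry = (kind, path)
            if any(fnmatch.fnmatch(path, pat) for pat in churn_patterns):
                noise.append(entry)
            else:
                alerts.append(entry)
    return {"alerts": alerts, "noise": noise}


def demo():
    """Scan a constructed directory twice with drift in between; return the triage."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "tmp"))
        files = {  # constructed starting state
            "payment.conf": b"gateway=https://example.invalid\n",
            "app.log": b"started\n",
            "tmp/scratch": b"x",
        }
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        baseline = build_baseline(root)

        # Simulated drift: a config edit and a new script (both must be reviewed),
        # log growth and a removed scratch file (both expected churn).
        with open(os.path.join(root, "payment.conf"), "ab") as fh:
            fh.write(b"debug=true\n")
        with open(os.path.join(root, "unexpected.sh"), "wb") as fh:
            fh.write(b"#!/bin/sh\n")
        with open(os.path.join(root, "app.log"), "ab") as fh:
            fh.write(b"request ok\n")
        os.remove(os.path.join(root, "tmp", "scratch"))

        return triage(compare(baseline, build_baseline(root)))


if __name__ == "__main__":
    result = demo()
    for kind, path in result["alerts"]:
        print(f"ALERT  {kind:8s} {path}")
    for kind, path in result["noise"]:
        print(f"churn  {kind:8s} {path}")
```

The tuning lives entirely in the churn list: an untuned tool reports all four changes with equal weight and the two that matter are lost among the routine ones, which is exactly the "do not react when they produce a report" failure the article describes.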
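The post-transaction analysis that the ‘Prevent’ point refers to, as an added example that is not part of the article or of The Logic Group’s own tooling: a Python pass over a constructed batch of card transactions that flags repeated chargebacks against one card, refunds out of proportion to sales on one card, and a single operator repeatedly refunding the same card (the in-house case the article mentions). The transaction records, card tokens, operator names and thresholds are all constructed assumptions.

```python
"""Post-transaction fraud pattern analysis over a constructed batch."""
from collections import Counter, defaultdict

# Constructed sample batch. 'card' is a tokenised reference, never a PAN;
# 'operator' is the staff account (or the acquiring bank) that raised the entry.
SAMPLE = [
    {"id": 1,  "card": "tok_A", "type": "sale",       "amount": 40.00,  "operator": "till3"},
    {"id": 2,  "card": "tok_A", "type": "chargeback", "amount": 40.00,  "operator": "bank"},
    {"id": 3,  "card": "tok_A", "type": "sale",       "amount": 55.00,  "operator": "till3"},
    {"id": 4,  "card": "tok_A", "type": "chargeback", "amount": 55.00,  "operator": "bank"},
    {"id": 5,  "card": "tok_B", "type": "sale",       "amount": 120.00, "operator": "till1"},
    {"id": 6,  "card": "tok_B", "type": "refund",     "amount": 120.00, "operator": "till1"},
    {"id": 7,  "card": "tok_B", "type": "sale",       "amount": 80.00,  "operator": "till2"},
    {"id": 8,  "card": "tok_B", "type": "refund",     "amount": 80.00,  "operator": "till1"},
    {"id": 9,  "card": "tok_B", "type": "refund",     "amount": 30.00,  "operator": "till1"},
    {"id": 10, "card": "tok_C", "type": "sale",       "amount": 15.00,  "operator": "till2"},
    {"id": 11, "card": "tok_C", "type": "sale",       "amount": 22.50,  "operator": "till2"},
]


def analyse(transactions, min_chargebacks=2, refund_ratio=0.5, min_operator_refunds=3):
    """Return a list of (pattern, subject, measure) findings.

    Thresholds are constructed defaults; a real deployment tunes them against
    the merchant's own history rather than accepting these values."""
    totals = defaultdict(lambda: {"sale": 0.0, "refund": 0.0, "chargebacks": 0})
    refund_pairs = Counter()  # (operator, card) -> number of refunds keyed
    for t in transactions:
        card = totals[t["card"]]
        if t["type"] == "sale":
            card["sale"] += t["amount"]
        elif t["type"] == "refund":
            card["refund"] += t["amount"]
            refund_pairs[(t["operator"], t["card"])] += 1
        elif t["type"] == "chargeback":
            card["chargebacks"] += 1

    findings = []
    for token, c in sorted(totals.items()):
        if c["chargebacks"] >= min_chargebacks:
            findings.append(("repeat_chargebacks", token, c["chargebacks"]))
        # Refund value relative to sales value; a card refunded more than it
        # ever bought is the clearest systematic signal in a batch like this.
        if c["sale"] > 0 and c["refund"] / c["sale"] > refund_ratio:
            findings.append(("high_refund_ratio", token, round(c["refund"] / c["sale"], 2)))
    for (operator, token), n in sorted(refund_pairs.items()):
        if n >= min_operator_refunds:
            findings.append(("operator_refunds_same_card", f"{operator}:{token}", n))
    return findings


if __name__ == "__main__":
    for pattern, subject, measure in analyse(SAMPLE):
        print(f"{pattern:28s} {subject:14s} {measure}")
```

Each finding is a lead for review, not a verdict: the value of the pass is that it turns a batch nobody reads into three specific questions, which is the "identify systematic fraud" step that lets the systems and processes behind it be hardened.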
ISSUE 4 AUGUST 2009 • 31