FBI Credit Card Ring Bust Exposes PCI Challenges

Published: 22/11/2024   Category: security


Some experts say existence of complex credit card fraud black market a sign that PCI isn’t effective



The publicity around the FBI sting that nabbed dozens of criminals in an international credit card fraud ring provides a good opportunity to reflect on the sophistication of today’s data theft black market and on the importance of organizations looking beyond the baseline security levels set by compliance regulations such as PCI, security experts say.
Announced by the U.S. Attorney’s Office in the Southern District of New York, the criminal investigation was a two-year effort by the FBI into a carding operation that netted 11 arrests in the U.S. and 13 more in other countries. The action uncovered stolen credit card numbers taken from 47 breached organizations. The documents made public with the announcement showed how complex this previously successful carding operation had become, offering everything from sales of credit card numbers to fraudsters by the thousands to the peddling of a large variety of malware to would-be thieves looking to acquire numbers on their own.
“It’s always been exciting when we see such a strong law enforcement action when we see this kind of fraud because we know that it’s very different to actually track down the individuals who are involved in this kind of scheme and it doesn’t happen very often,” says Ben Knieff, director of fraud product marketing at NICE Actimize. “It brings to light for people who aren’t so intimately involved in fighting this sort of fraud how complex and how many different parties are actually involved.”
Some within the security industry say the sting offers yet another piece of evidence of how important it is to move beyond check-the-box compliance.
“The prevalence of credit card theft that this sting clearly demonstrates is a call for security to move beyond check-the-box regulatory compliance and focus on effective security measures,” says Gretchen Hellman, director of product marketing at McAfee. “Regulations can only provide general requirements for security practices, but given the unique nature of every IT environment and the subsequent environmental risk, it is up to enterprises to ensure those practices are effective in protecting customer data.”
Still others go so far as to say this is evidence of PCI’s ineffectiveness as a regulation, charging that the existence of such unchecked commerce in stolen credit card numbers casts a shadow on PCI’s touted successes.
“So, 47 organizations were breached. The real question is will any of them be fined by the PCI Council?” says Tim Erlin, director of IT security and risk strategy for nCircle. “This seems like a significant blow to the effectiveness of PCI. After years of regulation and enforcement, it appears that little progress has been made in actually securing cardholder data. Of course, that assumes the goal of PCI is to secure data. If you look at the PCI DSS as a means of transferring liability for the security of card holder data, then the question of PCI effectiveness can be viewed in dramatically different light.”
Knieff at NICE Actimize wouldn’t go so far. He says he believes PCI has helped the industry make great strides in limiting the number of consumers victimized by card thieves. But he also believes there’s still work to be done.
“PCI absolutely helps but it is not an end all be all. There are still weaknesses in the system,” he says. “Obviously, one of the challenges that we face is that there’s more than one level of PCI compliance on the merchant side. And because they’re relatively well-known it also allows criminals to know who’s likely to be weaker or stronger from a security perspective.”
According to Knieff, PCI and security practices notwithstanding, such complex cybercriminal activity shows that organizations need to focus risk management not only on how they treat sensitive data but also how consumers interact with it.
“It definitely highlights the fact that no matter how hard you try, even if every merchant and every processor and every issuing institution was perfect, you still have weak links at the endpoint,” he says, “which is the consumer entering their information into a phishing site or a skimming device on a POS terminal or an ATM. PCI is good but it’s not good enough to solve all of our problems at this point.”