A significant number of websites do not enforce adequate security for online payments, leaving their customers at greater risk of identity theft and fraud, according to recent analysis by Deloitte Enterprise Risk Services.
The analysis looked at over 100 Irish-based e-commerce websites and examined the security in place for online payments. While some progress has been made in complying with the Payment Card Industry Data Security Standard (PCI DSS), a significant proportion of the websites analysed are still not compliant. 53% of the sites supported weak or legacy encryption, and 2% did not encrypt cardholder data entry sessions at all. On those sites the information a visitor submits, such as name, address and card details, can potentially be intercepted or decrypted by an attacker on the network path and used by fraudsters.
In addition, 7% of websites did not require the CVV2 number, the three-digit code on the back of the card (four digits on the front of an American Express card). Because the CVV2 is not embossed on the card and must not be retained by the merchant after authorisation, requiring it greatly reduces fraud committed with card numbers stolen from a database or a receipt. 3% of websites also had expired SSL certificates. An SSL certificate is what lets a browser verify that the site it is talking to is who it claims to be; an expired one triggers a browser warning on the very page where the customer is asked to type in card details.
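The transport-layer checks above (weak or legacy encryption, no encryption at all, expired certificate) can be reproduced against a single host. The script below is an added example and is not Deloitte's survey tooling: the survey does not publish its criteria, so the thresholds used here for "weak or legacy" (anything below TLS 1.2, or a cipher built on RC4, 3DES, NULL, export or anonymous suites), the `probe` and `classify` functions and the constructed sample results are this example's own assumptions. The CVV2 check is a property of the checkout form, not of the TLS layer, and is not covered here.

```python
"""Audit checks of the kind the survey describes, run against one probe result.

Added example, not the survey's own tooling. Deloitte does not publish its
criteria, so the thresholds below (anything below TLS 1.2, or a cipher built on
RC4, 3DES, NULL, export or anonymous suites, counts as "weak or legacy") are
this example's assumptions.
"""
import socket
import ssl
from datetime import datetime, timezone

LEGACY_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}                         # assumption
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES-CBC", "NULL", "EXP", "ADH", "AECDH")  # assumption

# Fixed "today" so the constructed samples classify the same way on every run.
REFERENCE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)

# Constructed probe results in the shape probe() returns; these are not real hosts.
SAMPLE_RESULTS = {
    "good":    {"tls": True, "version": "TLSv1.2", "cipher": "ECDHE-RSA-AES128-GCM-SHA256",
                "not_after": "Dec 31 23:59:59 2030 GMT", "verify_error": None},
    "legacy":  {"tls": True, "version": "TLSv1", "cipher": "RC4-SHA",
                "not_after": "Dec 31 23:59:59 2030 GMT", "verify_error": None},
    "expired": {"tls": True, "version": "TLSv1.2", "cipher": "AES256-SHA",
                "not_after": None, "verify_error": "certificate has expired"},
    "no_tls":  {"tls": False, "verify_error": None},
}


def parse_not_after(not_after):
    """Turn getpeercert()['notAfter'] ('Dec 31 23:59:59 2030 GMT') into an aware datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)


def classify(result, now):
    """Return the findings for one probe result (an empty list means nothing found)."""
    if not result.get("tls"):
        # Port closed or no handshake at all: cardholder data would travel in the clear.
        return ["no encryption on the payment session"]
    findings = []
    if result["version"] in LEGACY_VERSIONS:
        findings.append(f"legacy protocol {result['version']}")
    if any(marker in result["cipher"].upper() for marker in WEAK_CIPHER_MARKERS):
        findings.append(f"weak cipher {result['cipher']}")
    if result.get("not_after") and parse_not_after(result["not_after"]) < now:
        findings.append("expired certificate")
    if result.get("verify_error"):
        # OpenSSL's reason string, e.g. 'certificate has expired' or
        # 'self-signed certificate'; a browser would show a warning here.
        findings.append(f"certificate did not validate: {result['verify_error']}")
    return findings


def probe(host, port=443, timeout=5.0):
    """Live probe: handshake against the system trust store; if validation fails,
    keep the reason and retry without verification only to learn protocol and cipher."""
    result = {"tls": False, "verify_error": None}
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw, \
                ctx.wrap_socket(raw, server_hostname=host) as tls:
            result.update(tls=True, version=tls.version(), cipher=tls.cipher()[0],
                          not_after=tls.getpeercert()["notAfter"])
            return result
    except ssl.SSLCertVerificationError as exc:
        result["verify_error"] = exc.verify_message
    except (OSError, ssl.SSLError):
        return result
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE   # getpeercert() is empty in this mode, so no notAfter
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw, \
                ctx.wrap_socket(raw, server_hostname=host) as tls:
            result.update(tls=True, version=tls.version(), cipher=tls.cipher()[0])
    except (OSError, ssl.SSLError):
        pass
    return result


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:   # python audit.py shop.example
        print(sys.argv[1], classify(probe(sys.argv[1]), datetime.now(timezone.utc)))
    for name, sample in SAMPLE_RESULTS.items():
        print(f"{name:8} -> {classify(sample, REFERENCE_NOW) or 'no findings'}")
```

Run it with a hostname to probe a live site, or with no arguments to see the constructed samples classified. A handshake that fails even with verification disabled is reported as no encryption; on a current OpenSSL that also covers a server that only offers SSLv3 or TLS 1.0, which the default context will not negotiate, so use a dedicated scanner such as testssl.sh when those cases need to be told apart.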
Commenting on the results, Colm McDonnell, Partner, Enterprise Risk Services, Deloitte said: “The results of the survey show that many websites do not have adequate levels of security for processing online transactions, which many consumers carry out on a very regular basis. Identity theft and credit card fraud are a growing problem here in Ireland and inadequate levels of security must be addressed by merchants as a matter of priority.”
Michael Hofmeyr, Senior Manager, Enterprise Risk Services, Deloitte added: “Recent research released in National Identity Fraud Prevention Week found that almost 90,000 people in Ireland have fallen victim to identity fraud. It is imperative that companies are doing their utmost to ensure that online payments are as secure as possible on their websites and that they recognise their role in protecting consumers. By not securing the information that consumers provide on their websites, companies are putting them at risk of credit card fraud and identity theft, which at best can result in a significant amount of stress for the victim, and at worst can result in a loss of money. In addition, the merchants themselves could face significant fines if a fraud takes place and they are found not to be compliant with PCI DSS.”
PCI DSS is the standard created by the major card brands, including Visa, MasterCard, American Express, Diners Club, Discover and JCB, and maintained by the PCI Security Standards Council. Its twelve requirements are grouped into six goals: building and maintaining a secure network, protecting cardholder data, maintaining a vulnerability management programme, implementing strong access control measures, regularly monitoring and testing networks, and maintaining an information security policy.
Hofmeyr concluded: “The PCI DSS standards have recently been updated to further address the issue of protecting stored data and encrypting transmissions of cardholder data across public networks. Merchants are expected to comply with these updates immediately.”