Wednesday, November 19, 2008

65% of Irish Websites Put Cardholder Data at Risk



65pc of Irish websites put consumers at risk


According to an analysis from Enterprise Risk Services at Deloitte, some 65pc of Irish websites put consumers at risk of fraud.


Consumers have been warned about identity theft and fraud today in the run-up to Christmas after a study found that online payment security is not fully enforced on 65 per cent of Irish websites.
According to a study by Deloitte Enterprise Risk Services, which analysed over 100 Irish-based e-commerce websites, "a significant proportion of websites" are not compliant with the payment card industry security standards.

Deloitte examined over 100 Irish e-commerce sites and checked for the kind of security measures in place to ensure safe online transactions for the shopper and found that "a significant proportion of websites" are not compliant with payment card industry security standards.

The good news, Deloitte said, is that the situation with regard to compliance with the Payment Card Industry Data Security Standards (PCI DSS) has improved since its last analysis.

A breakdown of figures showed that 100-plus companies had weak encryption for online transactions, meaning that customers entrusting their MasterCard or Visa across these sites were putting their card and personal data at risk of fraud or identity theft.

Moreover, 53 per cent of companies supported weak or legacy encryption, with 2 per cent of sites not encrypting cardholder data entry sessions at all. This means that the information visitors submit to the site, such as name, address and credit card details, can potentially be compromised and accessed by fraudsters.

The report gave no breakdown of how the payments were managed, i.e. whether the online merchant was privy to those details or whether they were passed on to a trusted third-party payments processor such as Realex or PayPal, both of which would automatically have extremely secure methods of encryption and data protection.

Most sites will ask you to verify your credit-card details with the three-digit CVV2 code on the back of your credit card, which is another protection against fraud, but the Deloitte analysis found that 7pc of Irish e-commerce sites did have this.

A further 3 per cent had expired SSL certificates. These certificates are displayed to assure you that the site you are dealing with is actually that site – another method of protection against phishing attempts, whereby a fraudster could put a false web front in place in order to steal your details.

“The results of the survey show that many websites do not have adequate levels of security for processing online transactions, which many consumers carry out on a very regular basis,” said Colm McDonnell, partner, Enterprise Risk Services, Deloitte.

“Identity theft and credit-card fraud is a growing problem here in Ireland, and inadequate levels of security must be addressed by merchants as a matter of priority.”

By Marie Boran

