by Brian Fenwick, Operations Director
Financial Fraud Action UK (FFA UK) has published its 2015 Annual Review. The organisation, which is ‘responsible for leading the collective fight against fraud in the UK payments industry’ and has banks, credit, debit and charge card issuers and card payment acquirers in its membership, reveals that fraud losses on UK cards reached £479 million in 2014.
This figure is up 6 per cent on 2013 (£450 million) and up 40 per cent on 2011 (£340 million). This must, however, be seen in context. According to the Dedicated Card and Payment Crime Unit (DCPCU) figures, there has been an overall fall in card fraud of 78 per cent since Chip & Pin was introduced in 2004. This equates to 7.5p for every £100 spent, compared to 12.4p in 2008.
The area now seen as most at risk is “cardholder not present” transactions: online and telephone-based purchases in which the physical card is never presented. In 2014 these accounted for £330.5m of UK card fraud, 69% of the total.
The solution is to take card data out of the IT environment altogether by moving personal card data to a secure off-site store, so that the organisation’s own systems no longer hold it. Adhering to the data security standards laid down in the Data Protection Act and PCI DSS will ensure that compliance is achieved.
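The scope-reduction step described above, as an added example that is not part of the original article: card numbers are handed to a vault (the "secure off-site store") at the moment of capture, and the merchant's own order records keep only an opaque token and a masked display form. The `CardVault` and `MerchantSystem` classes, the `tok_` token format and the sample card number are constructed for illustration and are not any real service's API.

```python
"""
Added example: taking card data out of the merchant's IT environment.

The merchant system (in PCI DSS scope) passes the PAN to a vault the
moment it is captured and retains only an opaque token plus a masked
form for display. CardVault and MerchantSystem are hypothetical
stand-ins constructed for this example, not a real service.
"""
import re
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn (mod 10) check-digit test, so mistyped numbers never reach the vault."""
    digits = [int(c) for c in pan]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalise_pan(raw: str) -> str:
    """Strip the spaces and dashes typical of keyed-in or telephoned card numbers."""
    pan = re.sub(r"[ -]", "", raw)
    if not pan.isdigit() or not luhn_valid(pan):
        raise ValueError("not a valid card number")
    return pan


def mask_pan(pan: str) -> str:
    """Display form: only the last four digits survive."""
    return "*" * (len(pan) - 4) + pan[-4:]


class CardVault:
    """Stand-in for the off-site store: the only component that ever holds a full PAN."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        # Tokens are random, so nothing about the PAN can be derived from them.
        token = "tok_" + secrets.token_hex(16)
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        # Only the vault (for example when forwarding to the acquirer) reverses a token.
        return self._pan_by_token[token]


class MerchantSystem:
    """Order handling that never persists a PAN: token and masked form only."""

    def __init__(self, vault: CardVault) -> None:
        self.vault = vault
        self.orders: list[dict] = []

    def record_order(self, raw_pan: str, amount_gbp: float) -> dict:
        pan = normalise_pan(raw_pan)
        record = {
            "card_token": self.vault.tokenize(pan),
            "card_display": mask_pan(pan),
            "amount_gbp": amount_gbp,
        }
        del pan  # the full number is not retained past this point
        self.orders.append(record)
        return record


PAN_PATTERN = re.compile(r"\b\d{13,19}\b")


def holds_full_pan(record: dict) -> bool:
    """Simple scope check: does any stored field still contain a card-number-shaped digit run?"""
    return any(PAN_PATTERN.search(str(v)) for v in record.values())


if __name__ == "__main__":
    vault = CardVault()
    shop = MerchantSystem(vault)
    # Constructed sample input: a well-known test card number as keyed in by phone staff.
    order = shop.record_order("4111 1111 1111 1111", 12.50)
    print(order)
    print("merchant record still holds a PAN:", holds_full_pan(order))
    print("vault resolves token:", vault.detokenize(order["card_token"]))
```

The point of the design is that the merchant's databases, logs and backups only ever see the token and the masked form, which is what shrinks the footprint an assessor has to examine; `holds_full_pan` is the kind of check worth running over exported records to confirm that nothing upstream is still writing raw numbers.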
Taking these standards a step further by adopting the ISO 27001 framework is, however, the most effective way to ensure data security. More and more organisations are now asking for help in securing ISO 27001 certification because the framework provides not only a comprehensive data security protocol but also a high degree of built-in flexibility. Used as a basis, its methodology can manage several compliance programmes at once and build security into each layer of an online or telephone sales operation.
There are many potential pitfalls when dealing with data security compliance in general. The main one is selecting the wrong product; others include not specifying requirements correctly or misinterpreting the intent of the standards. Using a consultant experienced in all aspects of data protection and standards reduces these risks while improving the chances of a successful, integrated and cost-effective strategy.