Compliance and Privacy
Compliance and Privacy News
Essential Reading for Today's Business 23 February 2007

in this issue:
  • Nationwide customers pay £1m fine
  • PayPal CISO outlines antifraud strategy
  • MiFID Recruitment Timebomb Ready to Explode
  • One-year anniversary of chip and PIN change over - UK leads the way in chip and PIN rollout
  • Banking industry reports progress on new faster internet and phone payment service
  • Are 'Sealed' Websites Any Safer?
  • Free MiFID briefings on offer
  • Managed Security Services: Buy Or Build?
  • IE7 gives green light to trusted websites
  • Tablus Partners With VeriSign to Provide PCI Auditing and Scanning Services
  • 'The Any Era Has Arrived And Everyone Has Noticed' - Stratton Sclavos, VeriSign

    Dear Visitor,

    February has been so busy that there has been no time even to breathe. Security issues and regulatory issues have been springing up where none were ever expected. Look at Nationwide, who lost a laptop and have been fined just under a million pounds sterling! Or, put another way, each Nationwide member has been fined eight pence.

    We're also just over a year on in the UK from the Chip and PIN cutover. Oddly there are still some retailers who are PIN-free, and there was that major Shell issue with fraud in 2006. We're carrying an APACS report on the issues they have seen since inception.

    We're looking at a lot in this issue. Again we've only put less than half the items from the site's breaking news into the newsletter, but that's why we have an RSS newsfeed, too, and also why we added the search box at the head of all the pages. Over the coming months, depending on your feedback, we are considering moving to the RSS newsfeed as the delivery model, so let us know what you think by replying to me.

    Apart from that we've added "Snap" to the site so you can preview links as well as follow them. It's an experiment in user ergonomics, or as they were labelled many years ago by the father of word processing, "Human Factors". Just run your mouse over the links and see what you think.

    Last, but absolutely not least, we have Stratton Sclavos's recent RSA Conference keynote presentation 'The Any Era Has Arrived And Everyone Has Noticed'. Strong stuff. Grab your own copy today.

    Peter Andrews

    Nationwide customers pay £1m fine

    The customers, not the directors, of Britain's biggest building society will pay a £980,000 fine for lapses in data security. Nationwide was fined on Wednesday after a laptop was stolen from an employee's home in August. It took three weeks before the society realised the extent and sensitivity of the customer details on the computer. But Nationwide has told the BBC that it "would not be fair" if the directors paid the fine.

    As a building society, Nationwide is owned by its members - the 11m customers - so any penalty, in effect, comes from their money. Many are not happy that they will have to pay the penalty for their data being compromised.

    Jill called BBC Radio 4's Money Box programme to say: "Because it's a mutual society, any fine will have to be picked up by the members, because there are no shareholders." "It's a double whammy. It's bad enough to think your details may have been spread across the globe unnecessarily. But to be told as a member of a mutual society you are going to be fined, that seems a little unfortunate."

    PayPal CISO outlines antifraud strategy

    PayPal has 133 million customers that use its Internet-based money-transfer service, which handled US$37 billion in transactions last year. Michael Barrett, who is CISO at the eBay subsidiary, recently spoke with Network World senior editor Ellen Messmer about new approaches PayPal is taking to combat online fraud.

    Almost every day I get a fake PayPal e-mail that's obviously a phishing scam. How do you deal with this phishing fraud or even use e-mail to communicate with PayPal customers?

    There's a lot of spoofing of and We get e-mail from customers asking questions about this and other topics and we respond within 15 minutes. We use our own Web-based e-mail to communicate. The problem with phishing and spoofing generally is there's no magic bullet. So it's classic defense in depth.

    How much fraud hits PayPal each year?

    As a class of operational loss, it's 0.41 percent. In the industry, that's known as 41 basis points, which is pretty low. When our customers are victimized and their user ID and password are compromised, we compensate them.

    What are some of your defensive strategies?

    If the consumer never actually saw the phish e-mail, it's hard for the criminal to victimize you. We're working with people who make e-mail clients and the ISPs, such as Yahoo, MSN and AOL, on a technical strategy that says if the e-mail is not signed by us, drop it. We're having good discussions, but we have nothing to announce now.

    MiFID Recruitment Timebomb Ready to Explode

    There are just nine months to go before the Markets in Financial Instruments Directive (MiFID) is enforced by the FSA, and London compliance recruitment agency Joslin Rowe is warning that this has big implications for compliance recruitment in London and across the UK.

    “Over the last two months we have seen a 20% increase in the number of temporary compliance jobs focusing on MiFID orientated projects and this number is rising every week,” says Michelle Myers of Joslin Rowe. “It's becoming a hotbed of compliance recruitment across the temporary market as financial institutions scramble to get the right people on board immediately. As a consequence multiple compliance job offers are becoming commonplace and contract rates are rocketing. Companies cannot afford to hang around if they want to have the right people on board to hit the November 1st deadline smoothly.”

    According to the Joslin Rowe recruitment research an extra 1,200 temporary workers skilled in compliance will be required in the City of London over the next 10 months – thanks to MiFID alone.

    One-year anniversary of chip and PIN change over - UK leads the way in chip and PIN rollout

    Wednesday 14 February 2007 marks the one-year anniversary of PIN Day – the official change over to chip and PIN in the UK. To recognise this milestone, APACS, the UK payments association, has issued an update on the successful progress of chip and PIN. As at January 2007 APACS figures show that:

    • More than 99.9 per cent of all chip and PIN card transactions are now PIN-verified – confirming that very few card accepting businesses have not upgraded to chip and PIN.
    • More than 185 chip and PIN transactions take place every second. This compares with 125 every second a year ago.
    • The UK's banks and card companies have now issued 138 million chip and PIN cards - representing 97 per cent of the UK's 142 million payment cards. This is eight million more than were in circulation six months ago and over 30 million more than eighteen months ago. In 2007, remaining cards will continue to be upgraded.
    • Approximately 900,000 shop tills have been upgraded to chip and PIN. This represents 98 per cent of all shop tills in the UK – an increase of over 75,000 tills since PIN day.
    • Total card fraud losses fell in 2005 and we expect the figures to reveal that this trend continued in 2006.
    • As customers have got used to using their PIN, retailers have reported that transaction times have become quicker, with queues in shops shorter.

    Banking industry reports progress on new faster internet and phone payment service

    To coincide with Monday 12 February 2007's publication of the OFT's final Payment Systems Task Force Report, the UK banking industry today confirms that it is on track to introduce the new faster payments system, agreed with the Task Force, by November 2007. It also announced that there are thirteen founding members* of the new system.

    • New central system on track to be in place from November 2007
    • Thirteen financial institutions confirmed to be founding members

    Are 'Sealed' Websites Any Safer?

    As consumers become more concerned about protecting their information online, more "secure" labels have emerged, each promising to serve as a "Good Housekeeping seal of approval" for Website security. Hacker Safe and ControlScan, for example, attest that a site has been vulnerability-scanned. The new Extended Validation SSL (EV SSL) moniker, championed by digital certificate vendors such as VeriSign and Cybertrust, helps verify that a site is not a phish or a phony. (See Cybertrust Enters EV SSL Fray.)

    And now ScanAlert is rolling its "Hacker Safe" seal into a service for enterprises, company executives say. Hacker Safe Enterprise is a fully managed service that includes vulnerability assessment, hands-on analysis, and support from ScanAlert's security experts.

    VeriSign, whose VeriSign Secured Seal logo is displayed on over 65,000 Websites, and Cybertrust, are in the process of rolling out EV SSL. If a site is EV SSL-certified, its address shows up in green on newer browsers such as Internet Explorer 7.

    But are sites with a Website seal really more secure?

    Website operators say displaying these logos demonstrates that they have made a good faith effort to run a clean site, and that they are being proactive in securing their sites. "I know that by implementing [Hacker Safe], I'm still ten times more secure than without it," says Lynnette Montgomery, general manager of e-commerce for Levenger, a $75 million reading and writing tools retailer that offers its products online as well as through stores and paper catalogs. "It's more that you are covering your bases, trying to be the best you can be, honest and putting your best foot forward."

    Montgomery says another attraction of the Hacker Safe seal is its potential to bring in new customers. "Most companies I spoke to [about Hacker Safe] increased their conversion rate," she says. And that provides an ROI for the security service: "If I receive a two percent increase in conversion of customers, that's almost $500,000 in additional sales," she explains.

    Free MiFID briefings on offer

    A series of free MiFID briefings looking at practical responses to the new regulatory environment will be hosted around the country by Investmaster. Speakers set to take part include Guy Sears, deputy chief executive of APCIMS, the organisation lobbying both Canary Wharf and Brussels over issues affecting private client investment managers and stockbrokers. Sears will focus on coming COB rule changes, but particularly the practical changes firms must implement to survive the new environment.

    Discussion will also look to how automation can assist, although the idea is to offer those who are less advanced in implementing a response to MiFID the chance to gain answers to questions about just what will be expected of their operating procedures and processes after November, when the new regime comes into force.

    Managed Security Services: Buy Or Build?

    Managed services in the channel took on a life of their own in 2006. Resellers and service providers, recognizing the need among SMBs, demanded changes in vendor pricing and services so they could build or sell vendor-managed services.

    Given its placement at the top of end users' priority lists, security is one of the hottest opportunities in the services market. The grand potential for VARs, of course, is the SMB space, where companies typically don't have the internal resources to effectively and cost-efficiently secure their networks.

    But there's confusion in the market around the pricing of services for companies that can't afford to pay for comprehensive, 24/7 coverage.

    "All along, our bread and butter has been in the enterprise," says Fergal Lyons, senior product manager for Symantec Security Information Manager (SIM). "The smaller organizations, and the VARs supporting them, are not going to spend a couple-hundred grand for enterprise-level managed services."

    IE7 gives green light to trusted websites

    Microsoft has quietly flipped the switch on a new feature in Internet Explorer 7 meant to combat phishing scams. The software giant in early January made a change on its computer systems that allowed websites fitted with a new type of security certificate to display a green-filled address bar in Internet Explorer 7 (IE7), Markellos Diorinos, a product manager for Windows at Microsoft, said in an interview.

    "We have rolled out many of the parts that are required to get it working. We're coming close to the point where all the moving parts are in place," Diorinos said. Microsoft plans to promote the green bar at next week's RSA Conference in San Francisco, an annual security confab kicked off by Microsoft chairman Bill Gates.

    The coloured address bar, a new weapon in the fight against phishing scams, is meant as a sign that a site can be trusted, giving web surfers the green light to carry out transactions there. The green bar already appears on the secured sites of and VeriSign.

    VeriSign has about 300 customers, including online retailer, that have signed up for the green bar certification process, said Spiros Theodossiou, a senior product manager at VeriSign. The company plans to unveil the names of more participating websites at the RSA Conference, he said.

    Tablus Partners With VeriSign to Provide PCI Auditing and Scanning Services

    Tablus Inc., a leading provider of content protection solutions, today announced that VeriSign will use the Tablus Content Sentinel solution as part of the VeriSign Payment Card Industry (PCI) onsite audit and scanning services practice. VeriSign is an authorized security assessor for PCI Compliance to assist merchants and service providers with required annual audits.

    "Companies are being forced to take a closer look at their existing security postures to examine how they can implement stronger solutions in line with industry mandates," said Anne Bonaparte, Tablus president and CEO. "VeriSign's use of the Tablus Content Sentinel in its PCI onsite audit and scanning service practice will enable enterprises to better assess their ability to safeguard sensitive customer information from illegal or improper use."

    The PCI Data Security Standard was created by major credit card companies to safeguard customer information. Visa, MasterCard, American Express, and other credit card associations mandate that merchants and service providers meet certain minimum standards of security when they store, process and transmit cardholder data. Achieving PCI compliance became mandatory on June 30, 2005; however, that has proven to be a difficult and complex process for many businesses that may lack the resources necessary to meet the strict standards set forth in the PCI language. There are 12 requirements that compose the PCI Data Security Standard, including the development and maintenance of a secure network, protection of cardholder data and maintenance of an information security policy.

    'The Any Era Has Arrived And Everyone Has Noticed' - Stratton Sclavos, VeriSign

    VeriSign's CEO Stratton Sclavos presented at the recent US RSA Conference, 'The Any Era Has Arrived And Everyone Has Noticed'.

    Readers should note that references to VeriSign's sponsorship are historical. That sponsorship ended on 28 February 2007, and is simply included here for context and historical purposes. VeriSign is not formally associated with this site in any manner, and has asked us to emphasise this point.