Prevent Data Breaches with Data Security

A Quick Primer for Financial Professionals

Hooded computer hacker stealing information with digital tablet
••• Towfiqu Photography / Getty Images

Data security is a major issue of concern in the financial services industry because it is associated with huge potential financial and reputational costs. Cybercrime targeting financial firms is on the rise.

Accordingly, attention to data security matters should involve not only members of information technology staff but also risk management and compliance personnel, as well as the members of controller organizations and chief financial officers. Furthermore, financial management professionals in other industries need to be basically conversant with topics in data security, given the financial exposures.

The increasing frequency and cost of major data security breaches, which affect banks, investment firms, electronic payment processors, credit card networks, retail merchants and others, make this an area whose importance is virtually impossible to underestimate.

Threats to Data Security

Data security for companies that accept payment via credit cards and debit cards is essential when choosing an electronic payment processor. There are hundreds of companies in this line of business, but only a subset are rated payment card industry (PCI)-compliant by the Payment Card Industry Security Standard Council. The major credit card issuers, such as Visa and MasterCard, typically attempt to steer companies toward using only PCI-compliant payment processors.

To protect against data breaches, companies must perform a risk analysis of their potential weaknesses and take action to decrease the probability of successful attacks on their critical infrastructures.

Card and PIN Numbers

Data security regarding point-of-sale (POS) credit card and debit card processing, such as at cash registers, gas pumps and automated teller machines (ATMs), is increasingly being compromised and complicated by schemes to steal card numbers and personal identification numbers (PINs). Many of these schemes utilize the secret placement of radio frequency identification (RFID) chips by data thieves at these terminals to "skim" such data.

Security company ADT is a vendor that offers Anti-Skim software that triggers alerts when data breaches of this sort are detected. Additionally, a qualified security assessor (QSA) can be engaged to conduct a survey of a company's susceptibility to these types of data security breaches.

Unauthorized Personnel

Data security often depends on physical security at data centers. This involves ensuring that unauthorized personnel is kept out. Additionally, authorized personnel cannot be allowed to remove servers, laptops, flash drives, disks, tapes, or printouts, containing sensitive information from company locations. Similarly, controls should be in place to guard against unauthorized personnel's viewing of sensitive information that is not needed in the discharge of their duties.

Outside Vendors

In addition to security protocols and procedures on your company's premises, the practices of outside vendors of data processing and transmission services must be scrutinized. For example, if a third party firm hosts your company's website, you must be concerned about its data security procedures. The Statement on Auditing Standards (SAS) No. 70, Service Organizations, certification is a common standard for adequate security procedures regarding internal networks, required by the Sarbanes-Oxley Act for publicly held information technology firms.

Use of secure sockets layer (SSL) protocols are the standard for handling sensitive data securely online, such as the input of credit card numbers in payment for transactions. SSL is standard security technology for establishing an encrypted link between a web server and a browser.

Network Security Best Practices

Key aspects of network security that have an impact on data security are protections against hackers and the flooding of websites or networks. Both your in-house information technology group and your internet service provider (ISP) must have appropriate countermeasures in place. This is also a matter of concern for web hosting and payment processing companies. Outside vendors must demonstrate what protections they have in place.

The best practices that characterize your company's data networks, data centers, and data management should also be in place at all outside vendors of data processing, payments processing, networking and website hosting services that work with your company.

Before entering into any contract with a third-party provider, you should ascertain that it has the appropriate minimum certifications from independent outside bodies and conduct your own due diligence, led either by your company's own information technology personnel with the appropriate credentials or by qualified outside consultants.

Insurance Against Data Breaches

As a final consideration, it is possible to purchase insurance against the costs associated with data security breaches. Such costs include the fines and penalties levied by credit card networks, such as Visa and MasterCard, for these failures, as well as the expenses that they impose on card issuers—mainly banks, credit unions, and securities firms—for canceling credit and debit cards, issuing new ones. and making card members whole due to breaches caused by your company, expenses that they thus will attempt to charge back to your company.

Such insurance sometimes can be offered by payment processing firms, as well as being available from insurance companies directly. The fine print on these policies can be detailed, so buying this type of insurance requires a great deal of care.