1
MasterCard International Credit Card Security & Risk
IS6800 Group Presentation
Mike Cornish, Kathleen Delpha, Mary Erslon
November 2004
2
Agenda
• MasterCard Organization
• Credit Card 101
• Credit Card Fraud
• Case Studies
  - Card Not Present Fraud
  - Identity Theft Fraud
• Best Practices for Credit Card Security
4
MasterCard’s IT & Security Organizations [1]
CIO reports to the President & CEO
Organization chart legend: Direct IT Functions; Security & Fraud Functions
Organization chart boxes:
• CIO & SEVP Global Technology & Operations
• SVP GTO Human Resources
• SVP Computer & Network Services
• SVP Technology Business Management
• SVP Security & Risk Management
• SVP GTO Administration
• SVP Member Services
• SVP Systems Development
• SVP Debit Services
• Technical Architecture
• Business Requirements Management
• Technology Sales Organization
• Business Systems
• Technology Infrastructure
• Data Warehouse
• Hardware & Software Change Management
• Data Center Operations
• Network Operations
• Project Management Office
• Offshore Partnership Management & Sales
• Debit Systems Development
• Global Debit Operations
• Debit Customer Support
• IT Investment Management Office
• GTO Plans & Budgets
• VP Technology Communications
• Security & Risk Analysis
• Field Operations
• Global Member Operations Support
• 1-800-MasterCard Call Center
• MasterCard Product Support Call Center
5
Major IT Decisions [1]
• IT Principles: MasterCard GTO level
• IT Architecture: MasterCard GTO level
• IT Infrastructure: MasterCard GTO level
• Business Application Needs: Federal
  - Core: MasterCard GTO level
  - Value Added*: Mixture of GTO and business levels
• IT Investment and Prioritization: Duopoly (CxO level & GTO)
* Includes Security & Risk Management applications
6
Governance [1]
• Transitioning to IT Duopoly at the CxO level from IT Monarchy
  - All IT spending remains under control of GTO
  - GTO-led initiative to bring transparency to the IT decision-making processes, and to bring business involvement into IT investment management
• CxO level sets budget for technology investment & decides priorities
• GTO investment management office
  - Facilitates business prioritization by CxO level
  - Allocates & tracks technology spending across GTO
7
Metrics
• 37 Sites: Global HQ, GTO HQ, 5 regional & 30 local country offices [2]
• Total GTO FTE*: ~2,000 [3]
• Total MasterCard FTE*: ~4,000 [2]
• Desktops: ~4,800 worldwide [4]
• Security & Fraud Applications: 11 [5]
• GTO’s IT Budget for 2003 was ~11% [6] of Total Revenue of $2.23 Bn [7]
* Full-time Equivalents (employees, contractors, temps)
9
Open System: Interchange Model*
Biggest threats come from outside the payment system!
[Diagram] Parties: Merchant, Acquiring Processor, Acquiring Bank, Issuing Bank, Issuing Processor, Cardholder
[Diagram] Relationships: Account Relationship, Transaction Relationship, Processing Relationship, Statementing Relationship
* Structure for Visa is similar.
10
Open System: Interchange Transaction Flow*
[Diagram] Parties: Merchant, Acquiring Processor, Acquiring Bank, Issuing Bank, Issuing Processor, Cardholder
[Diagram] Flow labels:
• Authorization Request (real-time)
• Authorization Response (real-time)
• First Presentment Notice
• Settlement
• Merchant Deposit
• Merchant Payment
• Statement
• Payment
* Flow is similar for Visa.
11
Closed System*
Biggest threats come from outside the payment system!
[Diagram] Parties: Merchant, Acquiring Processor, Cardholder
[Diagram] Relationships: Account Relationship, Transaction Relationship
* Structure for Discover is similar.
12
Closed System: Typical Transaction Flow*
[Diagram] Parties: Merchant, Acquiring Processor, Cardholder
[Diagram] Flow labels:
• Authorization Request (real-time)
• Authorization Response (real-time)
• Merchant Deposit
• Merchant Payment
• Statement
• Payment
* Flow is similar for Discover.
13
MasterCard’s Space
• MasterCard International is a global payments company [2]
  - Membership corporation of 25,000 financial institutions that issue MasterCard, Maestro, and Cirrus branded cards
  - Licensor and franchisor for the MasterCard, Maestro, and Cirrus payment brands
• 2003 Key Business Indicators [2, 8]
  - Gross volume: US$ 1,272 Bn
  - Number of transactions: 13.2 Bn
  - Number of accounts: 529.5 MM
  - Number of cards: 632.4 MM
  - Number of merchants: 22.0+ MM in 210 Countries
  - Number of ATMs: 900K+ in 120+ Countries
14
Not MasterCard’s Space [2]
MasterCard does not…
• Issue cards
• Set annual fees on cards
• Determine annual percentage rates (APRs)
• Solicit merchants to accept cards or set their discount rates
16
Headlines
[Image slide: news headline clippings; the headline text is not recoverable. Dates shown: Nov 20, 2001; Jan 23, 2003; Feb 19, 2003; Feb 27, 2003; March 17, 2003; Sep 12, 2003 (twice); Oct 24, 2003; Aug 5, 2004.]
17
Types of Fraud [9]
• Identity Theft *
  - Application Fraud
  - Account Takeover
• Card Not Present *
  - Mail, telephone, web
• Counterfeit *
  - Skimming
  - Account number generation
• Lost & stolen
• Never Received after Issue
• Merchant Fraud
  - Collusion
  - Triangulation
* Increasing and gaining a lot of attention in recent years, especially in the online space

Incidence of Fraud by Method (bar chart):
Lost/Stolen       48%
ID Theft          15%
Skimming          14%
Counterfeit       12%
Never Received     6%
Other              5%
18
Industry Fraud Estimates*
[Chart: Fraud Rates as % of Transaction Volume; chart values not recoverable. Sources: [10], [12], [11], [13]]
* There is no true consolidated source for credit card fraud statistics in the industry
19
MasterCard’s Security & Risk Mission
Mission [14]:
“Protect brand integrity and manage fraud risk through best in class core and value added services with integrated end to end solutions to help position MasterCard as the Global Payments Leader”
20
Security & Risk Management Applications & Services [5]
Legend: A = Awareness, D = Detection, P = Prevention
Applications and services (matrix columns):
• Account Management System
• Address Verification System
• Common Points of Purchase
• Fraud Velocity Monitoring
• Issuers Clearinghouse Service
• MasterCard Alerts
• MasterCard Internet Gateway Services
• MasterCard SecureCode
• Merchant Alerts to Control High Risk
• Merchant Online Status Tracking
• NameProtect Partnership
• RiskFinder
• Site Data Protection
• System to Avoid Fraud Effectively
Fraud types (matrix rows), with cell entries in their original order (column positions not preserved):
• ID Theft: D P D D A
• Counterfeit: P D D A P P D D P A
• Card Not Present: P D A P P D D P A
• Lost & Stolen: P P D A D A
• Never Received: P A
• Merchant Fraud: D P P D D A
22
“Card Not Present” Defined
Definition [9]:
• Neither the card nor the cardholder is present at the point-of-sale
• Merchants are unable to check the physical security features of the card to determine if it is genuine
• Ecommerce; online or telephone transactions
• No way to dispute a cardholder claim that a purchase wasn’t made
23
Ecommerce Market [15]
• > $3 Trillion worldwide
• MasterCard research shows that 90% of online buyers worry about their personal and financial information online
24
Statistics
• MasterCard CNP incidents account for between 80 and 84% of credit card fraud [16]
• Online fraud rates up to 30x higher than in the physical world [17]
• 2003: $1.6B or ~2% of all online sales lost to credit card fraud [17]
• 2004 credit card fraud rate has decreased by 0.5% since 2000, but the amount lost has increased by 60% [19]
• Projected losses to internet merchants in 2005 expected to be $5 - $15 billion [9]
25
Statistics (continued)
Merchant Risk Council Survey 2003 [19]
• Fraud chargeback rates > 1% = 9.7%
  - 50% reduction since 2002
• Fraud chargeback rates < 0.35% = 64%
  - 30% increase since 2002
• 17% of merchants spent > 2% of revenue on fraud prevention
  - 30% increase since 2002
26
Examples of Card Not Present Credit Card Fraud
• Low-Tech:
  - Dumpster Diving
  - Card Loss/Theft
• High Tech:
  - Phishing or site cloning
  - Account number generators
  - Online “auctions” or false merchant sites
27
Card Not Present
• May be caused by
  - Less-than-diligent cardholder (dumpster diving, theft)
  - Cardholder response to plausible ploy (phishing)
• May be out of cardholder’s control (numbers generator, hacking)
28
Combating CNP Fraud: Legislative Examples
• Anti-Phishing Act of 2004 [20]
  - Introduced 07/04 by Sen. Leahy (D-VT)
  - Phishing responsible for $2B in merchant losses/year
  - Enters 2 new crimes into US Crime Code
    - E-mail that links to sham websites with the intent of committing a crime
    - The sham websites that are the true scene of the crime
29
Combating CNP Fraud: Legislative Examples
• State laws [21] limit the card number printed on a credit card receipt to the last four numbers of the credit card
• Expiration date may not appear on receipt
• CA, WA, MD, CT enacting legislation
31
Combating CNP Fraud: Merchant
• Multi-level technical solutions
  - Cardholder Authentication
  - Neural Networks
32
Case Study: SecureCode™
• Licensed MasterCard cardholder authentication solution [15] enables cardholders to authenticate themselves to their issuer through the use of a unique personal code (PIN)
• A VISA counterpart is “Verified by VISA” or “VbyV.”
33
SecureCode [15]
• Cardholders enter their secure code in a separate browser window before an on-line transaction can be authorized
• Requires a merchant “plug-in,” or software module, to be deployed on the merchant’s website
• Requires the merchant to use a data transport mechanism and processing support
34
SecureCode [15]
The participating merchant gets explicit evidence of an authorized purchase (authentication data)
Fully guaranteed online payments – protection from chargebacks
MasterCard mandated that issuers implement support for MasterCard Secure Code by November 1, 2004
35
SecureCode and eTronics [22]
• A Top Ten Internet consumer electronics retailer
  - >200,000 customers and 300,000 orders annually
  - Over $65 million in yearly sales
• In 2002, eTronics had credit card chargeback costs of over 1 million/year
• Implemented SecureCode in 2003
• “Too soon to tell” impact since SecureCode is not yet implemented globally, but eTronics is “optimistic and enthusiastic” about its success
37
Case Study: RiskFinder™
• A “neural network” system
• Fair Isaac’s proprietary profiling technology for fraud prevention – RiskFinder [23] is a MasterCard-specific application
• Enables transactions to be “scored” based on highly detailed cardholder patterns/behavior, existing patterns of fraud, and merchant trend data [23]
38
Case Study: RiskFinder™
• The institution can establish a transaction score threshold, and conduct supplemental review and cardholder follow-up on any transaction that scores above the threshold [23]
• RiskFinder has saved issuers up to 50% in fraud losses [23]
39
Citibank Fraud Detection
www.fightidentitytheft.com/video/babe_magnet.mpeg, viewed October 30, 2004
42
Identity Theft: The neoteric crime of the IT era [24]
Identity theft is the illicit use of another individual’s identifying facts to perpetrate an economic fraud, such as
• Opening a bank account
• Obtaining bank loans or credit
• Applying for bank or department store cards
• Or leasing cars or apartments
in the name of another. [24]
43
Citibank Identity Theft
www.fightidentitytheft.com/video/flaps_mpls_te_mpg.mpeg, viewed October 30, 2004
44
Identity Theft: The neoteric crime of the IT era
• Number one source of consumer complaints to the Federal Trade Commission (FTC) in 2001 (and thereafter) [25]
• Credit card fraud was the most common form of identity theft in 2002 according to the FTC [25]
46
Identity Theft: The neoteric crime of the IT era
“Compared to equally profitable crimes involving drug or gun trafficking, the sentencing for identity fraud is much lighter—and these folks are tough to catch.”
- Bruce Townsend
Special Agent in charge of
Financial Crimes Division
Secret Service [27]
47
Identity Theft: The neoteric crime of the IT era
• In 52% of cases in which the victim discovered how the information was stolen, the thief turned out to be a family member, neighbor, or coworker. [28]
• Low-Tech sources include:
  - Paper records of personal information kept by numerous sources.
49
Identity Theft: Causes
• Phishing
  - “Stealing corporations’ identities as a means to impersonating individuals” [30]
• Greater number of pieces of personal information = greater chance of Identity Theft
50
Identity Theft:
• To counteract phishing, corporations are using software to search for sites breaching their copyrights, then go directly to the company hosting the bogus site to get it shut down. [30]
• 5% of consumers respond to phishing according to the Anti-Phishing Working Group. [31]
51
Identity Theft: High Tech Causes
• Hacking merchant sites, home computers and any place where personal information is stored.
  - Servers that aren’t set up correctly can be compromised by techniques like “end-mapping,” which “pings” servers systematically until it finds an open port to exploit.
  - Trojan horse content can slip by ordinary packet filter devices deployed by firewalls (spyware, keyloggers). [32]
52
Identity Theft: High Tech Causes
• Commandeering other applications.
• Eavesdropping Software that reports to the hacker a person’s keystrokes and uses it to pick up passwords and gain entry. [32]
53
Identity Theft: High tech Causes
• Case Study: “Operation Firewall”.
  - 28 Identity Theft Suspects arrested
  - 1.7 million stolen credit card numbers
  - Investigation instigated by MasterCard’s senior vice president of security risk services. [33]
54
Identity Theft: Low tech Causes
Security firms tend to stress physical security issues, which are easier to identify and remedy than human vulnerabilities.
Financial institutions, in order to reduce the risk from within, must create and sustain an institutional culture that values and promotes critical thinking, high self-esteem and genuine loyalty to the institution. [34]
55
Identity Theft: Actions to Combat
• Legislative
  - Identity Theft and Assumption Deterrence Act of 1998 [24]
  - Privacy Act of 2001 [35]
  - Consumer Privacy Protection Act, May 2002 [29]
  - Identity Theft Prevention Act, Jan 2003 [29]
  - SSN Misuse Prevention Act, Jan 2003 [29]
  - Fair and Accurate Credit Transactions Act of 2003 [36]
  - Anti-Phishing Act of 2004 [20]
56
Identity Theft: Actions to Combat
• Payment Industry: calling for implementation of technology that definitively corresponds the user to the instrument. [27]
57
Identity Theft: Actions to Combat
• Identity Authentication Technologies
  - Biometrics
    - Face recognition
    - Retina scans
    - Fingerprint authentication
    - Voice/speech verification
    - Handwriting analysis
  - Genetic Engineering
    - Analyzing DNA components of human fluids & cells. [25]
58
Identity Theft: Actions to Combat
• Use of Public Key Infrastructure (PKI)
  - Digital signature
  - Protects electronic records
  - Inherent security hinges on who has access to system. [25]
59
Identity Theft: Actions to Combat
• System embedded security controls to enhance the privacy and confidentiality of information processed across Internet architectures
  - Data encryption
  - Digital signatures
  - Secure socket layers (SSL)
  - Cryptographic protocols such as hypertext transfer protocol over SSL (HTTPS) [37]
60
Identity Theft: Actions to Combat
• Smart Cards
  - Contain embedded CPU (electronic chip).
  - 32-kilobyte mini-processors are capable of generating 72 quadrillion encryption keys.
  - Can be programmed to perform tasks & store information.
  - Practically impossible to fraudulently decode. [9]
61
Identity Theft: Actions to Combat
• Personnel & Procedures
  - Background checks
  - Limit access through password protection
  - Leave an audit trail of who got into files & when
  - Shred information being thrown away
  - Train staff by creating a security handbook [25]
62
Identity Theft: Actions to Combat
Designate a Privacy Officer – could be the Information Manager
“Privacy and security do not work if you do not have top-level buy-in. Information managers might very well be the key people within the organization to help accomplish this.”
- Gary Clayton
Founder & Chairman
The Privacy Council [25]
63
Identity Theft: Actions to Combat
• Use of a layered approach to security
  - Perimeter
  - App-layer protection
  - Intrusion detection
  - Monitoring tools
• Strategic rather than silver-bullet approach [32]
64
Issuers Clearinghouse
• Joint MasterCard and Visa service.
• To detect fraudulent and high-risk credit card applications.
• Screens, validates & tracks
  - Addresses
  - Phone numbers
  - Social Security numbers [38]
65
NameProtect®
• Monitors Internet 24x7
• Watches all gTLD and ccTLDs, new registrations, and activations.
• “Identifies Web sites, emails, chat rooms and other electronic venues where personal credit card data is published, sold or traded.” [39]
66
Identity Theft
“Rather than posing security as a hurdle to overcome, companies should view their customers’ privacy needs as an opportunity through which they can differentiate themselves as trust leaders, increase their financial value and even energize entire economies.”
Glover T. Ferguson
Chief Scientist
Accenture [26]
68
Best Practices: All Industries [40]
• Protect your employees and customers from ID theft
  - Ask only for necessary information
  - Don’t use SSNs as identifiers
  - Regularly check backgrounds of employees who have access to identifying information
• Define a privacy policy and communicate it to your customers and employees
69
Best Practices: All Industries [40]
• Protect sensitive paper information like payment card numbers, social security numbers, and customer identifying data
  - Secure records in a vault or under lock-and-key
  - Restrict access only to persons with a legitimate need to know
  - Shred records when they are no longer needed
  - Immediately report security breaches to affected customers and law enforcement
70
Best Practices: All Industries [41]
• Conduct a risk assessment for impact from loss or disclosure of business data
• Design record retention policies and physical access controls based on the assessed risks from loss or disclosure.

Area of Concern           Low     Medium      High
Business Disruption       -       Moderate    Major
Legal impact              -       Minor       Major
Financial Impact          -       Minor       Major
Health & Safety Impact    -       -           Threatened
Effort to Restore         Easy    Moderate    Significant
71
Best Practices: IT Functions [42, 43]
• Use firewalls, anti-virus, anti-spyware, and access control software to protect networks and computers
• Keep operating system and security software up-to-date with latest security patches from vendors
• Define policies for strong passwords and change them frequently
• Monitor for signs of network and web server attack
• Monitor security websites for breaking information about new threats and best practices (e.g., CERT® Coordination Center)
72
Best Practices: IT Functions [43]
• Protect sensitive electronic info like customer identifying data and account numbers
  - Segregate sensitive data on separate servers from web servers
  - Restrict data access rights to only those persons and systems with legitimate need to know
• Consider encrypting sensitive information housed in databases
73
Best Practices: Consumers [44]
• Only give payment account numbers or personal identification information to companies you have contacted
  - Challenge businesses that ask for it about why they need to know
  - Avoid saying information over the phone when others may hear
• Do not carry unnecessary payment cards or identification papers (e.g., social security card, birth certificate) in your wallet or purse
• Do not use SSN for your driver’s license or other identification cards
74
Best Practices: Consumers [44]
• Keep track of receipts for payment card transactions
• Shred receipts and account statements having full account numbers
• Cancel unused credit card accounts*
• Keep a list of all of your payment card account numbers along with their issuers’ names and contact numbers so you can cancel them quickly if lost or stolen
* But be aware of potential credit score impact
75
Best Practices: Consumers [45]
• Use firewall, anti-virus, and anti-spyware software
• Keep your PC operating system and security software up-to-date with latest security patches from your vendors
• Be suspicious of emails and websites requesting private information
• Verify URLs and make sure websites are secure before entering account numbers and personal identifying information
  - Be careful locating sites through search engines
  - Call the company if you are unsure of the validity of a site
76
Best Practices: Merchants [46]
• Card Present
  - Check that the embossing extends into the hologram
  - Check the hologram and indent printing
  - Compare the signature on the card and sales draft
  - Check that the magnetic strip appears authentic
  - Call for a “Code 10” authorization if something doesn’t feel right
77
Best Practices: Merchants [21]
• Card not Present
  - Use address verification systems to check the account holder’s billing address
  - Implement SecureCode and Verified by Visa services
  - Include card verification values/codes in authorization messages (but do not store them in your database)
78
Best Practices: Merchants [21]
• Card not Present (Continued)
  - Require complete customer contact and payment information before completing an order
  - Process transactions in real-time
    - Keep the customer on the website until the payment card is authorized and the sale is completed
  - Monitor international transactions
79
Best Practices: Merchants [21]
• Card not Present (Continued)
  - Employ rules-based systems to screen and detect suspicious order activity
  - Maintain negative databases of fraudulent orders & offenders, and positive databases of trusted returning customers
  - Adopt MasterCard’s Best Practices for eCommerce websites
    - Have a Site Data Protection audit done on your eCommerce website
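The card-not-present merchant practices above (complete order details, address and card verification results, international orders, negative and positive databases) combined into one rules-based screen. This is an added example, not code from the presentation or from MasterCard; the field names, result labels, list entries and sample orders are all constructed for illustration.

```python
"""Rules-based screening of card-not-present orders (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: str
    email: str
    card_token: str    # processor token; card number and CVC are never stored
    phone: str
    ship_to: str
    ship_country: str
    avs: str           # constructed labels: "match" | "partial" | "no_match"
    cvc: str           # constructed labels: "match" | "no_match" | "missing"


def _norm(value):
    """Case- and whitespace-insensitive key for list lookups."""
    return " ".join(value.lower().split())


class OrderScreener:
    def __init__(self, negative, positive, home_country="US"):
        self.negative = {_norm(v) for v in negative}   # fraudulent orders & offenders
        self.positive = {_norm(v) for v in positive}   # trusted returning customers
        self.home_country = home_country

    def screen(self, o):
        """Return (decision, reasons); decision is accept, review or reject."""
        # 1. Incomplete contact or payment details: do not complete the order.
        missing = [f for f in ("email", "card_token", "phone", "ship_to")
                   if not getattr(o, f).strip()]
        if missing:
            return "reject", ["incomplete:" + "+".join(missing)]
        # 2. A negative-database hit beats everything, including the positive list.
        hits = [f for f in ("email", "card_token", "ship_to")
                if _norm(getattr(o, f)) in self.negative]
        if hits:
            return "reject", ["negative_db:" + "+".join(hits)]
        # 3. Verification failures are hard signals; the rest are soft.
        hard, soft = [], []
        if o.avs == "no_match":
            hard.append("avs_no_match")
        elif o.avs == "partial":
            soft.append("avs_partial")
        if o.cvc != "match":
            hard.append("cvc_" + o.cvc)
        if o.ship_country != self.home_country:
            soft.append("international")
        # 4. The positive list waives soft signals only, never a failed check.
        trusted = _norm(o.email) in self.positive
        if hard or (soft and not trusted):
            return "review", hard + soft
        return "accept", soft


# Constructed lists: note the same e-mail sits on both, to show precedence.
SCREENER = OrderScreener(
    negative={"mule@example.net", "tok_9f3c", "12 Drop Street, Springfield"},
    positive={"regular@example.com", "mule@example.net"},
)

SAMPLE_ORDERS = [  # constructed orders
    Order("A1", "new@example.org", "tok_1a", "555-0100", "1 Main St", "US", "match", "match"),
    Order("A2", "Regular@Example.com", "tok_2b", "555-0101", "2 Oak Ave", "CA", "match", "match"),
    Order("A3", "new2@example.org", "tok_3c", "555-0102", "3 Elm Rd", "CA", "match", "match"),
    Order("A4", "regular@example.com", "tok_4d", "555-0103", "2 Oak Ave", "US", "no_match", "match"),
    Order("A5", "other@example.org", "tok_5e", "555-0104", "12  drop street, SPRINGFIELD", "US", "match", "match"),
    Order("A6", "MULE@example.net", "tok_6f", "555-0105", "9 Pine Ct", "US", "match", "match"),
    Order("A7", "x@example.org", "tok_7g", "", "4 Fir Ln", "US", "match", "match"),
]


def screen_all(orders=SAMPLE_ORDERS, screener=SCREENER):
    return {o.order_id: screener.screen(o) for o in orders}
```

Orders A5 and A6 show why list keys are normalised and why the negative database is checked before the positive one: a re-cased address or a "trusted" e-mail that later turns up among offenders must still be stopped.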
80
Best Practices: Acquirers & Merchant Processors
• Merchant Acquirers & Processors
  - Provide security features like Address and Card Verification services to merchants
  - Monitor merchant deposit velocity for unexpected increases in deposits
  - Check & report merchant’s termination history
81
Best Practices: Issuers & Card Processors
• Card Issuers & Processors
  - Monitor cardholder purchase and cash velocity for drastic changes
  - Use behavioral models/neural network software to detect fundamental changes in cardholders’ behaviors
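Merchant deposit velocity (acquirers) and cardholder purchase and cash velocity (issuers) reduce to the same check: compare each day's total with that entity's own recent baseline. The following is an added sketch, not code from the presentation or any MasterCard product; the 7-day window, three-sigma rule, ratio guard, entity ids and all amounts are assumptions constructed for illustration.

```python
"""Velocity monitoring over daily totals (added example; all data constructed)."""
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean, pstdev


def daily_series(events):
    """Turn (entity, day, amount) events into {entity: [(day, total), ...]},
    one entry per calendar day with quiet days filled in as 0.0."""
    totals = defaultdict(lambda: defaultdict(float))
    for entity, day, amount in events:
        totals[entity][day] += amount
    series = {}
    for entity, by_day in totals.items():
        first, last = min(by_day), max(by_day)
        days = [first + timedelta(days=i) for i in range((last - first).days + 1)]
        series[entity] = [(d, by_day.get(d, 0.0)) for d in days]
    return series


def velocity_alerts(events, window=7, sigmas=3.0, min_ratio=2.0,
                    exclude_flagged=True):
    """Flag days whose total is far above the entity's own trailing baseline.

    A day is flagged when it exceeds mean + sigmas * stdev of the previous
    `window` baseline days AND is at least min_ratio times that mean (the
    ratio guard stops a nearly flat history from alerting on small bumps).
    With exclude_flagged=True a flagged day is kept out of later baselines,
    so a multi-day burst cannot raise its own threshold.
    """
    alerts = []
    for entity, series in daily_series(events).items():
        history = []
        for day, total in series:
            flagged = False
            if len(history) >= window:
                base = history[-window:]
                mu, sd = mean(base), pstdev(base)
                flagged = total > mu + sigmas * sd and total >= min_ratio * mu
                if flagged:
                    alerts.append((entity, day.isoformat(), total, round(mu, 2)))
            if not (flagged and exclude_flagged):
                history.append(total)
    return sorted(alerts)


def _days(entity, start, amounts):
    """Constructed-data helper: one event per non-zero daily amount."""
    return [(entity, start + timedelta(days=i), a)
            for i, a in enumerate(amounts) if a]


START = date(2004, 10, 1)
SAMPLE_EVENTS = (
    # Merchant with steady deposits, then a two-day burst.
    _days("merchant:M-1001", START,
          [1000, 1100, 900, 1050, 950, 1000, 1000, 1020, 5200, 5100, 980])
    # Cardholder with ordinary, uneven spending: no alert expected.
    + _days("card:C-2002", START, [40, 25, 0, 60, 30, 0, 45, 35, 50, 55])
    # Dormant card that suddenly shows a large cash withdrawal.
    + _days("card:C-3003", START, [20, 0, 0, 0, 0, 0, 0, 0, 0, 900])
)

if __name__ == "__main__":
    for alert in velocity_alerts(SAMPLE_EVENTS):
        print(alert)
```

With `exclude_flagged=False` the second day of the merchant burst (5,100) goes unflagged, because the first spike has already inflated the baseline it is measured against.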
82
Best Practices: Payment Companies
• Payment Companies
  - Create, refresh & enforce standards
  - Monitor to detect shifts in types and volumes of fraudulent activity
  - Conduct research to innovate new fraud detection and prevention mechanisms
85
References
1. Fisher, Bill. Pers. Comm. VP Processing Strategy, MasterCard International. Interviewed by telephone by Mike Cornish, October 26, 2004.
2. “MasterCard Corporate Fact Sheet,” www.mastercardinternational.com/docs/corporate_fact_sheet_0804.pdf, viewed October 18, 2004.
3. “Global Technology and Operations,” Fact Sheet. www.mastercardinternational.com/newsroom/gto.html, viewed October 18, 2004.
4. “Total Cost of Ownership Analysis.” Internal document: Powerpoint Presentation. Technology & Architecture Services, MasterCard International, February 26, 2003, page 4.
5. “Application Portfolio: Security & Risk Applications.” Internal document: Word document. MasterCard International, March 27, 2003.
6. “2003 GTO & Division Level Financial Data.” Internal document: Excel Sheet. GTO Division, MasterCard International, January 3, 2003.
7. MasterCard International SEC Form 10K – March 4, 2004, www.sec.gov/Archives/edgar/data/1141391/000095012304002820/y94488e10vk.htm, pages 6, 22-24, viewed October 19, 2004.
8. MasterCard International SEC Form 8K – February 3, 2004, www.sec.gov/Archives/edgar/data/1141391/000095012304001154/y93767e8vk.txt, page 3, viewed October 18, 2004.
9. Bhatla, TP, Prabhu, V, and Dua, A. “Understanding Credit Card Frauds”. Card Business Review #2003-01, June 2003, pp 1-15.
10. “Taking a Bite out of Credit Card Fraud,” Celent Communications, www.celent.com/PressReleases/20030121/CreditCardFraud.htm, viewed October 28, 2004.
11. “Identity Theft: Protecting the Customer – Protecting the Institution,” Celent Communications, www.celent.com/PressReleases/20020731(2)/IDTheft.htm, viewed October 28, 2004.
12. “Online Payment Fraud: The Grinch who stole Christmas?” Celent Communications, www.celent.com/PressReleases/20001218/OnlineFraud.htm, viewed October 28, 2004.
13. Valentine, Lisa. “The Fraudsters’ Playground.” American Bankers Association. ABA Banking Journal, 95(8), Aug. 2003, p. 39.
14. “Security & Risk Mission & Overview.” Document, MasterCard International, February 24, 2003.
15. “MasterCard SecureCode for Online Merchants.” Online security document for merchants. http://www.mastercardmerchant.com/docs/securecode/Merchant_Brochure.pdf, viewed October 20, 2004.
16. Bennett, RA. “I didn’t do it.” USBanker 111(12), December 2001, p. 48.
17. “Online fraudsters take $1.6B out of 2003 eCommerce.” CyberSource, www.retailindustry.about.com/cs/lp_internet/a/bl_cs111803.htm, viewed October 20, 2004.
18. US Credit Card Fraud Statistics 2000-2007. Celent Communications, www.epaynews.com/statistics/fraud.html, viewed October 18, 2004.
19. Merchant Risk Council Press Release, www.merchantriskcouncil.org/press.php?p_press_id+13, February 3, 2003, viewed October 21, 2004.
20. “New Leahy Bill Targets INTERNET “PHISHING” That Steals $2 b./yr. from Consumers.” July 2004. www.leahy.senate.gov/press/200404/070904c.html.
21. Micci-Barreca, D. “Unawed by Fraud.” Security Management 47(9), p. 75.
22. “MasterCard SecureCode Case Study: eTronics.” 2003. http://www.mastercardmerchant.com/docs/SC_Case_Study-eTronics.pdf, viewed October 21, 2004.
23. MasterCard RiskFinder. “Solutions.” http://www.fairisaac.com/cgi-bin/MsmGo.exe?grab_id=13&page_id=655872&query=RiskFinder&hiword=RiskFinder+, viewed October 21, 2004.
24. Saunders, Kurt M., and Zucker, Bruce, “Counteracting Identity Fraud in the Information Age: The Identity Theft and Assumption of Deterrence Act” International Review of Law, Computers & Technology, August 1999, 183–192.
25. Groves, Shanna, “Protecting Your Identity” Information Management Journal, May/June 2002, 27-31.
26. Myron, David, “Stolen Names, Big Numbers” American Demographics, September 2004, 36-38.
27. Bielski, Lauren, “Identity Theft” ABA Banking Journal, January 2001, 27-30.
28. Diller-Haas, Amy, “Identity Theft: It Can Happen to You” The CPA Journal, April 2004, 42-44.
29. Riordan, Diane A., and Riordan, Michael P., “Who Has Your Numbers?” Strategic Finance, April 2003, 22-26.
30. O’Sullivan, Orla, “Gone ‘Phishing’” ABA Banking Journal, November 2003, 7-8.
31. Bauerle, James F., “Pattern Recognition Software and Dramas of Deception: New Challenges in Electronic Financial Services” The RMA Journal, October 2004, 2-5.
32. Bielski, Lauren, “Striving to Create a Safe Haven Online” ABA Banking Journal, May 2003, 53-59.
33. Krebs, Brian, “28 Identity Theft Suspects Arrested in Transatlantic Sting,” The Washington Post, October 29, 2004.
34. Bauerle, James F., “Golden Eye Redux” The Banking Law Journal, March 2003, 1-15.
35. Heller, Jason, “New Senate Privacy Bill Addresses Personally Identifiable Information” Intellectual Property & Technology Law Journal, September 2001, 31-32.
36. http://frwebgate.access.gpo.gov/cgi-bin/useftp.cgi?IPaddress=162.140.64.21&filename=h2622eas.pdf&directory=/diskb/wais/data/108_cong_bills, viewed October 25, 2004.
37. Phillips, John T., “Privacy vs. Cybersecurity” Information Management Journal, May/June 2002, 46-50.
38. https://www.merchantconnect.com/CWRWeb/glossary.do?glossaryLetter=i, viewed October 30, 2004.
39. http://www.nameprotect.com/html/services/id_theft/credit_card.html, viewed October 30, 2004.
40. “How can I protect my customers from identify theft?” Colorado Attorney General: ID Theft Prevention & Information, www.ago.state.co.us/idtheft/clients.htm, viewed November 3, 2003.
41. “Network Security Policy: Best Practices White Paper,” Cisco Systems, www.cisco.com/warp/public/126/secpol.html, Page 2, viewed November 2, 2004.
42. CERT® Security Improvement Modules, CERT® Coordination Center, www.cert.org/security-improvement, viewed November 2, 2004.
43. “Webserver Security Best Practices”, PC Magazine, www.pcmag.com/article2/0,4149,11525,00.asp, viewed November 2, 2004.
44. “Tips for Preventing Credit Card Fraud,” MasterCard International, www.mastercardinternational.com/newsroom/security_risk.html, viewed October 22, 2004.
45. “Best Practices for Preventing Online identity Theft”, Public Safety and Emergency Preparedness Canada, www.ocipep-bpiepc.gc.ca/opsprods/info_notes/IN04-002_e.asp, viewed November 2, 2004.
46. “Preventing Fraud: Fighting Fraud is a Shared Responsibility,” MasterCard International, www.mastercardmerchant.com/preventing_fraud, viewed October 28, 2004.