When holidays around the corner, the amount of fraudulent activity tends to increase. As we all know, the most important aspect of stopping fraud is reporting it immediately. Unfortunately, the holidays also mean that many financial institutions and companies are closed in observation. While many banks provide a 24/7 support year-round for reporting cards lost or stolen, some financial institutions do not. Even if your bank does provide the support, the only record you may have of that phone number may be on the card itself, so if you lose the card or have it stolen you might be at a loss where to call.

Luckily, most debit and credit cards are now backed by Visa or MasterCard. If your card is backed by one of these issuers, you may want to take this number down for emergencies. You know your card is backed if you see the Visa or MasterCard logo on the front.  If you are unable to contact your bank and you have had fraud or lost your card, you can use these numbers to get assistance. The representatives there can either put you in touch with the correct call center to block the card right away, or provide the service directly depending on your bank. In a pinch, these numbers can be essential.

VISA — 1-800-847-2911

1-800-MasterCard (1-800-627-8372)

Keep this information handy, but somewhere other than with your wallet (in case you lose it). I keep a long list of company phone numbers- everything from insurance to credit cards- just in case. These numbers are at the top of my list, and I have used them several times with great success. Be prepared, and all your holiday surprises will be pleasant!

Today, in a report by Wired Magazine, it was revealed that Savvis Inc- the company which performed audits for CardSystems during 2004 when they experienced one of the largest credit card data breaches for it’s time- is being “pulled into court in a novel suit that legal experts say could force increased scrutiny on largely self-regulated credit card security practices.”

Savvis is accused of certifying that payment systems were compliant with security standards, when they were not. Due to the recent rash of breaches by companies that were supposedly compliant with payment industry security standards, PCI Council said last year that it was tightening its oversight of auditors.

These auditors are in charge of ensuring that a company’s methods of processing payments and transmitting information are up to industry standards. However- Heartland Payment Systems and RBS WorldPay, two processors that recently experienced large breaches, were certified compliant before they were breached. I see many problems associated with this audit system as it stands today, highlighted in part by the article:

• Listing standards to become complaint is poor security practice. Good information security comes from adapting, expecting and meeting new threats. By the time new standards are drafted and approved as part of compliance, the threats may have already done damage.
• 3 people on full time staff are in charge of the auditor certification program. How much are these auditors scrutinized?
• Difficulty understanding complex standards creates difficulties for organizations desiring to install or update components to their systems
• 80 percent of the audits in the payment industry are conducted by a dozen major vendors. As the article pointed out, “the rules and requirements for auditors reveal a number of potential conflicts of interest (.pdf) that could arise between an auditor and the entity it’s assessing. For example, many security auditors also make security products. The rules state that a security company will not use its status as auditor to market its products to companies it audits, but if the auditor should happen to find that the client would benefit from its product, it must also tell the client about competing products.”
• A recent study reveals that 20% of IT security managers and technical staff from enterprises and government departments admit to cheating on security audits or knowing of a colleague that did. An even larger percentage “cut corners” resulting in potential holes in audits or security compromises
• Problems are getting worse as companies slash budgets. Staffing issues, substandard or used equipment which may or may not be infected with viruses, and time constraints are all symptomatic of the economic pressure on this industry

It is important to realize that standards and procedures are wonderful tools, necessary to implement any security process or program. However, a chain is only as strong as the weakest link. In this case, the links are made of people, and it only takes one lie or misrepresentation to create millions of dollars in loss.