Select Committee on Science and Technology Minutes of Evidence


Examination of Witnesses (Questions 140 - 159)

WEDNESDAY 13 DECEMBER 2006

MR COLIN WHITTAKER, MS SANDRA QUINN, MR MATTHEW PEMBLE, MS SANDRA ALZETTA AND MR ROBERT LITTAS

  Q140  Lord Harris of Haringey: It does sound to me as though what you are saying is that these decisions are actually taken in terms of whether or not it is going to damage the image of the institution concerned.

  Mr Whittaker: I did not say that.

  Q141  Lord Harris of Haringey: I am saying that is what it sounded like. Could I ask specifically whether in cases where there is some form of security breach which has been initiated fraudulently, say by an employee, it is always the practice of the institutions concerned to notify the police?

  Mr Whittaker: By and large yes it is.

  Q142  Lord Harris of Haringey: Could we be told whether it is normally the practice where there is some form of security breach for the institutions to notify ENISA?

  Mr Whittaker: Not necessarily. ENISA are involved with critical national infrastructure.

  Q143  Lord Harris of Haringey: Financial institutions are part of that.

  Mr Whittaker: Yes they are but at the moment ENISA are concerned with critical national infrastructure incidents and issues. It is not their responsibility to deal with levels of fraud.

  Q144  Lord Harris of Haringey: I was talking about a security breach and I am concerned. You say that it is not significant that a laptop has been stolen. Nationwide lost a laptop and that put the personal data of 10 million customers at risk. That was not reported for several weeks but in the end I think Nationwide did write to people about that.

  Mr Whittaker: Yes.

  Q145  Lord Harris of Haringey: Why did they leave it so long?

  Ms Quinn: I am afraid you would have to ask Nationwide that question. That was a decision they made.

  Q146  Lord Harris of Haringey: What do you think is good practice?

  Ms Quinn: Assessing the risk, assessing what kind of information customers would find useful. I think the best way of doing that is asking customers what kind of information they would find useful. It is very easy to make judgment calls about what we think a customer might find useful but the best way is to ask customers themselves. If you go back to the US case, there is a very different regulatory regime around there as well in that if you have been a victim of fraud you do not always get your money back whereas in the UK you have as a backstop that if you have been a victim of fraud you will be recompensed. That is not always what happens elsewhere.

  Q147  Lord Harris of Haringey: Could I ask Visa how many security breaches your organisation has had in the last year which have been initiated by your own employees?

  Mr Littas: Internal fraud?

  Q148  Lord Harris of Haringey: I am interested both in internal fraud but also in inadvertent security breaches which have made the system vulnerable.

  Mr Littas: We did not have any security breaches internally. We have had a number of breaches of security in various entities where Visa account data was compromised which we subsequently told the banks about. We had quite a substantial number of those breaches.

  Q149  Lord Harris of Haringey: Could you give me an example of what that sort of thing might mean?

  Mr Littas: It might mean that a hacker gets into a merchant's database, takes that data and then uses it for fraud, in particular card not present fraud, because they steal the account data that enables them to use that data to do fraud on the Internet, so that is a problem. So we had a number of breaches.

  Q150  Lord Harris of Haringey: Can you give us some indication of the number?

  Mr Littas: I can give an exact number. For the last year we had well over 100 breaches affecting European cards. We actually only had 10 hacks in Europe affecting Visa Europe cards. Most of these hacks take place in the US and then the data is sold on the Internet or in other ways and then used fraudulently, both face-to-face and in particular on the Internet for purchases.

  Chairman: Lady Hilton has a question on this subject. Would you like to ask that now?

  Q151  Baroness Hilton of Eggardon: I think effectively it has almost been answered but what steps do you take to encourage your merchants to ensure that they have security and do you have any sanctions if they fail to maintain the right level of security?

  Mr Littas: We have a programme which we call the account information security programme which in fact is based on a standard agreed in the whole payment card industry—the payment card data security standard—and we are implementing that. It is a requirement both for merchant processors and everybody who holds Visa or any organisations' payment card data to introduce those measures, to protect data for the card owner, to avoid hackers going in—for example effective firewalls or encryption or whatever is necessary to protect that data. That is a programme that has been in place for a couple of years and we are implementing that, together with the rest of the payment card industry.

  Q152  Baroness Hilton of Eggardon: If you find merchants who are not applying appropriate levels of security, do you drop them in some way or remove their ability to get payments by Visa?

  Mr Littas: The sanction would be, which has been clearly outlined in that programme, if a merchant does not comply with those rules and there is subsequent fraud, that merchant or the acquiring bank will then be liable for that fraud. We can also penalise merchants via the acquiring bank who clearly are out of order with these rules.

  Mr Pemble: It is a requirement upon the acquiring bank who are providing the merchant with the transactions to ensure that the merchant provides evidence of the level of compliance with the payment card industry's standards. They have been recently updated. There is now version two out and it does lay down a number of steps—regular security testing, the use of encryption, and not storing particularly sensitive data. That is a publicly available standard and set of tests that anybody can get off the Internet.

  Q153  Baroness Hilton of Eggardon: My understanding from the banking sector is that you have not had any examples of personal data being hacked into.

  Ms Quinn: No, we are not aware of any case in the UK.

  Q154  Lord Harris of Haringey: Would you be told?

  Mr Whittaker: Yes.

  Q155  Earl of Erroll: This is encryption inside the database at the field level, so in other words it is not worth stealing the information; or is it sitting there unencrypted at any point?

  Mr Pemble: Certain field data in the database is required to be encrypted.

  Q156  Earl of Erroll: If you insist on this then it is not worth stealing the databases?

  Mr Pemble: A direct disk-to-disk copy of the database would not be useable for direct card not present fraud.

  Q157  Earl of Erroll: So do you insist on this with all merchants?

  Mr Littas: We do not insist on encryption; we insist on protection such as putting a firewall in front of the server to make sure that the data cannot be hacked. Encryption is not required as yet. This is one of the things we are thinking about introducing but it is not required for now.

  Chairman: We have almost run out of time but Lord Young has a question.

  Q158  Lord Young of Graffham: Just one quite quick question regarding Visa. I understand Visa has banned the use of credit cards for the purchase of child abuse images. How can they police that? How do they know that an on-line transaction takes place or if they can, would you see this as being widened so that you could find more and more transactions being banned?

  Mr Littas: Is it a question about whether we plan to extend this system?

  Q159  Lord Young of Graffham: Yes, first of all, can you do it effectively?

  Mr Littas: Absolutely. I think we can say that the co-operation with the Child Exploitation and On-line Protection Centre that we conduct has been very, very effective. They have an intelligence section and they find suspect sites very, very rapidly and they work with law enforcement and other entities to close these down. I think we can say that that has been really very effective. Whether we are going to extend that to apply to other services or goods, we are certainly looking at everything. We do not want Visa cards to be used for any sort of immoral or illegal activities obviously, but right now we do not have any plan to extend that approach because the law of the land is really taking care of most markets.

  Ms Alzetta: Our position has always been that it is not our job to be the moral arbiter. However, the reason that we made an exception for the child abuse images is because, sadly, the fact is that law does not exist in all countries that prohibits this so we have taken the step of saying we are just not going to allow it.



© Parliamentary copyright 2007