Examination of Witnesses (Questions 140
WEDNESDAY 13 DECEMBER 2006
Q140 Lord Harris of Haringey:
It does sound to me as though what you are saying is that these
decisions are actually taken in terms of whether or not it is
going to damage the image of the institution concerned.
Mr Whittaker: I did not say that.
Q141 Lord Harris of Haringey:
I am saying that is what it sounded like. Could I ask specifically
whether in cases where there is some form of security breach which
has been initiated fraudulently, say by an employee, it is always
the practice of the institutions concerned to notify the police?
Mr Whittaker: By and large yes it is.
Q142 Lord Harris of Haringey:
Could we be told whether it is normally the practice where there
is some form of security breach for the institutions to notify
Mr Whittaker: Not necessarily. ENISA are involved
with critical national infrastructure.
Q143 Lord Harris of Haringey:
Financial institutions are part of that.
Mr Whittaker: Yes they are but at the moment
ENISA are concerned with critical national infrastructure incidents
and issues. It is not their responsibility to deal with levels
Q144 Lord Harris of Haringey:
I was talking about a security breach and I am concerned. You
say that it is not significant that a laptop has been stolen.
Nationwide lost a laptop and that put the personal data of 10
million customers at risk. That was not reported for several weeks
but in the end I think Nationwide did write to people about that.
Mr Whittaker: Yes.
Q145 Lord Harris of Haringey:
Why did they leave it so long?
Ms Quinn: I am afraid you would have to ask
Nationwide that question. That was a decision they made.
Q146 Lord Harris of Haringey:
What do you think is good practice?
Ms Quinn: Assessing the risk, assessing what
kind of information customers would find useful. I think the best
way of doing that is asking customers what kind of information
they would find useful. It is very easy to make judgment calls
about what we think a customer might find useful but the best
way is to ask customers themselves. If you go back to the US case,
there is a very different regulatory regime around there as well
in that if you have been a victim of fraud you do not always get
your money back whereas in the UK you have as a backstop that
if you have been a victim of fraud you will be recompensed. That
is not always what happens elsewhere.
Q147 Lord Harris of Haringey:
Could I ask Visa how many security breaches your organisation
has had in the last year which have been initiated by your own
Mr Littas: Internal fraud?
Q148 Lord Harris of Haringey:
I am interested both in internal fraud but also in inadvertent
security breaches which have made the system vulnerable.
Mr Littas: We did not have any security breaches
internally. We have had a number of breaches of security in various
entities where Visa account data was compromised which we subsequently
told the banks about. We had quite a substantial number of those
Q149 Lord Harris of Haringey:
Could you give me an example of what that sort of thing might
Mr Littas: It might mean that a hacker getting
into a merchant's database, taking that data and then using it
for fraud, in particular card not present fraud, because they
steal the account data that enables them to use that data to do
fraud on the Internet, so that is a problem. So we had a number
Q150 Lord Harris of Haringey:
Can you give us some indication of the number?
Mr Littas: I can give an exact number. For the
last year we had well over 100 breaches affecting European cards.
We actually only had 10 hacks in Europe affecting Visa Europe
cards. Most of these hacks take place in the US and then the data
is sold on the Internet or in other ways and then used fraudulently,
both face-to-face and in particular on the Internet for purchases.
Chairman: Lady Hilton has a question
on this subject. Would you like to ask that now.
Q151 Baroness Hilton of Eggardon:
I think effectively it has almost been answered but what steps
do you take to encourage your merchants to ensure that it has
security and do you have any sanctions if they fail to maintain
the right level of security?
Mr Littas: We have a programme which we call
the account information security programme which in fact is based
on a standard agreed in the whole payment card industrythe
payment card data security standardand we are implementing
that. It is a requirement both for merchant processors and everybody
who holds Visa or any organisations' payment card data to introduce
those measures, to protect data for the card owner, to avoid hackers
going infor example effective fire walls or encryption
or whatever is necessary to protect that data. That is a programme
that has been in place for a couple of years and we are implementing
that, together with the rest of the payment card industry.
Q152 Baroness Hilton of Eggardon:
If you find merchants who are not applying appropriate levels
of security, do you drop them in some way or remove their ability
to get payments by Visa?
Mr Littas: The sanction would be, which has
been clearly outlined in that programme, if a merchant does not
comply with those rules and there is subsequent fraud, that merchant
or the acquiring bank will then be liable for that fraud. We can
also penalise merchants via the acquiring bank who clearly are
out of order with these rules.
Mr Pemble: It is a requirement upon the acquiring
bank who are providing the merchant with the transactions to ensure
that the merchant provides evidence of the level of compliance
with the payment cards industry's standards. They have been recently
updated. There is now version two out and it does lay down a number
of stepsregular security testing, the use of encryption,
and not storing particularly sensitive data. That is a publicly
available standard and set of tests that anybody can get off the
Q153 Baroness Hilton of Eggardon:
My understanding from the banking sector is that you have not
had any examples of personal data being hacked into.
Ms Quinn: No, we are not aware of any case in
Q154 Lord Harris of Haringey:
Would you be told?
Mr Whittaker: Yes.
Q155 Earl of Erroll:
This is encryption inside the database at the field level, so
in other words it is not worth stealing the information; or is
it sitting there unencrypted at any point?
Mr Pemble: Certain field data in the database
is required to be encrypted.
Q156 Earl of Erroll:
If you insist on this then it is not worth stealing the databases?
Mr Pemble: A direct disk-to-disk copy of the
database would not be useable for direct card not present fraud.
Q157 Earl of Erroll:
So do you insist on this with all merchants?
Mr Littas: We do not insist on encryption; we
insist on protection such as putting a fire wall in front of the
server to make sure that the data cannot be hacked. Encryption
is not required as yet. This is one of the things we are thinking
about introducing but it is not required for now.
Chairman: We have almost run out of time
but Lord Young has a question.
Q158 Lord Young of Graffham:
Just one quite quick question regarding Visa. I understand Visa
has banned the use of credit cards for the purchase of child abuse
images. How can they police that? How do they know that an on-line
transaction takes place or if they can, would you see this as
being widened so that you could find more and more transactions
Mr Littas: Is it a question about whether we
plan to extend this system?
Q159 Lord Young of Graffham:
Yes, first of all, can you do it effectively?
Mr Littas: Absolutely. I think we can say that
the co-operation with the Child Exploitation and On-line Protection
Centre that we conduct has been very, very effective. They have
an intelligence section and they find suspect sites very, very
rapidly and they work with law enforcement and other entities
to close these down. I think we can say that that has been really
very effective. Whether we are going to extend that to apply to
other services or goods, we are certainly looking at everything.
We do not want Visa cards to be used for any sort of immoral or
illegal activities obviously, but right now we do not have any
plan to extend that approach because the law of the land is really
taking care of most markets.
Ms Alzetta: Our position has always been that
it is not our job to be the moral arbiter. However, the reason
that we made an exception for the child abuse images is because,
sadly, the fact is that law does not exist in all countries that
prohibits this so we have taken the step of saying we are just
not going to allow it.