Master Card International Credit Card Security Risk IS

Master. Card International Credit Card Security & Risk IS 6800 Group Presentation Mike Cornish Kathleen Delpha Mary Erslon November 2004 1

Agenda n n Master. Card Organization Credit Card 101 Credit Card Fraud Case Studies ¡ ¡ n Card Not Present Fraud Identity Theft Fraud Best Practices for Credit Card Security 2

Master. Card Organization 3

Master. Card’s IT & Security Organizations 1 CIO & SEVP Global Technology & Operations SVP GTO Human Resources SVP Computer & Network Services SVP Technology Business Management SVP Security & Risk Management CIO reports to the President & CEO SVP GTO Administration SVP Member Services SVP Systems Development SVP Debit Services Data Center Operations Business Requirements Management Security & Risk Analysis IT Investment Management Office Global Member Operations Support Business Systems Debit Systems Development Network Operations Technology Sales Organization Field Operations GTO Plans & Budgets 1 -800 -Master. Card Call Center Technology Infrastructure Global Debit Operations Hardware & Software Change Management Technical Architecture Master. Card Product Support Call Center Data Warehouse Debit Customer Support VP Technology Communications Project Management Office Offshore Partnership Management & Sales Direct IT Functions Security & Fraud Functions 4

Major IT Decisions 1 IT Principles Master. Card GTO level IT Architecture Master. Card GTO level IT Infrastructure Master. Card GTO level Business Application Needs Federal: Core- Master. Card GTO level Value Added*- Mixture of GTO and business levels IT Investment and Prioritization Duopoly: Cx. O level & GTO * Includes Security & Risk Management applications 5

Governance 1 n Transitioning to IT Duopoly at the Cx. O level from IT Monarchy ¡ ¡ All IT spending remains under control of GTO led initiative to bring transparency to the IT decision making processes, and to bring business involvement into IT investment management Cx. O level sets budget for technology investment & decides priorities GTO investment management office n n Facilitates business prioritization by Cx. O level Allocates & tracks technology spending across GTO 6

Metrics • 37 Sites: Global HQ, GTO HQ, 5 regional & 30 local country offices 2 • Total GTO FTE*: ~2, 0003 • Total Master. Card FTE*: ~4, 0002 • Desktops: ~ 4, 800 worldwide 4 • Security & Fraud Applications: 115 • GTO’s IT Budget for 2003 was ~11%6 of Total Revenue of $2. 23 Bn 7 * Full-time Equivalents (employees, contractors, temps) 7

Credit Card 101 8

Open System: Interchange Model Cardholder Account Relationship Merchant * Acquiring Bank Statementing Relationship Issuing Bank Transaction Relationship Processing Relationship Acquiring Processor * Structure for Visa is similar. Issuing Processor Biggest threats come from outside the payment system! 9

Open System: Interchange Transaction Flow * Merchant Acquiring Processor Acquiring Bank Issuing Processor Cardholder Authorization Request (real-time) Authorization Response (real-time) Merchant Deposit Merchant Payment First Presentment Notice Settlement Statement Payment * Flow is similar for Visa. 10

Closed System Cardholder Merchant Transaction Relationship Acquiring Processor * Structure for Discover is similar. Account Relationship * Biggest threats come from outside the payment system! 11

Closed System: Typical Transaction Flow * Merchant Acquiring Processor Cardholder Authorization Request (real-time) Authorization Response (real-time) Merchant Deposit Merchant Payment Statement Payment * Flow is similar for Discover. 12

Master. Card’s Space n Master. Card International is a global payments company 2 ¡ ¡ n Membership corporation of 25, 000 financial institutions that issue Master. Card, Maestro, and Cirrus branded cards Licensor and franchisor for the Master. Card, Maestro, and Cirrus payment brands 2003 Key Business Indicators 2, 8 ¡ ¡ ¡ Gross volume: US$ 1, 272 Bn Number of transactions: 13. 2 Bn Number of account: 529. 5 MM Number of cards: 632. 4 MM Number of merchants: 22. 0+ MM in 210 Countries Number of ATMs: 900 K+ in 120+ Countries 13

Not Master. Card’s Space 2 n Master. Card does not… ¡ ¡ Issue cards Set annual fees on cards Determine annual percentage rates (APRs) Solicit merchants to accept cards or set their discount rates 14

Credit Card Fraud Master. Card’s Strategies 15

Headlines “ ” “ Jan 23, 2003 ” “ Sep 12, 2003 ” “ Aug 5, 2004 ” Oct 24, 2003 “ ” Feb 19, 2003 “ ” March 17, 2003 “ “ ” Nov 20, 2001 ” Feb 27, 2003 ” “ Sep 12, 2003 16

Types of Fraud 9 n Identity Theft * ¡ ¡ n Card Not Present * ¡ n n Mail, telephone, web Counterfeit * ¡ n Application Fraud Account Takeover Skimming Account number generation Lost & stolen Never Received after Issue Merchant Fraud ¡ ¡ Collusion Triangulation * Increasing and gaining a lot of attention in recent years, especially in the online space 17

Industry Fraud Estimates* 10 12 11 13 Fraud Rates as % of Transaction Volume * There is no true consolidated source for credit card fraud statistics in the industry 18

Master. Card’s Security & Risk Mission: 14 “Protect brand integrity and manage fraud risk through best in class core and value added services with integrated end to end solutions to help position Master. Card as the Global Payments Leader ” 19

Security & Risk Management Applications & Services 5 Application or Service Fraud Type 20 Awareness Detection Prevention

Case Study Card Not Present Fraud 21

“Card Not Present” Defined n Definition 9: ¡ ¡ ¡ n Neither the card nor the cardholder is present at the point-of-sale Merchants are unable to check the physical security features of the card to determine if it is genuine Ecommerce; online or telephone transactions No way to dispute a cardholder claim that a purchase wasn’t made 22

Ecommerce Market 15 n > $3 Trillion worldwide n Master. Card research shows that 90% of online buyers worry about their personal and financial information online 23

Statistics n n n Master. Card CNP incidents account for between 80 and 84% of credit card fraud 16 Online fraud rates up to 30 x higher than in the physical world 17 2003 - $1. 6 B or ~2% of all online sales lost to credit care fraud 17 2004 credit card fraud rate has decreased by 0. 5% since 2000, but the amount lost has increased by 60%19 Projected losses to internet merchants in 2005 expected to be $5 - $15 billion 9 24

Statistics (continued) n Merchant Risk Council Survey 200319 ¡ Fraud chargeback rates > 1% = 9. 7% n ¡ Fraud chargeback rates < 0. 35% = 64% n ¡ 50% reduction since 2002 30% increase since 2002 17% of merchants spent > 2% of revenue on fraud prevention n 30% increase since 2002 25

Examples of Card Not Present Credit Card Fraud n Low-Tech: ¡ ¡ n Dumpster Diving Card Loss/Theft High Tech: ¡ ¡ ¡ Phishing or site cloning Account number generators Online “auctions” or false merchant sites 26

Card Not Present n May be caused by ¡ ¡ ¡ Less-than-diligent cardholder (dumpster diving, theft) Cardholder response to plausible ploy (phishing) May be out of cardholder’s control (numbers generator, hacking) 27

Combating CNP Fraud: Legislative Examples n Anti-Phishing Act of 200420 ¡ ¡ ¡ Introduced 07/04 by Sen. Leahy (D-VT) Phishing responsible for $2 B in merchant losses/year Enters 2 new crimes into US Crime Code n n E-mail that links to sham websites with the intent of committing a crime The sham websites that are the true scene of the crime 28

Combating CNP Fraud: Legislative Examples n n n State laws 21 regulate the amount of information on a credit card receipt to the last four numbers of the credit card Expiration date may not appear on receipt CA, WA, MD, CT enacting legislation 29

Combating CNP Fraud: Consumer n n Education and Awareness Consumer “Best Practices” 30

Combating CNP Fraud: Merchant n Multi-level technical solutions ¡ ¡ Cardholder Authentication Neural Networks 31

Case Study: Secure. Code™ n Licensed Master. Card cardholder authentication solution 15 enables cardholders to authenticate themselves to their issuer through the use of a unique personal code (PIN) A VISA counterpart is “Verified by VISA” or “Vby. V. ” 32

Secure. Code 15 n Cardholders enter their secure code in a separate browser window before an online transaction can be authorized ¡ ¡ Requires a merchant “plug-in, ” or software module, to be deployed on the merchant’s website Requires the merchant to use a data transport mechanism and processing support 33

Secure. Code 15 n n n The participating merchant gets explicit evidence of an authorized purchase (authentication data) Fully guaranteed online payments – protection from chargebacks Master. Card mandated that issuers implement support for Master. Card Secure Code by November 1, 2004 34

Secure. Code and e. Tronics 22 n A Top Ten Internet consumer electronics retailer ¡ ¡ n n n >200, 000 customers and 300, 000 orders annually Over $65 million in yearly sale In 2002, e. Tronics had credit card chargeback costs of over 1 million/year Implemented Secure. Code in 2003 “Too soon to tell” impact since Secure. Code is not yet implemented globally, but e. Tronics is “optimistic and enthusiastic” about its success 35

“Phishing Attack” – Mike’s Experience Phishing Attack Website Authentic My. Citi Website 36

Case Study: Risk. Finder™ n n n A “neural network” system Fair Isaac’s proprietary profiling technology for fraud prevention – Risk. Finder 23 is a Master. Card-specific application Enables transactions to be “scored” based on highly detailed cardholder patterns/behavior, existing patterns of fraud, and merchant trend data 23 37

Case Study: Risk. Finder™ n n The institution can establish a transaction score threshold, and conduct supplemental review and cardholder follow-up on any transaction that scores above threshold 23 Risk. Finder has saved issuers up to 50% in fraud losses 23 38

Citibank Fraud Detection (Click the thumbnail to play the commercial) www. fightidentitytheft. com/video/babe_magnet. mpeg, Viewed, October 30, 2004 39

Risk. Finder and Kathleen’s Story n Kathleen’s daughter goes camping in Venice. 40

Case Study Identity Theft Fraud 41

Identity Theft: The neoteric crime of the IT era n 24 Identity theft is the illicit use of another individual’s identifying facts to perpetrate an economic fraud, such as ¡ ¡ Opening a bank account Obtaining bank loans or credit Applying for bank or department store cards Or leasing cars or apartments in the name of another. 24 42

Citibank Identity Theft (Click the thumbnail to play the commercial) www. fightidentitytheft. com/video/flaps_mpls_te_mpg. mpeg, Viewed, October 30, 2004 43

Identity Theft: n n The neoteric crime of the IT era Number one source of consumer complaints to the Federal Trade Commission (FTC) in 2001(and thereafter)25 Credit card fraud was most common form of identity theft in 2002 according to the FT 25 44

Identity Theft: The neoteric crime of the IT era 26 45

Identity Theft: n The neoteric crime of the IT era “Compared to equally profitable crimes involving drug or gun trafficking, the sentencing for identity fraud is much lighter—and these folks are tough to catch. ” - Bruce Townsend Special Agent in charge of Financial Crimes Division Secret Service 27 46

Identity Theft: n n The neoteric crime of the IT era In 52% of cases in which the victim discovered how the information was stolen, the thief turned out to be a family member, neighbor, or coworker. 28 Low-Tech sources include: ¡ Paper records of personal information kept by numerous sources. 47

Identity Theft: The neoteric crime of the IT era 29 48

Identity Theft: Causes n Phishing ¡ “Stealing corporations’ identities as a means to impersonating individuals” 30 n Greater number pieces of personal information = greater chance of Identity Theft 49

Identity Theft: ¡ ¡ To counteract phishing, corporations are using software to search for sites breaching their copyrights, then go directly to the company hosting the bogus site to get it shut down. 30 5% of consumers respond to phishing according to the Anti-Phishing Working Group. 31 50

Identity Theft: High Tech Causes n Hacking merchant sites, home computers and any place where personal information is stored. ¡ ¡ Servers that aren’t set up correctly can be compromised by techniques like “end-mapping, ” which “pings” servers systematically until it finds an open port to exploit. Trojan horse content can slip by ordinary packet filter devices deployed by firewalls (spyware, keyloggers). 32 51

Identity Theft: ¡ ¡ High Tech Causes Commandeering other applications. Eavesdropping Software that reports to the hacker a person’s keystrokes and uses it to pick up passwords and gain entry. 32 52

Identity Theft: High tech Causes n Case Study: “Operation Firewall”. ¡ ¡ ¡ 28 Identity Theft Suspects arrested 1. 7 million stolen credit card numbers Investigation instigated by Master. Card’s senior vice president of security risk services. 33 53

Identity Theft: Low tech Causes n n Security firms tend to stress physical security issues, which are easier to identify and remedy than human vulnerabilities. Financial institutions, in order to reduce the risk from within, must create and sustain an institutional culture that values and promotes critical thinking, high self-esteem and genuine loyalty to the institution. 34 54

Identity Theft: Actions to Combat n Legislative ¡ ¡ ¡ ¡ Identity Theft and Assumption Deterrence Act of 199824 Privacy Act of 200135 Consumer Privacy Protection Act, May 200229 Identity Theft Prevention Act, Jan 200329 SSN Misuse Prevention Act, Jan 200329 Fair and Accurate Credit Transactions Act of 200336 Anti-Phishing Act of 2004 20 55

Identity Theft: Actions to Combat n Payment Industry—calling for implementation of technology that definitively corresponds the user to the instrument. 27 56

Identity Theft: Actions to Combat ¡ Identity Authentication Technologies n Biometrics ¡ ¡ ¡ n Face recognition Retina scans Fingerprint authentication Voice /speech verification Handwriting analysis Genetic Engineering ¡ Analyzing DNA components of human fluids & cells. 25 57

Identity Theft: Actions to Combat ¡ Use of Public Key Infrastructure (PKI) n n n Digital signature Protects electronic records Inherent security hinges on who has access to system. 25 58

Identity Theft: Actions to Combat ¡ System embedded security controls to enhance the privacy and confidentiality of information processed across Internet architectures n n Data encryption Digital signatures Secure socket layers (SSL) Cryptographic protocols such as hypertext transfer protocol over SSL (HTTPS)37 59

Identity Theft: Actions to Combat ¡ Smart Cards n n Contain embedded CPU (electronic chip). 32 -kilobyte mini-processors are capable of generating 72 quadrillion encryption keys. Can be programmed to perform tasks & store information. Practically impossible to fraudulently decode. 9 60

Identity Theft: Actions to Combat ¡ Personnel & Procedures n n n Background checks Limit access through password protection Leave an audit trail of who got into files & when Shred information being thrown away Train staff by creating a security handbook 25 61

Identity Theft: Actions to Combat n Designate a Privacy Officer –could be the Information Manager “Privacy and security do not work if you do not have top-level buy-in. Information managers might very well be the key people within the organization to help accomplish this. ” - Gary Clayton Founder & Chairman The Privacy Council 25 62

Identity Theft: Actions to Combat ¡ Use of a layered approach to security n n ¡ Perimeter App-layer protection Intrusion detection Monitoring tools Strategic rather than silver-bullet approach 32 63

Issuers Clearinghouse n n n Joint Master. Card and Visa service. To detect fraudulent and high-risk credit card applications. Screens, validates & tracks ¡ ¡ ¡ Addresses Phone numbers Social Security numbers 38 64

Name. Protect® n n n Monitors Internet 24 x 7 Watches all g. TLD and cc. TLDs, new registrations, and activations. “Identifies Web sites, emails, chat rooms and other electronic venues where personal credit card data is published, sold or traded. ” 39 65

Identity Theft “Rather than posing security as a hurdle to overcome, companies should view their customers’ privacy needs as an opportunity through which they can differentiate themselves as trust leaders, increase their financial value and even energize entire economies. ” Glover T. Ferguson Chief Scientist Accenture 26 66

Best Practices 67

Best Practices: All Industries 40 n Protect your employees and customers from ID theft ¡ ¡ Ask only for necessary information Don’t use SSNs as identifiers Regularly check backgrounds of employees who have access to identifying information Define a privacy policy and communicate it to your customers and employees 68

Best Practices: All Industries 40 n Protect sensitive paper information like payment card numbers, social security numbers, and customer identifying data ¡ ¡ Secure records in a vault or under lock-and-key Restrict access only to persons with a legitimate need to know Shred records when they are no longer needed Immediately report security breaches to affected customers and law enforcement 69

Best Practices: All Industries 41 n Conduct a risk assessment for impact from loss or disclosure of business data n Design record retention policies and physical access controls based on the assessed risks from loss or disclosure. 70

Best Practices: IT Functions 42, 43 n n n Use firewalls, anti-virus, anti-spyware, and access control software to protect networks and computers Keep operating system and security software up-todate with latest security patches from vendors Define policies for strong passwords and change them frequently Monitor for signs of network and web server attack Monitor security websites for breaking information about new threats and best practices (e. g. , CERT® Coordination Center) 71

Best Practices: IT Functions 43 n Protect sensitive electronic info like customer identifying data and account numbers ¡ Segregate sensitive data on separate servers from web servers ¡ Restrict data access rights to only those persons and systems with legitimate need to know ¡ Consider encrypting sensitive information housed in databases 72

Best Practices: Consumers 44 n n Only give payment account numbers or personal identification information to companies you have contacted ¡ Challenge businesses that ask for it about why they need to know ¡ Avoid saying information over the phone when others may hear Do not carry unnecessary payment cards or identification papers (e. g. , social security card, birth certificate) in your wallet or purse ¡ Do not use SSN for your driver’s license or other identification cards 73

Best Practices: Consumers 44 n Keep track of receipts for payment card transactions ¡ n n Shred receipts and account statements having full account numbers Cancel unused credit card accounts* Keep a list of all of your payment card account numbers along with their issuers’ names and contact numbers so you cancel them quickly if lost or stolen * But be aware of potential credit score impact 74

Best Practices: Consumers 45 n n Use firewall, anti-virus, and anti-spyware software Keep your PC operating system and security software up-to-date with latest security patches from your vendors Be suspicious of emails and websites requesting private information Verify URLs and make sure websites are secure before entering account numbers and personal identifying information ¡ ¡ Be careful locating sites through search engines Call the company if you are unsure of the validity of a site 75

Best Practices: Merchants 46 n Card Present ¡ ¡ ¡ Check that the embossing extends into the hologram Check the hologram and indent printing Compare the signature on the card and sales draft Check that the magnetic strip appears authentic Call for a “Code 10” authorization if something doesn’t feel right 76

Best Practices: Merchants 21 n Card not Present ¡ ¡ ¡ Use address verification systems to check the account holder’s billing address Implement Secure. Code and Verified by Visa services Include card verification values/codes in authorization messages (but do not store them in your database) 77

Best Practices: Merchants 21 n Card not Present (Continued) ¡ ¡ Require complete customer contact and payment information before completing an order Process transactions in real-time n ¡ keep the customer on the website until the payment card is authorized and the sale is completed Monitor international transactions 78

Best Practices: Merchants 21 n Card not Present (Continued) ¡ ¡ ¡ Employ rules-based systems to screen and detect suspicious order activity Maintain negative databases of fraudulent orders & offenders, and positive databases of trusted returning customers Adopt Master. Card’s Best Practices for e. Commerce websites n Have a Site Data Protection audit done on your e. Commerce website 79

Best Practices: Acquirers & Merchant Processors n Merchant Acquirers & Processors ¡ ¡ ¡ Provide security features like Address and Card Verification services to merchants Monitor merchant deposit velocity for unexpected increases in deposits Check & report merchant’s termination history 80

Best Practices: Issuers & Card Processors n Card Issuers & Processors ¡ ¡ Monitor cardholder purchase and cash velocity for drastic changes Use behavioral models/neural network software to detect fundamental changes in cardholders’ behaviors 81

Best Practices: Payment Companies n Payment Companies ¡ ¡ ¡ Create, refresh & enforce standards Monitor to detect shifts in types and volumes of fraudulent activity Conduct research to innovate new fraud detection and prevention mechanisms 82

Questions & Answers 83

References 84

References 1. 2. 3. 4. 5. 6. Fisher, Bill. Pers. Comm. VP Processing Strategy, Master. Card International. Interviewed by telephone by Mike Cornish, October 26, 2004. “Master. Card Corporate Fact Sheet, ” www. mastercardinternational. com/docs/corporate_fact_sheet_0804. pdf, viewed October 18, 2004. “Global Technology and Operations, ” Fact Sheet. www. mastercardinternational. com/newsroom/gto. html, viewed October 18, 2004. “Total Cost of Ownership Analysis. ” Internal document: Powerpoint Presentation. Technology & Architecture Services, Master. Card International, February 26, 2003, page 4. “Application Portfolio: Security & Risk Applications. ” Internal document: Word document. Master. Card International, March 27, 2003. “ 2003 GTO & Division Level Financial Data. ” Internal document: Excel Sheet. GTO Division, Master. Card International, January 3, 2003. 85

References 7. 8. 9. 10. 11. 12. Master. Card International SEC Form 10 K – March 4, 2004, www. sec. gov/Archives/edgar/data/1141391/000095012304002820/ y 94488 e 10 vk. htm, pages 6, 22 -24, viewed October 19, 2004. Master. Card International SEC Form 8 K – February 3, 2004, www. sec. gov/Archives/edgar/data/1141391/000095012304001154/ y 93767 e 8 vk. txt, viewed October 18, 2004, pages 3. Bhatla, TP, Prabhu, V, and Dua, A. “Understanding Credit Card Frauds”. Card Business Review #2003 -01, June 2003, pp 1 -15. “Taking a Bite our of Credit Card Fraud, ” Celent Communications, www. celent. com/Press. Releases/20030121/Credit. Card. Fraud. htm, viewed October 28, 2004. “Identity Theft: Protecting the Customer – Protecting the Institution, ” Celent Communications, www. celent. com/Press. Releases/20020731(2)/IDTheft. htm, viewed October 28, 2004. “Online Payment Fraud: The Grinch who stole Christmas? ” Celent Communications, www. celent. com/Press. Releases/20001218/Online. Fraud. htm, viewed October 28, 2004. 86

References 13. 14. 15. 16. 17. 18. Valentine, Lisa. “The Fraudsters’ Playground. ” American Bankers Association. ABA Banking Journal, 95(8), Aug. 2003, p. 39. “Security & Risk Mission & Overview. ” Document, Master. Card International, February 24, 2003. “Master. Card Secure. Code for Online Merchants. ” Online security document for merchants. http: //www. mastercardmerchant. com/docs/securecode/Merchant_B rochure. pdf, viewed October 20, 2004. Bennett, RA. “I didn’t do it. ”. USBanker 111(12), December 2001, p. 48. “Online fraudsters take $1. 6 B out of 2003 e. Commerce. ” Cyber. Source, www. retailindustry. about. com/cs/lp_internet/a/bl_cs 111803. htm, viewed October 20, 2004. US Credit Card Fraud Statistics 2000 -2007. Celent Communications, www. epaynews. com/statistics/fraud. html, viewed October 18, 2004. 87

References 19. 20. 21. 22. 23. Merchant Risk Council Press Release, www. merchantriskcouncil. org/press. php? p_press_id+13, February 3, 2003, viewed October 21, 2004. “New Leahy Bill Targets INTERNET “PHISHING” That Steals $2 b. /yr. from Consumers. ” July 2004. www. leahy. senate. gov/press/200404/070904 c. html. Micci-Barreca, D. “Unawed by Fraud. ” Security Management 47(9), p. 75. “Master. Card Secure. Code Case Study: e. Tronics. ” 2003. http: //www. mastercardmerchant. com/docs/SC_Case_Studye. Tronics. pdf. , viewed October 21, 2004. Master. Card Risk. Finder. “Solutions. ” http: //www. fairisaac. com/cgibin/Msm. Go. exe? grab_id=13&page_id=655872&query=Risk. Finder& hiword=Risk. Finder+, viewed October 21, 2004. 88

References 24. 25. 26. 27. 28. 29. Saunders, Kurt M. , and Zucker, Bruce, “Counteracting Identity Fraud in the Information Age: The Identity Theft and Assumption of Deterrence Act” International Review of Law, Computers & Technology, August 1999, 183– 192. Groves, Shanna, “Protecting Your Identity” Information Management Journal, May/June 2002, 27 -31. Myron, David, “Stolen Names, Big Numbers” American Demographics, September 2004, 36 -38. Bielski, Lauren, “Identity Theft” ABA Banking Journal, January 2001, 27 -30. Diller-Haas, Amy, “Identity Theft: It Can Happen to You” The CPA Journal, April 2004, 42 -44. Riordan, Diane A. , and Riordan, Michael P. , “Who Has Your Numbers? ” Strategic Finance, April 2003, 22 -26. 89

References 30. 31. 32. 33. 34. 35. 36. O’Sullivan, Orla, “Gone ‘Phishing’” ABA Banking Journal, November 2003, 7 -8. Bauerle, James F. , “Pattern Recognition Software and Dramas of Deception: New Challenges in Electronic Financial Services” The RMA Journal, October 2004, 2 -5. Bielski, Lauren, “Striving to Create a Safe Haven Online” ABA Banking Journal, May 2003, 53 -59. Krebs, Brian, “ 28 Identity Theft Suspects Arrested in Transatlantic Sting, ” The Washington Post, October 29, 2004. Bauerle, James F. , “Golden Eye Redux” The Banking Law Journal, March 2003, 1 -15. Heller, Jason, “New Senate Privacy Bill Addresses Personally Identifiable Information” Intellectual Property & Technology Law Journal, September 2001, 31 -32. http: //frwebgate. access. gpo. gov/cgibin/useftp. cgi? IPaddress=162. 140. 64. 21&filename=h 2622 eas. pdf& directory=/diskb/wais/data/108_cong_bills , viewed October 25, 2004. 90

References 37. 38. 39. 40. 41. 42. 43. Phillips, John T. , “Privacy vs. Cybersecurity” Information Management Journal, May/June 2002, 46 -50. https: //www. merchantconnect. com/CWRWeb/glossary. do? glossar y. Letter=i , Viewed October 30, 2004. http: //www. nameprotect. com/html/services/id_theft/credit_card. htm l, Viewed October 30, 2004. “How can I protect my customers from identify theft? ” Colorado Attorney General: ID Theft Prevention & Information, www. ago. state. co. us/idtheft/clients. htm, viewed November 3, 2003. “Network Security Policy: Best Practices White Paper, ” Cisco Systems, www. cisco. com/warp/public/126/secpol. html, Page 2, viewed November 2, 2004. CERT® Security Improvement Modules, CERT® Coordination Center, www. cert. org/security-improvement, viewed November 2, 2004. “Webserver Security Best Practices”, PC Magazine, www. pcmag. com/article 2/0, 4149, 11525, 00. asp, viewed November 2, 2004. 91

References 44. 45. 46. “Tips for Preventing Credit Card Fraud, ” Master. Card International, www. mastercardinternational. com/newsroom/security_risk. html, viewed October 22, 2004. “Best Practices for Preventing Online identity Theft”, Public Safety and Emergency Preparedness Canada, www. ocipepbpiepc. gc. ca/opsprods/info_notes/IN 04 -002_e. asp, viewed November 2, 2004. “Preventing Fraud: Fighting Fraud is a Shared Responsibility, ” Master. Card International, www. mastercardmerchant. com/preventing_fraud, viewed October 28, 2004. 92