Terrorism and PCI Compliance

We have read complaints on other blogs about the PCI standards, claiming they are a burden for merchants and software developers.  But when considering the documented link between credit card fraud—which PCI DSS was developed to fight against—and terrorism, perhaps complaints about security standards will fall silent.

Kimberly Kiefer Peretti, Senior Counsel in the Computer Crime and Intellectual Property Secti on of the USA Department of Justice, recently wrote an excellent white paper, “Data Breaches: What the Underground World of  ‘Carding’ Reveals.”   In this paper, she gives a concise overview of large scale data breaches by skilled hackers—who is doing it and how, as well as the implications of these breaches.

One of Peretti’s most salient points comes in her discussion of how carding—activities surrounding the theft and fraudulent use of credit and debit card account numbers—is linked to other criminal behavior, including terrorism and drug trafficking.  She writes:

“Indeed, it appears that terrorists may be well aware of the carding underground. A convicted terrorist in Indonesia, Imam Samudra, specifically referred to credit card fraud and carding as a means to fund terrorist activities in his 280-page autobiography.  Samudra allegedly sought to fund the 2002 Bali nightclub bombings, of which he was convicted, in part through online credit card fraud.

In a second case connecting terrorism and credit card fraud, three British men were convicted of inciting terrorist murder via the Internet under the United Kingdom’s Terrorism Act of 2000.In this case, Younes Tsouli, Waseem Mughal, and Tariq Al- Daour allegedly ran a network of extremist websites and through al-Qaeda statements communication forums and videos of beheadings and suicide bombings in Iraq and other jihadi propaganda were disseminated.The second phase of the case, the three men pleaded guilty to conspiracy to defraud banks and credit card companies.With regard to these charges, Al-Daour and his confederates allegedly used stolen credit card numbers obtained through phishing scams and Trojan horses to make more than $3,5 million iHackern fraudulent charges.Specially, Al-Daour and his co-conspirators used the numbers at lots of online stores to purchase equipment and other items, including prepaid cell phones and airline tickets, to aid jihadi groups in the field.Apart from this, Tsouli and Mughal allegedly used stolen credit card numbers to set up and host jihadi websites. Significantly, the investigation revealed that these individuals were members of one or more carding organizations, including the now defunct Shadowcrew criminal organization.”

The Payment Card Industry Data Security Standards, PCI DSS, were created by the major credit card companies to prevent these types of data breaches to merchants and payment processors.  Although they are not a fool-proof plan against hackers, if a business follows PCI DSS carefully and implements it as part of a holistic security risk management plan, their customer information is less likely to be compromised.  And, in turn, a business is taking part in the squelching of the funding of terrorist organizations.  How empowering!

Tweet This Post 

Tags: PCI, PCI compliance, PCI compliant, PCI DSS, PCI DSS compliance

 Print This Post Posted in Spyware Software 11 Comments