Banking and Financial Services

Why Fair Credit Reporting Act is important

Given that in the United States, most activities center around debt and credit management, a consumer’s credit report is perhaps one of his or her most important financial documents. The Fair Credit Reporting Act (FCRA) defines the procedures for managing credit reporting. It provides protection and guidelines for credit reporting agencies as well as users of credit reports. There are a number of authentication services, including ones used by eBay (in conjunction with VeriSign), that verify the identity of a buyer using a combination of public and nonpublic information, including credit report information.

Because a credit report attests not only to a consumer’s identity but also to his or her creditworthiness, a rating can be assigned for the given application. Many of these services must comply with the FCRA.

What Is Identrus

Identrus was formed in 1999 through a partnership of leading financial institutions, including ABN AMRO, Bank of America, Bankers Trust (since acquired by Deutsche Bank), Barclays, Chase Manhattan, Citigroup, Deutsche Bank, and Hypo Vereinsbank. The main purpose was to enable a trusted business-to-business (B2B) e-commerce marketplace with financial institutions as the key trust providers. The organization leverages financial institutions with a global reach that can still provide local presences. The organization provides identity validation and warranty protection for global B2B e-commerce. Identrus provides a vendor-neutral environment that has the legal backing of all that PKI brings.

Need for Identrus

The two biggest beneficiaries of Identrus are the trading partners that require non-repudiable identities for their counterparts and the financial institutions that want to extend their banking online. These beneficiaries, among others, can also leverage a global standard, which would be difficult to establish on their own. In addition, through a common standard, more banks are willing to use PKI-based technology because the cost of deployment decreases as the number of applications and trading partners increases.

What are the major parts of the Gramm-Leach-Bliley Act

The U.S. Congress signed the Gramm-Leach-Bliley Act (GLBA) into law on November 12, 1999. The intent of the law was to encourage adequate competition among members of the financial services industry. The GLBA was similar to HIPAA (healthcare legislation) in that both laws sought to encourage efficiencies in their respective industries. Similarly, both recognized the need for security and the privacy of the individual. The GLBA specifies, in seven titles, the specific requirements for all major financial players, including banks, securities firms, and insurance companies, and the responsibilities of the financial community to protect the individual’s right to privacy.

These are major parts (or titles) of the GLBA:
TITLE I: facilitating affiliations among banks, securities firms, and insurance companies
This title covers the inner details of the banking industry and the change that allows banks and brokerage firms to merge their operations (previously disallowed under the Glass-Steagall Act).

TITLE II: functional regulation
This title defines rules for functional regulation of bank securities activities (among other easing of restrictions).

The Basel II Approach to Managing Risk

Risk, an inherent part of business, has been brought to the attention of a wider public audience as a result of a series of events over recent years. These included incidents of fraud, major credit failures, exploits focused on information technology, and many others. Media response and public interest have confirmed that risk management is seen as an important priority for maintaining public confidence in the international financial system. [Basel II, ITGI Institute]

Within the banking and financial services community, risk, in general, requires categorization to create manageable GRC structures. Risk categories are usually defined along the core business areas found in a typical bank or financial services organization. These risk categories include:

  • Credit risk
  • Market risk
  • Operational risk
  • Liquidity risk
  • Interest rate risk
  • Legal risk
  • Strategic risk
  • Reputational risk

The Basel Committee on Banking Supervision

Benefits of PCI DSS Compliance

One of the benefits of PCI compliance is that your organization will not be fined in case of a compromise. If the post-mortem analysis shows that your company was still compliant at the time of the incident, no fines will be assessed, and you will be granted what is known as “safe harbor.” It is likely that your company will be taken to civil court regardless of your compliance status should a breach occur. However, a jury will be much more sympathetic to your company’s case if you can show that due diligence was practiced by virtue of PCI compliance.

More immediately, if your company is a Level 1 or Level 2 merchant, you may be eligible to receive a part of the $20 million in financial incentives from Visa. In December 2006, Visa USA announced its PCI Compliance Acceleration Program (CAP). Merchants that demonstrate compliance by August 31, 2007, may receive a one-time incentive payment.

Mapping Out a Strategy for PCI DSS

Now that we've looked at the particulars of the PCI requirements for protecting cardholder data, and discussed some of the technologies and methods available to achieve compliance, let's take a step back and briefly discuss your approach.

In many cases, organizations that handle PCI data were already doing so before the PCI DSS came out, so their networks and architecture processes already existed. If you were designing your network and your plan from the ground up with PCI DSS in mind, you'd do it differently. Attempting to apply specific security standards after the fact is a different (and more difficult) proposition.
