IMGCAP(1)]
Much of the data fraud committed this year is "data-in-transit theft" instead of "data-stored theft" because merchants no longer are allowed to store payment card magnetic stripe data under the Payment Application Data Security Standard, a Trustwave representative tells CardLine sister publication ISO&Agent Weekly. Data-in-transit theft occurs when consumer card information moves among merchants' servers. Fraudsters may tap into the network and capture the unencrypted data as it moves, says Colin Sheppard, forensics practices manager with Trustwave, a Chicago-based data-security company. Some merchants may have older terminal software or hardware that does not encrypt data to today's standards. Data-stored theft occurs when fraudsters steal card information from a merchant's computer hard drive after a transaction, he says. The Payments Card Industry Security Standards Council manages the Payment Application Data Security Standard, which is intended to help software vendors and others develop secure payment applications that do not store prohibited data, such as full magnetic-stripe information.
