Contact: Claire Quinn
Deloitte
Public Relations Executive
+ 353 1 4172356
Contact: John McGuinness
Murray Consultants
01 498 0361 / 087 6417451
A significant number of websites do not enforce adequate security for online payments, leading to a greater risk of identity theft and fraud, according to recent analysis performed by Deloitte Enterprise Risk Services.
The analysis looked at over 100 Irish-based e-commerce websites and examined the security levels that were in place for online payments. While certain progress has been made in complying with the Payment Card Industry Data Security Standard (PCI DSS), a significant proportion of the websites analysed are still not compliant with the standard. 53% of companies supported weak or legacy encryption, and 2% of sites did not encrypt cardholder data entry sessions at all. This means that the information visitors submit to the site, such as name, address and credit card details, can potentially be intercepted and accessed by fraudsters.
In addition, 7% of websites did not require a CVV2 number, the three-digit code on the back of credit cards. Requesting this number greatly reduces the risk of fraud. 3% of websites also had expired SSL certificates. SSL certificates verify that the website being interacted with is who it claims to be.
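As an added illustration (not part of Deloitte's analysis or its methodology), the following Python checker classifies a checkout page's transport security into the three categories the survey reports: no encryption at all, weak or legacy encryption, and an expired certificate. The protocol and cipher lists are an assumed policy of our own, and the `probe` helper is an assumed live-check wrapper around the standard `ssl` module.

```python
import socket
import ssl
import time

# Assumed policy, not Deloitte's survey criteria: protocol versions and cipher
# families that a merchant should no longer be offering on a payment page.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "DES", "3DES", "NULL", "EXPORT", "MD5")


def assess_checkout(scheme, protocol, cipher, not_after, now_epoch=None):
    """Classify one checkout page into the survey's finding categories.

    scheme:    'http' or 'https' for the page where card details are entered
    protocol:  negotiated version as reported by ssl, e.g. 'TLSv1.2'
    cipher:    negotiated cipher name, e.g. 'ECDHE-RSA-AES128-GCM-SHA256'
    not_after: certificate expiry in OpenSSL text form, e.g. 'Jan 10 12:00:00 2030 GMT'
    Returns a sorted list of finding codes; an empty list means no finding.
    """
    # Cardholder data sent over plain HTTP is the most serious case; nothing
    # else about the connection matters once that is true.
    if scheme != "https":
        return ["unencrypted_cardholder_entry"]
    findings = []
    if protocol in LEGACY_PROTOCOLS or any(m in cipher.upper() for m in WEAK_CIPHER_MARKERS):
        findings.append("weak_or_legacy_encryption")
    # ssl.cert_time_to_seconds parses the GMT timestamp format used in getpeercert().
    expiry = ssl.cert_time_to_seconds(not_after)
    if expiry < (now_epoch if now_epoch is not None else time.time()):
        findings.append("expired_certificate")
    return sorted(findings)


def probe(host, port=443, timeout=5):
    """Live check (needs network): return (protocol, cipher, notAfter) for a host.

    A verifying context is used on purpose: an expired or otherwise invalid
    certificate surfaces as ssl.SSLCertVerificationError, which the caller
    should record as a finding rather than suppress.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return tls.version(), tls.cipher()[0], cert["notAfter"]
```

Feeding the tuple returned by `probe` into `assess_checkout` with `scheme="https"` reproduces the survey's classification for a single site; the `http` case is decided from the checkout URL before any TLS handshake.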
Commenting on the results, Colm McDonnell, Partner, Enterprise Risk Services, Deloitte said: “The results of the survey show that many websites do not have adequate levels of security for processing online transactions, which many consumers carry out on a very regular basis. Identity theft and credit card fraud are a growing problem here in Ireland and inadequate levels of security must be addressed by merchants as a matter of priority.”
Michael Hofmeyr, Senior Manager, Enterprise Risk Services, Deloitte added: “Recent research released in National Identity Fraud Prevention Week found that almost 90,000 people in Ireland have fallen victim to identity fraud. It is imperative that companies are doing their utmost to ensure that online payments are as secure as possible on their websites and that they recognise their role in protecting consumers. By not securing the information that consumers provide on their websites, companies are putting them at risk of credit card fraud and identity theft, which at best can result in a significant amount of stress for the victim, and at worst can result in a loss of money. In addition, the merchants themselves could face significant fines if a fraud takes place and they are found not to be compliant with PCI DSS.”
PCI DSS is the set of standards created by the major credit card firms, including Visa, MasterCard, American Express, Diner’s Club, Discover and JCB. These standards cover a range of areas including building and maintaining a secure network, protecting cardholder data, implementing strong access control measures and maintaining an information security policy, among others.
Hofmeyr concluded: “The PCI DSS standards have recently been updated to further address the issue of protecting stored data and encrypting transmissions of cardholder data across public networks. Merchants are expected to comply with these updates immediately.”
Ends
Deloitte Profile
Deloitte’s 1,100 people in Dublin, Cork and Limerick provide audit, tax, consulting, and corporate finance services to public and private clients spanning multiple industries. With a globally connected network of member firms in 145 locations, Deloitte brings world-class capabilities and deep local expertise to help clients succeed wherever they operate.
Deloitte's 165,000 professionals are committed to becoming the standard of excellence. Deloitte's professionals are unified by a collaborative culture that fosters integrity, outstanding value to markets and clients, commitment to each other, and strength from diversity. They enjoy an environment of continuous learning, challenging experiences, and enriching career opportunities. Deloitte's professionals are dedicated to strengthening corporate responsibility, building public trust, and making a positive impact in their communities.
Legal disclaimer
Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu and its Member Firms.
These materials and the information contained herein are provided by Deloitte & Touche and are intended to provide general information on a particular subject or subjects and are not an exhaustive treatment of such subject(s). Accordingly, the information in these materials is not intended to constitute accounting, tax, legal, investment, consulting or other professional advice or services. The information is not intended to be relied upon as the sole basis for any decision which may affect you or your business. Before making any decision or taking any action that might affect your personal finances or business, you should consult a qualified professional adviser. These materials and the information contained therein are provided as is, and Deloitte & Touche makes no express or implied representations or warranties regarding these materials or the information contained therein. Without limiting the foregoing, Deloitte & Touche does not warrant that the materials or information contained therein will be error-free or will meet any particular criteria of performance or quality. Deloitte & Touche expressly disclaims all implied warranties, including, without limitation, warranties of merchantability, title, fitness for a particular purpose, non-infringement, compatibility, security and accuracy.
Your use of these materials and information contained therein is at your own risk, and you assume full responsibility and risk of loss resulting from the use thereof. Deloitte & Touche will not be liable for any special, indirect, incidental, consequential or punitive damages or any other damages whatsoever, whether in an action of contract, statute, tort (including, without limitation, negligence) or otherwise, relating to the use of these materials or the information contained therein.