Penny Wise, IT Governance Foolish?
Posted by Jeff Papows on Tue, Jun 29, 2010 @ 10:52 AM
I just caught this news story by IDG reporter Robert McMillan about a recent Internet fraud ring that resulted in the theft of millions of dollars from U.S. consumers.
A patient band of thieves who basically stole spare change from consumers went undetected for years because the thefts were minimal -- ranging from pennies to a few dollars -- yet totaling $9.5 million. It turns out that the ring was able to uncover a loophole in the IT infrastructure of credit card processing companies that allowed the fake credit card transactions to get through.
Given the speed and volume of these types of online transactions, it's often difficult to proactively pinpoint the source of the theft and the location of the loophole until after the damage is done. Certainly there are mechanisms in place and security tools throughout the infrastructure that can halt the majority of thefts before they take place. One of the most common and widely used industry standards for credit card issuers to help prevent fraud is the PCI DSS (Payment Card Industry Data Security Standard).
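The reason this ring stayed invisible for years is worth spelling out in code: a per-transaction amount threshold never fires on a 30-cent charge, so the signal only appears when you aggregate by merchant and ask how many different cards are being billed tiny amounts. The toy detector below is an added example for this post, not code from the news story, from any card processor, or from WebLayers; it assumes a flat list of settled transactions (merchant id, tokenised card, dollar amount), and the thresholds and the sample data are constructed for illustration.

```python
"""Toy detector for low-value, high-volume card fraud.

Added example, not part of the original post and not any real processor's
logic. Assumes a flat list of settled transactions (merchant, card token,
amount) and flags merchants whose activity is dominated by tiny charges
spread across many distinct cards -- the pattern a per-transaction amount
threshold never sees because every individual charge is below it.
"""
from collections import defaultdict
from statistics import median
from typing import NamedTuple


class Txn(NamedTuple):
    merchant: str
    card_token: str   # tokenised PAN; the raw card number is never stored here
    amount: float     # dollars


# Tunable assumptions for this example, not PCI DSS requirements.
MICRO_AMOUNT = 5.00        # a charge at or below this counts as "micro"
MIN_DISTINCT_CARDS = 50    # how many different cards before a merchant is interesting
MICRO_SHARE = 0.90         # fraction of a merchant's charges that must be micro


def merchant_profiles(txns):
    """Aggregate per merchant: how much of its volume is micro, across how many cards."""
    by_merchant = defaultdict(list)
    for t in txns:
        by_merchant[t.merchant].append(t)
    profiles = {}
    for m, rows in by_merchant.items():
        micro = [t for t in rows if t.amount <= MICRO_AMOUNT]
        profiles[m] = {
            "total_charges": len(rows),
            "micro_share": len(micro) / len(rows),
            "distinct_cards_micro": len({t.card_token for t in micro}),
            "median_amount": median(t.amount for t in rows),
            "micro_dollars": round(sum(t.amount for t in micro), 2),
        }
    return profiles


def flag_merchants(txns):
    """A merchant is flagged only when both the share and the card spread are high.
    A coffee shop is all-micro too, but bills the same few regulars, so it passes."""
    flagged = []
    for m, p in merchant_profiles(txns).items():
        if p["micro_share"] >= MICRO_SHARE and p["distinct_cards_micro"] >= MIN_DISTINCT_CARDS:
            flagged.append(m)
    return sorted(flagged)


def sample_transactions():
    """Constructed data: one merchant billing cents to many cards once each,
    one coffee shop billing ten regulars a few dollars, one ordinary retailer."""
    txns = []
    # suspicious: 120 different cards, 20 to 90 cents each, one charge per card
    for i in range(120):
        txns.append(Txn("M-SUSPECT", f"tok{i:04d}", 0.20 + (i % 8) * 0.10))
    # coffee shop: 10 regulars, six $3.50-$4.00 charges each
    for i in range(10):
        for k in range(6):
            txns.append(Txn("M-COFFEE", f"reg{i:02d}", 3.50 + 0.25 * (k % 3)))
    # retailer: 80 cards, $20-$60 per charge
    for i in range(80):
        txns.append(Txn("M-RETAIL", f"cust{i:03d}", 20.0 + (i % 5) * 10))
    return txns


if __name__ == "__main__":
    data = sample_transactions()
    for name, profile in merchant_profiles(data).items():
        print(name, profile)
    print("flagged:", flag_merchants(data))
```

The point of the two-part rule is the false-positive case: a legitimate micro-merchant (the coffee shop) has a 100% micro share, so share alone would flag it; requiring many distinct cards is what separates "small-ticket business" from "small charge to everyone". In a real deployment the aggregation window, the card-spread threshold and the handling of refunds would all need tuning against the processor's own baseline.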
Yet the sheer volume of data, the speed of online transactions and the growing complexity of our IT infrastructures will continue to leave us with infrastructure gaps that allow less-than-scrupulous characters to pounce. It's these types of multimillion-dollar scams that elevate the need for applying standards and for introducing and enforcing IT governance throughout the entire infrastructure.
Of course, PCI compliance and IT governance won't prevent online fraud. But they can decrease its impact if they are part of the early stages of software design and development. (As a side note, and in the spirit of transparency, back in February WebLayers announced its Policy Annex, a sort of app store if you will, that validates IT governance policies to support PCI compliance.)
Yet more than applying technologies and standards, preventing the exploitation of gaps in the infrastructure requires a combination of developer and management skills, applied to the technology together.