PCI Compliance and Terrorism
We have read complaints on other blogs about the PCI standards, claiming they are a burden for merchants and software developers. But when one considers the documented link between credit card fraud, which PCI DSS was developed to fight, and terrorism, perhaps the complaints about security standards will fall silent.
Kimberly Kiefer Peretti, Senior Counsel in the Computer Crime and Intellectual Property Section of the U.S. Department of Justice, recently wrote an excellent white paper, “Data Breaches: What the Underground World of ‘Carding’ Reveals.” In it she gives a concise overview of large-scale data breaches by skilled hackers: who is doing it, how they do it, and the implications of these breaches.
One of Peretti’s most salient points comes in her discussion of how carding (the activities surrounding the theft and fraudulent use of credit and debit card account numbers) is linked to other criminal behavior, including terrorism and drug trafficking. She writes:
“In fact, it seems that the terrorists can be fully aware of the carding underground. Imam Samudra, who is a convicted terrorist in Indonesia, specifically referred to credit card fraud and carding as a means to fund terrorist activities in his 280-page autobiography. Samudra was convicted since he sought to fund the 2002 Bali nightclub bombings, in part through online credit card fraud.
In the second case, including terrorist attacks and credit card fraud, three British men were convicted of inciting terrorist murder via the Internet under the United Kingdom’s Terrorism Act of 2000. In this case, Younes Tsouli, Waseem Mughal, and Tariq Al-Daour allegedly ran a network of extremist websites and communication forums through which al-Qaeda statements were issued and videos of beheadings and suicide bombings in Iraq and other jihadi propaganda were disseminated. In the second phase of the case, the three men pleaded guilty to conspiracy to defraud banks and credit card companies. With regard to these charges, Al-Daour and his confederates allegedly used stolen credit card numbers obtained through phishing scams and Trojan horses to make more than ,5 million in fraudulent charges. In particular, Al-Daour and his co-conspirators used the numbers at hundreds of online stores to purchase equipment and other items, including prepaid cell phones and airline tickets, to aid jihadi groups in the field. Apart from this, Tsouli and Mughal allegedly used stolen credit card numbers to set up and host jihadi websites. Importantly, the investigation revealed that these individuals were members of one or more carding organizations, including the now defunct Shadowcrew criminal organization.”
The Payment Card Industry Data Security Standard, PCI DSS, was created by the major credit card companies to prevent these types of data breaches at merchants and payment processors. It is not a fool-proof defense against hackers, but if a business follows PCI DSS carefully and implements it as part of a holistic security risk management plan, its customer information is less likely to be compromised. And, in turn, that business is helping to choke off one source of funding for terrorist organizations.