
FEATURE

July 2010 Computer Fraud & Security 5

Prevent, protect, pursue – a paradigm for fighting fraud

According to CIFAS, the UK’s fraud prevention service, nearly 60,000 proven frauds were identified in the first three months of 2010 alone. Identity fraud, where fraudsters use the names and details of innocent victims to obtain money, goods or credit, also increased by almost 20 per cent in the first quarter of 2010 compared with the same period in 2009.


In order to combat fraud and security breaches effectively, merchants across all sectors need a better understanding of their overall fraud and security landscape and the threats and exposures it presents. For instance, many merchants put all their effort into preventing e-commerce fraud; this is short-sighted because fraudulent activity respects no boundaries and every channel is vulnerable.

Fraudsters can be first-party, third-party, ‘friendly’, opportunistic or part of an organised criminal group: anything from an underage person trying to buy alcohol with a parent’s credit card to an organised gang mounting a Denial of Service (DoS) attack designed to make a computer resource unavailable to its intended users. Fraud can also occur anywhere within a business, from externally generated activity to internal threats from a company’s own staff.

Multichannel approach

The problem is vast, constant and evolving. As fast as merchants can detect fraudulent activity and shut it down, fraudsters remain one step ahead, coming up with new techniques for merchants and the payments industry to fight against across multichannel environments.


And no matter how much an organisation works to protect against or prevent security breaches, persistent fraudsters will be working just as diligently to find another channel to exploit. If they have been prevented from defrauding a merchant in a shop, where the cardholder has to be present and the purchase is authenticated by chip-and-PIN, they may then look for gaps in that merchant’s e-commerce environment.

If that merchant implemented the 3D Secure protocol – such as Verified by Visa or MasterCard SecureCode – to limit e-commerce fraud, fraudsters may then see if they can exploit that merchant’s call centre channel. And, when a fraudster or gang of criminals succeeds in committing fraud in one particular channel, they will often extend their activity to other channels simply because it is easy for them to do so.


Robin Adams, The Logic Group

According to the January 2010 report from the National Fraud Authority, fraud now costs the UK an eye-watering £30 billion a year. Some 58 per cent of that loss falls on the public sector, with tax fraud alone accounting for £15.2 billion. In the private sector, financial services companies are said to suffer yearly losses of £3.8 billion through crimes including mortgage and insurance fraud, online banking fraud, and cheque and card fraud.

Certain sectors are also subject to particular types of targeted fraud, and merchants should be aware of the specific types prevalent in their market. In the financial services sector, for example, No Intention to Pay (NITP) fraud is on the increase. Here fraudsters sign up for car insurance, usually paying the first instalment with a compromised credit card, and set up a direct debit for the remaining 11 instalments. As soon as the insurance certificate arrives, the fraudster cancels the direct debit. The insurance company generally writes this off as too expensive to pursue; meanwhile the fraudster holds a certificate to produce if stopped by the police or asked to prove the vehicle is insured.

Charities are also well known as test sites for fraudsters. As many of them take low-value transactions, fraudsters use their sites to see if compromised cards can get through authorisation before going to other sites selling higher-value goods.

Merchants that sell goods and services with an age restriction (eg, alcohol, knives, games or betting services) are also regularly targeted by fraudsters. Underage children may try to appear older by changing their date of birth, or use a parent’s credit card to buy restricted goods. Or someone may try to open an account to access pornography using a relative’s or partner’s personal details. Without proper identity checks to catch them out, fraudsters can easily get around many restrictions.


What should merchants do in order to be safe?

The truth is that there is no silver bullet to combat fraud. A merchant can’t simply adopt 3D Secure and presume it is safe – fraudsters will find another way. There is also no ‘one size fits all’ solution, as every merchant is different, with different fraud levels and exposure. A particular prevention technique will work for one and not the other.

Merchants need to look at their payment and loyalty environments as a whole, and not just at fraud prevention in isolation. This involves a three-step approach:

1. Prevent: the first step is to take measures to prevent fraud and detect areas of vulnerability before fraudsters can attack. This can be done by implementing correct procedures (and ensuring that the business is following them); training staff to recognise fraudulent activity; adhering to industry initiatives such as the Payment Card Industry Data Security Standard (PCI DSS), 3D Secure and CV2 (card security code) checking; and making use of expert fraud screening and prevention suppliers.

2. Protect: merchants need to make sure their infrastructure is protected against security breaches. If infrastructure and networks are not protected, attackers will penetrate systems and steal consumer and business data. By complying with best-practice guidelines such as PCI DSS, organisations can protect their infrastructure and, with it, customer confidence, loyalty and ultimately retention.

3. Pursue: even if a merchant follows best-practice guidelines and is PCI DSS compliant, it may still be the victim of a breach. At this stage it is important to have procedures in place to pursue. This allows merchants to respond rapidly to any external or internal breach and to understand why it happened, who caused it, and where and when it took place, so that the breach does not recur. This can include calling in a Qualified Forensic Investigator (QFI) that uses ethical hackers and a dedicated forensics lab to identify and pursue attacks including website hacking, unauthorised access to critical systems, theft of financial or critical data, and unauthorised use of computer equipment.


Although fraudsters are increasingly resourceful and have been more active than ever during the peak of the recession, there is a continued effort on the part of the industry to stay ahead of the fraud curve. As there is no single solution or approach to combating fraud, retailers, banks and security specialists must increasingly work together and pool expertise to help organisations actively prevent fraud before it happens, protect against breaches that are likely to happen or are happening, and aggressively pursue fraudsters once a breach has actually taken place.

Figure 1: The three-step approach to combating fraud.

In order to enhance customer confidence and interaction, and reduce business risk, organisations must also step up and put the processes in place to ensure that they are managing their information and transactions securely. Point solutions are available, but at the end of the day, it will be combined fraud and risk management expertise with an overall integrated approach that will keep fraudsters at bay.

1. Prevent

A key step is to take measures to limit fraud exposure from the outset. How? By implementing comprehensive fraud and risk-management programmes to prevent fraud before it occurs.

Identifying areas of vulnerability

The first step is to fully understand the exposure to fraud across all payment and loyalty infrastructures within the business. The technologies used to combat card fraud are varied and constantly evolve to deal with increasingly innovative attacks by fraudsters looking for new ways to exploit businesses and their customers alike.

While fraudsters may initially be selective in where they look to strike, fraud is a multichannel issue and can occur throughout the business – be that in-store, online, call centre or internal. Fraudsters are opportunistic and will strike wherever there are vulnerabilities.

Typically, merchants need to protect themselves across three areas: card data fraud, identity fraud and internal fraud. This is where fraud screening and prevention suppliers come in, as each business is different and requires different levels of fraud screening and protection. Manual security processes and procedures are also needed in some circumstances. Merchants should be compliant with industry best-practice initiatives to detect and prevent fraud.

Card data fraud often occurs on e-commerce sites or via call centres where the cardholder is not present during a transaction. To identify and prevent fraudulent transactions, merchants can route transactions to specialist fraud service providers who can offer different types and levels of fraud screening across multichannel environments. These services allow legitimate customers to transact seamlessly while fraudsters are identified and rejected before payment authorisation takes place.

Fraud prevention services use a variety of methods to verify and authenticate cardholders. Fraud detection rules and pattern detection engines can be set up specific to an organisation’s business processes or industry, and statistical and machine-learning models can be used to detect behaviours and patterns that indicate when fraud is likely to occur.

For example, using a process called geolocation, fraud specialists can automatically check whether the same card is being used in different parts of the globe. The customer’s Internet Protocol (IP) address is resolved to an approximate physical location and compared with the billing or delivery address given for the transaction, and with the location of the card’s previous transactions. Two transactions close together in time but far apart geographically, or an IP location that does not fit the address on the order, are flagged to the merchant as a potential problem.


Also, a technique called ‘device recognition’, commonly referred to as ‘device fingerprinting’ because of its similarity to the human equivalent, allows fraud specialists to identify and track the device (PC, browser or handset) from which a payment is made, so that a positive or negative history can be built up for its online activity.

Checking for inconsistencies

Another area of prevention is identity fraud. An identity check can identify developed identities, impersonation or other high-risk conditions pertaining to identity fraud. An obvious discrepancy would be if, for example, the date of birth specified in an online purchase does not match data held by an information services company such as Experian – for instance, in the case of an underage youth trying to use a parent’s credit card to transact online. Many people aren’t aware that these checks even take place.


Special fraud detection technologies can also look at behavioural patterns to detect potential fraud. If a cardholder typically buys a month’s worth of shopping, such as groceries, then suddenly buys several high-value items such as electrical goods, a car, and concert tickets – this too can be flagged as potentially fraudulent until the purchases have been verified with the card holder.
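As an added illustration of the geolocation and behavioural checks described above (example code written for this edition, not The Logic Group’s screening service), the Go program below applies three screening rules to a constructed sequence of card-not-present transactions: IP location against billing address, ‘impossible travel’ between successive uses of the same card, and spend against the card’s own baseline. The thresholds, the coordinates, the card token and the transactions are all assumptions for illustration; a real service would take the coordinates from an IP geolocation database and an address geocoder.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"time"
)

// Txn is one card-not-present transaction as a screening service sees it.
// IPLat/IPLon come from geolocating the customer's IP address; BillLat/BillLon
// from the billing address the cardholder supplied. Card is a token for the
// PAN, never the PAN itself.
type Txn struct {
	ID, Card                       string
	At                             time.Time
	Amount                         float64 // GBP
	IPLat, IPLon, BillLat, BillLon float64
}

// Thresholds are assumptions for illustration, not figures from the article.
const (
	maxIPToBillingKm = 500.0 // IP location this far from the billing address is suspicious
	maxSpeedKmh      = 900.0 // faster than a scheduled flight between two uses of one card
	spendMultiplier  = 5.0   // amount versus the card's median previous spend
	minHistory       = 3     // prior transactions needed before the baseline is trusted
)

// haversineKm is the great-circle distance between two lat/lon points.
func haversineKm(lat1, lon1, lat2, lon2 float64) float64 {
	const earthRadiusKm = 6371.0
	rad := func(deg float64) float64 { return deg * math.Pi / 180 }
	dLat, dLon := rad(lat2-lat1), rad(lon2-lon1)
	a := math.Sin(dLat/2)*math.Sin(dLat/2) +
		math.Cos(rad(lat1))*math.Cos(rad(lat2))*math.Sin(dLon/2)*math.Sin(dLon/2)
	return 2 * earthRadiusKm * math.Asin(math.Sqrt(a))
}

func median(v []float64) float64 {
	s := append([]float64(nil), v...)
	sort.Float64s(s)
	if n := len(s); n%2 == 1 {
		return s[n/2]
	}
	return (s[len(s)/2-1] + s[len(s)/2]) / 2
}

// Screen applies the three rules to transactions in time order and returns,
// keyed by transaction ID, the rules each one tripped. Clean IDs are absent.
func Screen(txns []Txn) map[string][]string {
	ordered := append([]Txn(nil), txns...)
	sort.Slice(ordered, func(i, j int) bool { return ordered[i].At.Before(ordered[j].At) })

	flags := map[string][]string{}
	last := map[string]Txn{}          // most recent transaction per card
	history := map[string][]float64{} // amounts seen so far per card

	for _, t := range ordered {
		// Rule 1: IP geolocation versus billing address.
		if haversineKm(t.IPLat, t.IPLon, t.BillLat, t.BillLon) > maxIPToBillingKm {
			flags[t.ID] = append(flags[t.ID], "ip_far_from_billing")
		}
		// Rule 2: "impossible travel" between successive uses of the same card.
		if prev, ok := last[t.Card]; ok {
			km := haversineKm(prev.IPLat, prev.IPLon, t.IPLat, t.IPLon)
			hours := t.At.Sub(prev.At).Hours()
			if km > 0 && (hours <= 0 || km/hours > maxSpeedKmh) {
				flags[t.ID] = append(flags[t.ID], "impossible_travel")
			}
		}
		// Rule 3: spend far above the card's own established baseline.
		if h := history[t.Card]; len(h) >= minHistory && t.Amount > spendMultiplier*median(h) {
			flags[t.ID] = append(flags[t.ID], "spend_anomaly")
		}
		last[t.Card] = t
		history[t.Card] = append(history[t.Card], t.Amount)
	}
	return flags
}

// SampleTxns is constructed data: four weekly grocery orders from London,
// then a large order half an hour later from an IP address in Lagos.
func SampleTxns() []Txn {
	london := [2]float64{51.5074, -0.1278}
	lagos := [2]float64{6.5244, 3.3792}
	day := func(d, h, m int) time.Time { return time.Date(2010, time.June, d, h, m, 0, 0, time.UTC) }
	mk := func(id string, at time.Time, amt float64, ip [2]float64) Txn {
		return Txn{ID: id, Card: "tok-7f3a", At: at, Amount: amt,
			IPLat: ip[0], IPLon: ip[1], BillLat: london[0], BillLon: london[1]}
	}
	return []Txn{
		mk("t1", day(1, 10, 0), 72, london),
		mk("t2", day(8, 10, 0), 65, london),
		mk("t3", day(15, 10, 0), 80, london),
		mk("t4", day(22, 10, 0), 70, london),
		mk("t5", day(22, 10, 30), 1200, lagos),
	}
}

func main() {
	for id, rules := range Screen(SampleTxns()) {
		fmt.Println(id, rules)
	}
}
```

Rule 2 compares against the IP-derived location of the card’s previous transaction rather than the billing address, which is what catches a card used from two continents half an hour apart even when each order on its own looks plausible; only the fifth transaction in the sample trips any rule, and it trips all three.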

Information services companies have to match data exactly for a transaction to go through, but a match is not the same as proof. Just because someone has a ‘credit footprint’ does not necessarily mean that they are 18 years old, because even a 17-year-old can register on the full electoral roll. This method is used by many data resellers and is not 100 per cent accurate.


There are many other methods used to detect identity fraud, including accessing information in the Credit Application Previous Search (CAPS) file and the Mortality File, which contains up-to-date data on the recently deceased.

Internal fraud

The third and perhaps most sensitive area that merchants should protect themselves against is internal fraud. After each payment or loyalty transaction, the data is screened retrospectively using client- and sector-specific rules to determine whether any unusual activity has occurred. This can highlight internal fraud, including collusion between employees, ‘sweetheart’ fraud and abuse of staff discount and loyalty cards.

These services look for behavioural patterns that could indicate internal fraud. For example, if the same loyalty card keeps being applied to multiple transactions, this could indicate that an employee is collecting loyalty points for themselves rather than applying them to the legitimate customer.
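The loyalty card pattern above, as an added example that is not part of the original article: a short Go program that screens a constructed point-of-sale journal retrospectively and flags any loyalty card applied alongside many different customers’ payment cards, most of them keyed by a single operator. The journal format, the thresholds and the operator and token identifiers are assumptions made for this example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed point-of-sale journal (not from the article). Fields: transaction
// id, till, operator id, a token for the payment card, loyalty card number
// ("-" when none was presented).
const journal = `id,till,operator,pay_token,loyalty
T001,3,op7,pt-a1,L-100
T002,3,op7,pt-b2,L-100
T003,3,op7,pt-c3,L-100
T004,3,op7,pt-d4,L-100
T005,3,op7,pt-e5,L-100
T006,5,op2,pt-f6,L-100
T007,1,op4,pt-g7,L-200
T008,2,op9,pt-g7,L-200
T009,4,op2,pt-h8,L-200
T010,5,op7,pt-g7,L-200
T011,2,op9,pt-i9,-
T012,3,op7,pt-j0,L-300`

// LoyaltyUse summarises how one loyalty card was applied across the journal.
type LoyaltyUse struct {
	Transactions     int
	DistinctPayers   int     // distinct payment cards it was applied alongside
	TopOperator      string  // operator who applied it most often
	TopOperatorShare float64 // that operator's share of its transactions
}

// Assumed thresholds: a household may share two or three payment cards, but
// a loyalty card applied to many strangers' payments, mostly by one operator,
// suggests the operator is harvesting the points.
const (
	minDistinctPayers = 3
	minOperatorShare  = 0.75
)

// Summarise parses the journal and aggregates usage per loyalty card.
func Summarise(csvText string) map[string]LoyaltyUse {
	payers := map[string]map[string]bool{}
	byOperator := map[string]map[string]int{}
	lines := strings.Split(strings.TrimSpace(csvText), "\n")
	for _, line := range lines[1:] { // skip the header row
		f := strings.Split(line, ",")
		if len(f) != 5 || f[4] == "-" {
			continue
		}
		operator, payToken, loyalty := f[2], f[3], f[4]
		if payers[loyalty] == nil {
			payers[loyalty] = map[string]bool{}
			byOperator[loyalty] = map[string]int{}
		}
		payers[loyalty][payToken] = true
		byOperator[loyalty][operator]++
	}
	out := map[string]LoyaltyUse{}
	for loyalty, ops := range byOperator {
		u := LoyaltyUse{DistinctPayers: len(payers[loyalty])}
		for op, n := range ops {
			u.Transactions += n
			// Highest count wins; ties broken by operator id for determinism.
			if n > ops[u.TopOperator] || (n == ops[u.TopOperator] && op < u.TopOperator) {
				u.TopOperator = op
			}
		}
		u.TopOperatorShare = float64(ops[u.TopOperator]) / float64(u.Transactions)
		out[loyalty] = u
	}
	return out
}

// Flagged returns, sorted, the loyalty cards whose usage trips both thresholds.
func Flagged(summary map[string]LoyaltyUse) []string {
	var hits []string
	for card, u := range summary {
		if u.DistinctPayers >= minDistinctPayers && u.TopOperatorShare >= minOperatorShare {
			hits = append(hits, card)
		}
	}
	sort.Strings(hits)
	return hits
}

func main() {
	s := Summarise(journal)
	for _, card := range Flagged(s) {
		u := s[card]
		fmt.Printf("%s: %d transactions, %d distinct payment cards, %.0f%% keyed by %s\n",
			card, u.Transactions, u.DistinctPayers, 100*u.TopOperatorShare, u.TopOperator)
	}
}
```

In the sample, L-100 is applied to six different customers’ cards, five of them on operator op7’s till, and is flagged; L-200 is used four times but with only two payment cards across four operators, which is what a household sharing a card looks like, and is left alone.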

Specialist services can also identify stock shrinkage for loss prevention and are often linked to CCTV services. For instance, a common cause of stock shrinkage is ‘sweetheart’ fraud, where – say – a customer whose partner works on a certain supermarket till every Thursday night might do their weekly shopping that night, with the partner failing to put every purchase through the system.

People and processes

Merchants should also ensure that their employees are aware of fraud prevention processes. These processes should be continually monitored, reviewed and checked to make certain they are working in a positive way for the business, reducing false positives and ensuring that good customers can get their goods and services without having their buying experience lengthened or tarnished.

Simple checks that form part of general security awareness training are crucial. These include straightforward checks such as whether the person at the till matches the name on the card: if the card says Mr Smith and a woman is purchasing goods, for instance, the person presenting the card should be challenged.

Merchants should also be aware that some security processes can be made more efficient by automation, saving the merchant time and money. This could include ‘review’ queues in call centres that could instead be handled by specific automated fraud-prevention rules implemented by fraud-prevention specialists.

Industry initiatives

Merchants should also be using industry initiatives such as 3D Secure and CV2 checking. Some of these are mandated for certain transaction types, and they can also earn preferential merchant service charges; 3D Secure in particular offers a liability shift for authenticated transactions, moving the liability and cost of a fraudulent transaction or chargeback away from the merchant and onto the card issuer.

A merchant must also ensure that it is using a PCI DSS compliant Payment Service Provider (PSP), is PCI DSS compliant itself, or both; outsourcing card handling to a compliant PSP reduces the scope of the merchant’s own obligations but does not remove them. The PCI standard is global and very well recognised; any merchant willing to take the risk of not adhering to PCI DSS and its associated best practice and guidelines is unlikely to retain customers if a security breach occurs.

And, although there are many solutions available that are designed to tackle fraud, many of these are point products and will only address certain areas of vulnerability. In order to fully assess exposure across a business, organisations should look to experts who can draw experience from a wide range of sources and have worked within multichannel environments.


Preventing fraudulent activity before it happens is an organisation’s best first defence, and there are many technologies and solutions that can help. Unfortunately, however, even when an organisation employs fraud-screening services, follows best-practice guidelines and complies with industry and payment card directives designed to obviate fraudulent activity, fraudsters still get through. Organisations therefore must also have processes and procedures in place to protect their infrastructure against attacks when they do occur.


2. Protect

In the past decade there has been increasing focus on the security of cardholder data held by third parties. High-profile data breaches and the associated losses resulting from the fraudulent use of compromised cardholder data have made global headlines and have struck fear into consumers and merchants alike.

Well-publicised breaches include those involving Heartland Payment Systems in 2008 and TJX in 2007. In each case it was reported that well over 40 million card details were compromised. Although breaches tend not to be as well-publicised in Europe (where the duty of disclosure is not mandated), in the UK, fraud is known to have accounted for £610 million-worth of transactions in 2008 – 0.12 per cent of total card turnover.

However, fraud can and does hit every part of a business. According to a survey published in April 2010 by PricewaterhouseCoopers, 92 per cent of large UK businesses experienced some kind of security breach in the past year, including attacks by cybercriminals and accidental leaks of confidential data. According to the report, large companies are dealing with an average of 45 incidents a year, up from 15 only two years ago, and the cost incurred in dealing with these incidents is soaring, with the worst cases cited as costing as much as £690,000 to put right.

In addition to putting measures in place to prevent fraud at the point of purchase, merchants must also protect their infrastructures from security breaches and attacks. If network infrastructures are not protected from hackers intent on obtaining sensitive information, such as cardholder data, they will penetrate systems and steal consumer and business information that will be used for fraudulent activity.


All businesses, regardless of size or industry, need to fully understand the scope of their fraud and security landscape and put measures in place to prevent fraudulent activity from occurring.

A multifaceted approach

The most comprehensive way for a merchant to protect its infrastructure is by complying with PCI DSS, which was introduced to address the increasing threat of loss of cardholder data and to protect infrastructures from attack. Merchants, acquirers, PSPs and issuers are now mandated by the card schemes to become compliant with this standard, protecting cardholder data both in transit and at rest throughout the payment network infrastructure.

PCI DSS is multifaceted and includes requirements for security management, policies and procedures, network architecture, software design and other critical protective measures. This includes building and maintaining a secure network; protecting stored cardholder data and encrypting it when it is transmitted across open, public networks; developing and maintaining secure systems and applications; implementing strong access control measures; regularly monitoring and testing security systems and processes; and maintaining a policy that addresses information security.

Though PCI DSS may initially be daunting, merchants should view compliance not just as a mandate, but as a critical component of their overall security and anti-fraud strategy.


The cost of non-compliance

Although there is a significant threat of fines for non-compliance with the standard, merchants should also consider that a data breach resulting from non-compliance will inevitably result in significant damage to their brand reputation. A report by Ipsos MORI found that merchants could expect to see customers abandoning firms that suffered security breaches (53 per cent of respondents), opting to cancel their credit cards (48 per cent) and even reporting them to the police (20 per cent) or national consumer bodies (17 per cent).

The Logic Group recently carried out its fifth annual survey of PCI DSS compliance and awareness, which encouragingly revealed a growing trend towards adoption of the standard by card security professionals and that the standard is achieving its objectives. According to the study, 83 per cent of businesses believe that their organisation is more, or significantly more, secure because of PCI DSS, which is good news for all.

The survey also discovered that organisations, although more attuned to the benefits of PCI DSS than ever before, are almost unanimous (98 per cent) in their belief that greater focus should be placed on improving security and not just on achieving compliance for its own sake. Received wisdom is that if organisations focus on comprehensive security across their business channels, then compliance will follow.

There are many specialists that can help organisations implement and comply with PCI DSS, but there are only around 40 organisations with Qualified Security Assessors (QSAs) in the UK that are authorised to conduct the onsite audits validating a merchant’s adherence to the requirements of PCI DSS. To become a QSA company, an organisation’s suitability has to be reviewed as part of a rigorous application process before it receives approval from the PCI Security Standards Council to put forward individuals to take the QSA training course and exam.

Figure 2: Data is routed via a data centre. If this is PCI DSS compliant, and the data is encrypted, this reduces exposure to fraud while the data is being transferred.

When implemented correctly, the requirements of PCI DSS substantially reduce the risk of data exposure and compromise. As a result, onsite PCI DSS audits performed by QSAs have become vital in today’s environment. How well an assessment is conducted can have a significant impact on the implementation of PCI measures and controls, which can be a costly and quite painful process for merchants, so it is a qualification that comes with significant responsibilities.

Although increasing numbers of companies are embracing the broader benefits of PCI DSS, many are still underestimating the amount of time it will take to achieve compliance. At the beginning of 2008, 71 per cent of respondents said they were either already compliant or expected to be compliant within 12 months. One year on, however, the figure to have successfully achieved full compliance still stood at only 25 per cent.


Constant evolution

Technology and business processes linked to fighting card fraud and sustaining compliance are rapidly evolving, and keeping up can be a challenge. Attacks and techniques are increasingly innovative and fraudsters are persistent. In addition to putting measures in place to prevent fraudulent activity, organisations need to protect their infrastructure against security breaches, and for this PCI DSS compliance is a must.

End-to-end encryption (E2EE) is an arrangement in which card data is encrypted at the point of payment, inside a secure device, and only decrypted within a secure data centre that has been certified as a PCI DSS compliant environment. The intervening store systems, networks and service providers carry only ciphertext, so the card data is not exposed to the threat of fraud while it is being transferred to the point of storage, and those intervening systems hold far less cardholder data that needs protecting.
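An added example, not from the article or from any vendor’s product, of what the E2EE arrangement looks like in code, in Go using AES-256-GCM from the standard library. The terminal encrypts the PAN under a per-terminal key and binds the ciphertext to the terminal ID, transaction counter and masked PAN; anything between the terminal and the data centre sees only that envelope; the data centre, which holds the key, decrypts it and rejects any envelope altered in transit. The key, terminal identifier and test PAN are constructed; real terminals receive their keys by secure key injection, which this example does not cover.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// Envelope is what leaves the terminal. Intermediate store and transport
// systems can read the masked PAN for receipts and routing but nothing else.
type Envelope struct {
	TerminalID string
	Counter    uint64 // per-terminal transaction counter
	MaskedPAN  string
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM output with the 16-byte tag appended
}

// MaskPAN keeps the first six and last four digits, the truncation PCI DSS
// permits for display.
func MaskPAN(pan string) string {
	if len(pan) <= 10 {
		return strings.Repeat("*", len(pan))
	}
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

// associatedData binds the ciphertext to its envelope fields, so an
// intermediary cannot swap the masked PAN, alter the counter or re-attribute
// the transaction to another terminal without the GCM tag check failing.
func associatedData(e Envelope) []byte {
	return []byte(fmt.Sprintf("%s|%d|%s", e.TerminalID, e.Counter, e.MaskedPAN))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("terminal key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptPAN runs on the terminal: the PAN exists in clear only here.
func EncryptPAN(key []byte, terminalID string, counter uint64, pan string) (Envelope, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	env := Envelope{TerminalID: terminalID, Counter: counter, MaskedPAN: MaskPAN(pan)}
	env.Nonce = make([]byte, gcm.NonceSize())
	if _, err := rand.Read(env.Nonce); err != nil {
		return Envelope{}, err
	}
	env.Ciphertext = gcm.Seal(nil, env.Nonce, []byte(pan), associatedData(env))
	return env, nil
}

// DecryptPAN runs inside the PCI DSS environment that holds the key. Any
// change to the ciphertext, nonce or bound fields in transit makes it fail.
func DecryptPAN(key []byte, env Envelope) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	pan, err := gcm.Open(nil, env.Nonce, env.Ciphertext, associatedData(env))
	if err != nil {
		return "", fmt.Errorf("envelope rejected: %w", err)
	}
	return string(pan), nil
}

func main() {
	// Constructed key; a real terminal would receive it by secure key injection.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	env, err := EncryptPAN(key, "TERM-0417", 1, "4539578763621486")
	if err != nil {
		panic(err)
	}
	fmt.Printf("in transit: terminal=%s masked=%s ciphertext=%x\n", env.TerminalID, env.MaskedPAN, env.Ciphertext)
	pan, err := DecryptPAN(key, env)
	fmt.Println("data centre:", pan, err)
	env.MaskedPAN = "411111******1111" // an intermediary tampering with the envelope
	_, err = DecryptPAN(key, env)
	fmt.Println("tampered:", err)
}
```

Because the masked PAN, counter and terminal ID are authenticated as associated data, a store server in the middle can print receipts and route the message but cannot alter any of it; and because the key lives only in the terminal and the data centre, the store server is never a place where a PAN can be harvested.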

Putting preventative and protective measures in place, however, is not foolproof and, unfortunately, 100 per cent security does not exist. The reality is that even if an organisation is PCI DSS compliant, it may still be the victim of a breach. Merchants therefore should have procedures in place to prepare themselves for the eventuality of a compromise, so they are ready to pursue and rapidly respond to any external or internal breach should it occur.


3. Pursue

The frustrating truth is that almost every organisation will suffer a security breach at some point, whether it is the defacing of a website, loss of data through a trojan or the corruption of a system by a virus or worm. This includes merchants that have diligently put measures in place to prevent fraud by implementing the correct security processes and procedures, enlisting specialist third-party anti-fraud services, adhering to appropriate industry initiatives such as 3D Secure and CV2, and complying with PCI DSS to protect their infrastructure against attack.

While all of these measures form part of a comprehensive security plan, there is no foolproof solution. The level of fraud is staggering and constantly changing in scope. In 2008, for example, 19 per cent of organisations that suffered a security breach were in fact PCI DSS compliant. Many organisations never even realise they have been hacked: in 2008, 69 per cent of credit card breaches were reported by third parties rather than by the breached organisation.

Hackers use freely available company data to target and ‘footprint’ an organisation in preparation for an attack. They are creative, innovative and above all persistent – intent on stealing data from whatever channel they can, be it customer data, credit card numbers or corporate documents. No matter how much an organisation tries to prevent and protect against a breach, the persistent hacker may find a hole that a systems administrator hasn’t plugged. Merchants should therefore be ready for the eventuality of a security breach, with procedures in place to pursue and rapidly respond should an external or internal breach occur.

Prepared for action

Once a breach becomes apparent, merchants must immediately contain and limit its exposure to minimise data loss. If the merchant is PCI DSS compliant it will have an incident response process in place that should be followed. If a merchant does not have an incident response process or is not PCI DSS compliant, it should engage the services of a forensic specialist to investigate the breach, determine the root cause and pursue the perpetrators.


Merchants also need to notify their acquiring banks as soon as possible, and the banks may also require them to assign a Qualified Forensic Investigator (QFI) to investigate the breach. The merchant can choose its own QFI from a list provided by Visa and/or MasterCard. Prompt action is critical when a breach occurs; if a merchant does not already have a relationship in place with a QFI, valuable time can be lost. In some instances it can take as long as three to four weeks to get the legal agreements in place (NDAs, a contract for forensic services, a pricing schedule and so on). It therefore makes sense to have a QFI assigned to the company in advance. If the relationship already exists, the QFI can be integrated into the merchant’s incident response plan so that the reaction to a breach is immediate.


Pre-arranged service contracts with QFIs are available, providing a 24 x 7 call-out service to deal with any security incident. Such contracts are similar to a gas boiler maintenance contract with an on-call emergency service and an annual inspection to assess risks and exposure from external and internal threats.

Within three days the merchant must also provide a Compromised Entity Details report to the card scheme(s).

Investigating a breach

A forensic investigator will follow a structured forensic methodology, using various tools to analyse the compromised environment. An investigator will first work to isolate the area of compromise, both to limit further compromise and to maintain the integrity of the environment. This allows forensic tests to be conducted to identify the method of compromise and, where possible, find evidence to help discover the identity of the perpetrator. Most importantly, the investigator will know how to preserve, extract and analyse evidence in a manner that can stand up in a court of law and that complies with the requirements of the card schemes.

Many security breaches are via SQL injection. Typically this is where an e-commerce website has not been coded securely or has not had appropriate security penetration testing performed, so that input taken from the web page is passed into database queries unchecked. This weakness allows an attacker to read data directly from the customer database, anonymously, over the Internet. Many high street brand names have a significant online presence in, for example, the estate agency, holiday travel, car insurance, electrical gadget, auction and bookselling sectors. In these markets, insecure websites have the potential to leak both customer and financial data.
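As an added example of an investigator’s first pass over web server logs in a suspected SQL injection case (not code from the article or The Logic Group), the Go program below parses a constructed Apache-format access log, URL-decodes each request target and records which injection indicators it matches, giving the source address, time and response size of each probe. The log lines, the indicator patterns and the host addresses are constructed for illustration; real logs also need POST bodies, alternative encodings and the application’s own error logs considered.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"sort"
	"strings"
)

// Constructed web server access log (Apache combined format), not taken from
// any real investigation. The first address probes a product page, then
// extracts card data with a UNION query; the second is an ordinary visitor.
const accessLog = `203.0.113.9 - - [14/Jun/2010:02:13:07 +0100] "GET /product.php?id=42 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [14/Jun/2010:02:13:21 +0100] "GET /product.php?id=42' HTTP/1.1" 500 0 "-" "Mozilla/5.0"
203.0.113.9 - - [14/Jun/2010:02:14:02 +0100] "GET /product.php?id=42+AND+1%3D1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [14/Jun/2010:02:15:44 +0100] "GET /product.php?id=-1+UNION+SELECT+card_number%2Cexpiry+FROM+customers-- HTTP/1.1" 200 81240 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Jun/2010:02:16:10 +0100] "GET /product.php?id=17 HTTP/1.1" 200 4990 "-" "Mozilla/5.0"`

// Groups: 1 client IP, 2 timestamp, 3 method, 4 request target, 5 status, 6 bytes.
var logLine = regexp.MustCompile(`^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)`)

// Indicators are matched against the URL-decoded request target, since
// attackers encode spaces and punctuation to slip past naive filters.
var indicators = map[string]*regexp.Regexp{
	"union_select": regexp.MustCompile(`(?i)union\s+(all\s+)?select`),
	"tautology":    regexp.MustCompile(`(?i)\b(and|or)\s+['"]?\w+['"]?\s*=\s*['"]?\w+`),
	"comment_tail": regexp.MustCompile(`(--|#|/\*)\s*$`),
	"bare_quote":   regexp.MustCompile(`=[^&]*'`),
	"schema_probe": regexp.MustCompile(`(?i)information_schema|sysobjects`),
}

// Hit is one request that matched at least one indicator.
type Hit struct {
	IP, When, Target string
	Status, Bytes    string
	Indicators       []string
}

// Triage parses each line, decodes the request target and records the
// indicators it matches, preserving log order.
func Triage(log string) []Hit {
	var hits []Hit
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		m := logLine.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		target := m[4]
		if decoded, err := url.QueryUnescape(target); err == nil {
			target = decoded
		}
		var found []string
		for name, re := range indicators {
			if re.MatchString(target) {
				found = append(found, name)
			}
		}
		if len(found) == 0 {
			continue
		}
		sort.Strings(found)
		hits = append(hits, Hit{IP: m[1], When: m[2], Target: target, Status: m[5], Bytes: m[6], Indicators: found})
	}
	return hits
}

// SourceSummary counts hits per client address so the investigator knows
// which hosts to pivot on in firewall, proxy and database logs.
func SourceSummary(hits []Hit) map[string]int {
	out := map[string]int{}
	for _, h := range hits {
		out[h.IP]++
	}
	return out
}

func main() {
	hits := Triage(accessLog)
	for _, h := range hits {
		fmt.Printf("%s %s %s -> %s bytes=%s %v\n", h.When, h.IP, h.Target, h.Status, h.Bytes, h.Indicators)
	}
	fmt.Println(SourceSummary(hits))
}
```

Two details in the sample are the ones an investigator looks for: the 500 response to the lone quote is the error that told the attacker the input reached the database unescaped, and the 81,240-byte response to the UNION query, against a 5,123-byte normal page, is the first indication of how much was taken.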

In the majority of cases the method, area of breach and data at risk can be identified. In cases where the compromised card numbers are known, they can be searched for using e-discovery tools.

QFIs can also use a Certified Ethical Hacker (CEH) to identify risks. Using the same tools as a malicious attacker, a CEH will, with the client’s authorisation and full co-operation, attack a live system in order to identify weaknesses in the environment, and will then write a report on the weaknesses found and provide recommendations for remediation.

The evidence captured during an investigation will be analysed, logged and securely stored in a forensics lab, which employs specialist tools to ensure that all data is protected during the investigation so evidence cannot be tampered with.

Knowing what to do and taking quick action in the event of a breach is critical. Using the services of a QFI and establishing the relationship early on will help to ensure that any breach is identified and contained quickly. The resulting forensic analysis will also provide the best possible chance of pursuing the breach and shoring up an organisation’s defences to ensure that a similar attack does not happen again.


No quick fix

Security is not a quick fix. Organisations must evaluate and assess all parts of their business to identify the risks and potential for exposure. Comprehensive processes and procedures must be put in place to prevent breaches from happening in the first place; best-practice guidelines should be followed to protect an infrastructure from attack, including compliance with PCI DSS; and organisations should be ready to pursue a breach, if one occurs, by responding rapidly in the event of a compromise. Although fraudulent activity can never be avoided completely, this is an organisation’s best defence.

About the author

Robin Adams, director of Security, Fraud and Risk Management, is a Qualified Security Assessor (QSA) for The Logic Group. The organisation is responsible for providing card payment security advisory services related to risk management, fraud prevention, PCI remediation, preparation for PCI DSS audits and forensic investigations. Adams has over 20 years of experience as an IT professional covering diverse platforms and security issues. His previous roles included heading up a European team of QSAs and leading a team of security specialist consultants at PricewaterhouseCoopers. He has specialisms in security architecture, security administration, security management, PCI consultancy, security and risk-based audits and identity management.

  • Prevent, protect, pursue – a paradigm for fighting fraud
    • Multichannel approach
    • What should merchants do in order to be safe?
    • 1. Prevent
    • Identifying areas of vulnerability
    • Checking for inconsistencies
    • Internal fraud
    • People and processes
    • Industry initiatives
    • 2. Protect
    • A multifaceted approach
    • The cost of non-compliance
    • Constant evolution
    • 3. Pursue
    • Prepared for action
    • Investigating a breach
    • No quick fix