Sunday, July 16, 2006
Following up on a post from last week, Montreal police have arrested nine people they allege were replacing the numeric keypads/card slides. Millions of dollars were taken from 18,000 bank accounts. Press reports say the gang included an employee of a subcontractor for the French bank Mouvements Desjardins's call center. This person may have sold confidential customer data to the scammers.
Friday, July 14, 2006
Visa USA, Inc. and MasterCard International, Inc. will be releasing new security standards within 30 to 60 days. Payment Card Industry (PCI) standards are about one year old now and this is the first major update.
PCI became a universal requirement on June 30, 2005. Adoption of these rules is growing, which pleases industry analysts. Visa says that about 22% of Tier 1 merchants are compliant now. This accounts for the processing of more than 6 million card transactions per month. Another 72% of merchants are on schedule to become fully compliant. Unlike rules required by federal regulation or other laws, these are private standards and do not carry the penalties that such rules might otherwise impose.
The security standards are broad and list 12 controls that retailers, online merchants, data processors and other businesses implement to protect cardholder information. These include technology controls such as data encryption, end-user access control and activity monitoring, as well as procedural mandates.
Wednesday, July 12, 2006
How much have you saved your customers?
First National Bank South Dakota reports that in the first half of 2006 they saved their customers $1,130,397.23. How? By helping them avoid fraud losses such as:
- Nigerian scams,
- Internet sales schemes,
- fake lottery winnings, and
- various other types of fraud.
Lee Gass is the bank's Security Officer. He continually trains staff on frauds that are happening across the US in an effort to raise awareness. He tells them about counterfeit checks, cashier's checks, and other false monetary exchanges he sees in the news. And since they've stopped more than one million dollars in losses that would have been theirs, or their customers', it would seem that this training is paying for itself many times over.
Gass and the bank staff also remind customers that maybe they are not the one single person in the world that was contacted about some poor orphan's troubles getting millions of dollars out of their country or that the eBay sales check was accidentally made for too much money and they're trusting the bank customer to wire the excess back to Nigeria.
Are there things here that other banks could emulate? Certainly. Training and customer awareness are obviously contributing factors. Remember that the BOL Security page has information and links to help you.
- Robbery suspects and stories of recent crimes
- Listings of Alerts and Counterfeit Checks
- ID Fraud and Phishing Center
- Phishing and Scam letter samples
Last March we were following the story of debit card PIN numbers being stolen with the magnetic stripe information. It was thought to be a hacked computer system at the core of the problem. That compromise caused 600,000 debit cards to be reissued.
Now, in Ottawa, Canada, thieves are going into merchants' stores to do their work. They switch the existing keypad for a modified one. These Interac machine keypads store data on 200 cards and have been put in at least a dozen stores. This data can be used to create duplicate cards. And the thieves are using these to steal about $1,000 per account.
It is believed that store workers are aiding in this process. They may just be ignoring the person making the keypad switch, or they could be paid to do so. The investigation continues.
