Banks and credit unions are feverishly working to meet the FFIEC's authentication compliance deadline next year. But experts say institutions should be looking beyond the guidance, by making investments in cross-channel fraud detection.
"With a company-issued device, you can issue a policy that says users have no rights of privacy over information on the device," says Javelin's Tom Wills. But with employee-owned devices? A whole new set of issues.
News about recent healthcare information breaches offers an important reminder: Monitoring the privacy and security procedures of your business associates should be a vital component of any breach prevention strategy.
The FFIEC Authentication Guidance update is out, and third-party service providers need to begin reviewing their internal systems and communicating with their financial institution customers, says Wells Fargo Bank's Phil Alexander.
"It's time to stop shifting the security burden onto retailers and restaurants like Margarita's," says Gartner analyst Avivah Litan on the latest payment card breach. "In fact, it was time for that over five years ago."
Some 200 people have reported fraudulent debit and credit transactions hitting their accounts after dining at Margarita's Mexican Restaurant in Texas. Investigators believe a third-party vendor may have been hacked.
The release of the list coincides with the issuance of the Common Weakness Scoring System that allows software makers to identify vulnerabilities in their programs and buyers to determine software they acquire is secure.
The California Supreme Court has ruled that a key provision of a tough state medical privacy law is not preempted by federal regulations. The evolving case, which eventually could wind up before the U.S. Supreme Court or grow into a class action case at the state level, is worth watching.