What Is Your Bank Doing to Protect Your Data?

Opinion: These 20 questions will help you score your bank and discover what it is doing to ensure your privacy and where it falls short.

Nothing you could have done to ensure your privacy or protect your personal data would have made any difference in the hack that saw payment processor CardSystem Solutions potentially expose 40 million people to theft.

That hack had nothing to do with trying to scam personal data from home computers and everything to do with the increased focus by computer criminals on hijacking large amounts of information from millions of individuals traveling on corporate computer networks.

While you are good at changing your passwords, updating your security software and buying an Internet firewall, what is your bank doing to protect your data?

Do you feel too intimidated to sit down with your banker and ask the right questions?

Here are 20 questions you can print out and bring into your bank.

Twelve of the questions are drawn from the Payment Card Industry Data Security Standard, which I think is the minimum security effort banks, credit card companies and other financial institutions should be observing.

Scoring is easy. Give five points for each question, with a yes getting 5 and a no losing 5.

Do you want to do business with an A-level or a D-level bank? That choice is up to you.

20 Really Embarrassing Questions to Ask Your Bank

1. If you find out that some unauthorized person has accessed my account information will you tell me? Yes/No

2. Would you sell someone information about me and my account without letting me know? Yes/No

3. Can you tell me what my liability is if someone uses my credit card without my authorization?
Yes/No/Amount (add five bonus points) ______

4. Can you tell me what my liability is if someone uses my debit card without my authorization?
Yes/No/Amount (add five bonus points) _______

5. Does this bank adhere to the 12 requirements of the Payment Card Industry Data Security Standard? Yes/No/The What? (Deduct 50 points)

6. Requirement 1. Does this bank install and maintain a firewall configured to protect data? Yes/No

7. Requirement 2. Are you making sure not to use vendor-supplied defaults for system passwords and other security parameters? Yes/No

8. Requirement 3. Do you protect stored data? Yes/No

9. Requirement 4. When information about me and my account travels on the public network is it encrypted? Yes/No

10. Requirement 5. Do you use and regularly update anti-virus software? Yes/No

11. Requirement 6. Do you develop and maintain secure systems and applications? Yes/No

12. Requirement 7. Is access to my data restricted on a business need-to-know basis? Yes/No

13. Requirement 8. Does each person with computer access have a unique identification? Yes/No

14. Requirement 9. Do you restrict physical access to cardholder data? Yes/No

15. Requirement 10. Do you track and monitor all access to network resources and cardholder data? Yes/No

16. Requirement 11. Do you regularly test security systems and processes? Yes/No

17. Requirement 12. Do you maintain a policy that addresses information security? Yes/No

18. Do you require that all the businesses with which you work with and have access to my account data and sensitive information about me adhere to the same security procedures and rules as you use? Yes/No

19. Do you have a way to help me know that an e-mail I get from you is really from you? Yes/No

20. Do you have a way to quickly alert me if something unusual is going on with my account? Yes/No

eWEEK magazine editor in chief Eric Lundquist can be reached at eric_lundquist@ziffdavis.com.


Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.