© Copyright 2012 | First Data Corporation
What to Do if Compromised
Liberty Picataggio
First Data Merchant Services
October 30, 2012
Slide 2: What Is A Data Breach?
• A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so.
• Data breaches may involve financial information such as credit card or bank details and/or personal information.
Slide 3: How Do Data Breaches Occur?
• 81% utilized some form of hacking (+31%)
• 69% incorporated malware (+20%)
• 10% involved physical attacks (-19%)
• 7% employed social tactics (-4%)
• 5% resulted from privilege misuse (-12%)
• Data from Verizon's 2012 Data Breach Investigations Report
Slide 4: Who Is Behind Data Breaches?
• 98% stemmed from external agents (+6%)
• 4% implicated internal employees (-13%)
• <1% committed by business partners (<>)
• 58% of all data theft tied to activist groups
• Data from Verizon's 2012 Data Breach Investigations Report
Slide 5: What Information Do They Want?
• Magnetic Stripe Data
• PIN / PIN Block
• Primary Account Number
• Expiration Date
• Cardholder Verification Number (CVN)
  • Visa (CVV2)
  • MasterCard (CVC2)
  • Discover/Amex (CID)
Slide 6: Protecting Cardholder Data In Accordance With PCI Standards

Data Element                     Storage Permitted   Protection Required
Primary Account Number (PAN)     Yes                 Yes
Cardholder Name                  Yes                 No
Service Code                     Yes                 No
Expiration Date                  Yes                 No
Full Magnetic Stripe Data        No                  Cannot store data
Security Code (CVV2/CVC2/CID)    No                  Cannot store data
PIN / PIN Block                  No                  Cannot store data

Full magnetic stripe data, security codes and PIN/PIN blocks MUST NEVER be stored subsequent to authorization (even if encrypted). The PAN should be unreadable anywhere it is stored (including on portable storage devices, in logs, and in data received from wireless networks).
Data from PCI Security Standards Council PCI DSS Quick Reference Guide
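As an added example (not part of the First Data deck or any PCI SSC material), the following Python scanner applies the storage matrix above to stored text such as application or POS log lines: it flags track data, security codes and PIN blocks, which must never be stored after authorization, and unmasked PANs, which may be stored only if rendered unreadable. The sample log lines, the field names (pan, cvv2, pinblock) and the regular expressions are constructed assumptions, not any real POS product's format; 4111 1111 1111 1111 is the well-known Visa test number, not a live card.

```python
"""Scan stored text (e.g. application or POS log lines) for data the PCI DSS
storage matrix forbids after authorization, plus unmasked PANs.
Added example, not First Data or PCI SSC code; the log format and field names
(pan, cvv2, pinblock) are constructed assumptions."""
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 1 (format B) and Track 2 magnetic stripe layouts as they appear in a raw swipe.
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{4}")
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}")
# Security code (CVV2/CVC2/CID) and PIN / PIN block written as key=value fields.
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid|cvn)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)
PIN_RE = re.compile(r"\b(?:pin_?block|pin)\s*[=:]\s*[0-9A-Fa-f]{4,16}\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out timestamps and order numbers that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_line(line: str) -> list:
    """Return the storage-matrix violations found on one line."""
    findings = []
    if TRACK1_RE.search(line) or TRACK2_RE.search(line):
        findings.append("FULL_MAGNETIC_STRIPE_DATA")   # never permitted, even encrypted
    if CVV_RE.search(line):
        findings.append("SECURITY_CODE")               # never permitted
    if PIN_RE.search(line):
        findings.append("PIN_OR_PIN_BLOCK")            # never permitted
    for m in PAN_RE.finditer(line):
        if luhn_ok(re.sub(r"[ -]", "", m.group(0))):
            findings.append("UNMASKED_PAN")            # permitted only if rendered unreadable
            break
    return findings


def scan_lines(lines) -> list:
    """Return (line_number, findings) for every line that has at least one finding."""
    return [(n, f) for n, line in enumerate(lines, 1) if (f := scan_line(line))]


# Constructed sample log lines (not real cardholder data; 4111111111111111 is the Visa test PAN).
SAMPLE_LOG = [
    "2012-10-30 09:14:02 auth ok pan=411111******1111 amount=42.17",
    "2012-10-30 09:14:07 DEBUG raw swipe: ;4111111111111111=25121011000012345678?",
    "2012-10-30 09:15:11 ecom order 8812 card=4111111111111111 cvv2=123 exp=1225",
    "2012-10-30 09:16:40 debit txn pinblock=1F2E3D4C5B6A7988 status=approved",
    "2012-10-30 09:17:03 settlement batch 20121030 count=118 total=5519.90",
]

if __name__ == "__main__":
    for n, findings in scan_lines(SAMPLE_LOG):
        print(f"line {n}: {', '.join(findings)}")
```

Only line 1, which carries a masked PAN and no sensitive authentication data, passes clean; a debug line that logs the raw swipe, an e-commerce line that logs the CVV2 beside a full PAN, and a debit line that logs the PIN block are each reported. The Luhn filter keeps timestamps and batch numbers from being mistaken for PANs.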
Slide 7: Category Of Stolen Information
• Of the total amount of records reported in Verizon's 2012 report (855 incidents, 174 million compromised records):
  • 83% were payment card data/numbers.
  • 13% were bank account data.
  • 4% were personal information.
  • <1% other.
• Data from Verizon's 2012 Data Breach Investigations Report
Slide 8: What Commonalities Exist?
• 79% of victims were targets of opportunity.
• 96% of attacks were not highly difficult.
• 85% of breaches took weeks to discover.
• 92% of incidents were discovered by a 3rd party.
• 97% of breaches were easily avoidable.
• 96% of victims were not PCI compliant.
• Data from Verizon's 2012 Data Breach Investigations Report
Slide 9: What Does This Mean?
• The merchant/vendor was not PCI compliant.
• Most breaches could have been easily prevented.
• Self detection identified attacks an average of 43 days after initial compromise.
• When not self-detected, the attackers had an average of 173 days within the environment before being detected.
• Data from Verizon's 2012 Data Breach Investigations Report
Slide 10: Some Signs Of A Breach
• Unknown or unexpected outgoing internet traffic.
• Unknown files, software and devices installed.
• Anti-virus programs malfunctioning or becoming disabled.
• Unexplained modifications or deletions of data.
• Excessive failed login attempts in system authentication and event logs.
• Suspicious after-hours file system activity.
• Systems rebooting or shutting down for unknown reasons.
• Unexplained new user accounts.
• Any unknown or unexpected activity.
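To show how three of these signs (excessive failed logins, after-hours file system activity, unexplained new user accounts) can be picked out of an event log, here is an added Python example that is not from the deck or from any First Data or POS product. The log format, hostnames, the 07:00-22:00 store hours and the five-failures-in-ten-minutes threshold are constructed assumptions; tune the threshold to your own environment's baseline.

```python
"""Pick three of the listed breach signs out of an event log: bursts of failed
logins, after-hours file-system activity and new user accounts.
Added example, not from the deck or any POS product; the log format, hosts,
business hours and thresholds are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

BUSINESS_HOURS = (7, 22)                      # assumed store hours, 07:00-22:00 local
FAILED_LOGIN_THRESHOLD = 5                    # assumed: 5 failures from one source ...
FAILED_LOGIN_WINDOW = timedelta(minutes=10)   # ... within 10 minutes is "excessive"


def parse(line: str):
    """'<ISO timestamp> <host> <EVENT> key=value ...' -> (datetime, host, event, fields)."""
    ts, host, event, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return datetime.fromisoformat(ts), host, event, fields


def detect(lines) -> list:
    """Return alerts as (timestamp, host, alert_type, detail) tuples, in log order."""
    alerts = []
    failures = defaultdict(list)          # (host, source) -> recent failure timestamps
    for line in lines:
        ts, host, event, f = parse(line)
        key = (host, f.get("src"))
        # keep only the failures still inside the sliding window
        recent = [t for t in failures[key] if ts - t <= FAILED_LOGIN_WINDOW]
        if event == "LOGIN_FAILED":
            recent.append(ts)
            if len(recent) == FAILED_LOGIN_THRESHOLD:      # fire once, when the threshold is reached
                alerts.append((ts, host, "EXCESSIVE_FAILED_LOGINS", f.get("src")))
        elif event == "LOGIN_OK" and len(recent) >= FAILED_LOGIN_THRESHOLD:
            # a success right after a burst of failures deserves a look of its own
            alerts.append((ts, host, "LOGIN_SUCCESS_AFTER_FAILURE_BURST", f.get("user")))
        elif event in ("FILE_WRITE", "FILE_DELETE"):
            if not BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]:
                alerts.append((ts, host, "AFTER_HOURS_FILE_ACTIVITY", f.get("path")))
        elif event == "USER_CREATED":
            alerts.append((ts, host, "NEW_USER_ACCOUNT", f.get("user")))
        failures[key] = recent
    return alerts


# Constructed sample events (hosts, users, addresses and paths are made up).
SAMPLE_EVENTS = [
    "2012-10-29T14:02:11 pos-01 LOGIN_OK user=clerk3 src=10.0.0.12",
    "2012-10-29T23:41:05 pos-01 LOGIN_FAILED user=admin src=203.0.113.7",
    "2012-10-29T23:41:09 pos-01 LOGIN_FAILED user=admin src=203.0.113.7",
    "2012-10-29T23:41:14 pos-01 LOGIN_FAILED user=admin src=203.0.113.7",
    "2012-10-29T23:41:20 pos-01 LOGIN_FAILED user=admin src=203.0.113.7",
    "2012-10-29T23:41:27 pos-01 LOGIN_FAILED user=admin src=203.0.113.7",
    "2012-10-29T23:42:00 pos-01 LOGIN_OK user=admin src=203.0.113.7",
    "2012-10-30T02:15:33 pos-01 FILE_WRITE path=C:\\pos\\bin\\tmp_upd.exe user=admin",
    "2012-10-30T02:16:02 pos-01 USER_CREATED user=support src=203.0.113.7",
    "2012-10-30T09:30:45 pos-02 FILE_WRITE path=C:\\pos\\logs\\batch.log user=system",
]

if __name__ == "__main__":
    for ts, host, kind, detail in detect(SAMPLE_EVENTS):
        print(f"{ts.isoformat()} {host} {kind} {detail}")
```

On the sample, the fifth failed login from one address raises an alert, the successful login that follows it raises a second, the 02:15 file write and the 02:16 account creation raise two more, and the 09:30 write by the batch process during store hours raises none. The sliding window is evaluated per (host, source) pair so that ordinary typos spread over a day do not accumulate into an alert.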
Slide 11: How To Minimize The Potential For A Data Breach
• Ensure your POS environment remains PCI compliant.
• This includes, but is not limited to:
  • Make sure firewalls and antivirus are updated regularly.
  • Change administrative passwords on all POS systems.
  • Continually upgrade to PCI compliant software.
  • Implement access control lists on remote access services.
  • If a 3rd party is handling any of the above, confirm it.
  • Avoid using the POS system to browse the internet.
  • Change default credentials of all POS systems.
  • Eliminate unnecessary data on your system.
  • Ensure essential controls are met.
  • Verify that any 3rd party vendor is compliant.
  • Monitor event logs.
• Again: ensure your POS environment is PCI compliant and that you validate compliance.
Slide 12: What To Have In Place Prior To A Compromise
• Create an action plan on what to do if you are breached.
• Practice that plan periodically.
• Have a list of all relevant contacts, emails, numbers, etc.
• Have a potential agreement with forensic firms already prepared.
• Identify all third parties that touch, store or transmit card data on your behalf.
• Be familiar with your vendor agreements to understand your/their responsibilities with regard to PCI compliance and breach notification.
• Have an alternative payment solution available in case of a breach (dial-up terminals, etc.).
• Pay attention to customer/staff complaints of subsequent cardholder fraud.
Slide 13: What To Do If Compromised
1. Immediately contain and limit the exposure. Minimize data loss.
  – Do not access or alter the compromised system.
  – Do not log on to the compromised system and do not change passwords.
  – Do not turn the compromised system off; just isolate the compromised system from the network (unplug the network cable).
  – Switch to dial-up terminals until the breach is remediated.
  – Preserve evidence and logs.
  – Document all actions taken.
  – Be on high alert and monitor traffic on all systems with cardholder data.
2. Alert all necessary parties immediately.
  – Your internal incident response team and Information Security group.
  – Your merchant bank/acquirer.
  – If you do not know your merchant bank/acquirer, notify the Card Brands immediately.
  – Notify the appropriate law enforcement agency (local police, Secret Service, FBI).
  – Your legal counsel.
Data from Visa's What to Do If Compromised: Fraud Control and Investigative Procedures, Version 3.0
Slide 14: What To Do If Compromised (continued)
3. Within 3 business days of the compromise, provide a written statement of the incident to the Card Brands, via your merchant bank/acquirer or yourself.
4. Provide all compromised cards to your merchant bank/acquirer within 10 days.
Slide 15: What To Do If Compromised (continued)
5. The incident report should be as detailed as possible and include the following information, as well as any other relevant information specific to the breach:
  – Name of entity.
  – How did the compromise occur?
  – When and how was it identified?
  – Has the compromise been contained? If so, how?
  – What Card Brands are involved?
  – How many cards are at risk?
  – What is the at-risk time frame of the compromised cards?
  – What type of data was stolen (account #, expiry date, track data, CVV2, PIN, SS#, etc.)?
  – Are any other locations/affiliated companies affected?
  – Was law enforcement contacted? If so, provide contact info and case #.
  – If the breach was employee related, what is the status of the employee (terminated, still employed, arrested)?
  – Is it a skimming event or an actual breach of the POS system?
  – Type of POS system.
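Steps 3 to 5 together form one reporting procedure, so here is an added Python example (not Visa's or First Data's) that turns them into a checklist: it computes the 3-business-day and 10-day deadlines from the compromise date and lists which of the report items above are still missing, including the ones that are only required conditionally (containment method, law enforcement contact and case number, employee status). The field names, the weekend-only business-day rule and the sample report are assumptions; a real calendar would also have to account for bank holidays.

```python
"""Checklist helper for steps 3-5: deadline dates from the compromise date and
the incident-report items still missing. Added example, not Visa's or First
Data's; field names and the weekend-only business-day rule are assumptions."""
from datetime import date, timedelta

# One key per unconditional item on the slide (names are assumptions).
REQUIRED_FIELDS = (
    "entity_name", "how_compromise_occurred", "when_and_how_identified",
    "contained", "card_brands_involved", "cards_at_risk", "at_risk_time_frame",
    "data_types_stolen", "other_locations_affected", "law_enforcement_contacted",
    "employee_related", "skimming_or_pos_breach", "pos_system_type",
)
# Items required only when the triggering answer is affirmative.
CONDITIONAL_FIELDS = {
    "contained": ("containment_method",),
    "law_enforcement_contacted": ("law_enforcement_contact", "case_number"),
    "employee_related": ("employee_status",),
}


def add_business_days(start: date, n: int) -> date:
    """Advance n business days, skipping Saturdays and Sundays (no holiday calendar)."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


def deadlines(compromise_iso: str) -> dict:
    """Step 3: written statement within 3 business days; step 4: compromised cards within 10 days."""
    compromise = date.fromisoformat(compromise_iso)
    return {
        "written_statement_due": add_business_days(compromise, 3).isoformat(),
        "compromised_cards_due": (compromise + timedelta(days=10)).isoformat(),
    }


def missing_fields(report: dict) -> list:
    """Step 5 items that are absent (None); False is a valid answer, not a gap."""
    missing = [k for k in REQUIRED_FIELDS if report.get(k) is None]
    for trigger, needed in CONDITIONAL_FIELDS.items():
        if report.get(trigger):
            missing += [k for k in needed if report.get(k) is None]
    return missing


# Constructed sample report; two items are deliberately left out.
SAMPLE_REPORT = {
    "entity_name": "Example Merchant LLC (placeholder)",
    "how_compromise_occurred": "Malware on the POS server captured track data",
    "when_and_how_identified": "2012-10-30, fraud alert from the acquirer",
    "contained": True,
    "containment_method": "POS server isolated from the network; dial-up terminals in use",
    "card_brands_involved": ["Visa", "MasterCard"],
    "cards_at_risk": 1200,
    "at_risk_time_frame": "2012-09-01 to 2012-10-30",
    "data_types_stolen": ["track data"],
    "other_locations_affected": False,
    "law_enforcement_contacted": True,
    "law_enforcement_contact": "Secret Service field office contact (placeholder)",
    # "case_number" omitted on purpose
    "employee_related": False,
    "skimming_or_pos_breach": "POS breach",
    # "pos_system_type" omitted on purpose
}

if __name__ == "__main__":
    print(deadlines("2012-10-30"))
    print("still missing:", missing_fields(SAMPLE_REPORT))
```

For a compromise identified on Tuesday 2012-10-30 the written statement is due Friday 2012-11-02 and the compromised card list on 2012-11-09; the sample report is reported as missing the POS system type and the law enforcement case number.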
Slide 16: What To Do If Compromised (continued)
6. Once the Card Brands receive the incident report they will review it and then notify the acquiring bank of their recommendation and/or mandatory next steps, including:
  – Merchant provides a more detailed questionnaire.
  – Merchant provides PCI validation documentation.
  – Merchant engages a Card Brand approved forensic examination.
  – Merchant bank provides the Card Brands all possibly compromised card numbers to be canceled or monitored for fraud.
Slide 17: Forensic Examination
• If a forensic examination is required by the Card Brands, the merchant may only utilize an approved Payment Card Industry Forensic Investigator (PFI).
• If the merchant's third party vendor is the suspected source of the compromise, the merchant will still be responsible for ensuring the engagement of the forensic examiner.
• The Card Brands typically do not accept forensic reports from other parties, including the Secret Service.
• It is the compromised entity's responsibility to pay for the cost of the forensic examination (including travel/boarding costs).
• For a list of PFIs go to: https://www.pcisecuritystandards.org/approved_companies_providers/pci_forensic_investigator.php
Slide 18: Potential Financial Impact To Compromised Merchant
• Forensic examination.
• Remediation efforts, including installation of new systems and procedures.
• Fines and penalties from Card Brands.
• Termination of the ability to accept payment cards.
• Legal settlements.
• Loss of customer/public confidence.
• Loss of business.
Slide 19: Data Compromise Fines
Visa
1. Non-Compliance Fines.
2. ADCR (Account Data Compromise Recovery)
  – Must be over 15,000 cards and over $150,000 in reported fraud.
  – Comprised of Operating Expenses and Fraud Recovery fines.
MasterCard
• Non-Compliance Fines.
• Case Management Fees.
• ADC (Account Data Compromise)
  – Must be over 10,000 cards (no minimum reported fraud amount).
  – Comprised of Operating Expenses and Fraud Recovery fines.
Slide 20: Typical Data Compromise Identification
• Cardholder realizes fraud on his/her card.
• Cardholder notifies their issuing bank.
• Issuing bank notifies the Card Brands.
• The Card Brands notify the merchant's acquirer.
• The acquirer notifies the merchant.
• The Card Brands may require a forensic exam.
• Merchant needs to address and remediate.
• Merchant needs to validate PCI compliance.
• Card Brands assess fines, and some really large fines.
Slide 21: Validating PCI Compliance
• Any merchant that accepts credit cards needs to be PCI compliant in accordance with PCI DSS (Payment Card Industry Data Security Standard).
• To validate PCI compliance the merchant needs to provide the following:
  – Self Assessment Questionnaire (SAQ) or Report on Compliance (ROC).
  – Vulnerability scan (if applicable).
  – Attestation of Compliance.
• Information regarding PCI can be found at https://www.pcisecuritystandards.org/merchants/index.php
Slide 22: Merchant Level and Validation Requirements

Level 1
  Criteria: Any merchant processing more than 6 million transactions per year. Any merchant that suffered a security breach resulting in a cardholder data compromise.
  Report on Compliance (ROC): Annually
  Self Assessment Questionnaire (SAQ): N/A
  Vulnerability Scan: Quarterly, by an approved scan vendor
  Attestation of Compliance: Annually

Level 2
  Criteria: Any merchant processing between 1 and 6 million transactions per year.
  Report on Compliance (ROC): N/A
  Self Assessment Questionnaire (SAQ): Annually
  Vulnerability Scan: Quarterly, by an approved scan vendor
  Attestation of Compliance: Annually

Level 3
  Criteria: Any merchant processing between 20,000 and 1 million e-commerce transactions per year.
  Report on Compliance (ROC): N/A
  Self Assessment Questionnaire (SAQ): Annually
  Vulnerability Scan: Quarterly, by an approved scan vendor
  Attestation of Compliance: Annually

Level 4
  Criteria: All other merchants processing up to 1 million transactions per year, and any merchant processing fewer than 20,000 e-commerce transactions per year.
  Report on Compliance (ROC): N/A
  Self Assessment Questionnaire (SAQ): Annually
  Vulnerability Scan: Quarterly, by an approved scan vendor
  Attestation of Compliance: Annually
Slide 23: Goals and PCI DSS Requirements

Goal: Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
Goal: Protect Cardholder Data
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.
Goal: Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software or programs.
  6. Develop and maintain secure systems and applications.
Goal: Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need to know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.
Goal: Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
Goal: Maintain an Information Security Policy
  12. Maintain a policy that addresses information security for all personnel.
Slide 24: Card Brand Websites
The PCI SSC sets the PCI security standards, but each Card Brand has its own program for compliance, validation levels and enforcement.
More information about compliance can be found at these links:
• American Express: www.americanexpress.com/datasecurity
• Discover Financial Services: www.discovernetwork.com/fraudsecurity/disc.html
• JCB International: www.jcb-global.com/english/pci/index.html
• MasterCard Worldwide: www.mastercard.com/sdp
• Visa, Inc: www.visa.com/cisp
Slide 25: Web Resources
• PCI Security Standards Council Web site, including Frequently Asked Questions (FAQs): www.pcisecuritystandards.org
• PCI SSC approved applications and devices
  • Payment Applications: www.pcisecuritystandards.org/approved_companies_providers/validated_payment_applications.php
• PCI Data Security Standard (PCI DSS)
  • The Standard: https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf
  • Supporting Documents: https://www.pcisecuritystandards.org/security_standards/documents.php
  • Approved Assessors and Scanning Vendors: https://www.pcisecuritystandards.org/approved_companies_providers/index.php
  • Navigating the Standard: https://www.pcisecuritystandards.org/documents/navigating_dss_v20.pdf
  • Self-Assessment Questionnaire: https://www.pcisecuritystandards.org/merchants/self_assessment_form.php
  • Glossary: https://www.pcisecuritystandards.org/security_standards/glossary.php
  • Approved QSAs: https://www.pcisecuritystandards.org/approved_companies_providers/qualified_security_assessors.php
  • Approved ASVs: https://www.pcisecuritystandards.org/approved_companies_providers/approved_scanning_vendors.php
• Verizon's 2012 Data Breach Investigations Report: http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf
• Visa's What to Do If Compromised: http://usa.visa.com/download/merchants/cisp_what_to_do_if_compromised.pdf
Slide 26: In Summary
• Understand what PCI is.
• Be prepared in case you are compromised.
• Have a back-up plan in place.
• Ensure you validate and remain PCI compliant.
• Don't think it can't happen to you.
Slide 27: Questions?