© Copyright 2012 | First Data Corporation What to Do if Compromised Liberty Picataggio First Data...

© Copyright 2012 | First Data Corporation

What to Do if Compromised

Liberty PicataggioFirst Data Merchant ServicesOctober 30, 2012

2 | © Copyright 2012 | First Data Corporation

•A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so.

•Data breaches may involve financial information such as credit card or bank details and/or personal information.

What Is A Data Breach ?


• 81% utilized some form of hacking(+31%) • 69% incorporated malware (+20%)• 10% involved physical attacks (-19%)• 7% employed social tactics (-4%)• 5% resulted from privileged misuses (-12%)

• Data from Verizon’s 2012 Data Breach Investigations Report

How Do Data Breaches Occur ?


• 98% stemmed from external agents (+6%)• 4% implicated internal employees (-13%)• <1% committed by business partners (<>)• 58% of all data theft tied to activist groups


Who Is Behind Data Breaches ?


•Magnetic Stripe Data •PIN / PIN Block•Primary Account Number•Expiration Date•Cardholder Verification Number (CVN)

•Visa (CVV2)•MasterCard (CVC2)•Discover/Amex (CID)

What Information Do They Want ?


Protecting Cardholder Data In accordance With PCI Standards

Storage Permitted Protection Required

Data from PCI Security Standards Council PCI DSS Quick Reference Guide

YesData Element

Yes

Security Code (CVV2/CVC2/CID)

Primary Account Number(PAN)

Service Code

Cardholder NameExpiration Date

Full Magnetic Stripe DataNo

No No No

Full magnetic stripe data, security codes and Pin/Pin blocks MUST NEVER be stored subsequent to authorization(even if encrypted). The PAN should be unreadable anywhere it is stored (including on portable storage devices, logs, data received from wireless networks)

PIN / PIN Block No

Cannot store dataCannot store dataCannot store data

YesYesYesNo


•Of the total amount of records reported in Verizon’s 2012 report (855 incidents, 174 million compromised records):

• 83% were payment card data/numbers.• 13% were bank account data.• 4% were personal information.• <1% other.


Category Of Stolen Information


•79% of victims were targets of opportunity.•96% of attacks were not highly difficult.•85% of breaches took weeks to discover. •92% of incidents were discovered by 3rd party.•97% of breaches were easily avoidable. •96% of victims were not PCI compliant.


What Commonalities Exist ?


•The merchant/vendor was not PCI compliant. •Most breaches could have been easily prevented. •Self detection identified attacks an average of 43 days

after initial compromise. •When not self-detected, the attackers had an average of

173 days within the environment before being detected.


What Does This Mean ?


• Unknown or unexpected outgoing internet traffic.• Unknown files, software and devices installed.• Anti-virus programs malfunctioning or becoming disabled.• Unexplained modifications or deletions of data.• Excessive failed login attempts in system authentication and

event logs.• Suspicious after-hours file system activity.• Systems rebooting or shutting down for unknown reasons.• Unexplained new user accounts. • Any unknown or unexpected activity.

Some Signs Of A Breach


• Ensure your POS environment remains PCI compliant. • This includes, but is not limited to:

• Make sure firewalls and antivirus is updated regularly.

• Change administrative passwords on all POS systems.

• Continually upgrade to PCI compliant software.

• Implement access control list on remote access services.

• If 3rd party is handling any of the above ..confirm it.

• Avoid using the POS system to browse the internet.

• Change default credentials of all POS systems.

• Eliminate unnecessary data on your system.

• Ensure essential controls are met.

• Verify that any 3rd party vendor is compliant.

• Monitor Event Logs.

• Again. Ensure your POS environment is PCI compliant and that you validate compliance.

How To Minimize The Potential For A Data Breach


• Create an action plan on what to do if you are breached. • Practice that plan periodically. • Have a list of all relevant contacts, emails, numbers, etc.• Potential agreement with forensic firms already prepared.• Identify all third parties that touch, store or transmit card data on your

behalf.• Be familiar with your vendor agreements to understand your/their

responsibilities in regards to PCI compliance and breach notification. • Have an alternative payment solution available in case of a breach

(dial-up terminals, etc.). • Pay attention to customer/staff complaints of subsequent cardholder

fraud.

What To Have In Place Prior To A Compromise


1. Immediately contain and limit the exposure. Minimize data loss. – Do not access or alter the compromised system. – Do not log on to the compromised system and don’t change passwords.– Do not turn the compromised system off, just isolate compromised system from the

network(unplug network cable) – Switch to dial up terminals until the breach is remediated. – Preserve evidence and logs.– Document all actions taken.– Be on high alert and monitor traffic on all systems with cardholder data.

2. Alert all necessary parties immediately.– Your internal incident response team and Information Security group.– Your merchant bank/acquirer. – If you do not know your merchant bank/acquirer, notify the Card Brands immediately. – Notify the appropriate law enforcement agency..(local police, Secret Service, FBI). – Your legal counsel.

Data from Visa’s What to Do If Compromised Fraud Control and Investigative Procedures Version 3.0

What To Do If Compromised


3. Within 3 business days of the compromise provide a written statement of the incident to the Card Brands via your Merchant bank/ Acquirer or yourself.

4. Provide all compromised cards to your Merchant Bank/Acquirer within 10 days.



5. The incident report should be as detailed as possible and include the following info, as well as any other relevant info specific to the breach:

– Name of entity.– How did the compromise occur?– When and how was it identified?– Has the compromise been contained? if so, how?– What Card Brands are involved?– How many cards are at risk?– What is the at-risk time frame of the compromised cards? – What type of data was stolen (account #, expiry date, track data, CVV2,PIN, SS#, etc.)?– Are any other locations/affiliated companies effected?– Was law enforcement contacted? If so, provide contact info and case #.– If breach was employee related, status of the employee.(terminated, still employed,

arrested)?– Is it a skimming event or an actual breach of the POS system?– Type of POS system.



6. Once the Card Brands receive the incident report they will review and then notify the acquiring bank of their recommendation and/or mandatory next steps including:

– Merchant provides a more detailed questionnaire.– Merchant provides PCI validation documentation.– Merchant engages a Card Brand approved forensic examination. – Merchant bank provides Card Brands all possible compromised card numbers to be canceled

or monitored for fraud.



• If a forensic examination is required by the Card Brands, the merchant may only utilize an approved Payment Card Industry Forensic Investigator (PFI).

• If the merchant’s third party vendor is the suspected source of the compromise, the merchant will be responsible for ensuring the engagement of the forensic examiner.

• The Card Brands typically do not accept forensic reports from other parties, including the Secret Service.

• It is the compromised entity’s responsibility to pay for the cost of the forensic (including travel/boarding costs)

• For a list of PFI’s go to: https//www.pcisecuritystandards.org/approved_companies_provideres/pci_forensic_investigator.php

Forensic Examination


• Forensic examination. • Remediation efforts, including installation of new systems and

procedures.• Fines and penalties from Card Brands. • Termination of the ability to accept payment cards.• Legal settlements.• Loss of customer/public confidence.• Loss of business.

Potential Financial Impact To Compromised Merchant


Visa 1. Non-Compliance Fines.2. ADCR (Account Data Compromise Recover) -Must be over 15,000 cards and over $150,000 in reported fraud. -Comprised of Operating Expenses and Fraud Recovery fines.

MasterCard •Non-Compliance Fines.•Case Management Fees.•ADC (Account Data Compromise)

-Must be over 10,000 cards (No minimum reported fraud amount) -Comprised of Operating Expenses and Fraud Recovery fines.

Data Compromise Fines


• Cardholder realizes fraud on his/her card.• Cardholder notifies their issuing bank.• Issuing Bank notifies the Card Brands.• The Card Brands notify the Merchant’s Acquirer.• The Acquirer notifies the Merchant.• The Card Brands may require a forensic exam. • Merchant needs to address and remediate.• Merchant needs to validate PCI compliance. • Card Brands assess Fines. And some really large fines.

Typical Data Compromise Identification


• Any Merchant that accepts credit cards needs to be PCI compliant in accordance with PCI DSS (Payment Card Industry Data Security Standards).

• To validate PCI compliance the merchant needs to provide the following:– Self Assessment Questionnaire(SAQ) or Report of Compliance(ROC).– Vulnerability Scan (if applicable).– Attestation of Compliance.

• Information regarding PCI can be found at https://www.pcisecuritystandards.org/merchants/index.php

Validating PCI Compliance


Merchant Level and Validation Requirements

Level CriteriaReport of

Compliance (ROC)

Self Assessment

Questionnaire (SAQ)

Vulnerability Scan

Attestation of Compliance

1

Any merchant processing more than 6 million transactions per year. Any merchant that suffered a security breach resulting in a cardholder data compromise.

Annually N/AQuarterly, by an approved scan vendor

Annually

2Any merchant processing between 1 to 6 million transactions per year.

N/A AnnuallyQuarterly, by an approved scan vendor

Annually

3

Any merchant processing between 20,000 to 1 million e-commerce transactions per year.

N/A AnnuallyQuarterly, by an approved scan vendor

Annually

4

All other merchants processing up to 1 million transactions per year, and any merchant processing fewer than 20,000 e-commerce transactions per year.

N/A Annually Quarterly, by an approved scan vendor

Annually


Build and Maintain a Secure Network.

Protect Cardholder Data .

Maintain a Vulnerability Management Program.

Implement Strong Access Control Measures.

Regularly Monitor and Test Networks.

Maintain an Information Security Policy.

Goals PCI DSS Requirements

1. Install and maintain a firewall configuration to protect cardholder data. 2. Do not use vendor-supplied defaults for system passwords and other security parameter.

3. Protect stored cardholder data.4. Encrypt transmission of cardholder data across open public networks.

5. Use and regularly update anti-virus software or programs.6. Develop and maintain secure systems and applications.

7. Restrict access to cardholder data by business need to know.8. Assign a unique ID to each person with computer access. 9. Restrict physical access to cardholder data.

10. Track and monitor all access to network resources and cardholder data. 11. Regularly test security systems and processes.

12. Maintain a policy that addresses information security for all personnel.


The PCI SSC sets the PCI security standards, but each Card Brand has its own program for compliance, validation levels and enforcement.

More information about compliance can be found at these links:•American Express: www.americanexpress.com/datasecurity•Discover Financial Services: www.discovernetwork.com/fraudsecurity/disc.html•JCB International: www.jcb-global.com/english/pci/index.html•MasterCard Worldwide: www.mastercard.com/sdp•Visa, Inc: www.visa.com/cisp

Card Brand Websites


• PCI Security Standards Council Web site, including Frequently Asked Questions (FAQs): www.pcisecuritystandards.org

• PCI SSC approved applications and devices• Payment Applications: www.pcisecuritystandards.org/approved_companies_providers/validated_payment_applications.php

• PCI Data Security Standard (PCI DSS)• The Standard: https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf• Supporting Documents: https://www.pcisecuritystandards.org/security_standards/documents.php• Approved Assessors and Scanning Vendors: https://www.pcisecuritystandards.org/approved_companies_providers/

index.php• Navigating the Standard: https://www.pcisecuritystandards.org/documents/navigating_dss_v20.pdf• Self-Assessment Questionnaire: https://www.pcisecuritystandards.org/merchants/self_assessment_form.php• Glossary: https://www.pcisecuritystandards.org/security_standards/glossary.php• Approved QSAs: https://www.pcisecuritystandards.org/approved_companies_providers/qualified_security_assessors.php• Approved ASVs: https://www.pcisecuritystandards.org/approved_companies_providers/approved_scanning_vendors.php

• Link to Verizon’s 2012 Data Breach Investigations Report.

• http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-20

• Link to Visa’s What to do if Compromised. http://usa.visa.com/download/merchants/cisp_what_to_do_if_compromised.pdf12_en_xg.pdf

Web Resources


• Understand what PCI is.• Be prepared in case you are compromised.• Have a back-up plan in place.• Ensure you validate and remain PCI compliant.• Don’t think it can’t happen to you.

In Summary


Questions ?

© Copyright 2012 | First Data Corporation What to Do if Compromised Liberty Picataggio First Data...

Documents

Transcript of © Copyright 2012 | First Data Corporation What to Do if Compromised Liberty Picataggio First Data...