Paymentech proprietary and confidential information
For: Seneca College FCA240
By: John Florinis
Date: March 19th, 2003
Visa Account Information Security
21/01/03 Paymentech proprietary and confidential information
Agenda
What is AIS?
Why AIS?
Hackers
Credit Card Fraud
Identity Theft
AIS 15 Points
AIS Process
Case Studies
What is the Visa AIS Program?
AIS is a Visa International Operating Regulation that outlines the requirements for the disclosure, use, storage and disposition of account and transaction information.
What is the Visa AIS Program?
Objective: to protect card account and transaction “data at rest”.
AIS impacts all entities that store card account and transaction data, including merchants, acquirers, processors, embossers, etc.
AIS is an international mandate that affects businesses in all of Visa’s operating regions.
Why AIS?
Mass digitization of personal information
Threat of hackers
Credit card fraud
Rise in identity fraud
Protect the Visa brand
The Visa AIS Program is intended to prevent data theft and protect businesses and individuals.
Hackers on the Rise
82,094 reported instances in 2002; 52,658 in 2001 and 21,756 in 2000 (Source: CERT, 2003)
55% increase – how many go unreported?
Symantec reported 689 attacks on financial institutions (FIs); 48% of those attacks were severe (Source: Symantec, 2003)
Symantec reported 616 attacks on e-commerce merchants; 19% of those attacks were severe (Source: Symantec, 2003)
Hackers
24% of hacker attacks are targeted; 76% are opportunistic (Symantec, 2003)
Hackers fall into 2 groups:
Thrill Seekers – hack for the challenge
Professionals – usually work for foreign governments and organized criminal gangs
Credit Card Fraud
Projected Visa fraud in Canada is over $92 million
330,686 fraudulent transactions
Average sale = $105.91; average loss = $278.83
<1% of transactions are fraudulent
Internet fraud accounts for 5% ($4.6 MM) of Visa Canada’s total fraud loss
Source: Visa Canada
Credit Card Fraud (chart slides)
Identity Theft
Definition: “Identity theft or fraud involves ‘stealing’ another person’s identifying information, such as SIN number, DOB and mother’s maiden name, in order to fraudulently establish credit, run up debt, and take over any financial or miscellaneous accounts, and obtain false documents”
– Ariana-Michele Moore, Celent Communications
Identity Theft
Over 100,000 identities are stolen every year in the U.S. (Source: Celent Communications)
Rising at a CAGR of 20.7% from 2002 – 2006 (Source: Celent Communications)
The Internet has given criminals a new way to obtain personal information.
Example – criminals created a spoof eBay site and had customers enter credit card details and personal information.
Example – job posting sites
Identity Theft (chart slide)
Identity Theft – Impact on Financial Services Industry
Over the past 5 years identity fraud has cost close to $2 billion USD. (Source: Celent Communications)
Intangible loss – brand equity and consumer confidence.
Increase in security spending and employee training.
15 Steps of AIS
1. Establish a hiring policy for staff and contractors.
2. Restrict access to data on a “need-to-know” basis.
3. Assign each person a unique ID to be validated when accessing data.
4. Track access to data, including read access, by each person.
5. Install and maintain a network firewall, if data can be accessed via the Internet.
6. Encrypt data maintained on databases or files accessible from the Internet.
7. Encrypt data sent across networks.
8. Protect systems and data from viruses.
9. Keep security patches for software up-to-date.
10. Don’t use vendor-supplied defaults for system passwords and other security parameters.
11. Don’t leave paper/diskettes/computers with data unsecured.
12. Securely destroy data when it’s no longer needed for business reasons.
13. Regularly test security systems and procedures.
14. Immediately investigate and report to Visa any suspected loss of Account or Transaction information.
15. Use only service providers that meet these security standards.
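To make steps 2, 3 and 4 concrete, here is an added Python example; it is not part of the presentation and not Paymentech or Visa code. It shows a small card-data store in which every reader must present an individual user ID, each role may read only the fields it needs (support staff get a masked PAN, chargeback analysts the full PAN), and every read, granted or refused, is written to an audit trail. The user directory, the role matrix and the card record are constructed sample data; the PAN is the standard Visa test number.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample record: the standard Visa test PAN, not a real card.
SAMPLE_RECORDS = {
    "order-1001": {"pan": "4111111111111111", "expiry": "12/05"},
}

# Hypothetical user directory: one unique ID per person (step 3), no shared logins.
USERS = {
    "agent42": "support",
    "cb-analyst7": "chargebacks",
}

# Hypothetical need-to-know matrix (step 2): which role may read which field.
ROLE_PERMISSIONS = {
    "support": {"pan_masked", "expiry"},
    "chargebacks": {"pan_masked", "expiry", "pan"},
}


class PermissionDenied(Exception):
    """Raised when a read is refused; the refusal is still logged."""


@dataclass(frozen=True)
class AccessEvent:
    timestamp: str
    user_id: str
    record_id: str
    field: str
    granted: bool


def mask_pan(pan: str) -> str:
    """Show only the last four digits, e.g. '************1111'."""
    return "*" * (len(pan) - 4) + pan[-4:]


class CardVault:
    def __init__(self, records, users, permissions):
        self._records = dict(records)
        self._users = dict(users)
        self._permissions = permissions
        self.audit_log = []  # list of AccessEvent, oldest first

    def _log(self, user_id, record_id, field, granted):
        self.audit_log.append(AccessEvent(
            timestamp=datetime.now(timezone.utc).isoformat(),
            user_id=user_id,
            record_id=record_id,
            field=field,
            granted=granted,
        ))

    def read(self, user_id, record_id, field):
        # Step 3: only an individually identified user may read anything.
        role = self._users.get(user_id)
        if role is None:
            self._log(user_id, record_id, field, granted=False)
            raise PermissionDenied(f"unknown user {user_id!r}")
        # Step 2: need-to-know check before the record is even looked up.
        if field not in self._permissions.get(role, set()):
            self._log(user_id, record_id, field, granted=False)
            raise PermissionDenied(f"role {role!r} may not read {field!r}")
        record = self._records[record_id]
        # Step 4: successful reads are tracked too, not only writes.
        self._log(user_id, record_id, field, granted=True)
        if field == "pan_masked":
            return mask_pan(record["pan"])
        return record[field]

    def reads_by(self, user_id):
        """Audit query: what did this person touch, and was it allowed?"""
        return [(e.record_id, e.field, e.granted)
                for e in self.audit_log if e.user_id == user_id]


def demo():
    vault = CardVault(SAMPLE_RECORDS, USERS, ROLE_PERMISSIONS)
    masked = vault.read("agent42", "order-1001", "pan_masked")
    try:
        vault.read("agent42", "order-1001", "pan")  # support has no need for the full PAN
        denied = False
    except PermissionDenied:
        denied = True
    full = vault.read("cb-analyst7", "order-1001", "pan")
    return masked, denied, full, vault.reads_by("agent42")


if __name__ == "__main__":
    print(demo())
```

The point of logging the refused reads as well as the granted ones is that a person repeatedly asking for fields outside their role is exactly the signal an investigator (step 14) wants to find in the trail afterwards.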
The Process
A business that stores card account or transaction data must go through the AIS audit.
There are 3 transactional thresholds:
< 5,000 (monthly) – Self-Assessment Questionnaire
5,000 – 50,000 (monthly) – SAQ and remote scan
> 50,000 (monthly) – SAQ, remote scan, full on-site review
Every Visa acquirer in Canada is participating; each is responsible for enrolling its own merchants.
The Process
Failing the AIS program could result in:
Being fined (if you lied)
Not being able to process Visa cards
Most businesses are given a chance to fix their weak spots (remedial plan).
Approved AIS Auditing Firms
AIS Benefits
Helps protect a business against hacker attacks.
Protects against credit card fraud and identity theft that could damage a business’ reputation and ability to accept Visa cards.
The AIS 15 points can serve as standard operating procedures for any company in any industry.
Case Study – ISM Canada
A hard disk went missing that contained customer profiles from several businesses.
The Co-operators lost 180,000 customer profiles.
Government of Manitoba lost tax information for 43,000 businesses.
Other companies include Investors Group, SaskTel and Saskatchewan Power Corp.
Over 1,000,000 personal records were on the hard disk, including bank account numbers, insurance and pension plan data.
A 41-year-old employee stole it. He had worked with ISM for 6 years and told police he wanted an extra hard disk.
ISM is a subsidiary of IBM!
Case Study – DPI
A hacker gained access to 8 million credit cards; DPI is based in Omaha.
60,000 Canadian Visa cards were compromised; 8,000 belonged to Scotiabank.
DPI processes credit cards for Internet, retail and MOTO (mail order/telephone order) merchants.
Luckily:
Stolen credit card numbers have not been used.
Merchants that use DPI have not been named.
Questions?
Source Links
www.visa.com/secured
www.cyberfraudsolutions.com
www.cybersource.com
http://news.com.com/2100-1017-966835.html
www.celent.com
http://www.securitystats.com/reports/Symantec Internet_Security_Threat_Report_vIII.20030201.pdf
http://www.cert.org/stats/cert_stats.html
http://www.usatoday.com/money/perfi/credit/2003-02-19-credit-card-hacker_x.html
Contact Info
John Florinis
Product Analyst, Internet Commerce
Paymentech Canada
416.933.2590