Paymentech proprietary and confidential information For: Seneca College FCA240 By: John Florinis Date: March 19 th , 2003 Visa Account Information Security

Page 1:

Paymentech proprietary and confidential information

For: Seneca College FCA240

By: John Florinis

Date: March 19th, 2003

Visa Account Information Security

Page 2:

21/01/03 Paymentech proprietary and confidential information

Agenda

- What is AIS?
- Why AIS?
- Hackers
- Credit Card Fraud
- Identity Theft
- AIS 15 Points
- AIS Process
- Case Studies

Page 3:

What is the Visa AIS Program?

AIS is a Visa International Operating Regulation that outlines the requirements for the disclosure, use, storage and disposition of account and transaction information.

Page 4:

What is the Visa AIS Program?

- Objective: to protect card account and transaction “data at rest”.
- AIS impacts all entities that store card account and transaction data, including merchants, acquirers, processors, embossers, etc.
- AIS is an international mandate that affects businesses in all of Visa’s operating regions.

Page 5:

Why AIS?

- Mass digitization of personal information
- Threat of hackers
- Credit card fraud
- Rise in identity fraud
- Protect the Visa brand

The Visa AIS Program is intended to prevent data theft and protect businesses and individuals.

Page 6:

Hackers on the Rise

- 82,094 reported incidents in 2002; 52,658 in 2001 and 21,756 in 2000 (Source: CERT, 2003)
- 55% increase – how many go unreported?
- Symantec reported 689 attacks on financial institutions; 48% of those attacks were severe (Source: Symantec, 2003)
- Symantec reported 616 attacks on e-commerce merchants; 19% of those attacks were severe (Source: Symantec, 2003)

Page 7:

Hackers

- 24% of hacker attacks are targeted; 76% are opportunistic (Symantec, 2003)
- Hackers fall into 2 groups:
  - Thrill seekers – hack for the challenge
  - Professionals – usually work for foreign governments and organized criminal gangs

Page 8:

Credit Card Fraud

- Projected Visa fraud in Canada is over $92 million
- 330,686 fraudulent transactions
- Average sale = $105.91; average loss = $278.83
- <1% of transactions are fraudulent
- Internet fraud accounts for 5% ($4.6 MM) of Visa Canada’s total fraud loss

Source: Visa Canada

Page 9:

Credit Card Fraud

Page 10:

Credit Card Fraud

Page 11:

Identity Theft

Definition: “Identity theft or fraud involves ‘stealing’ another person’s identifying information, such as SIN number, DOB and mother’s maiden name, in order to fraudulently establish credit, run up debt, and take over any financial or miscellaneous accounts, and obtain false documents”

- Ariana-Michele Moore, Celent Communications

Page 12:

Identity Theft

- Over 100,000 identities are stolen every year in the U.S. (Source: Celent Communications)
- Rising at a CAGR of 20.7% from 2002 – 2006 (Source: Celent Communications)
- The Internet has given criminals a new way to obtain personal information
  - Example – criminals created a spoof eBay site and had customers enter credit card details and personal information.
  - Example – job posting sites

Page 13:

Identity Theft

Page 14:

Identity Theft

Impact on the Financial Services Industry

- Over the past 5 years identity fraud has cost close to $2 billion USD. (Source: Celent Communications)
- Intangible loss – brand equity and consumer confidence.
- Increase in security spending and employee training.

Page 15:

Identity Theft

Page 16:

15 Steps of AIS

1. Establish a hiring policy for staff and contractors.

2. Restrict access to data on a “need-to-know” basis.

3. Assign each person a unique ID to be validated when accessing data.

4. Track access to data, including read access, by each person.

5. Install and maintain a network firewall, if data can be accessed via the Internet.

6. Encrypt data maintained on databases or files accessible from the Internet.

7. Encrypt data sent across networks.

8. Protect systems and data from viruses.

9. Keep security patches for software up-to-date.

10. Don’t use vendor-supplied defaults for system passwords and other security parameters.

11. Don’t leave paper/diskettes/computers with data unsecured.

12. Securely destroy data when it’s no longer needed for business reasons.

13. Regularly test security systems and procedures.

14. Immediately investigate and report to Visa any suspected loss of Account or Transaction information.

15. Use only service providers that meet these security standards.
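The slide lists the controls but not how they fit together in a system. The following Python sketch is an added example, not code from the presentation or from Visa or Paymentech, showing points 2, 3 and 4 working as one mechanism: a role table that expresses need-to-know, registration that refuses a shared or duplicate user ID, and an audit trail that records every access attempt, including permitted reads and denied attempts. The roles (billing, fraud_analyst, support), the user IDs, the record ID and the card number are all constructed sample data; storage is plaintext here, so point 6 (encryption of stored data) is deliberately out of scope.

```python
"""Added illustration of AIS points 2, 3 and 4 (not code from the original
presentation). Every role, user ID and record below is constructed sample data."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Point 2: need-to-know, expressed as the actions each job role is allowed.
# Constructed roles: "support" staff may confirm an account exists but never
# read the card number, so their permission set is empty.
ROLE_PERMISSIONS = {
    "billing": {"write", "read"},
    "fraud_analyst": {"read"},
    "support": set(),
}


class AccessDenied(PermissionError):
    """Raised when a user attempts an action their role does not allow."""


@dataclass(frozen=True)
class AuditEvent:
    """One line of the access trail. The card number itself is never logged."""
    timestamp: str
    user_id: str
    action: str
    record_id: str
    allowed: bool


class CardDataStore:
    def __init__(self):
        self._records = {}   # record_id -> card number (plaintext; point 6 would encrypt it)
        self._users = {}     # user_id -> role
        self.audit_log = []  # Point 4: every access attempt, reads included

    def register_user(self, user_id, role):
        # Point 3: one ID per person. Rejecting duplicates keeps shared logins out,
        # which is what makes each audit line attributable to an individual.
        if user_id in self._users:
            raise ValueError(f"user id {user_id!r} already exists; IDs must be unique per person")
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        self._users[user_id] = role

    def _authorize(self, user_id, action, record_id):
        role = self._users.get(user_id)
        allowed = role is not None and action in ROLE_PERMISSIONS[role]
        # Log before enforcing, so denied attempts and plain reads both leave a record.
        self.audit_log.append(AuditEvent(
            datetime.now(timezone.utc).isoformat(timespec="seconds"),
            user_id, action, record_id, allowed))
        if not allowed:
            raise AccessDenied(f"{user_id!r} may not {action} {record_id!r}")

    def store(self, user_id, record_id, card_number):
        self._authorize(user_id, "write", record_id)
        self._records[record_id] = card_number

    def read(self, user_id, record_id):
        self._authorize(user_id, "read", record_id)
        return self._records[record_id]

    def accesses_by(self, user_id):
        """Answer the auditor's question: what did this person touch, and were they allowed?"""
        return [(e.action, e.record_id, e.allowed) for e in self.audit_log if e.user_id == user_id]


def demo():
    """Walk three constructed users through the store and return what an auditor would see."""
    store = CardDataStore()
    store.register_user("u1001", "billing")
    store.register_user("u1002", "fraud_analyst")
    store.register_user("u1003", "support")

    store.store("u1001", "acct-42", "4111111111111111")   # constructed sample card number
    analyst_view = store.read("u1002", "acct-42")          # permitted read, still logged

    try:
        store.read("u1003", "acct-42")                     # support has no read right
        support_denied = False
    except AccessDenied:
        support_denied = True

    try:
        store.register_user("u1001", "support")            # a second person reusing an ID
        duplicate_rejected = False
    except ValueError:
        duplicate_rejected = True

    return {
        "analyst_view": analyst_view,
        "support_denied": support_denied,
        "duplicate_rejected": duplicate_rejected,
        "trail": [(e.user_id, e.action, e.allowed) for e in store.audit_log],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point the slide cannot show is in `_authorize`: the audit line is written before the permission check, so a successful read by the analyst and the refused read by support both appear in the trail, which is what point 4 ("including read access") and point 14 (investigating suspected loss) rely on.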

Page 17:

The Process

- A business that stores card account or transaction data must go through the AIS audit.
- There are 3 transactional thresholds:
  - < 5,000 (monthly) – Self-Assessment Questionnaire (SAQ)
  - 5,000-50,000 (monthly) – SAQ and remote scan
  - > 50,000 (monthly) – SAQ, remote scan, full on-site review
- Every Visa acquirer in Canada is participating; each is responsible for enrolling their own merchants.

Page 18:

The Process

- Failing the AIS program could result in:
  - Being fined (if you lied)
  - Not being able to process Visa cards
- Most businesses are given a chance to fix their weak spots – a remedial plan.

Page 19:

Approved AIS Auditing Firms

Page 20:

AIS Benefits

- Helps protect a business against hacker attacks.
- Protects against credit card fraud and identity theft that could damage a business’ reputation and ability to accept Visa cards.
- The AIS 15 points can serve as standard operating procedures for any company in any industry.

Page 21:

Case Study – ISM Canada

- A hard disk went missing that contained customer profiles from several businesses:
  - The Co-operators lost 180,000 customer profiles
  - Government of Manitoba lost tax information for 43,000 businesses
  - Other companies include Investors Group, SaskTel and Saskatchewan Power Corp.
- Over 1,000,000 personal records were on the hard disk, including bank account numbers, insurance and pension plan data.
- A 41-year-old employee stole it. He had been working with ISM for 6 years. He told police he wanted an extra hard disk.
- ISM is a subsidiary of IBM!

Page 22:

Case Study – DPI

- A hacker gained access to 8 million credit cards – DPI is based in Omaha
- 60,000 Canadian Visas were compromised; 8,000 belonged to Scotiabank
- DPI processes credit cards for Internet, retail and MOTO merchants
- Luckily:
  - Stolen credit card numbers have not been used
  - Merchants that use DPI have not been named

Page 23:

Questions?

Page 24:

Source Links

- www.visa.com/secured
- www.cyberfraudsolutions.com
- www.cybersource.com
- http://news.com.com/2100-1017-966835.html
- www.celent.com
- http://www.securitystats.com/reports/Symantec Internet_Security_Threat_Report_vIII.20030201.pdf
- http://www.cert.org/stats/cert_stats.html
- http://www.usatoday.com/money/perfi/credit/2003-02-19-credit-card-hacker_x.html

Page 25:

Contact Info

John Florinis

Product Analyst, Internet Commerce

Paymentech Canada

416.933.2590

[email protected]