Securing The Data
Payment System Forum
Bank Negara Malaysia
27th November 2014
Murugesh Krishnan
Head of Risk, South & Southeast Asia
2 BNM Payments Forum | November 2014 Visa Public
Disclaimer
Case studies, statistics, research and recommendations are provided "AS IS" and intended for informational purposes only and should not be relied upon for operational, marketing, legal, technical, tax, financial or other advice. You should consult with your legal counsel to determine what laws and regulations may apply to your circumstances. The actual costs, savings and benefits of any recommendations or programs may vary based upon your specific business needs and program requirements. By their nature, recommendations are not guarantees of future performance or results and are subject to risks, uncertainties and assumptions that are difficult to predict or quantify. Visa is not responsible for your use of the information contained herein (including errors, omissions, inaccuracy or non-timeliness of any kind) or any assumptions or conclusions you might draw from its use. Visa makes no warranty, express or implied, and explicitly disclaims the warranties of merchantability and fitness for a particular purpose, any warranty of non-infringement of any third party's intellectual property rights. To the extent permitted by applicable law, Visa shall not be liable to a client or any third party for any damages under any theory of law, including, without limitation, any special, consequential, incidental or punitive damages, nor any damages for loss of business profits, business interruption, loss of business information, or other monetary loss, even if advised of the possibility of such damages.
Forward Looking Statements Disclaimer
These presentations contain forward-looking statements within the meaning of the U.S. Private Securities Litigation Reform Act of 1995. These statements can be identified by the terms “objective,” “goal,” “strategy,” “opportunities,” “continue,” “can,” “will” and similar references to the future. Examples of such forward-looking statements include, but are not limited to, statements we make about our corporate strategy and product results, goals, plans and objectives. By their nature, forward-looking statements: (i) speak only as of the date they are made, (ii) are neither statements of historical fact nor guarantees of future performance and (iii) are subject to risks, uncertainties, assumptions and changes in circumstances that are difficult to predict or quantify. Therefore, actual results could differ materially and adversely from those forward-looking statements because of a variety of factors, including: the impact of new laws, regulations and marketplace barriers; developments in litigation or government enforcement; economic factors; industry developments; system developments; loss of organizational effectiveness or key employees; failure to effectively develop products and businesses; Visa Europe’s exercise of their put option, and the other factors discussed in our most recent Annual Report on Form 10-K filed with the U.S. Securities and Exchange Commission. You should not place undue reliance on such statements.
Data Breach - a case study
CNP fraud is outsized relative to CNP sales
Overview: Millions of card data breached by an international identity theft ring
Vulnerabilities: Insecure domain controls, malware & inadequate monitoring
Fraudulent Use: Fraudulent transactions, reselling of cardholder data
Source: New York Times, March 25, 2010
*All brand names and logos are the property of their respective owners, are used for identification purposes only, and do not imply product endorsement or affiliation with Visa.
Data Breach – continues in 2014
Overview: High profile merchant data breaches, reported by respective companies, including card account and other personal information
Vulnerabilities: Potentially insecure domain controls, malware & inadequate monitoring
Fraudulent Use: Fraudulent transactions, reselling of cardholder data
Data Breach – issues in Southeast Asia
Overview: Increasing CNP fraud relative to CNP sales
Vulnerabilities:
• Compromise of account data on the mag stripe due to the practice of “double swiping” in SEA
• Remote access vulnerabilities at merchant POS systems; use of hardware and software keyloggers
Fraudulent Use: Counterfeit fraud
Multi-Layered Approach To Mitigate Risk
• Data Security
• Data Devaluation
• Fraud Prevention
• Breach Response
What Data is Sensitive?
Magnetic stripe fields: Card Number, Name, Expiry, Service Code, CVV
[Figure: sample magnetic-stripe track data with the fields separated by ^ (card number ^ name ^ expiry ^ service code ^ CVV); the card's printed CVV2 is shown separately]
Magnetic Stripe Data is Static
EMV Chip Mitigates Fraud
Chip data fields: Card Number, Name, Expiry, Service Code, iCVV, Cryptogram (DYNAMIC)
[Figure: sample card face (4000 1234 5678 9010, CARDHOLDER NAME, 12/12) beside chip transaction data in which the cryptogram field is dynamic]
Chip Generates Dynamic Data
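As an added illustration of the stripe layout shown on the slides (example code, not from the original deck), here is a small Python scanner that recognises ISO 7813 track 1 and track 2 records in a POS log, screens candidates with the Luhn check, and reports the fields the slide names with the card number masked. The log lines and card numbers are constructed test values; finding full track data at rest like this is the "static data" exposure the slide contrasts with chip-generated dynamic data.

```python
import re

# ISO 7813 track layouts, the same fields the slide lists for the magnetic stripe.
# Track 1 (format code B): %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(
    r"%B(?P<pan>\d{13,19})\^(?P<name>[^^?]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})[^?]*\?"
)
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})\d*\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check digit test; screens out digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Show only the first six and last four digits when reporting a finding."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(text: str) -> list:
    """Return one masked finding per track 1 / track 2 record found in text."""
    findings = []
    for m in TRACK1_RE.finditer(text):
        if luhn_ok(m.group("pan")):
            findings.append({"track": 1, "pan": mask_pan(m.group("pan")),
                             "name": m.group("name"), "exp": m.group("exp"),
                             "svc": m.group("svc")})
    for m in TRACK2_RE.finditer(text):
        if luhn_ok(m.group("pan")):
            findings.append({"track": 2, "pan": mask_pan(m.group("pan")),
                             "exp": m.group("exp"), "svc": m.group("svc")})
    return findings


# Constructed POS log lines: 4111111111111111 is a Luhn-valid test number;
# the last line carries a digit run that fails Luhn and must not be reported.
SAMPLE_POS_LOG = """\
2014-11-27 10:01:02 swipe raw=%B4111111111111111^SIEW/NEE^1212101123456789?
2014-11-27 10:01:03 auth approved amount=45.00
2014-11-27 10:05:44 swipe raw=;4111111111111111=12121011234567890?
2014-11-27 10:07:10 ref=;1234567890123456=1212101?
"""

if __name__ == "__main__":
    for finding in find_track_data(SAMPLE_POS_LOG):
        print(finding)
```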
What Data is Sensitive - Ecommerce
Payment Page – Account Number, Expiration Date, CVV2
Dynamic Data
Account Information Security Program: An Overview
• PCI SSC established in response to industry call for a common standard
• Founded in Sep 2006 by Visa, MCI, Amex, JCB, Discover
• Move ownership to industry
    • Executive Council
    • Board of Advisors (~40 companies from industry)
    • Focus/Advisory Groups
• Manages
    • Data Security Standards
    • Accreditation (QSAs, PA-QSAs, ASVs, ISAs, PFIs)
    • Awareness programs
PCI DSS – Role & Responsibility
[Diagram: card scheme compliance programmes (AIS, SDP, DSOP) with their respective compliance requirements (AIS Compliance Requirements, DSOP Compliance Requirements)]
PCI DSS - applicability
• Entities that process, store and/or transmit cardholder data: Merchants, Service Providers, Banks
Merchants
PCI DSS - Definitions
• Self Assessment Questionnaire - SAQ
    • ~400 test points or questions
    • Five versions available to simplify assessment for various merchant needs
• Report on Compliance – ROC (completed by QSA)
• Attestation of Compliance - AOC (issued by QSA)
• Approved Scanning Vendor - ASV - Non-intrusive vulnerability scan at Internet-facing ports/access
Merchants – Four Groups
Level / Criteria / Validation Requirements
Level 1 – Merchants processing over 6 million Visa transactions annually (all channels)
• Annual Report on Compliance by QSA
• Quarterly network scan by ASV
• Attestation of Compliance Form
Level 2 – Merchants processing 1 – 6 million Visa transactions annually (all channels)
• Annual SAQ
• Quarterly network scan by ASV
• Attestation of Compliance Form
Level 3 – Merchants processing 20,000 to 1 million Visa e-commerce transactions annually
• Annual SAQ
• Quarterly network scan by ASV
• Attestation of Compliance Form
Level 4 – Merchants processing less than 20,000 Visa e-commerce transactions annually and all other merchants processing up to 1 million Visa transactions annually
• Annual SAQ recommended
• Quarterly network scan by ASV if applicable
• Compliance validation requirements set by acquirer
Payment applications
Payment Application Data Security Standard (PA-DSS)
• PA-DSS is a set of requirements derived from the PCI Data Security Standard (PCI DSS)
• PA-DSS applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where these payment applications are sold, distributed, or licensed to third parties
• This includes payment applications that are typically sold and installed “off the shelf”
• The list of validated payment applications can be found at www.pcisecuritystandards.org/security_standards/vpa
www.visa-asia.com
PCISSC Website
• PCI Security Standards Council (PCI SSC): www.pcisecuritystandards.org
• PCI DSS: www.pcisecuritystandards.org/security_standards/pci_dss.shtml
• PA DSS: www.pcisecuritystandards.org/security_standards/pa_dss.shtml
• PCI DSS Prioritized Approach: www.pcisecuritystandards.org/security_standards/documents.php
• List of Validated Payment Applications: www.pcisecuritystandards.org/security_standards/vpa/
Summary
• Review Your Card Acceptance Practices
    • Do Not “Double Swipe”
• PCI DSS is a Useful Framework for All Merchants
    • Stand-alone device
    • Integrated POS device
    • Self-service devices (Auto Fuel Dispenser, Payment Kiosks)
    • Ecommerce & Mobile Commerce
• Verify/Register Third Party Agents (Merchant Servicers)
• Stay Informed (Consult Your Bank, PCI SSC & Card Scheme websites)