Countdown to EMV: October 1 2015
What banks need to know to help grow, protect and simplify their customers’ business.

©2015 Total System Services, Inc.® Confidential and proprietary. All rights reserved worldwide.


Agenda


• Threat Landscape

• Fraud Techniques

• Examples of Breached Merchants

• Why is the US a Leading Target?

• What is EMV

• What is PCI?

• Twelve Basic PCI DSS Requirements

• Additional Technology

• Merchant Compromise Impacts

• Q&A


Top 5 World Economies

• United States 44%
• China 36%
• India 37%
• Mexico
• Germany 13%
• United Arab Emirates 36%
• Brazil 33%
• United Kingdom 34%
• Australia 31%
• Singapore 26%
• Italy 24%
• South Africa 25%
• Indonesia 18%
• Canada 25%
• France 20%
• Sweden 12%
• The Netherlands 12%

Cardholders Impacted by Fraud (by Country)

[Chart: Cardholders Impacted by Fraud, percentage axis 0% to 45%]

Source: Digital Transactions 2013

Industry Stats


Common Fraud Techniques

Phishing
• Spam or pop-up messages used to lure unsuspecting cardholders to divulge personal or financial information.
• Depends on hijacked brands, such as Amazon, IRS, local bank, etc.

Pharming
• “Phishing Without a Lure”
• Malicious code is loaded to a PC or server that misdirects consumers to a fraudulent website without their knowledge or consent.
• Cardholder information is gathered for future fraudulent transactions.

Skimming
• Obtaining a card’s information through an automated device implanted within a card reader at a POS or ATM or by swiping it through a small reading device at the point of transaction.
• Stolen information is typically transferred to a counterfeit gift card.

Hacking
• Penetration of a business or government entity computer system, usually for the purpose of obtaining personal or financial information.
• Exploits weakness in a computer system or network.

Examples of Breached Merchants

• Home Depot – April to September 2014
  – The same malware that affected Target was installed on company network servers tied to POS systems
  – Financial institutions claim breach cost “billions of dollars” in fraud loss

• UPS – June to August 2014
  – Malware installed on company network servers tied to POS systems

• Michaels Craft Stores – August 2013 to April 2014 (9 months)
  – Malware installed on company network servers tied to POS systems
  – Card and personal information for 3 million customers was exposed
  – 2nd time: in 2011 Michaels was breached with PIN pad tampering

• Target – November to December 2013
  – Malware installed on company network servers tied to POS systems
  – Card and personal information for 110 million customers was exposed

• Neiman Marcus – July to October 2013
  – Malware installed on company network servers tied to POS systems
  – 1.1 million customers exposed

2005 to March 20th 2015
Number of breaches = 5,203
Number of records/people affected = 778,087,103

Why is the US the Leading Target?

Reliable Telecommunications

Unreliable telecommunications in Europe drove the need for Europay/MasterCard/Visa (EMV) smartcard payment systems.

EMV in the United States

575 Million NEW EMV CARDS

Industry insiders expect that there will eventually be more than 575 million EMV chip-enabled payment cards in circulation in the U.S.

1.2 Billion CARDS WILL TRANSITION

The United States is set to transition more than 1.2 billion payment cards and 8 million point-of-sale terminals to meet EMV requirements.

An enormous amount of technology will be needed to handle these changes, and merchants will need assistance to ensure they are EMV enabled. They will eventually turn to their banks for assistance with this transition.

Source: First Data


What Makes EMV More Secure?

The EMV computer chip that replaces the old magnetic stripe can hold a lot more information than the traditional magnetic stripe. It is virtually impossible to copy or make counterfeit cards, and EMV has encryption capabilities built in to lock down and protect private payment data.

Source: First Data

Unlike mag-stripe cards, an EMV chip card always remains in the physical possession of the consumer.

The buyer inserts the card into an EMV reader or taps it on a contactless sales terminal to make a transaction, with no hand-off of a card number to the merchant and no swipe.

The EMV technology makes it virtually impossible for thieves to duplicate cards, thereby reducing card fraud at the point of sale.

Only EMV-enabled terminals can read and decode the card.


The Impact of EMV on Small Merchant Businesses

The date for the liability shift is quickly approaching. After October 1, 2015, if a consumer uses an EMV chip card with a merchant who doesn’t have an EMV-compliant point-of-sale, and the transaction is found to be fraudulent, the liability for any charges falls on the merchant.

1/2 – According to market research by Javelin, more than half of small business owners have little or no knowledge of EMV – or the impending liability shift.

3/4 – Not surprisingly, nearly three-fourths of small business owners have no plans to upgrade to EMV-compliant POS devices by the end of 2015.

The main reason for not upgrading is a lack of knowledge about EMV.


Why EMV?


EMV is the name for the secure chip embedded in more than 2 billion payment cards worldwide – the vast majority of them outside the United States. The reason for such widespread adoption is simple: these cards dramatically reduce card fraud. The United States is one of the last countries in the world to adopt this technology.

25% TRANSACTIONS – Although the US only accounts for a quarter of the world’s payment card transactions, more than ½ of all fraudulent transactions happen here.

$10B LOSSES – Losses due to card fraud in the US are expected to top $10 billion in 2015.

2X FRAUD – Credit card fraud rates have doubled in recent years, representing 10 cents out of every $100 transacted.

Source: First Data


Payments Processing Security


What is PCI?

• PCI-DSS is a security standard created by the industry to help protect cardholder data from credit card fraud, hacking and other threats

• Historically, the individual card brands had separate data security programs to protect cardholder data

• In 2004, the card brands partnered together to construct one industry standard for data security and created the PCI Security Standards Council (PCI SSC)


PCI Administration

• Enforcement of the standards is still the responsibility of the individual Card Brands

• The Card Brands set mandates that Acquiring Banks must follow
• Acquiring Banks must ensure their customers meet the requirements of the set mandates, which include being compliant with the PCI-DSS


PCI-DSS, PA-DSS, and PTS

Entity | Description | Applicable standard
Merchants | A business that has been issued a merchant ID number and accepts payments for goods or services | PCI-DSS
Payment Applications | A piece of software that can be purchased off the shelf and installed on a merchant’s computer | PA-DSS
Terminals | A piece of hardware that can be purchased to process payments and enter PINs | PTS
Service Providers | A 3rd party; for example, a payment gateway that processes transactions on a merchant’s behalf | PCI-DSS


Leveraging Additional Technology

Advance cardholder data security and future-proof your security investment through the use of robust technologies:

EMV Chip Technology – Chip cards used at EMV terminals protect against counterfeit transactions by replacing static data with dynamic data

Point-to-Point Encryption (P2PE) – Protects cardholder data from the point of data entry to the payment card processor; shields against malware that “sniffs” and “captures”

Tokenization Technology – Replaces cardholder data with surrogate values, or “tokens”; allows merchants to limit or eliminate the storage of cardholder data

If properly implemented, all three can reduce the scope of PCI DSS compliance.

Source: Visa Best Practices for P2PE and Tokenization – www.visa.com/cisp


Merchant Compromise Impacts

• Fines – Visa & MasterCard are levying fines against merchants that are PCI-DSS non-compliant
• Penalties, fines, litigation and financial losses
• Counterfeit cards and fraud
• Significant chargeback risk
• Reputation damage
• Negative media coverage
• Consumer confidence impacts
• Government intervention/legislation


For More Information…

Visit the PCI Security Standards Council website at: www.pcisecuritystandards.org

More information regarding the PCI-DSS is available on the Visa and MasterCard websites:
www.visa.com/cisp
www.mastercard.com/sdp

White Paper resources are available at: http://tsysmerchantsolutions.com/resource-center/white-papers/

Copyright © 2015 Trustwave Holdings, Inc.

AGENDA

1 About Trustwave
2 Security Today (New)
3 PCI Data Security Standard


WHY DO CYBERCRIMINALS DO WHAT THEY DO?
Return on Investment (ROI)

• 1,425% – Estimated ROI for a one-month ransomware campaign
• Based on Trustwave SpiderLabs research into underground markets
• One example: $5,900 investment = $84,100 profit
• Make it difficult and expensive for criminals to target your organization

TRUSTWAVE 2015 GLOBAL SECURITY REPORT


THE 2015 TRUSTWAVE GLOBAL SECURITY REPORT
Seventh annual compendium of Trustwave threat intelligence

• Detailing cybercriminals’ methods and impact in the previous year
• 574 compromised locations investigated across 15 countries
• Billions of events each day across five global SOCs
• 4 million vulnerability scans
• Thousands of web app security scans
• Tens of millions of web transactions
• Tens of billions of email messages
• Millions of blocked malicious websites
• Thousands of penetration tests


GEOGRAPHIC LOCATIONS OF VICTIMS
Distribution of investigations by location

ENVIRONMENTS COMPROMISED BY REGION
Distribution of investigations by type and region

COMPROMISES BY INDUSTRY
Distribution of investigations by industry, 2014 vs 2013

ENVIRONMENTS COMPROMISED BY INDUSTRY
Distribution of investigations by type and industry

FACTORS CONTRIBUTING TO COMPROMISE
Distribution of investigations by factors that made the breach possible

• Weak Remote Access Security 28%
• Weak Passwords 28%
• Weak (or Non-Existent) Input Validation 15%
• Unpatched Vulnerabilities 15%
• Misconfigurations 8%
• Malicious Insider 6%

TYPES OF DATA TARGETED
Distribution of investigations by type of data targeted

• PII + CHD (E-commerce Transaction Data) 49%
• Track Data (POS Transaction Data) 31%
• Financial Credentials 12%
• Proprietary Data 8%

BREACH DETECTION
Distribution of investigations by modes of detection

81% of victims did not identify a breach themselves

DURATION OF A COMPROMISE
Median durations between various compromise milestones

• 111 days a breach lasted
• 86 days to detect a breach
• 7 days to contain a breach

TARGETED ATTACKS
“KB Enterprises serves a lot of customers, handles a lot of payment card transactions and probably has a lot of customer data stored somewhere. I’m going to figure out how to break in.”
• Target identified first
• ONLY THEN is the attack considered
• More effort spent planning and executing
• Usually targeting larger organizations

OPPORTUNISTIC ATTACK
“I know how to compromise a web server via an Adobe Cold Fusion vulnerability. I’m going to scan the Internet to find unpatched servers and see whether I can access some valuable data or inject malicious code to infect visitors with malware.”
• Exploit and vulnerability identified first
• Target doesn't matter, just needs to be vulnerable to exploit
• Low-hanging fruit
• Smaller organizations usually fall victim

NETWORK VULNERABILITY SCAN ANALYSIS
Top 5 Most Frequently Detected Vulnerabilities

41% of vulnerabilities detected were SSL vulnerabilities

ATTACKS ON WEB APPLICATIONS AND SERVERS
Top Opportunistic Attack Methods Observed by Trustwave

SPAM CATEGORIES (2014 vs 2013)

6% OF SPAM INCLUDES MALICIOUS LINKS OR ATTACHMENTS

PREVALENT EXPLOIT KITS
Exploit kit prevalence based on telemetry from Trustwave Secure Web Gateway

• RIG 25%
• Nuclear 23%
• Angler 17%
• Fiesta 13%
• Magnitude 9%
• Neutrino 5%

TOP EXPLOITED APPLICATIONS
Most exploited client-side applications and plug-ins as observed by Trustwave in 2014

• Flash 33%
• Internet Explorer 29%
• Adobe Reader 10%
• Silverlight 13%
• Java 15% (63%)

PASSWORD ANALYSIS
Cracked 51 percent of passwords within 24 hours and another 37 percent within two weeks

TOP 10 COMMON KEY WORDS

PCI DSS


PCI BASICS
PCI DSS Defined

• The Payment Card Industry Data Security Standard (PCI DSS) is a set of 12 requirements designed to protect cardholder data
• It is applied to ALL merchants, systems, networks and applications that process, store, and/or transmit card numbers
• PCI Data Security Standard High Level Overview
  – Build and Maintain a Secure Network and Systems (2)
  – Protect Cardholder Data (2)
  – Maintain a Vulnerability Management Program (2)
  – Implement Strong Access Control Measures (3)
  – Regularly Monitor and Test Networks (2)
  – Maintain an Information Security Policy (1)

PCI REQUIREMENTS

Build and Maintain a Secure Network and Systems
1. Firewall – Install and maintain a firewall configuration to protect cardholder data
2. Vendor Defaults – Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Data at Rest – Protect stored cardholder data
4. Data in Transit – Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
5. Anti-virus Protection – Protect all systems against malware and regularly update anti-virus software or programs
6. Secure Coding – Develop and maintain secure systems and applications

Implement Strong Access Control Measures
7. Need to Know – Restrict access to cardholder data by business need to know
8. ID and Authentication – Identify and authenticate access to system components
9. Physical Security – Restrict physical access to cardholder data

Regularly Monitor and Test Networks
10. Audit Trail – Track and monitor all access to network resources and cardholder data
11. Testing – Regularly test security systems and processes

Maintain an Information Security Policy
12. Policy and Education – Maintain a policy that addresses information security for all personnel

PCI DSS LIFE CYCLE
The Evolution of a Standard

• Year 2
• Three-Year Lifecycle
  – Minimize volatility
  – Align with threats
  – Respond to trends
• Change Drivers
  – Threat landscape
  – Weak passwords
  – Lack of awareness
  – Third-party challenges
  – Slow self-detection
  – Malware
  – Assessment issues
  – Evolving technologies

PCI DSS COMPLIANCE
Sound Business Practice

• Fundamental Best Security Practices
  – Avoid fraud
  – Helps to understand own system better
  – Clarifies where data is stored
• Upholds Brand Name
  – Adds value to name
  – Increases consumer confidence
• Non-compliant, compromised business could expect
  – Damage to their brand/reputation
  – Investigation costs
  – Remediation costs
  – Fines and fees

VALIDATION ACTIONS DEPEND ON MERCHANT LEVEL

Level 1 – Any merchant that processes over 6 million total transactions annually
  – Annual Report on Compliance, validated by a Qualified Security Assessor
  – Quarterly Network Scan, validated by an Approved Scanning Vendor

Level 2 – Any merchant that processes between 1 and 6 million total transactions annually
  – Annual Self-Assessment Questionnaire, validated by the Merchant
  – Quarterly Network Scan, validated by an Approved Scanning Vendor

Level 3 – Any merchant that processes 20,000 to 1 million e-commerce transactions annually
  – Annual Self-Assessment Questionnaire, validated by the Merchant
  – Quarterly Network Scan, validated by an Approved Scanning Vendor

Level 4 – Any merchant that processes up to 1 million brick-and-mortar transactions, or less than 20,000 e-commerce transactions annually
  – Annual Self-Assessment Questionnaire, validated by the Merchant
  – Quarterly Network Scan, validated by an Approved Scanning Vendor

SELF-ASSESSMENT QUESTIONNAIRES (9)

See: Understanding the SAQs in Detail (PDF); Full SAQ Documents (PDF)

SAQ Type | High Level Description | Electronic Cardholder Storage | Number of Questions (v3.0) | ASV Scan Required | Penetration Test Required
A | Card-not-present merchants: All payment processing functions fully outsourced. | Not permitted | 14 | No | No
A-EP | E-commerce merchants only. | Not permitted | 139 | Yes | Yes
B | Merchants with imprint machines or standalone dial-out payment terminals only. | Not permitted | 41 | No | No
B-IP | Merchants with standalone, IP-connected payment terminals. | Not permitted | 83 | Yes | No
C | Merchants with payment application systems connected to the Internet. | Not permitted | 139 | Yes | Yes
C-VT | Merchants with web-based virtual payment terminals. | Not permitted | 73 | No | No
D | All other SAQ-eligible Merchants. | Permitted | 326 | Yes | Yes
D-SP | SAQ-eligible Service Providers. | Permitted | 347 | Yes | Yes
P2PE | Hardware payment terminals in a validated PCI P2PE solution only. | Not permitted | 35 | No | No

PCI DSS COMPLIANCE – BOTTOM LINE

• Security Awareness and Education
• Data Flow Diagrams
• Inventory of System Components
• Network Segmentation
• Service Providers
• Changes at a Glance
• Awareness and Education tools (e.g. LMS)
• Data Loss Prevention
• Governance, Risk and Compliance
• Vulnerability Scanning
• Penetration Testing
• Vendor Management
• Documentation
• Validation

RESOURCES

• PCI Security Standards Council: https://www.pcisecuritystandards.org
  – List of compliant payment applications on this site
  – Full version of the PCI DSS Standard
• TrustKeeper Support:
  – 800-363-1621
  – [email protected]


Questions?


Thank you

Shane Beardslee
TSYS Merchant Solutions
402-574-7888
sbeardslee@tsys.com
www.tsysmerchantsolutions.com

James [email protected]
