Payment Card Industry Adjudication Process

Upload: hb-litigation-conferences

Posted on 28-Nov-2014

DESCRIPTION

Presented at NetDiligence Cyber Risk & Privacy Liability Forum in Santa Monica, Calif., Oct. 8-9, 2014.

TRANSCRIPT

Page 1: Payment Card Industry Adjudication Process

NetDiligence® Cyber Risk & Privacy Liability Forum, October 8-9, 2014

Page 2: PCI Breach Scenario

Examining the Payment Card Industry (PCI) Adjudication Process

Page 3: Speakers

David Navetta (moderator), Partner, InfoLawGroup LLP, Denver, Colorado

Neeraj Sahni, Vice President, FINEX North America – Cyber and E&O, New York, New York

Grayson Lenik, Principal Consultant, Incident Response, Nuix DFIR, Helena, Montana

Ernie Liu, Senior Manager, Mandiant, Los Angeles, California

Mark E. Schreiber, Partner, Edwards Wildman Palmer LLP, Boston, Massachusetts

Page 4: Background

NVRBreeched, Inc. (Merchant) runs an ecommerce website selling various goods

The webserver for the site is hosted by a third party, CloudsR’Secure, Inc. (Cloud Provider)

The site uses an ecommerce platform that includes a shopping cart application developed by UnSecureCoding, Inc. (Application Provider); NVRBreeched failed to vet this vendor or its software

NVRBreeched has a merchant agreement in place with a payment processor, IamOnYourSide, Inc. (Payment Processor), and a merchant bank, PassItOn, Inc. (Merchant Bank)

The site conducts approximately 30,000 payment card transactions each month

NVRBreeched does not store any payment card data on its systems

NVRBreeched has cyber liability insurance that includes coverage for “PCI fines and penalties” with a sublimit of $250,000; the policy also has a contract liability exclusion

Page 5: Discovery and Initial Response

On February 28, 2015, NVRBreeched (Merchant) receives a letter from its processor indicating that Visa has discovered fraud on 50 cards and believes that NVRBreeched’s website is the “common point of purchase”

Visa has requested that the Merchant conduct its own internal investigation and fill out a preliminary questionnaire

Discussion points:

Initial IT investigation (independent forensic investigator?)

Remediation versus forensic preservation

Legal issues and involvement

Coordination with cyber insurance carrier

Page 6: Forensic Investigation and Role of PCI Forensic Investigator

NVRBreeched’s (Merchant) own internal investigation suggests that unauthorized access to its webserver may have occurred on February 14, 2015 (approximately 2 weeks earlier)

That day (March 1, 2015) NVRBreeched disabled its shopping cart application and re-routed its payment processing through a PayPal interface

NVRBreeched receives another communication from its processor indicating that Mastercard has identified it as a “common point of purchase” and is requiring the merchant to retain a PCI Forensic Investigator (PFI) within 5 business days

Discussion points:

Role of the PFI and scope of investigation

Potential conflicts of interest

Obtaining images and logs from CloudsR’Secure, Inc. (Cloud Provider)

Page 7: Forensic Findings

NVRBreeched’s (Merchant) forensic assessor finds evidence suggesting that the site’s code was modified, allowing hackers using IP addresses from Vietnam to install a script designed to capture payment card information as users of the website enter it into the shopping cart.

It appears that the hackers first gained access to the server on January 1, 2015 (2 months earlier). However, the evidence suggests that the malicious script was not installed until February 1, 2015 (1 month earlier).

“Dump files” containing credit card data exist, and the earliest file creation date correlates with the script installation date. However, only a handful of dump files are found, suggesting that the attackers were deleting the files after taking them off the server.

Discussion points:

SQL injection and other common application/software vulnerabilities

Attackers’ ability to scale attacks by scanning for and exploiting common vulnerabilities

Capture of data in real time
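The finding above is that the shopping-cart code itself was altered and that dump files appeared beside it; because the script captures card data at the point of entry, the Merchant's practice of not storing card data (Page 4) does nothing to limit the exposure. The quickest way to establish exactly which files an attacker changed is to compare the deployed tree against a known-good hash manifest. The following is an added example written for this page, not code from the slides or from any of the firms named on them; the file names, contents and manifest layout are assumptions built for illustration, and the "skimmer" appended to the checkout script is an inert placeholder comment, not working code.

```python
"""Compare a deployed shopping-cart tree against a known-good hash manifest.

Added example, not code from the NetDiligence slides.  File names, contents
and the manifest layout are assumptions for illustration.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not sit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every regular file under root (POSIX relative path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_manifest(baseline: dict[str, str], current: dict[str, str]):
    """Return (added, modified, removed) relative paths, each sorted.

    'added' is where dump files and dropped web shells show up; 'modified' is
    where a skimmer injected into an existing checkout script shows up.
    """
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        path for path in baseline.keys() & current.keys()
        if baseline[path] != current[path]
    )
    return added, modified, removed


def demo():
    """Constructed scenario: snapshot a clean cart, then simulate the intrusion."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        cart = root / "cart"
        cart.mkdir()
        (cart / "checkout.js").write_text(
            "function submitCard(form) { return post('/pay', form); }\n"
        )
        (cart / "cart.php").write_text("<?php /* constructed cart logic */ ?>\n")

        # Known-good manifest.  In practice this comes from the release package
        # or a pre-incident backup, never from the suspect host itself.
        baseline = build_manifest(root)

        # Simulate the attacker's changes: an inert placeholder appended to the
        # checkout script and a dump file of captured input written beside it.
        with (cart / "checkout.js").open("a") as fh:
            fh.write("/* skimmer placeholder: hooks the submit event and posts "
                     "the form to an attacker host */\n")
        (cart / "dump_0201.txt").write_text("constructed sample dump\n")

        return diff_manifest(baseline, build_manifest(root))


if __name__ == "__main__":
    added, modified, removed = demo()
    print("added:", added)        # ['cart/dump_0201.txt']
    print("modified:", modified)  # ['cart/checkout.js']
    print("removed:", removed)    # []
```

The hash diff tells you what changed, not when: file timestamps on a compromised host can be reset by the attacker, so the install date on the next page is anchored by correlating the modified files with the webserver and access logs obtained from the Cloud Provider (Page 6) and with the creation dates of the dump files. Run the comparison against a preserved image, not the live system, so remediation does not destroy the evidence (Page 5).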

Page 8: Forensic Findings Timeline

Jan. 1 (unauthorized access); Feb. 1 (script activated); March 1 (shopping cart disabled)

Card count (February 1, 2015 thru March 1, 2015):

Visa = 14,990 (15,000 Visa minimum)

Mastercard = 9,985 (10,000 MC minimum*)

AXP = 5,500 (10,000 AXP minimum)

The PFI has completed its final draft report and wants to set the “window of intrusion” as January 1, 2015 thru March 1, 2015 (affecting 60,000 cards)

Discussion points:

Scope of breach (from the PFI’s perspective v. the forensic evidence)

Applicability of card brand rules

Calculating impacted cards and “CAMS” alerts
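Whether the window starts on January 1 (first access) or February 1 (earliest evidence of capture) is the scoping dispute on this slide, and it matters because each brand's count sits just under the minimum printed here. The counting itself should be reproducible from the raw transaction log so that the card brands' numbers can be vetted later (Page 9). The following is an added example, not code from the slides: it counts distinct cards per brand inside a candidate window and shows how much widening the window actually adds once cards used in both periods are deduplicated. The brand minimums are the scenario figures from the slide, not a statement of real card-brand rules; the transaction list is a constructed sample, with tokens standing in for hashed PANs since the Merchant stores none.

```python
"""Distinct card counts per brand for a candidate "window of intrusion".

Added example, not code from the NetDiligence slides.  Minimums are the
slide's scenario figures; the transaction list is constructed sample data.
"""
from collections import defaultdict
from datetime import date

# Scenario figures from the slide (not actual card-brand thresholds).
BRAND_MINIMUMS = {"Visa": 15_000, "Mastercard": 10_000, "AXP": 10_000}

EVIDENCE_WINDOW = (date(2015, 2, 1), date(2015, 3, 1))   # script install .. cart disabled
PROPOSED_WINDOW = (date(2015, 1, 1), date(2015, 3, 1))   # first access .. cart disabled

# Constructed sample: (transaction date, brand, card token).  Tokens stand in
# for hashed PANs; the same token on two dates is one card used twice.
SAMPLE_TRANSACTIONS = [
    (date(2015, 1, 5), "Visa", "tok-v1"),         # before the skimmer existed
    (date(2015, 1, 20), "Mastercard", "tok-m1"),  # before the skimmer existed
    (date(2015, 2, 1), "Visa", "tok-v2"),         # install day: captured
    (date(2015, 2, 3), "Visa", "tok-v2"),         # repeat use, same card
    (date(2015, 2, 10), "Visa", "tok-v1"),        # January card reused in February
    (date(2015, 2, 15), "AXP", "tok-a1"),
    (date(2015, 2, 28), "Mastercard", "tok-m2"),
    (date(2015, 3, 1), "Visa", "tok-v3"),         # disable day: still captured
    (date(2015, 3, 2), "Visa", "tok-v4"),         # after the cart was disabled
]


def impacted_cards(transactions, start, end):
    """Distinct card tokens per brand with start <= date <= end.

    Both ends are inclusive: the script captured input from the day it was
    installed through the day the cart was taken offline.
    """
    seen = defaultdict(set)
    for txn_date, brand, token in transactions:
        if start <= txn_date <= end:
            seen[brand].add(token)
    return {brand: len(tokens) for brand, tokens in seen.items()}


def window_delta(transactions, evidence, proposed):
    """Extra distinct cards per brand that the proposed window adds.

    Cards used in both periods count once, so the delta is smaller than the
    raw transaction volume of the extra month.
    """
    ev = impacted_cards(transactions, *evidence)
    pr = impacted_cards(transactions, *proposed)
    return {brand: pr.get(brand, 0) - ev.get(brand, 0) for brand in set(ev) | set(pr)}


def shortfall(counts, minimums=BRAND_MINIMUMS):
    """Cards by which each brand's count falls below its minimum (0 once reached)."""
    return {brand: max(0, minimum - counts.get(brand, 0)) for brand, minimum in minimums.items()}


if __name__ == "__main__":
    print("evidence window:", impacted_cards(SAMPLE_TRANSACTIONS, *EVIDENCE_WINDOW))
    print("proposed window:", impacted_cards(SAMPLE_TRANSACTIONS, *PROPOSED_WINDOW))
    print("added by widening:", window_delta(SAMPLE_TRANSACTIONS, EVIDENCE_WINDOW, PROPOSED_WINDOW))
    # The slide's own counts against the slide's minimums:
    print("shortfall:", shortfall({"Visa": 14_990, "Mastercard": 9_985, "AXP": 5_500}))
```

In the sample, widening the window to January 1 adds one Mastercard card and no Visa cards, because the only January Visa card was used again in February and is already counted. Run the same routine over the real transaction log before accepting either the PFI's 60,000-card figure or a brand's CAMS list, and keep the inclusive-boundary choice explicit, since a one-day difference at either end can move a brand across its minimum.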

Page 9: Fines, Penalties and Assessments

NVRBreeched receives a letter from its processor indicating that Visa is fining the company $5,000 for PCI non-compliance and will continue to do so for every month that it fails to certify its PCI compliance

NVRBreeched receives another letter from its processor indicating that Visa is issuing fraud recovery and operating expense recovery assessments. The operating expense recovery equals $50,000 (20,000 cards x $2.50 per card) while the fraud recovery amount is $2,000,000.

The processor indicates that it will begin taking 100% of every dollar earned on Visa transactions and put it into a reserve fund until these amounts are met

Discussion points:

Vetting the card brands’ calculations

Liability to whom (the PCI “Contract Chain”)

Defenses, strategies for defense, and negotiations

Liability of / indemnification from third parties

Page 10: Insurance Coverage

At the outset NVRBreeched notified its carrier of the breach and received coverage for breach notification expenses

However, NVRBreeched also requested that the carrier pay for legal expenses associated with defending the potential claims to be made by the payment processors/merchant banks/card brands arising out of the breach

In addition, NVRBreeched requested that the carrier pay the fines, penalties and assessments levied by the card brands (that were taken by the processor pursuant to the merchant agreement)

A coverage letter is imminent.

Discussion points:

Coverage for “pre-claim” defense

Coverage for “assessments”

Coverage for reserve funds

Page 11: Takeaways

Grayson: the earlier the client is engaged with legal counsel, the better the outcome

Mark: the earlier forensics is involved, the better chance of a more favorable outcome

Neeraj: make sure your coverage matches your specific risks in this context

Dave: Know the card brand rules ahead of time so you can anticipate potential defenses and leverage points from the beginning

Page 12: Speaker, Company, Contact

David Navetta, Esq., CIPP/US, InfoLawGroup LLP, [email protected]

Mark Schreiber, Edwards Wildman Palmer LLP, [email protected]

Grayson Lenik, Nuix DFIR, [email protected]

Neeraj Sahni, Willis North America, [email protected]

Marshall Heilman, Mandiant, [email protected], (808) 230-4707