preventing a card compromise: new tools that merchants can use to help protect themselves against...

Upload: vantiv

Post on 04-Jun-2018


  • 8/13/2019 Preventing a Card Compromise: New Tools that Merchants Can Use to Help Protect Themselves Against Fraud

    1/6

    Secure

    Preventing a Card Compromise:
    New Tools that Merchants Can Use to Help Protect Themselves Against Fraud

    October 4, 2011

    Copyright 2011 Vantiv, LLC. All rights reserved.

    Vantiv, the Vantiv logo and all other Vantiv product or service names and logos are registered trademarks or trademarks of Vantiv, LLC in the USA and other countries. ® indicates USA registration.


    Preventing a Card Compromise: New Tools to Help Protect Against Fraud

    Executive Summary

    Cybercriminals have historically focused on compromising cardholder data within large merchant databases. In response to being breached, merchants have recognized that establishing PCI DSS compliance is only the beginning of a much larger security plan that requires constant effort and resources. Beyond PCI DSS compliance, large merchants have also sought to reduce their risk by deploying emerging technologies such as encryption and tokenization. These increased efforts and newer technologies have resulted in cybercriminals shifting their focus toward attacking small to mid-size merchants where vulnerabilities may still exist.

    While all small to mid-size merchants are required to maintain PCI DSS compliance, many find the guidelines difficult to understand and tough to apply. Not knowing what steps to take may result in costly mistakes that still do not provide the baseline level of protection intended by PCI DSS compliance. To help small to mid-size merchants secure their networks, PCI DSS evaluation tools have been developed to easily assess current compliance status and make suggestions about how to get compliant.

    Every day, new and more sophisticated attacks are being developed, to the point that merchants need to take additional steps to protect their businesses. Small to mid-size merchants can also deploy encryption and tokenization technologies to eliminate card data from their systems and protect their business. While being compliant with PCI DSS guidelines reduces the risk of a data breach, it doesn't guarantee that a breach won't happen. Merchants can also obtain breach-protection services to reduce the financial burden associated with a breach.

    Fraud Is a Never-Ending Burden, Shifting to Small and Mid-Size Merchants

    Over the past 10 years, cybercriminals have consistently targeted their cyber attacks against large merchants, having successfully hacked a number of large cardholder databases. They have stolen large quantities of unprotected card numbers and made billions of dollars of fraudulent transactions. In response, large merchants have invested heavily in PCI DSS compliance and other preventive security measures, causing cybercriminals to change their strategy. They have turned their attention toward intercepting card numbers while transactions are being processed (in motion) through the retailer's network. Several notable, large data breaches that have occurred in the past few years were the result of an organized assault by a multi-country hacker team that used sophisticated SQL injection attacks that installed sniffer programs to capture unencrypted card data traveling over the network on its way to the payment switch.[1]


    [1] End-to-End Encryption, Tokenization, and EMV in the US, Javelin Strategy & Research, 2010.


    Merchants of all sizes, but most notably large merchants, have been forced to adopt new technologies designed to secure these vulnerable points. These investments, while successful, have cost billions of dollars to deploy. The National Retail Federation estimates that merchants spent more than $1 billion on PCI compliance in 2009[2] to protect cardholder data.

    As large merchants have successfully deterred attacks, cybercriminals have turned their attention to small to mid-size retailers. A 2010 report by Verizon shows that the number of breach incidents is increasing and that more than 63% of reported data breaches occurred with businesses that have 100 or fewer employees.[3] That study cites, "Criminals may be making a classic risk vs. reward decision and opting to play it safe in light of recent arrests and prosecutions following large-scale intrusions into financial services firms. Numerous smaller strikes on hotels, restaurants and retailers represent a lower-risk alternative, and cybercriminals may be taking greater advantage of that option."

    Take Action to Evaluate Your PCI Compliance Status

    Small to mid-size merchants typically spend less time and money on PCI compliance or other ways to secure cardholder data. The guidelines are extensive and can be difficult to understand and apply. While turning to an expert is an option, it can be expensive and time-consuming. The result is that security falls by the wayside and sets the merchant up as a prime target for cybercriminals. If breached, the financial and reputational impacts to the merchant can be extensive, compromising revenues and business continuity.

    Merchants need a partner that can help answer the questions, "What does it mean to be PCI compliant? How can I tell if I am?" The good news is that easy-to-use, online tools are available to help you evaluate your current compliance status and offer guidance about how you can improve your network security. The tools typically:

    - Evaluate your current PCI environment by asking you a series of questions
    - Make security recommendations
    - Help you identify where and how to deploy technology solutions

    They also help you stay compliant by offering an annual evaluation that keeps you up to date as PCI guidelines change. These updates can provide you with valuable insights about where to focus your investments.

    Investigate Emerging Technologies: They Could Make the Difference

    Spending time and money to ensure that your business is PCI compliant does not mean that you are completely protected. Cybercriminals are relentless, constantly figuring out different ways to breach networks and obtain card data. They focus on weaknesses in POS and online payment applications, networks that handle transaction processing, and database storage systems. New technologies, such as end-to-end encryption (E2EE) and tokenization, help protect these susceptible transaction points.

    [2] http://www.nrf.com/modules.php?name=Pages&sp_id=1052 Accessed Dec. 22, 2009.
    [3] 2011 Data Breach Investigations Report, Verizon, 2011.

    Table: Breach incidents by organization size (2011 Data Breach Investigations Report, Verizon, 2011)

    # Employees        Incidents   Percentage
    1-10                    46        6.10%
    11-100                 436       57.40%
    101-1,000               74        9.70%
    1,001-10,000            49        6.50%
    10,001-100,000          59        7.80%
    100,000+                55        7.20%
    Unknown                 40        5.30%
    Total                  759      100%


    End-to-End Encryption

    Typically, a customer's payment card information is collected when the card is swiped at the POS. After a card has been swiped, the card information is then transported through a series of networks in order to obtain an authorization. Without E2EE, the information is typically in the clear and vulnerable to hackers as it moves through the network. E2EE technology is designed to encrypt the card data at the point of entry and protect it as it travels through the network. Here's how E2EE works:

    - At the time the card is swiped, or entered into an online payment application, the data is encrypted using algorithms to encode the cardholder number into a non-readable form, called ciphertext.
    - The ciphertext, instead of the unencrypted card data, is then sent as part of the transaction to the processor, where it is decrypted and returned to its original form.

    If the transmission is breached, the cybercriminals will only have access to encrypted card data, which is unusable and worthless. The encryption process helps protect the merchant by encrypting the card data within the authorization and approval transactions from the point of swipe until it is decrypted at an endpoint outside the merchant's network.

    While encryption is not required for PCI DSS compliance, the technology does provide a level of protection that goes beyond PCI DSS. Encryption may also reduce the level of effort required to achieve PCI DSS compliance by eliminating clear card data from the merchant's network. As with most new technologies, E2EE has a tradeoff in that system components enabled to support encryption may be more expensive compared to equipment and applications that do not support encryption. The payback for these increased costs is the higher level of protection and reduced risk to both revenue and reputation if breached. When investigating E2EE technologies, merchants should work with a trusted payment provider that has performed the necessary due diligence required to successfully select and integrate encryption as a core service.

    Tokenization

    Encrypting card data as it travels through the network provides a foundation for more secure transactions, but it's not the only point of data vulnerability for a transaction. Cybercriminals also focus on breaching transaction databases and analytical systems where card number data may be stored post-authorization. For example, POS systems may store the card number for use during post-authorization transactions like return processing, business analytics or marketing efforts (such as loyalty programs). Tokenization technology provides a level of protection similar to encryption but without having to manage the keys necessary to encrypt and decrypt the ciphertext.

    Tokenization is designed to replace the real card number with a substitute reference value, or token, and reduce the merchant's risk by keeping the actual card number out of the retailer's data systems. Tokens, instead of ciphertext, better support post-authorization requirements like reporting without exposing sensitive card data. For small to mid-sized merchants, a tokenization solution is a secure and cost-effective means to support store operations while still removing card data from the network.


    [Figure: E2EE transaction flow. 1. Card Data is Entered into Terminal and Encrypted. 2. Encrypted Data is Securely Sent to Processor. 3. Card Data is Decrypted and Sent to the Card Networks.]


    Here's how a processor-based tokenization solution works:

    - The card number (preferably encrypted) is used in the transaction.
    - Once the transaction is authorized, the card data is sent to a secure system that generates the token and stores both the token and card number.
    - To facilitate operations, the token typically maintains the last four digits of the card number.
    - The token is returned to the merchant in the authorization response. Once returned, the token can be stored in the merchant's business-management system.
    - If breached, the token, like the encrypted ciphertext, is unusable by cybercriminals.
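To make the processor-side steps above concrete, here is an added Python sketch (not Vantiv's code or any real processor's) of a tokenization vault that keeps the last four digits, guarantees the token fails the Luhn check so it cannot be used as a card number, and hands the token back for the merchant to store. The class and function names and the sample card number are constructed for this example.

```python
import secrets

# Constructed sample PAN (a standard test number, not a real cardholder's card).
SAMPLE_PAN = "4111111111111111"


def luhn_valid(number: str) -> bool:
    """True when a digit string passes the Luhn check, i.e. has valid card-number form."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        digit = int(ch)
        if i % 2 == 1:                # double every second digit from the right
            digit = digit * 2 - 9 if digit > 4 else digit * 2
        total += digit
    return total % 10 == 0


class ProcessorTokenVault:
    """Hypothetical processor-side vault: the only system that holds real card numbers."""

    def __init__(self) -> None:
        self._pan_to_token: dict[str, str] = {}
        self._token_to_pan: dict[str, str] = {}

    def _new_token(self, pan: str) -> str:
        # Keep the last four digits so receipts, returns and reports still work;
        # randomize the rest, and reject any candidate that passes Luhn so the
        # token can never be mistaken for, or used as, a genuine card number.
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if not luhn_valid(token) and token not in self._token_to_pan:
                return token

    def tokenize(self, pan: str) -> str:
        """Called after authorization; returns the token sent back in the response."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed card number")
        if pan not in self._pan_to_token:     # same card, same token: reports still join
            token = self._new_token(pan)
            self._pan_to_token[pan] = token
            self._token_to_pan[token] = pan
        return self._pan_to_token[pan]

    def detokenize(self, token: str) -> str:
        """Processor-only operation, e.g. to run a refund against the real card."""
        return self._token_to_pan[token]


def merchant_authorize(vault: ProcessorTokenVault, pan: str, amount_cents: int) -> dict:
    """Simulated authorization: the record the merchant keeps holds only the token."""
    # In production the PAN reaches the processor as E2EE ciphertext and is
    # decrypted there before tokenization; this simulation skips the cipher.
    token = vault.tokenize(pan)
    return {"amount_cents": amount_cents, "token": token, "last4": token[-4:]}
```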

    Like encryption, tokenization adds another layer of data protection that goes beyond PCI DSS while possibly making PCI

    DSS compliance easier to obtain. As you evaluate tokenization, consider not only that tokenization removes card data, but

    that it also limits the impact to other post-authorization business processes. Again, be sure to work with a trusted payment

    provider that has done the necessary due diligence to evaluate solutions on your behalf, and adopt a tokenization solution

    that works with your card processor.

    Despite Your Best Efforts, Breaches Do Occur

    In spite of your best efforts, card data breaches do occur. When they do, you are required to report them to the networks and to the appropriate authorities. An often time-consuming and expensive forensics investigation will ensue to validate the breach and determine the extent of the compromise. If the investigation finds there was a breach, network fines, PCI compliance fines and card costs may be levied.

    The total financial impact on your business can be extreme, creating the risk of putting you out of business. Royal Group Services (RGS) reports that the cost of the forensics analysis can be anywhere from $8,000 to $20,000.[4] The network and card association fines can run from $3 to $10 per card for replacement costs and $5,000 to $50,000 or more in network compliance fines.[5] And, the remediation expenses can be three times the actual theft. LexisNexis released a study that measured the true cost of fraud, finding that for every $1 in fraud loss that a merchant incurs, their actual fraud loss is $3, as they bear the additional costs associated with chargeback fees, interest and replacement merchandise charges.[6]

    The reputational impact also contributes to the risk of losing your business. Any publicity about the breach could cost you customers and revenue. A survey by Javelin Strategy & Research showed that 43% of consumers avoided certain merchants after they became victims of fraud, and 31% of them admitted to spending less money at the same merchant if they continued their relationships.[7]

    You can protect yourself from some of these costs if your processor offers a program that mitigates the financial impact of a breach and helps you protect your business. A good program helps limit your financial obligation for forensic and investigative expenses as well as network fines and assessments.

    Conclusion

    Cybercriminals are continuously figuring out new ways to steal card data. All merchants need to follow PCI DSS compliance guidelines to secure cardholder data. Many small to mid-size businesses have not made the investments needed to be PCI DSS compliant because it is difficult for small retailers focused on their core business functions to understand. Even if a small business has worked hard to be PCI compliant, that doesn't guarantee that a breach won't occur, but there are still ways to further protect your company.

    So, don't stop at being PCI DSS compliant. New emerging technology options are available that address data while it is being processed in the network and while it is at rest in business systems. Start with encryption, which adds additional security to cardholder data within the transaction. Then add tokenization to further enhance the security of card data stored in databases. Finally, look into a breach-protection program that helps limit your financial obligation for forensic and investigative expenses and reduces your liability to your processor and/or acquirer in the event of a breach.

    Consider Vantiv Secure: a suite of security products designed for small to mid-size merchants that includes PCI Assist,

    Encryption, Tokenization and Breach Assist protection. Vantiv Secure addresses many of the fraud-mitigation challenges

    that you face and can help you:

    - Protect your business: PCI Assist gives you access to easily understandable PCI compliance information that can help you deploy solutions where you need them, and lead you down the path to PCI compliance validation
    - Protect your customers: E2EE and Tokenization technologies help secure your transaction data through the network
    - Protect your peace of mind: when breaches occur, turn to Breach Assist to help you reduce certain breach-related expenses

    It's our core business to be payment experts. Concentrate on your core business while we concentrate on supporting solutions that can help you protect your business.

    Learn more about how you can protect your customers and your business with Vantiv Secure. Visit us online at www.vantiv.com or contact your relationship manager or sales executive today.

    [4] The Real Cost of Data Breach, John Halsey, Royal Group Services. http://www.pcicomplianceguide.org/merchants-20090416-cost-data-breach.php
    [5] The Real Cost of Data Breach, John Halsey, Royal Group Services. http://www.pcicomplianceguide.org/merchants-20090416-cost-data-breach.php
    [6] 2010 LexisNexis True Cost of Fraud Study, Javelin Strategy & Research.
    [7] End-to-End Encryption, Tokenization, and EMV in the US, Javelin Strategy & Research, 2010.