Retail Roundtable: Payment System Cyber Attacks – Preparing, Protecting, and Responding June 11, 2014
Panel Members
Craig Hoffman Partner T: 513.929.3491 C: 513.227.3286 [email protected] www.dataprivacymonitor.com @BakerPrivacy @Craig_Hoffman
James Zerfas Chief of Security Technology [email protected]
David Damato Director [email protected]
Jason Maloni SVP & Chair of the Litigation Practice T: 202.973.1335 C: 202.834.9677 [email protected] @levick daily.levick.com
Spencer Timmel Privacy Liability and Network Security T: 513-354-1656 C: 513-518-1535 [email protected]
GLOSSARY
• PCI DSS = Payment Card Industry Data Security Standard
• PFI = PCI Forensic Investigator
• QSA = Qualified Security Assessor
• ROC = Report on Compliance
• ADCR = Account Data Compromise Recovery
• GCAR = Global Compromised Account Recovery
• CPP = Common Point of Purchase
• PAN = primary account number
• CVV = card verification value
• Track data = data in the magnetic stripe
PCI Stakeholders
• Credit Card Brands (e.g. Visa, MasterCard)
• Issuing Banks
• Acquiring Banks/Credit Card Processors
• Merchants
• PCI Security Standards Council (SSC)
• Assessors
• Service Providers
Stages of a PCI Breach
• Discovery of incident (e.g. a CPP report)
• Engagement of PFI
• Calls with the acquirer/processor & card brands
• Preliminary PFI report
• Issuance of proactive alerts for at-risk accounts
• Final PFI report
• Issuance of final alerts for at-risk accounts
• Remediation & revalidation of PCI DSS
• GCAR, ADCR, DSOP process (fraud & reissuance costs)
• Fines and fees
• Appeal
Credit Card Skimming Devices
Card Brand Assessment Programs
• Fines for non-compliance with PCI DSS
• Case management fee
• Fines for non-cooperation
• Assessments to recover from the acquirer and reimburse issuers:
– Operating expenses (heightened monitoring and card reissuance)
– Incremental counterfeit fraud losses
Visa’s Program is GCAR
GCAR Qualification (Updated)
Effective for Qualifying CAMS Events or VAB Events in which the first or only alert is sent on or after 15 May 2012, Visa will determine Account Data Compromise Event qualification, Counterfeit Fraud Recovery and Operating Expense Recovery amounts, Issuer eligibility, and Acquirer liability under the Global Compromised Account Recovery (GCAR) program, in accordance with the Visa Global Compromised Account Recovery (GCAR) Guide.
To qualify an Account Data Compromise Event under GCAR, Visa must determine that all of the following criteria have been met:
• A Payment Card Industry Data Security Standard (PCI DSS), PIN Management Requirements Documents, or Visa PIN Security Program Guide violation has occurred that could have allowed a compromise of Account Number and Card Verification Value (CVV) Magnetic-Stripe Data, and PIN data for events also involving PIN compromise
• Account Number and CVV Magnetic-Stripe Data has been exposed to a compromise
• 15,000 or more eligible accounts were sent in CAMS Internet Compromise (IC) and/or Research and Analysis (RA) alerts indicating Account Number and CVV Magnetic-Stripe Data is potentially at risk
• A combined total of US $150,000 or more Counterfeit Fraud Recovery and Operating Expense Recovery for all Issuers involved in the event
• Elevated Magnetic-Stripe counterfeit fraud was observed in the population of eligible accounts sent in the CAMS Alert(s) associated with the Account Data Compromise Event
ID#: 150413-150512-0026565
PCI DSS 3.0 & Third Parties
What Causes a Breach to Go Viral
• Record Setting Loss
• Sensitive Community Affected
• Competitive Media Markets
• Concentration of Affected Parties in One Area
• Delay in Notification
• Customer Complaints Unanswered
• Failure to Respond to Social Media
Caution is Killing Response
Effective Response
• Clear and Thorough
• Compassionate
• Responsive to Audience (employees, customers, data holders)
• Aggressive
• Transparency, but not a foolish Transparency
Great Customer Service
PCI Forensic Investigations
• Supported by PFI
• Requires reporting to card brands
– Both a preliminary report within 5 days
– Final report detailing the incident
• Can be expensive and resource intensive
Investigate Like a Pro
• Limit the cost / pain of the investigation
– Select the right PFI
• Mitigate risk / reduce a breach’s scope
– Implement a secure network architecture
– Maintain proper logs and documentation
• Don’t make assumptions
– Verify third party claims
– Verify internal actions
Retail Cyber Exposures & Insurability
Credit Card Data: • Forensics • Public Relations • Customer Notification • Credit Monitoring
Advertising & Social Media: • Defamation, Libel, Slander • Product Disparagement • Intellectual Property Infringement • Misleading Advertising
Other: • Employee Data • Loss of other Sensitive Info • Virus Transmission • Denial of Service
Additional exposures:
• Reg. Defence, Fines & Penalties
• PCI Fines & Penalties
• Business Interruption & EE
• Loss of Customers: Rep Injury
• Privacy Liability Class Actions
• Bank Card Reissuance Liability
• Data Restoration
• Extortion Demands
Card Data Breach Costs - What’s the Right Number?
Ponemon Institute Cost of a Data Breach, 2014
• $201/record: US
• $105/record: Retail
NetDiligence 2013 Cyber Paid Claims Study
• $97/record: median?
• $307/record: average?
Public Information on Past Card Data Breaches
• 130 Million Cards: $150mm: $1.15 per card?
• 46 Million Cards: $250mm: $5.44 per card?
• 40 Million Cards: $61 million in first 3 months: Total Cost: t.b.d.?
• Somewhere in between? Hylant/NetDiligence Data Breach Cost Calculator
Increasing Exposure
• 75% of automated opportunistic attacks hit the Retail/Trade or Accommodation/Food Service industries
Verizon Data Breach Investigations Report
• Increased Regulatory Scrutiny: FTC, SEC, State AG
• Plaintiffs’ bar continues to show its creativity
• Continued Legislation: State, Federal & International
Gap Analysis: Traditional Coverages Are Not Adequate
General Liability Insurance – Coverage for bodily injury or property damage
- Intentional acts are excluded
- Intangible property is excluded
Property Insurance – Coverage for loss of tangible property caused by a covered peril
- Computer viruses are excluded
- Intangible property is excluded
- Business interruption coverage only applies if there is direct physical loss of or damage to covered property
Crime Insurance – Coverage for theft of money, securities or other property
- No coverage for theft of information, trade secrets and other confidential information
Directors & Officers Liability Insurance – Coverage for claims alleging acts, errors and/or omissions committed by directors or officers of a company in their capacity:
Errors & Omissions Liability Policies – Coverage for claims resulting from an Insured’s rendering or failure to render professional services to others for a fee.
Global Cyber Coverage Marketplace
• Global Annual Cyber Premiums estimated $1.0 to $1.5 billion
• Global Capacity: approximately $300 million: All industries
• Card Data Capacity post 2013 breaches:
– Best In Class Insureds: $175-200mm
• 40+ Domestic Carriers, 20+ Lloyd’s Syndicates and elsewhere
• Domestic vs Lloyd’s Placements
• Developing Coverage
Loss Mitigation Tools
• Employee Training and Compliance
• Remote scanning of web-facing external infrastructure for vulnerabilities
• Plug-in technology that shuns bad IP addresses, preventing them from entering and exiting a company’s network
• Limited Free Consultation
• Data Security Assessments
Spencer Timmel, CIPP/US, CIPM, CITRMS
Spencer serves as the Network Security & Privacy Liability Product Leader. He provides risk management consultation and support to large-revenue companies and manages the placement of their cyber programs. Spencer has over 14 years of industry experience and holds several cyber industry designations: CIPP/US, CIPM, CITRMS.
Merchant Risk and Security
© Copyright 2013 Vantiv, LLC. All rights reserved. Vantiv, and the Vantiv logo, and all other Vantiv product or service names and logos are registered trademarks or trademarks of Vantiv, LLC in the USA and other countries. ® Indicates USA registration.
The Cost of Crime
[Diagram: Theft / Fraud; Carding; Merchant; Cardholder Data; Lost, Stolen, Counterfeit Cards; Fines, Remediation Costs, Reimbursements]
$10B Global Card Fraud Losses (2012). Source: The Nilson Report, August 2013
$3.4B Impact of Data Breaches (2012). Sources: Verizon 2012 Data Breach Investigations Report; The Ponemon Institute, 2013 Cost of Data Breach Study
Risks and Solutions
[Diagram] Risks (Fraud / Theft): Physical Attacks; System Breach; Account Data Compromise; Counterfeit Cards; Lost/Stolen Cards
Solutions: P2PE / Tokens; EMV Chip; EMV PIN; Policy & Inspection
Surrogate Values
[Diagram: ISV ↔ Vantiv; P2PE: Encrypt → Decrypt; Tokenize → DeTokenize]
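The tokenize/detokenize leg of this slide, as an added Python example that is not Vantiv's, the deck's, or any product's code: a hypothetical processor-side TokenVault hands the merchant a surrogate value that keeps the last four digits, deliberately fails the Luhn check so it can never be mistaken for a live PAN, and can only be detokenized inside the processor. The find_pan_leaks scanner connects this to the "maintain proper logs" and "reduce a breach's scope" points on the Investigate Like a Pro slide: a merchant log that carries only tokens yields no Luhn-valid digit runs. The PAN is a public Visa test number, the log lines are constructed, and the P2PE encrypt/decrypt leg is left out (the vault stands in for the processor after decryption).

```python
import re
import secrets


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test that every real PAN passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def is_pan(candidate: str) -> bool:
    """Well-formed PAN: 13 to 19 digits that pass Luhn."""
    return candidate.isdigit() and 13 <= len(candidate) <= 19 and luhn_valid(candidate)


class TokenVault:
    """Hypothetical processor-side vault: the only place a token maps back to a PAN."""

    def __init__(self) -> None:
        self._pan_to_token: dict[str, str] = {}
        self._token_to_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not is_pan(pan):
            raise ValueError("not a well-formed PAN")
        if pan in self._pan_to_token:
            # Same PAN -> same token, so the merchant can recognise repeat customers
            # without ever holding the PAN.
            return self._pan_to_token[pan]
        while True:
            middle = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = middle + pan[-4:]  # keep last four for receipts and customer service
            # Reject a candidate that passes Luhn (a token must never look like a live PAN)
            # or that has already been issued.
            if not luhn_valid(token) and token not in self._token_to_pan:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str, caller: str) -> str:
        """Only the processor itself may turn a surrogate back into a PAN."""
        if caller != "processor":
            raise PermissionError("detokenization only happens inside the processor")
        return self._token_to_pan[token]


def merchant_record_sale(vault: TokenVault, pan: str, amount: str) -> dict:
    """Merchant flow: hand the PAN to the processor once, store only the surrogate."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": token[-4:], "amount": amount}


# Whole digit runs of PAN length; lookarounds stop a 16-digit run matching as 13 + 3.
PAN_RUN = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def find_pan_leaks(log_text: str) -> list[str]:
    """Flag Luhn-valid digit runs in a log: live PANs in merchant logs expand PCI scope,
    while tokens from the vault above are never flagged because they fail Luhn by design."""
    return [m.group(1) for m in PAN_RUN.finditer(log_text) if luhn_valid(m.group(1))]


if __name__ == "__main__":
    vault = TokenVault()
    sale = merchant_record_sale(vault, "4111111111111111", "19.99")  # public Visa test PAN
    print("merchant stores:", sale)
    # Constructed sample log lines: a leaky POS log beside a descoped one.
    leaky = "2014-06-11 12:00:01 POS-07 auth ok pan=4111111111111111 amount=19.99"
    clean = f"2014-06-11 12:00:01 POS-07 auth ok token={sale['token']} amount=19.99"
    print("leaky log flags:", find_pan_leaks(leaky))
    print("descoped log flags:", find_pan_leaks(clean))
```

The design choice worth noting is the deliberate Luhn failure: it lets a simple log scanner distinguish a real PAN from a surrogate, which is exactly the kind of verification a PFI will perform when deciding how much of the merchant environment is in scope.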
Risk Spectrum
[Diagram: Merchant Goals: Non-Compliant → Compliant → Risk Reducing → Descoping → Active Risk Management; Address → Reduce → Manage]
Atlanta Chicago Cincinnati Cleveland Columbus Costa Mesa Denver Houston Los Angeles New York Orlando Philadelphia Seattle Washington, DC www.bakerlaw.com
These materials have been prepared by Baker & Hostetler LLP for informational purposes only and are not legal advice. The information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this information without seeking professional counsel. You should consult a lawyer for individual advice regarding your own situation. ©2014 Baker & Hostetler LLP. All Rights Reserved.