Processing Payments Securely in the Digital World

Transcription

1 Processing Payments Securely in the Digital World Frank J. Leone, SVP, CTP Treasury Management Capital One Bank Mark Kemen Senior Business Analyst & Project Manager Cincinnati Bell William Cohn Head of Product, ecomerce Vantiv Merchant Services

2 Today s Agenda Welcome Remarks and Introductions Challenges encountered by Corporates accepting ecommerce payments Solution/Opportunity: Tokenization Cincinnati Bell s Story Mark Kemen Key Take-Aways from today s session Questions and Answers

3 Capital One Commercial Banking Capital One Bank is among the top 10 financial services providers in the U.S. Capital One Bank offers a unique combination of financial strength, personal attention and flexible products. And since we know that every business has its own unique challenges and opportunities, our focus is on getting to know the way you operate and understanding where you want your business to go. Serves over 6,100 clients Employs over 2,700 associates Services a $67 billion loan portfolio Processes 550,000 monetary and non-monetary servicing transactions* Manages 750 million ACH and wire transactions valued at $2 trillion Handles $34 billion in currency orders and deposits through its vault services Processes 7 million payments valued at $10 billion through its lockbox services* Processes $1.5+ billion in commercial card payments*

4 Capital One Merchant Services powered by Vantiv 800+ T H O U S A N D # 1PIN Debit Acquirer* $826 # B I L L I O N 2Merchant Transaction Acquirer 23.0 B I L L I O N Merchant Locations Volume Processed Transactions Today, we re the nation s #1 PIN debit processor and the #2 processor overall. We ve been named one of Forbes fastest growing technology companies. *As ranked by Nilson for general purpose transaction Volume Vantiv, LLC. All rights reserved.

5 Cincinnati Bell Overview 143-year history of innovation, reinvention and transformational growth and execution 1873 Cincinnati Bell first independent telephone company 1992 First in the nation to deploy SONET Ring technology 1994 First in the nation to deploy Metro Ethernet services 1997 First ADSL installation in North America 2000 Early provider of UCaaS 2007 Early provider of IaaS 2013 Successful spinoff of Cyrus One data center business 2015 Successful spinoff of Morphick cyber security business Key Financial Stats ($ in millions) 2016 Revenue: $ 2016 EBITDA: 1,186 $ 305 NYSE: CBB CBB Employees: 3,000 CBTS Employees: 1,000

6 E-Commerce Trends

7 E-Commerce Trends

8 E-Commerce Trends

9 Challenges encountered by Corporates Protect customers data Mitigate risk of loss Minimize PCI compliance scope (and costs) Implementing in-house security program

10 Data Thieves are Adept at Finding Vulnerabilities A big oil company s network was breached via a malware-infected online menu from Chinese restaurant frequented by employees Technique known as a watering hole attack A major as breached via its heating and cooling systems, which monitor its office systems remotely Hackers Lurking in Vents and Soda Machines ; April 4, 2014.

11 Solution : Tokenization What is a token? A benign, untranslatable numerical reference sequence that is useless and worthless outside of the transaction between the merchant and their token service provider (e.g. Capital One Merchant Services powered by Vantiv) Used in place of card numbers (or echeck numbers) by all of a merchant s systems

12 Solution : Tokenization Tokenization provides security for data in-transit, at-rest and in-use VT / Call Center Order Entry Chargeback Processing DB Finance Accounting DB Gateway/Processor Marketing Analytics CRM Back Office Merchant Systems DB Tokenization Service Provider Online

13 Control Costs by Reducing PCI Scope Costs: Depends upon PCI Level Level 1 and 2: Initial compliance: $150K - $2.5M Annual compliance validation: $40K - $250K 1 In house labor cost constitutes 21% of PCI costs 1 Mitigation of identified vulnerabilities Also, opportunity cost By reducing the cardholder data environment (CDE) smaller merchants may be able to do a self-assessment (SAQ-A) Self-Assessment Questionnaire A and Attestation of Compliance [1] Gartner Research, PCI Compliance Remains Challenging and Expensive, May 2008, (Image credit:

14 Reduce Risk and PCI Scope Further By Tokenizing at Initial Capture The card number never enters your systems Reduced exposure limits your risk of breach and lowers annual PCI compliance costs Thieves can t steal what isn t there, and organizations don t need to protect what they no longer store 1 1. TOKENIZATION: WHAT S NEXT AFTER PCI?

15 Cincinnati Bell s Story Pre-Tokenization Challenges Maintaining PCI compliance each year. Protecting/Encrypting card holder data in all channels. Network Security and Monitoring Costs Hardware Software Internal Resources

16 Cincinnati Bell s Story - PCI Scope Prior to Tokenization

17 Cincinnati Bell s Story - Tokenization All cards stored in database converted to tokens Card numbers entered are tokenized and stored in database e-protect implemented for card entry

18 Cincinnati Bell s Story - TriPOS Retail P2P encrypted connection to cloud Card readers not connected to POS

19 Cincinnati Bell s Story PCI Scope After Tokenization

20 Cincinnati Bell s Story - IVR Limitations Currently no way to prevent card numbers from being entered directly into our IVR applications. Isolate the servers receiving this information into their own network, surrounded by their own firewall. All touch tone and voice recordings will be paused whenever payment area/vector are encountered and then restarted when leaving that area.

21 Questions and Answers Bill Cohn Senior Product Leader, ecommerce Vantiv Merchant Services o: m: Frank J. Leone, CTP, MBA Senior Vice President Treasury Management Capital One Bank o: m: Mark Kemen Senior Business Analyst & Project Manager Cincinnati Bell