Opting Out. Avoid Becoming the Next Breach Statistic. Copyright 2014 MAC. All Rights Reserved.

Transcription

1 Opting Out Avoid Becoming the Next Breach Statistic

2 Panelists and Agenda Cliff Gray, Principal, Gray Consulting Panel Moderator Ruston Miles, Chief of Innovation, Bluefin P2PE and Tokenization Troy Leach, CTO, PCI Council PCI Rick Slater, Senior Systems Architect, Intuit Merchant Implementation

3 The Threat to Merchants and ISOs A network breach could shutter a merchant overnight - and end up becoming a marquee line item in your loss report. Losses could include: Issuer fees Chargebacks Given the losses incurred by a breach, only the largest of breached merchants would be able to continue acceptance (read stay in business ). In addition to the fees noted above, other costs could be incurred due to: QSA Audits IT Response and Reinvestment These threats and liabilities all apply to an ISO, no differently than to a merchant

4 Potential Costs of a Breach Larger merchant breaches dominate the media, yet smaller merchants no less vulnerable to financial devastation Regardless of merchant size, threat remains significant

5 The Cost of Securing Data Protecting PAN and other sensitive data takes real money and time. Annual SAQ and/or QSA audits IT smarts - admins and engineers with a history of fraud protection, network security Network infrastructure impact Network hardware - firewalls, encryption/decryption machines, etc. Network software - anti-virus, anti-intrusion, file monitors, etc.

6 An Alternate Proposal Enable the merchant to Opt Out of handling PAN data Purging any PAN data from merchant s PoS infrastructure Ensure PoS hardware/software prevents PAN from entering network Enacting policies to ensure the merchant environment continues PAN free Merchant and ISO Benefits Merchants at any level validate as PCI compliant using the simplest SAQ available Saves time and money by minimizing effort needed to validate Impact of a merchant breach is minimized Sponsoring ISO avoids liability of a failed merchant ISOs can avoid requirement to qualify as Service Provider

7 The Premise of Opting Out Merchants don t need the card number Only the consumer and the card issuer care about the actual PAN. Commercial technology can effectively hide the PAN, typically with no impact to merchant implementations The brands have long endorsed this strategy This method of risk mitigation is highly compelling Simplified SAQs = higher compliance ratios

8 A Compelling ROI.

9 P2PE and Tokenization Ruston Miles, Chief of Innovation, Bluefin

10 The Problem: POS Malware Over the past year, the Secret Service has responded to network intrusions at numerous businesses throughout the United States that have been impacted by the Backoff malware. Seven PoS system providers/vendors have confirmed that they have had multiple clients affected. Reporting continues on additional compromised locations, involving private sector entities of all sizes, and the Secret Service currently estimates that over 1,000 U.S. businesses are affected. July 31, 2014 Backoff Malware FrameworkPOS Malware Black POS Malware

11 Defending Data is Not Enough Most of the major retailer card data breaches in the past 15 months have been a direct result of clear-text card data exposed to Malware in the POS.

12 A Holistic Approach to Security P2PE Encrypts card data at point of entry Point of Sale Tokenization Replaces card data at rest EMV Fraud Prevention for Physical Counterfeit, Lost or Stolen Cards

13 PCI Malware Infographic The PCI Security Standards Council released a Malware infographic in November 2014 addressing POS Malware. To protect against malware, the infographic recommends: Consider implementing a: PCI-approved point-of-interaction (POI) device with SRED functionality PCI-approved point-to-point encryption (P2PE) solution Download the PCI Malware Infographic and PCI Bulletin

14 Devalue the Card Data with P2PE P2PE is a set of requirements defined by the PCI Security Standards Council (SSC) P2PE ensures credit card information is encrypted at the Point of Interaction (POI) so that it cannot be read / decrypted at any point within the merchant s network P2PE includes tamper, theft and chain of custody protection of all secure card readers and devices Cardholder data is devalued before it reaches the POS System rendering the data useless to hackers if it exposed.

15 Why a PCI-Validated Solution? FAQ 1162

16 P2PE ROI and Scope Reduction Merchants can qualify for the SAQ P2PE-HW 35 security requirements vs 329 under standard SAQ D Cardholder Data Environment (CDE) scope can be reduced Decrease total cost and level of effort for compliance program Reduce risk of breach by encrypting card data and point of entry Protect the brand Assurance of a PCI Council-listed P2PE Solution versus un-validated vendor claims

17 PCI Troy Leach, CTO, PCI Council

18 About the PCI Council Founded in Guiding open standards for payment card security Development Management Education Awareness

19 Our World is More Connected Your fridge just carried out a DNS attack against my organization Hack My Ride: Cyber Attack Risk on Car Computers Man 'fixes' women's computers, watches them through their webcams Millions Of Android Users Vulnerable To Security Breaches 2 U.S. power plants victim of cyber attack

20 Three Things that Really Matter Understand your risk People, Process & Technology Be prepared to be breached

21 Four Phases to a Breach 1. Break in 2. Insert malware 3. Move data PCI is so much more than just preventing the first phase 4. Steal the data

22 Cost/Risk of a Data Breach The average cost of a data breach is up worldwide in 2014 Data breach costs on average $5.85 million up from $5.4 million in Globally, the cost of a breach is up 15% Cost per record stolen now at $201 U.S. companies averaged 29,087 records compromised in 2014 Source: Ponemon Institute 2014 Cost of Data Breach Study: United States

23 New Threats POODLE Memory-Scraping Malware Heartbleed APT

24 New Opportunities Dynamic Data P2PE Tokenization

25 Don t Need It? Don t Store It.

26 ROI of PCI CE = COST new strategy COST current practice BENEFIT new strategy BENEFIT current practice CE < 1.0 favorable

27 How PCI Can Help Guidance for Merchants Infographics Training Please visit our website at

28 Tales from the Front Rick Slater, Senior Systems Architect, Intuit

29 How Does Intuit Use P2PE? Use Tokenization? Reduce Blast Area?

30 Blast Area How many card numbers was THAT!?

31 GoPayments Merchant Swipe KSN DEK https PAN PAN P2PE(Swipe) gopayment.intuit.com gopayment service merchantaccount service Intuit P2PE BDK Mobile Device (ios, Android) IDTech Reader P2PE Reader Key Entry Injection/Fulfillment IDTech + IKSN + IDEK derived from BDK https PAN Swipe Chase PaymenTech PAN Swipe Card Associations

32 QuickBooks POS Merchant Intuit KSN DEK Ingenico IPP350 PIN Pad Reader PAN https PAN Swipe TDES(PIN) merchantaccount.quickbooks.com Workstation (PC) Key Entry https PAN Swipe TDES(PIN) Chase PaymenTech + IKSN + IDEK derived from PIN BDK Swipe TDES'(PIN) PAN Swipe PIN BDK Intuit Injection/Fulfillment TASQ merchantaccount service PIN Swipe Debit Network Debit Networks Card Associations

33 QuickBooks Online (Payments) Merchant Intuit Swipe https Token QBO service merchantaccount service https PAN Swipe Chase PaymenTech PAN Swipe Card Associations USB Reader QBO Payments Workstation (PC) Key Entry PAN qbo.intuit.com Swipe PAN Token Tokenize only sensitive data tokenization service Token Swipe PAN

34 QuickBooks Payments using Revel Merchant Intuit KSN DEK https P2PE(PAN) P2PE(Swipe) TDES(PIN) Ingenico IPP350 PIN Pad P2PE Reader P2PE Key Entry Apple ipad Revel POS api.intuit.com transaction service PIN Swipe PAN P2PE BDK Injection/Fulfillment TASQ + IKSN + IDEK derived from P2PE BDK, PIN BDK https PAN Swipe TDES(PIN) Chase PaymenTech Swipe TDES'(PIN) PAN Swipe PIN BDK Intuit Debit Network Debit Networks Card Associations

35 Surface Area: Blast Radius Potential Where could card number possibly be accessed? Location GoPayment QBPOS QBO Payments QBO Payments Revel POS Device Merchant Network TDES(Track) PAN https(tdes(swipe)) https(pan) TDES(PIN) Track PAN https(tdes(pin)) https(track) https(pan) Track PAN https(track) https(pan) https(token) TDES(PIN) TDES(Track) TDES(PAN) https(tdes(pin)) https(tdes(track)) https(tdes(pan)) Comments PA-DSS In all cases the acquirer, acquirer processor and injection/fulfillment partners must follow proper key management processes and procedures to protect the BDK Remember that people are often the weakest link. P2PE and Tokenization can reduce surface area to the point where a good hard look at that is warranted.

36 Audience Q & A And Wrap Up

37 Frame Your Own Discussion Conventional wisdom frames the discussion around protecting the PAN Let your merchants Opt Out of handling PAN data, and change the discussion entirely Opting Out with P2PE compliance may also mesh nicely with your EMV investment strategies