
Page 1

global payment acceptance Hotel webinar - 25th July 2011

PCI DSS – Investing wisely...

Hotel webinar

Leading the way in secure payments

Neira Jones
Head of Payment Security
Barclaycard Global Payment Acceptance
25th July 2011

Page 2

News round up…

• Sony
• Lulzsec
• Citigroup
• Lush
• Epsilon
• RSA
• Lockheed Martin
• Dropbox
• Travelodge
• ESSEX
• Wordpress

Data breaches have almost become a statistical certainty.

Page 3

Panic!

Companies feel under pressure to meet compliance deadlines of one type or another.

They rush to implement solutions they believe will address whichever regulation looming on the horizon is the most visible, urgent or costly to ignore.

With requirements evolving, companies find themselves with discrete solutions for PCI DSS, Data Protection, FSA, SOX and others.

Many businesses are now on their 2nd or 3rd cycle of trying to automate processes related to compliance with specific policies, industry standards, and government regulations.

RESULT:

– Some successes with initial projects, but short-lived and costly.

– Suppliers often guilty of perpetrating a vicious circle by describing their offering as the next “silver bullet” (expensive to maintain and impossible to integrate or scale)

– Investments in infosec more difficult to secure as sustainability can’t be demonstrated to the Board.

– COMPLIANCE IN SILOS

Page 5

The cost depends on a number of factors…

TECHNICAL

• How are payments processed (face-to-face, mail order/telephone order (MOTO), e-commerce, etc.)?

• In each channel, how compliant are your third parties and applications in the payment value chain?

• How mature the organisation is in terms of IT / IS security, policies and procedures, staff training and awareness etc.

• Centralised or distributed (multiple sites)

ORGANISATIONAL / CULTURAL COSTS

• Size of organisation

• Staff training

Page 6

PCI DSS merchant levels

Merchants are classified according to the volume of card payments they process and the nature of their business

LEVEL: HOW TO DETERMINE MERCHANT LEVEL

1 • Any merchant processing over 6,000,000 Visa or MasterCard transactions per year, OR any compromised merchant.

2 • Any merchant processing one to six million Visa or MasterCard transactions per year.

3 • Any merchant processing 20,000 to one million Visa or MasterCard e-commerce transactions per year.

4 • Any merchant processing less than 20,000 Visa or MasterCard e-commerce transactions per year, and all other merchants processing up to one million Visa or MasterCard transactions per year.

Page 7

It’s war Jim, but not as we know it...

Today’s cybercrime industry has evolved and automated itself to improve efficiency, scalability, and profitability with a clear intent on obtaining information that can be monetised.

The hackers’ best friends are businesses with inadequate and often outdated information security practices.

Cybercrime and data protection are not high on the Board’s agenda.

But... Governance & Risk Management are familiar to the Board.

Page 8

Monetising card data

Online ordering systems for stolen credit card data available 24/7

– Inventories of as many as 800,000 stolen credit cards per site

– Tiered pricing available

– Pre-purchase testing validation available

– Can sell same data on many times

Current market value:

Page 9

We’re all in it together…

When personal information is stolen, it goes viral...

Page 10

Public social concerns...

Preventing crime 94%

Protecting personal information 94%

NHS 88%

Equal rights 88%

Improving education 87%

National security 87%

Environmental issues 87%

Protecting freedom of speech 85%

Source: ICO Annual Track 2008

Page 11

Cause of data breaches in the hotel sector

Default passwords

SQL injection

Malware on payment server

Some hotels take a swipe of the magnetic stripe on the back of the card at check-in; this data is stored (probably in the hotel Property Management System). A pre-auth is done and the cardholder is charged when they leave, perhaps via Express Check-out.

This data is extremely valuable and is one of the reasons criminals are targeting the hotel industry.

Page 12

Happy 10th Birthday SQL Injection!!!

Page 13

And now for the science...

Malware represented 80% of all data lost in 2010 and, within that caseload, 81% was carried out via SQL injection.

Hacking represented 89% of records stolen and 76% of these were due to lax password management and authentication procedures.

Most data breaches are not discovered by the organisation suffering the attack.

The Verizon DBIR 2011 further claimed that 87% of attacks could be prevented using simple, proactive measures.

Page 14

Seeing the wood from the trees...

The 2011 Verizon DBIR concluded that being prepared remains the best defence against security breaches.

Organisations still remain slow in detecting and responding to incidents.

Most organisations that have suffered a breach will have evidence of it in their logs, but these often get overlooked due to a lack of staff, tools or processes.

Page 15

One step at a time...

Are my employees taking information outside of the organisation? How can they do this?

Can I limit access to this information to only those who need it?

What types of attackers would be interested in infiltrating my systems? What would they seek? Why?

If any web server was compromised, how difficult would it be for an attacker to work their way to the systems containing that information? How easy would it be to take this information out?

How quickly would I know this has happened? How quickly can I stop it?

How quickly do I need to respond to the market?

Page 16

Threat/ scenario modelling is only practiced by a few organisations

Page 17

The reality

Protect brand and reputation – If card data is lost it is highly likely that other data has also been lost e.g. name and address etc. This could lead to identity theft as well as card fraud.

If customers lose trust, they often take their business elsewhere.

It is a Card Scheme requirement that merchants comply with PCI DSS, and this is incorporated into the T&Cs.

Cost and business impact of a data breach.

PCI DSS non-compliance fees.

Page 18

Data breaches and fines…

Page 19

Cost of a small data breach… Small data loss

Item, Conservative (L4 Merchant): Cost (GBP)

• Forensic Investigation: 10,000

• Card Scheme penalties: 8,000

• QSA On-Site Audit: 12,000

• Total: 30,000

Item, Conservative (L4 Merchant): Cost (GBP)

• Remediation: ?

• Brand & Reputation: ?

• Opportunity Cost: ?

• Total: ?

Page 20

To gain understanding and trust, businesses will promote how they safeguard their customers’ personal information. Investment in information security will be driven by business reality.

Page 21

Only 4% of breaches assessed in the Verizon Business Data Breach Investigation Report 2011(DBIR 2011) required difficult and expensive protective measures.

Page 22

It’s all about risk...

...the identification, assessment and prioritisation of risks, followed by coordinated and economical application of resources to minimise, monitor, and control the probability and/or impact of unfortunate events.

Page 23

PCI DSS – What is it all about? 6 goals, 12 requirements

Page 24

Key messages

1. Data compromises do happen!

2. The criminals are 5 years ahead of us. It is now organised crime, not geeky teenagers like in the film “War Games”

3. PCI DSS is a business / cultural change and will require a multi-disciplinary team to implement

4. Ensure that Third Parties are contractually liable to you

5. Try not to store card data: what you don’t have you can’t lose (part of scope reduction)

6. Never ever store card sensitive authentication data post authorisation

7. Identify the parts of your business with the greatest risk of being compromised and secure them first e.g. e-commerce sites

8. Use the PCI SSC Risk Prioritised Approach

9. PCI DSS is a continuous process, a bit like an MOT check, but you still need to ensure that your car is roadworthy in between MOTs
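As an added illustration of key messages 5 and 6 above and of the check-in flow described on page 11 (example code written for this transcript, not Barclaycard's or the webinar's): a minimal Property Management System check-in that uses the swiped Track 2 data only for the pre-authorisation, persists just a masked PAN and the authorisation reference, writes to the database with parameterised statements, and includes an audit scan that flags any row still holding track data or a full PAN. The Track 2 sample, the stays table and the acquirer stand-in are all constructed assumptions.

```python
import re
import sqlite3

# Constructed sample Track 2 data, as read from a magnetic-stripe swipe at check-in.
# The PAN is a well-known test number, not a real card.
SAMPLE_TRACK2 = ";4111111111111111=2512101123456789?"
TRACK2_RE = re.compile(r";(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?")
PAN_RE = re.compile(r"\b\d{13,19}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn check, used to tell a card number apart from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def pre_authorise(track2: str, hold_pence: int) -> str:
    """Hypothetical stand-in for the acquirer call; full track data is used here and nowhere else."""
    card = TRACK2_RE.fullmatch(track2)
    if card is None or not luhn_ok(card["pan"]):
        raise ValueError("unreadable or invalid card")
    return "AUTH-" + card["pan"][-4:] + "-" + str(hold_pence)  # constructed auth reference format

def open_pms() -> sqlite3.Connection:
    """In-memory stand-in for the Property Management System's stay table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE stays (guest TEXT, masked_pan TEXT, auth_ref TEXT, hold_pence INTEGER)")
    return conn

def check_in(conn, guest: str, track2: str, hold_pence: int) -> str:
    """Pre-authorise the hold, then persist only a masked PAN and the auth reference."""
    auth_ref = pre_authorise(track2, hold_pence)
    pan = TRACK2_RE.fullmatch(track2)["pan"]
    masked = pan[:6] + "*" * (len(pan) - 10) + pan[-4:]  # first six / last four at most
    # Parameterised statement: front-desk input never becomes part of the SQL text.
    conn.execute("INSERT INTO stays VALUES (?, ?, ?, ?)", (guest, masked, auth_ref, hold_pence))
    return auth_ref

def stored_card_data(conn) -> list:
    """Audit check: any row holding track data or a Luhn-valid full PAN is a finding."""
    findings = []
    for row in conn.execute("SELECT * FROM stays"):
        text = " ".join(str(v) for v in row)
        if TRACK2_RE.search(text) or any(luhn_ok(p) for p in PAN_RE.findall(text)):
            findings.append(row)
    return findings
```

Running stored_card_data against a legacy table that still holds swipe data is the kind of quick check that shows whether "what you don't have you can't lose" actually holds in the PMS.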

Page 25

What can we learn?...

Lesson 1. Understand your risk profile

Lesson 2. Make risk management your objective, compliance will come naturally

Lesson 3. Avoid quick fixes and silos (i.e. don’t panic!)

Lesson 4. Automate

Lesson 5. Educate

Page 26

In the months and years to come, we can expect increased scrutiny of corporate risk management practices. In response to this, businesses will strive to understand their risk profiles and whether the risks taken are within the enterprise’s risk appetite and tolerance thresholds.

Page 27

How Barclaycard can help…

Page 28

Barclaycard and the PCI SSC

The PCI SSC is a global organisation formed by the Card Schemes to develop global security standards for the protection of card data.

Barclaycard sits on the PCI SSC Board of Advisors, is a Participating Organisation and is involved in SIGs.

Barclaycard welcomes feedback from the merchant community and is actively working with the PCI SSC to raise issues concerning European merchants.

Page 29

Barclaycard Risk Reduction Programme

Over the past 8 months, Barclaycard and IRM plc have researched and developed a risk reduction programme for Level 1 and Level 2 merchants.

PCI DSS is a good information security framework.

Use PCI DSS controls in the context of a recognised risk management framework (e.g. ISO 27001, Cobit, ITIL, CLAS, etc.)

The first step is a risk assessment.

Page 30

Leaflets, white papers, tools, etc…

Our website: www.barclaycard.co.uk/pcidss

Page 31

Don’t spend £100 protecting a £1 asset, know your risk, fix the basics first, and be prepared…

Neira Jones
Head of Payment Security
Barclaycard, Global Payment Acceptance
[email protected]

http://uk.linkedin.com/pub/neira-jones/0/7a5/140

neirajones