Security A Payments Perspective Terry Dooley EVP & CIO SHAZAM Network

Post on 19-Jan-2016


Page 1: Security A Payments Perspective Terry Dooley EVP & CIO SHAZAM Network

Security: A Payments Perspective

Terry Dooley, EVP & CIO

SHAZAM Network

Page 2

Agenda

What’s Happening

What’s Changing

Payment Security Myths

Industry Protections

New Challenges

Emerging Risks

Page 3

What’s Happening

Page 4

What’s Happening

Phishing

Vishing

Smishing

Data Compromises

You don’t need to teach an old dog new tricks!

Page 5

What’s Happening

You get the phone call, text, or email

Yes, it still works!

New sunglasses

Insurance payment

Facebook virtual money

Transactions submitted in seconds

Page 6

What’s Happening

Data Theft: Phishing, Vishing, Smishing

Consumer provides card or account data

Data feed to counterfeiters in real time

Initial test transactions begin simultaneously in different countries

Based on data compromised, target is most likely card-not-present

Page 7

Source: Verizon 2014 Data Breach Investigations Report

What’s Happening

Most skimming occurred on ATMs and gas pumps due to how relatively easy they can be approached and tampered with. Nearly all victims are U.S. organizations.

Industries most commonly affected by POS intrusions are restaurants, hotels, grocery stores, and other brick-and-mortar retailers.

While phishing numbers are slightly lower in 2013, 8 percent of users will click an attachment and fill out a web form.

Most are skeptical of clicking an attachment, but 18 percent will visit a link within a phishing email.

Page 8

What’s Changing

Page 9

What’s Changing

Payment credentials compromised

Small dollar test transactions: slow flowing, wanting the 3 digit code on the back of the card

More significant purchases, transactions escalate

Fraud Goals: High value merchandise

Approach: Low velocity validation

Compromise: Phishing, Smishing

Page 10

Payment Security Myths

Page 11

Payment Security Myths

Technology Investment: If I invest in the latest security technology, can I get rid of other security technologies?

Technology Integration: I have a firewall, IDS, IPS, logging servers, and a SIEM; do I just plug them in and they work?

Human Resources: How many technologies can a security department manage, train, and become experts on? If I invest in this technology, can I reduce the need to add more positions?

The Ripple Effect

Page 12

Industry Protections

Page 13

Industry Protections

Consumer Account: Bank/Debit/Credit

Perimeter Defenses: WAPS, Malware Detection, Document Inspection, SIEMs

Neural Engines: Velocity, Geographic, Device, Usability

Data Protection: Encryption, Tokenization, Dual Control

Page 14

New Challenges

Page 15

New Challenges

Mobile devices

Cloud computing

and personal usage

exploding

Alternative payment apps

Intelligence vs. stupidity

Page 16

Emerging Risks

Page 17

Emerging Risks

Compromises are no longer about the immediate theft and use of the data

Thieves are installing key loggers, malware, and RATs, among other items, and letting them simmer for months before using them

There’s not a single security approach or technology that’ll prevent or mitigate the value of stealing account and card data as long as transactions can occur without authentication

Page 18

Emerging Risks

Silver Bullet?

EMV: No

Tokenization: No

Layered Defenses: No

Fraudulent Transactions: EMV prevented? Yes – counterfeit; No – Internet

Target Breach: EMV prevented? No

Page 19

Thank you!

QUESTIONS?