We Got Hacked.. But We re Not Worried & Our Credit Cards & Personal Information Are Safe!!!

Transcription

1 We Got Hacked.. But We re Not Worried & Our Credit Cards & Personal Information Are Safe!!!

2

3 chance that your business will be 60% hacked in 2015 Source, Forrester Group

4 Traditional security mechanisms have been 96% breached Source, Tripwire

5

6 .had only been masking 25% of their sensitive data. Locations Expected vs Actual WHY DOES IT HAPPEN? Legacy code Users store data Undocumented Vendor Process Developer testing DBA Backups WHY DOES IT MATTER? Cost of Data Breach Application logic 67% University (Several) Healthcare (Homegrown) Manufacturing (EBS) Healthcare (PSFT) WHY IS DICTIONARY SEARCH NOT ENOUGH? Not all relationships defined in DB Backup tables More than one Application 0% 20% 40% 60% 80% 100% Undocumented Documented Expected Total

7 1 2 3 SENSITIVE DATA Data Classification Built-in Extendible DICTIONARY DATA CODE WAYS TO FIND Dictionary match Relationship match Pattern match Data match Code match DATA CODE USERS DRIVES Reporting Masking Method selection Template Creation ENTERPRISE SENSITIVE DATA INTELLIGENCE

8 Data useful for IT purposes, not for theft Sensitive Data Access is an Exception! No more Risk! Detect any unauthorized access STATIC DATA MASKING DYNAMIC DATA MASKING TOKENIZATION ACTIVITY MONITORING NON PRODUCTION PRODUCTION DATA CODE USERS ENTERPRISE SENSITIVE DATA INTELLIGENCE

9 .had only been masking 25% of their sensitive data. Locations Expected vs Actual 67% University (Several) Healthcare (Homegrown) Manufacturing (EBS) Healthcare (PSFT) 0% 20% 40% 60% 80% 100% If you do not know ALL the locations of sensitive data, you are not secure as you think Undocumented Documented Expected Total

10

11 TARGET LOCATIONS On-Premise Cloud DEV APPLICATION 1 APPLICATION 2 TEST DEV TEST UAT TYPICAL PROCESS 1. Instance is refreshed 2. MENTIS creates Agent, and moves code & template 3. Data is updated in place 4. All Logs are sent back to repository for reporting & audit/history 5. After client certifies, MENTIS Agent is dropped DEV TEST UAT TRAIN MASKING TEMPLATES DATA CODE USERS ENTERPRISE SENSITIVE DATA INTELLIGENCE BENEFITS Protections are embedded into the database Masking inside the instance Much better performance Higher Security Since the data is being scrambled where it is stored, no accidental data leakage possible Job Engines & Parallelism mechanisms provided by database are taken advantage of

12

13 Database Application Big Data Cloud Mainframe Four approaches Embedded in the Database Embedded in Application Architecture Web Proxy Mainframe Terminal Emulation Tightly integrated with Sensitive Data Discovery Code Discovery User Access Discovery WHO WHAT WHERE WHEN MASKING RULES Only Solution with: Location-aware masking - mask based on location of user Conditional masking - mask rows of data based on conditions being applied DATA CODE USERS ENTERPRISE SENSITIVE DATA INTELLIGENCE

14

15 World s first Enterprise Sensitive Data Intelligence Platform! Continuous Code Change Monitoring Sensitive Data Retirement Sensitive Data Discovery Sensitive Code Discovery PLATFORM Single, Enterprise-class platform Shared Intelligence Built-in Segregation-of-Duties Collaborative Single deployment architecture, or Multi-node deployment Database Subsetting User Access Discovery MODULAR Address today s issue, without compromise Visionary status User Access Discovery Intrusion Prevention Dynamic Data Masking Static Data Masking INTEGRATED Built from the ground-up as a Sensitive Data protection solution Only solution with coverage for all databases and data sources Database Activity Monitoring

16

17

18 COOL VENDOR in Risk & Compliance VISIONARY in Data Masking CHALLENGER in Data Masking CHALLENGER in Data Masking

19

20 We Got Hacked.. But We re Not Worried & Our Credit Cards & Personal Information Are Safe!!!

21 Security Breach Data State of Data Security Current State of Payment Data Security Breaches in the U.S. In 2015, data and payment security breaches continue to be a major ongoing threat to governments, industries and individuals The cost of a data breach is rising: from $159 per record in 2013, up to $170 per record in Recent News: Hackers compromised the U.S. government > Latest estimate: 4 million current and former workers As of June 2015, 329 data breaches YTD with 103 million records exposed 2 There are two types of companies in the marketplace today: 1. Those that have been hacked 2. Those that will be hacked 1 Ponemon Institute 2015 Cost of a Data Breach Study: Global Analysis 2 Lisa Monaco, U.S. Homeland Security Advisor to President

22 The Rise of RAM Scraper Malware

23 Target Breach Analysis

24 Ideal Solution: Encryption and Tokenization Ideal Solution: Encryption (P2PE) & Tokenization

25 Tokenization Protecting Your Sales Channels Image for tokenization (maybe slide 8 in CardConnect Capabilities presentation) Circle icons of 6 payment methods, from slide #13, that tokenization does/does not protect (orange for yes; gray for no): ALL 6 orange

26 How CardConnect s Tokens Stack Up

27 Card- Not-Present: AJAX Tokenizer & PANPad

28 Retail: PANPad POS

29 P2PE Certification PCI DSS Validated P2PE Solutions and Applications A point-to-point encryption solution includes validated software, hardware, and solution provider environment and processes. Validation is done by a PCI-qualified P2PE assessor Only Council-listed solutions are recognized as meeting the requirements necessary for merchants to reduce the scope of their cardholder data environment All PCI-approved solutions are listed on the Council s website; there are 13 Benefits of validated P2PE Simplifies compliance with PCI DSS The P2PE Self-Assessment Questionnaire includes only 26 PCI DSS requirements Makes account data unreadable by unauthorized parties

30 P2PE 2.0 Defining PCI DSS s P2PE 2.0 P2PE Solution Consists of P2PE encryption and decryption environments, their configuration and design, and any P2PE components used with these environments. P2PE Application Consists of software or other files with access to clear-text data, intended to be used with a POI device and used as part of a P2PE solution. P2PE Component P2PE services that could include encryption management, decryption management and key injection. P2PE Solution Provider A solution provider designs, implements, and manages the P2PE solution. The provider can outsource certain responsibilities. In 2.0, merchants may choose to act as their own solution provider: Merchant-Managed Solution (MMS).

31 Technology Innovation Program Technology Innovation Program Along with the reduced PCI questionnaire, Visa s Technology Innovation Program (TIP) gives merchants more incentive to use P2PE. If 75% of a merchant s transactions originate from a secure acceptance channel (either validated P2PE solution or EMV-enabled device) the merchant may be exempt from PCI DSS compliance

32 PCI Scope Reduction Cost Savings PCI 3.0 is 27% larger than its predecessor meaning businesses will be forced to implement more security controls, making PCI compliance more expensive 1 The Ponemon Institute s True Cost of Compliance found the cost of compliance was, on average, more than $3.5 million 2 Failing to comply with regulations could cost an estimated $9.4 million 2 Merchant Level Initial Scope Becoming Compliant Annual PCI Cost Level 1 Merchant Over 6 million Visa transactions per year Level 2 Merchant 1M to 6M Visa transactions per year Level 3 and 4 Merchants Up to 1M transactions per year $250,000 $550,000-$1,000,000 $250,000 $125,000 $260,000-$500,000 $100,000 $50,000 $75,000-$90,000 $35,000 1 TechTarget 13 Aug 2014: Gartner on PCI DSS 3.0 changes: Bigger, harder and more expensive 2 Ponemon Institute January 2011: The True Cost of Compliance

33 Interchange Optimization Interchange Optimization Interchange the fee that a merchant s bank pays a customer s bank If you re a business that is not automatically passing Level II and Level III data (customer code, item description, tax ID) with each transaction, you are missing out on real savings Stuller Inc. - March Interchange Optimization Analysis Level II & III Data $ 18, D Secure Savings $ 1, *Plus Fraud Liability Shift Total Savings $ 19, Interchange Category * Volume Current FeeCurrent Cost Optimized FeeAdjusted Cost Savings Optimization Type** VS - Signature Business B2B $ 1,410, % $ 33, % $ 28, $ 4, Level II & III Data VS - Business Enhanced B2B $ 637, % $ 14, % $ 13, $ 1, Level II & III Data VS - Business Card B2B $ 284, % $ 5, % $ 5, $ Level II & III Data VS - Signature Business STD $ 132, % $ 3, % $ 2, $ 1, Level II & III Data VS - Purchasing Card B2B $ 81, % $ 2, % $ 1, $ Level II & III Data VS - Signature Pref Standard $ 58, % $ 1, % $ 1, $ Level II & III Data VS - Business Enhanced Std $ 36, % $ 1, % $ $ Level II & III Data VS - Corporate Card B2B $ 2, % $ % $ $ Level II & III Data MC - Comm DataRate 1 Bus Dbt $ 368, % $ 9, % $ 6, $ 3, Level II & III Data MC - Bus Spend Level 4 Data Rate 1 $ 366, % $ 10, % $ 7, $ 3, Level II & III Data MC - Comm DataRate 1 Bus $ 139, % $ 3, % $ 2, $ 1, Level II & III Data MC - Comm DataRate 1 Fleet $ 11, % $ % $ $ Level II & III Data MC - Bus Spend Level 3 Data Rate 1 $ 112, % $ 3, % $ 2, $ 1, Level II & III Data MC - Bus Spend Level 2 Data Rate 1 $ 54, % $ 1, % $ 1, $ Level II & III Data MC - Comm DataRate 1 Purch $ 16, % $ % $ $ Level II & III Data MC - Comm DataRate 1 Corp $ 6, % $ % $ $ Level II & III Data MC - Comm DataRate 2 Bus Dbt $ 1, % $ % $ $ 7.98 Level II & III Data VS - CPS Rewards 2 $ 865, % $ 16, % $ 15, $ 1, DSecure VS - CPS E-Comm Basic Dbt $ 126, % $ 2, % $ 2, $ DSecure VS - CPS CNP Dbt $ 50, % $ % $ $ DSecure MC - World Elite Merit 1 $ 398, % $ 9, % $ 8, $ 1, DSecure MC - World US Merit 1 $ 152, % $ 3, % $ 2, $ DSecure MC - Mastercard Merit 1 $ 115, % $ 2, % $ 1, $ DSecure MC - Enhanced Merit 1 $ 103, % $ 2, % $ 1, $ DSecure MC - Mastercard Merit 1 Dbt $ 82, % $ 1, % $ $ DSecure ** Optimization Types - 3DSecure - Ecommerce Optimization as well as Fraud Liability shift to the consumer Level II & Level III data passed that ensures transactions qualify properly.

34 CardConnect Interchange Optimization 1. Historical Statement Review CardConnect examines historical processing statements to identify areas of interchange cost reduction 2. API Integration - CardConnect Gateway automatically pulls data via the CardConnect API to fulfill Level II/III data requirements 3. Level II/III Data Autopopulation - When data is not available, CC Gateway autopopulates Level II/III data fields with default values known to satisfy requirements 4. Interchange+ Pricing - Whether processing with CardConnect or another processor, business must be on an IC+ pricing model to pass on savings to business 5. 3DSecure

35 Who We Are CardConnect is a payments technology company helping businesses accept any form of payment for goods and services simply and securely. A little bit about us: Based in Philadelphia, with offices in Chicago, Cleveland, Boca Raton and Kansas City 50,000+ merchant customers nationwide, from the Fortune 500 to small businesses Clients include the Social Security Administration, General Electric and The New York Times $15 billion in bankcard volume in 2014 Accept and secure payments at the Point of Sale: retail, mobile, e-commerce, MOTO (mail order/telephone order), smartphone applications, software applications

36 A History of Protecting Payments CardConnect has a proven track record developing security technology for the payments industry. 1997: CardConnect builds first payment gateway integrated to SAP for Fortune 500 corporations. 2004: CardConnect builds CardSecure, a payment card encryption solution for SAP 2006: CardConnect's payment gateway validated as PABP Compliant under Visa s Payment Application Best Practices program. 2009: CardConnect's payment gateway validated as PA-DSS Compliant and listed on the PCI Security Standards Council website. 2010: CardConnect's payment gateway validated as PCI-DSS Compliant and listed on Visa Service Provider Registry. 2012: CardConnect's PANPAD, a terminal that encrypts card data at the point of entry, named winner of Security Products Guide's Global Excellent Award. 2012: CardConnect's payment gateway with CardSecure becomes the first Oracle Validated Integration for payment acceptance and security. 2013: CardConnect develops proprietary P2PE solution in response to security risks for point-of-sale transactions. 2013: CardConnect receives two United States patents for securing confidential information through tokenization. 2015: CardConnect P2PE solution certified by PCI Council.

37 Our Clients Our clients represent a cross-section of Fortune 500 companies. All with the common desire to secure flexible card processing solutions in a 100% PCI compliant manner. 50,000+ merchants processing annually with a total volume over 13 billion USD

38 Mark Cuneo Cell John Sosnowski Cell Mark Passifione Cell Rajesh Parthasarathy Cell