Merchant Risk Management PCIDSS. Presented by Dave Miller Senior Business Manager, Merchant Risk

Transcription

1 Merchant Risk Management PCIDSS Presented by Dave Miller Senior Business Manager, Merchant Risk 27 May 2009

2 History Westpac is the 2 nd largest Acquiring Bank in Australia; Westpac has a high market share of e-comm merchants; Westpac has its own 100% fully owned gateway provider; and Westpac has a dedicated resource to manage Merchant PCIDSS Compliance

3 Sources of Data Loss Pfizer / Wheels Inc. - [ ] (Names, addresses, birth dates and driver's license numbers of 1,800 employees revealed) New York City Financial Information Services Agency - [ ] (Stolen laptop contains financial information for as many as 280,000) University of Iowa - [ ] (Stolen laptop contains personal information for 184, including 100 Social Security numbers) Carnegie Mellon University - [ ] (Students' Social Security numbers on two stolen laptops) Gap Inc. - [ ] (Personal data including some Social Security numbers for 800,000 on stolen laptop) Massachusetts Division of Professional Licensure - [ ] (Social Security numbers of about 450,000 licensed professionals inadvertently released) The Nature Conservancy - [ ] (Social Security numbers, names, and addresses of 14,000 illegally accessed) TD Ameritrade - [ ] (Personal information of 6.3 million exposed by database hack) West Virginia Board of Barbers and Cosmetologists - [ ] (Personal information of thousands in stolen safe Pfizer - [ ] (Social Security numbers, names and financial information of 34,000 accessed by employee) HM Customs and Revenue - [ ] (Stolen laptop contains personal and financial details of at least 400) MacEwan College - [ ] (Credit card numbers, addresses, and other information publicly available on internet) Athens Regional Health Services - [ ] (Medical information, names, and some Social Security numbers of 1,441 on stolen computer) Kartenhaus - [ ] (Credit card numbers and billing addresses for 66,000 customers stolen) American Ex-Prisoners of War - [ ] (Stolen paper records include Social Security numbers and addresses of 35,000)

4 Analysis of 7 Westpac Data Compromise Events PCI Levels: 3 Level 3 Merchants, 4 Level 4; Total Annual Card Transactions: 12,183,240 Total Potentially Exposed Data: 407,656 Total Number of Compromised cards: 3,779 (3,200 came from one merchant) Identification Source: 5 via a CPP alert, 2 raised by the merchant Source of Breach: Evidence that 5 compromises came from internal sources due to poor data management practices, only 1 SQL injection.

5 Not All Press Is Good Press

6 The Challenges Faced Australia has a small population, a small merchant base and a large geographical footprint, (40% of the population resides outside of the capital cities) this makes it difficult to individually manage merchants; To put this challenge into perspective: Australia USA Geographical Size 7,700,000 sq km 9,830,000 sq km Population 23.1M 300M # of Merchants 743,000 7,800,000 E-Comm merchants were not well managed in the early days, this has meant that there has been a lot of catching up to do, particularly amongst Level 4 merchants;

7 The Challenges Faced (cont) Many large merchants have antiquated legacy systems that are extremely complex and costly to make compliant. It is not unusual for the older legacy systems to be so old that total compliance is impossible, compensating controls control the risks effectively, but still leave the merchant out of compliance; Over 97%, of our e-comm merchants are Level 4. 44% of transactions, by number, are Levels 1, 2 & 3, scheme and Bank focus has been on the upper level merchants, the compromise events experienced have been on the lower level merchants have we concentrated in the right space; There are a significant number of players involved in the e-comm space who touch customer data; Many of these, Web Hosters for example, are transparent to the Bank; Players who do not have direct contractual arrangements with a Bank are difficult to police, and direct compliance enforcement is almost impossible;

8 The Challenges Faced (cont) Merchants are unwilling to invest in a process that does not have an immediate capital return; The task of simply discovering which merchants pose the most risks is multifaceted, does a merchant transacting 400 transactions a year on an unsecured web site pose a greater risk than a MOTO merchant who stores 5,000 mail order forms in an unlocked store room? Internal resourcing, particularly in a declining credit market means that obtaining the right level resourcing is a challenge; Smaller merchants do not have the systems, nor the technical expertise to know when they have been breached, this means that there is a heavy reliance on CPP analysis identifying compromised merchants, some issuers are a lot better at this than others; Many merchants do not even know if they have cardholder data in their systems;

9 The Challenges Faced (cont) It is difficult to gain buy in from Client Relationship Managers as there is no financial reward for compliance activities; Many Integrated EFTPoS Systems have been developed in-house, apart from an on-site audit, discovery of card data storage points is impossible.

10 The Westpac Approach Determine the Level 1, 2 and 3 merchants by total card turnover; Enforce compliance at an appropriate Level, the exception to this is that we do not use combined levels to mandate on-site audits or for the purposes of scheme reporting; Risk profile the Level 4 merchants by turnover and delivery channel; Use external tools to identify merchants who trade on the internet without an e-comm merchant facility; Work directly with customer Relationship Managers; Have good collateral (brochures) to provide to merchants; Westpac is vendor agnostic, we use the best vendor for the most appropriate fit to a customers requirements and needs; and Have a robust incident response plan for when breaches are identified, this especially includes other parts of the business who look after CPP alerts.

11 What Happens Next? We continue to profile the Level 4 merchants for potential data breach exposures; We have engaged an external vendor, G2 Web services, to identify which of our merchants have a internet presence without having an e-comm merchant facility; Ensure that large merchants, with outdated legacy systems, do not slow down on their compliance activities; Make sure merchants use compliant web-hosters and gateways; Encourage merchants to use hosted solutions; Make sure 3 rd Party vendors are appropriately registered; and Validate all device types to ensure PCI compliance.

12 Summary Breaches are inevitable; It is impossible to micro-manage every merchant; Ensure resources are directed to the biggest areas of risk; Work closely with CPP teams; Have robust incident response plans; and Use PCIDSS compliance as a value add to merchants, it is much easier to sell a value add than a compliance requirement.

13 Question Time