Payment Card Industry Update and Cyber Risk Management

Transcription

1 Payment Card Industry Update and Cyber Risk Management CRAIG A. HOFFMAN, ESQ. BAKERHOSTETLER ADAM COTTINI, MANAGING DIRECTOR, CYBER LIABILITY PRACTICE, ARTHUR J GALLAGHER & CO. OCTOBER 22, ARTHUR J. GALLAGHER & CO. BUSINESS WITHOUT BARRIERS

2 Agenda October 22, 2015 Industry Rules Investigatory Phase What Happens After? Advanced Security Cyber Risk Management Prevention Breach Preparation Insurance and Data Breach Advisory 2014 ARTHUR J. GALLAGHER & CO. BUSINESS WITHOUT BARRIERS

3 Payment Card Industry Update and Cyber Risk Management October 22, 2015 Craig A. Hoffman, Blog:

4 PCI Stakeholders

5 Stages of a PCI Breach Discovery Engage PFI Calls with the acquirer/processor & card networks (proactive alerts) Preliminary PFIreport Issuance of CAMS/SAFE alerts Final PFIreport Remediation & revalidation of PCI DSS Fines GCAR & ADCR process (fraud & reissuance costs) Appeal

6 10/21/2015

7 August 2014 PCI Security Council Best Practices for Maintaining PCI DSS Compliance 0 IN TEN YEARS Of all the companies investigated by our forensics team over the last 10 years following a breach, not one was found to have been fully PCI DSS compliant at the time of the breach. Verizon 2015 PCI Compliance Report

8 PCI Fines & Penalties Fines for non compliance with PCI DSS Case management fee Fines for non cooperation Liquidated damages Assessments to recover from the acquirer and reimburse issuers: Operating expenses (heightened monitoring and card reissuance) Incremental counterfeit fraud losses

9 10/21/2015

10 Catastrophic Liability Cap based on 2 5% of prior year Visa sales Assessed 9 12 months after final PFI report submitted

11

12 Other PCI Fun Appeal Rights Acquirer Establishes Reserve Account Acquirer Takes Fines, Fee, & Assessments from Settlement Account Issuing Bank Claims

13 PCI Myths Privilege or work product protection applies to a PFI report and investigation There must be actual evidence of exfiltration for card data to be considered at risk by card networks CPPs are never wrong Merchants can always recover from their vendors Merchants aren t responsible if it was a vendor s fault

14 EMV Chip Card Technology Named after the original developers: EuroPay MasterCard Visa Smart chip technology that uses an embedded microprocessor that stores and protects cardholder data Issuers can decide to issue for authentication in two ways: Chip and PIN Chip and Signature Most significant benefit of EMV technology is prevention of counterfeit card present fraud. The chip creates dynamic authentication codes for each transaction: Dynamic values exist in the EMV and are verified by POS to ensure authenticity of the card Authenticated data changes upon each use

15 EMV Liability Shift The Stick EMV Shift is not a law or requirement October 1, 2015 Liability Shift Date If a merchant has not completed the EMV certification process through its acquirer, then the merchant will be responsible for all card present counterfeit fraud losses Liability shift applies to counterfeit fraud on magnetic stripe AND EMV cards Visa and MasterCard rules indicate application to all transactions American Express states that it transfers liability for certain types of fraudulent transactions away from the party with the most secure form of EMV technology Discover has similar language to American Express

16 What Liability Shifts? BUR 972/images/Vantiv%20EMV%20Toolkit%203page.pdf 10/21/2015

17 EMV Liability Shift The Carrot Annual PCI Revalidation Waiver If 75% of transactions are routed through EMV enabled terminals, the card networks will waive the requirement of an annual obligation to revalidate PCI DSS compliance Some conditions to this waiver apply, i.e. merchants have to submit a Technology Innovation Program (TIP) application For Visa, the conditions are: Validated PCI DSS compliance within the previous 12 months or submitted to Visa (via acquirer) a defined remediation plan for achieving compliance, based on a gap analysis Confirmed that sensitive authentication data is not stored, as defined in the PCI DSS At least 75% of the merchant s total transaction count must originate from dual interface (contact /contactless) enabled chip reading device terminals Not be involved in a breach of cardholder data. Breached merchant may qualify for TIP if they have subsequently validated PCI DSS compliance

18 EMV Liability Shift The Carrot Card Present Data Breach Safe Harbor Historically, Visa and MasterCard made assessments against a breached merchant s acquiring bank to reimburse banks that issued affected cards for costs. Incentive for EMV Visa and MasterCard will provide safe harbor from these assessments. Visa GCAR Liability Safe Harbor Applies if a merchant generates 95% of card present transactions from EMV enabled terminals 30 days before the start of a compromise event. The 95% card present threshold only applies to point of sale terminals, excludes card not present transactions and does not require a chip card or a chip on chip transaction. MasterCard ADC Liability Safe Harbor Applies if at least 95% of the Merchant s annual total transaction count was acquired via Dual Interface Hybrid POS Terminals; At least 95% of the transactions deemed by MasterCard to be within the scope of the compromise event were acquired via Dual Interface Hybrid POS Terminals; and Merchant has not been identified by MasterCard as having experienced a different compromise event during the 12 months prior to date of publication of earliest alert for the compromise event.

19 Risks That Remain After EMV Based on EMV migration data from other countries: Reduction of card present counterfeit fraud Simultaneous increase in card not present fraud Shimmers EMV technology protects against fraud occurring at the point of sale in stores. But: EMV is not a network security solution It has been projected to take up to 5 years before 90% of the cards in circulation are EMV enabled, so even companies with EMV enabled terminals will continue to have customers swiping magnetic stripe cards in their stores for years Recognizing the difficulty of securing their cardholder environment continuously, merchants continue to evaluate the benefits of future proof technology

20 Advanced Security Point-to-Point Encryption (P2PE) Tokenization 10/21/2015

21 Atlanta Chicago Cincinnati Cleveland Columbus Costa Mesa Denver Houston Los Angeles New York Orlando Philadelphia Seattle Washington, DC These materials have been prepared by Baker & Hostetler LLP for informational purposes only and are not legal advice. The information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this information without seeking professional counsel. You should consult a lawyer for individual advice regarding your own situation.

22 October 22, 2015 Cyber Risk Management Prevention Breach Preparation Insurance and Data Breach Advisory 2014 ARTHUR J. GALLAGHER & CO. BUSINESS WITHOUT BARRIERS 1

23 Prevention ADAM COTTINI, MANAGING DIRECTOR, CYBER LIABILITY PRACTICE ARTHUR J GALLAGHER & CO. OCTOBER 22, ARTHUR J. GALLAGHER & CO. BUSINESS WITHOUT BARRIERS

24 Look to Expert Advice Payment Card Industry - PCI Compliance Cyber Security Readiness Network Assessments Security Awareness Employee Training on Social Engineering Vendor Management Contract Review Regulatory Compliance - Complex Legal Environment Federal Regulations State Laws 2013 ARTHUR J. GALLAGHER & CO. BUSINESS WITHOUT BARRIERS 3

25 Preparedness ADAM COTTINI, MANAGING DIRECTOR, CYBER LIABILITY PRACTICE ARTHUR J GALLAGHER & CO. OCTOBER 22, ARTHUR J. GALLAGHER & CO. BUSINESS WITHOUT BARRIERS

26 Incident Response Planning The Importance of an Incident Response Plan Prepare and regularly train staff on internally reporting potential or actual breaches or suspicious activity. Identify key internal staff responsible for receiving such reports and notifying appropriate internal and external parties Follow cyber insurance policy requirements of Prior Approval and utilization of Panel Service Providers 2013 ARTHUR J. GALLAGHER & CO. BUSINESS WITHOUT BARRIERS 5

27 Visualize / Prioritize your Incident Response Partners Breach Coach / Legal Advisory Forensics Notification / Call Center Monitoring Services Public Relations Litigation Defense Counsel Law Firm A Forensics A Notice & Call Center Firm A Monitoring Firm A PR Firm A Defense Firm A Law Firm B Forensics B Notice & Call Center Firm B Monitoring Firm B PR Firm B Defense Firm B Law Firm C Forensics C Notice & Call Center Firm C Defense Firm C 2013 ARTHUR J. GALLAGHER & CO. BUSINESS WITHOUT BARRIERS 6

28 Duties in the Event of a Breach A. Incident Response Planning B. Breach Response Notification Requirements C. Cyber Insurance Coverage Initial Coverage Evaluation D. Post-Breach Litigation 2013 ARTHUR J. GALLAGHER & CO. BUSINESS WITHOUT BARRIERS 7

29 Risk Management ADAM COTTINI, MANAGING DIRECTOR, CYBER LIABILITY PRACTICE ARTHUR J GALLAGHER & CO. OCTOBER 22, ARTHUR J. GALLAGHER & CO. BUSINESS WITHOUT BARRIERS

30 Risk Management Insurance and Data Breach Advisory Risk Manager Tools help manage cyber risk more effectively Incident Response Roadmap spells out the steps to take in the event of a breach (Breach Coach) Experts Directory features qualified third-party providers of breach-related services Best Practices (articles, white papers & webinars) Proprietary Benchmarking Coverage Gap Analysis Policy Design and Best in Class Terms 2013 ARTHUR J. GALLAGHER & CO. BUSINESS WITHOUT BARRIERS 9

31 Craig A. Hoffman, Esq Adam Cottini Thank You Adam Cottini Managing Director, Cyber Liability Practice Arthur J. Gallagher & Co BSD17\26685A 2014 ARTHUR J. GALLAGHER & CO. BUSINESS WITHOUT BARRIERS