PREVENTING PAYMENT CARD DATA BREACHES
- Maurice Peters
NEW SCIENCE TRANSACTION SECURITY ARTICLE
PREVENTING PAYMENT CARD DATA BREACHES
DECEMBER 2014
UL.COM/NEWSCIENCE
NEW SCIENCE TRANSACTION SECURITY OVERVIEW

From research on the latest electronic transaction security technologies to comprehensive strategies for reliable mobile payment solutions, UL's New Science advances are helping to support compliance, interoperability and security for the latest transaction technology implementations. UL is working with customers across the industry, conducting state-of-the-art trials; analyzing and assessing the security, functionality and interoperability of new and existing technologies; and enhancing implementation processes and developing unique migration architectures to help transition disparate systems to a new platform.
WHY PREVENTING PAYMENT CARD DATA BREACHES MATTERS

Payment card data breaches became a hot topic in the U.S. in 2013, highlighted by the Target and Neiman Marcus incidents, in which 40 million [1] and 350,000 [2] cards, respectively, were compromised. However, while these two incidents dominated the spotlight, in the same year there were more than 600 security breaches in the U.S., [3] resulting in $6.8 billion in card fraud losses. [4] There were an additional $6.5 billion in card fraud losses in other countries in

Understandably, preventing payment card data breaches has become a top priority for the payments industry, particularly in the U.S.

CONTEXT

A payment card data breach is the result of one or more hackers gaining access, often on a large scale, to information stored on debit or credit cards with the goal of selling this information on the black market or directly performing fraudulent transactions. [6] When a particular merchant is compromised, all consumers who used their payment cards at that merchant's retail locations are at risk. [7] This is broadly what occurred in the Target and Neiman Marcus incidents. In both cases, malware strains designed to take advantage of system vulnerabilities circumvented security, enabling backdoor access to consumer card data. [8]

Currently, the U.S. accounts for almost 50 percent of annual card fraud globally, which is comparatively high, given that 27 percent of card transactions occur in the U.S. [9] One contributing factor is that the U.S. is the last of the G20 countries to migrate to EMV-based credit and debit cards, [10] and the predominant credit and debit cards currently in use in the U.S. employ magnetic stripe (magstripe) technology, which was introduced to the mass market in the early 1970s, [11] long before the Internet and mobility transformed the payments industry.
EMV cards were first introduced in and were later adopted by most of the world, including 19 of the G20 nations. [13] These cards use an embedded chip to generate a unique encrypted code for each transaction, allowing the issuer to accurately confirm the authenticity of the card, while reducing the risk of fraud, unauthorized access to information and duplicate cards. [14] EMV cards have achieved a high level of adoption largely because they have helped decrease counterfeit fraud by 60 to 80 percent in countries where EMV cards have become the standard. [15] By the end of 2013, there were more than 2.37 billion EMV cards issued globally, [16] of which 17 to 20 million were issued in the U.S. [17]
Driven by the major credit card brands, the U.S. is now in the process of migrating to EMV, with liability for card fraud mandated to shift to merchants by October 1, 2015 if they do not have EMV-enabled payment devices. [18] However, EMV is a digital transaction protocol that introduces a cryptographically secured means of determining the authenticity of credit and debit cards, helping these cards avoid being cloned by hackers. [19] Despite this protection, which goes beyond what is provided by magnetic stripe technology, EMV itself is unable to prevent the installation of malicious software that could lead to a commercial data breach, such as what occurred at Target and Neiman Marcus. [20]

WHAT DID UL DO?

UL conducted a comprehensive risk analysis of payment card fraud scenarios. From our study of data breaches, we understand that the type of card data that is obtained tends to include Track 2 data (the cardholder's account, encrypted PIN plus other discretionary data [21]) of every card that was swiped at the compromised point-of-sale (PoS) device, along with the encrypted PIN data for every card transaction that was PIN-based. Although we believe it is extremely unlikely for the encryption to be broken, which would provide access to the actual PIN numbers, we have seen that stolen card data can be used to create counterfeit copies of the original cards. Whether these cards can be used in fraudulent transactions depends on two considerations: the kind of card that is compromised and the usage environment where the fraudulent card is used. These two considerations became the parameters for our risk analysis. [22]

We assessed the potential for fraud across different scenarios that are based on cross-referencing payment card technologies with acceptance environments.
The specific payment card technologies we examined included magstripe and PIN, magstripe and signature, and EMV. The different acceptance environments included a magstripe PoS terminal, an EMV PoS terminal and an ATM machine for card-present transactions, as well as an Internet-based payment for card-not-present (CNP) transactions. This process yielded a robust set of scenarios, for which we then conducted risk assessments. [23]
Payment card fraud risk assessment scenarios [24]

[Figure: matrix of compromised card type (Magstripe + Signature, Magstripe + PIN, EMV) against attempted usage environment (Magstripe PoS, EMV PoS, ATM, Internet (CNP)), with each scenario marked as: No fraud possibilities, Conditional possibilities, Unconditional possibilities, or Not a valid scenario.]

Risk assessment insights

We assessed the potential for fraud across 12 different scenarios that were created by cross-referencing key payment card technologies with common acceptance environments.

Scenario 1: A swipe and PIN transaction is compromised, and fraud is attempted at a magstripe PoS device that only requires a signature
Unconditional fraud possibilities

In this scenario, the ability for a criminal to commit fraud depends on the card type and issuer rules. As the PIN has not been compromised, signature-based or no-CVM required (without the 3- or 4-digit code that is imprinted on the physical card but excluded from the magnetic stripe) transactions are at risk with issuers that allow their debit cards to be authorized either using a signature or without a PIN or signature (no CVM, for low-ticket transactions). [26]

Scenario 2: A swipe and PIN transaction is compromised, and fraud is attempted at a magstripe PoS device
Conditional fraud possibilities

This is the most likely form of fraud resulting from large-scale PoS compromise. In this scenario, a hacker is able to clone (i.e., create a copy) the compromised card to use in card-present situations using his or her own signature. An issuer would have no way of telling the difference between a transaction with the genuine card or with the cloned card. The issuer would be liable for the fraud but may seek to shift liability to the merchant that was the source of the card data compromise. Acquirers can take additional measures to limit exposure to this kind of fraud. For example, PoS software can be modified to require merchants to enter the last four digits of the embossed primary account number (PAN) prior to authorization, as this would make it more difficult for a criminal to create cloned cards using compromised card data; although, this measure can be overcome because it has become relatively easy to obtain embossing equipment. Another fraud mitigation method is to ask customers for photo-ID to check against the name on the supplied card, but this can slow the transaction time, adding cost to the merchant while inconveniencing customers. [25]

Scenario 3: An EMV-card transaction is compromised, and fraud is attempted at a magstripe PoS device
Conditional fraud possibilities

In this scenario, the ability to commit fraud is determined by the issuer of the card. The issuer will be able to detect that, based on the PoS entry mode data element in Field 55 (authorization data in the magstripe used by an acquirer to create a clearing message), the card is used in a magstripe-only terminal. Since this was originally an EMV card, this transaction may fall under the EMV liability shift regime (depending on region). The issuer may choose to decline the transaction, in which case no fraudulent transaction can take place. If the issuer chooses to approve the transaction, the fraud can occur and local liability shift rules will determine whether issuer or acquirer is liable for fraud. [27]

Scenario 4: A swipe and PIN transaction is compromised, and fraud is attempted at EMV-compliant PoS device
Unconditional fraud possibilities

Here, the same rationale as Scenario 1 applies, with the assumption that the EMV-compliant PoS device is still capable of reading a magstripe card. Depending on the CVM requirements on a debit or credit card, transactions with a fraudulent card can potentially be authorized. [28]

Scenario 5: A swipe and signature transaction is compromised, and fraud is attempted at EMV-compliant PoS device
Conditional fraud possibilities

This case follows the same rationale as Scenario 2, in which the fraudulent card can be successfully used by the hacker, even though the PoS device is EMV-compliant. [29]

Scenario 6: An EMV-card transaction is compromised, and fraud is attempted at EMV-compliant PoS terminal
No fraud possibilities

The ability to commit fraud in this scenario depends on regional fallback rules (the backup protocols, if any, that are authorized when the primary mode does not work). To an EMV-compliant PoS device, the fraudulent card will look like an EMV card in which the chip is damaged. In this case, the service code on the magstripe Track 2 would indicate the presence of a chip that the PoS device is unable to read, so the transaction may qualify for fallback under appropriate rules. If fallback is not allowed, the fraudulent transaction will be rejected. However, if fallback is allowed, the issuer will authorize the transaction if sufficient funds are available in the account. During the initial stages of EMV migration in the U.S., if fallback is allowed, Scenario 6 should be colored orange to indicate the potential for risk. [30]

Scenario 7: Magstripe and signature at an ATM
Not a valid scenario

There is no signature at an ATM. [31]

Scenario 8: A swipe and PIN transaction is compromised, and fraud is attempted at an ATM
Conditional fraud possibilities

Generally, a cloned card is unable to be used to commit fraud at an ATM machine, as this would require a correct PIN number to be entered. However, criminals can use social engineering and phishing techniques to obtain PIN numbers, [32] and it is also possible for criminals to obtain identity information to change the PIN numbers of cloned cards. [33]

Scenario 9: ATM usage of a compromised EMV card
No fraud possibilities

With a cloned EMV card, criminals will not be able to duplicate the information contained in the EMV chip. An EMV-enabled ATM will return an invalid transaction on a duplicated card. [34]
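Scenarios 3 and 6 both turn on the acceptance side noticing that a magstripe read came from a card whose Track 2 service code says it carries a chip. The following is an added example, not code from the UL article: it parses a Track 2 record in the ISO/IEC 7813 layout and classifies the swipe along the lines of those two scenarios. The function names, outcome labels and the two boolean inputs are hypothetical, and the sample records are constructed around a test PAN.

```python
import re
from dataclasses import dataclass

# Track 2 layout (ISO/IEC 7813): ;PAN=YYMM, 3-digit service code, discretionary data, ?
TRACK2_RE = re.compile(r"^;?(\d{12,19})=(\d{4})(\d{3})(\d*)\??$")

# A first service-code digit of 2 or 6 means the card carries a chip
# that should be used where the terminal can read it.
CHIP_FIRST_DIGITS = {"2", "6"}

# Constructed sample records built on a test PAN; not data from the article.
SAMPLE_CHIP_CARD = ";4111111111111111=25122010000000000?"
SAMPLE_STRIPE_CARD = ";4111111111111111=25121010000000000?"


@dataclass(frozen=True)
class Track2:
    pan: str
    expiry_yymm: str
    service_code: str
    discretionary: str

    @property
    def has_chip(self) -> bool:
        return self.service_code[0] in CHIP_FIRST_DIGITS

    def masked_pan(self) -> str:
        # Keep only the first six and last four digits for logging.
        return self.pan[:6] + "*" * (len(self.pan) - 10) + self.pan[-4:]


def parse_track2(raw: str) -> Track2:
    """Split a raw Track 2 string into its fields, rejecting malformed input."""
    match = TRACK2_RE.match(raw.strip())
    if match is None:
        raise ValueError("malformed Track 2 record")
    return Track2(*match.groups())


def assess_swipe(raw_track2: str, terminal_reads_chip: bool,
                 fallback_allowed: bool) -> str:
    """Classify a magstripe-read authorization (labels are hypothetical).

    terminal_reads_chip and fallback_allowed are assumed inputs standing in
    for the PoS entry mode data and the regional fallback rules in the text.
    """
    card = parse_track2(raw_track2)
    if not card.has_chip:
        # Plain magstripe card: EMV has nothing to check (Scenarios 1, 2, 4, 5).
        return "MAGSTRIPE_CARD"
    if not terminal_reads_chip:
        # Scenario 3: chip card swiped at a magstripe-only terminal;
        # the issuer decides whether to approve or decline.
        return "CHIP_CARD_ON_MAGSTRIPE_TERMINAL"
    if fallback_allowed:
        # Scenario 6 with fallback allowed: looks like a damaged chip,
        # so the swipe deserves review before approval.
        return "FALLBACK_REVIEW"
    # Scenario 6 without fallback: the swipe is rejected.
    return "DECLINE_NO_FALLBACK"


if __name__ == "__main__":
    for raw in (SAMPLE_STRIPE_CARD, SAMPLE_CHIP_CARD):
        card = parse_track2(raw)
        print(card.masked_pan(), card.service_code,
              assess_swipe(raw, terminal_reads_chip=True, fallback_allowed=False))
```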
Scenarios 10, 11 and 12: Internet, CNP usage of a compromised card
Conditional fraud possibilities

In theory, the data that are stolen from cards by compromising a PoS device cannot be used for CNP internet purchases. This is because a compromised PoS device only gives access to magstripe Track 2 data, which do not contain the so-called security code (referred to as CVV2 or CVC2 data) printed on the signature panel of the card. [35] However, experience has shown that under certain circumstances, fraud can be successfully committed with the data gathered through a large-scale PoS compromise:

- In some cases, a web-based merchant that accepts card payments does not require entry of a security code to complete a transaction. In these cases, compromised card data can successfully be used for fraudulent purchases. Since the merchant does not require all the data it is supposed to (the CVC2 security code), the merchant will be liable for any losses.
- Some issuers do not validate the value of the CVC2 data, which means compromised card data can be used for CNP purchases. In this case, the issuer will be liable for any losses.
- A statistical attack vector exists with a large-scale PoS compromise. Because the CVC2 security code is a three-digit numerical value, there are 1,000 possible combinations. Most issuers allow three subsequent CVC2 validation attempts before fraud is suspected and authorization is declined, which yields a 0.3 percent per card success rate for fraudulent CNP transactions. When the data from millions of payment cards are stolen, there is a large statistical chance of committing fraud in CNP environments (the 0.3 percent hit rate would yield 3,000 usable cards out of one million compromised). In this case, the issuer would be liable for transaction fraud, but would likely seek to shift liability to the merchant where the large-scale PoS compromise took place. [36]

Preventing large-scale data breaches

The EMV transaction protocol takes place between an EMV-compliant card (debit or credit) and an EMV-compliant PoS device or ATM. By using EMV, PoS devices and/or card issuers will always be able to detect attempted card cloning. However, for reasons of backwards compatibility, non-EMV-compliant cards can be used on EMV-compliant acceptance infrastructures. Similarly, EMV-compliant cards are usable on magstripe-only acceptance devices. Because of this, merchants that have EMV-enabled their PoS acceptance infrastructures can still be a source of card data compromise in case a hacker gains access to PoS software code and can still unknowingly acquire card fraud (see Scenarios 4, 5, and 6). That said, if the U.S. had already migrated to EMV, the consequences of large-scale card compromises, such as the ones recently reported, would have been less severe (see Scenario 6). [37]

Beyond EMV compliance, UL believes that the Payment Card Industry (PCI) standards play a vital role in the process of preventing data breaches. PCI Data Security Standard (DSS) controls (a set of technical and operational requirements designed to protect cardholder data [38]) have been designed to prevent and/or detect a large-scale compromise. To commit such fraud, criminals need a point of ingress to allow for the wide-scale delivery of a compromise, a known vulnerability in the system to allow for the compromise and a point of egress for the exfiltration of the collected data. These points are directly addressed by the PCI DSS requirements, and although compliance is not an absolute guarantee of prevention of such a compromise, we believe that data breaches are far more likely to have resulted from a lack of rigor around one or more of the PCI DSS controls. [39]

If hackers were to attempt to collect card data directly from a PoS device, this form of compromise could largely be mitigated through the use of encryption on all cardholder data at the point of interaction (POI) at the PIN Entry Device itself before the data are passed into a PC-based PoS system. Specifically, compliance with the PCI Point-to-Point Encryption (P2PE) requirements, or even just the correct use of Secure Reading and Exchange of Data (SRED)-approved POI devices, would help remove all cardholder data from the PoS environment.
This is likely the largest single step retailers can take to protect their customers' card data. [40]

IMPACT

As the U.S. payments industry transitions from magstripe to EMV cards, a large number of potential security risks will be mitigated. EMV compliance will help ensure that the card account information that flows through a PCI-compliant acquiring infrastructure is genuine and can be authenticated, and an acquiring infrastructure that is compliant with applicable and up-to-date PCI standards should provide sufficient end-to-end protection against card account compromise. UL believes that the combination of PCI and EMV compliance will provide a robust framework against card fraud in both the card-present and CNP domains. During this time of transition in the U.S., we will continue to closely monitor existing and emerging security threats, identify gaps and formulate proactive risk mitigation strategies to help ensure payment security. [41]
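Scenarios 10, 11 and 12 name three CNP weaknesses: a merchant that does not ask for the CVC2, an issuer that does not validate it, and the three-attempt allowance that gives a 0.3 percent hit rate. The following added example (not from the UL article) shows an issuer-side check that closes all three by requiring the code, validating it, and keeping one cumulative mismatch counter per card. The record fields, decision labels and sample authorizations are constructed for illustration.

```python
from collections import defaultdict

CVC2_SPACE = 1000    # three-digit code, 000 to 999
MAX_MISMATCHES = 3   # attempts per card the article says most issuers allow


def expected_usable_cards(compromised: int, attempts: int = MAX_MISMATCHES) -> int:
    """Cards for which `attempts` distinct guesses would include the right code."""
    return compromised * min(attempts, CVC2_SPACE) // CVC2_SPACE


class Cvc2Monitor:
    """Issuer-side CVC2 policy for CNP authorizations (hypothetical labels)."""

    def __init__(self, max_mismatches: int = MAX_MISMATCHES):
        self.max_mismatches = max_mismatches
        self.mismatches = defaultdict(int)  # cumulative count, keyed by card
        self.locked = set()

    def decide(self, auth: dict) -> str:
        card, result = auth["card"], auth["cvc2"]
        if card in self.locked:
            # Once the allowance is used up, even a correct code is refused
            # until the cardholder is contacted.
            return "DECLINE_CARD_LOCKED"
        if result == "absent":
            # The merchant did not collect the code: decline rather than
            # authorize on Track 2 data alone.
            return "DECLINE_CVC2_MISSING"
        if result == "mismatch":
            self.mismatches[card] += 1
            if self.mismatches[card] >= self.max_mismatches:
                self.locked.add(card)
                return "DECLINE_AND_LOCK"
            return "DECLINE_CVC2_MISMATCH"
        if result == "match":
            return "APPROVE"
        raise ValueError(f"unknown CVC2 result: {result!r}")


# Constructed authorization records; card and merchant names are placeholders.
SAMPLE_AUTHS = [
    {"card": "card-A", "merchant": "shop-1", "cvc2": "mismatch"},
    {"card": "card-B", "merchant": "shop-1", "cvc2": "absent"},
    {"card": "card-A", "merchant": "shop-2", "cvc2": "mismatch"},
    {"card": "card-C", "merchant": "shop-3", "cvc2": "match"},
    {"card": "card-A", "merchant": "shop-3", "cvc2": "mismatch"},
    {"card": "card-A", "merchant": "shop-4", "cvc2": "match"},
]


def replay(auths, monitor=None):
    """Run a sequence of authorizations through one monitor, in order."""
    monitor = monitor or Cvc2Monitor()
    return [monitor.decide(auth) for auth in auths]


if __name__ == "__main__":
    for auth, decision in zip(SAMPLE_AUTHS, replay(SAMPLE_AUTHS)):
        print(auth["card"], auth["merchant"], auth["cvc2"], "->", decision)
    print("usable cards per million compromised:",
          expected_usable_cards(1_000_000))
```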
SOURCES

[1] Riley, M. et al., Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It, BloombergBusinessweek, 13 Mar Web: 25 June
[2] Roman, J., Neiman Marcus Downsizes Breach Estimate, BankInfo Security, 23 Feb Web: 25 June
[3] The Path to Payment Security, CardConnect, Web: 13 June White_Paper.pdf.
[4] Heggestuen, J., Here's What Will Change When the US Switches Over to the New EMV Chip on Credit Cards, Business Insider, 21 Apr Web: 13 June
[5] Ibid.
[6] Bron, M., Prevention Is Better Than Cure, UL, White paper, 27 May
[7] Ibid.
[8] Kepes, B., Target and Neiman Marcus Just the Tip of the Iceberg More Retail Security Breaches to Come, Forbes, 23 Jan Web: 26 June
[9] Dahiya, R., Preparing for EMV Cards, Independent Banker, 28 May Web: 13 June
[10] EMV: FAQ, Smart Card Alliance, Web: 26 June smartcardalliance.org/pages/publications-emv-faq#q2.
[11] Halliday, S.G., Introduction to Magnetic Stripe & Other Card Technologies, High Tech Aid, 24 Apr Web: 26 June tech/card/intro_ms.htm.
[12] Urken, R. K., Why Your Credit Card Needs an International Upgrade: The EMV Chip, Daily Finance, 8 Aug Web: 13 June com/2012/08/08/why-your-credit-card-needs-an-international-upgrade-theemv-chi/.
[13] EMV: FAQ, Smart Card Alliance, Web: 26 June smartcardalliance.org/pages/publications-emv-faq#q2.
[14] Tips for Preventing a Data Breach in Your Business Prepare for EMV Acceptance, Worldpay, Spring Web: 13 June us/merchant-advisor/spring-2014/tips.html.
[15] EMV Chip + Fingerprint Technology Combine on SmartMetric Card to Fight Fraud, Marketwired, 4 Feb Web: 12 June marketwired.com/press-release/emv-chip-fingerprint-technology-combineon-smartmetric-card-to-fight-fraud-otcqb-smme htm.
[16] EMV Resources, EMV Connection, Web: 13 June
[17] EMV: FAQ, Smart Card Alliance, Web: 26 June smartcardalliance.org/pages/publications-emv-faq#q2.
[18] Morea, D., EMV in the U.S.: Putting It Into Perspective for Merchants and Financial Institutions, First Data Corporation White paper, Web: 26 June
[19] Bron, M., Interview, UL, 5 June
[20] Bron, M., Prevention Is Better Than Cure, UL, White paper, 27 May
[21] Padilla, L., Track Format of Magnetic Stripe Cards, ACME Technologies, 14 July Web: 26 June credit_cards/magstripe_track_format.html.
[22] Bron, M., Prevention Is Better Than Cure, UL, White paper, 27 May
[23] Ibid.
[24] Ibid.
[25] Ibid.
[26] Ibid.
[27] Ibid.
[28] Ibid.
[29] Ibid.
[30] Ibid.
[31] Ibid.
[32] What Should You Know About the Switch to EMV? Welch ATM, Web: 12 Nov
[33] Bron, M., Interview, UL, 7 Nov
[34] Krebs, B., Replay Attacks Spoof Chip Card Charges, Krebs on Security, 27 Oct Web: 12 Nov
[35] Bron, M., Prevention Is Better Than Cure, UL, White paper, 27 May
[36] Ibid.
[37] Ibid.
[38] Payment Card Industry (PCI) Data Security Standard, PCI Security Standards Council, Oct Web: 27 June documents/pci_dss_v2.pdf.
[39] Bron, M., Prevention Is Better Than Cure, UL, White paper, 27 May
[40] Ibid.
[41] Ibid.
New Science Transaction Security cannot be copied, reproduced, distributed or displayed without UL's express written permission. V.17. UL, the UL Logo and NEW SCIENCE are trademarks of UL LLC 2014.
TD Canada Trust How to Help Prevent Fraud Merchant Services tips to help protect your business Fraud Awareness All credit cards issued in Canada are designed with special security features to help deter
More informationE2EE and PCI Compliancy. Martin Holloway VSP Sales Director VeriFone NEMEA
E2EE and PCI Compliancy Martin Holloway VSP Sales Director VeriFone NEMEA Security Breaches In The News 2 Security Breaches In The News 3 Security Breaches In The News 4 Security Breaches In The News 5
More informationIntroductions 1 min 4
1 2 1 Minute 3 Introductions 1 min 4 5 2 Minutes Briefly Introduce the topics for discussion. We will have time for Q and A following the webinar. 6 Randy - EMV History / Chip Cards /Terminals 5 Minutes
More informationImplication of EMV Migration for the U.S. Transportation Industry. May 1, 2015. Implication of EMV Migration for the U.S. Transportation Industry
Implication of EMV Migration for the U.S. Transportation Industry 1 Introduction Transportation payment methods are constantly evolving. When cash handling became too expensive and inconvenient, the metal
More informationPractically Thinking: What Small Merchants Should Know about EMV
Practically Thinking: What Small Merchants Should Know about EMV 1 Practically Thinking: What Small Merchants Should Know About EMV Overview Savvy business owners know that payments are about more than
More informationSection 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015
Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015 I. PURPOSE The purpose of this policy is to establish guidelines for processing charges on Payment Cards to protect
More informationA RE T HE U.S. CHIP RULES ENOUGH?
August 2015 A RE T HE U.S. CHIP RULES ENOUGH? A longer term view of security and the payments landscape is needed. Abstract: The United States is finally modernizing its card payment systems and confronting
More informationEMV and Encryption + Tokenization: A Layered Approach to Security
EMV and Encryption + Tokenization: A Layered Approach to Security 2012 First Data Corporation. All trademarks, service marks and trade names referenced in this material are the property of their respective
More informationA Guide to EMV Version 1.0 May 2011
Table of Contents TABLE OF CONTENTS... 2 LIST OF FIGURES... 4 1 INTRODUCTION... 5 1.1 Purpose... 5 1.2 References... 5 2 BACKGROUND... 6 2.1 What is EMV... 6 2.2 Why EMV... 7 3 THE HISTORY OF EMV... 8
More informationCardControl. Credit Card Processing 101. Overview. Contents
CardControl Credit Card Processing 101 Overview Credit card processing is a very complex and important system for anyone that sells goods. This guide will hopefully help educate and inform new and old
More informationU.S. Bank. U.S. Bank Chip Card FAQs for Program Administrators. In this guide you will find: Explaining Chip Card Technology (EMV)
U.S. Bank U.S. Bank Chip Card FAQs for Program Administrators Here are some frequently asked questions Program Administrators have about the replacement of U.S. Bank commercial cards with new chip-enabled
More informationPlotting a Course for EMV Compliance
Plotting a Course for EMV Compliance Plotting a Course for EMV Compliance PCI compliance...emv compliance by now, you ve heard repeatedly that your store or restaurant must be EMV-compliant by the recently
More informationCredit Card Processing Overview
CardControl 3.0 Credit Card Processing Overview Overview Credit card processing is a very complex and important system for anyone that sells goods. This guide will hopefully help educate and inform new
More informationAcceptance to Minimize Fraud
Best Practices for Credit Card Acceptance to Minimize Fraud By implementing best practices in credit card processing, you decrease the likelihood of fraudulent transactions and chargebacks. In general,
More informationYour Reference Guide to EMV Integration: Understanding the Liability Shift
Your Reference Guide to EMV Integration: Understanding the Liability Shift UNDERSTANDING EMV EMVCo was formed in February 1999 by Europay, MasterCard and Visa to establish and maintain global interoperability
More informationThe Adoption of EMV Technology in the U.S. By Dave Ewald Global Industry Sales Consultant Datacard Group
The Adoption of EMV Technology in the U.S. By Dave Ewald Global Industry Sales Consultant Datacard Group Abstract: Visa Inc. and MasterCard recently announced plans to accelerate chip migration in the
More informationKey Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking
Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking SUMMARY The Payment Card Industry Data Security Standard (PCI DSS) defines 12 high-level security requirements directed
More informationEMV FAQs. Contact us at: CS@VancoPayments.com. Visit us online: VancoPayments.com
EMV FAQs Contact us at: CS@VancoPayments.com Visit us online: VancoPayments.com What are the benefits of EMV cards to merchants and consumers? What is EMV? The acronym EMV stands for an organization formed
More informationSecuring the Payments System. The facts about fraud prevention
Securing the Payments System The facts about fraud prevention Contents Introduction 3 Visa s Security Programme 4 Fraud Types and Threats 6 Fraud Statistics and Research 7 Visa s Security Agenda for New
More informationPREPARING FOR THE MIGRATION TO EMV IN
PREPARING FOR THE MIGRATION TO EMV IN THE U.S. A Mercator Advisory Group Research Brief Sponsored by Merchant Warehouse 2010 Mercator Advisory Group, Inc. 8 Clock Tower Place, Suite 420 Maynard, MA 01754
More informationSecure Payments Framework Workgroup
Secure Payments Framework Workgroup EMV for the US Hospitality Industry Version 1.0 About HTNG Hotel Technology Next Generation (HTNG) is a non-profit association with a mission to foster, through collaboration
More informationOpenEdge Research & Development Group April 2015
2015: Development, Merchant Readiness & the Coming Liability Shift OpenEdge Research & Development Group April 2015 developers@openedgepay.com openedgepay.com 2015: Development, Merchant Table of Contents
More informationFAQ EMV. EMV Overview
FAQ EMV EMV Overview What are the benefits of EMV cards? A: Several factors are driving the U.S. card market to migrate to chip-based cards using the EMV specifications. EMV offers advantages for consumers,
More informationTestimony of Scott Talbott, Sr. V.P. for Government Relations, Electronic Transactions Association (ETA)
Testimony of Scott Talbott, Sr. V.P. for Government Relations, Electronic Transactions Association (ETA) House Small Business Committee Hearing on the EMV Deadline and What It Means for Small Business
More informationAndroid pay. Frequently asked questions
Android pay Frequently asked questions June 2015 Android Pay - FAQs In May 2015, Android Pay was announced by Google. Android Pay is Google s payments solution that allows consumers to do in-store and
More informationFAQ on EMV Chip Debit Card and Online Usage
FAQ on EMV Chip Debit Card and Online Usage Security enhancement on HSBC India Debit Card A Secure Debit Card HSBC India Debit Cards are more secure and enabled with the Chip and PIN technology? You can
More informationNewtek, The Small Business Authority 855-2thesba www.thesba.com. thesba.com 855-2thesba
thesba.com 855-2thesba EMV Chip Technology, Secure Electronic Payments The world of payments is evolving. We are starting to see an evolution from typical static magnetic strip cards to more intelligent
More informationTHE FIVE Ws OF EMV BY DAVE EWALD GLOBAL EMV CONSULTANT AND MANAGER DATACARD GROUP
THE FIVE Ws OF EMV BY DAVE EWALD GLOBAL EMV CONSULTANT AND MANAGER DATACARD GROUP WHERE IS THE U.S. PAYMENT CARD INDUSTRY NOW? WHERE IS IT GOING? Today, payment and identification cards of all types (credit
More informationAmerican Express Contactless Payments
PRODUCT CAPABILITY GUIDE American Express Contactless Payments American Express Contactless Payments Help Enable Increased Convenience For Card Members At The Point Of Sale American Express contactless
More informationMULTI-LAYERED SECURITY STRENGTHENS PAYMENT STRUCTURES
MULTI-LAYERED SECURITY STRENGTHENS PAYMENT STRUCTURES How to Prepare a Comprehensive Strategy How to Prepare a Comprehensive Strategy The lines have been drawn in retail data security. While security threats
More informationEMV FAQs for developers
EMV FAQs for developers You accept the Information presented herein as is, without any representation as to its accuracy or completeness. What are the three levels of EMV certification? There are three
More informationSellWise User Group. Thursday, February 19, 2015
SellWise User Group Thursday, February 19, 2015 Slides and recording posted on scouting.org/financeimpact Look on the Council Fiscal Management Tab, then look at the bottom left for Sellwise Support/User
More informationAIS Webinar. Payment Application Security. Hap Huynh Business Leader Visa Inc. 1 April 2009
AIS Webinar Payment Application Security Hap Huynh Business Leader Visa Inc. 1 April 2009 1 Agenda Security Environment Payment Application Security Overview Questions and Comments Payment Application
More informationEMV GATHERS STEAM AS U.S. MOVES TOWARD LIABILITY SHIFT
W H I T E P A P E R EMV GATHERS STEAM AS U.S. MOVES TOWARD LIABILITY SHIFT Approaching deadlines will shift liability of card-present counterfeit fraud from issuers to acquirers and merchants. That combined
More informationSolutions For Higher Education: Reducing Compliance Scope Across Campus With PCI Validated P2PE
Solutions For Higher Education: Reducing Compliance Scope Across Campus With PCI Validated P2PE Complete Campus Coverage With the complexity of a college campus ecosystem as varied as the development office
More informationFrequently Asked Questions
PCI Compliance Frequently Asked Questions Table of Content GENERAL INFORMATION... 2 PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)...2 Are all merchants and service providers required to comply
More informationHow To Spot & Prevent Fraudulent Credit Card Activity
Datalink Bankcard Services How To Spot & Prevent Fraudulent Credit Card Activity White Paper 2013 According to statistics from the U.S. Department of Justice and the Consumer Sentinel Network, credit card
More informationStronger(Security(and( Mobile'Payments'! Dramatically*Faster!and$ Cheaper'to'Implement"
!!!! Stronger(Security(and( Mobile'Payments'! Dramatically*Faster!and$ Cheaper'to'Implement" Here$is$a$simple,$cost$effective$way$to$achieve$transaction$security$for$ mobile$payments$that$allows$easy$and$secure$provisioning$of$cards.$
More information1. Ask what your financial institution knows or has personally experienced with regard to internal and external data breaches.
Part 1: Internal & External Data Breach Vulnerabilities Presented on: Thursday, February 12, 2 3 ET Co presented by: Ann Davidson VP of Risk Consulting at Allied Solutions Joe Majka CSO at Verifone 1 Breakdown
More informationGuide to Data Field Encryption
Guide to Data Field Encryption Contents Introduction 2 Common Concepts and Glossary 3 Encryption 3 Data Field Encryption 3 Cryptography 3 Keys and Key Management 5 Secure Cryptographic Device 7 Considerations
More informationmobile payment acceptance Solutions Visa security best practices version 3.0
mobile payment acceptance Visa security best practices version 3.0 Visa Security Best Practices for, Version 3.0 Since Visa s first release of this best practices document in 2011, we have seen a rapid
More informationInitial Roadmap: Point-to-Point Encryption Technology and PCI DSS Compliance
Emerging Technology Whitepaper Initial Roadmap: Point-to-Point Encryption Technology and PCI DSS Compliance For Transmissions of Cardholder Data and Sensitive Authentication Data Program Guide Version
More informationNEWS BULLETIN 2015-16
NEWS BULLETIN Maine Automobile Dealers Association 180 Civic Center Drive P. O. Box 2667 Augusta, Maine 04338-2667 DIAL 623-3882 e-mail:info@maineautodealers.com FAX 623-2318 DISTRIBUTION General Manager
More informationWHY DO HACKERS INCREASINGLY STEAL U.S. CARD DATA?
INTRODUCTION On December 18, 2013, security blogger and former journalist for The Washington Post, Brian Krebs, of Krebs on Security broke the story that Target had experienced what was the largest breach
More informationCITGO CHIP & MOBILE TM. Quick-Start Guide YOUR CUSTOMERS. are
CITGO CHIP & MOBILE TM Quick-Start Guide are YOUR CUSTOMERS EMV CHIP CARD This... plus this... MOBILE PAYMENTS 1 Equals Success GET AHEAD FOR YOUR CUSTOMERS STAY AHEAD FOR YOUR BUSINESS. Fast Convenient
More informationThe Cost of Compliance
The Cost of Compliance The Payment Card Industry Data Security Standard (PCI DSS) aims to protect sensitive cardholder data throughout the life cycle of ecommerce transactions. The standard puts heavy
More informationWhat Merchants Need To Know About The New Credit Card Processing Liability Regulations
What Merchants Need To Know About The New Credit Card Processing Liability Regulations How To Be Compliant: Post-October 1st EMV Deadline An ebook by MerchantPro Express www.merchantproexpress.com Meet
More informationUnderstanding the Role of Hardware Data Encryption in EMV and P2PE from the CEO s Perspective
Understanding the Role of Hardware Data Encryption in EMV and P2PE from the CEO s Perspective Futurex. An Innovative Leader in Encryption Solutions. For over 30 years, more than 15,000 customers worldwide
More informationFraud Protection, You and Your Bank
Fraud Protection, You and Your Bank Maximize your chances to minimize your losses Presentation for Missouri GFOA April 2011 By: Terry Endres, VP, Government Treasury Solutions Phone: 314-466-6774 Terry.m.endres@baml.com
More informationWhite Paper: Are there Payment Threats Lurking in Your Hospital?
White Paper: Are there Payment Threats Lurking in Your Hospital? With all the recent high profile stories about data breaches, payment security is a hot topic in healthcare today. There s been a steep
More informationPCI Training for Retail Jamboree Staff Volunteers. Securing Cardholder Data
PCI Training for Retail Jamboree Staff Volunteers Securing Cardholder Data Securing Cardholder Data Introduction This PowerPoint presentation is designed to educate Retail Jamboree Staff volunteers on
More informationEMV in Hotels Observations and Considerations
EMV in Hotels Observations and Considerations Just in: EMV in the Mail Customer Education: Credit Card companies have already started customer training for the new smart cards. 1 Questions to be Answered
More informationBecoming PCI Compliant
Becoming PCI Compliant Jason Brown - brownj52@michigan.gov Enterprise Security Architect Enterprise Architecture Department of Technology, Management and Budget State of Michigan @jasonbrown17 History
More information