PCI DSS Investing wisely...

Transcription

1 PCI DSS Investing wisely... Hotel webinar Neira Jones Head of Payment Security Barclaycard Global Payment Acceptance 25 th July 2011 Leading the way in secure payments global payment acceptance Hotel Security Safe & webinar Sound Matters th 29March July th June

2 News round up ESSEX Sony RSA Citigroup Data breaches have almost become a statistical certainty Travelodge Lulzsec Lush Epsilon Lockheed Martin Wordpress Dropbox global payment acceptance Hotel webinar - 25 th July

3 Panic! Companies feel under pressure to meet compliance deadlines of one type or another. Panic to implement solutions they believe will address the most visible, urgent or potentially costly to ignore regulation looming on the horizon. With requirements evolving, companies find themselves with discrete solutions for PCI DSS, Data Protection, FSA, SOX and others. Many businesses are now on their 2 nd or 3 rd cycle of trying to automate processes related to compliance with specific policies, industry standards, and government regulations. RESULT: Some successes with initial projects, but short lived, and costly. Suppliers often guilty of perpetrating a vicious circle by describing their offering as the next silver bullet (expensive to maintain and impossible to integrate or scale) Investments in infosec more difficult to secure as sustainability can t be demonstrated to the Board. COMPLIANCE IN SILOS global payment acceptance Hotel webinar - 25 th July

4 How can I justify PCI DSS expenditure?... global payment acceptance

5 The cost depends on a number of factors TECHNICAL How are payments processed (face-to-face, mail order/ telephone order (MOTO), e-commerce etc.) In each channel, how compliant are your third parties and applications in the payment value chain? How mature the organisation is in terms of IT / IS security, policies and procedures, staff training and awareness etc. Centralised or distributed (multiple sites) ORGANISATIONAL / CULTURAL COSTS Size of organisation Staff training global payment acceptance Hotel webinar - 25 th July

6 PCI DSS merchant levels Merchants are classified according to the volume of card payments they process and the nature of their business LEVEL HOW TO DETERMINE MERCHANT LEVEL Any merchant processing over 6,000,000 Visa or MasterCard transactions per year, OR, any compromised merchant. Any merchant processing one to six million Visa or MasterCard transactions per year. Any merchant processing 20,000 to one million Visa or MasterCard e- commerce transactions per year. Any merchant processing less than 20,000 Visa or MasterCard e- commerce transactions per year, and all other merchants processing up to one million Visa or MasterCard transactions per year. global payment acceptance Hotel webinar - 25 th July

7 It s war Jim, but not as we know it... Today s cybercrime industry has evolved and automated itself to improve efficiency, scalability, and profitability with a clear intent on obtaining information that can be monetised. The hackers best friends are businesses with inadequate and often outdated information security practices. Cybercrime/ data protection not high on the Board s agenda. But... Governance & Risk Management are familiar to the Board. global payment acceptance Hotel webinar - 25 th July

8 Monetising card data Online ordering systems for stolen credit card data available 24/7 Inventories of as many as 800,000 stolen credit cards per site Tiered pricing available Pre-purchase testing validation available Can sell same data on many times Current market value: global payment acceptance Hotel webinar - 25 th July

9 We re all in it together When personal information is stolen, it goes viral... global payment acceptance Hotel webinar - 25 th July

10 Public social concerns... Preventing crime 94% Protecting personal information 94% NHS 88% Equal rights 88% Improving education 87% National security 87% Environmental issues 87% Protecting freedom of speech 85% Source: ICO Annual Track 2008 global payment acceptance Hotel webinar - 25 th July

11 Cause of data breaches in the hotel sector Default passwords SQL injection Malware on payment server Some hotels take a swipe of the magnetic stripe on the back of the card at check-in data is stored (probably in the hotel Property Management System). A pre-auth is done and the cardholder charged when they leave. Perhaps done via Express Check-out. This data is extremely valuable and is one of the reasons criminals are targeting the hotel industry. global payment acceptance Hotel webinar - 25 th July

12 Happy 10 th Birthday SQL Injection!!! global payment acceptance

13 And now for the science... Malware represented 80% of all data lost in 2010 and within that case load, 81% was performed via SQL injections. Hacking represented 89% of records stolen and 76% of these were due to lax password management and authentication procedures. Most data breaches are not discovered by the organisation suffering the attack. The Verizon DBIR 2011 further claimed that 87% of attacks could be prevented using simple, proactive measures. global payment acceptance Hotel webinar - 25 th July

14 Seeing the wood from the trees... The 2011 Verizon DBIR concluded that being prepared remains the best defense against security breaches. Organisations still remain slow in detecting and responding to incidents. Most organisations that have suffered a breach will have evidence of it in their logs, but these often get overlooked due to a lack of staff, tools or processes. global payment acceptance Hotel webinar - 25 th July

15 One step at a time... Are my employees taking information outside of the organisation? How can they do this? Can I limit access to this information to only those who need it? What types of attackers would be interested in infiltrating my systems? What would they seek? Why? If any web server was compromised, how difficult would it be for an attacker to work its way to those systems containing information? How easy would it be to take this information out? How quickly would I know this has happened? How quickly can I stop it? How quickly do I need to respond to the market? global payment acceptance Hotel webinar - 25 th July

16 Threat/ scenario modelling is only practiced by a few organisations global payment acceptance

17 The reality Protect brand and reputation If card data is lost it is highly likely that other data has also been lost e.g. name and address etc. This could lead to identity theft as well as card fraud. If customers lose trust, they often take their business elsewhere. It is a Card Scheme requirement that merchants comply with PCI DSS and is incorporated in to the T & Cs. Cost and business impact of a data breach. PCI DSS non-compliance fees. global payment acceptance Hotel webinar - 25 th July

18 Data breaches and fines global payment acceptance Hotel webinar - 25 th July

19 Cost of a small data breach Small data loss Item Conservative (L4 Merchant) Cost (GBP) Forensic Investigation 10,000 Card Scheme penalties 8,000 QSA On-Site Audit 12,000 Total 30,000 Item Conservative (L4 Merchant) Cost (GBP) Remediation? Brand & Reputation? Opportunity Cost? Total? global payment acceptance Hotel webinar - 25 th July

20 global payment acceptance To gain understanding and trust, businesses will promote how they safeguard their customers personal information. Investment in information security will be driven by business reality.

21 global payment acceptance Only 4% of breaches assessed in the Verizon Business Data Breach Investigation Report 2011(DBIR 2011) required difficult and expensive protective measures.

22 It s all about risk... the identification, assessment and prioritisation of risks followed by coordinated and economical application of resources to minimise, monitor, and control the probability and/or impact of unfortunate events. global payment acceptance Hotel webinar - 25 th July

23 PCI DSS What is it all about? 6 goals, 12 requirements global payment acceptance Hotel webinar - 25 th July

24 Key messages 1. Data compromises do happen! 2. The criminals are 5 years ahead of us. It is now organised crime, not geeky teenagers like in the film War Games 3. PCI DSS is a business / cultural change and will require a multi-disciplinary team to implement 4. Ensure that Third Parties are contractually liable to you 5. Try not to store card data, what you don t have you can t lose (part of scope reduction) 6. Never ever store card sensitive authentication data post authorisation 7. Identify the parts of your business with the greatest risk of being compromised and secure them first e.g. e-commerce sites 8. Use the PCI SSC Risk Prioritised Approach 9. PCI DSS is a continuous process a bit like an MOT check, but you still need to ensure that your car is road worthy in between MOTs global payment acceptance Hotel webinar - 25 th July

25 What can we learn?... Lesson 1. Understand your risk profile Lesson 2. Make risk management your objective, compliance will come naturally Lesson 3. Avoid quick fixes and silos (i.e. don t panic!) Lesson 4. Automate Lesson 5. Educate global payment acceptance Hotel webinar - 25 th July

26 global payment acceptance In the months and years to come, we can expect increased scrutiny of corporate risk management practices. In response to this, businesses will strive to understand their risk profiles and whether the risks taken are within the enterprise s risk appetite and tolerance thresholds.

27 global payment acceptance How Barclaycard can help

28 Barclaycard and the PCI SSC The PCI SSC is a global organisation formed by the Card Schemes to develop global security standards for the protection of card data. Barclaycard sits on the PCI SSC Board of Advisors, is a Participating Organisation and is involved in SIGs. Barclaycard welcomes feedback from the merchant community and is actively working with the PCI SSC to raise issues concerning European merchants. global payment acceptance Hotel webinar - 25 th July

29 Barclaycard Risk Reduction Programme Over the past 8 months, Barclaycard and IRM plc have researched and developed a risk reduction programme for Level 1 and Level 2 merchants. PCI DSS is a good information security framework. Use PCI DSS controls in the context of a recognised risk management framework (i.e. ISO 27001, Cobit, ITIL, CLAS, etc.) The first step is a risk assessment. global payment acceptance Hotel webinar - 25 th July

30 Leaflets, white papers, tools, etc Our website: global payment acceptance Hotel webinar - 25 th July

31 Don t spend 100 protecting a 1 asset, know your risk, fix the basics first, and be prepared Neira Jones Head of Payment Security Barclaycard, Global Payment Acceptance neira.jones@barclaycard.co.uk neirajones global payment acceptance