Data Security, Fraud Prevention, and Cost Control
Mike Dorland, CPP, Regional Marketing Representative, Michigan Retailers Association

Michigan Retailers Association
Incorporated in 1940
Represents retail interests in Lansing, Michigan
The oldest non-bank organization operating in the merchant acquiring space, now specializing in all types of non-cash treasury management solutions
5500 merchants in 48 states and the District of Columbia, processing almost $1 billion annually
ACH transactions
Gift cards (storewide and community-wide solutions)
Payment Card Industry Data Security Standards (PCI-DSS)
What is PCI-DSS?
The Payment Card Industry Data Security Standard is the evolution of the various payment networks' separate attempts to create their own security protocols and procedures. The standard is now owned and controlled by the PCI Security Standards Council. The PCI Council will continue to evaluate any changes that need to be made to the PCI standard through input from stakeholders. Updated standards can be reviewed at www.pcisecuritystandards.org

PCI Compliance
PCI compliance is a journey, not a destination. All businesses that accept or process credit card transactions should be constantly reviewing and identifying areas where data might accumulate. Stand back and watch who touches a transaction and what they do with that data. Many times data accumulate in unexpected areas of a business. Staff members collect card data for many different reasons that seem legitimate at the time. Any time a staff member is collecting card data, someone should be asking whether it is really needed.
PCI compliance for most merchants is simply the completion of a Self-Assessment Questionnaire (SAQ). The completed SAQ should be held in the merchant's office for presentation if demanded by the card networks. SAQs should be completed on an annual basis.
Data Security: Processor Level
Processors have started to see an increasing number of hacking attempts. These attempts have become more subtle, replacing the brute-force data grabs. Processors (and merchants) have become much better at protecting data that is at rest, through encryption, firewalls, and other methods. Data in motion is still a problem. Hackers have learned that accessing a system and lurking in it for days, weeks or months to collect data is more profitable than reaching in and simply grabbing a data file.

Data Security: Merchant Level
Merchants storing the complete and UNALTERED (unencrypted) card data from a swiped transaction
Protect data at rest AND in motion
With card stripe data, a perfect duplicate can be created and used before the cardholder even suspects a problem. This allows someone to use a counterfeit card (with fake ID) anywhere he/she wants with little or no risk of capture.

Data Security: Merchant POS
Hackers have learned that they can also lurk in a retailer's POS system and collect a significant amount of data. Remote access has become a major exposure point, because businesses have legitimate needs for allowing remote access. If you have opened the door for remote access by your employees or vendors, you have also opened the door for a hacker!
In one case of a remote access hack, the bad guys hacked the POS vendor and used the login credentials on that system to access hundreds of retail POS systems. They were on the retailer's local systems for less than 5 minutes. Custom-made software was installed which simply captured the consumers' mag stripe data and sent it each night to eastern Europe.

What is Carding?
Carding is the underground industry of selling and trading stolen card numbers. In less than 5 minutes on the Internet:
Good card numbers, sold in lots of 100, with a money-back guarantee!
Card network plastic available by the box
Skimming equipment and card encoding equipment
PCI-DSS -- Limit the Scope First!
[Diagram: Server and Credit Card Processing on one network. Do ALL machines have to be PCI compliant?]
[Diagram: Server, Firewall, Credit Card Processing. What is the scope of PCI compliance here? Just one machine has to be PCI compliant.]
What Data Can I Keep?
Data falls into two different categories:
Protected (that which you can keep but must ALWAYS protect):
  Card Number
  Expiration Date
Prohibited (which is never stored after the authorization of the transaction and settlement of the batch):
  Mag stripe data
  CVV2 data
  PIN numbers
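To make the advice to keep reviewing where card data accumulates, and the protected/prohibited split above, concrete, here is an added Python example (not from the presentation or the Michigan Retailers Association). It scans a constructed log excerpt for full track 2 data and for Luhn-valid digit runs that look like card numbers, reporting only masked values, and it shows a retention function that keeps just the protected fields from a swipe (masked PAN plus expiry) and drops the stripe's service code and discretionary data, where CVV1 lives. The track 2 layout follows ISO 7813; the sample log lines, the HMAC key, and the function names are constructed for the example.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass

# Track 2 layout (ISO 7813): ;PAN=YYMM<service code><discretionary data>?
# The discretionary field carries CVV1/PVV, so the raw track must never be kept.
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")

# Candidate PANs in free text: 13-19 digits, optionally split by spaces or dashes.
PAN_CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed log excerpt: a debug line leaked a full swipe and a note holds a PAN.
SAMPLE_LOG = """\
2024-05-03 09:12:01 order=10023 phone=5175551234 total=48.20
2024-05-03 09:12:05 DEBUG raw_swipe=;4111111111111111=25121011234567890?
2024-05-03 09:13:40 note: customer paid with 5500 0000 0000 0004 exp 12/26
2024-05-03 09:14:02 invoice 4111111111111112 (not a card, fails Luhn)
"""


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test; weeds out most non-card digit runs (invoice ids, timestamps)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI-DSS display rule: show at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_card_data(text: str) -> list:
    """Scan text (logs, spreadsheet exports, mailbox dumps) for stored card data.
    Track data is checked first and blanked out so its PAN is not reported twice.
    Only masked values are returned, so the report does not re-create the exposure."""
    findings = []
    for m in TRACK2_RE.finditer(text):
        findings.append(("track2", mask_pan(m.group(1))))
    remainder = TRACK2_RE.sub(" ", text)
    for m in PAN_CANDIDATE_RE.finditer(remainder):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            findings.append(("pan", mask_pan(digits)))
    return findings


@dataclass
class RetainedCard:
    masked_pan: str        # protected category, stored masked
    expiry_yymm: str       # protected category
    pan_reference: str     # keyed hash of the PAN for matching; useless without the key


def retain_from_swipe(track2: str, hash_key: bytes) -> RetainedCard:
    """Keep only the protected fields from a swipe (PAN, expiry) and drop the
    prohibited ones (service code and discretionary data, where CVV1 lives).
    The full PAN is replaced by a masked form plus an HMAC-SHA256 reference.
    hash_key is a secret held outside the record store (assumed here)."""
    m = TRACK2_RE.fullmatch(track2)
    if m is None:
        raise ValueError("not a track 2 string")
    pan, yy, mm = m.group(1), m.group(2), m.group(3)
    if not luhn_valid(pan):
        raise ValueError("PAN fails Luhn check")
    reference = hmac.new(hash_key, pan.encode(), hashlib.sha256).hexdigest()
    return RetainedCard(mask_pan(pan), yy + mm, reference)


if __name__ == "__main__":
    for kind, masked in find_card_data(SAMPLE_LOG):
        print(f"found {kind}: {masked}")
    print(retain_from_swipe(";4111111111111111=25121011234567890?", b"demo-key"))
```

The scanner is the kind of check worth running over POS logs, shared drives and mailboxes before filling in the SAQ: the debug line and the free-text note are exactly the "unexpected areas" the slide warns about. The reference hash is keyed on purpose; a plain SHA-256 of a PAN can be recovered by brute force because card numbers have little entropy once the issuer prefix is known, so if you keep a full PAN at all it must be encrypted or keyed-hashed, and the key must live somewhere other than the record it protects.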
12 Points of PCI-DSS Compliance
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor defaults for system passwords
3. Protect cardholder data
4. Encrypt transmission of cardholder data across public networks
5. Use updated anti-virus software
6. Develop and maintain secure systems
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to data
10. Track and monitor all access to networks and data
11. Regularly test the systems and processes
12. Maintain policies that address information security
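The remote-access incident on the Merchant POS slide (one vendor's credentials reused against hundreds of retail POS systems, each visited for only a few minutes) is what point 10, "Track and monitor all access to networks and data", is meant to catch. Here is an added Python example, not from the presentation or the Michigan Retailers Association, that reviews remote-access login records for two signals: vendor accounts logging in outside an approved maintenance window, and a single account reaching more distinct store hosts within an hour than any legitimate support session would. The log format, account names, IP addresses, window and threshold are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, time, timedelta

# Constructed remote-access records: timestamp, account, source IP, target host, result.
SAMPLE_REMOTE_LOG = """\
2024-05-03T14:02:11 posvendor_svc 203.0.113.10 store-017-pos LOGIN_OK
2024-05-03T14:03:40 posvendor_svc 203.0.113.10 store-017-pos LOGOUT
2024-05-03T23:41:05 posvendor_svc 198.51.100.7 store-003-pos LOGIN_OK
2024-05-03T23:42:19 posvendor_svc 198.51.100.7 store-011-pos LOGIN_OK
2024-05-03T23:43:02 posvendor_svc 198.51.100.7 store-019-pos LOGIN_OK
2024-05-03T23:44:50 posvendor_svc 198.51.100.7 store-024-pos LOGIN_OK
2024-05-04T08:15:00 jsmith 192.0.2.44 store-017-pos LOGIN_OK
"""

# Assumed policy: vendors may connect only during business hours, and no
# support session should touch more than three stores inside one hour.
VENDOR_ACCOUNTS = {"posvendor_svc"}
MAINTENANCE_WINDOW = (time(8, 0), time(18, 0))
MAX_HOSTS_PER_HOUR = 3


def parse_line(line: str):
    ts, account, source, host, result = line.split()
    return datetime.fromisoformat(ts), account, source, host, result


def in_window(ts: datetime, window) -> bool:
    start, end = window
    return start <= ts.time() <= end


def review_remote_access(text: str, window=MAINTENANCE_WINDOW, max_hosts=MAX_HOSTS_PER_HOUR) -> list:
    """Return a list of alert tuples. Only successful logins are considered."""
    alerts = []
    logins = defaultdict(list)   # account -> [(timestamp, host)]
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, source, host, result = parse_line(line)
        if result != "LOGIN_OK":
            continue
        if account in VENDOR_ACCOUNTS and not in_window(ts, window):
            alerts.append(("off_hours_vendor_login", account, source, host, ts.isoformat()))
        logins[account].append((ts, host))

    # Fan-out: slide a one-hour window over each account's logins and count
    # distinct target hosts; a vendor credential abused across stores shows up here.
    for account, events in logins.items():
        events.sort()
        for i, (start_ts, _) in enumerate(events):
            hosts = {h for t, h in events[i:] if t - start_ts <= timedelta(hours=1)}
            if len(hosts) > max_hosts:
                alerts.append(("account_fan_out", account, sorted(hosts), start_ts.isoformat()))
                break
    return alerts


if __name__ == "__main__":
    for alert in review_remote_access(SAMPLE_REMOTE_LOG):
        print(alert)
```

On the sample data the daytime vendor session is silent, the four late-night logins each raise an off-hours alert, and the same account is flagged once for fan-out across four stores within three minutes. The review only works if remote-access logins are actually logged centrally and vendor accounts are distinct from staff accounts (points 8 and 10 together); a shared "admin" login used by everyone gives this kind of check nothing to work with.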
What Happens If...?
Bad things happen to good people; how do you protect yourself from a data breach? Data breach insurance is available and covers expenses related to a data breach:
Forensic audit
Card replacement expenses
PCI assessments and fines
Government fines
Usually $50,000 or $100,000 in coverage