The Cost of Payment Card Data Theft and Your Business
Aaron Lego, Director of Business Development
Presentation Agenda
Items we will cover:
1. Background on Payment Card Industry Data Security Standards
2. What is PCI-DSS and 3 Ways it Differs From HIPAA
3. Various PCI "Merchant" Classification Levels and Implications
4. How Does Your Data Get Stolen?
5. Cost of Non-Compliance vs. Compliance
6. DIY vs. Outsource: Audits, Concerns, Risk, Data Storage Concerns
7. Creating a Compliance Roadmap for Your Institution in 7 Simple Steps
Initial Questions? (By a show of hands)
How many of you are responsible for or are involved in processing credit cards for your organization?
How many of you write down patient credit card numbers to process at a later time?
How many of you store credit card numbers for clients?
How many are familiar with the term PCI DSS?
How many of your organizations are PCI DSS compliant?
Payment Data Security History
Payment Card Industry Security Standards Council, founded in 2006
Compliance areas for Healthcare: PCI-DSS, PA-DSS
Oversees standards for the industry for handling credit card data
Web site: https://www.pcisecuritystandards.org/
Represented by all major credit card companies:
American Express: www.americanexpress.com/datasecurity
Discover: http://www.discovernetwork.com/fraudsecurity/disc.html
JCB International: http://www.jcb-global.com/english/pci/index.html
MasterCard: http://www.mastercard.com/sdp
Visa: http://www.visa.com/cisp
What is PCI DSS?
PCI DSS = Payment Card Industry Data Security Standard
Credit card processing only; not electronic check at this time (NACHA)
This is the global data security standard that ANY business of any size must adhere to in order to accept payment cards, and to store, process, and/or transmit cardholder data.
Encompasses compliant processing of credit card payments made by:
Mail
Phone (CSR or automated)
Web site
POS devices
Kiosk
OTC
PCI DSS Requirements
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
PCI DSS Requirements Cont.
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security
BEST POLICY: DO NOT STORE CREDIT CARD DATA!
What is PA-DSS Compliance?
PA-DSS relates to secure processing for Payment Application compliance. When your organization purchases and installs a third-party piece of payment hardware or software in your environment that processes credit card related data, the vendor you purchased it from is responsible for PA-DSS compliance.
Requirements for the vendor (their responsibility, not yours!):
1. Do not retain full magnetic stripe, card validation code or value, or PIN block data.
2. Protect stored cardholder data.
3. Provide secure authentication features.
4. Log payment application activity.
5. Develop secure payment applications.
6. Protect wireless transmissions.
7. Test payment applications to address vulnerabilities.
8. Facilitate secure network implementation.
9. Cardholder data must never be stored on a server connected to the internet.
10. Facilitate secure remote software updates.
11. Facilitate secure remote access to payment application.
12. Encrypt sensitive traffic over public networks.
13. Encrypt all non-console administrative access.
14. Maintain instructional documentation and training programs for customers, resellers, and integrators.
Differences from HIPAA
Source: Juniper Networks, White Paper: Healthcare and Compliance, The New Reality, August 2010
Differences from HIPAA
Isn't it enough to be HIPAA compliant? Must I be PCI compliant, too?
Please keep in mind that HIPAA is not about the privacy and protection of data; it's about the portability and accountability of patient data. That data includes financial records as well and all too often, that data is not adequately protected.
Is a financial data breach as serious as a patient health data breach?
Any data breach is serious. Under the PCI DSS, an organization that does not perform due diligence with respect to protecting data faces not only onerous fines but also the loss of card-processing rights. Imagine telling a patient (as you are required to do), "We do not accept credit cards for payment because we've experienced a data breach." The negative publicity alone would be devastating.
Why do you merge HIPAA and PCI compliance solutions together?
Any PCI breach is now a HIPAA violation as well. So it simply makes sense to offer the whole HIPAA/PCI solution.
Source: http://www.pcihipaa.com/pcihipaa-faq.html
Merchant Levels (VISA)
Level | Description
1 | Any merchant, regardless of acceptance channel, processing over 6,000,000 Visa transactions per year.
2 | Any merchant, regardless of acceptance channel, processing 1,000,000 to 6,000,000 Visa transactions per year.
3 | Any merchant processing 20,000 to 1,000,000 Visa e-commerce transactions per year.
4 | Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1,000,000 Visa transactions per year.
Source: http://usa.visa.com/merchants/risk_management/cisp_merchants.html
Verizon 2011 Study
The Verizon study (855 companies) states that the majority of breaches in 2011 were at level 3 and level 4 merchants that were not compliant!
Source: http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigationsreport-2012_en_xg.pdf
Verizon 2011 Study
Most Common Breach Methods
EMPLOYEES!!!
Source: http://www.businessweek.com/news/2011-09-22/theft-of-digital-health-data-moreoften-inside-job-report-finds.html
EMPLOYEES!!!
From: 4/10/2012, Gulf News.com
Two hospital employees arrested on credit card fraud charges
Sharjah: Police on Monday arrested two men who worked at a private hospital in Sharjah for allegedly stealing credit card information from patients to make online transactions. An official at the Criminal Investigation Department (CID) at Sharjah Police said that one suspect worked as an accountant while the other was employed as a janitor, although he declined to reveal the name of the hospital involved in the case. "The two men stole the information of credit cards that were used by patients while they paid for the hospital bills, so that they could buy expensive cameras, mobile phones, watches and electronic items on the internet," said the CID official, pointing out that the suspects, both Filipinos, were charged with several counts of fraud, theft, forgery and deception.
Lack of Knowledge
Lack of knowledge of PCI and of proper handling of credit card data:
Writing down credit card numbers
Storing card security code / magnetic stripe data
Storing data in unencrypted files on servers
Faxing card information
E-mailing credit card data
Not completing annual self-assessments
Recording phone conversations and keeping the recordings unencrypted
No internal policy on card data management
Lack of understanding of the difference from HIPAA
Storing credit card numbers in a locked safe for recurring payments
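Requirement 3 ("Protect stored cardholder data"), the "DO NOT STORE CREDIT CARD DATA!" policy above and the "storing data in unencrypted files on servers" item in this list all raise the same practical question: how do you find out whether card numbers are already sitting in plain text on your servers? The following is an added example, not code from the presentation or from CBOSS: a small Python scanner that looks for 13-19 digit runs (with optional spaces or dashes) in a text file or log, keeps only candidates that pass the Luhn check most card numbers satisfy, and reports them masked to the first six and last four digits so the report itself does not become another copy of stored cardholder data. The sample input is constructed for this example and uses the widely published test numbers 4111 1111 1111 1111 and 5500 0000 0000 0004, not real cards.

```python
import re
from dataclasses import dataclass
from typing import List

# A candidate PAN: 13-19 digits, optionally separated by single spaces or
# dashes, and not part of a longer digit run (so 20-digit IDs are ignored).
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN to first six + last four, the most PCI DSS lets you display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class PanHit:
    line_no: int   # 1-based line in the scanned text
    offset: int    # character offset of the match within that line
    masked: str    # masked PAN, never the full number


def find_pans(text: str) -> List[PanHit]:
    """Scan text line by line and return Luhn-valid card numbers, masked."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):
                hits.append(PanHit(line_no, m.start(), mask_pan(digits)))
    return hits


# Constructed sample of the kind of note/log file the scanner is meant to find.
# Line 2 contains a 16-digit account reference that fails Luhn and is ignored.
SAMPLE_TEXT = """\
2012-04-10 payment desk note: patient paid by card 4111 1111 1111 1111 exp 12/14
callback number 555-0100, account ref 1234567890123456
card on file for recurring billing: 5500-0000-0000-0004
invoice total 12000000 (cents)
"""

if __name__ == "__main__":
    for hit in find_pans(SAMPLE_TEXT):
        print(f"line {hit.line_no} col {hit.offset}: {hit.masked}")
```

Run it over exported notes, e-mail archives, fax-server spool directories or call-recording transcripts (the locations the list above names) by reading each file and passing its contents to find_pans; every hit is a place where stored cardholder data needs to be removed or properly protected. The Luhn filter removes most phone numbers and invoice IDs, but expect a few false positives on long numeric references, and remember that magnetic stripe and security code data will not look like a PAN and need their own checks.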
Web Site Compromise
No SSL encryption on the web site while a form is collecting sensitive data
Stolen Device
Most Frequently Reported:
6/2/2012, Howard University Hospital, located in Washington, D.C.
No. of records exposed: Health information on 34,503 patients, due to the personal laptop of a former contractor for the hospital being stolen.
Source: http://www.washingtonpost.com/national/health-science/medicaldata-breaches-raise-alarms/2012/06/02/gjqavpwt9u_story.html
4/20/2012, Emory Healthcare, Inc., located in Georgia
No. of records exposed: Data related to 315,000 patients, including Social Security numbers, had been stored on 10 computer disks but went missing from a storage facility; a class-action lawsuit underway could cost the hospital $200 million.
Source: http://news.emory.edu/stories/2012/04/ehc_missing_data/campus.html
Lost or Stolen Documents
Key areas where sensitive financial data are located:
Dumpster diving
Fax pile
Sensitive financial documents that are not shredded
Hacker Attempts
Accessing your network or storage systems via sniffers, viruses, or other means:
Global Payments, March 2012: 1,500,000 credit cards stolen
Zappos, January 2012: 24,000,000 credit cards stolen
SONY, April 2011: 100,000,000 credit card records stolen
Heartland Payment Systems, January 2009: 130,000,000 credit cards stolen
Costs of a Breach
A security breach and subsequent compromise of payment card data has far-reaching consequences for affected organizations, including [1]:
1. Regulatory notification requirements,
2. Loss of reputation,
3. Loss of customers,
4. Litigation, and
5. Potential financial liabilities (for example, regulatory and other fees and fines).
[1] From PCI DSS Self-Assessment Questionnaire Instructions and Guidelines, v2.0, October 2010
Financial Cost of Non-Compliance?
Noncompliance Fines: The consequences of not being PCI compliant range from $5,000 to $500,000, levied by banks and credit card institutions. Banks may fine based on the forensic research they must perform to remediate noncompliance. Credit card institutions may levy fines as a punishment for noncompliance and propose a timeline of increasing fines.
What are the penalties if your organization does not comply with PCI-DSS?
Failure to comply with PCI-DSS requirements can result in stiff contractual penalties or sanctions from members of the payment card industry, including:
» Fines of $500,000 per data security incident
» Fines of $50,000 per day for non-compliance with published standards
» Liability for all fraud losses incurred from compromised account numbers
» Liability for the cost of reissuing cards associated with the compromise
» Suspension of merchant accounts
And this doesn't even begin to touch on HIPAA fines and regulatory actions!!!
What If We Are Compliant and Still Have a Breach?
Breach Consequences: Even if a company is 100% PCI compliant and validated, a breach of cardholder data may still occur. Cardholder data breaches can result in the following losses for a merchant:
$50-$90 fine per cardholder record compromised
Suspension of credit card acceptance by the merchant's credit card account provider
Loss of reputation with customers, suppliers, and partners
Possible civil litigation from breached customers
Loss of customer trust, which affects future sales
DIY vs. Outsource: Audits, Concerns, Risk, Data Storage Concerns
You cannot avoid PCI-DSS compliance if you take credit cards today. You need to determine your Merchant Level and follow those requirements, or outsource your services to a third-party vendor or service.
Average DIY costs (resources, hardware, software, etc.):
Level | Assessment Cost | Implementation Cost
1*    | $237,000        | $2,800,000
2     | $135,000        | $1,100,000
3     | $44,000         | $155,000
4     | $10,000 (est)   | $25,000 (est)
* Level 1 also requires an external QSA review
Source: http://www.braintreepayments.com/blog/what-does-it-cost-to-become-pci-compliant
Outsourcing should be considered!
If you decide to outsource instead of doing it in house, you need to look for a PCI-DSS compliant vendor or a PA-DSS compliant product.
PCI: http://usa.visa.com/download/merchants/cisp-list-of-pcidss-compliant-service-providers.pdf
PA: https://www.pcisecuritystandards.org/security_standards/vpa/
Benefits:
Reduced cost for compliance
Outsourced risk
Outsourced compliance
Focused adherence to PCI related changes
Expert PCI related consultation services
Proven compliance services
Proven solution
IMPORTANT: Your organization is still responsible for maintaining internal compliant policies and procedures even with outsourcing!!!
Next Steps
1. Assess your credit card processing procedures
   a) Verify where you stand today, how many cards you process, and how the data is handled.
2. Talk to your merchant bank partner about their process.
3. Determine your merchant level and complete the SAQ form.*
4. Determine if you will proceed yourself or need to outsource.
5. Remediate: correct any exposure found in the assessment.
6. Report: provide completed documentation to your merchant bank.
7. Repeat this process on a regular basis, at minimum yearly.
* https://www.pcisecuritystandards.org/documents/pci_dss_saq_instr_guide_v2.0.pdf
Thank You!
Aaron Lego, PMP, Director of Business Development
aaron@cboss.com
(330) 866-0429 (Office)
(330) 360-9769 (Cell)
www.cboss.com
CBOSS is a certified Level 1 Service Provider offering outsourced online payment solution services via our Central Payment Portal (CPP) product for our many customers in the public and private sectors. We currently process over 4 million transactions a year.