Retail Roundtable: Payment System Cyber Attacks Preparing, Protecting, and Responding. June 11, 2014

Panel Members
- Craig Hoffman, Partner. T: 513.929.3491 C: 513.227.3286 cahoffman@bakerlaw.com www.dataprivacymonitor.com @BakerPrivacy @Craig_Hoffman
- Spencer Timmel, Privacy Liability and Network Security. T: 513-354-1656 C: 513-518-1535 spencer.timmel@hylant.com
- Jason Maloni, SVP & Chair of the Litigation Practice. T: 202.973.1335 C: 202.834.9677 jmaloni@levick.com @levick daily.levick.com
- David Damato, Director. david.damato@mandiant.com
- James Zerfas, Chief of Security Technology. James.Zerfas@vantiv.com

GLOSSARY
- PCI DSS = Payment Card Industry Data Security Standard
- PFI = PCI Forensic Investigator
- QSA = Qualified Security Assessor
- ROC = Report on Compliance
- ADCR = Account Data Compromise Recovery
- GCAR = Global Compromised Account Recovery
- CPP = Common Point of Purchase
- PAN = primary account number
- CVV = card verification value
- Track data = data in the magnetic stripe

PCI Stakeholders
- Credit Card Brands (e.g. Visa, MasterCard)
- Issuing Banks
- Acquiring Banks / Credit Card Processors
- Merchants
- PCI Security Standards Council (SSC)
- Assessors
- Service Providers

Stages of a PCI Breach
- Discovery of incident (e.g. a CPP report)
- Engagement of PFI
- Calls with the acquirer/processor & card brands
- Preliminary PFI report
- Issuance of proactive alerts for at-risk accounts
- Final PFI report
- Issuance of final alerts for at-risk accounts
- Remediation & revalidation of PCI DSS
- GCAR, ADCR, DSOP process (fraud & reissuance costs)
- Fines and fees
- Appeal

Credit Card Skimming Devices

Card Brand Assessment Programs
- Fines for non-compliance with PCI DSS
- Case management fee
- Fines for non-cooperation
- Assessments to recover from the acquirer and reimburse issuers:
  - Operating expenses (heightened monitoring and card reissuance)
  - Incremental counterfeit fraud losses

Visa's Program is GCAR
GCAR Qualification (Updated)
Effective for Qualifying CAMS Events or VAB Events in which the first or only alert is sent on or after 15 May 2012, Visa will determine Account Data Compromise Event qualification, Counterfeit Fraud Recovery and Operating Expense Recovery amounts, Issuer eligibility, and Acquirer liability under the Global Compromised Account Recovery (GCAR) program, in accordance with the Visa Global Compromised Account Recovery (GCAR) Guide.
To qualify an Account Data Compromise Event under GCAR, Visa must determine that all of the following criteria have been met:
- A Payment Card Industry Data Security Standard (PCI DSS), PIN Management Requirements Documents, or Visa PIN Security Program Guide violation has occurred that could have allowed a compromise of Account Number and Card Verification Value (CVV) Magnetic-Stripe Data, and PIN data for events also involving PIN compromise
- Account Number and CVV Magnetic-Stripe Data has been exposed to a compromise
- 15,000 or more eligible accounts were sent in CAMS Internet Compromise (IC) and/or Research and Analysis (RA) alerts indicating Account Number and CVV Magnetic-Stripe Data is potentially at risk
- A combined total of US $150,000 or more Counterfeit Fraud Recovery and Operating Expense Recovery for all Issuers involved in the event
- Elevated Magnetic-Stripe counterfeit fraud was observed in the population of eligible accounts sent in the CAMS Alert(s) associated with the Account Data Compromise Event
ID#: 150413-150512-0026565

PCI DSS 3.0 & Third Parties

What Causes a Breach to Go Viral
- Record-setting loss
- Sensitive community affected
- Competitive media markets
- Concentration of affected parties in one area
- Delay in notification
- Customer complaints unanswered
- Failure to respond to social media

Caution is Killing Response

Effective Response
- Clear and thorough
- Compassionate
- Responsive to audience (employees, customers, data holders)
- Aggressive transparency, but not a foolish transparency

Great Customer Service

PCI Forensic Investigations
- Supported by a PFI
- Requires reporting to card brands, both a preliminary report within 5 days and a final report detailing the incident
- Can be expensive and resource intensive

Investigate Like a Pro
- Limit the cost / pain of the investigation
- Select the right PFI
- Mitigate risk / reduce a breach's scope
- Implement a secure network architecture
- Maintain proper logs and documentation
- Don't make assumptions
- Verify third-party claims
- Verify internal actions

Retail Cyber Exposures & Insurability
Exposure categories: Credit Card Data; Advertising & Social Media; Other
Exposures listed: Forensics; Defamation, Libel, Slander; Employee Data; Public Relations; Product Disparagement; Loss of other Sensitive Info; Customer Notification; Intellectual Property Infringement; Virus Transmission; Credit Monitoring; Misleading Advertising; Denial of Service; Reg. Defence, Fines & Penalties; PCI Fines & Penalties; Business Interruption & EE; Loss of Customers: Rep Injury; Privacy Liability Class Actions; Bank Card Reissuance Liability; Data Restoration; Extortion Demands

Card Data Breach Costs - What's the Right Number?
- Ponemon Institute, Cost of a Data Breach, 2014: $201/record (US); $105/record (Retail)
- NetDiligence 2013 Cyber Paid Claims Study: $97/record median? $307/record average?
- Public information on past card data breaches: 130 Million Cards: $150mm: $1.15 per card? 46 Million Cards: $250mm: $5.44 per card? 40 Million Cards: $61 million in first 3 months: Total Cost: t.b.d.?
- Somewhere in between? Hylant/NetDiligence Data Breach Cost Calculator

Increasing Exposure
- 75% of automated opportunistic attacks hit the Retail/Trade or Accommodation/Food Service industries (Verizon Data Breach Investigations Report)
- Increased regulatory scrutiny: FTC, SEC, State AGs
- Plaintiffs' bar continues to show its creativity
- Continued legislation: State, Federal & International

Gap Analysis: Traditional Coverages Are Not Adequate
- General Liability Insurance: coverage for bodily injury or property damage
  - Intentional acts are excluded
  - Intangible property is excluded
- Property Insurance: coverage for loss of tangible property caused by a covered peril
  - Computer viruses are excluded
  - Intangible property is excluded
  - Business interruption coverage only applies if there is direct physical loss or damage to covered property
- Crime Insurance: coverage for theft of money, securities or other property
  - No coverage for theft of information, trade secrets and other confidential information
- Directors & Officers Liability Insurance: coverage for claims alleging acts, errors and/or omissions committed by directors or officers of a company in their capacity
- Errors & Omissions Liability Policies: coverage for claims resulting from an Insured's rendering or failure to render professional services to others for a fee

Global Cyber Coverage Marketplace
- Global annual cyber premiums estimated at $1.0 to $1.5 billion
- Global capacity: approximately $300 million, all industries
- Card data capacity post-2013 breaches: best-in-class Insureds: $175-200mm
- 40+ domestic carriers, 20+ Lloyd's syndicates and elsewhere
- Domestic vs Lloyd's placements
- Developing coverage

Loss Mitigation Tools
- Employee training and compliance
- Remote scanning of web-facing external infrastructure for vulnerabilities
- Plug-in technology that shuns bad IP addresses, preventing them from entering and exiting a company's network
- Limited free consultation
- Data security assessments

Spencer Timmel, CIPP/US, CIPM, CITRMS
Spencer serves as the Network Security & Privacy Liability Product Leader. He provides risk management consultation and support to large-revenue companies and manages the placements of their cyber programs. Spencer has over 14 years of industry experience and holds several cyber industry designations: CIPP/US, CIPM, CITRMS.

Merchant Risk and Security
Copyright 2013 Vantiv, LLC. All rights reserved. Vantiv, the Vantiv logo, and all other Vantiv product or service names and logos are registered trademarks or trademarks of Vantiv, LLC in the USA and other countries. (The ® mark indicates USA registration.)

The Cost of Crime
- Fraud (Merchant): Lost, Stolen, Counterfeit Cards; Carding. $10B Global Card Fraud Losses (2012). Source: The Nilson Report, August 2013
- Cardholder Data Theft: Fines, Remediation Costs, Reimbursements. $3.4B Impact of Data Breaches (2012). Sources: Verizon 2012 Data Breach Investigations Report; The Ponemon Institute, 2013 Cost of Data Breach Study

Risks and Solutions
- Risks: Theft; Fraud; Physical Attacks; System Breach; Account Data Compromise; Counterfeit Cards; Lost/Stolen Cards
- Solutions: Policy & Inspection; P2PE / Tokens; EMV Chip; EMV PIN

Surrogate Values (diagram): Encrypt / Decrypt (P2PE); Tokenize / DeTokenize; parties shown: ISV, Vantiv
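The "surrogate value" idea in the slide is that merchant systems never hold the real PAN: a token vault hands out a stand-in that the merchant stores and passes around, and only the settlement path can turn it back into a card number. The following is an added illustration written for this page, not Vantiv's or any processor's code; the vault, its in-memory tables and the test PAN are constructed for the example (P2PE, the other half of the diagram, is not implemented here). The design choice worth noticing is that tokens deliberately fail the Luhn check, so a token can never be mistaken for, or accepted as, a real card number even though it keeps the last four digits for receipts and customer service.

```python
import secrets

DIGITS = "0123456789"


def luhn_valid(number: str) -> bool:
    """Luhn check-digit validation; every real PAN passes it."""
    if not number.isdigit():
        return False
    total = 0
    # Walk from the rightmost digit and double every second digit.
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: only the last four digits remain (e.g. on receipts)."""
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    """Hypothetical in-memory token vault, constructed for this example.

    The vault is the only component that ever holds a real PAN; the
    merchant's applications store and pass around the token instead, which
    takes those systems out of the path of cardholder data. A production
    vault would keep the PAN table encrypted, segmented and tightly
    access-controlled; the mapping logic is what this example shows.
    """

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}
        self._pan_to_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        """Return a surrogate for pan, reusing the token if pan was seen before."""
        if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible PAN")
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            # Random digits replace everything but the last four, so the token
            # carries no information about the original card number.
            body = "".join(secrets.choice(DIGITS) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # A token must fail Luhn (so it can never pass as a real card
            # number) and must not collide with an existing token.
            if not luhn_valid(token) and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Resolve a token back to the PAN; only the settlement path should call this."""
        try:
            return self._token_to_pan[token]
        except KeyError:
            raise KeyError("unknown token") from None


def demo() -> dict[str, str]:
    """Round-trip a constructed test PAN (a well-known Luhn-valid test number)."""
    vault = TokenVault()
    pan = "4111111111111111"  # constructed test value, not a real card
    token = vault.tokenize(pan)
    return {
        "masked": mask_pan(pan),
        "token": token,
        "recovered": vault.detokenize(token),
    }


if __name__ == "__main__":
    print(demo())
```

Because the token is random rather than derived from the PAN, a breach of the merchant's database yields values that are useless to a fraudster without also compromising the vault, which is exactly the descoping effect the slide attributes to tokens.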

Risk Spectrum (diagram): Non-Compliant; Compliant; Risk Reducing; Descoping. Merchant goals: Address, Reduce, Manage. Active Risk Management.

Offices: Atlanta, Chicago, Cincinnati, Cleveland, Columbus, Costa Mesa, Denver, Houston, Los Angeles, New York, Orlando, Philadelphia, Seattle, Washington, DC. www.bakerlaw.com
These materials have been prepared by Baker & Hostetler LLP for informational purposes only and are not legal advice. The information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this information without seeking professional counsel. You should consult a lawyer for individual advice regarding your own situation. © 2014 Baker & Hostetler LLP. All Rights Reserved.