TRANSCRIPT
CYBERCRIME: What your Organization should be doing to Protect your Citizens
David Wallace, MBA, CISA, CISM, CISSP, GM, Global Merchant Compliance, Chase Paymentech
Increasing Threat Complexity
Malicious individuals continue to evolve attacks in an effort to obtain cardholder data that is processed, stored or transmitted.
[Figure: attack complexity plotted against time. Axes: Time (x), Complexity (y). Attack types shown: Transmission, Sniffers/Memory Parsers, Wireless Intrusion, Database Hack, Stolen Receipts/Cards, Custom Malware, Phishing. Source: 2008 PCI SSC Community Meeting]
Top 5 Reasons Breaches Happen
• #5 – Vulnerable Hardware & Software
• #4 – Default Passwords
• #3 – No Anti-Virus protection
• #2 – Known vulnerabilities not patched
• #1 – No Firewall
©2011, Chase Paymentech Solutions, LLC. All rights reserved
Put them all together…
• Remote (Internet) attack
– Attacker finds a system directly connected to the Internet
– Exploits an un-patched vulnerability to take control of the system
– Downloads cardholder data from the payment application
– Installs malware on the system to steal future transactions
• Point-of-Sale terminal theft and/or swap
– Attacker steals a terminal
– Extracts existing cardholder data
– Installs a skimmer
– Swaps compromised terminal with new terminal at another location and repeats
Fix your processes
• Physical security
– The Three Gs
– Cameras and alarms
• Identity verification/KYC
• Background checks
• User on-boarding and off-boarding
• Document/data retention
• Payment acceptance & processing
Have an Information Security Program
• A single, comprehensive set of enterprise information security policies, standards, baselines, and procedures:
– Simplifies culture change
– Simplifies compliance mandate responses by:
• Cataloging existing controls
• Speeding gap analysis
• Limiting expense and churn caused by new mandates
• Reduce “compliance” to a single core competency: Security
[Figure: compliance mandates addressed by one security program: PCI DSS, ISO 27002, FFIEC (OCC, FDIC, NCUA, FRB, OTS), GLBA, HIPAA, SOX 404, FISMA]
Excel at the Fundamentals
• Breaches happen because organizations don’t execute fundamentals well
– Access control policies (free)
– User management and verification
– Strong passwords, changes, and lockouts
– Anti-virus and patching
– Network boundaries
– Firewalls
– Remote access
• No one ever got breached because they didn’t have the latest security tool!
Protect the Endpoints
[Figure: skimming overlay fitted to a payment terminal. Panels: Overlay Front, Overlay Rear, Pinhole Camera, Front, Rear]
Skimming Attack – Public Transit
[Figure: Packaging, Secondary MSR (magnetic stripe reader)]
Skimming Attack – Modification
[Figure: PIN Capture Membrane, Bluetooth Module]
Adopt and Use Proven Technologies
• Secure payment acceptance products
– PTS Validated payment terminals
– PA DSS Validated Payment Applications
• Strong Authentication
• Encryption
• Tokenization
• EMV
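The deck lists tokenization as a proven technology against the "Database Hack" and "Downloads cardholder data from the payment application" scenarios above. The following is an added illustration, not code from the presentation or from Chase Paymentech: a hypothetical token vault keeps the PAN, the merchant's transaction record keeps only a random token and the last four digits, and a Luhn-based check confirms no stored field looks like a card number. The sample PAN is the well-known 4111... test number, not a real card.

```python
import secrets

# Constructed sample: a standard test PAN, not a real card number.
SAMPLE_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check; used to validate a PAN before tokenizing and to
    detect PAN-shaped values that leaked into a stored record."""
    if not pan.isdigit() or len(pan) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical vault. In a real deployment this lives in an isolated,
    PCI-scoped system and the PAN is stored encrypted; the merchant's own
    transaction database never sees the PAN, only the token."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        token = secrets.token_hex(16)   # random: nothing about the PAN is derivable
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


def record_transaction(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What the merchant's database stores: token plus last four, no PAN."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": pan[-4:], "amount_cents": amount_cents}


def record_is_pan_free(record: dict) -> bool:
    """Defensive check: no stored string field passes the Luhn test."""
    return not any(isinstance(v, str) and luhn_valid(v) for v in record.values())
```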
David Wallace, VP, Group Manager, Global Merchant Compliance, Chase Paymentech
T: 214.849.3394 [email protected]
www.chasepaymentech.com
Questions?
Additional Resources
• Chase Paymentech: http://www.chasepaymentech.com
• Cardholder Data Security: http://www.chasepaymentech.com/datasecurity
• PCI Security Standards Council: https://www.pcisecuritystandards.org/
• Validated Payment Applications: https://www.pcisecuritystandards.org/security_standards/vpa/
• PTS Certified devices: https://www.pcisecuritystandards.org/security_standards/ped/
• Self-Assessment Questionnaires: https://www.pcisecuritystandards.org/saq/index.shtml
• Prioritized Approach: https://www.pcisecuritystandards.org/education/prioritized.shtml
• Visa Cardholder Info Security Program: http://www.visa.com/
• MasterCard Site Data Protection Program: https://sdp.mastercardintl.com/