CYBERCRIME: What your Organization should be doing to Protect your Citizens

David Wallace MBA, CISA, CISM, CISSP
GM, Global Merchant Compliance
Chase Paymentech

Agenda
• What are the risks?
• What can you do?

What are the Risks?

Increasing Threat Complexity

Malicious individuals continue to evolve attacks in an effort to obtain cardholder data that is processed, stored or transmitted.

[Chart: attack complexity plotted against time. Labels on the chart: Stolen Receipts/Cards, Database Hack, Wireless Intrusion, Sniffers/Memory Parsers, Custom Malware, Phishing, and "???????" for whatever comes next. Source: 2008 PCI SSC Community Meeting]

Who Are The Opposition?

Top 5 Reasons Breaches Happen
• #5 – Vulnerable Hardware & Software
• #4 – Default Passwords
• #3 – No Anti-Virus protection
• #2 – Known vulnerabilities not patched
• #1 – No Firewall

©2011, Chase Paymentech Solutions, LLC. All rights reserved

Put them all together…

• Remote (Internet) attack
  – Attacker finds a system directly connected to the Internet
  – Exploits an unpatched vulnerability to take control of the system
  – Downloads cardholder data from the payment application
  – Installs malware on the system to steal future transactions

• Point-of-Sale terminal theft and/or swap
  – Attacker steals a terminal
  – Extracts existing cardholder data
  – Installs a skimmer
  – Swaps the compromised terminal with a new terminal at another location and repeats


What does it cost?

Source: Forrester Research, April 2007

What can you do?

Fix your processes
• Physical security
  – The Three Gs
  – Cameras and alarms
• Identity verification/KYC
• Background checks
• User on-boarding and off-boarding
• Document/data retention
• Payment acceptance & processing

Have an Information Security Program

A single, comprehensive set of enterprise information security policies, standards, baselines, and procedures:
• Simplifies culture change
• Simplifies compliance mandate responses by
  – Cataloging existing controls
  – Speeding gap analysis
  – Limiting expense and churn caused by new mandates

Reduce “compliance” to a single core competency: Security

• PCI DSS
• ISO 27002
• FFIEC (OCC, FDIC, NCUA, FRB, OTS)
• GLBA
• HIPAA
• SOX 404
• FISMA

Excel at the Fundamentals

Breaches happen because organizations don’t execute fundamentals well:
• Access control policies (free)
• User management and verification
• Strong passwords, changes, and lockouts
• Anti-virus and patching
• Network boundaries
• Firewalls
• Remote Access

No one ever got breached because they didn’t have the latest security tool!
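The "strong passwords, changes, and lockouts" fundamental is the one most often implemented badly, and it is the control that stands between the "default passwords" breach cause above and a remote attacker. As an added example (not part of the deck or of any Chase Paymentech material), here is a minimal login gate in Python: passwords are stored salted and hashed, and a sliding-window failure counter locks an account for a fixed period once too many failures land inside the window. The account name, password, thresholds and window lengths are constructed for illustration; real values come from your access control policy.

```python
import hashlib
import hmac
import secrets
import time
from collections import deque

# Constructed parameter for this example; take the real value from policy.
PBKDF2_ROUNDS = 100_000


def make_credential(password: str) -> tuple:
    """Salt and hash a password for storage; the plaintext is never kept."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password: str, credential: tuple) -> bool:
    salt, expected = credential
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(actual, expected)


# Verified against when the account does not exist, so a wrong user name costs
# the same time as a wrong password and does not reveal which accounts exist.
_DUMMY_CREDENTIAL = make_credential(secrets.token_hex(16))


class LockoutPolicy:
    """Sliding-window failure counter with a temporary per-account lockout.

    max_failures failures within window_seconds lock the account for
    lockout_seconds. The clock is injectable so the logic can be tested
    without sleeping.
    """

    def __init__(self, max_failures=5, window_seconds=300, lockout_seconds=900,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._failures = {}       # user -> deque of failure timestamps inside the window
        self._locked_until = {}   # user -> clock value at which the lockout ends

    def is_locked(self, user: str) -> bool:
        until = self._locked_until.get(user)
        if until is None:
            return False
        if self.clock() < until:
            return True
        # Lockout expired: forget it and start the failure count fresh.
        del self._locked_until[user]
        self._failures.pop(user, None)
        return False

    def record_failure(self, user: str) -> bool:
        """Count a failed attempt; returns True if this one triggered a lockout."""
        now = self.clock()
        window = self._failures.setdefault(user, deque())
        while window and now - window[0] > self.window_seconds:
            window.popleft()          # failures older than the window no longer count
        window.append(now)
        if len(window) >= self.max_failures:
            self._locked_until[user] = now + self.lockout_seconds
            return True
        return False

    def record_success(self, user: str) -> None:
        self._failures.pop(user, None)

    def attempt(self, user: str, password: str, credentials: dict) -> str:
        """Returns "locked", "ok" or "denied". A locked account is refused before
        the password is even checked, so guessing cannot continue during lockout."""
        if self.is_locked(user):
            return "locked"
        # Always run the hash so timing does not distinguish unknown users.
        matched = verify_password(password, credentials.get(user, _DUMMY_CREDENTIAL))
        if matched and user in credentials:
            self.record_success(user)
            return "ok"
        self.record_failure(user)
        return "denied"


if __name__ == "__main__":
    # Constructed account store: one back-office account, one strong passphrase.
    credentials = {"pos-admin": make_credential("correct horse battery staple")}
    policy = LockoutPolicy(max_failures=3, window_seconds=60, lockout_seconds=120)
    for guess in ("admin", "password", "123456", "correct horse battery staple"):
        print(guess, "->", policy.attempt("pos-admin", guess, credentials))
```

Two details carry the weight: the lockout check runs before the password is verified, so a locked account gives an attacker no further oracle, and an unknown user name is still hashed against a dummy credential so response time does not reveal which accounts exist. A lockout that never expires turns the control into a denial-of-service lever against your own users; a bounded lockout period is the usual compromise.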

Protect the Endpoints

[Photos of skimming hardware: a front and rear terminal overlay with a pinhole camera (front and rear views); a skimming attack on a public-transit terminal, packaging with a secondary MSR; and a terminal modification attack with a PIN capture membrane and a Bluetooth module]

Adopt and Use Proven Technologies
• Secure payment acceptance products
  – PTS Validated payment terminals
  – PA DSS Validated Payment Applications
• Strong Authentication
• Encryption
• Tokenization
• EMV
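Of the technologies listed, tokenization is the one that shrinks the problem rather than defending it: a merchant that stores only tokens has no cardholder data to hand over in the remote-attack scenario described earlier. As an added example (not part of the deck or of Chase Paymentech's products), the following Python sketch shows the vault pattern: the PAN is validated with the Luhn check, kept only inside the vault, indexed by an HMAC so the same card always maps to the same token, and replaced outside the vault by a token that keeps the last four digits but cannot pass as a card number. The index key, the in-memory dictionaries and the card numbers (well-known test numbers, not real accounts) are constructed for illustration; a production vault keeps the PAN encrypted under HSM-managed keys and sits in its own PCI scope.

```python
import hashlib
import hmac
import secrets

DIGITS = "0123456789"


def luhn_valid(number: str) -> bool:
    """Luhn (mod 10) check over a digit string; the last digit is the check digit."""
    if len(number) < 2 or not number.isdigit():
        return False
    total = 0
    for position, ch in enumerate(reversed(number)):
        digit = int(ch)
        if position % 2 == 1:          # every second digit from the right is doubled
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def normalize_pan(pan: str) -> str:
    """Drop spaces and dashes; reject anything that is not a plausible card number."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a valid PAN")
    return digits


def mask_pan(pan: str) -> str:
    """Display form for receipts and screens: only the last four digits are shown."""
    digits = normalize_pan(pan)
    return "*" * (len(digits) - 4) + digits[-4:]


class TokenVault:
    """Vault-style tokenization: the PAN stays in the vault, callers keep only the token.

    The lookup index is an HMAC of the PAN under a vault-only key, so the same card
    always returns the same token without the PAN itself being a searchable column.
    Tokens preserve the length and last four digits of the PAN (useful on receipts
    and for customer service) and are deliberately Luhn-invalid, so a leaked token
    cannot be mistaken for, or used as, a card number.
    """

    def __init__(self, index_key: bytes):
        self._index_key = index_key
        self._token_by_index = {}   # HMAC(PAN) -> token
        self._pan_by_token = {}     # token -> PAN (in a real vault: encrypted, HSM-backed)

    def _index(self, digits: str) -> str:
        return hmac.new(self._index_key, digits.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        digits = normalize_pan(pan)
        index = self._index(digits)
        if index in self._token_by_index:
            return self._token_by_index[index]     # same card, same token
        while True:
            head = "".join(secrets.choice(DIGITS) for _ in range(len(digits) - 4))
            token = head + digits[-4:]
            # Reject candidates that would pass Luhn or collide with an existing token.
            if not luhn_valid(token) and token not in self._pan_by_token:
                break
        self._token_by_index[index] = token
        self._pan_by_token[token] = digits
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault, or a system authorised to call it, ever sees the PAN again."""
        if token not in self._pan_by_token:
            raise KeyError("unknown token")
        return self._pan_by_token[token]


if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32))
    # Well-known test card numbers (Luhn-valid), not real accounts.
    for pan in ("4111 1111 1111 1111", "5555-5555-5555-4444", "378282246310005"):
        token = vault.tokenize(pan)
        print(mask_pan(pan), "->", token, "(luhn valid:", luhn_valid(token), ")")
```

Everything outside the vault (the POS, the order database, the receipt printer) works with the token or the masked form, which is what moves those systems out of the "stores cardholder data" category. The HMAC index is what lets "has this card been seen before?" be answered without keeping the PAN as a plain lookup key; rotate that key and the index must be rebuilt, so treat it as a vault secret alongside the encryption keys.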

David Wallace, VP, Group Manager, Global Merchant Compliance, Chase Paymentech
T: 214.849.3394 [email protected]
www.chasepaymentech.com

Questions?

Additional Resources

Chase Paymentech
• Chase Paymentech: http://www.chasepaymentech.com
• Cardholder Data Security: http://www.chasepaymentech.com/datasecurity

PCI Security Standards Council
• https://www.pcisecuritystandards.org/
• Validated Payment Applications: https://www.pcisecuritystandards.org/security_standards/vpa/
• PTS Certified devices: https://www.pcisecuritystandards.org/security_standards/ped/
• Self-Assessment Questionnaires: https://www.pcisecuritystandards.org/saq/index.shtml
• Prioritized Approach: https://www.pcisecuritystandards.org/education/prioritized.shtml

Card brands
• Visa Cardholder Info Security Program: http://www.visa.com/
• MasterCard Site Data Protection Program: https://sdp.mastercardintl.com/