retail roundtable - bakerhostetler · • a combined total of us $150,000 or more counterfeit fraud...

Retail Roundtable: Payment System Cyber Attacks – Preparing, Protecting, and Responding June 11, 2014

Panel Members

Craig Hoffman Partner T: 513.929.3491 C: 513.227.3286 cahoffman@bakerlaw.com www.dataprivacymonitor.com @BakerPrivacy @Craig_Hoffman

James Zerfas Chief of Security Technology James.Zerfas@vantiv.com

David Damato Director david.damato@mandiant.com

Jason Maloni SVP & Chair of the Litigation Practice T: 202.973.1335 C: 202.834.9677 jmaloni@levick.com @levick daily.levick.com

Spencer Timmel Privacy Liability and Network Security T: 513-354-1656 C: 513-518-1535 spencer.timmel@hylant.com

GLOSSARY

• PCI DSS = Payment Card Industry Data Security Standards

• PFI = PCI Forensic Investigator • QSA = Qualified Security Assessor • ROC = Report on Compliance • ADCR = Account Data Compromise Recovery • GCAR = Global Compromised Account Recovery • CPP = Common Point of Purchase • PAN = primary account number • CVV = card verification value • Track data = data in magnetic stripe

PCI Stakeholders

• Credit Card Brands (e.g. Visa, MasterCard) • Issuing Banks • Acquiring Banks/Credit Card Processors • Merchants • PCI Security Standards Council (SSC) • Assessors • Service Providers

Stages of a PCI Breach

• Discovery of incident (e.g. a CPP report) • Engagement of PFI • Calls with the acquirer/processor & card brands • Preliminary PFI report • Issuance of proactive alerts for at risk accounts • Final PFI report • Issuance of final alerts for at risk accounts • Remediation & revalidation of PCI DSS • GCAR, ADCR, DSOP process (fraud & reissuance

costs) • Fines and fees • Appeal

Credit Card Skimming Devices

Card Brand Assessment Programs

• Fines for non-compliance with PCI DSS • Case management fee • Fines for non-cooperation • Assessments to recover from the acquirer

and reimburse issuers: – Operating expenses (heightened monitoring

and card reissuance) – Incremental counterfeit fraud losses

Visa’s Program is GCAR GCAR Qualification (Updated) Effective for Qualifying CAMS Events or VAB Events in which the first or only alert is sent on or after 15 May 2012, Visa will determine Account Data Compromise Event qualification, Counterfeit Fraud Recovery and Operating Expense Recovery amounts, Issuer eligibility, and Acquirer liability under the Global Compromised Account Recovery (GCAR) program, in accordance with the Visa Global Compromised Account Recovery (GCAR) Guide. To qualify an Account Data Compromise Event under GCAR, Visa must determine that all of the following criteria have been met: • A Payment Card Industry Data Security Standard (PCI DSS), PIN Management Requirements Documents, or Visa PIN Security Program Guide violation has occurred that could have allowed a compromise of Account Number and Card Verification Value (CVV) Magnetic-Stripe Data, and PIN data for events also involving PIN compromise • Account Number and CVV Magnetic-Stripe Data has been exposed to a compromise • 15,000 or more eligible accounts were sent in CAMS Internet Compromise (IC) and/or Research and Analysis (RA) alerts indicating Account Number and CVV Magnetic-Stripe Data is potentially at Risk • A combined total of US $150,000 or more Counterfeit Fraud Recovery and Operating Expense Recovery for all Issuers involved in the event • Elevated Magnetic-Stripe counterfeit fraud was observed in the population of eligible accounts sent in the CAMS Alert(s) associated with the Account Data Compromise Event ID#: 150413-150512-0026565

PCI DSS 3.0 & Third Parties

What Causes a Breach to go Viral

• Record Setting Loss • Sensitive Community Affected • Competitive Media Markets • Concentration of Affected Parties in One Area • Delay in Notification • Customer Complaints Unanswered • Failure to Respond to Social Media

Caution is Killing Response

Effective Response

• Clear and Thorough • Compassionate • Responsive to Audience (employees,

customers, data holders) • Aggressive • Transparency but not a foolish Transparency

Great Customer Service

PCI Forensic Investigations

• Supported by PFI • Requires reporting to card brands

– Both a preliminary report within 5 days – Final report detailing the incident

• Can be expensive and resource intensive

Investigate Like a Pro

• Limit the cost / pain of the investigation – Select the right PFI

• Mitigate risk / reduce a breach’s scope – Implement a secure network architecture – Maintain proper logs and documentation

• Don’t make assumptions – Verify third party claims – Verify internal actions

Retail Cyber Exposures & Insurability

Credit Card Data Advertising & Social Media Other Forensics Defamation, Libel, Slander Employee Data

Public Relations Product Disparagement Loss of other Sensitive Info

Customer Notification Intellectual Property Infringement Virus Transmission

Credit Monitoring Misleading Advertising Denial of Service

Reg. Defence, Fines & Penalties

PCI Fines & Penalties

Business Interruption & EE

Loss of Customers: Rep Injury

Privacy Liability Class Actions

Bank Card Reissuance Liability

Data Restoration

Extortion Demands

Card Data Breach Costs - What’s the Right Number? Ponemon Institute Cost of a Data Breach, 2014

• $201/record: US • $105/record: Retail

NetDiligence 2013 Cyber Paid Claims Study • $97/record: median? • $307/record: average?

Public Information on Past Card Data Breaches • 130 Million Cards: $150mm: $1.15 per card? • 46 Million Cards: $250mm: $5.44 per card? • 40 Million Cards: $61million in first 3 months: Total Cost: t.b.d.?

• Somewhere in between? Hylant/NetDiligence Data Breach Cost Calculator

Increasing Exposure

• 75% of automated opportunistic attacks hit the Retail/Trade or Accommodation/Food Service industries

Verizon Data Breach Investigations Report

• Increased Regulatory Scrutiny: FTC, SEC, State AG

• Plaintiffs Bar continues to show their creativity

• Continued Legislation: State, Federal & International

Gap Analysis Traditional Coverage's Are Not Adequate General Liability Insurance – Coverage for bodily injury or property damage - Intentional acts are excluded - Intangible property is excluded Property Insurance – Coverage for loss of tangible property caused by a covered peril - Computer viruses are excluded - Intangible property is excluded - Business interruption coverage only applies if a direct physical loss or damage to covered property Crime Insurance – Coverage for theft of money, securities or other property - No coverage for theft of information, trade secrets and other confidential information Directors & Officers Liability Insurance – Coverage for claims alleging acts, errors and/or omissions committed by directors or officers of a company in their capacity:

Errors & Omissions Liability Policies – Coverage for claims resulting from an Insured’s rendering or failure to render professional services to others for a fee.

Global Cyber Coverage Marketplace • Global Annual Cyber Premiums estimated $1.0 to $1.5

billion

• Global Capacity: approximately $300 million: All industries • Card Data Capacity post 2013 breaches:

– Best In Class Insured's: $175-200mm

• 40+ Domestic Carriers, 20+ Lloyds Syndicates and elsewhere

• Domestic vs Lloyd’s Placements

• Developing Coverage

Loss Mitigation Tools

• Employee Training and Compliance • Remote scanning of web-facing external

infrastructure for vulnerabilities • Plug-In technology that shuns bad IP

addresses, preventing them from entering and exiting a company’s network

• Limited Free Consultation • Data Security Assessments

Spencer Timmel, CIPP/US, CIPM, CITRMS Spencer serves as the Network Security & Privacy Liability Product Leader. He provides risk management consultation and support to large revenue companies and manages the placements of their cyber programs. Spencer has over a 14 years of industry experience and holds several cyber industry designations; CIPP/US; CIPM; CITRMS

Merchant Risk and Security

© Copyright 2013 Vantiv, LLC. All rights reserved. Vantiv, and the Vantiv logo, and all other Vantiv product or service names and logos are registered trademarks or trademarks of Vantiv, LLC in the USA and other countries.® Indicates USA registration.

The Cost of Crime

TheftFraud

Carding

Merchant

Cardholder Data

$10B Global Card Fraud Losses (2012) Source: The Nilson Report, August 2013

$3.4B Impact of Data Breaches (2012) Sources: - Verizon 2012 Data Breach Investigations Report - The Ponemon Institute, 2013 Cost of Data Breach Study

Lost, Stolen, Counterfeit Cards

Fines, Remediation Costs, Reimbursements

Risks and Solutions

FraudTheft

Physical Attacks

System Breach

AccountData

Compromise

Counterfeit Cards

Lost/Stolen Cards

P2PE / Tokens

EMVChip

EMVPIN

Policy &Inspection

Surrogate Values

ISVVantiv

P2PE

Encrypt Decrypt

Tokenize

DeTokenize

Risk Spectrum

Merchant GoalsNon-

Compliant

Compliant

RiskReducing Descoping

Active Risk Management

AddressReduce

Manage

Atlanta Chicago Cincinnati Cleveland Columbus Costa Mesa Denver Houston Los Angeles New York Orlando Philadelphia Seattle Washington, DC www.bakerlaw.com

These materials have been prepared by Baker & Hostetler LLP for informational purposes only and are not legal advice. The information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this information without seeking professional counsel. You should consult a lawyer for individual advice regarding your own situation. ©2014 Baker & Hostetler LLP. All Rights Reserved.