Data Security, Fraud Prevention, and Cost Control Mike Dorland, CPP Regional Marketing Representative Michigan Retailers Association

Post on 21-Mar-2018


Page 1: Data Security, Fraud Prevention, and Cost Control MRA Tech Talk_0… · The oldest, non-bank organization operating in the merchant acquiring space, now specializing in all types

Data Security, Fraud Prevention, and Cost Control

Mike Dorland, CPP, Regional Marketing Representative

Michigan Retailers Association

Page 2

Michigan Retailers Association

• Incorporated in 1940
• Represents retail interests in Lansing, Michigan
• The oldest non-bank organization operating in the merchant acquiring space, now specializing in all types of non-cash treasury management solutions
• 5,500 merchants in 48 states and the District of Columbia, processing almost $1 billion annually
• ACH transactions
• Gift cards (storewide and community-wide solutions)

Page 3

Payment Card Industry Data Security Standard (PCI-DSS)

Page 4

What is PCI-DSS?

The Payment Card Industry Data Security Standard is the evolution of the various payment networks' earlier attempts to each create their own security protocols and procedures.

The standard is now "owned" and controlled by the PCI Security Standards Council. The PCI Council will continue to evaluate any changes that need to be made to the PCI standard through input from stakeholders.

Updated standards can be reviewed at www.pcisecuritystandards.org

Page 5

PCI Compliance

PCI compliance is a journey, not a destination. All businesses that accept or process credit card transactions should be constantly reviewing and identifying areas where card data might accumulate. Stand back and watch who "touches" a transaction and what they do with that data. Data often accumulates in unexpected areas of a business.

Staff members collect card data for many different reasons that seem legitimate at the time. Any time a staff member is collecting card data, someone should be asking whether it is really needed.

PCI compliance for most merchants is simply the completion of a Self-Assessment Questionnaire (SAQ). The completed SAQ should be held in the merchant's office for presentation if demanded by the card networks. SAQs should be completed on an annual basis.

Page 10

Data Security – Processor Level

Processors have started to see an increasing number of "hacking" attempts. These attempts have become more subtle, replacing the brute-force data grabs of the past.

Processors (and merchants) have become much better at protecting data that is "at rest", through encryption, firewalls, and other methods. Data in motion is still a problem.

Hackers have learned that accessing a system and lurking in it for days, weeks or months to collect data is more profitable than reaching in and simply grabbing a data file.

Page 11

Data Security – Merchant Level

• Merchants storing the complete and "UNALTERED" (non-encrypted) card data from a swiped transaction
• Protect data "at rest" AND "in motion"

With card stripe data, a perfect duplicate of the card can be created and used before the cardholder even suspects a problem. This allows someone to use a counterfeit card (with fake ID) anywhere he/she wants with little or no risk of capture.

Page 12

Data Security – Merchant POS

Hackers have learned that they can also "lurk" in a retailer's POS system and collect a significant amount of data. Remote access has become a major exposure point: businesses have legitimate business needs for allowing remote access, but if you have opened the door for remote access by your employees or vendors, you have also opened the door for a hacker!

In one case of a remote access hack, the bad guys hacked the POS vendor and used the login credentials on that system to access hundreds of retail POS systems. They were on the retailer's local systems for less than 5 minutes. Custom-made software was installed which simply captured the consumers' mag stripe data and sent it each night to eastern Europe.

Page 13

What is Carding?

Carding is the underground industry of selling and trading stolen card numbers. In less than 5 minutes, on the Internet…

• "Good" card numbers, sold in lots of 100, with a money-back guarantee!
• Card network "plastic" available by the box
• Skimming equipment and card encoding equipment

Page 19

PCI-DSS -- Limit the “Scope” First!

Page 20

[Diagram: a store network containing a Server and a Credit Card Processing machine]

ALL machines have to be PCI compliant?

Page 21

[Diagram: the same Server and Credit Card Processing machine, with a Firewall]

What is the scope of PCI compliance here? Just one machine has to be PCI compliant.

Page 22

What Data Can I Keep?

• Data falls into two different categories
• Protected (that which you can keep but must ALWAYS protect)
  • Card number
  • Expiration date
• Prohibited (which is never stored after the authorization of the transaction and settlement of the batch)
  • Mag stripe data
  • CVV2 data
  • PIN numbers

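The protected/prohibited split above is what a merchant's periodic "where does card data accumulate" review is looking for. The scanner below is an added example written for this page, not material from the presentation or the MRA; it assumes the review is run over text exports (POS logs, receipt files, spreadsheets saved as text) and uses constructed sample lines, not real cardholder data.

```python
import re

# Track 1 (%B<PAN>^<NAME>^<YYMM>..) and Track 2 (;<PAN>=<YYMM>..) as read from a swipe; storing either is prohibited.
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{4}")
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}")
# A CVV2/CVC2/CID value written next to its label; also prohibited after authorization.
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*[:=]\s*\d{3,4}\b", re.I)
# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")

def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; filters out order numbers and phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """First six and last four digits, the most a receipt or log should show."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_line(line: str) -> list:
    """Return (severity, description) findings for one line of text."""
    for name, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        m = rx.search(line)
        if m:  # the PAN inside the track is covered by this single finding
            return [("PROHIBITED", f"{name} data for PAN {mask_pan(m.group(1))}")]
    findings = []
    if CVV_RE.search(line):
        findings.append(("PROHIBITED", "CVV2/CVC2 value stored"))
    for m in PAN_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings.append(("PROTECTED", f"PAN {mask_pan(digits)} must be encrypted or truncated"))
    return findings

def scan_text(text: str) -> list:
    """Scan a whole file; returns (line number, severity, description) tuples."""
    return [(n, sev, desc) for n, line in enumerate(text.splitlines(), 1)
            for sev, desc in scan_line(line)]

# Constructed sample (not real cardholder data): a receipt export, a raw swipe left
# in a debug log, a CVV2 noted by a phone-order clerk, and a harmless order number.
SAMPLE = """2018-03-21 sale card 4111-1111-1111-1111 exp 12/25 amount 42.10
debug: swipe=;4111111111111111=25121011234567890?
phone order note: cvv2=123 for callback
order 1234567890123456 shipped"""
```

Running `scan_text(SAMPLE)` flags the first three lines (one protected PAN, one stored track, one stored CVV2) and ignores the order number, which fails the Luhn check.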

Page 23

12 Points of PCI-DSS Compliance

• Install and maintain a firewall configuration to protect data
• Do not use vendor defaults for system passwords
• Protect cardholder data
• Encrypt transmission of cardholder data across public networks
• Use updated anti-virus software
• Develop and maintain secure systems
• Restrict access to data by business need-to-know
• Assign a unique ID to each person with computer access
• Restrict physical access to data
• Track and monitor all access to networks and data
• Regularly test the systems and processes
• Maintain policies that address information security


Page 24

What Happens If…?

Bad things happen to good people; how do you protect yourself from a data breach? Data breach insurance is available and covers expenses related to a data breach:

• Forensic audit
• Card replacement expenses
• PCI assessments and fines
• Government fines

Usually $50,000 or $100,000 in coverage