Transcript of an 18-slide presentation (uploaded 03-Feb-2016).

Page 1: Payment Card Industry (PCI) and Security

The Unique Alternative to the Big Four®

Audit | Tax | Advisory | Risk | Performance

Payment Card Industry (PCI) and Security

Crowe Horwath LLP

Anatomy of Recent Card Breaches

Page 2: Payment Card Industry (PCI) and Security

© 2010 Crowe Horwath LLP

Presentation Objectives

Provide insight into possible or likely root causes behind public cases of card data breaches.

Discuss how specific PCI violations contributed to or prolonged the fraud.

Discuss technical and non-technical measures to decrease the risk and impact of card fraud.

Provide suggestions on how to make your organization a “hard target.”

Page 3: Payment Card Industry (PCI) and Security


Root Cause Analysis

No Payment Card Industry (PCI)-compliant organization is known to have suffered a card-related data security breach.

Not all the locations where cardholder data (CHD) resides were known or secured.

Servers containing or providing CHD were configured with superfluous application programs, and were not properly scoped and audited by a Qualified Security Assessor (QSA).

There were delays in arranging scans and assessments.

Test and production servers and networks were not properly separated.

Due to weak encryption and poor access controls, wireless networks were electronically “pried open” to reveal private areas of the network that store CHD.

Page 4: Payment Card Industry (PCI) and Security


Root Cause Analysis

Audit trails were not enabled to tie misconduct to a specific employee or consultant. The lack of audit trails hindered criminal investigations because it was not possible to tie an individual, or a time of day, to the incursion.

A group user ID was used instead of a unique user ID.

Point-of-sale (POS) terminals were not physically and logically hardened to prevent surreptitious removal and insertion of a monitoring or sniffing device. Tampered terminals were later returned to the retail locations, where they were used to capture PIN blocks.
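The two audit-trail failures above (no attribution to a person or a time, and a group ID in place of a unique one) are easy to check for once logs exist. The following is an added example, not part of the slides: it reads audit log lines in an assumed "<ISO timestamp> key=value ..." format, flags events with no user ID or no timestamp, flags events recorded under a group account, and flags one account active from several hosts inside a short window, which is how a shared credential usually shows up in the data. The log lines, the GROUP_ACCOUNTS set and the line format are all constructed for this example.

```python
"""Audit-trail attribution checks over constructed audit log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: an organisation would build this set from its own account inventory.
GROUP_ACCOUNTS = {"admin", "posuser", "shared", "root", "consultant"}

# Constructed sample audit log: line 5 has no user, line 6 has no timestamp,
# and 'posuser' is a group account seen from three hosts within a minute.
SAMPLE_LOG = """\
2010-03-01T02:14:05 user=jsmith host=pos-07 action=cashdrawer_open
2010-03-01T02:15:11 user=posuser host=pos-07 action=config_change key=log_level value=off
2010-03-01T02:15:40 user=posuser host=backoffice-1 action=export table=transactions
2010-03-01T02:16:02 user=posuser host=vpn-gw action=login
2010-03-01T03:02:00 host=pos-07 action=firmware_update
user=consultant action=db_query
"""

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s+")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Return (timestamp or None, dict of key=value fields) for one audit line."""
    m = TS_RE.match(line)
    ts = datetime.fromisoformat(m.group(1)) if m else None
    rest = line[m.end():] if m else line
    return ts, dict(KV_RE.findall(rest))


def audit_findings(log_text, group_accounts=GROUP_ACCOUNTS, window=timedelta(minutes=5)):
    """Return a list of (line_no, reason) findings; an empty list means every
    event can be tied to a unique user and a time."""
    findings = []
    activity = defaultdict(list)  # user -> [(timestamp, host, line_no)]
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        ts, f = parse_line(line)
        user = f.get("user")
        if ts is None:
            findings.append((n, "no timestamp: cannot tie the action to a time of day"))
        if user is None:
            findings.append((n, "no user ID: cannot tie the action to a person"))
        elif user in group_accounts:
            findings.append((n, f"group account '{user}' used instead of a unique user ID"))
        if ts is not None and user is not None and "host" in f:
            activity[user].append((ts, f["host"], n))

    # One ID active from several hosts inside the window: the credential is being shared.
    for user, events in activity.items():
        events.sort()
        for ts, _host, n in events:
            hosts = {h for t, h, _ in events if ts <= t <= ts + window}
            if len(hosts) >= 3:
                findings.append((n, f"'{user}' active from {len(hosts)} hosts within {window}"))
                break
    return findings


if __name__ == "__main__":
    for line_no, reason in audit_findings(SAMPLE_LOG):
        print(f"line {line_no}: {reason}")
```

The shared-credential check deliberately reports only the first window per account; an investigator wants the earliest point at which the ID was being used from more than one place, not a finding per event.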

Page 5: Payment Card Industry (PCI) and Security


What are some of the factors which increase the possibility of a successful fraud?

They are not just technical reasons!

Lack of policies

No antifraud program

Technology controls not driven by business process controls

Not learning from past industry frauds

Page 6: Payment Card Industry (PCI) and Security


PCI and Your Data and Information Security Policy

Required Elements: Approval; Annual Updating; Training

Policy areas shown on the slide:

Vulnerability Management

Cardholder Centric

Document Destruction

Document Retention

CHD Suppression

Wireless Control

PED (PIN entry device) Management

PED Approval

Vendor Oversight

Contracts

Adequate Policies Deter Fraud

Page 7: Payment Card Industry (PCI) and Security


PCI Data Storage Tips

Locate all your CHD: CHD not located is CHD not secured.

Don’t forget test and QA servers.

Single-purpose devices are a must.

Encrypt, encrypt, encrypt: data at rest and data in transit.

Don’t forget log files of every sort.

What about your ISP? What do they store?

Page 8: Payment Card Industry (PCI) and Security


Using PCI to Springboard Your Anti Fraud Program

Fraud Deterrence, built from four PCI-driven controls:

Log File Integrity Check

Strong Authentication

Use Anti Fraud Controls

Leverage Physical Security
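The slides name a log file integrity check but do not say how one works. As an added example, not part of the deck, here is one common construction: each stored line is "<record>|<tag>", where the tag is an HMAC-SHA256 over the previous line's tag and the record text, so the file is a chain. A verifier recomputes the chain and reports the index of the first line that does not check out, which catches edited, deleted and reordered records; truncation of the tail is caught by comparing the final tag against a copy kept off the host (the expected_last_tag parameter). LOG_KEY, the line format and the sample records are constructed for this example.

```python
"""Tamper-evident audit log: an HMAC hash chain over log records."""
import hashlib
import hmac

# Assumption: in a real deployment this key is held by the log collector or an HSM,
# not by the host writing the log, so a compromised host cannot re-seal its own edits.
LOG_KEY = b"example-log-sealing-key-not-for-production"
GENESIS_TAG = "0" * 64  # the chain starts from a fixed, well-known value

# Constructed records in the same shape as a POS/back-office audit log
SAMPLE_RECORDS = [
    "2010-03-01T02:14:05 user=jsmith host=pos-07 action=cashdrawer_open",
    "2010-03-01T02:15:11 user=agarcia host=pos-07 action=config_change key=log_level value=off",
    "2010-03-01T02:15:40 user=agarcia host=backoffice-1 action=export table=transactions",
]


def seal(prev_tag, record, key=LOG_KEY):
    """HMAC over the previous tag and this record: the link that chains the lines."""
    return hmac.new(key, (prev_tag + "\n" + record).encode(), hashlib.sha256).hexdigest()


def write_chain(records, key=LOG_KEY):
    """Return the stored lines for records, each carrying its chain tag."""
    lines, prev = [], GENESIS_TAG
    for rec in records:
        tag = seal(prev, rec, key)
        lines.append(f"{rec}|{tag}")
        prev = tag
    return lines


def last_tag(lines):
    """The final tag, which the writer ships to a separate store after each append."""
    return lines[-1].rpartition("|")[2]


def verify_chain(lines, key=LOG_KEY, expected_last_tag=None):
    """Return (True, None) if every line chains correctly, else (False, index of the
    first bad line); an index equal to len(lines) means the tail was truncated."""
    prev = GENESIS_TAG
    for i, line in enumerate(lines):
        rec, _, tag = line.rpartition("|")
        if not hmac.compare_digest(seal(prev, rec, key), tag):
            return False, i
        prev = tag
    if expected_last_tag is not None and not hmac.compare_digest(prev, expected_last_tag):
        return False, len(lines)
    return True, None


def demo():
    """Seal the sample records, then show three ways an insider might doctor them."""
    chain = write_chain(SAMPLE_RECORDS)
    offsite = last_tag(chain)
    edited = list(chain)
    edited[1] = edited[1].replace("agarcia", "jsmith")  # blame someone else for disabling logging
    deleted = [chain[0], chain[2]]                       # drop the record that turned logging off
    truncated = chain[:2]                                # drop the export record at the end
    return {
        "intact": verify_chain(chain, expected_last_tag=offsite),
        "edited": verify_chain(edited),
        "deleted": verify_chain(deleted),
        "truncated_no_reference": verify_chain(truncated),
        "truncated_with_reference": verify_chain(truncated, expected_last_tag=offsite),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Without the off-host copy of the last tag, cutting records off the end of the file passes verification, which is why the reference tag (or shipping the lines to a separate collector as they are written) is part of the control and not an optional extra.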

Page 9: Payment Card Industry (PCI) and Security


Point of Sale (POS) Fraud and PCI

Factors reducing POS risks:

Hardened Terminals

Deployment Controls

Physical Security

Tamper Resilience

Web Application Review

Incident Response

Strong Encryption

Separate Test Environment

Separate Production Environment

Separation of Duties

Page 10: Payment Card Industry (PCI) and Security


Transactional Fraud Statistics: Counterfeit PIN Card Fraud

[Chart: card counts from 0 to 300,000 by year, 1996 through 2006, for three series: Block & Reissue Cards; Fraud Cards Reported; Suspect Cards Identified. Source: Card Alert Fraud Manager]

Page 11: Payment Card Industry (PCI) and Security


Key Components of a PCI Anti Fraud Program

PREVENTION

Tone at the Top

Value System / Code of Conduct

Positive Workplace Environment

Training/ Awareness

Whistleblower Program

Incident Response

Disciplinary Examples

DETERRENCE

Oversight

Risk Assessment

Internal Audit

Data Analysis

DETECTION

Monitoring

Computer Aided Tools

Loss Mitigation

Page 12: Payment Card Industry (PCI) and Security


Using PCI Controls to Prevent Phishing and Identity Theft

People, Process, Technology

Data Analysis; Strong Authentication; Encryption; Adaptive Security

Procedures and Counter Measures

Tone at the Top; Honest, Ethical Culture; Staff Trained to Look for Red Flags

Fraud Check-ups; Fraud Hotline; Defined Incident Handling Process; Risk Assessment (check for red flags)

Page 13: Payment Card Industry (PCI) and Security


Past Fraud Events Provide a Roadmap for Helping Clients Avoid Common PCI Compliance Pitfalls

Do not retain unneeded data. After authorization and settlement, very little CHD need remain for inquiry and adjustment purposes. Securely dispose of CHD.

CHD not located is CHD not secured. Perform a reliable inventory of all servers, databases, test facilities, networks, paper records, and transaction and activity logs. Include all service providers and contractors in your search.

Don’t look for a silver bullet solution. There is no single product or service that can alleviate an enterprise’s PCI DSS compliance woes. Every business and every network is different, and PCI DSS controls must be tailored to the organization. There is no “one-size-fits-all” approach.

Page 14: Payment Card Industry (PCI) and Security


Past Fraud Events Provide a Roadmap for Helping Clients Avoid Common PCI Compliance Pitfalls

Prevent data leaks. Identify all physical and logical points through which CHD enters and leaves your client’s organization. This means scrutinizing data reports, log files, servers, email and file transfers.

Develop specific policies for handling and securing all data, networks and physical records which contain or provide access to CHD.

Train staff to prevent data leaks; they are the last line of defense for keeping sensitive information where it belongs.

Perform fraud check-ups.
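The "PCI Data Storage Tips" slide (locate all your CHD, don't forget test and QA servers or log files of every sort) and the inventory and data-leak points on the last two slides all come down to the same task: find card numbers in places nobody meant to store them. The following is an added example, not part of the deck: a PAN discovery pass over text sources such as a web server access log, a debug log on a test server and a back-office export. Candidates are runs of 13 to 19 digits (spaces or dashes allowed between groups) that pass the Luhn check, which removes most order numbers and timestamps; each hit is reported by source and line as a masked PAN (first six and last four digits), and redact() rewrites a line into that masked form so the finding itself does not create another copy of CHD. The source names and sample lines are constructed, and the card numbers are the usual industry test numbers, not real accounts.

```python
"""Find cardholder data where it should not be, then mask it."""
import re

# A digit not preceded by a digit, then 12-18 (digit + optional separator), then a
# final digit not followed by a digit: 13-19 digits in total.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn mod-10 check over a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """PCI-style truncation for display: first six, last four, the rest masked."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _pan_digits(match):
    """Strip separators from a candidate match; return digits only if Luhn-valid."""
    digits = re.sub(r"[ -]", "", match.group())
    return digits if luhn_ok(digits) else None


def find_pans(text):
    """Yield (line_no, digits) for each Luhn-valid candidate in text."""
    for n, line in enumerate(text.splitlines(), 1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = _pan_digits(m)
            if digits:
                yield n, digits


def scan_sources(sources):
    """sources: {name: text}. Returns [(name, line_no, masked_pan)] for every hit."""
    return [(name, n, mask_pan(d)) for name, text in sources.items() for n, d in find_pans(text)]


def redact(text):
    """Return text with every Luhn-valid PAN replaced by its masked form."""
    def repl(m):
        digits = _pan_digits(m)
        return mask_pan(digits) if digits else m.group()
    return PAN_CANDIDATE.sub(repl, text)


# Constructed sample sources: a PAN in a GET query string, a spaced PAN in a debug
# log on a test server, a dashed PAN in a CSV export, and a 16-digit order number
# that fails Luhn and must not be reported.
SAMPLE_SOURCES = {
    "web/access.log": (
        '10.1.2.3 - - [01/Mar/2010:14:22:01 -0500] "GET /pay?pan=4111111111111111&exp=0312 HTTP/1.1" 200 512\n'
        '10.1.2.4 - - [01/Mar/2010:14:22:09 -0500] "GET /order?id=1234567890123456 HTTP/1.1" 200 88\n'
    ),
    "test-server/debug.log": "DEBUG auth request card=5555 5555 5555 4444 amount=19.99\nDEBUG auth ok ref=00017\n",
    "backoffice/export.csv": "name,card,amount\nJ Smith,3782-822463-10005,42.00\n",
}

if __name__ == "__main__":
    for name, line_no, masked in scan_sources(SAMPLE_SOURCES):
        print(f"{name}:{line_no}: {masked}")
    print(redact("DEBUG auth request card=5555 5555 5555 4444 amount=19.99"))
```

The Luhn filter is what keeps a scan like this usable: any 16-digit identifier will match the candidate pattern, but only about one in ten of them will also pass the check, so the report is short enough to act on. The query-string hit is the one to look at first: a PAN sent in a GET request lands in every access log, proxy log and browser history along the path.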

Page 15: Payment Card Industry (PCI) and Security


What Could You Do if Your Fraud Check-Up Reveals Issues?

Increase Data Access Controls: Authentication; Encryption

Increase Data Analysis and Reaction Ability: Incident Response; Data Mining; Log File Analysis

Develop Anti Fraud Policy (where policies are deficient): Improve Code of Conduct; Conflicts of Interest; Create Fraud Hotlines; Oversight Committee

Page 16: Payment Card Industry (PCI) and Security


Regulatory and Legislative Responses to Fraud

Page 17: Payment Card Industry (PCI) and Security


Summary: Become a Hard Target

Look for the Red Fraud Flags

Systems Monitoring

Employee Training

React to the Flags of Fraud

Response Plan

New Product Fraud Reviews

Board or Management Approved Policy

Fraud Prevention Program Components

Employ Prevention Techniques

Annual, Independent Fraud Check-Up

Page 18: Payment Card Industry (PCI) and Security


Any Questions?

Contact Information

Bruce Sussman

973.422.7151

[email protected]

Crowe Horwath LLP