PCI Security Best Practices and Payment Trends
By Lisa Fennell & Randy Schroder, NISC
Objectives
• Discover the methods hackers are using to steal your credit card data
• Review the Payment Card Industry Data Security Standard (PCI DSS)
• Discuss security best practices for payment processing to reduce risk
• Take a look at some of the latest trends in payment solutions
What we think we look like to an attacker…
• Services (web/mail/DNS)
• Web applications (Java, PHP, .NET)
• Employees
What we REALLY look like to an attacker…
Data Compromise - Internal
Statistics
• $50 billion stolen annually from U.S. businesses by employees
• 7% of annual revenues lost to theft or fraud
• 75% of employees have stolen at least once from their employer
• 37.5% of employees have stolen at least twice from their employer
• 33% of all business bankruptcies caused by employee theft
Data Compromise - Internal
Employee Access
• In 2007 an employee (Database Administrator) of FIS subsidiary Certegy Check Services stole 3.2 million customer records including credit card, banking and personal information.
• Another means a dishonest employee can steal a customer's card is through use of a small, battery-operated "card skimmer." This hand-held device reads a card's magnetic stripe and records the cardholder data for later download to a computer. From there, the numbers can be used to make unauthorized purchases or create counterfeit cards.
Data Compromise - External
External Vulnerabilities
• Firewall and Wireless network security
• Point of Sale system compromises
• Data decryption point and data storage
• Network communications sniffers
• Malware (Trojans)
• Social Engineering (Phishing)
Data Compromise - External
Firewall
• Capital One announced a massive data breach on July 29, 2019, reporting that a hacker accessed the information of over 100 million Americans and 6 million Canadians who had applied for credit cards since 2005.
• The attacker exploited a misconfigured web application firewall in the bank's cloud environment to reach its credit card customer data.
Data Compromise - External
Wireless
• In 2007, thieves used retailer TJX's wireless networks to access systems that stored payment transactions at stores across the country, exposing more than 45 million customer credit and debit cards.
Data Compromise - External
Card Terminals
• Older magnetic-stripe POS systems that have not been upgraded to chip-and-PIN remain vulnerable to malware.
• Deep insert skimmers differ from typical insert skimmers in that they are hidden within the card reader transport.
Skimmers found at Walmart
• An overlay skimmer made to be fitted to an Ingenico credit card terminal has a PIN pad overlay to capture the user's PIN, and a mechanism for recording the data stored on a card's magnetic stripe when customers swipe their cards at self-checkout aisles.
• Here's how this overlay skimmer looks when it's attached.
• Think you'd be able to spot it?
*Images provided by Brian Krebs of krebsonsecurity.com
Data Compromise - External
Point of Sale
• Home Depot had 56 million credit and debit cards stolen in 2014, costing the company $63 million.
• Hackers used a vendor's stolen log-on credentials to penetrate Home Depot's network and install custom-built malware on self-checkout registers that stole customer payment-card data and e-mail addresses.
Data Compromise - External
Data Decryption
• Target had 40 million credit and debit cards stolen in 2013 when hackers compromised the part of Target's environment where card data was decrypted. The hackers used a vendor's sign-in credentials to install malicious software.
• Millions of the stolen card accounts were offered for sale on the black market at $20 to more than $100 per card.
Data Compromise - External
Network Sniffers
• In 2008, Heartland Payment Systems suffered the then largest-ever data breach: 130 million credit cards stolen.
• The breach occurred when criminal hackers sneaked malware onto Heartland's network that sniffed card data as it was processed and stored.
Data Compromise - External
Malware/Viruses
• In 2013, visitors to NBC.com-affiliated websites were infected with the Citadel banking trojan through an ad banner served by a third-party company.
• Once installed, it seeks to capture personal information, including banking credentials.
• The Citadel sample was detected by only 3 of 46 antivirus scanners (Fortinet, Panda and Rising), so it was very effective at eluding detection.
• It infected computers through vulnerabilities in PDF reader and Java software.
• To avoid being a victim, keep Java and Adobe PDF software patched to the latest versions, and uninstall them where they are not needed.
Data Compromise - Social Engineering
• Verizon Data Breach Investigations Report:
• Cybercriminals are increasingly using social engineering and phishing attacks to steal account credentials
• Stolen credentials were used in 4 out of 5 breaches
• Attackers are not creating new accounts; they use the accounts that are already there
• Having broken the passwords, they can hide out in regular traffic
The scope of PCI
• The major payment card companies formed the PCI Security Standards Council
• The requirements are not a law; the industry is self-regulated
• The acquirer (e.g. Fiserv) is the authority for SAQ selection
• Merchants are contractually obligated to their acquirer to maintain compliance
• The mission is to protect card data and limit scope and risk
• pcisecuritystandards.org
The scope of PCI
The primary account number (PAN) is the defining factor for cardholder data. Cardholder data also includes the cardholder name, expiration date, and service code when they are combined with the PAN.
The scope of PCI
Sensitive Authentication Data (SAD): additional data elements that may be transmitted or processed during authorization but must not be stored after authorization, even if encrypted:
• Full track data (magnetic stripe or chip equivalent)
• CAV2/CVC2/CVV2/CID
• PINs/PIN blocks
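Scope only holds if you know where PANs actually end up, and application logs are the classic place they leak. The Python below is an added example written for this page (it is not NISC's, Fiserv's or the PCI Council's code) of the discovery-and-scrubbing pass a practitioner runs over log text: it finds Luhn-valid PANs in the common 4-4-4-N, 4-6-5 and unseparated layouts, masks them to first six/last four (the most PCI DSS 3.2.1 requirement 3.3 allows to be displayed), and redacts sensitive authentication data (track 2, CVV2/CVC2/CID/CAV2, PINs) outright because it must not be stored at all. The log lines, field names and the spellings the SAD patterns look for are constructed for the demo; the card numbers are published test PANs.

```python
"""Find and scrub PANs and sensitive authentication data (SAD) in log text.

Added example for this page, not code from the presentation, NISC, Fiserv or
the PCI Council. The log lines and field names below are constructed for the
demo; the PANs are published test numbers.
"""
import re
from dataclasses import dataclass

# Candidate PANs: 13-19 digits in the common 4-4-4-N or 4-6-5 groupings, or unseparated.
# Lookarounds stop us matching a slice of a longer digit run (timestamps, hashes).
_PAN_CANDIDATE = re.compile(
    r"(?<![\d-])(?:\d{4}[ -]){3}\d{1,7}(?![\d-])"        # 4-4-4-N (Visa/MC/Discover style)
    r"|(?<![\d-])\d{4}[ -]\d{6}[ -]\d{5}(?![\d-])"        # 4-6-5 (Amex style)
    r"|(?<!\d)\d{13,19}(?!\d)"                             # no separators
)

# SAD may be processed but must never be stored, so it is redacted whole rather than masked.
_SAD_PATTERNS = {
    "track2": re.compile(r";\d{13,19}=\d{4}[^?]{0,30}\??"),                       # ;PAN=YYMM...?
    "cvv": re.compile(r"\b(?:cvv2?|cvc2?|cid|cav2?)\s*[:=]\s*\d{3,4}\b", re.I),    # verification code
    "pin": re.compile(r"\bpin(?:[ _-]?block)?\s*[:=]\s*[0-9a-f]{4,16}\b", re.I),   # PIN or PIN block
}


@dataclass
class Finding:
    line_no: int
    kind: str  # "pan" or one of the _SAD_PATTERNS keys; the secret itself is never recorded


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: every second digit from the right is doubled (18 -> 9)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def looks_like_pan(digits: str) -> bool:
    """13-19 digits, major-brand leading digit (2-6), Luhn-valid."""
    return 13 <= len(digits) <= 19 and digits[0] in "23456" and luhn_valid(digits)


def mask_pan(pan: str) -> str:
    """Keep first six and last four, the most PCI DSS 3.2.1 req. 3.3 allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scrub_line(line: str) -> tuple[str, list[str]]:
    """Redact SAD, then mask any remaining PANs; return the clean line and what was found."""
    kinds: list[str] = []
    for kind, pattern in _SAD_PATTERNS.items():
        line, n = pattern.subn(f"[{kind.upper()}-REDACTED]", line)
        kinds.extend([kind] * n)

    def _mask(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group())
        if not looks_like_pan(digits):
            return m.group()  # order number, epoch time, etc.: leave untouched
        kinds.append("pan")
        return mask_pan(digits)

    return _PAN_CANDIDATE.sub(_mask, line), kinds


def scan_log(lines: list[str]) -> tuple[list[str], list[Finding]]:
    """Scrub every line and report where PANs and SAD were found."""
    scrubbed, findings = [], []
    for no, line in enumerate(lines, start=1):
        clean, kinds = scrub_line(line)
        scrubbed.append(clean)
        findings.extend(Finding(no, k) for k in kinds)
    return scrubbed, findings


# Constructed sample log: a PAN in three layouts, full track 2, a CVV, and two look-alike numbers.
SAMPLE_LOG = [
    "2023-03-01 10:15:02 INFO payment ok card=4111 1111 1111 1111 exp=12/25 amount=84.20",
    "2023-03-01 10:15:09 DEBUG raw_track=;5555555555554444=2512101000001230?",
    "2023-03-01 10:16:44 WARN retry order=4111-1111-1111-1112 cvv2=123",
    "2023-03-01 10:17:00 INFO amex 378282246310005 approved auth=91AF2",
    "2023-03-01 10:17:30 INFO epoch_ms=1677665850000 nothing to see here",
]

if __name__ == "__main__":
    clean_lines, report = scan_log(SAMPLE_LOG)
    print("\n".join(clean_lines))
    for f in report:
        print(f"line {f.line_no}: {f.kind}")
```

Luhn plus the brand-prefix check weeds out the usual false positives (timestamps, order numbers, epoch values), which is why the Luhn-invalid order number and the 13-digit epoch above survive untouched while the three real test PANs are masked. The candidate patterns are deliberately narrow: a 19-digit PAN split 4-4-4-4-3 would not be matched by them, so tune them to the formats your own systems emit before relying on the scan.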
PCI-DSS Requirements
Who does it apply to?
"PCI DSS applies to all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD)." (Emphasis PCI Council)
Payment Card Industry (PCI) Data Security Standard
Merchant Penalties for Non-compliance
• Merchant categories:
• Level 3 merchants process over 20,000 e-commerce transactions per year
• Level 4 merchants process under 20,000 e-commerce transactions per year
• Card brand penalties for PCI non-compliance (monthly fines):
Visa (Level 3 only): $5,000 for months 1-3; $25,000 for months 4-6; $50,000 for months 7 and beyond
MasterCard (Level 3 only): $10,000 in the 1st year; $20,000 in the 2nd year; $40,000 in the 3rd year; $80,000 in the 4th year
Fiserv (both Level 3 and Level 4): $19.95 per MID (merchant ID)
Path to PCI Compliance
NISC has developed a Centralized Payment Gateway to transmit credit card data to First Data and is a level 1 service provider audited annually by Trustwave
Encryption and Tokenization
• Fiserv's TransArmor solution replaces the primary account number (PAN) with a "token"
• It combines encryption and tokenization to protect data
• Fiserv warrants the token against compromise and fraudulent use
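To make concrete what "replacing the PAN with a token" buys a merchant, here is a small Python model of a token vault and a merchant-side auto-pay record. It is an added example for this page, not TransArmor or iVUE code; its vault API, token format (leading 9, last four digits kept, Luhn deliberately broken), keyed PAN index and in-memory storage are this example's own assumptions, and the card numbers are published test PANs. The merchant side ends up holding only tokens, which cannot be reversed without the vault and cannot pass for a PAN; that is what takes the merchant's stored records out of scope.

```python
"""Toy token vault: what "replacing the PAN with a token" leaves on the merchant side.

Added example for this page. It is not Fiserv's TransArmor or NISC's iVUE code;
the vault API, token format and key handling are this example's own assumptions,
and the card numbers are published test PANs, not real cards.
"""
import hashlib
import hmac
import secrets
from typing import Optional


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check, used here to prove a token can never pass for a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Provider side: the only place a token can be turned back into a PAN.

    Demo assumption: the PAN table is a plain dict. A production vault encrypts it
    under HSM-managed keys, and protecting it is the provider's PCI burden.
    """

    def __init__(self, index_key: Optional[bytes] = None):
        self._index_key = index_key or secrets.token_bytes(32)
        self._pan_by_token: dict[str, str] = {}
        self._token_by_index: dict[str, str] = {}

    def _index(self, pan: str) -> str:
        # Keyed hash, not the PAN or a plain hash, as the lookup key: the PAN space is
        # small enough that an unkeyed hash table could be brute-forced offline.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    @staticmethod
    def _new_token(pan: str) -> str:
        """Format-preserving token: same length and last four as the PAN, rest random.

        Leading 9 is not issued by any major card brand and the Luhn check is forced
        to fail, so the token is neither mistaken for nor usable as a real PAN.
        """
        middle = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 5))
        token = "9" + middle + pan[-4:]
        if luhn_valid(token):
            # Changing one digit by one always moves the mod-10 sum off zero.
            token = token[0] + str((int(token[1]) + 1) % 10) + token[2:]
        return token

    def tokenize(self, pan: str) -> str:
        """Store the PAN and return its token; the same PAN always gets the same token."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        idx = self._index(pan)
        if idx in self._token_by_index:
            return self._token_by_index[idx]
        token = self._new_token(pan)
        while token in self._pan_by_token:  # astronomically rare, but tokens must be unique
            token = self._new_token(pan)
        self._pan_by_token[token] = pan
        self._token_by_index[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Map a token back to its PAN, e.g. when the provider submits the authorization."""
        return self._pan_by_token[token]  # KeyError for an unknown token


class AutoPayFile:
    """Merchant side, e.g. a billing system's recurring-payment records: tokens only."""

    def __init__(self, vault: TokenVault):
        self._vault = vault
        self.records: dict[str, str] = {}  # customer id -> token

    def enroll(self, customer_id: str, pan: str) -> str:
        # The PAN goes straight to the vault at enrollment and is never written locally.
        token = self._vault.tokenize(pan)
        self.records[customer_id] = token
        return token

    def luhn_valid_values(self) -> list[str]:
        """What a PAN scanner would report in the merchant's records: nothing."""
        return [v for v in self.records.values() if luhn_valid(v)]


if __name__ == "__main__":
    vault = TokenVault()
    autopay = AutoPayFile(vault)
    t = autopay.enroll("cust-001", "4111111111111111")
    print(t, luhn_valid(t), vault.detokenize(t))
```

Two properties carry the scope argument: the token is random rather than derived from the PAN, so no key recovery or brute force on the merchant side reverses it, and the same PAN always maps to one token, so recurring payments can be keyed on the token alone. Everything that can recover a PAN sits in the vault, which is the provider's problem.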
What are my options?
Determine which Self-Assessment Questionnaire (SAQ) applies:
• SAQ A: e-Commerce only, as customer self-service (SmartHub web/mobile, Pay Now and/or IVR SecurePay)
• SAQ B or B-IP: card terminals (Verifone), only if no e-Commerce
• SAQ C-VT: PC-based virtual terminals, only if no e-Commerce
• SAQ D: e-Commerce plus card terminals (Verifone) and/or PC-based virtual terminals
Note: PCI compliance rules apply only to your employees and the equipment that handles cards, not to customers' equipment.
Fiserv® Clover® Security Solution
• Easy-to-use online tool that helps merchants achieve and maintain PCI DSS compliance
• Includes the quarterly external network vulnerability scans that PCI DSS requires of merchants
How does NISC help members with this?
• NISC has a CyberSecurity team for PCI assistance
• Subscribe to the NISC Community Cybersecurity and Payment spaces
• NISC's PCI Toolkit provides clear direction and relevant downloads
NISC's five-tier Cybersecurity Services arsenal
NISC's CyberSecurity Educational Kit
NISC has developed a free tool kit, available to Members, which includes educational animations, social media options and other marketing materials such as bill inserts to help share the message of cyber security awareness.
NISC Payment Options for Customers
SmartHub Web or Mobile App
CallCapture Secure Payments IVR*
Pay Now Website (no registration required)
Auto-Pay Recurring Payments
NISC Payment Options for Employees
iVUE Cash Register with Verifone device*
One-time payments can be keyed, swiped or tapped (contactless) on the Verifone
New iVUE Connect Cashier Persona with Verifone device*
Signing up for auto-pay is available
*No network isolation of the PC is required, since card data is encrypted on the Verifone card terminal and does not pass through the PC
iVUE Connect or Cash Register with Verifone
Verifone MX925 and P200Plus: EMV and contactless compliant
Front counter with glass, using two Verifones
PCI & EMV - What’s the difference?
"PCI DSS provides a baseline of technical and operational requirements designed to protect account data."
Payment Card Industry (PCI) Data Security Standard, v3.2.1: https://www.pcisecuritystandards.org/document_library
"EMV® Chip Specifications describe the requirements...to enable secure contact and contactless transactions…"
EMV Payment Acceptance: https://www.emvco.com/about/overview/
Verifone's VHQ web tool
• VHQ is Verifone's solution for monitoring and managing the devices
• Any software updates will be pushed from VHQ
Auto-Pay File Upload
Auto-pay file card numbers are tokenized in iVUE and are therefore not in PCI scope
Mobile Devices
Future integration of AppSuite with Verifone card terminal
• Keeps phone or tablet out of PCI scope
• Secure encrypted transmission of card data
Prepaid Billing Solution
Easy and Convenient
Increased control over energy costs
Smaller, incremental payments
Avoid security deposit
Appealing to all income brackets and age levels
NISC’s Prepaid Customers in 37 states
• 245 Live
• 36 in Progress or Scheduled
Payment Considerations for Prepaid
• The typical customer pays 4 to 5 times per month
• Payments must be convenient, with 24/7 access
• A higher percentage of customers are unbanked
• Consider credit card fees (roughly 4 times the normal amount, since each of those payments incurs a fee)
• Consider the number of NSF (non-sufficient funds) checks for check payments
• Payment arrangements are percentage-based
US Payments Kiosks
• Indoor, Outdoor, and Through-the-wall models.
• Cash, check or charge payments.
• For more information please contact:
Tyler Bush, USP
Ph: 918-728-3822
MoneyGram real-time Payment interface
• Real-time cash payment interface for utilities at Walmart, CVS Pharmacy, and many other retail outlets.
• No setup or monthly costs to the utility
• Customer charged a $1.50 fee
Fidelity Express real-time Payment interface
• Fidelity Express real-time cash payment solution available at many “mom and pop” stores in 18 states.
• $2,500 setup fee from NISC.
• Customer fee is negotiated with FE (typically $1.50)
Western Union real-time Payment interface
• Western Union real-time cash payment solution at Walgreens and many other stores.
• No setup or monthly costs to the utility
• Customer pays $1.50 fee
• In the online locator, select "Quick Collect"
Online Bill Payment Services
• A customer can enroll in the bill payment service to view their bill, or can simply pay it without enrolling
• Enrolled customers can see the PDF image of their bill and make payments
• Funds are deposited to the utility's account within 24 hours
• Exception handling for rejects and returns
Incomm/Cashtie future option in 2020
• “Vanilla Direct” will provide a real-time cash payment solution at Dollar General, Family Dollar, CVS Pharmacy and others.
• Barcode Integration with SmartHub Web & Mobile and AMS bill print.
Barcode Delivery Methods
• Bill statements
• Prepaid card
• SmartHub Mobile
• SmartHub Web