Payment Card Industry (PCI) and Security: Anatomy of Recent Card Breaches
Crowe Horwath LLP
Presentation Objectives
• Provide insight into possible or likely root causes behind public cases of card data breaches
• Discuss how specific PCI violations contributed to or prolonged the fraud
• Discuss technical and non-technical measures to decrease the risk and impact of card fraud
• Provide suggestions on how to make your organization a “hard target”
Root Cause Analysis
• No Payment Card Industry (PCI)-compliant organization is known to have suffered a card-related data security breach
• Not all the locations where cardholder data (CHD) resides were known or secured
• Servers containing or providing CHD were configured with superfluous application programs and were not properly scoped and audited by a qualified security assessor (QSA)
• Delays in arranging scans and assessments
• Test and production servers and networks were not appropriately separated
• Due to weak encryption and poor access controls, wireless networks were electronically “pried open” to reveal private areas of the network that store CHD
Root Cause Analysis (continued)
• Audit trails were not enabled to tie misconduct to a specific employee or consultant. The lack of audit trails hindered criminal investigations because it was not possible to tie an individual, a time, or a time of day to the incursion.
• A group user ID was used instead of a unique user ID.
• Point-of-sale (POS) terminals were not physically and logically hardened to prevent surreptitious removal and insertion of a monitoring or sniffing device. The terminals were later returned to the retail locations, where they were used to capture PIN blocks.
What are some of the factors which increase the possibility of a successful fraud?
• They are not just technical reasons!
• Lack of policies
• No antifraud program
• Technology controls not driven by business process controls
• Not learning from past industry frauds
PCI and Your Data and Information Security Policy
• Required Elements
• Approval
• Annual Updating
• Training
(Diagram labels: Vulnerability Management, Cardholder Centric, Document Destruction, Document Retention, CHD Suppression, Adequate Policies Deter Fraud, Wireless Control, PED Management, PED Approval, Vendor Oversight, Contracts)
PCI Data Storage Tips
• Locate all your CHD
• CHD not located is CHD not secured
• Don’t forget test and QA servers
• Single-purpose devices are a must
• Encrypt, encrypt, encrypt
  • Data at rest
  • Data in transit
• Don’t forget log files of every sort
• What about your ISP? What do they store?
Using PCI to Springboard Your Anti-Fraud Program
(Diagram labels: Log File Integrity Check, Strong Authentication, Fraud Deterrence, Use Anti-Fraud Controls, Leverage Physical Security)
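The root-cause slides above faulted audit trails that were never enabled and group user IDs that could not be tied to a person, and this slide lists a log file integrity check as a springboard control. The following Python code is an added example, not from the presentation, of an append-only audit trail that addresses both: every entry names an individual user ID and a timestamp, and each entry carries an HMAC-SHA256 over its content plus the previous entry's tag, so editing, reordering or deleting an entry breaks the chain and verification reports the first bad sequence number. The key, the list of shared account names and the entries are constructed for the example; in production the key would be held in an HSM or key service and the latest tag anchored somewhere the log writer cannot reach, which is what makes truncation detectable.

```python
import hashlib
import hmac
import json

# Constructed for the example: account names treated as shared/group IDs and
# refused, because an entry under a group ID cannot be tied to one person.
SHARED_ACCOUNTS = {"admin", "operator", "pos", "shared"}

GENESIS = "0" * 64  # chain anchor for the first entry


def _canonical(body: dict) -> bytes:
    # Sorted keys and no whitespace so the same entry always serialises identically.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def _tag(key: bytes, body: dict) -> str:
    return hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()


class AuditLog:
    """Append-only audit trail; each entry's HMAC covers the previous entry's HMAC."""

    def __init__(self, key: bytes):
        self._key = key
        self.entries = []

    def head(self) -> str:
        """Tag of the latest entry; anchor this externally to detect truncation."""
        return self.entries[-1]["mac"] if self.entries else GENESIS

    def append(self, user_id: str, action: str, ts: str) -> dict:
        if not user_id or user_id.lower() in SHARED_ACCOUNTS:
            raise ValueError("audit entries must name an individual user ID, not a group ID")
        body = {
            "seq": len(self.entries) + 1,
            "ts": ts,
            "user": user_id,
            "action": action,
            "prev": self.head(),
        }
        entry = dict(body, mac=_tag(self._key, body))
        self.entries.append(entry)
        return entry


def verify_chain(entries: list, key: bytes, expected_head: str = None):
    """Return (True, None) if intact, else (False, seq) for the first entry that fails."""
    prev = GENESIS
    for i, entry in enumerate(entries, start=1):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if body.get("seq") != i or body.get("prev") != prev:
            return False, i  # reordered, inserted or deleted entry
        if not hmac.compare_digest(_tag(key, body), entry.get("mac", "")):
            return False, i  # content edited after the fact
        prev = entry["mac"]
    if expected_head is not None and prev != expected_head:
        return False, len(entries) + 1  # tail was truncated
    return True, None


def who_did(entries: list, action_substring: str) -> list:
    """Investigator helper: (user, timestamp) of each entry whose action matches."""
    return [(e["user"], e["ts"]) for e in entries if action_substring in e["action"]]


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-production"
    log = AuditLog(key)
    log.append("bsmith", "void_txn 88213", "2009-03-02T10:14:07Z")
    log.append("jdoe", "export_report", "2009-03-02T10:20:00Z")
    print("intact:", verify_chain(log.entries, key, log.head()))
    print("void_txn by:", who_did(log.entries, "void_txn"))
```

The value for an investigation is the last function: with unique IDs and a verified chain, a voided transaction or a price change maps to one named person at one time, which is exactly what the breached organisations on the root-cause slides could not produce.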
Point of Sale (POS) Fraud and PCI
• Factors reducing POS risks
(Diagram labels: Physical Security, Hardened Terminals, Deployment Controls, Tamper Resilience, Web Application Review, Fraud, Separation of Duties, Incident Response, Strong Encryption, Separate Production Environment, Separate Test Environment)
Transactional Fraud Statistics: Counterfeit PIN Card Fraud
(Chart; source: Card Alert Fraud Manager)
Using PCI Controls to Prevent Phishing and Identity Theft
(Diagram columns: People, Process, Technology)
• Tone at the Top
• Honest, Ethical Culture
• Staff Trained to Look for Red Flags
• Data Analysis
• Strong Authentication
• Encryption
• Adaptive Security Procedures and Countermeasures
• Fraud Check-ups
• Fraud Hotline
• Defined Incident Handling Process
• Risk Assessment – Check for Red Flags
Past Fraud Events Provide a Roadmap for Helping Clients Avoid Common PCI Compliance Pitfalls
• Do not retain unneeded data. After authorization and settlement, very little CHD needs to remain for inquiry and adjustment purposes. Securely dispose of CHD.
• CHD not located is CHD not secured. Perform a reliable inventory of all servers, databases, test facilities, networks, paper records, and transaction and activity logs. Include all service providers and contractors in your search.
• Don’t look for a silver-bullet solution. There is no single product or service that can alleviate an enterprise’s PCI DSS compliance woes. Every business and every network is different, and PCI DSS controls must be tailored to the organization. There is no “one-size-fits-all” approach.
Past Fraud Events Provide a Roadmap for Helping Clients Avoid Common PCI Compliance Pitfalls (continued)
• Prevent data leaks. Identify all physical and logical points through which CHD enters and leaves your client’s organization. This means scrutinizing data reports, log files, servers, email, and file transfers.
• Develop specific policies for handling and securing all data, networks, and physical records that contain or provide access to CHD.
• Train staff to prevent data leaks, establishing a last line of defense that keeps sensitive information where it belongs.
• Perform fraud check-ups.
What Could You Do if Your Fraud Check-Up Reveals Issues?
Policies Deficient
• Improve Code of Conduct
• Create Conflicts of Interest
Increase Data Analysis and Reaction Ability / Increase Data Access Controls
• Incident Response
• Data Mining
• Log File Analysis
• Authentication
• Encryption
Develop Anti-Fraud Policy
• Create Fraud Hotlines
• Oversight Committee
Summary: Become a Hard Target
Fraud Prevention Program Components
• Board- or Management-Approved Policy
• Look for the Red Fraud Flags
• React to the Flags of Fraud
• Employ Prevention Techniques
• Systems Monitoring
• Response Plan
• Employee Training
• New Product Fraud Reviews
• Annual Independent Fraud Check-Up
Any Questions?
Contact Information
Bruce Sussman
973.422.7151
bruce.sussman@crowehorwath.com
Crowe Horwath LLP