1 / 18

Payment Card Industry (PCI) and Security

Payment Card Industry (PCI) and Security. Crowe Horwath LLP Anatomy of Recent Card Breaches. Presentation Objectives. Provide insight into possible or likely root causes behind public cases of card data breaches Discuss how specific PCI violations contributed to or prolonged the fraud

dorie
Download Presentation

Payment Card Industry (PCI) and Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Payment Card Industry (PCI) and Security Crowe Horwath LLP Anatomy of Recent Card Breaches

  2. Presentation Objectives • Provide insight into possible or likely root causes behind public cases of card data breaches • Discuss how specific PCI violations contributed to or prolonged the fraud • Discuss technical and non-technical measures to decrease the risk and impact of a card fraud. • Provide suggestions on how to make your organization a “hard target.”

  3. Root Cause Analysis • No Payment Card Industry (PCI)-compliant organization is known to have suffered a card-related data security related breach • Not all the locations where card holder data (CHD) resides were known or secured • Servers containing or providing CHD were configured with superfluous application programs and were not properly scoped and audited by a qualified security assessor (QSA) • Delays in arranging scans and assessments • There were inappropriate distinctions between test versus production servers and networks • Due to weak encryption and poor access controls, wireless networks were electronically “pried open” to reveal private areas of the network which store CHD

  4. Root Cause Analysis • Audit trails were not enabled to tie misconduct to a specific employee or consultant. Lack of audit trails hindered criminal investigations because it was not possible to tie an individual time or time of day to the incursion. • A group user ID was used instead of a unique user ID. • Point-of-sale (POS) terminals were not physically and logically hardened to prevent surreptitious removal and inserting of a monitoring or sniffing device. The terminals were later returned to the retail locations, where they were used to capture PIN blocks.

  5. What are some of the factors which increase the possibility of a successful fraud? • They are not just technical reasons ! • Lack of policies • No antifraud program • Technology controls not driven by business process controls • Not learning from past industry frauds

  6. Vulnerability Management Cardholder Centric Document Destruction Document Retention CHD Suppression Adequate Policies Deter Fraud Wireless Control PED Management PED Approval Vendor Oversight Contracts PCI and Your Data and Information Security Policy • Required Elements • Approval • Annual Updating • Training

  7. PCI Data Storage Tips • Locate all your CHD • CHD not located is CHD not secured • Don’t forget to test and to QA servers • Single purpose devices are a must • Encrypt, encrypt, encrypt • Data at rest • Data in transit • Don’t forget log files of every sort • What about your ISP? What do they store?

  8. Log File Integrity Check Strong Authentication Fraud Deterrence Use Anti Fraud Controls Leverage Physical Security Using PCI to Springboard Your Anti Fraud Program

  9. Physical Security Hardened Terminals Deployment Controls Tamper Resilience Web Application Review Fraud Separation of Duties Incident Response Strong Encryption Separate Production Environment Separate Test Environment Point of Sale (POS) Fraud and PCI • Factors reducing POS risks

  10. Source: Card Alert Fraud Manager Transactional Fraud Statistics: Counterfeit PIN Card Fraud

  11. Key Components of a PCI Anti Fraud Program

  12. People Process Technology Using PCI Controls to Prevent Phishing and Identity Theft • Tone at The Top • Honest Ethical Culture • Staff Trained to Look for Red Flags • Data Analysis • Strong Authentication • Encryption • Adaptive Security Procedures and Counter Measures • Fraud Check-ups • Fraud Hotline • Defined Incident Handling Process • Risk Assessment – Check for Red Flags

  13. Past Fraud Events Provide a Roadmap for Helping Clients Avoid Common PCI Compliance Pitfalls • Do not retain unneeded data. After authorization and settlement, very little CHD need remain for inquiry and adjustment purposes. Securely dispose of CHD. • CHD not located is CHD not secured. Perform a reliable inventory of all the servers, databases, test facilities, networks, paper records, and transaction and activity logs. Include all service providers and contractors in your search. • Don’t look for a silver bullet solution. There is no single product or service that can alleviate an enterprise's PCI DSS compliance woes. Every business and every network is different, and PCI DSS controls must be tailored to an organization. There is no “one-size-fits-all approach."

  14. Past Fraud Events Provide a Roadmap for Helping Clients Avoid Common PCI Compliance Pitfalls • Prevent data leaks. Identify all physical and logical points through which CHD enters and leaves your client’s organization. This will mean scrutinizing data reports, log files, servers, email and file transfers. • Develop specific policies for handling and secure all data, networks and physical records which contain or provide access to CHD. • Train staff to prevent data leaks to establish a last line of defense to ensure sensitive information stays put. • Perform fraud check-ups.

  15. Policies Deficient • Improve Code of Conduct • Create Conflicts of Interest Increase Data Analysis and Reaction Ability Increase Data Access Controls • Incident Response • Data Mining • Log File Analysis • Authentication • Encryption Develop Anti Fraud Policy • Create Fraud Hotlines • Oversight Committee What Could You Do if Your Fraud Check-Up Reveals Issues?

  16. Regulatory and Legislative Responses to Fraud

  17. Fraud Prevention Program Components Board or Management Approved Policy Look for the Red Fraud Flags React to the Flags of Fraud Employ Prevention Techniques Systems Monitoring Response Plan Employee Training New Product Fraud Reviews Annual – Independent Fraud Check-Up Summary: Become a Hard Target

  18. Any Questions? Contact Information Bruce Sussman 973.422.7151 bruce.sussman@crowehorwath.com Crowe Horwath LLP

More Related