This article explores how the internet has changed credit card fraud and discusses the efforts made to secure credit card data. It also examines the Payment Card Industry Data Security Standard (PCI DSS) and the impact of online transactions on card fraud.
Credit Card Data Security
CS7403, University of Tulsa
Tyler Moore
Agenda
• How the Internet has changed credit card fraud
• The quest to secure credit card data: PCI DSS
• Efforts to improve CNP e-commerce payments
Credit Card Fraud Pre-Internet
• Card-present fraud
  • Criminals created counterfeit cards using copied magstripe details
• Card-based countermeasures: CVVs, then EMV
• Network-based countermeasures
  • Terminal maintains a hot card list of stolen card #s
  • Merchant floor limits: any transaction over this limit requires online/phone authorization from the card network
Card Fraud is Cyclical
[Chart: UK Card Fraud. Source: UK Payments Administration]
Credit-card Fraud Pre-Internet
• Card-not-present (CNP) transactions
  • Mail-order and telephone-order transactions
  • Higher risk because the criminal needs only the CC# and expiry to carry out fraud; nothing has to be loaded onto a physical card
• Liability rules set by card networks for mag-stripe cards
  • Regulations limit cardholder liability for fraud
  • Card-present fraud: issuer pays
  • Card-not-present fraud: merchant pays
• Once commerce moves online, the burden for fraud shifts from issuers to merchants
Recall: Shift from Card-Present to CNP Fraud following EMV deployment
[Chart: UK Card Fraud. Source: UK Payments Administration]
How the Internet has Changed the Nature of Card Fraud
• The Internet does not only raise the share of CNP transactions
• 1990s web designers worried that a network attacker could eavesdrop on credit card payments and steal card numbers
  • So SSL/TLS was born
  • Banks pushed SET, which was more secure but never took off
• In practice, a network attacker stealing individual CC#s is rare
How the Internet has Changed the Nature of Card Fraud
• The real card-fraud threat from the Internet
  • Phishing and social engineering make large-scale credential theft from consumers scalable
  • Cybercriminals targeted merchant systems and databases to steal card data en masse, then sold it in underground online marketplaces
• Regulators and banks have tried (with mixed success) to combat phishing
• Card networks established PCI DSS to raise operational security at merchants
PCI DSS: Payment Card Industry Data Security Standard
• Standard that is applied to:
  • Merchants
  • Service providers (third-party vendors, gateways)
  • Systems (hardware, software)
• That:
  • Store cardholder data
  • Transmit cardholder data
  • Process cardholder data
• Applies to:
  • Electronic transactions
  • Paper transactions
Slide from Gregory Dove, Cal State
PCI DSS Exempt Myth
• All merchants are subject to the standard and to card association rules (no exemption is provided to anyone)
• Immunity does not apply because:
  • The requirement is contractual, not regulatory or statutory
  • Card associations can be selective about whom they provide services to
  • Merchants accept services on a voluntary basis
  • Merchants agree to abide by association rules when they execute the e-merchant bank agreement
  • Acquiring banks are prohibited by association rules from indemnifying a merchant for non-compliance
Slide from Gregory Dove, Cal State
Req. 1: Install and maintain a firewall to protect cardholder data
• Must identify all connections between systems touching cardholder data and other networks
• Any such connection must be documented with a business justification and a technical description of its configuration
• Diagram all cardholder data flows across systems and networks
• Review and revise every 6 months
Data Restriction Requirements
• Merchants may not store "sensitive authentication data after authorization", including:
  • Security code (CVV)
  • Mag-stripe data
  • PINs
Req. 3: Protect stored cardholder data
• 3.1: Limit storage and retention time
• 3.2: Do not store authentication data after authorization (even if encrypted)
• 3.3: Hide all but the last 4 or first 6 digits of the PAN from all employees unless there is a "business need"
• 3.4: Make the PAN unreadable anywhere it is stored (use hash functions or tokens)
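The two preceding slides describe what a merchant may keep after authorization and in what form. The following is an added example, not code from the slides, showing one way a merchant back-end could apply those rules to a transaction record before persisting it: it drops the sensitive authentication fields (Req. 3.2), produces a first-6/last-4 masked PAN for display (Req. 3.3), and replaces the PAN itself with a keyed hash token (Req. 3.4). The transaction dictionary, field names and the test PAN 4111111111111111 are constructed for the example. A keyed hash (HMAC) rather than a plain hash is used because the PAN space is small enough that an unkeyed hash can be brute-forced once the BIN is known.

```python
import hashlib
import hmac
from typing import Any, Dict

# Field names are assumed for this example; Req. 3.2 forbids retaining any
# of these after authorization, even encrypted.
SENSITIVE_AUTH_FIELDS = ("cvv", "track_data", "pin", "pin_block")


def luhn_valid(pan: str) -> bool:
    """Mod-10 check so malformed PANs are rejected before they reach storage."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Req. 3.3: expose at most the first 6 and last 4 digits."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def tokenize_pan(pan: str, key: bytes) -> str:
    """Req. 3.4: keyed hash of the PAN (HMAC-SHA256).

    The key must live outside the cardholder-data store; without it the
    token cannot be linked back to a PAN by exhaustive search.
    """
    if len(key) < 32:
        raise ValueError("token key must be at least 32 bytes")
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def prepare_for_storage(txn: Dict[str, Any], token_key: bytes) -> Dict[str, Any]:
    """Return a copy of an authorized transaction that is safe to persist."""
    pan = txn["pan"]
    if not luhn_valid(pan):
        raise ValueError("PAN fails Luhn check")
    stored = {
        k: v for k, v in txn.items()
        if k not in SENSITIVE_AUTH_FIELDS and k != "pan"
    }
    stored["pan_masked"] = mask_pan(pan)
    stored["pan_token"] = tokenize_pan(pan, token_key)
    return stored


if __name__ == "__main__":
    # Constructed sample transaction; 4111111111111111 is a well-known test PAN.
    sample = {
        "txn_id": "T-0001",
        "amount_cents": 1999,
        "pan": "4111111111111111",
        "expiry": "12/29",
        "cvv": "123",
        "track_data": "%B4111111111111111^DOE/JANE^2912...?",
    }
    demo_key = b"example-key-do-not-use-in-production-32b"
    print(prepare_for_storage(sample, demo_key))
```

Anything that can be reconstructed from the stored record (expiry, masked PAN, token) is still cardholder data under the standard, so the output record is still subject to Req. 3.1's retention limits and Req. 1's network controls; this step only removes what the standard forbids keeping at all.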
Merchant Levels and Compliance
• Large merchants (levels 1 and 2) must be assessed by third-party validation services
• Small merchants (levels 3 and 4) may self-assess
Fines
• Fines for non-compliance
• Fines following a breach
  • $50-90 per account compromised
  • Prohibition from accepting credit cards
• Fines are levied on acquiring banks, who pass them on to merchants
Compliance != Security
• Most large merchants are PCI compliant
• Compliance rates have increased over time
• Yet data breaches have increased
  • 1,343 US data breaches in 2014 vs. 600 in 2009
  • 512M records exposed in 2014 vs. 200M in 2009
• Many of the largest breaches have occurred at PCI compliant merchants
  • Breached companies can be found out-of-compliance retroactively
  • Dulls the incentive to become PCI compliant at all
Acquiring Banks' Duty to Monitor
• PCI rules oblige acquiring banks to monitor merchants for compliance with the requirements
• Yet the incentive for acquirers to monitor their merchant customers is very weak
  • Typical merchant-acquirer contracts make merchants responsible for fines
Efforts to improve CNP e-commerce payments
• Given that securing card data is hard, CNP fraud is likely to continue so long as PAN, expiry and CVV alone can be used to make purchases
• Multi-factor authentication can mitigate card fraud
  • One-time passwords texted to the customer
  • Card networks' attempt: 3D Secure
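The slide above names one-time passwords sent to the customer as a second factor for CNP purchases. The following is an added example, not code from the slides or from any card network, of the issuer-side half of such a step-up check: a short numeric code is bound to a specific transaction, stored only as a keyed hash, expires after a few minutes, survives a limited number of wrong guesses, can be used once, and is compared in constant time. Delivery of the code (SMS, app push) is assumed to happen outside this class; the key, the transaction identifiers and the injectable clock are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

OTP_DIGITS = 6          # length of the code shown to the cardholder
OTP_TTL_SECONDS = 300   # code is worthless after five minutes
MAX_ATTEMPTS = 3        # wrong guesses allowed before the challenge is burned


@dataclass
class Challenge:
    code_hash: bytes        # HMAC of (txn_id, code); the code itself is never stored
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS
    used: bool = False


class StepUpAuthenticator:
    """Issues and verifies per-transaction one-time codes (example design)."""

    def __init__(self, server_key: bytes, clock: Callable[[], float] = time.time):
        self._key = server_key
        self._clock = clock                     # injectable so expiry can be tested
        self._challenges: Dict[str, Challenge] = {}

    def _hash(self, txn_id: str, code: str) -> bytes:
        # Binding the transaction id into the hash means a code issued for one
        # purchase cannot be replayed to approve another.
        msg = f"{txn_id}:{code}".encode("ascii")
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, txn_id: str) -> str:
        """Create a fresh code for txn_id; the caller delivers it out of band."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._challenges[txn_id] = Challenge(
            code_hash=self._hash(txn_id, code),
            expires_at=self._clock() + OTP_TTL_SECONDS,
        )
        return code

    def verify(self, txn_id: str, code: str) -> bool:
        """Return True only for the unexpired, unused, correct code for txn_id."""
        ch = self._challenges.get(txn_id)
        if ch is None or ch.used or ch.attempts_left <= 0:
            return False
        if self._clock() > ch.expires_at:
            del self._challenges[txn_id]       # expired challenges are dropped
            return False
        ch.attempts_left -= 1                  # count the attempt before comparing
        ok = hmac.compare_digest(self._hash(txn_id, code), ch.code_hash)
        if ok:
            ch.used = True                     # single use: a second verify fails
        return ok


if __name__ == "__main__":
    auth = StepUpAuthenticator(b"example-issuer-key-not-for-production")
    code = auth.issue("txn-42")
    print("deliver to cardholder:", code)
    print("verify wrong:", auth.verify("txn-42", "000000" if code != "000000" else "999999"))
    print("verify right:", auth.verify("txn-42", code))
    print("replay:", auth.verify("txn-42", code))
```

Counting the attempt before the comparison, rather than after a failure, means a caller that crashes mid-verify cannot turn an exception into a free guess; the small code space is what makes the attempt limit and the short TTL essential rather than optional.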
3D Secure
• Password-augmented authentication
  • Cardholders register a password with their issuer
  • At checkout with participating merchants, the cardholder provides the password to the issuer
UK and France have seen success with 3D Secure
• France
  • By 2008, many card issuers agreed to accept fraud liability if merchants used 3DS for Internet sales
  • By 2013, 95% of cardholders could use 3DS and 43% of merchants used it
• UK
  • Simplified system to reduce cart abandonment
  • 70% of merchants there now use 3DS
Issues with 3D Secure
• Authenticating a user on first use can be weak
  • Date of birth, billing ZIP, last 4 digits of SSN
  • This data is often stolen
• Design often embeds the form as an iframe
  • Very difficult for the customer to know which site is requesting credentials
  • Doesn't help that the iframe frequently loads content from obscure sites like securesuite.co.uk
  • Phishing attacks now regularly impersonate 3DS
• Some UK banks have used 3DS to shift liability to the consumer
Conclusion (1)
• Credit card liability rules drive security practices
  • Card-present fraud: issuer pays
  • Card-not-present fraud: merchant pays
  • Cardholder: doesn't pay (in US)
• Credit card fraud and the Internet
  • Phishing and malware are powerful vectors to steal card information
  • Infiltrating merchant systems can steal millions of cards, cashed out via underground online marketplaces
Conclusion (2)
• PCI DSS is a compliance regime
  • Set up by the credit card networks
  • Goal is to improve merchant security and prevent large card thefts
  • Mixed bag on effectiveness
• Improving authentication in CNP transactions
  • 3D Secure (adding a password) helps
  • But beware: the design is clunky, vulnerable to phishing, and can be used to shift liability