1 / 28

Credit Card Data Security

This article explores how the internet has changed credit card fraud and discusses the efforts made to secure credit card data. It also examines the Payment Card Industry Data Security Standard (PCI DSS) and the impact of online transactions on card fraud.

emccracken
Download Presentation

Credit Card Data Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Credit Card Data Security CS7403, University of Tulsa Tyler Moore

  2. Agenda • How the Internet has changed credit card fraud • The quest to secure credit card data: PCI DSS • Efforts to improve CNP e-commerce payments

  3. Credit Card Networks

  4. Credit Card Fraud Pre-Internet • Card-present fraud • Criminals created counterfeit cards using copied magstrip details • Card-based countermeasures: CVVs, then EMV • Network-based countermeasures • Terminal maintains hot card list of stolen card #s • Merchant floor limits: any transaction over this limit requires online/phone authorization to card network

  5. Card Fraud is Cyclical UK Card Fraud, Source: UK Payments Administration

  6. Credit-card Fraud Pre-Internet • Card-not-present transactions • Mail-order and telephone order transactions • Higher risk because criminal simply needs CC#, expiry to carry out fraud, not load onto card • Liability rules set by card networks for mag-strip cards • Regulations limit cardholder liability for fraud • Card-present fraud: issuer pays • Card-not-present fraud: merchant pays • Once commerce moves online, burden for fraud shifts from issuers to merchants

  7. Recall: Shift from Card-Present to CNP Fraud following EMV deployment UK Card Fraud, Source: UK Payments Administration

  8. How the Internet has Changed the Nature of Card Fraud • Internet does not only raise share of CNP transactions • 1990s web designers worried that network attacker could eavesdrop credit card payments and steal cards • So SSL/TLS was born • Banks pushed SET, which was more secure but never took off • Network attacker stealing individual CC#s is rare

  9. How the Internet has Changed the Nature of Card Fraud • Real threat to card fraud from Internet • Phishing and social engineering make large-scale credential theft from consumers scalable • Cybercriminals targeted merchant systems and databases to steal card data en masse, then sold in underground marketplaces online • Regulators and banks have tried (with mixed success) to combat phishing • Card networks established PCI DSS to raise operational security at merchants

  10. PCI DSS Payment Card Industry Data Security Standard • Standard that is applied to: • Merchants • Service Providers (third-party vendor, gateways) • Systems (Hardware, software) • That: • Stores cardholder data • Transmits cardholder data • Processes cardholder data • Applies to: • Electronic Transactions • Paper Transactions Slide from Gregory Dove, Cal State

  11. PCI DSS Exempt Myth • All merchants are subject to the standard and to card association rules (No exemption provided to anyone) • Immunity does not apply because • Requirement is contractual - not regulatory or statutory • Card associations can be selective who they provide services to • Merchants accept services on a voluntary basis • Merchants agree to abide by association rules when they execute e-merchant bank agreement • Acquiring banks are prohibited by association rules from indemnifying a merchant for non-compliance Slide from Gregory Dove, Cal State

  12. PCI DSS Requirements

  13. Req. 1: Install & maintain firewall to protect cardholder data • Must identify all connections between systems touching cardholder data and other networks • Any such connection must be documented by business justification and technical description of configuration • Diagram all cardholder data flows across systems and networks • Review and revise every 6 months

  14. Data Restriction Requirements • Merchants may not store “sensitive authentication data after authorization”, including: • Security code (CVV) • Mag-strip data • PINs

  15. Req. 3: Protect stored cardholder data 3.1: Limit storage and retention time 3.2: Do not store authentication data after authorization (even if encrypted) 3.3: Hide all but last 4 or first 6 digits of PAN from all employees unless “business need” 3.4: Make PAN unreadable anywhere stored (use hash functionsor tokens)

  16. Req. 3: Protect stored cardholder data

  17. Merchant Levels and Compliance • Large (level 1 and 2 merchants) must be assessed by 3rd-party validation services • Small (level 3 and 4 merchants) may self-assess

  18. Fines Fines for non-compliance • Fines following breach • $50-90 per account compromised • Prohibition from accepting credit cards • Fines levied on acquiring banks, who pass the fines onto merchants

  19. Compliance != Security • Most large merchants are PCI compliant • Compliance rates have increased over time • Yet data breaches have increased • 1,343 US data breaches in 2014 vs. 600 in 2009 • 512M records exposed in 2014 vs. 200M in 2009 • Many of the largest breaches have occurred at PCI compliant merchants • Breached companies can be found out-of-compliance retroactively • Dulls incentive to become PCI compliant at all

  20. Acquiring Banks’ Duty to Monitor • PCI rules oblige acquiring banks to monitor merchants for compliance with requirements • Yet the incentive for acquirers to monitor their merchant customers is very weak • Typical merchant-acquirer contracts make merchants responsible for fines

  21. Efforts to improve CNP e-commerce payments • Given that securing card data is hard, it is likely that CNP fraud will continue so long as PAN, expiry and CVV can be used to make purchases • Multi-factor authentication can mitigate card fraud • One-time passwords texted to customer • Card networks’ attempt: 3D Secure

  22. 3D Secure • Password-augmented authentication • Cardholders register a password with issuer • Provides password to issuer at checkout for participating merchants

  23. 3D Secure

  24. UK and France have seen success with 3D Secure • France • By 2008, many card issuers agreed to accept fraud liability if merchants used 3DS for Internet sales • By 2013, 95% of cardholders could use 3DS and 43% of merchants use it • UK • Simplified system to reduce cart abandonment • 70% of merchants there now use 3DS

  25. Fraud Loss Rate on Internet Transactions in UK and France

  26. Issues with 3D Secure • Authenticating a user on 1st use can be weak • Date of birth, billing ZIP, last 4 digits SSN • This data is often stolen • Design often embeds the form as an iframe • Very difficult for customer to know which site is requesting credentials • Doesn’t help that frequently the iframe loads content from obscure sites like securesuite.co.uk • Phishing attacks now regularly impersonate 3DS • Some UK banks have used 3DS to shift liability to consumer

  27. Conclusion (1) • Credit card liability rules drive security practices • Card-present fraud: issuer pays • Card-not-present fraud: merchant pays • Cardholder: doesn’t pay (in US) • Credit card fraud and the Internet • Phishing and malware are powerful vectors to steal card information • Infiltrating merchant systems can steal millions of cards, cash out via underground marketplaces online

  28. Conclusion (2) • PCI DSS is a compliance regime • Set up by credit card networks • Goal is to improve merchant security and prevent large card thefts • Mixed bag on effectiveness • Improving authentication in CNP transactions • 3D Secure (adding password) helps • But beware: design is clunky, vulnerable to phishing, and can be used to shift liability

More Related