For: Seneca College FCA240

1
Visa Account Information Security

• For Seneca College FCA240
• By John Florinis
• Date March 19th, 2003

2
Agenda

• What is AIS?
• Why AIS?
• Hackers
• Credit Card Fraud
• Identity Theft
• AIS 15 Points
• AIS Process
• Case Studies

3
What is the Visa AIS Program?

• AIS is a Visa International Operating Regulation
  that outlines the requirements, disclosure, use,
  storage and disposition of account and
  transaction information

4
What is the Visa AIS Program?

• Objective to protect card account and
  transaction data at rest.
• AIS impacts all entities that store card account
  and transaction data, including
• Merchants, acquirers, processors, embossers, etc.
• AIS is an international mandate that affects
  businesses in all Visas operating regions.

5
Why AIS?

• Mass digitization of personal information
• Threat of Hackers
• Credit card fraud
• Rise in identity fraud
• Protect the Visa brand

The Visa AIS Program is intended to prevent data
theft and protect businesses and individuals
6
Hackers on the Rise

• 82,094 reported instances in 2002
• 52,658 in 2001 and 21,756 in 2000 (Source CERT,
  2003))
• 55 increase How many go unreported?
• Symantec reported 689 attacks on FIs
• 48 of those attacks were severe (Source
  Symantec, 2003)
• Symantec reported 616 attacks on e-commerce
  merchants
• 19 of those attacks were severe (Source
  Symantec, 2003)

7
Hackers

• 24 of hacker attacks are intended
• 76 are opportunistic (Symantec, 2003)
• Hackers fall into 2 groups
• Thrill Seekers hack for the challenge
• Professionals usually work for foreign
  governments and organized criminal gangs

8
Credit Card Fraud

• Projected Visa fraud in Canada is over 92
  million
• 330,686 fraudulent transactions
• Average sale 105.91
• Average loss 278.83
• lt1 of transactions are fraudulent
• Internet fraud accounts for 5 (4.6 MM) of Visa
  Canadas total fraud loss

Source Visa Canada
9
Credit Card Fraud
10
Credit Card Fraud
11
Identity Theft

• Definition
• Identity theft or fraud involves stealing
  another persons identifying information, such as
  SIN number, DOB and mothers maiden name, in
  order to to fraudulently establish credit, run up
  debt, and take over any financial or
  miscellaneous accounts, and obtain false
  documents
• - Ariana-Michele Moore
• Celent Communications

12
Identity Theft

• Over 100,000 identities are stolen every year in
  the U.S. (Source Celent Communications)
• Rising at a CAGR of 20.7 from 2002 2006
  (Source Celent Communications)
• The Internet has given criminals a new way to
  obtain personal information
• Example Criminals created a spoof eBay site and
  had customers enter credit card details and
  personal information.
• Example Job posting sites

13
Identity Theft
14
Identity Theft

• Impact on Financial Services Industry
• Over the past 5 years identity fraud has cost
  close to 2 billion USD. (Source Celent
  Communications)
• Intangible loss brand equity and consumer
  confidence.
• Increase in security spending and employee
  training.

15
Identity Theft
16
15 Steps of AIS

• Establish a hiring policy for staff and
  contractors
• Restrict access to data on a need-to-know
  basis.
• Assign each person a unique ID to be validated
  when accessing data.
• Track access to data, including read access, by
  each person.
• Install and maintain a network firewall, if data
  can be accessed via the Internet.
• Encrypt data maintained on databases or files
  accessible from the Internet
• Encrypt data sent across networks.
• Protect systems and data from viruses.
• Keep security patches for software up-to-date.
• Dont use vendor-supplied defaults for system
  passwords and other security parameters.
• Dont leave paper/diskettes/computers with data
  unsecured.
• Securely destroy data when its no longer needed
  for business reasons.
• Regularly test security systems and procedures.
• Immediately investigate and report to Visa any
  suspected loss of Account or Transaction
  information.
• Use only service providers that meet these
  security standards.

17
The Process

• A business that stores card account or
  transaction data must go through the AIS audit
• There are 3 transactional thresholds
• lt 5,000 (monthly) Self-Assessment Questionnaire
• 5,000-50,000 (monthly) SAQ and remote scan
• gt 50,000 (monthly) SAQ, remote scan, full
  on-site review.
• Every Visa acquirer in Canada is participating
• Each is responsible for enrolling their own
  merchants

18
The Process

• Failing the AIS program could result in
• Being fined (if you lied)
• Not being able to process Visa cards
• Most businesses are given a chance to fix their
  weak spots remedial plan

19
Approved AIS Auditing Firms
20
AIS Benefits

• Helps protect a business against hacker attacks
• Protects against credit card fraud and identity
  theft that could damage a business reputation
  and ability to accept Visa cards.
• AIS 15 points can serve as standard operating
  procedures for any company in any industry.

21
Case Study ISM Canada

• A hard disk went missing that contained customer
  profiles from several businesses
• The Co-operators lost 180,000 customer profiles
• Government of Manitoba lost tax information for
  43,000 businesses.
• Other companies include Investors Group, Sasktel
  and Saskatchewan Power Corp.
• Over 1,000,000 personal records were on the hard
  disk, including, bank account numbers, insurance
  and pension plan data.
• A 41-year old employee stole it. Working with ISM
  for 6 years. Told police he wanted an extra hard
  disk.
• ISM is a subsidiary of IBM!

22
Case Study - DPI

• A hacker gained access to 8 million credit cards
  DPI is based in Omaha
• 60,000 Canadian Visas were compromised
• 8,000 belonged to Scotiabank
• DPI processes credit cards for Internet, retail,
  MOTO merchants
• Luckily
• Stolen credit card numbers have not been used
• Merchants that use DPI have not been named

23

• Questions?

24
Source Links

• www.visa.com/secured
• www.cyberfraudsolutions.com
• www.cybersource.com
• http//news.com.com/2100-1017-966835.html
• www.celent.com
• http//www.securitystats.com/reports/Symantec
  Internet_Security_Threat_Report_vIII.20030201.pdf
• http//www.cert.org/stats/cert_stats.html
• http//www.usatoday.com/money/perfi/credit/2003-02
  -19-credit-card-hacker_x.html

25
Contact Info

• John Florinis
• Product Analyst, Internet Commerce
• Paymentech Canada
• 416.933.2590
• john.florinis_at_paymentech.ca