For: Seneca College FCA240 - PowerPoint PPT Presentation


1
Visa Account Information Security
  • For: Seneca College FCA240
  • By John Florinis
  • Date: March 19th, 2003

2
Agenda
  • What is AIS?
  • Why AIS?
  • Hackers
  • Credit Card Fraud
  • Identity Theft
  • AIS 15 Points
  • AIS Process
  • Case Studies

3
What is the Visa AIS Program?
  • AIS is a Visa International Operating Regulation
    that outlines the requirements, disclosure, use,
    storage and disposition of account and
    transaction information

4
What is the Visa AIS Program?
  • Objective: to protect card account and
    transaction data at rest.
  • AIS impacts all entities that store card account
    and transaction data, including:
  • Merchants, acquirers, processors, embossers, etc.
  • AIS is an international mandate that affects
    businesses in all Visa's operating regions.

5
Why AIS?
  • Mass digitization of personal information
  • Threat of Hackers
  • Credit card fraud
  • Rise in identity fraud
  • Protect the Visa brand

The Visa AIS Program is intended to prevent data
theft and protect businesses and individuals
6
Hackers on the Rise
  • 82,094 reported instances in 2002
  • 52,658 in 2001 and 21,756 in 2000 (Source: CERT,
    2003)
  • 55% increase. How many go unreported?
  • Symantec reported 689 attacks on FIs
  • 48 of those attacks were severe (Source:
    Symantec, 2003)
  • Symantec reported 616 attacks on e-commerce
    merchants
  • 19 of those attacks were severe (Source:
    Symantec, 2003)

7
Hackers
  • 24% of hacker attacks are intended
  • 76% are opportunistic (Symantec, 2003)
  • Hackers fall into 2 groups:
  • Thrill Seekers: hack for the challenge
  • Professionals: usually work for foreign
    governments and organized criminal gangs

8
Credit Card Fraud
  • Projected Visa fraud in Canada is over $92
    million
  • 330,686 fraudulent transactions
  • Average sale: $105.91
  • Average loss: $278.83
  • <1% of transactions are fraudulent
  • Internet fraud accounts for 5% ($4.6 MM) of Visa
    Canada's total fraud loss

Source: Visa Canada
9
Credit Card Fraud
10
Credit Card Fraud
11
Identity Theft
  • Definition:
  • "Identity theft or fraud involves stealing
    another person's identifying information, such as
    SIN number, DOB and mother's maiden name, in
    order to fraudulently establish credit, run up
    debt, and take over any financial or
    miscellaneous accounts, and obtain false
    documents"
  • - Ariana-Michele Moore,
    Celent Communications

12
Identity Theft
  • Over 100,000 identities are stolen every year in
    the U.S. (Source: Celent Communications)
  • Rising at a CAGR of 20.7% from 2002 to 2006
    (Source: Celent Communications)
  • The Internet has given criminals a new way to
    obtain personal information
  • Example: Criminals created a spoof eBay site and
    had customers enter credit card details and
    personal information.
  • Example: Job posting sites

13
Identity Theft
14
Identity Theft
  • Impact on Financial Services Industry:
  • Over the past 5 years identity fraud has cost
    close to $2 billion USD. (Source: Celent
    Communications)
  • Intangible loss: brand equity and consumer
    confidence.
  • Increase in security spending and employee
    training.

15
Identity Theft
16
15 Steps of AIS
  • Establish a hiring policy for staff and
    contractors
  • Restrict access to data on a need-to-know
    basis.
  • Assign each person a unique ID to be validated
    when accessing data.
  • Track access to data, including read access, by
    each person.
  • Install and maintain a network firewall, if data
    can be accessed via the Internet.
  • Encrypt data maintained on databases or files
    accessible from the Internet
  • Encrypt data sent across networks.
  • Protect systems and data from viruses.
  • Keep security patches for software up-to-date.
  • Don't use vendor-supplied defaults for system
    passwords and other security parameters.
  • Don't leave paper/diskettes/computers with data
    unsecured.
  • Securely destroy data when it's no longer needed
    for business reasons.
  • Regularly test security systems and procedures.
  • Immediately investigate and report to Visa any
    suspected loss of Account or Transaction
    information.
  • Use only service providers that meet these
    security standards.

17
The Process
  • A business that stores card account or
    transaction data must go through the AIS audit
  • There are 3 transactional thresholds:
  • < 5,000 (monthly): Self-Assessment Questionnaire (SAQ)
  • 5,000-50,000 (monthly): SAQ and remote scan
  • > 50,000 (monthly): SAQ, remote scan, full
    on-site review.
  • Every Visa acquirer in Canada is participating
  • Each is responsible for enrolling their own
    merchants

18
The Process
  • Failing the AIS program could result in:
  • Being fined (if you lied)
  • Not being able to process Visa cards
  • Most businesses are given a chance to fix their
    weak spots (remedial plan)

19
Approved AIS Auditing Firms
20
AIS Benefits
  • Helps protect a business against hacker attacks
  • Protects against credit card fraud and identity
    theft that could damage a business's reputation
    and ability to accept Visa cards.
  • AIS 15 points can serve as standard operating
    procedures for any company in any industry.

21
Case Study - ISM Canada
  • A hard disk went missing that contained customer
    profiles from several businesses
  • The Co-operators lost 180,000 customer profiles
  • Government of Manitoba lost tax information for
    43,000 businesses.
  • Other companies include Investors Group, Sasktel
    and Saskatchewan Power Corp.
  • Over 1,000,000 personal records were on the hard
    disk, including bank account numbers, insurance
    and pension plan data.
  • A 41-year-old employee stole it. He had been working
    with ISM for 6 years and told police he wanted an
    extra hard disk.
  • ISM is a subsidiary of IBM!

22
Case Study - DPI
  • A hacker gained access to 8 million credit cards
    (DPI is based in Omaha)
  • 60,000 Canadian Visas were compromised
  • 8,000 belonged to Scotiabank
  • DPI processes credit cards for Internet, retail,
    MOTO merchants
  • Luckily:
  • Stolen credit card numbers have not been used
  • Merchants that use DPI have not been named

23
  • Questions?

24
Source Links
  • www.visa.com/secured
  • www.cyberfraudsolutions.com
  • www.cybersource.com
  • http://news.com.com/2100-1017-966835.html
  • www.celent.com
  • http://www.securitystats.com/reports/Symantec Internet_Security_Threat_Report_vIII.20030201.pdf
  • http://www.cert.org/stats/cert_stats.html
  • http://www.usatoday.com/money/perfi/credit/2003-02-19-credit-card-hacker_x.html

25
Contact Info
  • John Florinis
  • Product Analyst, Internet Commerce
  • Paymentech Canada
  • 416.933.2590
  • john.florinis_at_paymentech.ca