Visa Inc. - PowerPoint PPT Presentation

Provided by: maineme

1
Cardholder Data Security and Fraud Prevention
  • Visa Inc.
  • September 9, 2008

2
Security: A Customer POV
Cardholder awareness of security issues is at
record high levels. Concerns permeate all facets
of their financial life and could impact their
spending at the checkout line. Maintaining
consumer confidence in electronic payments is
mutually beneficial.
3
Cardholder Concerns
67% Worried
Cardholders will be more cautious how and where
they use their credit cards in the future.
29% Not Worried
Cardholders say they don't worry too much. They
will continue to use their credit cards as they
have in the past.
  • Based on Visa nationwide cardholder research
    June 20-21, 2005, n=1,000

4
Importance of Data Security for Businesses
1. Damaged reputation to your brand
2. Potential loss of consumer good will
3. Financial liability for fraud/chargebacks
4. Fines and penalties
5. Potential legal liability
5
Security Environment
  • Hackers are attacking:
      • Brick-and-mortar merchants
      • Small businesses (increasingly targeted)
      • E-commerce merchants
      • Processors and agents
  • Hackers are looking for:
      • Software that stores sensitive cardholder data
      • Personal information to perpetrate identity theft
      • Track data, payment account numbers and PINs

6
Is Your Business a Target?
  • ASK YOURSELF
  • Is your POS terminal software-based, or is it
    connected to other computers or devices?
  • Do you have multiple systems connected with any
    having Internet access?
  • Do you have wireless access points?
  • Do you have an e-commerce component of your
    business?
  • Do you accept PIN debit (Interlink) transactions?
  • If you said yes to any of these questions, you
    may be a target for data thieves.
  • If no, you still may be the victim of a criminal
    trying to use a fraudulent card in your store.

7
What the Data Criminals are After
Important, sensitive information is stored on the
card's magnetic stripe and cardholder PINs.
If this information is compromised, it can enable
criminals to counterfeit cards and/or use the
cards fraudulently online.
8
Protecting Cardholder Data
9
How Businesses Can Protect Cardholder Data
1. Don't Store It If You Don't Need It!
  • Know exactly what you NEED to store and store
    ONLY that. Most businesses don't need to store
    any payment card data.
  • Know what your POS application is storing, if
    anything.
  • Know what your vendors are storing.
  • NEVER store Track I or Track II data.
  • NEVER store PIN data.

10
How Businesses Can Protect Cardholder Data
  • Know what payment application(s) you use and
    make sure they are not storing inappropriate
    data.
  • Determine if payment application vendors or
    other parties have remote access to your systems
    and ensure secure methods of access are used.
  • Be aware of how the Payment Card Industry Data
    Security Standard (PCI DSS) and PCI PIN Security
    Requirements apply to you.

11
PCI Data Security Standard
12
Merchant Compliance Validation
13
PCI PIN Security Requirements
  • Established by Visa in 1995 for the secure
    protection of PINs accepted at POS PIN Entry
    Devices (PEDs) and ATMs
  • Requires the use of secure lab-evaluated POS
    PEDs
  • Requires compliance for all aspects of secure
    key management
  • Requires the use of Triple-DES at all POS PEDs
    by July 1, 2010

Timeline dates shown on the slide: 7/1/2010, 1/1/2009, 10/1/2007, 1/1/2004
Timeline milestones shown on the slide:
  • All newly purchased attended POS PEDs must be
    evaluated by a Visa-recognized laboratory,
    approved by Visa (pre-PCI) and be TDES-capable
  • All POS PEDs must be using TDES. All attended POS
    PEDs must be pre-PCI or PCI approved
  • Newly deployed US AFDs must have a PCI approved
    EPP
  • All newly deployed unattended POS PEDs must have
    a PCI approved EPP (excludes US AFDs)
14
Top 7 PCI DSS and PCI PIN Violations
  • Based on compromises of cardholder data, Visa
    has found the following common issues:
  • Vulnerable payment applications (e.g.,
    inappropriate storage of full track, CVV2 and PIN
    data, insecure remote access)
  • Inadequate perimeter security (e.g., improperly
    managed firewall)
  • Out of date system security patches
  • Vendor default settings and passwords (e.g.,
    unsecured wireless)
  • Poorly coded web-facing applications resulting in
    SQL injection
  • Poor cryptographic key management used for PIN
    encryption
  • Use of vulnerable POS PIN entry devices

15
Preventing Payment Card Fraud
16
Merchant Fraud Prevention
At the checkout line
  • Look at the card
      • "Flying Dove" hologram
  • Match receipt with card
      • The name, account number and signature on the
        receipt should match the card.
  • Merchants can ask for identification, but may not
    make providing it a condition of the sale.
  • Liability
      • In face-to-face transactions, merchants are not
        liable for fraud when the transaction is properly
        authorized, which includes getting an electronic
        authorization. This represents the vast majority
        of Visa transactions.

17
Merchant Fraud Prevention
For Internet/Catalog Sales
Authenticate the Cardholder
Authenticate the Card
Liability
  • CVV2
      • The three-digit code printed on the signature
        panel helps Internet merchants verify that their
        customers have the actual card in their
        possession.
  • Liability
      • Merchants may be liable for card-not-present
        fraud.
  • Address Verification Service
      • A fraud prevention system that allows merchants
        to compare the billing address of the purchaser
        with the billing address on file with the card
        issuing financial institution.
  • Verified by Visa
      • A cardholder authentication service to help
        online merchants reduce fraud. Participating
        merchants are not liable for certain fraudulent
        transactions that make up roughly 70% of online
        fraud.
      • For more information visit
        www.visa.com/verifiedmerchants

18
Merchant Fraud Prevention
Employee Fraud: Skimming / PED Tampering
  • Skimming is an illegal act that helps criminals
    obtain card account information to produce
    counterfeit cards.
  • Typically, someone in the workplace uses a small
    device to steal information from a card's
    magnetic stripe. That information is put onto a
    counterfeit card and used to make fraudulent
    purchases.
  • Skimming devices are small and portable, not much
    bigger than a pager or cell phone.
  • Vulnerable POS PEDs are being modified to capture
    track data and PINs. See the November 2007 Security
    Alert on www.visa.com/cisp
  • Visa will pay a reward of up to $1,000 for
    information leading to the arrest and conviction
    of anyone involved in the manufacture or use of
    counterfeit cards.

19
For More Information
  • Contact your acquiring institution

Visit www.visa.com/CISP www.visa.com/PIN
Visit www.visa.com/usmerchant