Payment Card Industry (PCI) and Security - PowerPoint PPT Presentation

About This Presentation
Title:

Payment Card Industry (PCI) and Security

Description:

Title: Presentation Title Author: Andy Shalhoub Last modified by: Jason Lewin Created Date: 1/22/2004 7:50:05 PM Document presentation format: Letter Paper (8.5x11 in) – PowerPoint PPT presentation

Number of Views:148
Avg rating:3.0/5.0
Slides: 19
Provided by: AndySh2
Learn more at: https://www.utica.edu
Category:

less

Transcript and Presenter's Notes

Title: Payment Card Industry (PCI) and Security


1
Payment Card Industry (PCI) and Security
Crowe Horwath LLP Anatomy of Recent Card
Breaches
2
Presentation Objectives
  • Provide insight into possible or likely root
    causes behind public cases of card data breaches
  • Discuss how specific PCI violations contributed
    to or prolonged the fraud
  • Discuss technical and non-technical measures to
    decrease the risk and impact of a card fraud.
  • Provide suggestions on how to make your
    organization a hard target.

3
Root Cause Analysis
  • No Payment Card Industry (PCI)-compliant
    organization is known to have suffered a
    card-related data security related breach
  • Not all the locations where card holder data
    (CHD) resides were known or secured
  • Servers containing or providing CHD were
    configured with superfluous application programs
    and were not properly scoped and audited by a
    qualified security assessor (QSA)
  • Delays in arranging scans and assessments
  • There were inappropriate distinctions between
    test versus production servers and networks
  • Due to weak encryption and poor access controls,
    wireless networks were electronically pried
    open to reveal private areas of the network
    which store CHD

4
Root Cause Analysis
  • Audit trails were not enabled to tie misconduct
    to a specific employee or consultant. Lack of
    audit trails hindered criminal investigations
    because it was not possible to tie an individual
    time or time of day to the incursion.
  • A group user ID was used instead of a unique user
    ID.
  • Point-of-sale (POS) terminals were not physically
    and logically hardened to prevent surreptitious
    removal and inserting of a monitoring or sniffing
    device. The terminals were later returned to the
    retail locations, where they were used to capture
    PIN blocks.

5
What are some of the factors which increase the
possibility of a successful fraud?
  • They are not just technical reasons !
  • Lack of policies
  • No antifraud program
  • Technology controls not driven by business
    process controls
  • Not learning from past industry frauds

6
PCI and Your Data and Information Security Policy
  • Required Elements
  • Approval
  • Annual Updating
  • Training

7
PCI Data Storage Tips
  • Locate all your CHD
  • CHD not located is CHD not secured
  • Dont forget to test and to QA servers
  • Single purpose devices are a must
  • Encrypt, encrypt, encrypt
  • Data at rest
  • Data in transit
  • Dont forget log files of every sort
  • What about your ISP? What do they store?

8
Using PCI to Springboard Your Anti Fraud Program
9
Point of Sale (POS) Fraud and PCI
  • Factors reducing POS risks

10
Transactional Fraud Statistics Counterfeit PIN
Card Fraud
11
Key Components of a PCI Anti Fraud Program
PREVENTION
Tone at the Top
Value System / Code of Conduct
Positive Workplace Environment
Training/ Awareness
Whistleblower Program
Incident Response
Disciplinary Examples
DETERRENCE
Oversight
Risk Assessment
Internal Audit
Data Analysis
DETECTION
Monitoring
Computer Aided Tools
Loss Mitigation
12
Using PCI Controls to Prevent Phishing and
Identity Theft
  • Data Analysis
  • Strong Authentication
  • Encryption
  • Adaptive Security Procedures and Counter Measures
  • Tone at The Top
  • Honest Ethical Culture
  • Staff Trained to Look for Red Flags
  • Fraud Check-ups
  • Fraud Hotline
  • Defined Incident Handling Process
  • Risk Assessment Check for Red Flags

13
Past Fraud Events Provide a Roadmap for Helping
Clients Avoid Common PCI Compliance Pitfalls
  • Do not retain unneeded data. After authorization
    and settlement, very little CHD need remain for
    inquiry and adjustment purposes. Securely
    dispose of CHD.
  • CHD not located is CHD not secured. Perform a
    reliable inventory of all the servers, databases,
    test facilities, networks, paper records, and
    transaction and activity logs. Include all
    service providers and contractors in your search.
  • Dont look for a silver bullet solution. There
    is no single product or service that can
    alleviate an enterprise's PCI DSS compliance
    woes. Every business and every network is
    different, and PCI DSS controls must be tailored
    to an organization. There is no
    one-size-fits-all approach."

14
Past Fraud Events Provide a Roadmap for Helping
Clients Avoid Common PCI Compliance Pitfalls
  • Prevent data leaks. Identify all physical and
    logical points through which CHD enters and
    leaves your clients organization. This will
    mean scrutinizing data reports, log files,
    servers, email and file transfers.
  • Develop specific policies for handling and secure
    all data, networks and physical records which
    contain or provide access to CHD.
  • Train staff to prevent data leaks to establish a
    last line of defense to ensure sensitive
    information stays put.
  • Perform fraud check-ups.

15
What Could You Do if Your Fraud Check-Up Reveals
Issues?
16
Regulatory and Legislative Responses to Fraud
17
Summary Become a Hard Target
18
Any Questions?
  • Contact Information
  • Bruce Sussman
  • 973.422.7151
  • bruce.sussman_at_crowehorwath.com
  • Crowe Horwath LLP
Write a Comment
User Comments (0)
About PowerShow.com