Title: Payment Card Industry (PCI) and Security
Slide 1: Payment Card Industry (PCI) and Security
Crowe Horwath LLP
Anatomy of Recent Card Breaches
Slide 2: Presentation Objectives
- Provide insight into possible or likely root causes behind public cases of card data breaches
- Discuss how specific PCI violations contributed to or prolonged the fraud
- Discuss technical and non-technical measures to decrease the risk and impact of card fraud
- Provide suggestions on how to make your organization a hard target
Slide 3: Root Cause Analysis
- No Payment Card Industry (PCI)-compliant organization is known to have suffered a card-related data security breach
- Not all the locations where cardholder data (CHD) resides were known or secured
- Servers containing or providing CHD were configured with superfluous application programs and were not properly scoped and audited by a qualified security assessor (QSA)
- Delays in arranging scans and assessments
- Test and production servers and networks were not properly distinguished from one another
- Due to weak encryption and poor access controls, wireless networks were electronically pried open to reveal private areas of the network which store CHD
Slide 4: Root Cause Analysis
- Audit trails were not enabled to tie misconduct to a specific employee or consultant. Lack of audit trails hindered criminal investigations because it was not possible to tie an individual, a time or a time of day to the incursion.
- A group user ID was used instead of a unique user ID.
- Point-of-sale (POS) terminals were not physically and logically hardened to prevent surreptitious removal and insertion of a monitoring or sniffing device. The terminals were later returned to the retail locations, where they were used to capture PIN blocks.
Slide 5: What are some of the factors which increase the possibility of a successful fraud?
- They are not just technical reasons!
- Lack of policies
- No antifraud program
- Technology controls not driven by business process controls
- Not learning from past industry frauds
Slide 6: PCI and Your Data and Information Security Policy
- Required Elements
- Approval
- Annual Updating
- Training
Slide 7: PCI Data Storage Tips
- Locate all your CHD
- CHD not located is CHD not secured
- Don't forget test and QA servers
- Single-purpose devices are a must
- Encrypt, encrypt, encrypt
  - Data at rest
  - Data in transit
- Don't forget log files of every sort
- What about your ISP? What do they store?
Slide 8: Using PCI to Springboard Your Anti-Fraud Program
Slide 9: Point of Sale (POS) Fraud and PCI
- Factors reducing POS risks
Slide 10: Transactional Fraud Statistics: Counterfeit PIN Card Fraud
Slide 11: Key Components of a PCI Anti-Fraud Program
PREVENTION
- Tone at the Top
- Value System / Code of Conduct
- Positive Workplace Environment
- Training / Awareness
- Whistleblower Program
- Incident Response
- Disciplinary Examples
DETERRENCE
- Oversight
- Risk Assessment
- Internal Audit
- Data Analysis
DETECTION
- Monitoring
- Computer-Aided Tools
- Loss Mitigation
Slide 12: Using PCI Controls to Prevent Phishing and Identity Theft
- Data Analysis
- Strong Authentication
- Encryption
- Adaptive Security Procedures and Counter Measures
- Tone at The Top
- Honest Ethical Culture
- Staff Trained to Look for Red Flags
- Fraud Check-ups
- Fraud Hotline
- Defined Incident Handling Process
- Risk Assessment Check for Red Flags
Slide 13: Past Fraud Events Provide a Roadmap for Helping Clients Avoid Common PCI Compliance Pitfalls
- Do not retain unneeded data. After authorization and settlement, very little CHD need remain for inquiry and adjustment purposes. Securely dispose of CHD.
- CHD not located is CHD not secured. Perform a reliable inventory of all the servers, databases, test facilities, networks, paper records, and transaction and activity logs. Include all service providers and contractors in your search.
- Don't look for a silver-bullet solution. There is no single product or service that can alleviate an enterprise's PCI DSS compliance woes. Every business and every network is different, and PCI DSS controls must be tailored to an organization. There is no one-size-fits-all approach.
Slide 14: Past Fraud Events Provide a Roadmap for Helping Clients Avoid Common PCI Compliance Pitfalls
- Prevent data leaks. Identify all physical and logical points through which CHD enters and leaves your client's organization. This will mean scrutinizing data reports, log files, servers, email and file transfers.
- Develop specific policies for handling and securing all data, networks and physical records which contain or provide access to CHD.
- Train staff to prevent data leaks, establishing a last line of defense that ensures sensitive information stays put.
- Perform fraud check-ups.
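Slides 7 and 14 both point at log files as a place CHD leaks and goes unnoticed. The scanner below is an added example (not part of this deck or Crowe Horwath's material) of the check a practitioner would run over application logs: it finds digit runs that pass the Luhn check, masks each to the first six and last four digits, and reports which lines leaked. The log lines are constructed sample data; the log format and field names are assumptions.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# and not embedded inside a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; filters out order ids and timestamps that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """Keep first six and last four (the most PCI DSS permits to display); mask the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scrub_line(line: str) -> tuple[str, int]:
    """Return the line with every Luhn-valid PAN masked, plus the number of PANs found."""
    found = 0
    def repl(m: re.Match) -> str:
        nonlocal found
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)          # looks like a PAN but is not one; leave it alone
        found += 1
        return mask_pan(digits)        # separators are dropped in the masked form
    return PAN_RE.sub(repl, line), found

def scan_log(lines):
    """Yield (line_number, masked_line, pan_count) for every line that leaked a PAN."""
    for n, line in enumerate(lines, 1):
        masked, count = scrub_line(line)
        if count:
            yield n, masked, count

# Constructed sample log lines (not from any real system). 4111111111111111 is a
# widely used test card number; 1234567890123456 is a 16-digit id that fails Luhn.
SAMPLE_LOG = [
    "2023-10-05 12:30:45 INFO auth ok user=alice order=1234567890123456",
    "2023-10-05 12:30:46 DEBUG gateway request pan=4111-1111-1111-1111 amount=19.99",
    "2023-10-05 12:30:47 ERROR retry failed for 4111111111111111 (attempt 3)",
]

if __name__ == "__main__":
    for n, masked, count in scan_log(SAMPLE_LOG):
        print(f"line {n}: {count} PAN(s) -> {masked}")
```

Run against a real log directory this reports which files and lines need to be purged and which code paths are logging CHD; the Luhn filter keeps ordinary ids and timestamps out of the findings.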
Slide 15: What Could You Do if Your Fraud Check-Up Reveals Issues?
Slide 16: Regulatory and Legislative Responses to Fraud
Slide 17: Summary: Become a Hard Target
Slide 18: Any Questions?
- Contact Information
- Bruce Sussman
- 973.422.7151
- bruce.sussman_at_crowehorwath.com
- Crowe Horwath LLP