Data Security Update - PowerPoint PPT Presentation

1
Data Security Update
Hector Rodriguez, Director, Payment System Risk
March 11, 2008
2
NOTICE OF CONFIDENTIALITY
  • This presentation is furnished to you solely in
    your capacity as a customer of Visa USA and
    participant in the Visa payments system. By
    accepting this presentation, you acknowledge that
    the information contained herein (the
    Information) is confidential and subject to the
    confidentiality restrictions contained in Visa's
    operating regulations, which limit your use of
    the Information. You agree to keep the
    Information confidential and not to use the
    Information for any purpose other than in your
    capacity as a customer of Visa USA or as a
    participant in the Visa payments system. The
    Information may only be disseminated within your
    organization on a need-to-know basis to enable
    your participation in the Visa payments
    system. Please be advised that the Information
    may constitute material nonpublic information
    under U.S. federal securities laws and that
    purchasing or selling securities of Visa Inc.
    while being aware of material nonpublic
    information would constitute a violation of
    applicable U.S. federal securities laws.

3
Agenda
  • Security Landscape
  • Visa Security Strategy
  • PCI DSS Update
  • Payment Application Mandates
  • PCI SSC

4
Security Environment
Increasing industry, regulatory and legislative
focus on security due to high profile data
compromises
  • Criminals are targeting full track data, Card
    Verification Value 2 (CVV2) and PINs in data
    compromises
  • Merchant compliance with the Payment Card
    Industry Data Security Standard (PCI DSS) is
    growing among large merchants
  • Industry-wide coordination is increasing with the
    establishment of the PCI Security Standards
    Council (SSC)
  • Legislators and regulators have become involved
    and there are a number of state laws, as well as
    pending federal legislative initiatives
  • Consumer confidence is impacted by data
    compromises

5
Industry Fraud Trends
15 Year Historical View
Visa fraud prevention programs have been
effective at helping members drive and maintain
relatively low rates of fraud
Chart: Net Fraud Chargeoffs as a Percent of Total Volume, annotated with the
programs introduced over the period: Fraud Reporting Expansion, Card
Verification Value, Terminal Utilization Program, Cardholder Risk
Identification Service, Risk Identification Service Enhancements, Fraud
Reduction Programs, Issuer Risk Key Indicators, Advanced ID Solutions,
Verified By Visa, CVV2, CISP, Advanced Auth, CAMS, Account Data Compromises
Source: U.S. Member Quarterly Operating Certificates, based on preliminary
results for 2Q07. This number is subject to change.
6
System Compromises
  • Notable increase in compromise (U.S.) frequency:
  • 2005: 59 incidents / 5 per month
  • 2006: 84 incidents / 7 per month
  • 2007: 201 incidents / 17 per month
  • 2008: 9 incidents in January
  • 55/45 split between brick-and-mortar and e-commerce
    merchants
  • Network intrusions impacting full track data
    account for 76% of all exposed accounts.
  • Food services account for 44% of compromises,
    followed by direct marketing at 8%, universities
    at 6%, computer equipment at 4% and clothing
    retailers at 4%
  • In terms of number of accounts exposed, clothing
    retailers account for 68% of accounts, while food
    services account for about 2%

7
Global Compromises: Number of Incidents
Number of compromise incidents clearly rising
both in the US and globally
Chart: U.S. intrusions by year (the figures match slide 6): 2005, 59 total /
5 per month; 2006, 84 total / 7 per month; 2007, 201 total / 17 per month.
Began tracking non-U.S. alert distributions in
January 2007. There were 69 non-US events for
2007.
8
Card Compromise Trends
Top 5 most common vulnerabilities contributing to
system breaches include:
  • Storage of prohibited data (e.g., full track,
    CVV2, PIN blocks)
  • Use of vulnerable payment applications
  • Prohibited data storage in logs and other system
    files
  • Unpatched systems
  • Unsecured remote access
  • Vendor or employee remote access
  • Vendor default settings and passwords
  • Unsecured wireless settings
  • Poorly coded web-facing applications resulting in
    SQL injection
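
The first and third items above (track, CVV2 and PIN data ending up in logs and other system files) are something a defender can check for directly. The following is an added example, not code from the presentation or from Visa: a small Python scanner that flags log lines carrying Track 1 or Track 2 data or a Luhn-valid PAN, and masks the PAN so findings can be reported safely. The track-format regexes and the sample log lines are constructed for this example.

```python
import re
# Constructed patterns for the prohibited data the slide names: Track 1
# ("%B" ... "?"), Track 2 (";" ... "?") and bare 13-19 digit PANs.
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{4}[^?]*\?")
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}[^?]*\?")
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")

def luhn_valid(pan: str) -> bool:
    """Mod-10 check that card numbers satisfy; weeds out order ids and such."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(line: str) -> list:
    """Return the kinds of prohibited data found on one log line."""
    kinds = []
    if TRACK1_RE.search(line):
        kinds.append("track1")
    if TRACK2_RE.search(line):
        kinds.append("track2")
    if not kinds and any(luhn_valid(m.group(1)) for m in PAN_RE.finditer(line)):
        kinds.append("pan")
    return kinds

def scan_log(lines) -> list:
    """Return (line_number, kinds) for every line that holds prohibited data."""
    return [(n, k) for n, k in ((n, classify(l)) for n, l in enumerate(lines, 1)) if k]

def redact(line: str) -> str:
    """Mask all but the last four digits of every Luhn-valid PAN on the line."""
    def mask(m):
        pan = m.group(1)
        return "*" * (len(pan) - 4) + pan[-4:] if luhn_valid(pan) else pan
    return PAN_RE.sub(mask, line)

# Constructed sample log lines; 4111111111111111 is a standard test PAN.
SAMPLE_LOG = [
    "2008-03-11 10:02:01 INFO auth ok txn=000123 amt=42.10",
    "2008-03-11 10:02:01 DEBUG raw swipe ;4111111111111111=0812101000000000?",
    "2008-03-11 10:02:02 DEBUG track1 %B4111111111111111^DOE/JANE^0812101000000000000?",
    "2008-03-11 10:02:03 WARN retry for account 4111111111111111 cvv2=***",
    "2008-03-11 10:02:04 INFO order 1234567890123 shipped",
]

if __name__ == "__main__":
    for n, kinds in scan_log(SAMPLE_LOG):
        print(f"line {n}: {kinds} -> {redact(SAMPLE_LOG[n - 1])}")
```

The Luhn check keeps the 13-digit order number on the last line from being reported, while the three lines that actually carry card data are flagged by kind.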

9
Five-Part Security Strategy
10
Security Initiatives for 2007-2008
  • Secure the Payment System
  • Foster communication and collaboration with key
    stakeholders to improve overall payment system
    security
  • Eliminate prohibited data retention, including
    track, CVV2 and PIN data
  • Don't store it if you don't need it!
  • Drive merchant, processor and agent compliance
    with the PCI DSS
  • Support small merchant awareness and use of
    secure payment applications
  • Establish payment application mandates

www.visa.com/cisp
11
PCI Compliance Acceleration Program
Provide monetary incentives and administer fines
to accelerate U.S. merchant PCI DSS compliance
12
U.S. Level 1 Merchant Compliance
Visa PCI CAP contributes to increasing large
merchant PCI DSS compliance and eliminating
prohibited data storage as of 1/31/08
Chart: merchant compliance status (n = 232 and n = 326)
  • 99% of Level 1 and 2 merchants confirmed that
    they do not store prohibited data, up from 93% as
    of March 31, 2007

Excludes 38 Level 1 merchants identified in
2007, required to validate by September 30, 2008
13
U.S. PCI DSS Compliance Status
PCI DSS effective in protecting data and
supporting fraud prevention
Chart: compliance status as of January 31, 2008. Excludes 38 Level 1 and 305
Level 2 merchants identified in 2007, due 9/30/08 and 12/31/08 respectively.
Represents merchant acceptance locations.
14
Level 4 Small Merchant Initiatives
Executing a plan to address small merchants in
the U.S.
  • Level 4 merchants account for more than 80% of
    all compromises identified since 2005, but less
    than 5% of potentially exposed accounts
  • Most small merchant compromises involve
    vulnerable payment applications
  • Outreach to all active acquirers to promote small
    merchant security
  • Education and awareness campaign including a
    webinar series, regular data security alerts and
    bulletins
  • Publish list of vulnerable payment applications
    quarterly and promote use of PABP-validated
    applications
  • 100 of 231 acquirers provided Visa with Level 4
    compliance plans
  • Updated progress reports due from acquirers by
    June 30, 2008

15
Payment Application Security
Milestones in the adoption of secure payment
applications
  • List of validated payment applications published
    monthly since January 2006
  • As of January 2008, 270 products across 119
    vendors independently validated by a Qualified
    Security Assessor (QSA)
  • List of vulnerable payment applications published
    quarterly since February 2007
  • Visa organized and hosted a PABP Vendor
    Conference December 2006 attended by over 100
    product vendors
  • Session planned for 2008
  • Elevate PABP to an industry standard through PCI
    SSC while driving Visa mandates

www.visa.com/pabp
16
Payment Application Mandates
Visa plans to aggressively drive the adoption of
secure payment applications in the U.S.
marketplace
Chart: mandate timeline. Notes: applications developed in-house for in-house
use only and stand-alone POS terminals are not applicable. VisaNet processors
and agents must decertify vulnerable payment applications within 12 months of
identification. The date is aligned with the TDES mandate for all POS PEDs to
support TDES and be Visa-Approved/Lab-Evaluated.
17
Industry Collaboration
  • PCI Security Standards Council, founded by major
    card brands and launched in September 2006, is a
    global forum for managing ongoing development of
    security standards for account data protection,
    including PCI DSS
  • Council will evaluate and adopt additional
    security standards and plans to release the
    Payment Application Data Security Standard in
    2008
  • Updated Self-Assessment Questionnaires designed
    to promote ease of use for small merchants were
    released in February 2008
  • Responsible for certification and training for
    assessors and scan vendors
  • Payment card industry stakeholders are invited to
    join as Participating Organizations and can be
    elected to an Advisory Board
  • Participating organizations are invited to attend
    community meetings, comment on DSS revisions and
    future security standards and participate in
    implementation "best practice" discussions

18
Reference Tools
  • Visa CISP
  • Archive of Data Security Alerts, bulletins and
    webinars
  • What To Do If Compromised guide
  • Qualified CISP Incident Response Assessor List
  • List of CISP-Compliant Service Providers
  • Payment Application Best Practices
  • List of Validated Payment Applications
  • PCI Security Standards Council (PCI SSC)
  • Data Security Standard
  • Security Audit Procedures
  • Self-Assessment Questionnaire
  • Security Scanning Procedures
  • Qualified Security Assessor List 
  • Approved Scan Vendor List
  • Glossary of Terms

www.visa.com/cisp www.visa.com/pabp
www.pcisecuritystandards.org
19
Questions?