Payment Card Industry (PCI) and Security - PowerPoint PPT Presentation

About This Presentation
Title: Payment Card Industry (PCI) and Security
Description: Author: Andy Shalhoub; last modified by: Jason Lewin; created: 1/22/2004 7:50:05 PM; document presentation format: Letter Paper (8.5x11 in); PowerPoint PPT presentation

Slides: 19
Provided by: AndySh2
Learn more at: https://www.utica.edu
Transcript and Presenter's Notes

1
Payment Card Industry (PCI) and Security
Crowe Horwath LLP
Anatomy of Recent Card Breaches
2
Presentation Objectives
  • Provide insight into possible or likely root
    causes behind public cases of card data breaches
  • Discuss how specific PCI violations contributed
    to or prolonged the fraud
  • Discuss technical and non-technical measures to
    decrease the risk and impact of card fraud.
  • Provide suggestions on how to make your
    organization a hard target.

3
Root Cause Analysis
  • No Payment Card Industry (PCI)-compliant
    organization is known to have suffered a
    card-related data security breach
  • Not all the locations where card holder data
    (CHD) resides were known or secured
  • Servers containing or providing CHD were
    configured with superfluous application programs
    and were not properly scoped and audited by a
    qualified security assessor (QSA)
  • Delays in arranging scans and assessments
  • There were inappropriate distinctions between
    test versus production servers and networks
  • Due to weak encryption and poor access controls,
    wireless networks were electronically pried
    open to reveal private areas of the network
    which store CHD

4
Root Cause Analysis
  • Audit trails were not enabled to tie misconduct
    to a specific employee or consultant. Lack of
    audit trails hindered criminal investigations
    because it was not possible to tie an individual,
    a time, or a time of day to the incursion.
  • A group user ID was used instead of a unique user
    ID.
  • Point-of-sale (POS) terminals were not physically
    and logically hardened to prevent surreptitious
    removal and insertion of a monitoring or sniffing
    device. The terminals were later returned to the
    retail locations, where they were used to capture
    PIN blocks.

5
What are some of the factors which increase the
possibility of a successful fraud?
  • They are not just technical reasons!
  • Lack of policies
  • No antifraud program
  • Technology controls not driven by business
    process controls
  • Not learning from past industry frauds

6
PCI and Your Data and Information Security Policy
  • Required Elements
  • Approval
  • Annual Updating
  • Training

7
PCI Data Storage Tips
  • Locate all your CHD
  • CHD not located is CHD not secured
  • Don't forget test and QA servers
  • Single purpose devices are a must
  • Encrypt, encrypt, encrypt
  • Data at rest
  • Data in transit
  • Don't forget log files of every sort
  • What about your ISP? What do they store?

8
Using PCI to Springboard Your Anti Fraud Program
9
Point of Sale (POS) Fraud and PCI
  • Factors reducing POS risks

10
Transactional Fraud Statistics: Counterfeit PIN Card Fraud
11
Key Components of a PCI Anti Fraud Program
PREVENTION
  • Tone at the Top
  • Value System / Code of Conduct
  • Positive Workplace Environment
  • Training / Awareness
  • Whistleblower Program
  • Incident Response
  • Disciplinary Examples
DETERRENCE
  • Oversight
  • Risk Assessment
  • Internal Audit
  • Data Analysis
DETECTION
  • Monitoring
  • Computer Aided Tools
  • Loss Mitigation
12
Using PCI Controls to Prevent Phishing and
Identity Theft
  • Data Analysis
  • Strong Authentication
  • Encryption
  • Adaptive Security Procedures and Counter Measures
  • Tone at The Top
  • Honest Ethical Culture
  • Staff Trained to Look for Red Flags
  • Fraud Check-ups
  • Fraud Hotline
  • Defined Incident Handling Process
  • Risk Assessment Check for Red Flags

13
Past Fraud Events Provide a Roadmap for Helping
Clients Avoid Common PCI Compliance Pitfalls
  • Do not retain unneeded data. After authorization
    and settlement, very little CHD need remain for
    inquiry and adjustment purposes. Securely
    dispose of CHD.
  • CHD not located is CHD not secured. Perform a
    reliable inventory of all the servers, databases,
    test facilities, networks, paper records, and
    transaction and activity logs. Include all
    service providers and contractors in your search.
  • Don't look for a silver bullet solution. There
    is no single product or service that can
    alleviate an enterprise's PCI DSS compliance
    woes. Every business and every network is
    different, and PCI DSS controls must be tailored
    to an organization. There is no
    one-size-fits-all approach.
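A small discovery-and-masking pass over application logs, added here as an example (not code from the slides or from Crowe Horwath): it scans constructed log lines for 13 to 19 digit runs, keeps only those that pass the Luhn check as candidate PANs, and masks them to first six and last four. It illustrates the "CHD not located is CHD not secured" and "don't forget log files" points from slides 7 and 13; the log format and sample values are assumptions.

```python
import re
from typing import List, Tuple

# Constructed sample log (hypothetical): a Luhn-valid PAN, a Luhn-invalid
# 16-digit reference, an already-masked PAN, a PAN with separators, and
# timestamps that must not be mistaken for card data.
SAMPLE_LOG = """\
2024-01-05 10:12:01 INFO  order=8831 card=4111111111111111 amount=42.10
2024-01-05 10:12:02 INFO  order=8832 ref=1234567890123456 amount=9.99
2024-01-05 10:12:03 DEBUG masked=411111******1111 status=approved
2024-01-05 10:12:04 INFO  export pan=5555-5555-5555-4444 batch=7
"""

# 13 to 19 digits, optional single space/hyphen separators, not part of a
# longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; rejects most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def _digits(match) -> str:
    return re.sub(r"[ -]", "", match.group(0))

def find_pans(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, pan) for every Luhn-valid candidate in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hits.extend((lineno, _digits(m)) for m in PAN_RE.finditer(line)
                    if luhn_valid(_digits(m)))
    return hits

def mask_pan(digits: str) -> str:
    """Keep at most first six and last four digits (PCI DSS display rule)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scrub_log(text: str) -> str:
    """Replace every Luhn-valid PAN with its masked form; leave other text."""
    def repl(m) -> str:
        d = _digits(m)
        return mask_pan(d) if luhn_valid(d) else m.group(0)
    return "\n".join(PAN_RE.sub(repl, line) for line in text.splitlines())
```

Run `find_pans` across exported logs, debug traces and test-server output to build the inventory, and `scrub_log` before any log leaves the cardholder data environment.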

14
Past Fraud Events Provide a Roadmap for Helping
Clients Avoid Common PCI Compliance Pitfalls
  • Prevent data leaks. Identify all physical and
    logical points through which CHD enters and
    leaves your client's organization. This will
    mean scrutinizing data reports, log files,
    servers, email and file transfers.
  • Develop specific policies for handling and
    securing all data, networks and physical records
    which contain or provide access to CHD.
  • Train staff to prevent data leaks, establishing a
    last line of defense that ensures sensitive
    information stays put.
  • Perform fraud check-ups.

15
What Could You Do if Your Fraud Check-Up Reveals
Issues?
16
Regulatory and Legislative Responses to Fraud
17
Summary: Become a Hard Target
18
Any Questions?
  • Contact Information
  • Bruce Sussman
  • 973.422.7151
  • bruce.sussman_at_crowehorwath.com
  • Crowe Horwath LLP