Global Payment Acceptance – Hotel webinar, 25th July 2011 (Security Matters, 29th June 2011; Safe & Sound, 29th March 2011)
PCI DSS – Investing wisely...
Hotel webinar
Leading the way in secure payments
Neira Jones, Head of Payment Security, Barclaycard Global Payment Acceptance, 25th July 2011
News round up…
Sony, Lulzsec, Citigroup, Lush, Epsilon, RSA, Lockheed Martin, Dropbox, Travelodge, Essex, Wordpress
Data breaches have almost become a statistical certainty.
Panic!
Companies feel under pressure to meet compliance deadlines of one type or another.
They rush to implement solutions they believe will address whichever regulation looming on the horizon is the most visible, urgent or potentially costly to ignore.
With requirements evolving, companies find themselves with discrete solutions for PCI DSS, Data Protection, FSA, SOX and others.
Many businesses are now on their 2nd or 3rd cycle of trying to automate processes related to compliance with specific policies, industry standards, and government regulations.
RESULT:
– Some successes with initial projects, but short lived, and costly.
– Suppliers are often guilty of perpetuating a vicious circle by describing their offering as the next “silver bullet” (expensive to maintain and impossible to integrate or scale).
– Investments in infosec more difficult to secure as sustainability can’t be demonstrated to the Board.
– COMPLIANCE IN SILOS
How can I justify PCI DSS expenditure?...
The cost depends on a number of factors…
TECHNICAL
• How are payments processed (face-to-face, mail order/telephone order (MOTO), e-commerce, etc.)?
• In each channel, how compliant are your third parties and applications in the payment value chain?
• How mature is the organisation in terms of IT/IS security, policies and procedures, staff training and awareness, etc.?
• Is the organisation centralised or distributed (multiple sites)?
ORGANISATIONAL / CULTURAL COSTS
• Size of organisation
• Staff training
PCI DSS merchant levels
Merchants are classified according to the volume of card payments they process and the nature of their business.
Level 1: • Any merchant processing over 6,000,000 Visa or MasterCard transactions per year, • or any compromised merchant.
Level 2: • Any merchant processing one to six million Visa or MasterCard transactions per year.
Level 3: • Any merchant processing 20,000 to one million Visa or MasterCard e-commerce transactions per year.
Level 4: • Any merchant processing fewer than 20,000 Visa or MasterCard e-commerce transactions per year, • and all other merchants processing up to one million Visa or MasterCard transactions per year.
It’s war Jim, but not as we know it...
Today’s cybercrime industry has evolved and automated itself to improve efficiency, scalability, and profitability with a clear intent on obtaining information that can be monetised.
The hackers’ best friends are businesses with inadequate and often outdated information security practices.
Cybercrime and data protection are not high on the Board’s agenda.
But... Governance & Risk Management are familiar to the Board.
Monetising card data
Online ordering systems for stolen credit card data are available 24/7:
– Inventories of as many as 800,000 stolen credit cards per site
– Tiered pricing available
– Pre-purchase testing validation available
– Can sell same data on many times
Current market value:
We’re all in it together…
When personal information is stolen, it goes viral...
Public social concerns...
Preventing crime 94%
Protecting personal information 94%
NHS 88%
Equal rights 88%
Improving education 87%
National security 87%
Environmental issues 87%
Protecting freedom of speech 85%
Source: ICO Annual Track 2008
Cause of data breaches in the hotel sector
Default passwords
SQL injection
Malware on payment server
Some hotels swipe the magnetic stripe on the back of the card at check-in, and the swiped data is stored (probably in the hotel Property Management System). A pre-authorisation is taken and the cardholder is charged when they leave, perhaps via express check-out.
This data is extremely valuable and is one of the reasons criminals are targeting the hotel industry.
Happy 10th Birthday SQL Injection!!!
And now for the science...
Malware accounted for 80% of all data lost in 2010, and within that caseload 81% of the cases involved SQL injection.
Hacking accounted for 89% of records stolen, and 76% of these were due to lax password management and authentication procedures.
Most data breaches are not discovered by the organisation suffering the attack.
The Verizon DBIR 2011 further claimed that 87% of attacks could be prevented using simple, proactive measures.
Seeing the wood from the trees...
The 2011 Verizon DBIR concluded that being prepared remains the best defence against security breaches.
Organisations still remain slow in detecting and responding to incidents.
Most organisations that have suffered a breach will have evidence of it in their logs, but these often get overlooked due to a lack of staff, tools or processes.
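To make the point about evidence sitting unread in logs concrete, here is an added example (written for this page, not material from the webinar) that reviews a constructed Apache-style access log for the two patterns the statistics above single out: requests that look like SQL injection, and a run of failed logins followed by a success against an administrative login page. The hosts, paths and login URL are assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed Apache-style access log lines (hypothetical hosts and paths).
SAMPLE_LOG = """\
203.0.113.7 - - [25/Jul/2011:09:14:02 +0100] "GET /book?room=214 HTTP/1.1" 200 5120
203.0.113.7 - - [25/Jul/2011:09:14:09 +0100] "GET /book?room=214%27%20OR%201%3D1-- HTTP/1.1" 200 91230
203.0.113.7 - - [25/Jul/2011:09:14:15 +0100] "GET /book?room=214%20UNION%20SELECT%201,2,3 HTTP/1.1" 500 812
198.51.100.2 - - [25/Jul/2011:09:20:41 +0100] "POST /admin/login HTTP/1.1" 401 310
198.51.100.2 - - [25/Jul/2011:09:20:43 +0100] "POST /admin/login HTTP/1.1" 401 310
198.51.100.2 - - [25/Jul/2011:09:20:44 +0100] "POST /admin/login HTTP/1.1" 401 310
198.51.100.2 - - [25/Jul/2011:09:20:46 +0100] "POST /admin/login HTTP/1.1" 302 0
192.0.2.9 - - [25/Jul/2011:09:31:00 +0100] "GET /book?room=301 HTTP/1.1" 200 5120
"""

# Common log format: client IP, identity, user, [timestamp], "METHOD path proto", status, size.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Textbook injection fragments as they appear once the query string is URL-decoded.
SQLI = re.compile(r"('\s*(or|and)\s|union\s+select|--|/\*|;\s*(drop|select)|sleep\()", re.I)

def parse(line):
    """Split one access-log line into its fields; the path is URL-decoded for matching."""
    m = LINE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return {"ip": ip, "ts": ts, "method": method, "path": unquote_plus(path), "status": int(status)}

def review(log_text, login_path="/admin/login", fail_threshold=3):
    """Return alerts: injection-looking requests, and source IPs whose repeated
    login failures are followed by a success (a password-guessing pattern)."""
    alerts = []
    failures = Counter()  # failed POSTs to the login page, per source IP
    for raw in log_text.splitlines():
        r = parse(raw)
        if r is None:
            continue
        if SQLI.search(r["path"]):
            alerts.append(("sqli", r["ip"], r["path"], r["status"]))
        if r["path"] == login_path and r["method"] == "POST":
            if r["status"] == 401:
                failures[r["ip"]] += 1
            elif failures[r["ip"]] >= fail_threshold:
                alerts.append(("login_after_failures", r["ip"], failures[r["ip"]], r["status"]))
    return alerts
```

Run against a real log export the thresholds and login path would be tuned to the application, and a 200 with an unusually large response to an injection-looking request is the line to pull first.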
One step at a time...
Are my employees taking information outside of the organisation? How can they do this?
Can I limit access to this information to only those who need it?
What types of attackers would be interested in infiltrating my systems? What would they seek? Why?
If any web server was compromised, how difficult would it be for an attacker to work their way to the systems containing that information? How easy would it be to take this information out?
How quickly would I know this has happened? How quickly can I stop it?
How quickly do I need to respond to the market?
Threat/scenario modelling is practised by only a few organisations.
The reality
Protect brand and reputation – if card data is lost it is highly likely that other data (e.g. name and address) has also been lost. This could lead to identity theft as well as card fraud.
If customers lose trust, they often take their business elsewhere.
It is a Card Scheme requirement that merchants comply with PCI DSS, and this is incorporated into the T & Cs.
Cost and business impact of a data breach.
PCI DSS non-compliance fees.
Data breaches and fines…
Cost of a small data breach… (conservative estimate, Level 4 merchant)
Item                     Cost (GBP)
Forensic Investigation   10,000
Card Scheme penalties     8,000
QSA On-Site Audit        12,000
Total                    30,000

Item                     Cost (GBP)
Remediation              ?
Brand & Reputation       ?
Opportunity Cost         ?
Total                    ?
To gain understanding and trust, businesses will promote how they safeguard their customers’ personal information. Investment in information security will be driven by business reality.
Only 4% of breaches assessed in the Verizon Business Data Breach Investigations Report 2011 (DBIR 2011) required difficult and expensive protective measures.
It’s all about risk...
…the identification, assessment and prioritisation of risks, followed by the coordinated and economical application of resources to minimise, monitor and control the probability and/or impact of unfortunate events.
PCI DSS – What is it all about? 6 goals, 12 requirements
Key messages
1. Data compromises do happen!
2. The criminals are 5 years ahead of us. It is now organised crime, not geeky teenagers like in the film “War Games”
3. PCI DSS is a business / cultural change and will require a multi-disciplinary team to implement
4. Ensure that Third Parties are contractually liable to you
5. Try not to store card data, what you don’t have you can’t lose (part of scope reduction)
6. Never ever store card sensitive authentication data post authorisation
7. Identify the parts of your business with the greatest risk of being compromised and secure them first e.g. e-commerce sites
8. Use the PCI SSC Risk Prioritised Approach
9. PCI DSS is a continuous process, a bit like an MOT check, but you still need to ensure that your car is roadworthy in between MOTs
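Key messages 5 and 6, and the stored-swipe scenario described under the hotel-sector breach causes, come down to one question: is full card data sitting in the PMS, its exports or the payment server's logs? The script below is an added example written for this page (not Barclaycard's or the PCI SSC's tooling) that scans a constructed sample of PMS-style log lines for full magnetic-stripe track data and clear-text PANs, using a Luhn check to discard booking references and phone numbers; the record format and all values are hypothetical.

```python
import re

# Constructed sample of lines a hotel Property Management System export or
# payment-server log might contain (hypothetical; 4111... and 5555... are
# well-known test card numbers, not real accounts).
SAMPLE_RECORDS = [
    "14:02:11 checkin room=214 guest=SMITH/J pan=4111111111111111 exp=1312",
    "14:02:12 swipe=%B4111111111111111^SMITH/J^13121010000000000?",
    "14:05:43 preauth room=214 amount=250.00 authcode=123456",
    "16:40:00 booking ref=2011072500123456 phone=01234567890123",
    "17:01:22 swipe=;5555555555554444=13121010000000000?",
    "18:30:05 checkout room=214 charged=312.50 pan=411111******1111",
]

# Full track 1 / track 2 magnetic-stripe data is sensitive authentication data:
# it must never be kept after authorisation, however well it is protected.
TRACK1 = re.compile(r"%B(\d{13,19})\^[^^?]{2,26}\^\d{4}[^?]*\?")
TRACK2 = re.compile(r";(\d{13,19})=\d{4}[^?]*\?")
# Candidate PANs: 13-19 digit runs not embedded in a longer digit string.
PAN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn check, which weeds out booking references and phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan: str) -> str:
    """First six and last four digits only, so the report itself is not card data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_records(records):
    """Return (line_no, kind, masked_pan) for each track-data or clear-text PAN hit."""
    findings = []
    for n, line in enumerate(records, start=1):
        covered = []  # spans already reported as track data
        for rx in (TRACK1, TRACK2):
            for m in rx.finditer(line):
                findings.append((n, "TRACK_DATA", mask(m.group(1))))
                covered.append(m.span())
        for m in PAN.finditer(line):
            in_track = any(a <= m.start() < b for a, b in covered)
            if not in_track and luhn_ok(m.group()):
                findings.append((n, "PAN", mask(m.group())))
    return findings
```

Any TRACK_DATA hit is a straight failure of key message 6; a clear-text PAN hit means the data is either being stored needlessly (key message 5) or stored without being rendered unreadable.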
What can we learn?...
Lesson 1. Understand your risk profile
Lesson 2. Make risk management your objective, compliance will come naturally
Lesson 3. Avoid quick fixes and silos (i.e. don’t panic!)
Lesson 4. Automate
Lesson 5. Educate
In the months and years to come, we can expect increased scrutiny of corporate risk management practices. In response to this, businesses will strive to understand their risk profiles and whether the risks taken are within the enterprise’s risk appetite and tolerance thresholds.
How Barclaycard can help…
Barclaycard and the PCI SSC
The PCI SSC is a global organisation formed by the Card Schemes to develop global security standards for the protection of card data.
Barclaycard sits on the PCI SSC Board of Advisors, is a Participating Organisation and is involved in SIGs.
Barclaycard welcomes feedback from the merchant community and is actively working with the PCI SSC to raise issues concerning European merchants.
Barclaycard Risk Reduction Programme
Over the past 8 months, Barclaycard and IRM plc have researched and developed a risk reduction programme for Level 1 and Level 2 merchants.
PCI DSS is a good information security framework.
Use PCI DSS controls in the context of a recognised risk management framework (e.g. ISO 27001, COBIT, ITIL, CLAS, etc.).
The first step is a risk assessment.
Leaflets, white papers, tools, etc…
Our website: www.barclaycard.co.uk/pcidss
Don’t spend £100 protecting a £1 asset: know your risk, fix the basics first, and be prepared…
Neira Jones, Head of Payment Security, Barclaycard Global Payment Acceptance, [email protected]
http://uk.linkedin.com/pub/neira-jones/0/7a5/140
neirajones