Fighting Today’s Cybercrime
Ongoing PCI Compliance Using Data-Centric Security Technologies
• All phone lines have been muted for the duration of the webinar.
• At any time, you can type questions in the Q&A box at the bottom of your screen.
• A recording of this webinar will be available at: http://www.fishnetsecurity.com/6labs/resource-library
INTRODUCTIONS
Brian Serra, PCIP, CISSP, ASV
PCI Practice Director
FishNet Security
Mark Bower
Vice President of Product Management
WHY PROTECT CONSUMER CREDIT CARD DATA?
WHY SECURE?
• 630+ million computer records containing sensitive personal information have been involved in security breaches in the U.S. since 2005.
• Criminals are shifting their sights to large merchants because of the massive number of records they hold.
• The public's view is that if you are at fault for a security breach, you will be held liable.
FALLOUT FROM A DATA BREACH
As a merchant, you face many potential negative impacts following a
cardholder data breach.
• Fines & Penalties ($5,000–$500,000) + Legal & Reissuing Fees
• Termination of ability to accept payment cards
• Loss of confidence as customers go to other merchants
• Lost sales
• Cost of reissuing new payment cards
• Legal cost, settlements and judgments
• Fraud losses
• Higher subsequent compliance costs
• Going out of business
WORLDWIDE BREACH COSTS
The most costly breaches occurred in the U.S. and Germany, at $201 and $195 per compromised record, respectively.
AVERAGE BREACH COST
• A strong security posture was critical to decreasing the cost of a data breach.
• On average, companies with a strong security posture were able to reduce the cost by as much as $14/record.
TOP TARGET COUNTRIES OF 2013 (chart: targets by country)
RISKY BEHAVIOR
A survey of businesses in the U.S. and Europe revealed activities that may put cardholder data at risk:
• 81% store payment card numbers.
• 73% store payment card expiration dates.
• 71% store payment card verification codes (PROHIBITED: sensitive authentication data may not be stored after authorization under PCI DSS Requirement 3.2, even if encrypted).
• 57% store customer data from the payment card magnetic stripe (PROHIBITED, for the same reason).
• 16% store other personal data.
WHAT DATA THIEVES ARE AFTER
The object of desire is cardholder data.
• By obtaining the Primary Account Number (PAN) and sensitive authentication data, a thief can impersonate the cardholder, using the number for fraudulent transactions and leaving you with the bill.
Cardholder data can be stolen from many places:
• Compromised Card Reader
• POS/Register or Back Office Systems
• Filing Cabinets
• Payment System Database
• Hidden Camera Recording Data Entry
• Secret Tap into Network
RECENT RETAIL ATTACK VECTOR (diagram)
Card data flow: POS Terminal -> Register -> Back-Store Systems -> Credit Card Processor.
The card data is UNENCRYPTED at the POS terminal and on the register, and ENCRYPTED only on the leg out to the credit card processor. The credit card is therefore exposed exactly where memory-scraping POS malware (POSRAM, BlackPOS, TrojanPOS) runs, and protected only after it leaves the store.
P2PE/E2EE SOLUTION (diagram)
Same flow, POS Terminal with P2PE/E2EE -> Register -> Back-Store Systems -> Credit Card Processor, with every leg ENCRYPTED. The credit card is protected from swipe to bank, so POS malware (POSRAM, BlackPOS, TrojanPOS) on the register or back-store systems sees only ciphertext.
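The attack the two diagrams contrast is memory scraping: POS malware of the families named above reads register memory looking for cleartext magnetic-stripe (Track 1/Track 2) data, which P2PE removes from the register. As an added example, not code from the webinar or from Voltage or FishNet, here is the kind of scanner a responder runs over a process memory dump to find that same data: it applies the Track 1/Track 2 patterns plus a Luhn check and is run over a constructed buffer that contains cleartext track data and a constructed byte blob standing in for P2PE ciphertext. The test card number 4111 1111 1111 1111, the buffer contents and the function names are assumptions for illustration.

```python
"""Scan a memory buffer for cleartext magnetic-stripe track data.

Added illustration, not code from the webinar or from Voltage/FishNet.
POS memory scrapers search for exactly these patterns; a P2PE terminal
leaves only ciphertext in register memory, so the patterns never appear.
"""
import re

# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(rb";?(\d{13,19})=(\d{4})(\d{3})(\d{0,20})\??")
# Track 1: %B<PAN>^<SURNAME/GIVEN>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(rb"%?B(\d{13,19})\^([A-Z ./-]{2,26})\^(\d{4})(\d{3})")


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test; filters random digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, the maximum PCI DSS allows for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_track_data(buf: bytes) -> list:
    """Return findings (offset, track type, masked PAN, expiry) for Luhn-valid track data."""
    hits = []
    for name, pattern in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in pattern.finditer(buf):
            pan = m.group(1).decode("ascii")
            if not luhn_ok(pan):
                continue  # digit run that is not a real card number
            expiry = (m.group(3) if name == "track1" else m.group(2)).decode("ascii")
            hits.append({"offset": m.start(), "track": name,
                         "pan_masked": mask_pan(pan), "expiry_yymm": expiry})
    return sorted(hits, key=lambda h: h["offset"])


# Constructed sample "memory image" (not a real dump). 4111 1111 1111 1111 is a
# standard test number; the byte blob stands in for P2PE ciphertext.
ENCRYPTED_BLOB = bytes(range(128, 256))      # contains no ASCII digits or delimiters
SAMPLE_MEMORY = (
    b"\x00" * 16
    + b"%B4111111111111111^DOE/JOHN^25121011000000000000?"   # cleartext Track 1
    + b"\x00" * 16
    + b";4111111111111111=25121011234567890?"                 # cleartext Track 2
    + b"\x00" * 16
    + b";1234567890123456=2512101000000000?"                  # looks like a PAN, fails Luhn
    + ENCRYPTED_BLOB
)

if __name__ == "__main__":
    for hit in scan_for_track_data(SAMPLE_MEMORY):
        print(hit)
    print("hits in ciphertext:", scan_for_track_data(ENCRYPTED_BLOB))
```

Run against the constructed image, the scanner reports the two cleartext tracks (masked, with expiry) and nothing for the ciphertext blob; the Luhn filter drops the third digit run. The same regex-plus-Luhn logic is what the scrapers themselves implement, which is why encrypting at the read head, rather than on the register, is the control that actually removes the target.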
WHAT TO SECURE?
You are responsible for protecting cardholder data at the point-of-sale and as it flows into the payment system.
• The best step you can take is to not store any cardholder data.
• Compliance with the PCI standards includes protecting:
− Card Readers
− Point-of-Sale Systems
− Store Networks & Wireless Access Routers
− Payment Card Data Storage & Transmission
− Payment Card Data Stored in Paper-based Records
Ensuring Ongoing PCI Compliance
What you need to know when you accept credit cards.
NEUTRALIZING BREACH RISK
Leading retailers and enterprises are implementing the vision of data-centric security today.
Card Present, Card Not Present, Inside the Enterprise: with payment processors or as an internal implementation, for agility and control over data flows and choice of acquirer.
How can this be achieved with minimal disruption and cost?
CARD DATA FLOWS (diagram)
CARD DATA RISKS in the Merchant Ecosystem (diagram): Skimming Risk at the reader, POS Malware Risk, Network Sniffing, Server Malware Risk, Insider Risk.
THREATS TO SENSITIVE DATA
Source: http://www.verizonenterprise.com/DBIR/2013/ (data from 47,000 incidents)
Breaches will happen. The best defense strategy is to neutralize the data.
MAJOR SECURITY BREACHES
Impossible to protect against every vulnerability: IT infrastructures will continue to be breached.
Impossible to keep all data behind a firewall: there is no longer the concept of a "perimeter."
The data must be pervasively protected.
Why has this not happened to date?
PROBLEMS WITH TRADITIONAL DATA PROTECTION
Need to change data structures and applications: a PAN such as 7412 3456 7890 0000 becomes an AES ciphertext like 8juYE%Uks&dDFa2345^WFLERG, which no longer fits the field or the code that handles it.
Fully encrypted data is unusable until decrypted (Ija&3k24kQotugDF2390^320OWioNu2(*872weWaasIUahjw2%quiFIBw3tug^5a …).
Key Management can be a nightmare.
Requires multiple piecemeal solutions, which create multiple security gaps.
MULTIPLE SOLUTIONS WITH MULTIPLE SECURITY GAPS (diagram)
Data ecosystem layers: Storage, File Systems, Databases, Data & Applications, Middleware, Authentication Management.
Traditional IT infrastructure security controls per layer: Disk Encryption, Database Encryption, SSL/TLS/Firewalls.
Threats to data at each layer: Malware and Insiders; SQL Injection and Malware; Traffic Interceptors; Malware and Insiders; Credential Compromise.
Each control covers only its own layer, so data security coverage is partial, with a security gap between every pair of controls.
WHAT IF?
What if data could be persistently protected, such that if stolen it had no value, while maintaining data usability?
• Reduced risk of sensitive data loss.
• Reduced costs of compliance.
• Increased value of your data.
• Say "yes" more often!
© 2014 FishNet Security Inc. All rights reserved.
DATA PROTECTION ADVANTAGES
Minimal change to data structures and applications: with FPE the PAN 7412 3456 7890 0000 becomes 7412 3423 3526 0000 (same length, same character set, leading six and trailing four digits preserved), versus the AES ciphertext 8juYE%Uks&dDFa2345^WFLERG.
Protected data behaves correctly in applications and analytics: format, structure and behavior are preserved, versus the unusable ciphertext Ija&3k24kQotugDF2390^320OWioNu2(*872weWaasIUahjw2%quiFIBw3tug^5a …
Example record with format-preserving protection applied:
Name | SS# | Salary | Address | Enroll Date
Kwfdv Cqvzgk | 161-82-1292 | 100000 | 2890 Ykzbpoi Clpppn, CA | 10/17/2005
Simplified operations via Stateless Key Management: policy-controlled, dynamically generated keys, versus a key database.
End-to-end security within a consistent data protection framework.
VOLTAGE PROVIDES PROTECTION (diagram)
The same layers (Storage, File Systems, Databases, Data & Applications, Middleware, Authentication Management), per-layer controls (Disk Encryption, Database Encryption, SSL/TLS/Firewalls) and threats (Malware, Insiders, SQL Injection, Traffic Interceptors, Credential Compromise) as the MULTIPLE SOLUTIONS slide, with Voltage Data-Centric Security shown providing End-to-End Data Protection across the whole data ecosystem instead of leaving security gaps between the controls.
VOLTAGE PRODUCT LINES: DATA-CENTRIC TECHNOLOGIES
• Format-Preserving Encryption (FPE): protect structured data while maintaining functional and analytic integrity of the data.
• Secure Stateless Tokenization (SST): high-octane tokenization performance without database management headaches.
• Page-Integrated Encryption (PIE): extends end-to-end protection to the browser, through and beyond the SSL tunnel.
• Minimizes implementation time while maximizing data value.
Example record:
Live Data: First Name: Gunther / Last Name: Robertson / DOB: 02-07-1966 / SSN: 934-72-2356
Traditional Encryption: Ija&3k24kQotugDF2390^320OWioNu2(*872weWaasIUahjw2%quiFIWUYBw3Oiuqwriuweuwr%oIUOw1@
Voltage FPE: First Name: Uywjlqo / Last Name: Muwruwwbp / DOB: 08-06-1972 / SSN: 298-24-2356
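To make the format-preserving behavior concrete (the SSN above keeping its dash layout and last four digits, the PAN on the DATA PROTECTION ADVANTAGES slide keeping its first six and last four), here is an added example in Python. It is not code from the webinar, not Voltage's FPE and not NIST FF1: it is a generic ten-round Feistel network over decimal digits with HMAC-SHA256 standing in for FF1's AES-based round function, applied to the middle digits of a PAN with the preserved leading and trailing digits bound in as the tweak. The key, the round function, the sample PAN handling and the helper names are assumptions for illustration.

```python
"""Format-preserving encryption of the middle digits of a PAN.

Added illustration only: an FFX-style Feistel network with an HMAC-SHA256
round function standing in for FF1's AES-based PRF. Not Voltage FPE, not
NIST FF1, and not reviewed for production use.
"""
import hashlib
import hmac

RADIX = 10
ROUNDS = 10  # FF1 also uses ten rounds; the round function here is a substitute


def _prf(key: bytes, tweak: bytes, rnd: int, half: str, width: int) -> int:
    """Round function: HMAC over (tweak, round number, the other half), reduced to `width` digits."""
    mac = hmac.new(key, tweak + bytes([rnd]) + half.encode("ascii"), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % (RADIX ** width)


def _split(digits: str):
    if len(digits) < 2 or not digits.isdigit():
        raise ValueError("need at least two decimal digits")
    u = len(digits) // 2
    return u, len(digits) - u, digits[:u], digits[u:]


def fpe_encrypt(key: bytes, tweak: bytes, digits: str) -> str:
    """Encrypt a digit string to a digit string of the same length."""
    u, v, a, b = _split(digits)
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else v  # width of the half being replaced this round
        c = (int(a) + _prf(key, tweak, i, b, m)) % (RADIX ** m)
        a, b = b, str(c).zfill(m)
    return a + b


def fpe_decrypt(key: bytes, tweak: bytes, digits: str) -> str:
    """Inverse of fpe_encrypt: run the rounds backwards, subtracting instead of adding."""
    u, v, a, b = _split(digits)
    for i in reversed(range(ROUNDS)):
        m = u if i % 2 == 0 else v
        c = (int(b) - _prf(key, tweak, i, a, m)) % (RADIX ** m)
        a, b = str(c).zfill(m), a
    return a + b


def _parts(value: str, keep_head: int, keep_tail: int):
    digits = "".join(ch for ch in value if ch.isdigit())
    cut = len(digits) - keep_tail
    return digits[:keep_head], digits[keep_head:cut], digits[cut:]


def _group4(digits: str) -> str:
    return " ".join(digits[i:i + 4] for i in range(0, len(digits), 4))


def protect_pan(key: bytes, pan: str, keep_head: int = 6, keep_tail: int = 4) -> str:
    """Encrypt only the middle digits. The BIN and last four stay clear, as on the slides,
    and are used as the tweak so equal middles under different BINs encrypt differently."""
    head, mid, tail = _parts(pan, keep_head, keep_tail)
    return _group4(head + fpe_encrypt(key, (head + tail).encode("ascii"), mid) + tail)


def unprotect_pan(key: bytes, protected: str, keep_head: int = 6, keep_tail: int = 4) -> str:
    """Recover the original PAN; only a holder of the key can do this."""
    head, mid, tail = _parts(protected, keep_head, keep_tail)
    return _group4(head + fpe_decrypt(key, (head + tail).encode("ascii"), mid) + tail)


if __name__ == "__main__":
    KEY = bytes(range(32))            # constructed demo key, never reuse
    pan = "7412 3456 7890 0000"       # the PAN shown on the slides
    prot = protect_pan(KEY, pan)
    print(pan, "->", prot, "->", unprotect_pan(KEY, prot))
```

The protected value is still sixteen digits in four groups, passes the same field validation, and decrypts only with the key. Two properties worth noting when adopting the technique: the output is deterministic for a given key and tweak, which is what lets protected PANs join and group correctly across systems but also means equal PANs stay recognisably equal; and with six leading and four trailing digits in the clear, the encrypted middle has only a million possible values, so the scheme's strength rests entirely on keeping the key out of the applications that hold the protected data.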
CARD PRESENT DATA (diagram)
Securing card present data from advanced threats: Secure Payment Card Readers -> Point of Sale (POS) -> Retail Store IT -> Authorization Gateway -> Merchant Acquirer -> Issuing Bank & Merchant Banks.
Once the card is processed, Tokenization replaces the live card data after authorization.
CARD NOT PRESENT: End-to-End Protection with PIE (diagram)
Consumer Browser -> Merchant Web Server / e-com Apps -> Merchant Authorization Gateway -> Merchant Acquirer -> Issuing Bank & Merchant Banks.
With PIE the card data is protected in the consumer's browser, so the merchant web server and e-commerce applications in between handle only protected data rather than the live PAN that TLS alone would deliver to them in the clear.
TOKENIZATION: Securing Data After Payment Authorization (diagram)
PAN 7412 3477 6024 2273 -> Tokenized PAN 7412 3423 3526 4953 (format-preserved protected data using data-centric technology); other tokens shown: 7412 3495 9493 9293.
Card data enters through Payment Feeds, Files, Payment API, IVR, e-Commerce and Stores/Branches into the Payment Front End Processors.
Only tokenized PANs flow onward to Enterprise Applications (Logs & Reports, Fraud Detection), Payment Applications, Customer Service Applications, Outsourced Customer Service and Financial Data Systems (Data Warehouse, Hadoop, CRM, Analytics), leaving a small CDE.
MAJOR SECURITY BREACHES
End-to-end encryption and tokenization neutralize breach risks: remove live data, end-to-end encrypt data upstream, tokenize data back downstream, and encrypt/tokenize in the acquirer or the internal enterprise.