Fighting Today s Cybercrime

45  Download (0)

Full text

(1)

Fighting Today’s Cybercrime

Ongoing PCI Compliance Using Data-Centric

Security Technologies

(2)

All phone lines have been muted for the duration of the webinar.

At any time, you can type questions in the Q&A box at the

bottom of your screen.

A recording of this webinar will be available at:

http://www.fishnetsecurity.com/6labs/resource-library

.

(3)

INTRODUCTIONS

Brian Serra, PCIP, CISSP, ASV

PCI Practice Director

FishNet Security

Mark Bower

Vice President of Product Management

(4)

WHY PROTECT CONSUMER

CREDIT CARD DATA?

(5)

WHY SECURE?

630+ million computer records containing sensitive personal

information have been involved in security breaches in the U.S.

since 2005.

Criminals are shifting sights to large merchants because of the

massive amount of records.

The public’s opinion is if you are at fault for a security breach,

you will be held liable.

(6)
(7)
(8)

FALLOUT FROM A DATA BREACH

As a merchant, you face many potential negative impacts following a

cardholder data breach.

Fines & Penalties ($5,000–$500,000) + Legal & Reissuing Fees

Termination of ability to accept payment cards

Loss of confidence as customers go to other merchants

Lost sales

Cost of reissuing new payment cards

Legal cost, settlements and judgments

Fraud losses

Higher subsequent compliance costs

Going out of business

(9)

WORLDWIDE BREACH COSTS

The most costly breaches occurred in the U.S. and Germany

at $201 and $195 per compromised record, respectively.

(10)

AVERAGE BREACH COST

A strong security posture was

critical to decreasing the cost of

data breach.

On average, companies with a

strong security posture were able

to reduce the cost by as much as

$14/record.

(11)

TOP TARGET COUNTRIES OF 2013

(12)

TARGETS

(13)

RISKY BEHAVIOR

A survey of businesses in the U.S. and Europe revealed activities that

may put cardholder data at risk:

81% store payment card numbers.

73% store payment card expiration dates.

71% store payment card verification codes

(PROHIBITED)

.

57% store customer data from the payment card magnetic stripe

(PROHIBITED)

.

16% store other personal data.

(14)

WHAT DATA THIEVES ARE AFTER

The object of desire is cardholder data.

By obtaining the Primary Account Number (PAN) and sensitive

authentication data, a thief can impersonate the cardholder using

the number for fraudulent transactions, leaving you with the bill.

Cardholder data can be stolen from many places:

Compromised Card Reader

POS/Register or Back Office Systems

Filing Cabinets

Payment System Database

Hidden Camera Recording Data Entry

Secret Tap into Network

(15)

RECENT RETAIL ATTACK VECTOR

Back-Store Systems

Register

Credit Card Processor

Credit Card is

Exposed

Credit Card is

Protected

ENCRYPTED

UNENCRYPTED

UNENCRYPTED

POS Terminal

POSRAM

BlackPOS

TrojanPOS

(16)

P2PE/E2EE SOLUTION

Back-Store Systems

Register

Credit Card Processor

Credit Card is

Protected

from Swipe to Bank

ENCRYPTED

ENCRYPTED

ENCRYPTED

POS Terminal with P2PE/E2EE

POSRAM

BlackPOS

TrojanPOS

(17)

WHAT TO SECURE?

You are responsible for protecting cardholder data at the point-of-sale

and as it flows into the payment system.

The best step you can take is to not store any cardholder data.

Compliance with the PCI standards includes protecting:

Card Readers

Point-of-Sale Systems

Store Networks & Wireless Access Routers

Payment Card Data Storage & Transmission

Payment Card Data Stored in Paper-based Records

(18)

Ensuring Ongoing

PCI Compliance

What you need to know when you accept credit cards.

(19)

NEUTRALIZING BREACH RISK

Leading retailers and enterprises are implementing the vision of data-centric security today.

Card Present

Card Not Present

Inside the Enterprise

With Payment processors or as an internal implementation for agility

and control over data flows and choice of acquirer

(20)

NEUTRALIZING BREACH RISK

Leading retailers and enterprises are implementing the vision of data-centric security today.

Card Present

Card Not Present

Inside the Enterprise

With Payment processors or as an Internal

Implementation for agility and control over data flows

How can this be achieved with

minimal disruption and cost ?

(21)

CARD DATA FLOWS

(22)

CARD DATA RISKS

In the Merchant Ecosystem

POS Malware Risk

Insider Risk

Server Malware Risk

Network Sniffing

Skimming Risk

(23)

THREATS TO SENSITIVE DATA

(24)

THREATS TO SENSITIVE DATA

Source:

http://www.verizonenterprise.com/DBIR/2013/

- data from 47,000 incidents

Breaches will happen. The best defense strategy is to neutralize the data.

(25)

MAJOR SECURITY BREACHES

Impossible to protect against every vulnerability –

IT infrastructures will continue to be breached.

Impossible to keep all data behind a firewall –

there is no longer the concept of a “perimeter.”

The data must be pervasively protected.

Why has this not happened to date?

(26)

PROBLEMS WITH TRADITIONAL DATA PROTECTION

Need to change data structures and applications.

7412 3456 7890 0000

8juYE%Uks&dDFa2345^WFLERG

AE

S

Fully encrypted data is unusable until decrypted.

Ija&3k24kQotugDF2390^320OWioNu2(*872weWaasIUahjw2%quiFIBw3tug^5a

?

Key Management can be a nightmare.

Requires multiple piecemeal solutions,

which create multiple security gaps.

(27)

MULTIPLE SOLUTIONS

With Multiple Security Gaps

Storage

File Systems

Databases

Data & Applications

Traditional IT

Infrastructure Security

Disk Encryption

Database Encryption

SSL/TLS/Firewalls

Security Gap

Security Gap

Security Gap

Security Gap

SSL/TLS/Firewalls

Authentication

Management

Middleware

Threats to

Data

Malware,

Insiders

SQL Injection,

Malware

Traffic

Interceptors

Malware,

Insiders

Credential

Compromise

Data

Ecosystem

D

ata

Se

cu

ri

ty

C

ov

er

ag

e

Security

Gaps

(28)

WHAT IF?

Reduced risk of sensitive

data loss.

Reduced costs of compliance.

Increased value of your data.

Say “yes” more often!

Such that if stolen, it had

No Value?

Data could be

Persistently Protected?

While maintaining

Data Usability?

(29)

© 2014 FishNet Security Inc. All rights reserved.

DATA PROTECTION ADVANTAGES

Minimal change to data structures and applications.

7412 3423 3526

0000

7412 3456 7890 0000

FP

E

7412 3456 7890 0000

8juYE%Uks&dDFa2345^WFLERG

AE

S

versus

Protected data behaves correctly in applications and analytics.

Ija&3k24kQotugDF2390^320OWioNu2(*872weWaasIUahjw2%quiFIBw3tug^5a

?

Preserve format, structure and

behavior

versus

Name

SS#

Salary

Address

Enroll Date

Kwfdv Cqvzgk

161-82-

1292

100000 2890 Ykzbpoi Clpppn,

CA

10/17

/2005

Simplified operations via Stateless Key Management.

Policy controlled,

dynamically generated keys

Key Database

versus

End-to-end security within a consistent

data protection framework.

(30)

VOLTAGE PROVIDES PROTECTION

Storage

File Systems

Databases

Data & Applications

Traditional IT

Infrastructure Security

Disk Encryption

Database Encryption

SSL/TLS/Firewalls

Security Gap

Security Gap

Security Gap

Security Gap

SSL/TLS/Firewalls

Authentication

Management

Middleware

Threats to

Data

Malware,

Insiders

SQL Injection,

Malware

Traffic

Interceptors

Malware,

Insiders

Credential

Compromise

Data

Ecosystem

D

ata

Se

cu

ri

ty

C

ov

er

ag

e

Security

Gaps

Voltage Data-Centric

Security

En

d-to

-En

d

D

at

a Pr

ot

ec

ti

on

(31)

VOLTAGE PRODUCT LINES

(32)

DATA-CENTRIC TECHNOLOGIES

Format-Preserving Encryption (FPE)

Secure Stateless Tokenization (SST)

Page-Integrated Encryption (PIE)

Protect structured data while maintaining

functional and analytic integrity of the data.

High-octane tokenization performance without

database management headaches.

Extends end-to-end protection to browser, through

and beyond the SSL tunnel.

Minimizes implementation time while maximizing

data value.

First Name: Gunther

Last Name: Robertson

DOB: 02-07-1966

SSN: 934-72-2356

First Name: Uywjlqo

Last Name: Muwruwwbp

DOB:

08-06-1972

SSN:

298-24-

2356

Ija&3k24kQotugDF2390^32

0OWioNu2(*872weWaasIUahjw2%qui

FIWUYBw3

Oiuqwriuweuwr%oIUOw1@

Live Data

Traditional Encryption

Voltage FPE

(33)

CARD PRESENT DATA

Securing card present data from advanced threats.

Secure

Payment

Card Readers

Retail Store

IT

Authorization

Gateway

Merchant

Acquirer

Point of

Sale (POS)

Issuing

Bank &

Merchant

Banks

Once the card is

processed,

Tokenization

replaces the live

card data after

authorization.

(34)

CARD NOT PRESENT

End-to-End Protection with PIE

Consumer

Browser

e-com Apps

Merchant

Authorization

Gateway

Merchant

Acquirer

Merchant

Web Server

Issuing

Bank &

Merchant

Banks

(35)

TOKENIZATION

Securing Data After Payment Authorization

PAN:

7412 3477 6024

2273

Tokenized PAN:

7412 34

23 3526

495

3

Format Preserved Protected Data

Using Data-Centric Technology

Tokenized PAN:

7412 34

23 3526

495

3

Tokenized PAN:

7412 34

95 9493

929

3

Tokenized PAN:

7412 34

95 9493

929

3

Enterprise

Applications

Logs & Reports,

Fraud Detection

Payment

Applications

Customer Service

Applications

Outsourced

Customer

Service

Payment

Front End

Processors

Financial

Data

Systems

Data Warehouse,

Hadoop, CRM,

Analytics

Payment Feeds

Files

Payment API

IVR

e-Commerce

Stores/Branches

Small

CDE

(36)

MAJOR SECURITY BREACHES

End-to-end encryption and tokenization neutralize breach risks.

Remove

Live Data

Remove

Live Data

End-to-End Encrypt

Data

Upstream

Tokenize Data Back

Downstream

Encrypt/Tokenize

in the acquirer or

internal enterprise

(37)

© 2014 FishNet Security Inc. All rights reserved.

HOW DOES EMV HELP?

EMV is coming to the United States.*

Already well established in Europe.

Fraud liability shift in 2015 to U.S. merchants.

Provides transaction authenticity.

Card authentication, but no PAN encryption.

Enables card and terminal risk decisions.

Reduces Card Present fraud as cloning is hard.

Card Not Present is unchanged.

Fraud shifts to e-commerce.

What is the best approach?

EMV + P2PE + Tokenization together.

Source:

*http://usa.visa.com/download/merchants/bulletin-us-participation-liability-shift-080911.pdf

(38)

SUCCESS

Success at a Top Five National U.S. Retailer

PCI scope and risk reduction project.

Opportunity for huge annual cost savings.

Reduce risks in legacy POS.

More than 65,000 POS terminals across 35,000 locations.

Integrated with POS & Multi-function checkout systems.

Total control for the merchant over data flow to third party host.

High Performance transaction processing.

Replace card readers with end-to-end encryption Ingenico and Voltage technology.

Secures payment data from read to third party host.

End-to-end with no gaps or exposure.

POS never sees live data and operates on protected data.

Dual business benefit:

Dramatic PCI compliance cost reduction.

(39)

SUCCESS

Success at a Global Acquirer – Risk Reduction & Compliance

Top Global Internet Payment Processor

Competitive Driver, Compliance & Risk Reduction

End-to-End Encryption: Card present and card not present (e-commerce).

Tokenization: replace in-house.

Card not present (SecureData Web).

Critical Requirements

Global solution: high scale, high volume.

More than 500,000 merchants.

Approximately 50% of internet e-commerce.

Solution & Benefits

Data-centric security for all payments transactions – Reduced threats.

PCI Scope Reduction for merchants and payment acquirer.

(40)

DATA-CENTRIC SECURITY ROI*

$800,000 investment over 5 years

Phased in data-centric approach

Cost savings over 5 years is more than

$4.25 million

3-4 month audit in less than two weeks

Approximately 0.1 FTE per Datacenter

Multiple applications

Mainframe, Open Systems, CRM

Travel, banking and insurance

More than 600 retail locations

Annual Cost

($U.S.)

$1.2m

$0.15m

$0.35m

$0.70m

2009

2010

2011

2012

2013

$0.15m

PCI Compliance net cost

Data-centric security investment

(41)

PCI COMPLIANCE & SCOPE REDUCTION

Provide end-to-end security of credit/debit card data for:

Payment processors.

Merchant and issuing banks.

Retailers and on-line merchants.

Use tokenization to reduce audit scope and decrease compliance costs

up to 95%.

Go beyond compliance to full data security.

Authorization

Gateway

Issuing &

Merchant

Banks

Consumer

(42)

CONCLUSION

Organizations are continuing to suffer data breaches.

Infrastructure security is just not enough.

Voltage provides a unique set of data-centric solutions that:

Offer format-preserving encryption and stateless tokenization to simplify

implementation and operation.

Provide consistent data protection within and between data environments

and devices.

Offer scalable, high-performance solutions that have been broadly adopted

across the industry.

Deploy your data where, when and to whom you need,

(43)

REDUCE SCOPE, COST & RISK

Tokenization

P2PE/E2EE: Point-to-Point Encryption or End-to-End Encryption

Outsourcing to PCI-Compliant Third Party

(44)

FINAL RECOMMENDATIONS

Review the v3.0 DSS closely with your QSA to determine if a gap analysis is

recommended.

Incorporate Business-as-Usual to maintain security and compliance.

Maintain a documented CDE inventory and network diagrams with data flows.

Ensure in-house developed payment apps securely handle PAN/SAD in memory.

Physically secure and inspect POS terminals periodically, including validating

any third parties’ authorization to access devices.

(45)

THANK YOU

Brian Serra, CISSP | PCIP | ASV

PCI Practice Director

FishNet Security

Brian.Serra@fishnetsecurity.com

Mark Bower

Vice President of Product Management

Voltage Security

Figure

Updating...

References

Related subjects :