Retail Roundtable: Payment System Cyber Attacks Preparing, Protecting, and Responding. June 11, 2014


(1)

Retail Roundtable: Payment System Cyber Attacks – Preparing, Protecting, and Responding

(2)

Panel Members

Craig Hoffman, Partner
T: 513.929.3491 C: 513.227.3286 [email protected] www.dataprivacymonitor.com @BakerPrivacy @Craig_Hoffman

James Zerfas, Chief of Security Technology
[email protected]

David Damato, Director
[email protected]

Jason Maloni, SVP & Chair of the Litigation Practice
T: 202.973.1335 C: 202.834.9677 [email protected] @levick daily.levick.com

Spencer Timmel, Privacy Liability and Network Security
T: 513-354-1656 C: 513-518-1535

(3)
(4)

GLOSSARY

PCI DSS = Payment Card Industry Data Security Standard

PFI = PCI Forensic Investigator

QSA = Qualified Security Assessor

ROC = Report on Compliance

ADCR = Account Data Compromise Recovery

GCAR = Global Compromised Account Recovery

CPP = Common Point of Purchase

PAN = primary account number

CVV = card verification value

(5)

PCI Stakeholders

Credit Card Brands (e.g. Visa, MasterCard)

Issuing Banks

Acquiring Banks/Credit Card Processors

Merchants

PCI Security Standards Council (SSC)

Assessors

(6)
(7)
(8)

Stages of a PCI Breach

Discovery of incident (e.g. a CPP report)

Engagement of PFI

Calls with the acquirer/processor & card brands

Preliminary PFI report

Issuance of proactive alerts for at risk accounts

Final PFI report

Issuance of final alerts for at risk accounts

Remediation & revalidation of PCI DSS

GCAR, ADCR, DSOP process (fraud & reissuance costs)

Fines and fees

(9)
(10)
(11)
(12)

Card Brand Assessment Programs

• Fines for non-compliance with PCI DSS

• Case management fee

• Fines for non-cooperation

• Assessments to recover from the acquirer and reimburse issuers:

– Operating expenses (heightened monitoring and card reissuance)

(13)

Visa’s Program is GCAR

GCAR Qualification (Updated)

Effective for Qualifying CAMS Events or VAB Events in which the first or only alert is sent on or after 15 May 2012, Visa will determine Account Data Compromise Event qualification, Counterfeit Fraud Recovery and Operating Expense Recovery amounts, Issuer eligibility, and Acquirer liability under the Global Compromised Account Recovery (GCAR) program, in accordance with the Visa Global Compromised Account Recovery (GCAR) Guide. To qualify an Account Data Compromise Event under GCAR, Visa must determine that all of the following criteria have been met:

• A Payment Card Industry Data Security Standard (PCI DSS), PIN Management Requirements Documents, or Visa PIN Security Program Guide violation has occurred that could have allowed a compromise of Account Number and Card Verification Value (CVV) Magnetic-Stripe Data, and PIN data for events also involving PIN compromise

• Account Number and CVV Magnetic-Stripe Data has been exposed to a compromise

• 15,000 or more eligible accounts were sent in CAMS Internet Compromise (IC) and/or Research and Analysis (RA) alerts indicating Account Number and CVV Magnetic-Stripe Data is potentially at Risk

• A combined total of US $150,000 or more Counterfeit Fraud Recovery and Operating Expense Recovery for all Issuers involved in the event

• Elevated Magnetic-Stripe counterfeit fraud was observed in the population of eligible accounts sent in the CAMS Alert(s) associated with the Account Data Compromise Event

(14)
(15)
(16)

What Causes a Breach to go Viral

Record Setting Loss

Sensitive Community Affected

Competitive Media Markets

Concentration of Affected Parties in One Area

Delay in Notification

Customer Complaints Unanswered

(17)
(18)

Effective Response

Clear and Thorough

Compassionate

Responsive to Audience (employees, customers, data holders)

Aggressive

(19)
(20)
(21)

PCI Forensic Investigations

• Supported by PFI

• Requires reporting to card brands, in two stages

– A preliminary report within 5 days

– A final report detailing the incident

(22)

Investigate Like a Pro

• Limit the cost / pain of the investigation

– Select the right PFI

• Mitigate risk / reduce a breach’s scope

– Implement a secure network architecture

– Maintain proper logs and documentation

• Don’t make assumptions

– Verify third party claims

– Verify internal actions

(23)
(24)

Retail Cyber Exposures & Insurability

Credit Card Data

Advertising & Social Media

Other

Forensics

Defamation, Libel, Slander

Employee Data

Public Relations

Product Disparagement

Loss of other Sensitive Info

Customer Notification

Intellectual Property Infringement

Virus Transmission

Credit Monitoring

Misleading Advertising

Denial of Service

Reg. Defence, Fines & Penalties

PCI Fines & Penalties

Business Interruption & EE

Loss of Customers: Rep Injury

Privacy Liability Class Actions

Bank Card Reissuance Liability

Data Restoration

Extortion Demands

(25)

Card Data Breach Costs - What’s the Right Number?

Ponemon Institute Cost of a Data Breach, 2014

• $201/record: US

• $105/record: Retail

NetDiligence 2013 Cyber Paid Claims Study

• $97/record: median?

• $307/record: average?

Public Information on Past Card Data Breaches

• 130 Million Cards: $150mm: $1.15 per card?

• 46 Million Cards: $250mm: $5.44 per card?

• 40 Million Cards: $61 million in first 3 months: Total Cost: t.b.d.?

• Somewhere in between?

(26)

Increasing Exposure

75% of automated opportunistic attacks hit the Retail/Trade or Accommodation/Food Service industries (Verizon Data Breach Investigations Report)

Increased Regulatory Scrutiny: FTC, SEC, State AG

Plaintiffs Bar continues to show their creativity

(27)

Gap Analysis

Traditional Coverages Are Not Adequate

General Liability Insurance

– Coverage for bodily injury or property damage

- Intentional acts are excluded

- Intangible property is excluded

Property Insurance

– Coverage for loss of tangible property caused by a covered peril

- Computer viruses are excluded

- Intangible property is excluded

- Business interruption coverage only applies if there is a direct physical loss of or damage to covered property

Crime Insurance

– Coverage for theft of money, securities or other property

- No coverage for theft of information, trade secrets and other confidential information

Directors & Officers Liability Insurance

– Coverage for claims alleging acts, errors and/or omissions committed by directors or officers of a company in their capacity

Errors & Omissions Liability Policies

– Coverage for claims resulting from an Insured’s rendering or failure to render professional services to others for a fee

(28)

Global Cyber Coverage Marketplace

Global Annual Cyber Premiums estimated $1.0 to $1.5 billion

Global Capacity: approximately $300 million: All industries

Card Data Capacity post 2013 breaches:

Best In Class Insureds: $175-200mm

40+ Domestic Carriers, 20+ Lloyd’s Syndicates and elsewhere

Domestic vs Lloyd’s Placements

Developing Coverage

(29)

Loss Mitigation Tools

• Employee Training and Compliance

• Remote scanning of web-facing external infrastructure for vulnerabilities

• Plug-in technology that shuns bad IP addresses, preventing them from entering and exiting a company’s network

• Limited Free Consultation

• Data Security Assessments

(30)

Spencer Timmel, CIPP/US, CIPM, CITRMS

Spencer serves as the Network Security & Privacy Liability Product Leader. He provides risk management consultation and support to large revenue companies and manages the placements of their cyber programs.

Spencer has over 14 years of industry experience and holds several cyber industry designations: CIPP/US, CIPM, CITRMS.

(31)
(32)

Merchant Risk and Security

© Copyright 2013 Vantiv, LLC. All rights reserved. Vantiv, and the Vantiv logo, and all other Vantiv product or service names and logos are registered trademarks or trademarks of Vantiv, LLC in the USA and other countries.® Indicates USA registration.

(33)

The Cost of Crime

[Diagram: Theft → Fraud → Carding; Merchant → Cardholder Data]

$10B Global Card Fraud Losses (2012)
Source: The Nilson Report, August 2013

$3.4B Impact of Data Breaches (2012)
Sources: Verizon 2012 Data Breach Investigations Report; The Ponemon Institute, 2013 Cost of Data Breach Study

Lost, Stolen, Counterfeit Cards

Fines, Remediation Costs, Reimbursements

(34)

Risks and Solutions

Fraud / Theft

Physical Attacks

System Breach

Account Data Compromise

Counterfeit Cards

Lost/Stolen Cards

Solutions: P2PE / Tokens | EMV Chip | EMV PIN | Policy & Inspection

(35)

Surrogate Values

[Diagram: ISV ↔ Vantiv]

P2PE: Encrypt / Decrypt

Tokens: Tokenize / DeTokenize
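The slide names the two surrogate-value mechanisms without showing what the merchant side ends up holding. The following is an added example, not Vantiv's or the panel's code: a hypothetical processor-side token vault that swaps a PAN for a random, non-Luhn-valid surrogate with the last four digits kept, plus the PCI DSS display mask. The vault class, key and fingerprinting scheme are assumptions for illustration; real P2PE/tokenization services define their own formats.

```python
import hashlib
import hmac
import secrets

DIGITS = "0123456789"

def luhn_valid(pan):
    """Luhn check digit test: true for a well-formed PAN, false for our surrogate tokens."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                        # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan):
    """PCI DSS display masking: at most the first six and last four digits are shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

class TokenVault:
    """Hypothetical processor-side vault (the 'Vantiv' box in the slide).
    The merchant never holds this object; it only stores what tokenize() returns."""
    def __init__(self):
        self._pan_by_token = {}
        self._token_by_fp = {}
        self._fp_key = secrets.token_bytes(32)  # keyed index so the vault's lookup table is not a raw PAN list

    def _fingerprint(self, pan):
        return hmac.new(self._fp_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan):
        if not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        fp = self._fingerprint(pan)
        if fp in self._token_by_fp:           # same card -> same token, so repeat-customer
            return self._token_by_fp[fp]      # analytics work without ever seeing the PAN
        while True:
            body = "".join(secrets.choice(DIGITS) for _ in range(len(pan) - 4))
            token = body + pan[-4:]           # keep last four for receipts and lookups
            if token not in self._pan_by_token and not luhn_valid(token):
                break                         # never collides with, or passes as, a real PAN
        self._pan_by_token[token] = pan
        self._token_by_fp[fp] = token
        return token

    def detokenize(self, token):
        """Only the processor calls this (e.g. for refunds); an unknown token fails closed."""
        return self._pan_by_token[token]
```

Because the merchant's database holds only the token and the masked PAN, a system breach on the merchant side yields nothing that satisfies the GCAR "Account Number ... exposed" criterion, which is what the slide's descoping goal refers to.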

(36)

Risk Spectrum

Merchant Goals: Non-Compliant → Compliant → Risk Reducing → Descoping → Active Risk Management

Address / Reduce / Manage

(37)

Atlanta

Chicago

Cincinnati

Cleveland

Columbus

Costa Mesa

Denver

Houston

Los Angeles

New York

Orlando

Philadelphia

Seattle

Washington, DC

www.bakerlaw.com

These materials have been prepared by Baker & Hostetler LLP for informational purposes only and are not legal advice. The information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this information without seeking professional counsel. You should consult a lawyer for individual advice regarding your own situation. ©2014 Baker & Hostetler LLP. All Rights Reserved.
