Identifying Security Issues in the Retail Payment System
Federal Reserve Bank of Chicago
Ellen Richey, Chief Enterprise Risk Officer, Visa Inc.
June 5, 2008
Visa Public
Agenda
1. The Data Security Landscape
2. Recent Trends
3. Visa's Strategy
4. Working with the Public Sector
Complex Payment Landscape
[Diagram: the US payment ecosystem of issuers, acquirers, processors, ISOs, merchants, gateways and the many categories of third-party vendors around them (call center, fulfillment, chargeback, archiving, loyalty, direct mail, marketing, fraud monitoring, data entry, collections, card embossers, couriers, telecom, POS software and hardware), each annotated with an illustrative count of participants. Visa cards: >400 million; merchants: >5 million; issuers: 13,000+; acquirers: 250+. Visa Inc. and Visa Europe; numbers illustrative, US market only.]
Sophisticated and Organized Criminals
Estimated market value of compromised accounts* along the criminal supply chain (Recon / Hacker, Data Cleanser / Aggregator, Seller, Cracker, Customer / Reseller):
• Account number only, no plastic: $1
• Classic or Gold/Plat/Corp account number with CVV2, no plastic: $15
• Track data, no plastic: $30
• Semi-finished (white plastic): track data and blank plastic: $80 - $100
• Complete counterfeit (finished gold plastic): $250
• Finished card with PIN: $1,000**
*Source: The United States Secret Service
**Typically track data and PIN not for sale; profit share arrangement amongst criminals; estimated criminal profit per card
Cardholder Concerns About Card Use
Security and protection of personal information now tops consumer concerns… Despite concerns, Visa cardholders recognize they are protected from fraud.
• That you may become a victim of identity theft: 43%
• That your card may be used to make a fraudulent transaction: 16%
• You may be accumulating too much debt: 15%
• That your personal information may be stored by the merchant: 14%
• You might be charged a transaction fee: 3%
• The store doesn't accept your card brand: 2%
• Your card may be declined: 1%
• None of these: 3%
• Don't Know/Refused: 3%
Source: Security and Fraud: National Survey of Cardholders, Fabrizio, McLaughlin & Assoc., Dec 2007
Recent Trends
• The number of compromise incidents in the U.S. is rising
  – Trend suggests Level 4 merchants targeted
  – Level 1 merchant compromises subsiding
• Incidents outside the U.S. are also increasing
• But global fraud rates have remained stable since 2002
  – Visa and system participants have been more effective at combating fraud
  – Mix of fraud is changing
    • Lost and Stolen is on the decline
    • Counterfeit and Card-Not-Present are now category leaders
Visa's Strategy: Maintain Trust in Visa Payments
PROTECT: Keep Data Out of Criminal Hands
PREVENT: Prevent Thieves from Using Stolen Data
RESPOND: Monitor and Manage Incidents to Reduce Impact
Partner with Clients & Stakeholders
Top System Vulnerabilities

Vulnerability: Storing prohibited data (Track, CVV2, PIN)
  Remediation Efforts: Delete stored data; prevent future storage; replace vulnerable software
  Applicable Standards: PCI DSS; PCI PA-DSS; PCI PED; PIN Security Requirements

Vulnerability: Out of date security / systems patches
  Remediation Efforts: Establish policies, procedures and processes for maintaining and updating systems that handle sensitive data
  Applicable Standards: PCI DSS; PCI PA-DSS

Vulnerability: Inadequate perimeter and network security
  Remediation Efforts: Execute disciplined firewall policy management; conduct routine penetration tests of all systems
  Applicable Standards: PCI DSS

Vulnerability: Weak wireless security
  Remediation Efforts: Utilize strong encryption to protect wireless environments
  Applicable Standards: PCI DSS

Vulnerability: SQL injection attacks
  Remediation Efforts: Conduct regular testing of susceptibility to SQL injection utilizing automated tools or manual techniques
  Applicable Standards: PCI DSS
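The first row of the table, prohibited data sitting in logs and databases, is the one a practitioner most often has to verify. The following is an added example, not from the presentation, of a small Python scanner that flags Track 1, Track 2, CVV2 key-value and bare PAN patterns in constructed sample log lines, using a Luhn check to cut false positives; the log lines and the test account number are constructed.

```python
import re

# Constructed sample lines, written the way a POS application might (wrongly) log them.
# 4111111111111111 is a well-known Luhn-valid Visa-range test number, not a real account.
SAMPLE_LOG = """\
2008-06-05 10:01:02 auth ok  txn=1001 amount=42.10 last4=1111
2008-06-05 10:01:03 debug raw=%B4111111111111111^DOE/JOHN^2512101123456789?
2008-06-05 10:01:04 debug track2=;4111111111111111=25121011234567890?
2008-06-05 10:01:05 debug cvv2=123 pan=4111111111111111
2008-06-05 10:01:06 info  ref=4111111111111112 (not a card, fails Luhn)
"""

# Track 1: %<format code><PAN>^<name>^<YYMM expiry>...  Track 2: ;<PAN>=<YYMM expiry>...
TRACK1 = re.compile(r"%[A-Z](\d{13,19})\^[^^?]{2,26}\^\d{4}")
TRACK2 = re.compile(r";(\d{13,19})=\d{4}")
PAN_ONLY = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")
CVV2_KV = re.compile(r"\bcvv2?\s*[=:]\s*\d{3,4}\b", re.I)

def luhn_ok(digits):
    """Luhn mod-10 check; filters out most reference numbers that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def classify(line):
    """Return the list of prohibited-data findings for one log line."""
    findings = []
    m = TRACK1.search(line)
    if m and luhn_ok(m.group(1)):
        findings.append("track1")
    m = TRACK2.search(line)
    if m and luhn_ok(m.group(1)):
        findings.append("track2")
    if CVV2_KV.search(line):
        findings.append("cvv2")
    # A bare PAN is only reported when no track finding already covers it.
    if not ({"track1", "track2"} & set(findings)) and any(luhn_ok(p) for p in PAN_ONLY.findall(line)):
        findings.append("pan")
    return findings

def scan(text):
    """Scan a whole log; returns (line number, findings) for each offending line."""
    return [(n, f) for n, l in enumerate(text.splitlines(), 1) if (f := classify(l))]
```

The same patterns can be run over database dumps or disk images; a hit on track data or CVV2 is a storage violation regardless of where it is found.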
Working with the Public Sector
• Public Officials:
  – Consistent public policy to effectively and efficiently secure the payment system
  – Data security legislation with reasonable security requirements, risk-based notifications, and national uniform standards
  – Global law enforcement initiatives to prosecute criminal organizations
• Visa:
  – Education and training for public agencies, regulators, and law enforcement
  – Investigative support for law enforcement and other stakeholders
Final Thoughts on Security
Protecting the payment system is a shared responsibility for all payment system participants. Everyone has an important role to play:
• Processors
• Issuers
• Third Party Agents
• Acquirers
• Public / Government Officials
• Merchants
• Law Enforcement
• Cardholders