Credit Card Data Security CS7403, University of Tulsa Tyler Moore

Agenda How the Internet has changed credit card fraud The quest to secure credit card data: PCI DSS Efforts to improve CNP e-commerce payments

Credit Card Networks

Credit Card Fraud Pre-Internet Card-present fraud Criminals created counterfeit cards using copied magstrip details Card-based countermeasures: CVVs, then EMV Network-based countermeasures Terminal maintains hot card list of stolen card #s Merchant floor limits: any transaction over this limit requires online/phone authorization to card network

Card Fraud is Cyclical UK Card Fraud, Source: UK Payments Administration

Credit-card Fraud Pre-Internet Card-not-present transactions Mail-order and telephone order transactions Higher risk because criminal simply needs CC#, expiry to carry out fraud, not load onto card Liability rules set by card networks for mag-strip cards Regulations limit cardholder liability for fraud Card-present fraud: issuer pays Card-not-present fraud: merchant pays Once commerce moves online, burden for fraud shifts from issuers to merchants

Recall: Shift from Card-Present to CNP Fraud following EMV deployment UK Card Fraud, Source: UK Payments Administration

How the Internet has Changed the Nature of Card Fraud Internet does not only raise share of CNP transactions 1990s web designers worried that network attacker could eavesdrop credit card payments and steal cards So SSL/TLS was born Banks pushed SET, which was more secure but never took off Network attacker stealing individual CC#s is rare

How the Internet has Changed the Nature of Card Fraud Real threat to card fraud from Internet Phishing and social engineering make large-scale credential theft from consumers scalable Cybercriminals targeted merchant systems and databases to steal card data en masse, then sold in underground marketplaces online Regulators and banks have tried (with mixed success) to combat phishing Card networks established PCI DSS to raise operational security at merchants

PCI DSS Payment Card Industry Data Security Standard Standard that is applied to: Merchants Service Providers (third-party vendor, gateways) Systems (Hardware, software) That: Stores cardholder data Transmits cardholder data Processes cardholder data Applies to: Electronic Transactions Paper Transactions Slide from Gregory Dove, Cal State

Slide from Gregory Dove, Cal State PCI DSS Exempt Myth All merchants are subject to the standard and to card association rules (No exemption provided to anyone) Immunity does not apply because Requirement is contractual - not regulatory or statutory Card associations can be selective who they provide services to Merchants accept services on a voluntary basis Merchants agree to abide by association rules when they execute e-merchant bank agreement Acquiring banks are prohibited by association rules from indemnifying a merchant for non-compliance Slide from Gregory Dove, Cal State

PCI DSS Requirements

Req. 1: Install & maintain firewall to protect cardholder data Must identify all connections between systems touching cardholder data and other networks Any such connection must be documented by business justification and technical description of configuration Diagram all cardholder data flows across systems and networks Review and revise every 6 months

Data Restriction Requirements Merchants may not store “sensitive authentication data after authorization”, including: Security code (CVV) Mag-strip data PINs

Req. 3: Protect stored cardholder data 3.1: Limit storage and retention time 3.2: Do not store authentication data after authorization (even if encrypted) 3.3: Hide all but last 4 or first 6 digits of PAN from all employees unless “business need” 3.4: Make PAN unreadable anywhere stored (use hash functions or tokens)

Req. 3: Protect stored cardholder data

Merchant Levels and Compliance Large (level 1 and 2 merchants) must be assessed by 3rd-party validation services Small (level 3 and 4 merchants) may self-assess

Fines Fines for non-compliance Fines following breach Month Level 1 Level 2 1 to 3 $10,000 per month $5,000 per month 4 to 6 $50,000 per month $25,000 per month 7+ $100,000 per month $50,000 per mont Fines following breach $50-90 per account compromised Prohibition from accepting credit cards Fines levied on acquiring banks, who pass the fines onto merchants

Compliance != Security Most large merchants are PCI compliant Compliance rates have increased over time Yet data breaches have increased 1,343 US data breaches in 2014 vs. 600 in 2009 512M records exposed in 2014 vs. 200M in 2009 Many of the largest breaches have occurred at PCI compliant merchants Breached companies can be found out-of-compliance retroactively Dulls incentive to become PCI compliant at all

Acquiring Banks’ Duty to Monitor PCI rules oblige acquiring banks to monitor merchants for compliance with requirements Yet the incentive for acquirers to monitor their merchant customers is very weak Typical merchant-acquirer contracts make merchants responsible for fines

Efforts to improve CNP e-commerce payments Given that securing card data is hard, it is likely that CNP fraud will continue so long as PAN, expiry and CVV can be used to make purchases Multi-factor authentication can mitigate card fraud One-time passwords texted to customer Card networks’ attempt: 3D Secure

3D Secure Password-augmented authentication Cardholders register a password with issuer Provides password to issuer at checkout for participating merchants

3D Secure

UK and France have seen success with 3D Secure By 2008, many card issuers agreed to accept fraud liability if merchants used 3DS for Internet sales By 2013, 95% of cardholders could use 3DS and 43% of merchants use it UK Simplified system to reduce cart abandonment 70% of merchants there now use 3DS

Fraud Loss Rate on Internet Transactions in UK and France

Issues with 3D Secure Authenticating a user on 1st use can be weak Date of birth, billing ZIP, last 4 digits SSN This data is often stolen Design often embeds the form as an iframe Very difficult for customer to know which site is requesting credentials Doesn’t help that frequently the iframe loads content from obscure sites like securesuite.co.uk Phishing attacks now regularly impersonate 3DS Some UK banks have used 3DS to shift liability to consumer

Conclusion (1) Credit card liability rules drive security practices Card-present fraud: issuer pays Card-not-present fraud: merchant pays Cardholder: doesn’t pay (in US) Credit card fraud and the Internet Phishing and malware are powerful vectors to steal card information Infiltrating merchant systems can steal millions of cards, cash out via underground marketplaces online

Conclusion (2) PCI DSS is a compliance regime Set up by credit card networks Goal is to improve merchant security and prevent large card thefts Mixed bag on effectiveness Improving authentication in CNP transactions 3D Secure (adding password) helps But beware: design is clunky, vulnerable to phishing, and can be used to shift liability