What to Do if Compromised


What to Do if Compromised
Liberty Picataggio, First Data Merchant Services
October 30, 2012

What Is A Data Breach?
A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so. Data breaches may involve financial information such as credit card or bank details and/or personal information.

How Do Data Breaches Occur?
81% utilized some form of hacking (+31%)
69% incorporated malware (+20%)
10% involved physical attacks (-19%)
7% employed social tactics (-4%)
5% resulted from privilege misuse (-12%)
Data from Verizon’s 2012 Data Breach Investigations Report

Who Is Behind Data Breaches?
98% stemmed from external agents (+6%)
4% implicated internal employees (-13%)
<1% committed by business partners (<>)
58% of all data theft tied to activist groups
Data from Verizon’s 2012 Data Breach Investigations Report

What Information Do They Want?
Magnetic Stripe Data
PIN / PIN Block
Primary Account Number
Expiration Date
Cardholder Verification Number (CVN): Visa (CVV2), MasterCard (CVC2), Discover/Amex (CID)

Protecting Cardholder Data in Accordance with PCI Standards

Category Of Stolen Information
Of the total amount of records reported in Verizon’s 2012 report (855 incidents, 174 million compromised records):
83% were payment card data/numbers.
13% were bank account data.
4% were personal information.
<1% other.
Data from Verizon’s 2012 Data Breach Investigations Report

What Commonalities Exist?
79% of victims were targets of opportunity.
96% of attacks were not highly difficult.
85% of breaches took weeks to discover.
92% of incidents were discovered by a 3rd party.
97% of breaches were easily avoidable.
96% of victims were not PCI compliant.
Data from Verizon’s 2012 Data Breach Investigations Report

What Does This Mean?
The merchant/vendor was not PCI compliant.
Most breaches could have been easily prevented.
Self-detection identified attacks an average of 43 days after initial compromise.
When not self-detected, the attackers had an average of 173 days within the environment before being detected.
Data from Verizon’s 2012 Data Breach Investigations Report

Some Signs Of A Breach
Unknown or unexpected outgoing internet traffic.
Unknown files, software and devices installed.
Anti-virus programs malfunctioning or becoming disabled.
Unexplained modifications or deletions of data.
Excessive failed login attempts in system authentication and event logs.
Suspicious after-hours file system activity.
Systems rebooting or shutting down for unknown reasons.
Unexplained new user accounts.
Any unknown or unexpected activity.
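Several of the signs on this slide can be pulled out of ordinary authentication and event logs rather than waiting for a third party to report fraud. The script below is an added illustration, not the presenter's or First Data's code: it reads a constructed, syslog-like log and flags password-guessing bursts, new user accounts, after-hours file writes and outbound connections to destinations the POS has no business reaching. The log layout, the failure threshold, the business-hours window and the allow-list of expected destinations are all assumptions a merchant would tune to their own environment.

```python
"""Check POS/server logs for the breach indicators named on the slide.
Added example with a constructed log format; thresholds, business hours and
the egress allow-list are assumptions, not vendor or card-brand values."""
import re
from collections import Counter
from datetime import datetime

FAILED_LOGIN_THRESHOLD = 5      # failures per (host, user, source IP) before alerting (assumed)
BUSINESS_HOURS = range(8, 21)   # 08:00-20:59 local time counts as business hours (assumed)
EXPECTED_EGRESS = frozenset({"192.0.2.50"})  # constructed: the payment gateway the POS should reach

# Constructed sample lines: a password-guessing burst, a new account, an
# after-hours write in the POS directory and an outbound connection from /tmp.
SAMPLE_LOG = """\
2012-10-29 09:12:01 pos-01 sshd: Failed password for admin from 203.0.113.7
2012-10-29 09:12:03 pos-01 sshd: Failed password for admin from 203.0.113.7
2012-10-29 09:12:05 pos-01 sshd: Failed password for admin from 203.0.113.7
2012-10-29 09:12:07 pos-01 sshd: Failed password for admin from 203.0.113.7
2012-10-29 09:12:09 pos-01 sshd: Failed password for admin from 203.0.113.7
2012-10-29 09:12:11 pos-01 sshd: Failed password for admin from 203.0.113.7
2012-10-29 09:12:15 pos-01 sshd: Accepted password for admin from 203.0.113.7
2012-10-29 09:13:00 pos-01 useradd: new user: name=svc_upd, UID=1004
2012-10-29 14:30:00 pos-02 sshd: Failed password for clerk from 192.0.2.10
2012-10-30 02:41:22 pos-01 fs: file written /opt/pos/track.dat by svc_upd
2012-10-30 02:41:30 pos-01 net: outbound connection to 198.51.100.9:443 by /tmp/upd.exe
2012-10-30 11:05:00 pos-02 fs: file written /opt/pos/sales.db by clerk
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\w+): (.*)$")
FAILED_RE = re.compile(r"Failed password for (\S+) from (\S+)")
NEWUSER_RE = re.compile(r"new user: name=(\S+),")
FS_RE = re.compile(r"file written (\S+) by (\S+)")
NET_RE = re.compile(r"outbound connection to (\S+):(\d+) by (\S+)")


def parse_line(line):
    """Split one line into (timestamp, host, source program, message); None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(3), m.group(4)


def find_indicators(log_text):
    """Return (indicator, host, detail) tuples in the order each indicator is first seen."""
    findings = []
    failed = Counter()
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, host, _source, msg = parsed
        if m := FAILED_RE.search(msg):
            key = (host, m.group(1), m.group(2))
            failed[key] += 1
            if failed[key] == FAILED_LOGIN_THRESHOLD:   # alert once, when the threshold is crossed
                findings.append(("excessive_failed_logins", host, f"{m.group(1)} from {m.group(2)}"))
        elif m := NEWUSER_RE.search(msg):
            findings.append(("new_user_account", host, m.group(1)))
        elif (m := FS_RE.search(msg)) and ts.hour not in BUSINESS_HOURS:
            findings.append(("after_hours_file_activity", host,
                             f"{m.group(1)} by {m.group(2)} at {ts:%H:%M}"))
        elif (m := NET_RE.search(msg)) and m.group(1) not in EXPECTED_EGRESS:
            findings.append(("unexpected_outbound_traffic", host,
                             f"{m.group(3)} -> {m.group(1)}:{m.group(2)}"))
    return findings


if __name__ == "__main__":
    for indicator, host, detail in find_indicators(SAMPLE_LOG):
        print(f"{indicator:28s} {host:8s} {detail}")
```

The failed-login rule fires once per (host, user, source) when the count reaches the threshold, so a single burst produces one alert rather than one per attempt; the later successful login from the same address is the line an analyst would then want to look at, which is why the log should be preserved rather than cleaned up.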

How To Minimize The Potential For A Data Breach
Ensure your POS environment remains PCI compliant. This includes, but is not limited to:
Make sure firewalls and antivirus are updated regularly.
Change administrative passwords on all POS systems.
Continually upgrade to PCI compliant software.
Implement access control lists on remote access services.
If a 3rd party is handling any of the above, confirm it.
Avoid using the POS system to browse the internet.
Change default credentials of all POS systems.
Eliminate unnecessary data on your system.
Ensure essential controls are met.
Verify that any 3rd party vendor is compliant.
Monitor event logs.
Again: ensure your POS environment is PCI compliant and that you validate compliance.
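"Eliminate unnecessary data on your system" is hard to act on without knowing where the data attackers want (PANs, track data) is actually sitting. The scanner below is an added example, not the presenter's code: it searches text for Luhn-valid primary account numbers and for ISO/IEC 7813 track 1 and track 2 layouts, and reports every hit masked to the first six and last four digits so the scan output is not itself a new copy of cardholder data. The file names and contents are constructed and use the industry's published test card numbers.

```python
"""Find stored card data that should not be retained: Luhn-valid PANs and
magnetic-stripe track 1/track 2 data. Added example; file names and contents
below are constructed and use published test card numbers."""
import re

# Track layouts follow ISO/IEC 7813: track 1 is %B<PAN>^<NAME>^<YYMM...>?, track 2 is ;<PAN>=<YYMM...>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^?]{2,26}\^[^?]*\?")
TRACK2_RE = re.compile(r";(\d{13,19})=[^?]*\?")
# A bare PAN: 13 to 19 digits, optionally separated by single spaces or hyphens, not adjacent to other digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

SAMPLE_FILES = {  # constructed sample content
    "receipts.log": "2012-10-29 sale 19.99 card 4111 1111 1111 1111 exp 12/14\n",
    "debug.txt": "order 1234567890 ref 4111111111111112 status ok\n",  # fails Luhn: not a PAN
    "swipe_cache.dat": "%B5555555555554444^DOE/JANE^14121011000000000?;5555555555554444=14121011000000?\n",
}


def luhn_ok(digits):
    """Luhn check-digit validation, the checksum every PAN must satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(pan):
    """PCI-style masking: keep only the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_text(source, text):
    """Return findings for one blob: track data first, then PANs not already inside a track."""
    findings, covered = [], []
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(text):
            findings.append({"source": source, "kind": kind, "pan": mask(m.group(1))})
            covered.append(m.span())
    for m in PAN_RE.finditer(text):
        if any(start <= m.start() < end for start, end in covered):
            continue  # already reported as part of a track
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings.append({"source": source, "kind": "pan", "pan": mask(digits)})
    return findings


def scan_files(files):
    """Scan a mapping of name -> text and return all findings in file order."""
    out = []
    for name, text in files.items():
        out.extend(scan_text(name, text))
    return out


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['source']:16s} {f['kind']:7s} {f['pan']}")
```

Track data found anywhere outside the moment of authorization is the finding to escalate: PCI DSS never permits storing it after authorization, and its presence on a POS is exactly what the skimming-versus-POS-breach question in the incident report turns on. The Luhn filter removes most order and reference numbers, but a 16-digit order number can still pass it, so hits deserve a manual look before deletion.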

What To Have In Place Prior To A Compromise
Create an action plan on what to do if you are breached.
Practice that plan periodically.
Have a list of all relevant contacts, emails, numbers, etc.
Have a potential agreement with forensic firms already prepared.
Identify all third parties that touch, store or transmit card data on your behalf.
Be familiar with your vendor agreements to understand your/their responsibilities in regards to PCI compliance and breach notification.
Have an alternative payment solution available in case of a breach (dial-up terminals, etc.).
Pay attention to customer/staff complaints of subsequent cardholder fraud.

What To Do If Compromised
1. Immediately contain and limit the exposure. Minimize data loss.
Do not access or alter the compromised system. Do not log on to the compromised system and do not change passwords.
Do not turn the compromised system off; just isolate the compromised system from the network (unplug the network cable).
Switch to dial-up terminals until the breach is remediated.
Preserve evidence and logs.
Document all actions taken.
Be on high alert and monitor traffic on all systems with cardholder data.
2. Alert all necessary parties immediately.
Your internal incident response team and Information Security group.
Your merchant bank/acquirer. If you do not know your merchant bank/acquirer, notify the Card Brands immediately.
Notify the appropriate law enforcement agency (local police, Secret Service, FBI).
Your legal counsel.
Data from Visa’s What to Do If Compromised: Fraud Control and Investigative Procedures, Version 3.0

What To Do If Compromised
3. Within 3 business days of the compromise, provide a written statement of the incident to the Card Brands, via your merchant bank/acquirer or yourself.
4. Provide all compromised cards to your merchant bank/acquirer within 10 days.

What To Do If Compromised
5. The incident report should be as detailed as possible and include the following information, as well as any other relevant information specific to the breach:
Name of entity.
How did the compromise occur?
When and how was it identified?
Has the compromise been contained? If so, how?
What Card Brands are involved?
How many cards are at risk?
What is the at-risk time frame of the compromised cards?
What type of data was stolen (account #, expiry date, track data, CVV2, PIN, SS#, etc.)?
Are any other locations/affiliated companies affected?
Was law enforcement contacted? If so, provide contact info and case #.
If the breach was employee related, what is the status of the employee (terminated, still employed, arrested)?
Is it a skimming event or an actual breach of the POS system?
Type of POS system.

What To Do If Compromised
6. Once the Card Brands receive the incident report, they will review it and then notify the acquiring bank of their recommendation and/or mandatory next steps, including:
Merchant provides a more detailed questionnaire.
Merchant provides PCI validation documentation.
Merchant engages a Card Brand approved forensic examination.
Merchant bank provides the Card Brands all possible compromised card numbers to be canceled or monitored for fraud.
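Steps 1 through 5 above are a procedure with clocks attached: every action must be documented, the written statement is due within 3 business days, the compromised card list within 10 days, and the report has a fixed list of questions. The following is an added example, not Visa's or First Data's procedure code, that turns those three things into a timestamped action log, a deadline calculator and a completeness check on the report. It assumes business days are Monday to Friday with no holiday calendar, and the sample incident it carries is constructed.

```python
"""Support for Steps 1-5 of the response procedure: an append-only action log,
the Step 3 and Step 4 deadlines, and a check for the Step 5 report fields.
Added example; the business-day rule (Mon-Fri, no holidays) and the sample
incident are assumptions."""
from datetime import date, datetime, timedelta

# One key per question on the Step 5 slide, in slide order.
REPORT_FIELDS = (
    "entity_name", "how_compromise_occurred", "when_how_identified",
    "contained_and_how", "card_brands_involved", "cards_at_risk",
    "at_risk_time_frame", "data_types_stolen", "other_locations_affected",
    "law_enforcement_contacted", "employee_status_if_employee_related",
    "skimming_or_pos_breach", "pos_system_type",
)


def add_business_days(start, days):
    """Advance `start` by `days` business days (Mon-Fri; assumption: no holidays)."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            days -= 1
    return current


def deadlines(compromise_date):
    """Step 3: written statement within 3 business days; Step 4: compromised cards within 10 days."""
    return {
        "written_statement_due": add_business_days(compromise_date, 3),
        "compromised_cards_due": compromise_date + timedelta(days=10),
    }


def missing_fields(report):
    """Return the Step 5 fields that are absent or blank, in slide order."""
    return [f for f in REPORT_FIELDS if not str(report.get(f, "")).strip()]


class ActionLog:
    """Timestamped record of every action taken (Step 1), kept append-only for the forensic examiner."""

    def __init__(self):
        self.entries = []

    def record(self, actor, action, when=None):
        when = when or datetime.now()
        self.entries.append({"when": when, "actor": actor, "action": action})
        return len(self.entries)

    def as_text(self):
        return "\n".join(f"{e['when']:%Y-%m-%d %H:%M} {e['actor']}: {e['action']}" for e in self.entries)


# Constructed sample incident; two Step 5 answers are still missing.
SAMPLE_COMPROMISE_DATE = date(2012, 10, 30)
SAMPLE_REPORT = {
    "entity_name": "Example Retail LLC",
    "how_compromise_occurred": "remote access service still using default credentials",
    "when_how_identified": "2012-10-30, acquirer notification after issuer fraud reports",
    "contained_and_how": "yes, POS network cable unplugged, dial-up terminals in use",
    "card_brands_involved": "Visa, MasterCard",
    "cards_at_risk": 1200,
    "at_risk_time_frame": "2012-09-15 to 2012-10-30",
    "data_types_stolen": "track data",
    "other_locations_affected": "no",
    "law_enforcement_contacted": "",
    "employee_status_if_employee_related": "not employee related",
    "skimming_or_pos_breach": "POS system breach",
    "pos_system_type": "",
}

if __name__ == "__main__":
    log = ActionLog()
    log.record("store manager", "isolated pos-01 from the network", datetime(2012, 10, 30, 10, 5))
    log.record("store manager", "notified acquirer and legal counsel", datetime(2012, 10, 30, 10, 40))
    print(log.as_text())
    print(deadlines(SAMPLE_COMPROMISE_DATE))
    print("missing:", missing_fields(SAMPLE_REPORT))
```

For a compromise dated Tuesday, 30 October 2012 the written statement falls due Friday, 2 November and the card list on 9 November; the completeness check would hold the report back until the law-enforcement contact and POS system type are filled in, which is cheaper than having the Card Brands send back a more detailed questionnaire.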

Forensic Examination
If a forensic examination is required by the Card Brands, the merchant may only utilize an approved Payment Card Industry Forensic Investigator (PFI).
If the merchant’s third party vendor is the suspected source of the compromise, the merchant will be responsible for ensuring the engagement of the forensic examiner.
The Card Brands typically do not accept forensic reports from other parties, including the Secret Service.
It is the compromised entity’s responsibility to pay for the cost of the forensic examination (including travel/boarding costs).
For a list of PFIs go to: https://www.pcisecuritystandards.org/approved_companies_providers/pci_forensic_investigator.php

Potential Financial Impact To Compromised Merchant
Forensic examination.
Remediation efforts, including installation of new systems and procedures.
Fines and penalties from Card Brands.
Termination of the ability to accept payment cards.
Legal settlements.
Loss of customer/public confidence.
Loss of business.

Data Compromise Fines
Visa:
1. Non-Compliance Fines.
2. ADCR (Account Data Compromise Recovery). Must be over 15,000 cards and over $150,000 in reported fraud. Comprised of Operating Expenses and Fraud Recovery fines.
MasterCard:
Non-Compliance Fines.
Case Management Fees.
ADC (Account Data Compromise). Must be over 10,000 cards (no minimum reported fraud amount).

Typical Data Compromise Identification
Cardholder realizes fraud on his/her card.
Cardholder notifies their issuing bank.
Issuing bank notifies the Card Brands.
The Card Brands notify the merchant’s acquirer.
The acquirer notifies the merchant.
The Card Brands may require a forensic exam.
Merchant needs to address and remediate.
Merchant needs to validate PCI compliance.
Card Brands assess fines. And some really large fines.

Validating PCI Compliance
Any merchant that accepts credit cards needs to be PCI compliant in accordance with PCI DSS (Payment Card Industry Data Security Standards). To validate PCI compliance the merchant needs to provide the following:
Self Assessment Questionnaire (SAQ) or Report of Compliance (ROC).
Vulnerability Scan (if applicable).
Attestation of Compliance.
Information regarding PCI can be found at https://www.pcisecuritystandards.org/merchants/index.php

Merchant Level and Validation Requirements

PCI DSS Goals and Requirements
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs.
6. Develop and maintain secure systems and applications.
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel.

Card Brand Websites
The PCI SSC sets the PCI security standards, but each Card Brand has its own program for compliance, validation levels and enforcement. More information about compliance can be found at these links:
American Express: www.americanexpress.com/datasecurity
Discover Financial Services: www.discovernetwork.com/fraudsecurity/disc.html
JCB International: www.jcb-global.com/english/pci/index.html
MasterCard Worldwide: www.mastercard.com/sdp
Visa, Inc: www.visa.com/cisp

Web Resources
PCI Security Standards Council Web site, including Frequently Asked Questions (FAQs): www.pcisecuritystandards.org
PCI SSC approved applications and devices
Payment Applications: www.pcisecuritystandards.org/approved_companies_providers/validated_payment_applications.php
PCI Data Security Standard (PCI DSS)
The Standard: https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf
Supporting Documents: https://www.pcisecuritystandards.org/security_standards/documents.php
Approved Assessors and Scanning Vendors: https://www.pcisecuritystandards.org/approved_companies_providers/index.php
Navigating the Standard: https://www.pcisecuritystandards.org/documents/navigating_dss_v20.pdf
Self-Assessment Questionnaire: https://www.pcisecuritystandards.org/merchants/self_assessment_form.php
Glossary: https://www.pcisecuritystandards.org/security_standards/glossary.php
Approved QSAs: https://www.pcisecuritystandards.org/approved_companies_providers/qualified_security_assessors.php
Approved ASVs: https://www.pcisecuritystandards.org/approved_companies_providers/approved_scanning_vendors.php
Verizon’s 2012 Data Breach Investigations Report: http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf
Visa’s What to Do if Compromised: http://usa.visa.com/download/merchants/cisp_what_to_do_if_compromised.pdf

In Summary
Understand what PCI is.
Be prepared in case you are compromised.
Have a back-up plan in place.
Ensure you validate and remain PCI compliant.
Don’t think it can’t happen to you.

Questions?