Credit Card Data Security


1 Credit Card Data Security
CS7403, University of Tulsa Tyler Moore

2 Agenda
- How the Internet has changed credit card fraud
- The quest to secure credit card data: PCI DSS
- Efforts to improve CNP e-commerce payments

3 Credit Card Networks

4 Credit Card Fraud Pre-Internet
Card-present fraud
- Criminals created counterfeit cards using copied magstripe details
- Card-based countermeasures: CVVs, then EMV
- Network-based countermeasures
  - Terminal maintains a hot card list of stolen card #s
  - Merchant floor limits: any transaction over this limit requires online/phone authorization to the card network

5 Card Fraud is Cyclical
UK Card Fraud, Source: UK Payments Administration

6 Credit-card Fraud Pre-Internet
Card-not-present transactions
- Mail-order and telephone-order transactions
- Higher risk because the criminal only needs the CC# and expiry to carry out fraud, not to load them onto a card
Liability rules set by card networks for mag-stripe cards
- Regulations limit cardholder liability for fraud
- Card-present fraud: issuer pays
- Card-not-present fraud: merchant pays
- Once commerce moves online, the burden for fraud shifts from issuers to merchants

7 Recall: Shift from Card-Present to CNP Fraud following EMV deployment
UK Card Fraud, Source: UK Payments Administration

8 How the Internet has Changed the Nature of Card Fraud
- The Internet does not only raise the share of CNP transactions
- 1990s web designers worried that a network attacker could eavesdrop on credit card payments and steal cards
  - So SSL/TLS was born
  - Banks pushed SET, which was more secure but never took off
- A network attacker stealing individual CC#s is rare

9 How the Internet has Changed the Nature of Card Fraud
Real threat to card fraud from the Internet
- Phishing and social engineering make large-scale credential theft from consumers scalable
- Cybercriminals targeted merchant systems and databases to steal card data en masse, then sold it in underground marketplaces online
- Regulators and banks have tried (with mixed success) to combat phishing
- Card networks established PCI DSS to raise operational security at merchants

10 PCI DSS: Payment Card Industry Data Security Standard
Standard that is applied to:
- Merchants
- Service providers (third-party vendors, gateways)
- Systems (hardware, software)
that:
- Store cardholder data
- Transmit cardholder data
- Process cardholder data
Applies to:
- Electronic transactions
- Paper transactions
Slide from Gregory Dove, Cal State

11 PCI DSS Exempt Myth
- All merchants are subject to the standard and to card association rules (no exemption provided to anyone)
- Immunity does not apply because:
  - The requirement is contractual, not regulatory or statutory
  - Card associations can be selective about who they provide services to
  - Merchants accept services on a voluntary basis
  - Merchants agree to abide by association rules when they execute an e-merchant bank agreement
  - Acquiring banks are prohibited by association rules from indemnifying a merchant for non-compliance
Slide from Gregory Dove, Cal State

12 PCI DSS Requirements

13 Req. 1: Install & maintain firewall to protect cardholder data
- Must identify all connections between systems touching cardholder data and other networks
- Any such connection must be documented with a business justification and a technical description of its configuration
- Diagram all cardholder data flows across systems and networks
- Review and revise every 6 months

14 Data Restriction Requirements
Merchants may not store "sensitive authentication data after authorization", including:
- Security code (CVV)
- Mag-stripe data
- PINs

15 Req. 3: Protect stored cardholder data
- 3.1: Limit storage and retention time
- 3.2: Do not store authentication data after authorization (even if encrypted)
- 3.3: Hide all but the last 4 or first 6 digits of the PAN from all employees unless there is a "business need"
- 3.4: Make the PAN unreadable anywhere it is stored (use hash functions or tokens)
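The data-restriction rules on slides 14 and 15 are easier to see in code. The following is an added example, not code from the lecture or from the PCI standard: it strips sensitive authentication data from an authorized transaction, masks the PAN to first 6 / last 4, and replaces the PAN with a keyed hash. The field names and the key are constructed for illustration.

```python
import hashlib
import hmac

# Field names are constructed for this example; they stand in for whatever a
# merchant's order record actually uses.
SENSITIVE_AUTH_FIELDS = {"cvv", "track_data", "pin", "pin_block"}  # Req. 3.2: never stored

def luhn_valid(pan: str) -> bool:
    """Luhn check digit; catches mistyped PANs, says nothing about fraud."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Req. 3.3: display at most the first 6 and last 4 digits."""
    if not 13 <= len(pan) <= 19 or not pan.isdigit():
        raise ValueError("PAN must be 13-19 digits")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def tokenize_pan(pan: str, key: bytes) -> str:
    """Req. 3.4: replace the PAN with a keyed hash (HMAC-SHA256).
    An unkeyed hash is not enough: with the masked PAN stored next to it,
    only the hidden middle digits are unknown, so a plain SHA-256 of the PAN
    can be brute-forced offline. The key must live outside the database."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()

def sanitize_for_storage(record: dict, key: bytes) -> dict:
    """Return the subset of an authorized transaction that may be retained."""
    pan = record["pan"].replace(" ", "")
    if not luhn_valid(pan):
        raise ValueError("PAN fails Luhn check")
    kept = {k: v for k, v in record.items()
            if k not in SENSITIVE_AUTH_FIELDS and k != "pan"}
    kept["pan_masked"] = mask_pan(pan)            # what staff and receipts may see
    kept["pan_token"] = tokenize_pan(pan, key)    # links refunds/repeat customers
    return kept

if __name__ == "__main__":
    # Constructed sample using the well-known test PAN, not a real card.
    order = {"pan": "4111 1111 1111 1111", "cvv": "123", "expiry": "12/27", "amount": 42.0}
    print(sanitize_for_storage(order, key=b"example-key-kept-in-hsm-or-vault"))
```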

16 Req. 3: Protect stored cardholder data

17 Merchant Levels and Compliance
- Large (level 1 and 2) merchants must be assessed by third-party validation services
- Small (level 3 and 4) merchants may self-assess

18 Fines
Fines for non-compliance:

Month   | Level 1            | Level 2
1 to 3  | $10,000 per month  | $5,000 per month
4 to 6  | $50,000 per month  | $25,000 per month
7+      | $100,000 per month | $50,000 per month

Fines following breach:
- $50-90 per account compromised
- Prohibition from accepting credit cards
- Fines levied on acquiring banks, who pass the fines on to merchants

19 Compliance != Security
- Most large merchants are PCI compliant
- Compliance rates have increased over time
- Yet data breaches have increased
  - 1,343 US data breaches in 2014 vs. 600 in 2009
  - 512M records exposed in 2014 vs. 200M in 2009
- Many of the largest breaches have occurred at PCI compliant merchants
  - Breached companies can be found out-of-compliance retroactively
  - Dulls the incentive to become PCI compliant at all

20 Acquiring Banks’ Duty to Monitor
- PCI rules oblige acquiring banks to monitor merchants for compliance with the requirements
- Yet the incentive for acquirers to monitor their merchant customers is very weak
- Typical merchant-acquirer contracts make merchants responsible for fines

21 Efforts to improve CNP e-commerce payments
- Given that securing card data is hard, it is likely that CNP fraud will continue so long as PAN, expiry and CVV can be used to make purchases
- Multi-factor authentication can mitigate card fraud
  - One-time passwords texted to the customer
  - Card networks' attempt: 3D Secure

22 3D Secure
Password-augmented authentication
- Cardholders register a password with the issuer
- Cardholder provides the password to the issuer at checkout for participating merchants

23 3D Secure

24 UK and France have seen success with 3D Secure
France
- By 2008, many card issuers agreed to accept fraud liability if merchants used 3DS for Internet sales
- By 2013, 95% of cardholders could use 3DS and 43% of merchants use it
UK
- Simplified system to reduce cart abandonment
- 70% of merchants there now use 3DS

25 Fraud Loss Rate on Internet Transactions in UK and France

26 Issues with 3D Secure
- Authenticating a user on first use can be weak
  - Date of birth, billing ZIP, last 4 digits of SSN
  - This data is often stolen
- Design often embeds the form as an iframe
  - Very difficult for the customer to know which site is requesting credentials
  - Doesn't help that the iframe frequently loads content from obscure sites like securesuite.co.uk
- Phishing attacks now regularly impersonate 3DS
- Some UK banks have used 3DS to shift liability to the consumer

27 Conclusion (1)
Credit card liability rules drive security practices
- Card-present fraud: issuer pays
- Card-not-present fraud: merchant pays
- Cardholder: doesn't pay (in US)
Credit card fraud and the Internet
- Phishing and malware are powerful vectors to steal card information
- Infiltrating merchant systems can steal millions of cards, cashed out via underground marketplaces online

28 Conclusion (2)
PCI DSS is a compliance regime
- Set up by credit card networks
- Goal is to improve merchant security and prevent large card thefts
- Mixed bag on effectiveness
Improving authentication in CNP transactions
- 3D Secure (adding a password) helps
- But beware: the design is clunky, vulnerable to phishing, and can be used to shift liability
