Card Data Fraud.


1 Card Data Fraud

2 External Compromise and Trends
The theft of card data (hacking) has been increasing over the last few years and has been one of the main reasons for the introduction of PCI DSS. However, PCI has meant that the methods used have changed and become more technical. At first the targets were large holders of card data, such as processors in the US. Attacks were often against both live and test systems, as the companies were using large volumes of live data to test.
January 19 Caribbean Electronic Payments LLC

3 External Compromise and Trends
Targets have included:
- Processors: Heartland, CardSystems Solutions Inc
- Banks: JP Morgan Chase, BNY Mellon
- Retailers: TJ Maxx, AOL, Home Depot, Sony
- Governments: US Military, Greek Government
The card data lost often ran into the millions:
- 130 million: Heartland
- 94 million: TJ Maxx

4 The Underground Fraud Market
- These details would be sold on the underground and dark web to crooks – anybody.
- Call centres would sell spreadsheets of data at the gates of the centre in India.
- Any data stolen can be sold. Even if the price was a dollar a number, that’s a lot of money when you have stolen 94 million.

5 Top Attack Vectors
- Originally: large unencrypted databases with poor firewalls.
- Later breaches, after databases had been encrypted, used SQL sniffers to identify when data was in the clear for customer service calls.

6 Prevention through Simple Controls
The rules applied via PCI DSS are simple and could have been used 25 years ago:
- Encrypted databases
- Secure networks and firewalls
- Sensitive data encrypted at source – tokenisation
- Sensitive data not retained by retailer, processor, card scheme, etc.

