Our System - Food and Fuel Expo

Transcript: Our System - Food and Fuel Expo

© Worldpay 2014. All rights reserved.
The Next Target: Shifting Liabilities & Merchant Compliance Under New Credit Card Rules
Agenda
• What is PCI?
• The Costs of a Data Breach
• The Target Breach
• Security Products to Mitigate Risk
• EMV – What Is It?
• Preparing For EMV Now
• Apple Pay Digital Payments
What is PCI?
PCI Stands for “Payment Card Industry”
• Shorthand for “PCI DSS” – Payment Card Industry Data Security Standard
• Data security requirements for all credit- and debit-card accepting merchants
• Created by a payments industry group dedicated to securing sensitive cardholder information
• More information at https://www.pcisecuritystandards.org/
What is PCI?
PCI Requirements (see https://www.pcisecuritystandards.org )
1. Build and Maintain a Secure Network
• Requirement 1: Install and maintain a firewall configuration to protect cardholder data
• Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
2. Protect Cardholder Data
• Requirement 3: Protect stored cardholder data
• Requirement 4: Encrypt transmission of cardholder data across open, public networks
3. Maintain Vulnerability Mgmt Program
• Requirement 5: Use and regularly update anti-virus software
• Requirement 6: Develop and maintain secure systems and applications
4. Implement Strong Access Control Measures
• Requirement 7: Restrict access to cardholder data by business need-to-know
• Requirement 8: Assign a unique ID to each person with computer access
• Requirement 9: Restrict physical access to cardholder data
5. Regularly Monitor and Test Networks
• Requirement 10: Track and monitor all access to network resources and cardholder data
• Requirement 11: Regularly test security systems and processes
6. Maintain an Information Security Policy
• Requirement 12: Maintain a policy that addresses information security
Can You Afford the Cost of a Data Breach?
Breaches Affect Businesses in Many Ways
• Brand Risk
  – A data breach can negatively impact reputation
  – Local media looking for events to report
  – 47 States require public notification of a breach
• Operational Risk
  – Card association-imposed operational restrictions
  – Potential loss of card processing privileges
  – Involvement of law enforcement (FBI, Secret Service); quarantining of affected systems
Can You Afford the Cost of a Data Breach?
Breaches Affect Businesses in Many Ways
• Financial Risk
  – Forensic investigation fees of $10,000 - $25,000
  – Payment network fines of $5,000 - $600,000 per data breach event
  – Monthly non-compliance fees from the payment card associations
  – Civil liability
  – Acquirers can pass on association fines for non-compliance to merchants
  – Cardholder and issuer reimbursement, fraud-related chargebacks
  – Average cost for small business merchant is $85,000
The Target Breach
A National Retailer Has Paid The Price
Announced in December 2013: 40MM+ Cards Compromised
• Sophisticated RAM scraper; access gained via compromised vendor logins
• In the quarter following the breach:
  – Transactions down 5.5%
  – $61MM in breach related expenses 1Q2014; $148MM in 2Q2014
  – Issuers spent over $200MM
  – D&O Lawsuits; CIO and CEO replaced
  – Satisfaction with Target down 9% in a Consumer Tracking Survey
Sources: Wall Street Journal, February 18, 2014; Wall Street Journal, February 26, 2014; Wall Street Journal, August 5, 2014; MarketWatch.com, April 2, 2014
The Threat Is to Everyone
Breaches Occur at Merchants Large and Small
• In 2013 alone, Basha’s, Sprouts, Schnuck’s, Raley’s, Harbor Freight, and Nordstrom also victimized
• 76% of breaches at businesses < 1000 employees
• 99% of POS intrusions in areas covered by PCI
• 99% of intrusions discovered externally
• 51% occurred within seconds
• 88% exfiltrations within minutes
• 85% discovery took weeks
“Such [criminal] groups… eat POSs like yours for breakfast, then wash ‘em down with a shot of vodka.”
Industries most victimized by POS Intrusions: restaurants, hotels, grocery, and other brick-and-mortar
Sources: Verizon 2014 Data Breach Investigations Report
Security Products to Mitigate Risk
Industry Tools to Help Protect You and Your Customers
• End-to-End Encryption
  – Reduces PCI scope by eliminating usable cardholder data from the POS applications, networks and servers
  – Even if compromised, bad guys won’t get usable information
• Online PCI Evaluation/Attestation Tools
  – Ease understanding of requirements
  – Highlight areas of concern
• Managed Firewall Services
  – Lock down your network
  – Identify and repel external intrusions AND exfiltrations
Security Products to Mitigate Risk
End-to-End Encryption – VeriShield Protect
Card Present Transaction Flow (diagram labels): MX or Vx Terminal; Integrated POS; WorldPay Stratus; VeriShield Protect Decryption Service; Associations and Issuers; Authorization Request carrying Card Data (Encrypted); Card Data; Authorization Response
1) Credit card is swiped at merchant’s POS
2) PAN/Track data/exp dates encrypted using Format Preserving Encryption in the POS device and sent to WorldPay Stratus
3) Encrypted transaction is decrypted at the Decryption Service and sent back to the Stratus
4) Card number is passed to bank for authorization
5) Authorization is returned to the merchant
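The flow above rests on one property of Format Preserving Encryption: the ciphertext is still a string of the same length and character set as the PAN, so legacy POS software, databases and message formats that expect a card number keep working, while a RAM scraper on the POS sees only the encrypted digits. The following is an added illustration written for this transcript, not VeriShield Protect's or Worldpay's code. It uses a toy alternating Feistel network keyed with HMAC-SHA256 (it is not NIST FF1), a constructed demo key and a constructed test PAN; the choice to leave the first six and last four digits in the clear and use them as the tweak is an assumption about how such a scheme is typically applied, not something the slide states.

```python
import hashlib
import hmac

# Constructed demo key. In a deployment like the one on the slide the key would
# live only in the terminal's secure hardware and the decryption service's HSM,
# never in the merchant's POS application, network or servers.
DEMO_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
ROUNDS = 10  # must be even for the decrypt-side split below to hold


def _round_function(key: bytes, round_no: int, half: str, n_out: int, tweak: bytes) -> int:
    """Keyed pseudo-random function for one Feistel round.

    Maps the opposite half (a decimal string) to an integer in [0, 10**n_out)
    via HMAC-SHA256 over (round number, tweak, half). The tweak binds the
    ciphertext to context that stays in the clear (here BIN + last four).
    """
    msg = bytes([round_no]) + tweak + b"|" + half.encode("ascii")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % (10 ** n_out)


def fpe_encrypt_digits(key: bytes, digits: str, tweak: bytes = b"") -> str:
    """Encrypt a decimal string to a decimal string of the same length.

    Toy alternating Feistel network over the radix-10 alphabet, for
    illustration only; it is NOT an implementation of NIST FF1.
    """
    if not digits.isdigit() or len(digits) < 2:
        raise ValueError("need at least two decimal digits")
    u = len(digits) // 2
    a, b = digits[:u], digits[u:]
    for i in range(ROUNDS):
        m = len(a)
        c = (int(a) + _round_function(key, i, b, m, tweak)) % (10 ** m)
        a, b = b, str(c).zfill(m)  # halves swap roles (and lengths) each round
    return a + b


def fpe_decrypt_digits(key: bytes, digits: str, tweak: bytes = b"") -> str:
    """Invert fpe_encrypt_digits by running the rounds backwards."""
    n = len(digits)
    u = n // 2
    split = u if ROUNDS % 2 == 0 else n - u  # halves are back to (u, n-u) after an even round count
    a, b = digits[:split], digits[split:]
    for i in reversed(range(ROUNDS)):
        m = len(b)
        c = (int(b) - _round_function(key, i, a, m, tweak)) % (10 ** m)
        a, b = str(c).zfill(m), a
    return a + b


def protect_pan(key: bytes, pan: str) -> str:
    """What the terminal sends upstream (assumed layout for the demo).

    First six (BIN) and last four stay in the clear for routing and receipts;
    the middle digits are encrypted with the clear parts as tweak, so the same
    middle digits encrypt differently under a different BIN / last four.
    """
    if not pan.isdigit() or len(pan) < 12:
        raise ValueError("PAN must be at least 12 digits")
    head, middle, tail = pan[:6], pan[6:-4], pan[-4:]
    return head + fpe_encrypt_digits(key, middle, (head + tail).encode("ascii")) + tail


def recover_pan(key: bytes, protected: str) -> str:
    """What only the decryption service, holding the key, can do."""
    head, middle, tail = protected[:6], protected[6:-4], protected[-4:]
    return head + fpe_decrypt_digits(key, middle, (head + tail).encode("ascii")) + tail


if __name__ == "__main__":
    test_pan = "4111111111111111"  # constructed test number, not a real card
    protected = protect_pan(DEMO_KEY, test_pan)
    print("POS / network see :", protected)   # same length, all digits, but not the PAN
    print("decryption service:", recover_pan(DEMO_KEY, protected))
```

The point for the merchant is scope: everything between the terminal and the decryption service handles `protected`, which parses as a 16-digit card number but cannot be turned back into one without the key that the merchant environment never holds.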
Security Products to Mitigate Risk
Online PCI Attestation Programs
Program Benefits Include (For Level 3 and 4 Merchants):
• Network Scans
• Online Self-Assessment Questionnaire and Assistance
• PCI DSS Customer Phone Support
• PCI DSS Fraud Manager
• Confirmation of PCI DSS Validation
• Compliance Dashboard
• Access to Security Policy Templates
Security Products to Mitigate Risk
Managed Firewall Solution
• Protects both PCI and corporate traffic through a state-of-the-art firewall platform
• Simplicity! One stop management of multiple locations
• PCI compliance achieved and maintained
• Automated output to SAQ and other PCI reporting requirements
• Changes to PCI DSS standards are easily implemented and enforced
• Productivity gains through limitation/tracking of employee/store Internet access
Security Products to Mitigate Risk
Managed Firewall Solution
A Brief Look At EMV
What Is EMV?
• EMV stands for EuroPay, MasterCard and Visa, the entities that originally pushed for this standard. Also known as “Chip and PIN” and “Smart Cards”
• Dynamic two-factor authentication.
• Card has EMV chip embedded in it.
  – Cardholder swipes card and either enters PIN or signs receipt (determined by Issuer)
  – Smart Card capable terminal needed to recognize chip inside of card
• Different from existing “Contactless” cards, which have a chip, but no authentication (i.e. non-EMV)
• Over 1 billion cards have been issued worldwide (100MM in the US).
A Brief Look At EMV
EMV in the UK
Originally deployed in the UK in 2004 – “Chip and PIN” flavor
• Beginning Jan 2005 merchants bore cost of face-to-face fraud if they were not EMV compliant
Source: Financial Fraud Action UK, “Fraud the Facts 2012”
A Brief Look At EMV
EMV Is Coming To The US
EMV support has and will occur over several phases through 2017
October 2015 is a key date for merchants - Counterfeit Card and Lost or Stolen liability shift
A Brief Look At EMV
What Is The Liability Shift?
In order to incent Issuers and Merchants to deploy EMV compliant technology:
• Following October 2015, the Issuer bears liability for counterfeit card transactions (Visa and MC) or lost or stolen cards (MC) which occur at EMV certified devices
• The Merchant bears liability for counterfeit card transactions (Visa and MC) or lost or stolen cards (MC) if the genuine card was EMV capable and the merchant did not use an EMV certified device
Note that EMV adoption is NOT a mandate for Merchants or Issuers
A Brief Look At EMV
Risk of Liability Shift?
• Liability shift ONLY applies if card was reissued with chip or terminal supports EMV
  – Dec 2014: Approx 100MM cards issued in the US
  – Approx 570MM cards delivered to US cardholders in 2015
  – Approx 1 B cards in US by end of 2016 (1.6B cards issued today)
• Baseline risk TODAY is very low but will increase
  – Visa counterfeit card estimate: 0.012% of transactions; 0.028% of value
  – Shift only applies when cards or terminals support EMV
  – Risk will increase as more terminals are deployed
  – Risk will increase as more cards are reissued
  – Fraud follows the path of least resistance
Sources: Digital Transactions, Jan 8 2015, Jan 14 2015; Visa study for Worldpay
A Brief Look At EMV
Preparing For EMV Now
• Be sure to consult with your vendors and acquirer now if there are any POS equipment purchases/equipment refreshes soon
• While EMV is still being implemented at the application level, EMV-ready hardware is available today – and any hardware MUST be supported by your POS vendor!
• EMV will NOT supplant the need for PCI compliance
• Though the EMV chip will provide two-factor authentication, the “card number” itself is generally not encrypted as a result of EMV implementation
• Card Present fraud will migrate away from EMV-compliant locations – you don’t want to be the “last on the block” to implement
• E-Commerce transactions are vulnerable to fraud migration
Thought Leadership
Apple Launches Digital Payments in October
What is Apple Pay?
• Apple Pay is a mobile wallet that allows consumers to pay for goods with their smartphones instead of credit cards.
What does this mean for merchants in general?
• Merchants with Near Field Communication (NFC) enabled payment terminals will be able to accept Apple Pay mobile wallet
What does this mean for the payment industry?
• Apple’s entry into mobile payments could expedite mainstream acceptance of mobile wallets and contactless payment
Benefits of Apple Pay to Merchants
• Enhanced security with digital payments
• Simplified consumer purchase experience
• On mobile platform, computer or smart device
Apple Pay Mobile Wallet in Passbook Application on iPhone 6
Apple Pay Digital Payment
How does Apple Pay Work for Consumers?
Tap and go contactless payment in the store with the iPhone 6 and an NFC device reader
1. Consumer sets up iPhone for digital payment
  • Consumers load their card data to the Apple Pay wallet by photographing the card with the iPhone 6.
  • Card data in the iPhone is tokenized (replaced with a random digital number called a token) so that it is not recognizable.
2. Consumer pays in the store with the iPhone
  • Consumers wave their iPhone 6 within a few inches of an NFC-enabled POS terminal, then press the phone’s home button for biometric identity verification.
  • This initiates the payment transaction, which continues through the normal authorization process.
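Tokenization, as described in step 1, differs from the encryption on the VeriShield slide in one important way: a token is random, so there is no key that turns it back into a card number, only a lookup in a vault that the merchant and the phone never hold. The sketch below is an added illustration for this transcript and is not Apple's, Worldpay's or any network's implementation; the page says nothing about Apple Pay's real token format or where its vault lives, so the 16-digit Luhn-valid layout, the preserved last four digits, the per-(card, device) issuance and the in-memory vault are all assumptions chosen to make the property visible.

```python
import secrets


def luhn_check_digit(partial: str) -> str:
    """Return the digit that makes partial + digit pass the Luhn check."""
    total = 0
    # Walk from the right; the check-digit slot is absent, so the rightmost
    # digit of `partial` is the first one that gets doubled.
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True if `number` is all digits and its last digit is the correct Luhn check digit."""
    return len(number) >= 2 and number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]


class TokenVault:
    """Assumed tokenization service living outside the merchant and the device.

    Tokens are random 16-digit, Luhn-valid numbers that keep only the PAN's
    last four digits (for receipts) and are issued per (PAN, device), so a
    token lifted from one phone is meaningless for another. The mapping exists
    only here: a merchant system that stores tokens holds nothing an attacker
    can turn back into a card number.
    """

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}
        self._issued: dict[tuple[str, str], str] = {}  # (pan, device_id) -> token

    def _random_token(self, last_four: str) -> str:
        """11 random digits + one adjusting digit + the real last four, made Luhn-valid.

        The adjusting digit sits in a fixed position, and every residue mod 10 is
        reachable from it, so exactly one of the ten candidates passes Luhn.
        """
        rand11 = "".join(secrets.choice("0123456789") for _ in range(11))
        for x in "0123456789":
            candidate = rand11 + x + last_four
            if luhn_valid(candidate):
                return candidate
        raise RuntimeError("unreachable: one adjusting digit always works")

    def tokenize(self, pan: str, device_id: str) -> str:
        """Issue (or re-use) the token for this card on this device."""
        if len(pan) != 16 or not luhn_valid(pan):
            raise ValueError("not a valid 16-digit PAN")
        key = (pan, device_id)
        if key in self._issued:
            return self._issued[key]
        while True:
            token = self._random_token(pan[-4:])
            # Never hand out a token that collides with another token or equals a real PAN we hold.
            if token not in self._token_to_pan and token != pan:
                break
        self._token_to_pan[token] = pan
        self._issued[key] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can do this; an unknown token simply has no PAN behind it."""
        return self._token_to_pan[token]


if __name__ == "__main__":
    vault = TokenVault()
    pan = "4111111111111111"  # constructed test number, not a real card
    tok = vault.tokenize(pan, device_id="phone-A")
    print("token on device :", tok, "luhn ok:", luhn_valid(tok))
    print("vault resolves  :", vault.detokenize(tok))
```

Because the token is Luhn-valid and the same length as a PAN, it flows through the "normal authorization process" mentioned in step 2 unchanged; the swap back to the real card number happens at the vault, outside the merchant's PCI scope.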
Apple Pay Digital Payment
How does Apple Pay Work for Merchants with Integrated POS Systems?
For integrated terminals
1. Merchants should work with their dealer to determine what equipment should be used for NFC enablement
  • The recommendation will be different for each dealer, depending on their hardware offerings
2. Merchants can upgrade to NFC by adding NFC-enabled peripherals
  • Many vendors will limit their PIN pad options to one or two models (because EMV requires certification on every point of entry)
Thank You For Your Time!
Questions?