The Unique Alternative to the Big Four®
Payment Card Industry (PCI) and Security
Crowe Horwath LLP
Anatomy of Recent Card Breaches
Audit | Tax | Advisory | Risk | Performance
Presentation Objectives
• Provide insight into possible or likely root causes behind public cases of card data breaches
• Discuss how specific PCI violations contributed to or prolonged the fraud
• Discuss technical and non-technical measures to decrease the risk and impact of card fraud
• Provide suggestions on how to make your organization a “hard target”
© 2010 Crowe Horwath LLP
Root Cause Analysis
• No Payment Card Industry (PCI)-compliant organization is known to have suffered a card-related data security breach
• Not all the locations where cardholder data (CHD) resides were known or secured
• Servers containing or providing CHD were configured with superfluous application programs and were not properly scoped and audited by a qualified security assessor (QSA)
• Delays in arranging scans and assessments
• Test and production servers and networks were not appropriately distinguished
• Due to weak encryption and poor access controls, wireless networks were electronically “pried open” to reveal private areas of the network which store CHD
Root Cause Analysis (continued)
• Audit trails were not enabled to tie misconduct to a specific employee or consultant. The lack of audit trails hindered criminal investigations because it was not possible to tie an individual, or a time of day, to the incursion.
• A group user ID was used instead of a unique user ID.
• Point-of-sale (POS) terminals were not physically and logically hardened to prevent surreptitious removal and the insertion of a monitoring or sniffing device. The terminals were later returned to the retail locations, where they were used to capture PIN blocks.
What are some of the factors which increase the possibility of a successful fraud?
• They are not just technical reasons!
• Lack of policies
• No antifraud program
• Technology controls not driven by business process controls
• Not learning from past industry frauds
PCI and Your Data and Information Security Policy
• Required Elements
• Approval
• Annual Updating
• Training
[Slide diagram: policy areas arranged around the central message “Adequate Policies Deter Fraud”: Vulnerability Management, Cardholder Centric, Document Destruction, Document Retention, CHD Suppression, Vendor Oversight, Contracts, Wireless Control, PED Management, PED Approval]
PCI Data Storage Tips
• Locate all your CHD
  – CHD not located is CHD not secured
  – Don’t forget test and QA servers
  – Single-purpose devices are a must
• Encrypt, encrypt, encrypt
  – Data at rest
  – Data in transit
• Don’t forget log files of every sort
• What about your ISP? What do they store?
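As an added illustration of “Locate all your CHD” and “Don’t forget log files of every sort” (example code, not part of the presentation), a small scanner that finds Luhn-valid card numbers in log lines and reports each hit masked, so the finding itself does not become another unprotected copy of CHD. The log lines and card numbers are constructed; the card numbers are published test numbers.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Mod-10 (Luhn) check: weeds out order ids, timestamps and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Show first six and last four digits, the most PCI DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text):
    """Return the Luhn-valid card numbers (digits only) found in one line."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def scan_log(lines):
    """Return (line_number, masked_pan) per hit so findings can be triaged without copying CHD."""
    return [(n, mask_pan(p)) for n, line in enumerate(lines, start=1) for p in find_pans(line)]


# Constructed sample log lines (not from any real system); the card numbers are published test numbers.
SAMPLE_LOG = [
    "2010-03-01 09:12:44 POS-07 auth ok card=4111111111111111 amt=42.10",
    "2010-03-01 09:13:02 POS-07 order_id=1234567890123456 status=settled",
    "2010-03-01 09:15:19 web debug: raw form pan='5500 0000 0000 0004' exp=12/12",
    "2010-03-01 09:16:00 POS-07 heartbeat",
]

if __name__ == "__main__":
    for line_no, masked in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: card number present, masked {masked}")
```

The second sample line carries a 16-digit order id that fails the Luhn check, which is why it is not reported; a plain digit-run search would flag it.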
Using PCI to Springboard Your Anti Fraud Program
[Slide diagram: Log File Integrity Check, Strong Authentication, Fraud Deterrence, Use Anti Fraud Controls, Leverage Physical Security]
Point of Sale (POS) Fraud and PCI
• Factors reducing POS risks
[Slide diagram: Hardened Terminals, Deployment Controls, Physical Security, Tamper Resilience, Web Application Review, Separate Production Environment, Separation of Duties, Fraud Incident Response, Strong Encryption, Separate Test Environment]
Transactional Fraud Statistics: Counterfeit PIN Card Fraud
[Chart: cards per year, 1996 to 2006; vertical axis 0 to 300,000; series: Block & Reissue Cards, Fraud Cards Reported, Suspect Cards Identified]
Source: Card Alert Fraud Manager
Key Components of a PCI Anti Fraud Program
[Slide diagram grouped under Prevention, Deterrence and Detection: Tone at the Top, Oversight, Value System / Code of Conduct, Positive Workplace Environment, Risk Assessment, Training / Awareness, Data Analysis, Internal Audit, Whistleblower Program, Incident Response, Monitoring, Disciplinary Examples, Computer Aided Tools, Loss Mitigation]
Using PCI Controls to Prevent Phishing and Identity Theft
People
• Tone at the Top
• Honest Ethical Culture
• Staff Trained to Look for Red Flags
Process
• Fraud Check-ups
• Fraud Hotline
• Defined Incident Handling Process
• Risk Assessment – Check for Red Flags
Technology
• Data Analysis
• Strong Authentication
• Encryption
• Adaptive Security Procedures and Counter Measures
Past Fraud Events Provide a Roadmap for Helping Clients Avoid Common PCI Compliance Pitfalls
• Do not retain unneeded data. After authorization and settlement, very little CHD need remain for inquiry and adjustment purposes. Securely dispose of CHD.
• CHD not located is CHD not secured. Perform a reliable inventory of all the servers, databases, test facilities, networks, paper records, and transaction and activity logs. Include all service providers and contractors in your search.
• Don’t look for a silver bullet solution. There is no single product or service that can alleviate an enterprise’s PCI DSS compliance woes. Every business and every network is different, and PCI DSS controls must be tailored to an organization. There is no “one-size-fits-all” approach.
Past Fraud Events Provide a Roadmap for Helping Clients Avoid Common PCI Compliance Pitfalls (continued)
• Prevent data leaks. Identify all physical and logical points through which CHD enters and leaves your client’s organization. This will mean scrutinizing data reports, log files, servers, email and file transfers.
• Develop specific policies for handling and securing all data, networks and physical records which contain or provide access to CHD.
• Train staff to prevent data leaks; they are the last line of defense ensuring that sensitive information stays put.
• Perform fraud check-ups.
What Could You Do if Your Fraud Check-Up Reveals Issues?
[Slide diagram with three headings: Policies Deficient; Increase Data Analysis and Reaction Ability; Increase Data Access Controls. Measures listed: Improve Code of Conduct, Create Conflicts of Interest, Develop Anti Fraud Policy, Incident Response, Data Mining, Log File Analysis, Authentication, Encryption, Create Fraud Hotlines, Oversight Committee]
Regulatory and Legislative Responses to Fraud
[Slide diagram with topics: Privacy / Data Security; Anti Money Laundering (AML); Fraud; Breach Disclosure; Reverse ATM PIN]
• Federal and state bills to regulate non-bank acquirers.
• Examiners and law enforcement link AML and fraud.
• Breach disclosure: 35 states require issuers and/or data owners to notify account owners.
• Reverse ATM PIN: although completely unsupported, 3 states introduced reverse PIN bills.
Summary: Become a Hard Target
Fraud Prevention Program Components
• Board or Management Approved Policy
• Look for the Red Fraud Flags
• React to the Flags of Fraud
• Employ Prevention Techniques
• Systems Monitoring
• Response Plan
• Employee Training
• New Product Fraud Reviews
• Annual Independent Fraud Check-Up
Any Questions?
Contact Information
Bruce Sussman
973.422.7151
[email protected]
Crowe Horwath LLP