Session 4: Data Privacy and Fraud

Moderator: Bill Houck, Director, Risk Management, UATP

Panelists: Peter Warner, EVP, Retail Decisions; Cherie Lauretta, Vice Manager, United Airlines; Herman Mensink, EVP, Prism Group, EMEA; Paul Buelens, Fraud Manager, MasterCard International, Risk & Security Services, ESAMEA


Risk Management Through PCI Compliance

March 2006

Peter Warner

EVP, Business Development

Hacking Is Fast Becoming The “Crime Of The Century”

Hacking

Hackers do it for Fun!

• Yes they do - but organised criminals do it for profit!

• A single database compromise in a payment card processor or a major on-line retailer can reap millions of card details

• Which the criminals can use to commit payment card fraud

The Cost?

• Aside from the fraud losses, which on average are $1,000 per card account

• The payment card schemes impose substantial penalties on the compromised company to compensate the card issuers for replacing the card ($25 per card) or monitoring the account activity more closely ($5 per account)

• For example, if 1 million accounts are compromised, of which only 1,000 or 0.1% are used fraudulently, the organisation responsible will face costs of:

– $1,000,000 in fraud losses

– Up to $25,000,000 in penalties

• And suffer the consequential reputational risk

Ready for Export

• 99% of all known Account Data Compromise events were on US institutions

• Of these, 68% were at Merchant Service Providers (MSPs)

• And 32% were at Merchants

Unnecessary & insecure data storage must be eliminated in order to minimise the risk

The Real Cost of e-commerce Fraud for Airlines

Lost revenue:

Lost ticket sales to fraud

Rejecting, insulting and losing genuine airline customers

Lost repeat ticket sales to competitors

Rejecting third party bookings as risk prone

Turning away cross-border transactions from high-risk destinations

Seats blocked to good customers by fraudsters testing cards (Alicante)

Increased fraud:

Chargebacks, surcharges and fines

Increased Costs:

Cost of sale (postage, ticket sales time)

High manual review costs to minimise fraud

Warning

• Many hacks are not reported

• Many more are not detected

• And internal fraud is often involved

Top 5 Reasons for Compromise

1. Ineffective patch management

2. No security scanning

3. Weak network level security

4. SQL injection

5. Lack of real-time security monitoring

• Security professionals use scans to find vulnerabilities

• Hackers also scan systems to find vulnerabilities and exploit them using well-known and widely available tools

2005 known hacks

Source: Cybertrust

PCI Compliance – Some Observations

• ReD were already BS 7799 compliant when the PCI programme was started.

– Basic infrastructure was already in place

– Saved a considerable amount of documentation work (e.g. process definition etc.)

• HOWEVER, PCI Compliance took longer than we originally planned due to:

– Production Network Reconfiguration

– Installation of an Intrusion Detection System

– Implementation of a full Network Monitoring system

– Number of planned maintenance windows required to accomplish this (our customers commented on this).

• Need to select a Quality Audit Partner

– Need access to a dedicated resource

– Make sure that resource is available throughout the audit process

PCI Compliance – The Trickle Down Theory

• Need to assess the impact on your Supply Chain

– Vendors have been slow to recognise the importance of PCI Compliance

– Vendors have been slow to modify their products and services to be PCI Compliant

– Examples:

• Off-Site Tape Storage and liability

• Database Encryption

• Communications

• Need to assess the impact on your Customers

– PCI Compliance message has not gone out to everyone

PCI Compliance – In Summary

• PCI Compliance is expensive but necessary

– Smaller Payment Service Providers may be forced out of business

– Benefit to out-sourcing Payment Service Processing

• Staying PCI Compliant requires strict adherence to change management processes

The Impact of Account Data Compromise

• Counterfeit cards and fraud

• Significant chargeback risk

• Penalties, fines, losses

• Negative media coverage

• Loss of reputation

• Re-issuance and monitoring of cards

• Loss of consumer confidence

• Threat of new legislation

Thank you

March 2006

Peter Warner

EVP, Business Development