Session 4: Data Privacy and Fraud
Moderator: Bill Houck, Director, Risk Management, UATP
Panelists: Peter Warner, EVP, Retail Decisions; Cherie Lauretta, Vice Manager, United Airlines; Herman Mensink, EVP, Prism Group, EMEA; Paul Buelens, Fraud Manager, MasterCard International, Risk & Security Services, ESAMEA
Hacking
Hackers do it for Fun!
• Yes they do - but organised criminals do it for profit!
• A single database compromise at a payment card processor or a major on-line retailer can reap millions of card details
• Which the criminals can then use to commit payment card fraud
The Cost?
• Aside from the fraud losses, which on average are $1,000 per card account
• The payment card schemes impose substantial penalties on the compromised company to compensate the card issuers for replacing the card ($25 per card) or monitoring the account activity more closely ($5 per account)
• For example, if 1 million accounts are compromised, of which only 1,000 (0.1%) are used fraudulently, the organisation responsible will face costs of:
– $1,000,000 in fraud losses (1,000 accounts × $1,000)
– Up to $25,000,000 in penalties (1,000,000 cards × $25 re-issuance)
• And suffer the consequential reputational risk
Ready for Export
• 99% of all known Account Data Compromise events were on US institutions
• Of these 68% were at Merchant Service Providers (MSP’s)
• And 32% were at Merchants
Unnecessary and insecure data storage must be eliminated in order to minimise the risk
The Real Cost of e-commerce Fraud for Airlines
Lost revenue:
Lost ticket sales to fraud
Rejecting, insulting and losing genuine airline customers
Lost repeat ticket sales to competitors
Rejecting third party bookings as risk prone
Turning away cross-border transactions from high-risk destinations
Seats blocked to good customers by fraudsters testing cards (Alicante)
Increased fraud:
Chargebacks, surcharges and fines
Increased Costs:
Cost of sale (postage, ticket sales time)
High manual review costs to minimise fraud
Warning
• Many hacks are not reported
• Many more are not detected
• And internal fraud is often involved
Top 5 Reasons for Compromise
1. Ineffective patch management
2. No security scanning
3. Weak network level security
4. SQL injection
5. Lack of real-time security monitoring
• Security professionals use scans to find vulnerabilities
• Hackers also scan systems to find vulnerabilities and exploit them using well-known and widely available tools
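Reason 4 (SQL injection) and reason 5 (no real-time monitoring) are the two items on this list a practitioner can demonstrate directly. The following example, added here and not taken from any of the panelists' material, shows the same card-lookup query written two ways: built by string concatenation, so that an attacker-supplied value rewrites the WHERE clause and dumps every stored card number, and built with a bound parameter, so the same input matches nothing. It then runs a minimal detection pass over two constructed web-server log lines to flag the request that carried the injection. The table, column names, card numbers (well-known test PANs) and log lines are all constructed for the example.

```python
import re
import sqlite3
from urllib.parse import unquote_plus

# Constructed sample data: industry test card numbers, not real accounts.
SAMPLE_ACCOUNTS = [
    ("alice@example.com", "4111111111111111"),
    ("bob@example.com", "5555555555554444"),
    ("carol@example.com", "378282246310005"),
]

# The classic tautology: closes the quoted literal, then adds an always-true clause.
INJECTION = "' OR '1'='1"


def build_db():
    """In-memory database standing in for a retailer's card-on-file table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (customer_email TEXT, pan TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ACCOUNTS)
    return conn


def lookup_vulnerable(conn, email):
    """Caller input is pasted into the SQL text, so it is parsed as SQL."""
    sql = f"SELECT pan FROM accounts WHERE customer_email = '{email}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn, email):
    """Caller input is bound as a value; the database never parses it as SQL."""
    sql = "SELECT pan FROM accounts WHERE customer_email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]


def demo():
    conn = build_db()
    return {
        "legit_vuln": lookup_vulnerable(conn, "alice@example.com"),
        "legit_safe": lookup_parameterised(conn, "alice@example.com"),
        "attack_vuln": lookup_vulnerable(conn, INJECTION),   # every PAN leaks
        "attack_safe": lookup_parameterised(conn, INJECTION),  # no such customer
    }


# Constructed access-log lines (Common Log Format); the second carries the
# injection above, URL-encoded as a browser would send it.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2005:10:01:02 +0000] '
    '"GET /lookup?email=alice%40example.com HTTP/1.1" 200 312',
    '198.51.100.7 - - [12/Mar/2005:10:01:09 +0000] '
    '"GET /lookup?email=%27+OR+%271%27%3D%271 HTTP/1.1" 200 9876',
]

# Deliberately narrow signature set: a quote-OR-quote tautology, UNION SELECT,
# a comment terminator, or a stacked DROP. Real monitoring needs far more.
SQLI_PATTERN = re.compile(r"('\s*or\s*'|union\s+select|--|;\s*drop\s)", re.IGNORECASE)
REQUEST_PATTERN = re.compile(r'"(?:GET|POST) (\S+)')


def flag_sqli_requests(log_lines):
    """Return the client IPs whose decoded request line matches SQLI_PATTERN."""
    flagged = []
    for line in log_lines:
        m = REQUEST_PATTERN.search(line)
        if not m:
            continue
        # Decode before matching, otherwise %27 hides the quote from the regex.
        if SQLI_PATTERN.search(unquote_plus(m.group(1))):
            flagged.append(line.split()[0])
    return flagged


if __name__ == "__main__":
    results = demo()
    print("legit lookup (vulnerable):", results["legit_vuln"])
    print("legit lookup (bound):     ", results["legit_safe"])
    print("injection (vulnerable):   ", results["attack_vuln"])
    print("injection (bound):        ", results["attack_safe"])
    print("flagged clients:          ", flag_sqli_requests(SAMPLE_LOG))
```

The size of the response (9876 bytes against 312 for the genuine lookup) is the other tell in the constructed log: a lookup that normally returns one card suddenly returning many is exactly the kind of anomaly real-time monitoring exists to catch, and it is visible even where the query text is not logged.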
PCI Compliance – Some Observations
• ReD were already BS 7799 compliant when the PCI programme was started.
– Basic infrastructure was already in place
– Saved a considerable amount of documentation work (e.g. process definition etc.)
• However, PCI Compliance took longer than we originally planned due to:
– Production Network Reconfiguration
– Installation of an Intrusion Detection System
– Implementation of a full Network Monitoring system
– Number of planned maintenance windows required to accomplish this (our customers commented on this).
• Need to select a Quality Audit Partner
– Need access to a dedicated resource
– Make sure that resource is available throughout the audit process
PCI Compliance – The Trickle Down Theory
• Need to assess the impact on your Supply Chain
– Vendors have been slow to recognise the importance of PCI Compliance
– Vendors have been slow to modify their products and services to be PCI Compliant
– Examples:
• Off-Site Tape Storage and liability
• Database Encryption
• Communications
• Need to assess the impact on your Customers
– PCI Compliance message has not gone out to everyone
PCI Compliance – In Summary
• PCI Compliance is expensive but necessary
– Smaller Payment Service Providers may be forced out of business
– Benefit to out-sourcing Payment Service Processing
• Staying PCI Compliant requires strict adherence to change management processes
The Impact of Account Data Compromise
• Counterfeit cards and fraud
• Significant chargeback risk
• Penalties, fines, losses
• Negative media coverage
• Loss of reputation
• Re-issuance and monitoring of cards
• Loss of consumer confidence
• Threat of new legislation