The recorded version of this webinar is available at: http://www.practicalecommerce.com/webinars/60-The-Easy-Way-to-Accept-and-Protect-Credit-Card-Data "The Easy Way to Accept & Protect Credit Card Data" is a free, educational webinar. The moderator is Kerry Murdock, editor and publisher of Practical eCommerce. The presenters are Tyler Hannan, platform evangelist for IP Commerce, a leading cloud-computing payment platform, and David Herrald, an information security consultant with Global Technology Resources, Inc., an international security and technology firm. e-Similate, a leading provider of payment integration tools, is the sponsor of the webinar.
The Easy Way to Accept and Protect Payment Account Data
Commerce Security Fundamentals
July 12, 2011
Who You Are Interacting with Today
• Kerry Murdock, Editor and Publisher, Practical eCommerce (moderator)
• Tyler Hannan, Platform Evangelist, IP Commerce
• David Herrald, Consulting Architect – Information Security, Global Technology Resources, Inc.
Sponsored by e-Similate
Agenda
• Consequences of a Data Breach
• What Is PCI Compliance?
• Status of the Payment Card Industry Data Security Standard
• PCI responsibilities of the merchant and developer
• Tools to Assist with Security and Compliance
• Tokenization
• Hosted payment solutions
Consequences of a Data Breach
What Data Compromise Looks Like
TJX: Anatomy of a Data Breach
TJX Data Breach, Announced January 2007
• TJX owns retail companies: T.J. Maxx, Marshalls, Bob’s Stores
• Data breach called the “biggest ever”
• Initial estimates put the number of breached accounts at a few million
• By December 2007, it had been confirmed that at least 94 million customers had their information stolen
What did it cost?
• Credibility
• $4.5 billion (estimated)
Sony: Anatomy of a Data Breach
Sony Data Breach, 2011
• Sony PlayStation Network is targeted by malicious hacker groups
• Proved to be an easy target
• SQL injection vulnerabilities
• Unencrypted or poorly encrypted stored passwords
• 77 million records compromised
• Ongoing attacks against other Sony business units: Sony Pictures (1 million user accounts hacked)
What did it cost?
• Credibility
• Estimates range from $1.5 billion to $4.6 billion
Data Breach Statistics
• 85% of attacks were not considered highly difficult
• 86% of victims had evidence of the attack in their log files; even so, 61% of breaches were discovered by a third party
• 96% of breaches were avoidable through simple or intermediate controls
• 79% of victims subject to PCI had not achieved compliance
• 30% of victims met PCI Requirement 3 (Protect Stored Cardholder Data)
Source: Verizon 2010 Data Breach Investigations Report
Consequences for the Merchant
Cost per compromised record for three scenarios: (A) low-profile breach, non-regulated industry; (B) low-profile breach, regulated industry; (C) high-profile breach, highly regulated industry. Figures are A / B / C.
• Discovery, Notification and Response (outside legal counsel; mail notification, calls, call center and discounted product offers): $50 / $50 / $50
• Lost Employee Productivity (employees diverted from other tasks): $20 / $25 / $30
• Opportunity Cost (customer churn and difficulty in getting new customers): $20 / $50 / $100
• Regulatory Fines (FTC, PCI, SOX): $0 / $25 / $60
• Restitution (civil courts may require you to put this money aside): $0 / $0 / $30
• Additional Security and Audit Requirements (levied as a result of a breach): $0 / $5 / $10
• Other Liabilities (credit card replacement costs; civil penalties if specific fraud can be traced to the breach): $0 / $0 / $25
• COST PER COMPROMISED RECORD: $90 / $155 / $305
Source: “Calculating the Cost of a Security Breach,” Forrester Research.
Focus on Small Merchants
If I am a small merchant, does this really matter? Why is there a focus on the smallest of merchants?
• 5% of all exposed accounts
• 80% of software breaches
• 99% of Visa’s merchant base
• 64% feel invulnerable to attack*
• 1 million estimated small business victims*
• 60% of small businesses do not understand the fines they are subject to*
*National Retail Federation (NRF) and First Data Corporation 2010 survey of US small businesses
What Is PCI Compliance?
PCI Security Standards Council
“The PCI Security Standards Council is an open global forum, launched in 2006, that is responsible for the development, management, education, and awareness of the PCI Security Standards…
“All five payment brands share equally in the Council’s governance, have equal input into the PCI Security Standards Council and share responsibility for carrying out the work of the organization.”
- https://www.pcisecuritystandards.org/organization_info/index.php
What Does PCI DSS Consist Of?
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs.
6. Develop and maintain secure systems and applications.
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel.
“Is there anyone who can save me from all this?”
Tools to Assist with Security and Compliance
Prioritized Approach
Where Should a Merchant Start?
• The PCI DSS contains over 200 individual requirements.
• The PCI Council has released the Prioritized Approach to Pursue PCI DSS Compliance.
• Milestone 1: Remove cardholder data and sensitive authentication data.
• Helps integrate the concept of risk management with PCI DSS compliance.
• Remember: there are a total of 6 milestones in the prioritized approach, and every requirement in the PCI DSS must be met to be compliant.
Tokenization
Eliminate the Complexity of Secure Data Storage
• Protect sensitive customer payment account data by encrypting it and assigning it a unique token.
• The token can be leveraged for future use, such as recurring payments.
• The data is stored in a PCI-compliant data center, removing that element of risk from the merchant.
How It Works
1. Payment account data is sent from the merchant’s website or POS system to the Platform for tokenizing.
2. A copy of the payment account data is assigned a token and stored securely.
3. The Platform securely passes the payment account data to the desired payment service provider.
4. A token is returned in the transaction response; it can be stored instead of the payment account data and used for subsequent transactions.
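The four steps above describe the provider's side of tokenization. The following is an added example, not IP Commerce's code: a minimal token vault that encrypts the PAN with AES-GCM, issues a random token with no relation to the PAN, and a merchant-side call that keeps only the token and the last four digits. The names (Vault, StoreCardOnFile, the tok_ prefix) and the AES-GCM construction are assumptions for illustration; the point it demonstrates is that a copy of the merchant database yields nothing usable without the vault.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
)

// luhnValid rejects mistyped or bogus PANs before they reach the vault.
func luhnValid(pan string) bool {
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		if pan[i] < '0' || pan[i] > '9' {
			return false
		}
		d := int(pan[i] - '0')
		if double && d > 4 {
			d = d*2 - 9
		} else if double {
			d *= 2
		}
		sum += d
		double = !double
	}
	return len(pan) >= 13 && len(pan) <= 19 && sum%10 == 0
}

// Vault stands in for the provider's PCI-scoped token store (assumed design);
// the merchant never holds one. Each record is nonce||AES-GCM ciphertext of
// the PAN, keyed by the opaque token.
type Vault struct {
	aead    cipher.AEAD
	records map[string][]byte
}

func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32 byte key, normally from an HSM/KMS
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead, records: map[string][]byte{}}, nil
}

// Tokenize encrypts the PAN and returns a random token. The token has no
// mathematical relation to the PAN, so it is worthless without the vault.
func (v *Vault) Tokenize(pan string) (string, error) {
	if !luhnValid(pan) {
		return "", errors.New("invalid PAN")
	}
	nonce := make([]byte, v.aead.NonceSize())
	raw := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := "tok_" + hex.EncodeToString(raw)
	v.records[token] = v.aead.Seal(nonce, nonce, []byte(pan), nil) // nonce prefix, then ciphertext
	return token, nil
}

// Detokenize runs only inside the platform, when a stored token is turned
// back into a PAN to forward to the payment service provider (step 3).
func (v *Vault) Detokenize(token string) (string, error) {
	rec, ok := v.records[token]
	if !ok {
		return "", errors.New("unknown token")
	}
	ns := v.aead.NonceSize()
	pan, err := v.aead.Open(nil, rec[:ns], rec[ns:], nil)
	if err != nil {
		return "", err
	}
	return string(pan), nil
}

// MerchantRecord is all the merchant persists for a card on file:
// the token for recurring charges and the last four digits for display.
type MerchantRecord struct {
	Token string
	Last4 string
}

// StoreCardOnFile is the merchant-side call: PAN in, token out, PAN discarded.
func StoreCardOnFile(v *Vault, pan string) (MerchantRecord, error) {
	tok, err := v.Tokenize(pan)
	if err != nil {
		return MerchantRecord{}, err
	}
	return MerchantRecord{Token: tok, Last4: pan[len(pan)-4:]}, nil
}
```

Because the token is drawn from a CSPRNG rather than derived from the PAN, tokenizing the same card twice yields two unrelated tokens; a merchant that needs one token per card for recurring billing relies on the platform to return the existing token, which is a vault-side lookup and not something the merchant can compute.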
Value-Added Services
What Is a Value-Added Service?
• Services that are injected into the payment transaction
• Services that do not “remove” compliance obligations but “address” risk
• Capabilities that can be added at a point in time appropriate for the merchant customer, without additional integration work
Examples of Value-Added Services
• Risk Management
• Each transaction is inspected
• Each transaction returns an approve/decline based on risk thresholds
• Chargeback Management
• Transaction information is provided, securely, to chargeback specialists
• People, product, and process manage chargeback behavior on the merchant’s behalf
Commerce Hosted Payment Page
PCI-Compliant Payment Page
• PCI compliance obligation is reduced to completion of a Self-Assessment Questionnaire (SAQ A)
Fully Customizable
• No harsh transitions from the retailer’s site to another checkout page
• Fewer abandoned shopping carts
Simple Integration
• One method call to initiate (HTTP POST)
• Callback to a hidden URL upon payment completion
• Easy-to-implement CSS to support the merchant’s look and feel
• Adding payments is a matter of hours from conception to “go live”
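The integration above is one signed POST out and one callback in. A hidden callback URL should not be the merchant's only protection: whoever learns it can post a fake "approved" result. The following added example (not IP Commerce's or e-Similate's code; the field names, the HMAC-SHA256 scheme and the five-minute window are assumptions) shows the shape of the exchange with a shared-secret MAC on both messages, and the checks the merchant's callback handler should make before releasing goods: signature, freshness, amount and currency against its own order record, and one-shot use of the order ID.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"net/url"
	"sort"
	"strconv"
	"strings"
	"time"
)

// canonical serialises every field except sig as key=value sorted by key, so
// both sides MAC identical bytes whatever order the form arrived in.
func canonical(form url.Values) string {
	keys := make([]string, 0, len(form))
	for k := range form {
		if k != "sig" {
			keys = append(keys, k)
		}
	}
	sort.Strings(keys)
	parts := make([]string, len(keys))
	for i, k := range keys {
		parts[i] = k + "=" + form.Get(k)
	}
	return strings.Join(parts, "&")
}

func sign(secret []byte, form url.Values) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(canonical(form)))
	return hex.EncodeToString(mac.Sum(nil))
}

// InitiatePayment is the merchant's single HTTP POST to the hosted page (assumed fields).
func InitiatePayment(secret []byte, merchantID, orderID string, cents int64, now time.Time) url.Values {
	f := url.Values{}
	f.Set("merchant_id", merchantID)
	f.Set("order_id", orderID)
	f.Set("amount", strconv.FormatInt(cents, 10))
	f.Set("currency", "USD")
	f.Set("ts", strconv.FormatInt(now.Unix(), 10))
	f.Set("sig", sign(secret, f))
	return f
}

// PlatformCallback models what the platform posts to the merchant's callback
// URL when the shopper finishes: outcome, a token in place of the PAN, signature.
func PlatformCallback(secret []byte, init url.Values, token, status string, now time.Time) url.Values {
	cb := url.Values{}
	for _, k := range []string{"order_id", "amount", "currency"} {
		cb.Set(k, init.Get(k))
	}
	cb.Set("status", status)
	cb.Set("token", token)
	cb.Set("ts", strconv.FormatInt(now.Unix(), 10))
	cb.Set("sig", sign(secret, cb))
	return cb
}

// CallbackVerifier is the merchant's gate on that callback. The unpublished URL
// is not authentication; the MAC, freshness window, amount check and one-shot order ID are.
type CallbackVerifier struct {
	Secret   []byte
	MaxSkew  time.Duration
	Expected map[string]int64 // order_id -> cents the merchant actually asked for
	seen     map[string]bool
}

func (cv *CallbackVerifier) Verify(cb url.Values, now time.Time) error {
	if cv.seen == nil {
		cv.seen = map[string]bool{}
	}
	if !hmac.Equal([]byte(sign(cv.Secret, cb)), []byte(cb.Get("sig"))) {
		return errors.New("bad signature") // constant-time compare
	}
	ts, err := strconv.ParseInt(cb.Get("ts"), 10, 64)
	if d := now.Sub(time.Unix(ts, 0)); err != nil || d > cv.MaxSkew || d < -cv.MaxSkew {
		return errors.New("stale or malformed timestamp")
	}
	oid := cb.Get("order_id")
	cents, ok := cv.Expected[oid]
	if !ok || cb.Get("amount") != strconv.FormatInt(cents, 10) || cb.Get("currency") != "USD" {
		return errors.New("order, amount or currency mismatch")
	}
	if cv.seen[oid] {
		return errors.New("replayed callback")
	}
	cv.seen[oid] = true
	if cb.Get("status") != "approved" {
		return errors.New("payment not approved: " + cb.Get("status"))
	}
	return nil
}
```

The amount check matters as much as the signature: the shopper controls the browser that carries the initiation POST, so the merchant must compare the callback against the order it recorded server-side, not against whatever was in the form. In production the seen-set would live in the order database rather than in memory.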
Checkout flow: Choose Your Product, Populate Your Cart, Check Out Securely, Return to Website
Q&A
Tyler Hannan, Platform Evangelist, IP Commerce, @tylerhannan
David Herrald, Consulting Architect - Information Security, Global Technology Resources Inc., @daveherrald
http://www.e-similate.com