
The Easy Way to Accept & Protect Credit Card Data


DESCRIPTION

The recorded version of this webinar is available at: http://www.practicalecommerce.com/webinars/60-The-Easy-Way-to-Accept-and-Protect-Credit-Card-Data "The Easy Way to Accept & Protect Credit Card Data" is a free, educational webinar. The moderator is Kerry Murdock, editor and publisher of Practical eCommerce. The presenters are Tyler Hannan, platform evangelist for IP Commerce, a leading cloud-computing payment platform, and David Herrald, an information security consultant with Global Technology Resources, Inc., an international security and technology firm. e-Similate, a leading provider of payment integration tools, is the sponsor of the webinar.


Page 1: The Easy Way to Accept & Protect Credit Card Data

The Easy Way to Accept and Protect Payment Account Data

Commerce Security Fundamentals

July 12, 2011

Page 2

Kerry Murdock

Editor and Publisher

Practical eCommerce

Who You Are Interacting with Today

Page 3

Tyler Hannan

Platform Evangelist

IP Commerce

Who You Are Interacting with Today

Page 4

David Herrald

Consulting Architect – Information Security

Global Technology Resources, Inc.

Who You Are Interacting with Today

Page 5

Sponsored by

Page 6

Agenda

• Consequences of a Data Breach
• What Is PCI Compliance?
  • Status of the Payment Card Industry Data Security Standard
  • PCI responsibilities of the merchant and developer
• Tools to Assist with Security and Compliance
  • Tokenization
  • Hosted payment solutions

Page 7

Consequences of a Data Breach

Page 8

What Data Compromise Looks Like

Page 9

TJX: Anatomy of a Data Breach

TJX Data Breach, Announced January 2007
• TJX owns retail companies: T.J. Maxx, Marshalls, Bob’s Stores
• Data breach called the “biggest ever”
• Initial estimates put the number of breached accounts at a few million
• By December 2007, it had been confirmed that at least 94 million customers had had their information stolen

What did it cost?
• Credibility
• $4.5 billion (estimated)

Page 10

Sony: Anatomy of a Data Breach

Sony Data Breach, 2011
• Sony PlayStation Network is targeted by malicious hacker groups
• Proved to be an easy target
  • SQL injection vulnerabilities
  • Unencrypted or poorly encrypted stored passwords
• 77 million records compromised
• Ongoing attacks against other Sony business units: Sony Pictures (1 million user accounts hacked)

What did it cost?
• Credibility
• Estimates range from $1.5 billion to $4.6 billion

Page 11

Data Breach Statistics

• 85% of attacks were not considered highly difficult
• 86% of victims had evidence of the attack in their log files; however, 61% of breaches were discovered by a third party
• 96% of breaches were avoidable through simple or intermediate controls
• 79% of victims subject to PCI had not achieved compliance
• 30% of victims met PCI Requirement 3 (Protect Stored Cardholder Data)

Source: Verizon 2010 Data Breach Investigations Report

Page 12

Consequences for the Merchant

Cost per compromised record, by breach profile (all amounts in US dollars):

| Category | Description | Low-profile breach, non-regulated industry | Low-profile breach, regulated industry | High-profile breach, highly regulated industry |
| --- | --- | --- | --- | --- |
| Discovery, Notification and Response | Outside legal counsel; mail notification, calls, call center and discounted product offers | $50 | $50 | $50 |
| Lost Employee Productivity | Employees diverted from other tasks | $20 | $25 | $30 |
| Opportunity Cost | Customer churn and difficulty in getting new customers | $20 | $50 | $100 |
| Regulatory Fines | FTC, PCI, SOX | $0 | $25 | $60 |
| Restitution | Civil courts may require you to put this money aside | $0 | $0 | $30 |
| Additional Security and Audit Requirements | The security and audit requirements levied as a result of a breach | $0 | $5 | $10 |
| Other Liabilities | Credit card replacement costs; civil penalties if specific fraud can be traced to the breach | $0 | $0 | $25 |
| COST PER COMPROMISED RECORD | | $90 | $155 | $305 |

Source: “Calculating the Cost of a Security Breach,” Forrester Research.

Page 13

Consequences for the Merchant

Source: “Calculating the Cost of a Security Breach,” Forrester Research.

Page 14

Focus on Small Merchants

If I am a small merchant… does this really matter? Why is there a focus on the smallest of merchants?

• 5% of all exposed accounts
• 80% of software breaches
• 99% of Visa’s merchant base
• 64% feel invulnerable to attack*
• 1 million est. small business victims*
• 60% of small businesses do not understand the fines they are subject to*

*National Retail Federation (NRF) and First Data Corporation 2010 survey of US small businesses

Page 15

What Is PCI Compliance?

Page 16

PCI Security Standards Council

“The PCI Security Standards Council is an open global forum, launched in 2006, that is responsible for the development, management, education, and awareness of the PCI Security Standards…

“All five payment brands share equally in the Council’s governance, have equal input into the PCI Security Standards Council and share responsibility for carrying out the work of the organization.”

Source: https://www.pcisecuritystandards.org/organization_info/index.php

Page 17

What Does PCI-DSS Consist Of?

Six control objectives, covering twelve requirements:

1. Build and Maintain a Secure Network
   1. Install and maintain a firewall to protect cardholder data.
   2. Do not use vendor-supplied defaults for system passwords and other security parameters.

2. Protect Cardholder Data
   3. Protect stored cardholder data.
   4. Encrypt transmission of cardholder data across open, public networks.

3. Maintain a Vulnerability Management Program
   5. Use and regularly update anti-virus software or programs.
   6. Develop and maintain secure systems and applications.

4. Implement Strong Access Control Measures
   7. Restrict access to cardholder data by business need to know.
   8. Assign a unique ID to each person with computer access.
   9. Restrict physical access to cardholder data.

5. Regularly Monitor and Test Networks
   10. Track and monitor all access to network resources and cardholder data.
   11. Regularly test security systems and processes.

6. Maintain an Information Security Policy
   12. Maintain a policy that addresses information security for all personnel.

Page 18

“Is there anyone who can save me from all this?”

Page 19

Tools to Assist with Security and Compliance

Page 20

Prioritized Approach

Where Should a Merchant Start?

• The PCI DSS contains over 200 individual requirements.
• The PCI Council has released the Prioritized Approach to Pursue PCI DSS Compliance.
  • Milestone 1: Remove cardholder data and sensitive authentication data.
  • Helps integrate the concept of risk management with PCI DSS compliance.
• Remember: there are a total of 6 milestones in the Prioritized Approach, and every requirement in the PCI DSS must be met to be compliant.

Page 21

Tokenization

Eliminate the Complexity of Secure Data Storage
• Protect sensitive customer payment account data by encrypting it and assigning it a unique token.
• The token can be leveraged for future use, such as recurring payments.
• The data is stored in a PCI-compliant data center, removing that element of risk.

How It Works
1. Payment account data is sent from the merchant’s website or POS system to the Platform for tokenizing.
2. A copy of the payment account data is assigned a token and stored securely.
3. The Platform securely passes payment account data to the desired payment service provider.
4. A token is returned in the transaction response and can be stored, instead of the payment account data, and used for subsequent transactions.
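The four-step flow above, as an added example that is not part of the webinar or of IP Commerce’s platform: a hypothetical TokenVault class stands in for the provider’s PCI-scoped vault, issues a random token for a Luhn-valid card number, forwards the card data to a simulated processor, and the merchant’s own record keeps only the token and a masked number, which is all a recurring charge needs. Encryption of the stored PAN inside the vault is assumed to happen in the provider’s data center and is not shown.

```python
import secrets

def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 sanity check before a PAN is accepted for tokenizing."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """The only card-number form the merchant keeps: last four digits."""
    return "*" * (len(pan) - 4) + pan[-4:]

class TokenVault:
    """Hypothetical stand-in for the platform's vault (step 2). The PAN is
    held only here; the merchant never handles it again after step 1."""
    def __init__(self) -> None:
        self._pan_by_token = {}   # token -> PAN (encrypted at rest in a real vault)

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("invalid card number")
        # Random token: carries no information about the PAN and cannot be
        # reversed by anyone who does not hold the vault.
        token = secrets.token_hex(16)
        self._pan_by_token[token] = pan
        return token

    def charge(self, token: str, amount_cents: int) -> dict:
        """Steps 3 and 4: look up the PAN, forward it to the processor
        (simulated here), and answer with the token rather than the PAN."""
        pan = self._pan_by_token.get(token)
        if pan is None:
            raise KeyError("unknown token")
        approved = amount_cents > 0          # simulated processor decision
        return {"approved": approved, "token": token, "last4": pan[-4:]}

def merchant_first_purchase(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """Step 1 from the merchant side: the PAN is sent once; what comes back
    (token, masked number, result) is the record that lands in the merchant DB."""
    token = vault.tokenize(pan)
    resp = vault.charge(token, amount_cents)
    return {"token": resp["token"], "display": mask_pan(pan), "approved": resp["approved"]}

def merchant_recurring_charge(vault: TokenVault, record: dict, amount_cents: int) -> bool:
    """A later (e.g. recurring) payment uses only the stored token."""
    return vault.charge(record["token"], amount_cents)["approved"]
```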

Page 22

Value-Added Services

What is a Value-Added Service?
• Services that are injected into the payment transaction
• Services that do not “remove” compliance but “address” risk
• Capabilities that can be added “point-in-time” when appropriate for the merchant customer, without additional integration work

Examples of Value-Added Services
• Risk Management
  • Each transaction is inspected
  • Each transaction returns an approve/decline based on risk thresholds
• Chargeback Management
  • Transaction information is provided, securely, to chargeback specialists
  • People, product, and process manage chargeback behavior on the merchant’s behalf

Page 23

Commerce Hosted Payment Page

PCI-Compliant Payment Page
• PCI compliance obligation is reduced to completion of a Self-Assessment Questionnaire (SAQ A)

Fully Customizable
• No harsh transitions from the retailer site to another checkout page
• Fewer abandoned shopping carts

Simple Integration
• One method call to initiate (HTTP POST)
• Callback to a hidden URL upon payment completion
• Easy-to-implement CSS to support the merchant’s look and feel
• Adding payments is a matter of hours from conception to “go live”

Page 24

Choose Your Product

Page 25

Populate Your Cart

Page 26

Check Out Securely

Page 27

Return to Website

Page 28

Q&A

Tyler Hannan
Platform Evangelist, IP Commerce
[email protected]
@tylerhannan

David Herrald
Consulting Architect - Information Security, Global Technology Resources Inc.
[email protected]
@daveherrald

http://www.e-similate.com