
Ryan Jones, Managing Consultant, Incident Response - SpiderLabs, Trustwave

John Yeo, Director, SpiderLabs - EMEA, Trustwave

The Breach Triad

Academy of Risk Management | Innovate. Collaborate. Educate.


Agenda

- Introduction
- About the Dataset
- Investigation Statistics
- Anatomy of a Data Breach
- Strategic Initiatives
- Conclusions
Academy of Risk Management | Innovate. Collaborate. Educate. ©2011 MasterCard.
Proprietary
Trustwave

• Solutions
– Risk Management, Mitigation and Data Protection
• Worldwide Presence
• Financially Strong
• Experienced and Innovative
• Recognised for Excellence

Introduction

SpiderLabs practice areas (from the slide diagram):
– Incident Response
– Application Pentesting
– Security Research & Development
– Global Security Report
– Conferences
Introduction

About Trustwave’s Global Security Report:

• Issued annually
• Based on findings and evidence from work conducted by Trustwave’s SpiderLabs in 2010
• Serves as a tool to educate and assist in planning business security strategy
• More than 200 investigations and 2,000 penetration test results contributed to the analysis and conclusions
– Data gathered from Top 20 GDP countries
• Download report: https://www.trustwave.com/GSR

About the Dataset



Incident Response Investigations

• Australia, Brazil, Canada, China, Dominican Republic, Germany, Ghana, Israel, Japan, Malaysia, Mexico, Nepal, Philippines, United Kingdom, USA

Investigation Statistics



Industries Represented

• 75% of cases - Food & Beverage and Retail
• Less focus on hospitality than previous year
• A group responsible for the majority... increased their scope

Data at Risk

• Payment Card Data
...simplest to monetise

• Sensitive data
– M&A activity
– Board minutes
– Intelligence
– Proprietary data
– Trade secrets

Compromise Detection

• Regulatory detection down from 80%
• Self detection up from 9%
• A positive trend

Time to Detection by Method

• As expected, those able to self detect, detect quicker
• Unable to self-detect, 5x longer exposure time

Investigations showed:
• Role based security training = improved detection capability
• Mature infosec programs & monitoring controls helped

Targeted Assets

• Ecommerce compromises
– Geographically agnostic

• ATM compromises
– Advanced malware
– USB deployed
– USB collected
– Physical access

• Employee workstations
– Foothold into environment
– End point security
– Segregation of internal networks

System Administration Responsibility

• Third party implementation & maintenance agreement?
• Build non-functional security requirements in

Window of Data Exposure

• Reality reflects intuition
• Storing data increases impact of breach

Average “compromised” transactions:
• In-transit data – 3 months
• Stored data – 18 months

Origin of Attack

Typical Compromised Entity & PCI Compliance

• 97% insufficient firewall policy
• 83% default/guessable password

Anatomy of a Data Breach

Infiltration Method

1. Remote access applications
2. Social Engineering
3. Email Trojans
4. SQL Injection

Data Harvest Method

Shift away from “smash & grab” of stored data


Why?
1. Less unsafe data being stored
– PCI-DSS, PA-DSS, OWASP
2. Card data expires
– More complex to harvest
– But the data is fresh
– Worthwhile trade-off for criminals

In-transit attacks and use of custom malware correlate

Exfiltration Method

• Some malware built to extract data too
• But often the method used to break in is used to extract
– E.g. collecting the malware output file
• Native transfer tools used to extract
– FTP, SMB, HTTP etc.
• Common lack of controls:
– No network egress filtering
– No DLP solution
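The missing control on this slide is egress filtering: a cardholder-data segment should only be able to reach a short allow-list of external destinations, and every other outbound connection is worth an alert. The following Python example is added here to show that check as detection logic; it is not code from the presentation or from Trustwave’s report. The CDE segment 10.10.20.0/24, the allow-listed payment-processor address 198.51.100.10 on port 443, and the key=value firewall log format are all assumptions of the example, and the log lines are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Assumed network layout (placeholders, not from the presentation): the POS /
# cardholder-data segment, and the RFC 1918 ranges treated as "internal".
CDE_SEGMENT = ipaddress.ip_network("10.10.20.0/24")
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
# Assumed egress allow-list: the only external (destination, port) pairs the CDE
# legitimately needs; here a placeholder payment-processor gateway over TLS.
EGRESS_ALLOWLIST = {(ipaddress.ip_address("198.51.100.10"), 443)}
# Native transfer tools the slide names as exfiltration channels.
PROTOCOL_NAMES = {21: "FTP", 80: "HTTP", 445: "SMB"}

# Constructed firewall log lines (not real data) in a simple key=value form.
SAMPLE_LOG = """\
2010-06-14T02:13:44Z src=10.10.20.15 dst=198.51.100.10 dport=443 proto=tcp action=allow bytes=1204
2010-06-14T02:14:02Z src=10.10.20.15 dst=10.10.30.5 dport=445 proto=tcp action=allow bytes=88210
2010-06-14T02:15:31Z src=10.10.20.15 dst=203.0.113.8 dport=21 proto=tcp action=allow bytes=4823110
2010-06-14T02:16:07Z src=10.10.20.22 dst=203.0.113.8 dport=445 proto=tcp action=allow bytes=301220
2010-06-14T02:17:48Z src=10.10.20.22 dst=192.0.2.77 dport=80 proto=tcp action=allow bytes=90412
2010-06-14T02:18:10Z src=10.10.40.3 dst=192.0.2.77 dport=80 proto=tcp action=allow bytes=512
2010-06-14T02:19:55Z src=10.10.20.15 dst=203.0.113.9 dport=22 proto=tcp action=deny bytes=0
"""


@dataclass
class EgressAlert:
    timestamp: str
    src: str
    dst: str
    dport: int
    protocol: str
    bytes_out: int


def parse_line(line: str) -> Dict[str, str]:
    """Split 'timestamp key=value key=value ...' into a dict; a malformed field raises ValueError."""
    timestamp, *fields = line.split()
    record = {"timestamp": timestamp}
    for item in fields:
        key, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"malformed field {item!r}")
        record[key] = value
    return record


def is_internal(address: ipaddress.IPv4Address) -> bool:
    # Explicit RFC 1918 check rather than IPv4Address.is_private, which also
    # classifies the documentation ranges (192.0.2.0/24, 203.0.113.0/24) as private.
    return any(address in network for network in INTERNAL_NETWORKS)


def find_egress_violations(log_text: str) -> List[EgressAlert]:
    """Return every allowed connection that left the CDE segment for an external
    destination not on the egress allow-list. Denied connections are skipped
    (the firewall did its job); anything else is a candidate exfiltration channel."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = parse_line(line)
        src = ipaddress.ip_address(record["src"])
        dst = ipaddress.ip_address(record["dst"])
        dport = int(record["dport"])
        if record.get("action") != "allow" or src not in CDE_SEGMENT:
            continue
        if is_internal(dst) or (dst, dport) in EGRESS_ALLOWLIST:
            continue
        alerts.append(EgressAlert(
            timestamp=record["timestamp"],
            src=str(src),
            dst=str(dst),
            dport=dport,
            protocol=PROTOCOL_NAMES.get(dport, f"tcp/{dport}"),
            bytes_out=int(record.get("bytes", 0)),
        ))
    # Largest transfers first: the most likely bulk export of a malware output file.
    alerts.sort(key=lambda alert: alert.bytes_out, reverse=True)
    return alerts


if __name__ == "__main__":
    for alert in find_egress_violations(SAMPLE_LOG):
        print(f"{alert.timestamp} {alert.src} -> {alert.dst}:{alert.dport} "
              f"({alert.protocol}) {alert.bytes_out} bytes")
```

On the constructed log the three flagged connections are exactly the FTP, SMB and HTTP transfers to external hosts; the SMB copy to another internal segment is not an egress violation (though it may still be lateral movement worth a separate rule), and the denied SSH attempt shows what the same firewall looks like once egress filtering is in place.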

Attack Vector Evolution



Attack Vector Evolution

Attack Vectors Over Time

[Chart: cumulative number of attack vectors (0 to 9) against year, 1950 to 2010. Vectors in order of appearance: Physical, Network, E-mail, Application, Wireless, Client-Side, Mobile, Social Networking.]

Attack Vector Evolution

2010: Network
1. Weak or Blank Administrator Passwords
2. Database Servers Accessible
3. ARP Cache Poisoning
4. Clear Text Transmission of data “on the wire”

Attack Vector Evolution

2010: Application
1. SQL Injection
2. Logic Flaws
3. Authorization Bypass
– Not just about the low hanging fruit

Strategic Initiatives

1. Assess, Reduce and Monitor Client-side Attack Surface
2. Embrace Social Networking, but Educate Staff
3. Develop a Mobile Security Program
4. Use Multifactor Authentication
5. Eradicate Clear-text Traffic
6. Virtually Patch Web Applications Until Fixed
7. Empower Incident Response Teams
8. Enforce Security Upon Third Party Relationships
9. Implement Network Access Control
10. Analyze All Events
11. Implement an Organization-wide Security Awareness Program

Global Conclusions

In 2010, the security landscape changed:

• Targets shifted towards endpoints and users

• Individuals became easily identifiable to attackers

• Malicious tools became more sophisticated

• New attack vectors introduced as we innovate; old vectors never die

In 2011, organizations that are firmly committed to security will:

• Be resilient to attack

• Reduce risk of data compromise

• Protect sensitive data and brand reputation

Questions?

Joshua Knopp, Business Leader, MasterCard Worldwide

Risk Reducing Payment Technologies


MasterCard Risk Based Approach to EMV
Tokenization
Point to Point Encryption



Technologies in Payments

EMV Tokenization P2P Encryption

MasterCard’s Risk Based Approach to EMV



Risk Based Approach to EMV

Updated – September, 2011

Reduced validation of DSS requirements for Non-US EMV enabled merchants
– Transaction thresholds and regional requirements apply
– Full DSS compliance still required

Risk Based Approach to EMV

Requirements

Majority of card present transactions must occur via an EMV enabled terminal:

Europe – 95%
Other Regions – 75%

Risk Based Approach to EMV

Requirements

• Merchant is not storing Sensitive Authentication Data (SAD)
• Card-not-Present environment is segmented from
Card Present environment
• No ADC for past 12 months
• Annual testing of ADC Incident Response Plan
• Annual validation to Milestones 1 thru 4

Risk Based Approach to EMV

Risks

Most common risks to Card Present environments:

• Improperly Configured Remote Access
• Poor Firewall Controls
• Lack of Up-To-Date Security Patching

Risk Based Approach to EMV

Merchant Validation Requirements

Annually attest to Milestones 1-4 of PCI Prioritized Approach:
1. Remove sensitive authentication data and limit data retention.
2. Protect the perimeter, internal, and wireless networks.
3. Secure payment card applications.
4. Monitor and control access to your systems.

Validation requirements are based upon current risks to Card Present environments

Risk Based Approach to EMV

Merchant Validation Requirements

• Merchant Level 1 – Onsite Assessment via QSA or current ISA
• Merchant Level 2 – SAQ via QSA or current ISA
• Merchant Level 3 – N/A – Ecommerce Merchant
• Merchant Level 4 – N/A – Not required to validate

PCI DSS and Tokenization



Tokenization Guidance

August 2011 - PCI SSC released high level guidelines on tokenization and scoping:

“Information Supplement: PCI DSS Tokenization Guidelines”

Tokenization Guidance

Q: What is Tokenization?

A: Tokenization is a process by which the primary account number (PAN) is replaced with a surrogate value called a “token”.

Q: What is De-tokenization?

A: De-tokenization is the reverse process of redeeming a token for its associated PAN value.

Tokens do not need to be reversible!


Tokenization Guidance

Tokens take many shapes and sizes

Random
PAN: 3124 005917 23387
Token: 7aF1Zx118523mw4cwl5x2

Numeric
PAN: 4959 0059 0172 3389
Token: 729129118523184663129

Format Preserving
PAN: 5994 0059 0172 3383
Token: 599400x18523mw4cw3383
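To make the two preceding slides concrete (the tokenize / de-tokenize definitions and the three token shapes), here is an added Python sketch of an in-memory token vault; it is not code from the presentation, from MasterCard or from the PCI SSC guidance. The PANs used are the slide’s own sample values. Design choices that are assumptions of the example: one token is reused per PAN so a merchant can match repeat customers, the format-preserving form keeps the first six and last four digits and always contains a letter so it can never be mistaken for a live card number, and the vault is the only place a token can be redeemed, which is why the guidance puts the tokenization and de-tokenization system in PCI DSS scope.

```python
import secrets
import string
from typing import Callable, Dict

ALPHANUMERIC = string.ascii_letters + string.digits


def normalise_pan(pan: str) -> str:
    """Strip spaces and require a plausible PAN: 13 to 19 digits."""
    digits = pan.replace(" ", "")
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN")
    return digits


def random_token(pan: str) -> str:
    # Arbitrary alphanumeric surrogate; carries no information about the PAN.
    return "".join(secrets.choice(ALPHANUMERIC) for _ in range(22))


def numeric_token(pan: str) -> str:
    # Digits only, same length as the PAN, for fields that accept numbers only.
    return "".join(secrets.choice(string.digits) for _ in range(len(pan)))


def format_preserving_token(pan: str) -> str:
    # Keeps the first six (BIN) and last four digits, which downstream systems
    # commonly need for routing and receipts, and replaces the middle with random
    # characters of the same length. The first middle character is always a
    # letter (assumption of this example) so the token cannot pass as a real PAN.
    middle = secrets.choice(string.ascii_letters) + "".join(
        secrets.choice(ALPHANUMERIC) for _ in range(len(pan) - 11)
    )
    return pan[:6] + middle + pan[-4:]


TOKEN_FORMATS: Dict[str, Callable[[str], str]] = {
    "random": random_token,
    "numeric": numeric_token,
    "format_preserving": format_preserving_token,
}


class TokenVault:
    """In-memory tokenization service. The mapping lives only here: a token is
    meaningless to anyone who cannot call detokenize() on this vault, and the
    vault (plus anything connected to it) is the part that stays in PCI DSS scope."""

    def __init__(self, token_format: str = "random") -> None:
        self._generate = TOKEN_FORMATS[token_format]
        self._pan_by_token: Dict[str, str] = {}
        self._token_by_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        pan = normalise_pan(pan)
        if pan in self._token_by_pan:          # same PAN always maps to the same token
            return self._token_by_pan[pan]
        while True:                            # regenerate on the (rare) collision
            token = self._generate(pan)
            if token != pan and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Redeem a token for its PAN; unknown tokens are rejected rather than guessed."""
        try:
            return self._pan_by_token[token]
        except KeyError:
            raise KeyError("unknown token") from None


if __name__ == "__main__":
    for name in TOKEN_FORMATS:
        vault = TokenVault(name)
        token = vault.tokenize("5994 0059 0172 3383")
        print(f"{name:18} {token}  ->  {vault.detokenize(token)}")
```

The point the slide makes, “tokens do not need to be reversible”, shows up in the code as the absence of any function that derives a PAN from a token: the only route back is the vault’s lookup table, so a token leaked from a merchant system without the vault is just a string.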

Tokenization Guidance

Guidance

Built on community feedback
• Tokenization Special Interest Group made up of 60 industry experts

Addresses common forms of tokenization
• Not all forms are equal

Identifies Common Risks
• Focus placed on tokenization methodology and systems performing tokenization and de-tokenization

Tokenization Guidance

Scoping Considerations

Any system performing tokenization or de-tokenization process
• Cardholder Data Environment

Any system connected to aforementioned system
• Segmentation

“High Value Tokens” – Any token that can be used to initiate a transaction in lieu of PAN.
Likely to be in scope!

Point to Point Encryption



Point to Point Encryption

Breaking News!
New Point to Point Encryption program released this week by PCI SSC at North American PCI Community Meeting

• First Phase Validation Requirements Released – “P2PE Hardware/Hardware”

• Additional resources in 2011 with full validation program coming in early 2012

Point to Point Encryption

What is P2PE?

Point to Point Encryption

Overview

First payment industry P2PE standard
• Developed with the Encryption Task Force
• Based on industry accepted encryption standards

Optional Standard for Scope Reduction
• Above and Beyond DSS

Incorporates all PCI standards
• PTS for the Point of Interaction (POI) devices
• PA DSS for applications within POI
• PCI PIN for cryptographic key management
• PCI DSS for P2PE Solution Provider environment
Point to Point Encryption

Overview

Properly validated P2PE solutions help merchants reduce
• Risk of data compromise
• Scope of their Cardholder Data Environment
• Scope of their PCI DSS assessment

Multiple parties involved in overall solution
• P2PE Service Provider holds primary solution responsibility

Merchant retains reduced level of DSS requirements
• Some requirements will still apply
• Merchant’s implementation must be validated

Point to Point Encryption

Merchant Requirements
• Merchant utilizes SSC listed P2PE solution implemented
per Solution Provider instructions
• Merchant has no access to account data within
encryption device (POI) or decryption environment (at
Solution Provider)
• Merchant has no involvement in encryption or decryption
operations, or cryptographic key management
• All cryptographic operations managed by Solution
Provider
• Additional payment channels are segregated

Point to Point Encryption

Solution Provider Requirements

• Provide compliant and validated solution, assessed by P2PE QSA

• Operate solution within a PCI DSS compliant environment

• Provide merchants with P2PE Instruction Manual (PIM)

Point to Point Encryption

Requirement Structure
Six Domains

1. Encryption Device
2. Application Security
3. Encryption Environment
4. N/A for this phase
5. Decryption Environment
6. Cryptographic Key Operations

Point to Point Encryption

P2PE Roadmap

Initial Release - Validation Requirements – September, 2011

Final release - Validation Requirements with detailed testing procedures – Q4, 2011

P2PE QSA and P2PE PA-QSA Qualification Process
• Qualification begins 4th quarter 2011
• Assessor Training begins 1st quarter 2012

P2PE solution listings
• Begins 2nd quarter 2012
Point to Point Encryption

Next Steps

Requirements for hardware-based encryption and decryption, but where software manages transaction-level decryption keys

The Council will work with key industry bodies to evaluate feasibility of requirements for software-only based solutions that encrypt CHD at point of merchant acceptance and/or decrypt CHD at a host system

Questions?

Pam DeMars, Senior Business Leader, MasterCard Worldwide
Robert Di Michiel, Chief Audit Executive, ConCardis GmbH

An Acquirer’s View to ADC Events

Day by Day, Step by Step



Agenda

Act Now

Have a Plan

Lessons Learned

Act Now - Acquirers

• Listen Daily for Warning Signs
– The “grapevine”, chatrooms, forums, issuer e-mail/telcos, news
– Take information seriously even if un-validated and perhaps false
(Sources shown on the slide: Issuer At-Risk Fraud Program, News, Forums)

• Enroll in MasterCard Alerts – Merchant At-Risk Notification Program
– Visit MasterCard Alerts News for recent trends and criminal behavior

Act Now - MasterCard

• Continuous Leads and Analysis

• Multiple sources
(Sources shown on the slide: Issuers, Law Enforcement, Analysis, Self Reported, Media)

• Law of Large Numbers
– Accounts are analyzed for subsequent fraud based on commonalities
– Fraud statistics are prepared

1085 CPP’s Reported YTD

[Chart: CPPs reported to MasterCard per month, January through August, split into Acquirer Reported and Issuer Reported; monthly counts range from 11 to 119 and the individual bar values cannot be reliably reconstructed from the slide text.]

Issuers May have Identified a CPP

Early detection and reporting

• Issuers with good fraud detection systems are “on-top”

• Issuers invest in real time state-of-the-art systems!

• Attend MasterCard Fraud Management Training!

• Why ? Expert System & Fraud Team is a definite ROI!

• Jointly we can and must “detect”, “stop” and “protect”

Have a Plan



MasterCard’s Role

• Prevent, detect, and remediate compromise events
• Protect the integrity of the system
• Enforce existing data security rules
• Communicate with Members
• Assess fraud risk from new technologies
• Work with Law Enforcement and regulators

Have a Plan

• Invoke Emergency Plan Immediately

• When the “twitter” begins, it is a matter of days before you get a call from MasterCard! “Do not” wait for this call but act now!
• Immediate “same day” action is essential. Lay the groundwork “step-by-step”. Time is of the essence.
• Every day means GREATER RISK. More is at stake with each further day – more data stolen, more fraud, more problems
• It will most likely not go away!

Have a Plan

Have an Emergency Plan in Place

Your ADC Team

• CEO
• General Manager
• ADC “dedicated” staff
• Sales
• PCI Forensic Investigator
• Merchant
• Internal Auditor
• Lawyer

Day by Day and Step by Step

Day 1 – The initial Steps…

• Call the Merchant (Or the Merchant called you?)
– Break/understand the news and get prepared!
– Schedule a 2nd follow-up call in the afternoon
• Notify MasterCard & other Brands
– Utilize the ADC reporting form in MasterCard Alerts
• Follow-up Call with the Merchant
– Review the 12 PCI Requirements & Status
– Assess Risk and whether there is an immediate need to go “Off-Line”
– The PCI Forensic Investigator (PFI) / PCI Status Questionnaire
Day by Day and Step by Step

Day 1 – The initial Steps… the 2nd call

• You’ve got the merchant CEO, GM, CIO on the phone

• Discuss in detail the situation as known

• Discuss PFI/PCI Checklist / Questionnaire & Details

• “Prepare your merchant”

• Agree on joint calls with PFI and merchant

• Schedule the next call… the next day…


MasterCard’s Procedures

What to do if Compromised?
• MasterCard Security Rules and Procedures manual
section 10.2 and ADC User Guide
– ADC Event Management
– Time Sensitive Procedures
– Forensic Investigation Requirements
• Prompt Reporting of an ADC Event will help:
– Protect Cardholders and Minimize Risk to Payment
System
– Stop Use of Compromised Card Data and Prevent Fraud

Day by Day and Step by Step

Day 1
Acquirer 1st Analysis & Action Plan (after 2nd call)

• What could be the worst case scenario? Get prepared!

• Obtain Transaction Data for MasterCard Upload – within 24h
− Request for “all” locations and at least 12 months
− Include card acceptance type E-Com, EMV, PMS or POS

• Brief your ADC Team, plan and agree on the next steps

• Call the PFIs with whom you have established contacts

Day by Day and Step by Step

Day One
The PCI Forensic Investigator (PFI)

• Determine “immediate” availability, resources & cost

• Discuss available information (the checklist)

• Ask PFI to be on “Standby” for a phone call same/next day

• Do you have PFI sample contracts & conditions?

Day by Day and Step by Step

Day Two
Acquirer First Analysis and Action Plan

• What new information is available from all sources?

• Has your merchant returned the PFI/PCI questionnaire?

• Format and upload TRX data – one year (why? ...)

• Do not limit TRX data (dates, TIDs) based on speculation!

• The ADC Team makes decisions to limit and stop risk!
(E-Com, PMS, POS, Local or Multi-Location Network etc.)

• The ADC Team makes decision to require PFI Investigation

Day by Day and Step by Step

Day Two and Next Days…

Acquirer, Merchant, PFI Communication
• Inform merchant of current situation & decisions

• Advise further process of PFI Investigation

• Advise merchant “offline” necessities with your solutions

• Costs: PFI, POS terminals, further merchant demands

• Risks: Penalty+Liability, merchant damages & bankruptcy

• You and MasterCard can work with the merchant

MasterCard’s Procedures

MasterCard Notification to Affected Issuers

• MasterCard obtains:
– Details of the suspected compromise
– List of potentially compromised account numbers
• E-mail communication directs affected issuers to access MasterCard Alerts
• Account Data Compromise Notification
– Compromised Account Numbers
– Case summary on compromise event

Day by Day and Step by Step

Day Two and Next Days…

Acquirer, Merchant, PFI Communication
• Request merchant confirmation of:
– Offline status with date (advice of TID deactivation)
– Card readers have been rendered unusable (taped shut)
• Verify what the merchant has told you

Day by Day and Step by Step

PFI Contracted and Investigation

• For E-Com ask PFI to do a PFI Security Scan first
– Is the URL/site “secure” with a PCI-DSS compliant PSP? If this is determined, the merchant can remain / go online
• PFIs have their standard procedures (company/PCI-SSC)

• Ask PFI for initial security & risk assessment “asap”

• Regular joint telcos PFI & MasterCard – Keep us informed!

• The “good” and the “bad” news!

Conventional Methods

IT Investigation Objectives:

• Mobilize quickly to identify source
• Containment – limiting continued exposure
• Determine full extent of informational losses
• Furnish at-risk accounts to brands
• Set the stage for arrest and prosecution

Process (from the slide diagram): PFI contacted → Contracts & scheduling → Onsite evidence collection → Offsite forensics analysis → Final reporting

MasterCard’s Procedures

Final Evaluation
Completion of Investigations
– Evaluate totality of circumstances with respect to the
compromise
– Analyze findings of reports, audits, and forensic analysis
– Determine extent MasterCard rules have been violated
Operational Reimbursement and Fraud Recovery
– Determine acquirer responsibility for compromise
– Exercise appropriate initiatives under MasterCard rules

Operational Reimbursement

• Rate per Card Type

Tier  Total Number of Accounts   MagStripe  Chip      PayPass*  Combo**
1     2,000,000 or more          USD 1.60   USD 2.38  USD 2.20  USD 2.68
2     400,000 to 1,999,999       USD 1.85   USD 2.63  USD 2.45  USD 2.93
3     Less than 400,000          USD 2.15   USD 2.93  USD 2.75  USD 3.23

• Card Type Determination
• Standard Deductible
• Merchant Cap
• MasterCard Administrative Fee
• Reports

Fraud Recovery

• Timeframe
• Disqualification of Accounts published
in previous MasterCard Alerts
• Incremental Fraud Calculation
• Deduction for Chargebacks
• Acquirer Cap
• MasterCard Fee
• Reports

Lessons Learned



Potential Problems

• Merchant not cooperating with investigation

• Merchant not truthful

• Unknown security vulnerabilities

• Merchant leaves without paying the bill

• PFI

• OR/FR

Consequences of Poor ADC Management

• Additional and “avoidable” financial liability to your bank

• Internal/External Audit of Case Mgt. & Consequences
(Personal liability for gross negligence may be possible)
• Your internal Auditors? What is their role and can they help?
– Have your auditors audit internal procedures
– Have your auditors always in consultancy & guidance
– Auditors are “worst case” but realistic & logical thinkers
– PFI & your Auditor have “professional” standards
– Be sure to have complete documentation of everything

Detect / Reduce ADC Risk Exposure

• As a service, MasterCard provides estimate of OR/FR

• Join and offer Merchants MasterCard and PFI “Webinars“

• Keep “up-to-date“ on current events – Maintain PFI contact

• Offer “data and leakage“ discovery toolkits & trials!
- Systems are or become PCI-DSS out-of-compliance
- Card data no longer in secure environment (high risk!)
- Non-compliant entities (bank, processor, PSP, merchant)
- Risk of data leakage and theft (internal & external)
- See the vendor booths and visit the PFIs and QSAs!

The Cost of Not Re-acting

[Chart: Counterfeit Fraud, cumulative fraud loss ($0 to $300,000) over periods 1 to 16. Annotations: “Merchant identified as at-risk – $109k fraud loss, 1,700 accounts”; “MasterCard Notified of a Potential ADC – $520k fraud loss, 16,750 accounts”; “Total Financial Liability $232,000!”]

Conclusion

• All entities involved in the bank card value chain are accountable for security
• Know your merchants and the agents they employ
to facilitate transaction processing
• Understand what every entity in the value chain is
doing with data and security measures in place
• Assess risks in your environment periodically and
implement solutions and controls
• Comply with Data Security rules and be aware of
risks of noncompliance

Questions?
