- Introduction
- About the Dataset
- Investigation Statistics
- Anatomy of a Data Breach
- Strategic Initiatives
- Conclusions
Academy of Risk Management | Innovate. Collaborate. Educate. ©2011 MasterCard. Proprietary
Trustwave
• Solutions
– Risk Management, Mitigation and Data Protection
• Worldwide Presence
• Financially Strong
• Experienced and Innovative
• Recognised for Excellence
• Incident Response
• Application Pentesting
• Security
• Issued annually
• Sensitive data
– M&A activity
– Board minutes
– Intelligence
– Proprietary data
– Trade secrets
• Regulatory detection down from 80%
• Self detection up from 9%
• A positive trend
• Ecommerce compromises
– Geographically agnostic
• ATM compromises
– Advanced malware
– USB deployed
– USB collected
– Physical access
• Employee workstations
– Foothold into environment
– End point security
– Segregation of internal networks
• Third party implementation & maintenance agreement?
• Build non-functional security requirements in
1. Remote access applications
2. Social Engineering
3. Email Trojans
4. SQL Injection
2010: Network
1. Weak or Blank Administrator Passwords
2. Database Servers Accessible
3. ARP Cache Poisoning
4. Clear Text Transmission of data “on the wire”
2010: Application
1. SQL Injection
2. Logic Flaws
3. Authorization Bypass
– Not just about the low hanging fruit
• Resilient to attack
EMV Requirements
Europe – 95%
Other Regions – 75%
EMV Risks
“Information Supplement: PCI DSS Tokenization Guidelines”
Tokenization
Q: What is Tokenization?
Q: What is De-tokenization?
Random
PAN: 3124 005917 23387
Token: 7aF1Zx118523mw4cwl5x2
Numeric
PAN: 4959 0059 0172 3389
Token: 729129118523184663129
Format Preserving
PAN: 5994 0059 0172 3383
Token: 599400x18523mw4cw3383
Tokenization Guidance
Built on community feedback
• Tokenization Special Interest Group made up of 60 industry experts
Scoping Considerations
Any system performing the tokenization or de-tokenization process
• Cardholder Data Environment
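The three token styles shown above (random, numeric, format preserving) and the de-tokenization lookup, as an added illustration in Python; this is not PCI SSC, MasterCard or Trustwave code. It assumes a vault that maps tokens back to PANs, keeps the first 6 and last 4 digits for the format-preserving style, and (an assumption, not stated on the slide) makes that style the same length as the PAN and never all-numeric so it cannot be mistaken for a card number. The PANs are constructed sample values.

```python
import secrets
import string

ALNUM = string.ascii_letters + string.digits


class TokenVault:
    """Minimal token vault: the PAN is stored only here, everything else sees a token."""

    def __init__(self):
        self._token_to_pan = {}
        self._pan_to_token = {}

    def tokenize(self, pan: str, style: str = "format_preserving") -> str:
        digits = pan.replace(" ", "")
        if not digits.isdigit() or not 13 <= len(digits) <= 19:
            raise ValueError("PAN must be 13-19 digits")
        if digits in self._pan_to_token:            # same PAN always yields the same token
            return self._pan_to_token[digits]
        while True:                                 # loop again on the rare collision
            if style == "random":                   # letters and digits, fixed length 21
                token = "".join(secrets.choice(ALNUM) for _ in range(21))
            elif style == "numeric":                # digits only, fixed length 21
                token = "".join(secrets.choice(string.digits) for _ in range(21))
            elif style == "format_preserving":
                # keep BIN (first 6) and last 4; middle is random and same length as PAN
                middle = "".join(secrets.choice(ALNUM) for _ in range(len(digits) - 10))
                if middle.isdigit():                # assumption: at least one letter so
                    continue                        # the token can never pass as a PAN
                token = digits[:6] + middle + digits[-4:]
            else:
                raise ValueError(f"unknown token style: {style}")
            if token not in self._token_to_pan:
                break
        self._token_to_pan[token] = digits
        self._pan_to_token[digits] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (inside the CDE) can turn a token back into the PAN."""
        return self._token_to_pan[token]


if __name__ == "__main__":
    vault = TokenVault()
    # constructed sample PAN, not a real card number
    tok = vault.tokenize("5994 0059 0172 3383")
    print(tok, "->", vault.detokenize(tok))
```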
Breaking News!
New Point to Point Encryption program released this week by PCI SSC at North American PCI Community Meeting
P2P Encryption
What is P2PE?
Overview
First payment industry P2PE standard
• Developed with the Encryption Task Force
• Based on industry accepted encryption standards
Properly validated P2PE solutions help merchants reduce:
• The risk of data compromise
• The scope of their Cardholder Data Environment
• The scope of their PCI DSS assessment
Merchant Requirements
• Merchant utilizes SSC listed P2PE solution implemented per Solution Provider instructions
• Merchant has no access to account data within encryption device (POI) or decryption environment (at Solution Provider)
• Merchant has no involvement in encryption or decryption operations, or cryptographic key management
• All cryptographic operations managed by Solution Provider
• Additional payment channels are segregated
Requirement Structure
Six Domains
1. Encryption Device
2. Application Security
3. Encryption Environment
4. N/A for this phase
5. Decryption Environment
6. Cryptographic Key Operations
P2PE Roadmap
Initial Release – Validation Requirements – September, 2011
Next Steps
Requirements for hardware-based encryption and decryption, but where software manages transaction-level decryption keys
Act Now
Have a Plan
Lessons Learned
[Chart: number of ADC events by detection source. Series labels: Issuer Fraud Program, At-Risk Issuers Analysis, News Forums / Media, Law Enforcement, Self Reported.]
• CEO
• General Manager
• ADC “dedicated” staff
• Sales
• PCI Forensic Investigator
• Merchant
• Internal Auditor
• Lawyer
What to do if Compromised?
• MasterCard Security Rules and Procedures manual section 10.2 and ADC User Guide
– ADC Event Management
– Time Sensitive Procedures
– Forensic Investigation Requirements
• Prompt Reporting of an ADC Event will help:
– Protect Cardholders and Minimize Risk to Payment System
– Stop Use of Compromised Card Data and Prevent Fraud
Day 1
Acquirer 1st Analysis & Action Plan (after 2nd call)
• What could be the worst case scenario? Get prepared!
• Brief your ADC Team, plan and agree on the next steps
Day One
The PCI Forensic Investigator (PFI)
Day Two
Acquirer First Analysis and Action Plan
IT Investigation Objectives:
PFI contacted → Contracts & scheduling → Onsite evidence collection → Offsite forensics analysis → Final reporting
Final Evaluation
Completion of Investigations
– Evaluate totality of circumstances with respect to the compromise
– Analyze findings of reports, audits, and forensic analysis
– Determine extent MasterCard rules have been violated
Operational Reimbursement and Fraud Recovery
– Determine acquirer responsibility for compromise
– Exercise appropriate initiatives under MasterCard rules
• Timeframe
• Disqualification of Accounts published in previous MasterCard Alerts
• Incremental Fraud Calculation
• Deduction for Chargebacks
• Acquirer Cap
• MasterCard Fee
• Reports
PFI
OR/FR
[Chart: Counterfeit Fraud in dollars ($0–$300,000) over periods 1–16. Annotations: Merchant identified as at-risk – $109k fraud loss, 1,700 accounts; MasterCard Notified of a Potential ADC – $520k fraud loss, 16,750 accounts; Total Financial Liability $232,000!]