Identifying Security Iss es in the Retail Issues in the Retail - - PowerPoint PPT Presentation

identifying security iss es in the retail issues in the
SMART_READER_LITE
LIVE PREVIEW

Identifying Security Iss es in the Retail Issues in the Retail - - PowerPoint PPT Presentation

Jan 29, 2024 440 likes •550 views

Identifying Security Iss es in the Retail Issues in the Retail Payment System Federal Reserve Bank Chicago Chicago Ellen Richey Chief Enterprise Risk Officer Visa Inc. J June 5, 2008 5 2008 Visa Public Agenda 1. The Data Security

slide-1
SLIDE 1

Identifying Security Iss es in the Retail Issues in the Retail Payment System Federal Reserve Bank Chicago Chicago

Ellen Richey Chief Enterprise Risk Officer Visa Inc. J 5 2008 June 5, 2008

Visa Public

slide-2
SLIDE 2

Agenda

  • 1. The Data Security Landscape
  • 2. Recent Trends

3 Visa’s Strategy

  • 3. Visa s Strategy
  • 4. Working with the Public Sector

Chicago Federal Reserve Visa Public

slide-3
SLIDE 3

Complex Payment Landscape

Direct Mail POS Aggregator/ Direct Marketers >1,000 Loyalty Vendors <100 Chargeback Vendors <100 Call Center Vendors >1,000 Other Vendors 1,000’s Archiving Vendors >100 Fulfillment Vendors 100’s Mail/ Couriers >100 Telecom POS Risk Reporting Vendors <50 Direct Marketers >1,000 D t E t Direct Mail Marketers >100 Data Entry Vendors >100 POS Hardware Vendors <50 Aggregator/ Master Merchants 100’s Telecom Infrastructure Vendors 100’s POS Software Vendors ~ 1000 Gateway Provider >1,000 Risk Scoring Vendors <100 Other Other Bill Data Entry >100 Reporting Vendors <50 Collections Vendors Call Center Vendors >1,000 Financial Relationships 1,000’s Other Networks <50 Payment 1,000’s Chargeback Vendors Call Center Vendors <50 Loyalty 1,000’s ISO >1,000 Issuer Processors <25 Card Embossers <50 Statement Vendors

Merchant >5 million Visa Cards >400 million

<25 Loyalty Vendors <100 Vendors <50 Loyalty Vendors <100 Archiving Vendors >100 Visa Vendors 100’s Acquirer P Other Vendors Archiving Vendors >100 Gateway Providers Fraud Monitoring Vendors 100 s Processor <50 Mail / Couriers >100 Other Vendors Fraud Monitoring V d

Acquirer 250+ Issuer 13,000+

Chicago Federal Reserve Visa Public

Vendors <100 <50 <50 <100 Vendors <50

Visa Inc. and Visa Europe

Numbers illustrative, US Market only

slide-4
SLIDE 4

Sophisticated and Organized Criminals

Estimated market value of compromised accounts* Recon / Hacker accounts

Account number and CVV2 Classic track data Gold/Plat/Corp track data

Data Cleanser / Aggregator

No Plastic

$1

No Plastic

$15

No Plastic

$30 Seller Cracker $1 $15 $30

Semi-finished blank plastic Complete counterfeit Gold plastic Track data and PIN

Seller Cracker

White-Plastic

$80 $100

Finished Finished

$250 $1 000** Customer / Reseller

*Source: The United States Secret Service **Typically track data and PIN not for sale; profit share

$80 - $100 $250 $1,000**

Chicago Federal Reserve Visa Public

**Typically track data and PIN not for sale; profit share arrangement amongst criminals; estimated criminal profit per card

slide-5
SLIDE 5

Cardholder Concerns About Card Use

Security and protection of personal information now tops consumer concerns…Despite concerns, Visa cardholders recognize they are protected from fraud protected from fraud

43% That your card may be used to make a That you may become a victim of identity theft 14% 15% 16% That your personal information may be stored by the merchant You may be accumulating too much debt That your card may be used to make a fraudulent transaction 2% 3% The store doesn’t accept your card brand You might be charged a transaction fee by the merchant 3% 3% 1% Don’t Know/Refused None of these Your card may be declined

Chicago Federal Reserve Visa Public

Source: Security and Fraud: National Survey of Cardholders, Fabrizio, McLaughlin & Assoc., Dec 2007

3%

0% 10% 20% 30% 40% 50%

Don t Know/Refused

slide-6
SLIDE 6

Recent Trends

  • The number of compromise incidents in the U.S. is rising

p g

– Trend suggests Level 4 merchants targeted L l 1 h t i b idi – Level 1 merchant compromises subsiding

  • Incidents outside the U.S. are also increasing
  • But global fraud rates have remained stable since 2002

Visa and system participants have been more effective at combating fraud – Visa and system participants have been more effective at combating fraud – Mix of fraud is changing

L t d St l i th d li

  • Lost and Stolen is on the decline
  • Counterfeit and Card-Not-Present are now category leaders

Chicago Federal Reserve Visa Public

slide-7
SLIDE 7

Visa’s strategy gy

Maintain Trust in Visa Payments Maintain Trust in Visa Payments

PROTECT Prevent Thieves from Using Stolen Data PREVENT Keep Data Out of Using Stolen Data p Criminal Hands RESPOND Monitor and Manage Incidents to Reduce Impact

Presentation Identifier.7 Information Classification as Needed

Chicago Federal Reserve Visa Public

Partner with Clients & Stakeholders

slide-8
SLIDE 8

Top System Vulnerabilities

Vulnerability Remediation Efforts

Storing prohibited data (Track, CVV2, PIN)

PCI DSS; PCI PA-DSS, PCI PED, PIN Security Requirements Delete stored data; prevent future storage; replace vulnerable software

(Track, CVV2, PIN)

vulnerable software

Out of date security / systems patches

PCI DSS, PCI PA-DSS Establish policies, procedures and processes for maintaining and updating systems that handle sensitive

patches

maintaining and updating systems that handle sensitive data

Inadequate perimeter

PCI DSS Execute disciplined firewall policy management and network

security

Execute disciplined firewall policy management and network security; conduct routine penetration tests of all systems

Weak wireless it

PCI DSS Utili t ti t t t i l i t

security

Utilize strong encryption to protect wireless environments

SQL injection attacks

PCI DSS Conduct regular testing of susceptibility to SQL injection

Chicago Federal Reserve Visa Public 8

attacks

utilizing automated tools or manual techniques

slide-9
SLIDE 9

Working with the Public Sector

  • Public Officials:

Public Officials:

– Consistent public policy to effectively and efficiently secure the payment system – Data security legislation with reasonable security requirements, risk- based notifications, and national uniform standards – Global law enforcement initiatives to prosecute criminal p

  • rganizations
  • Visa:

– Education and training for public agencies, regulators, and law enforcement enforcement – Investigative support for law enforcement and other stakeholders

Chicago Federal Reserve Visa Public

slide-10
SLIDE 10

Final Thoughts on Security

Protecting the payment system is a shared Protecting the payment system is a shared responsibility for all payment system participants E h i t t l t l Everyone has an important role to play:

  • Processors
  • Third Party Agents
  • Issuers
  • Acquirers
  • Public / Government Officials
  • Merchants
  • Law Enforcement
  • Cardholders

Chicago Federal Reserve Visa Public