Louann Glunt, Law and Franchise Integrity Jonathan Uzzo, Law and Franchise Integrity April 21, 2015 Level 4 Merchant Vulnerabilities ©2015 MasterCard. Proprietary Information Disclaimer MasterCard believes the information shared during this presentation is accurate as of the date of the presentation. MasterCard cannot and does not, however, represent or warrant that the information is either complete or accurate. Please be advised, therefore, that MasterCard disclaims any responsibility for and you assume all risk associated with your reliance on or use of the information shared with you during the presentation. ©2015 MasterCard. Proprietary Information April 21, 2015 Agenda Items Introductions/Objectives Account Data Compromise (ADC) Event Trends Timeline of Public High-Profile Events ADC Event or Potential ADC Event Obligations Incident Response Safeguard your POS Systems Payment Security and Fraud Management Resources Q&A ©2015 MasterCard. Proprietary Information April 21, 2015 Introduction/Objectives Educate stakeholders on exploits and vulnerabilities that led to payment card data theft Provide best practices and actionable intelligence to mitigate a data breach Educate stakeholders on MasterCard’s requirements in the event of a data breach ©2015 MasterCard. Proprietary Information April 21, 2015 ADC Event Trends Global 2011-2014 Source: Based on ADC Events with Published At-Risk Account Alerts ©2015 MasterCard. Proprietary Information April 21, 2015 ADC Event Trends Global: 2010 – 2014 Number of Potential At-Risk Accounts Published 2010 2011 2012 2013 Number of ADC Events Globally 2014 2010 2011 2012 2013 2014 Source: Based on ADC Events with Published At-Risk Account Alerts ©2015 MasterCard. Proprietary Information April 21, 2015 ADC Event Trends Global 2013-2014 Accounts put at-risk by category Law Enforcement Recovery 4.71% Other 15.53% System Breach 78.15% 2013 2014 At-risk accounts during system breaches are significantly higher than other categories ©2015 MasterCard. Proprietary Information April 21, 2015 Organizations Targeted 2013 2014 Restaurant Cases 2% 12% 4% Fast Food Restaurant Cases 16% 17% 13% Hotel Cases 3% 5% 10% e-commerce merchants 10% 7% Grocery Stores and Supermarkets 8% 30% 41% 17% 5% Brick & Mortar Retailers Service Provider Other Merchant Types Source Data: MasterCard investigated Account Data Compromises resulting in forensic investigations with conclusive evidence of a security breach ©2015 MasterCard. Proprietary Information April 21, 2015 Primary Attack Vector for Brick & Mortar Merchants Based on MasterCard Forensic Examinations of Hacked Entities 2013 2014 3% 9% 4% 18% 8% Insecure Firewalls 23% Insecure Remote Access Weak Passwords E-mail phishing 70% 65% Source Data: MasterCard investigated Account Data Compromises resulting in forensic investigations with conclusive evidence of a security breach ©2015 MasterCard. Proprietary Information April 21, 2015 Timeline of Public High-Profile Events December 2013 – October 2014 Dec 2013 Jan 2014 Mar 2014 Jul 2014 Aug 2014 Sept 2014 Oct 2014 Target Neiman Marcus Sally Beauty Goodwill SuperValu Home Depot Dairy Queen Michael’s Taxis PF Chang’s Kmart CA DMV UPS Staples Timeline Based on Public Disclosure and/or Media Coverage ©2015 MasterCard. Proprietary Information April 21, 2015 What is a Security Incident? Defined as a Security Event per the PCI DSS, it is an occurrence considered by an organization to have potential security implications to a system or its environment. ©2015 MasterCard. Proprietary Information April 21, 2015 What is a Security Incident? Security Incident Examples* Unintentional and/or Malicious Access Individual Error Password Sharing Email Forgery Unauthorized Use of Resources Data Compromise System Compromise *Examples for illustrative purposes only. Specific examples would be dependent on an entity’s specific policies (such as an Information Security Policy per Requirement 12.1) and any applicable laws ©2015 MasterCard. Proprietary Information April 21, 2015 Security Incidents & Account Data Compromise (ADC) The Difference 1 Security incidents are broader in scope 2 Per 10.2 of the MasterCard Security Rules & Procedures Manual (July 31, 2014), an Account Data Compromise Event or ADC Event is defined as: 3 ADC events require specific actions to be taken per the MasterCard Security Rules & Procedures Manual •A security incident may or may not be an ADC event •Any occurrence that results, directly or indirectly, in the unauthorized access to or disclosure of MasterCard account data •Rules will apply if there is an ADC or potential ADC event •Only MasterCard, following an investigation, will determine whether an occurrence is an ADC event ©2015 MasterCard. Proprietary Information April 21, 2015 Incident Response Plan Lifecycle Source: NIST SP800-61R2 Computer Security Incident Handing Guide August 2012 ©2015 MasterCard. Proprietary Information April 21, 2015 Safeguard Your POS Systems • Implement multiple layers of protection • Comply with PCI DSS – Annual Self-Assessment – Quarterly Network Scan by an ASV Protect Network Perimeter Harden POS and Authentication Systems Protect Administrative Users and Applications Require 3rd-party vendors to secure remote access Implement P2PE and EMV enabled terminals ©2015 MasterCard. Proprietary Information April 21, 2015 ADC Event or Potential ADC Event Obligations If you become aware of an ADC or potential ADC event: Evidence must be preserved throughout the process Immediately notify acquirer and MasterCard Within 24 hours investigate and contain incident Within 24 hours submit At –Risk Account Numbers Within 72 hours engage a PFI (as deemed necessary by MasterCard) Within 20 days from commencement of the forensic investigation, provide PFI Report to MasterCard Comply with PCI DSS Responsible Customer must ensure full cooperation with MasterCard’s Investigation ©2015 MasterCard. Proprietary Information April 21, 2015 Advancing Fraud Management For More Secure Payments Payment Security and Fraud Management Site Data Protection and PCI DSS Expert Monitoring Solutions Global Risk Leadership Expert Resources ©2015 MasterCard. Proprietary Information April 21, 2015 Layered Approach Builds on Existing Security Infrastructure Channel Network Upgrades Network Defense and Fraud/ Risk Management Cardholder Benefits Network Defense Tools POS EMV Limit Fraud Exposure Catastrophic Fraud Protection Chip PIN Fraud Management Tools Cryptography Fraud Scoring Tools Ecommerce Authentication Services Mobile Zero Liability Added Acceptance Intelligence MDES & MasterPass In App Consumer and SMB Protection ID Theft Resolution Merchant Fraud Protection Tokenization EMV Cryptography Card on File CVC3 Meet Strategic Objectives Performance Measures and Targets Safeguard Card Credentials Positive Consumer Experience Risk Management Tools Authorization Risk Policy Cardholder Confidence Issuer Spend Policy Fraud Management Tools: Network Defense Tools: Catastrophic Fraud Protection – SafetyNet Fraud Scoring Tools – EMS/FRM Fraud Management Tools: Authentication Services – MasterPass, SecureCode Authorization Risk Policy – MasterCard Advisors Added Intelligence – Auth IQ, Assurance Exchange Issuer Spend Policy - MasterCard Advisors Merchant Fraud Protection – EMS for Merchants ©2015 MasterCard. Proprietary Information More Information and Additional Resources • The MasterCard Site Data Protection website: – www.mastercard.com/sdp – SDP Program information – Level definitions and compliance requirements – sdp@mastercard.com with questions • MasterCard Security Rules and Procedures Manual http://www.mastercard.com/us/merchant/pdf/SPME-Entire_Manual_public.pdf • MasterCard Security and Fraud Management website: – http://www.mastercard.com/us/company/en/whatwedo/security_fraud_management .html?cmp=ilc-mc.us.index.thumbnail.CARDSECURITY • National Institutes of Standards & Technology (NIST) Publication SP800-61R2: – http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf • PCI Security Standards Council: – www.pcisecuritystandards.org • Global Risk Leadership – www.mastercard.com/globalrisk ©2015 MasterCard. Proprietary Information April 21, 2015 Q&A Thank you! ©2015 MasterCard. Proprietary Information
© Copyright 2024