Level 4 Merchant Vulnerabilities
MasterCard Global Risk Leadership
Louann Glunt, Law and Franchise Integrity
Jonathan Uzzo, Law and Franchise Integrity
April 21, 2015
©2015 MasterCard. Proprietary Information
Disclaimer
MasterCard believes the information shared during this presentation is accurate as of the date of the presentation. MasterCard cannot and does not, however, represent or warrant that the information is either complete or accurate. Please be advised, therefore, that MasterCard disclaims any responsibility for and you assume all risk associated with your reliance on or use of the information shared with you during the presentation.
Agenda Items
Introductions/Objectives
Account Data Compromise (ADC) Event Trends
Timeline of Public High-Profile Events
ADC Event or Potential ADC Event Obligations
Incident Response
Safeguard your POS Systems
Payment Security and Fraud Management
Resources
Q&A
Introduction/Objectives
• Educate stakeholders on exploits and vulnerabilities that led to payment card data theft
• Provide best practices and actionable intelligence to mitigate a data breach
• Educate stakeholders on MasterCard’s requirements in the event of a data breach
ADC Event Trends Global 2011-2014
(Chart: ADC event trends, 2011-2014.)
Source: Based on ADC Events with Published At-Risk Account Alerts

ADC Event Trends Global: 2010 – 2014
(Two charts by year, 2010 through 2014: Number of Potential At-Risk Accounts Published, and Number of ADC Events Globally.)
Source: Based on ADC Events with Published At-Risk Account Alerts
ADC Event Trends Global 2013-2014
Accounts put at-risk by category (2013 and 2014 shown; values as printed on the chart):
– System Breach: 78.15%
– Other: 15.53%
– Law Enforcement Recovery: 4.71%
At-risk accounts during system breaches are significantly higher than other categories
Organizations Targeted
(Chart: share of cases by organization type, 2013 vs 2014. Categories: Restaurant Cases, Fast Food Restaurant Cases, Hotel Cases, e-commerce merchants, Grocery Stores and Supermarkets, Brick & Mortar Retailers, Service Provider, Other Merchant Types. Values printed on the chart, whose pairing with categories and years was lost in extraction: 2%, 12%, 4%, 16%, 17%, 13%, 3%, 5%, 10%, 10%, 7%, 8%, 30%, 41%, 17%, 5%.)
Source Data: MasterCard investigated Account Data Compromises resulting in forensic investigations with conclusive evidence of a security breach
Primary Attack Vector for Brick & Mortar Merchants
Based on MasterCard Forensic Examinations of Hacked Entities
(Chart: primary attack vector, 2013 vs 2014. Vectors: Insecure Firewalls, Insecure Remote Access, Weak Passwords, E-mail phishing. Values printed on the chart, whose pairing with vectors and years was lost in extraction: 3%, 9%, 4%, 18%, 8%, 23%, 70%, 65%.)
Source Data: MasterCard investigated Account Data Compromises resulting in forensic investigations with conclusive evidence of a security breach
Timeline of Public High-Profile Events
December 2013 – October 2014
(Timeline graphic. Months marked: Dec 2013, Jan 2014, Mar 2014, Jul 2014, Aug 2014, Sept 2014, Oct 2014. Entities placed on the timeline: Target, Neiman Marcus, Sally Beauty, Goodwill, SuperValu, Home Depot, Dairy Queen, Michael’s, Taxis, PF Chang’s, Kmart, CA DMV, UPS, Staples.)
Timeline Based on Public Disclosure and/or Media Coverage
What is a Security Incident?
Defined as a Security Event per the PCI DSS: an occurrence considered by an organization to have potential security implications to a system or its environment.
What is a Security Incident?
Security Incident Examples*
• Unintentional and/or Malicious Access
• Individual Error
• Password Sharing
• Email Forgery
• Unauthorized Use of Resources
• Data Compromise
• System Compromise
*Examples for illustrative purposes only. Specific examples would be dependent on an entity’s specific policies (such as an Information Security Policy per Requirement 12.1) and any applicable laws
Security Incidents & Account Data Compromise (ADC)
The Difference
1. Security incidents are broader in scope
• A security incident may or may not be an ADC event
2. Per 10.2 of the MasterCard Security Rules & Procedures Manual (July 31, 2014), an Account Data Compromise Event or ADC Event is defined as:
• Any occurrence that results, directly or indirectly, in the unauthorized access to or disclosure of MasterCard account data
3. ADC events require specific actions to be taken per the MasterCard Security Rules & Procedures Manual
• Rules will apply if there is an ADC or potential ADC event
• Only MasterCard, following an investigation, will determine whether an occurrence is an ADC event
Incident Response Plan Lifecycle
(Figure: the NIST four-phase lifecycle: Preparation; Detection and Analysis; Containment, Eradication and Recovery; Post-Incident Activity.)
Source: NIST SP800-61R2 Computer Security Incident Handling Guide, August 2012
Safeguard Your POS Systems
• Implement multiple layers of protection
• Comply with PCI DSS
– Annual Self-Assessment
– Quarterly Network Scan by an ASV
• Protect the network perimeter
• Harden POS and authentication systems
• Protect administrative users and applications
• Require 3rd-party vendors to secure remote access
• Implement P2PE and EMV-enabled terminals
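The deck names insecure remote access and weak passwords as the leading vectors into brick-and-mortar merchants, and asks that vendor remote access be secured. The following is an added detection example, written for this page and not code from MasterCard or the deck. It reviews a constructed, simplified logon log modelled on Windows Security events 4624 (logon) and 4625 (failed logon) and flags three things a Level 4 merchant or its vendor should be watching for: a successful logon preceded by a burst of failures (password guessing), a remote interactive (RDP) logon from a source outside the vendor allowlist, and a vendor logon outside the agreed maintenance window. The log lines, the vendor network 203.0.113.0/24, the attacker address 198.51.100.7, the 02:00-04:59 maintenance window and the five-failures-in-ten-minutes threshold are all hypothetical values chosen for the illustration.

```python
"""Added example (not from the MasterCard deck): review remote-access
logons to a POS host for the vectors the deck names, insecure remote
access and weak passwords. The log lines, the vendor allowlist and the
maintenance window are all constructed/hypothetical values."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Hypothetical: the only network a maintenance vendor may RDP from, and the
# agreed maintenance window (local hours 02:00-04:59).
VENDOR_ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]
MAINTENANCE_HOURS = range(2, 5)
# Five failures within ten minutes followed by a success from the same
# source and account is treated as a successful password-guessing attack.
BRUTE_FORCE_THRESHOLD = 5
BRUTE_FORCE_WINDOW = timedelta(minutes=10)
REMOTE_INTERACTIVE = "10"   # Windows logon type 10 = RemoteInteractive (RDP)

# Constructed sample log: "timestamp,event_id,account,source_ip,logon_type",
# modelled on Windows Security events 4624 (logon) and 4625 (failed logon).
SAMPLE_LOG = """\
2014-09-02T03:05:11,4624,possvc,203.0.113.10,10
2014-09-02T09:15:00,4624,cashier1,10.10.5.21,2
2014-09-02T11:00:00,4624,possvc,203.0.113.10,10
2014-09-02T14:20:01,4625,administrator,198.51.100.7,10
2014-09-02T14:20:03,4625,administrator,198.51.100.7,10
2014-09-02T14:20:05,4625,administrator,198.51.100.7,10
2014-09-02T14:20:07,4625,administrator,198.51.100.7,10
2014-09-02T14:20:09,4625,administrator,198.51.100.7,10
2014-09-02T14:20:12,4624,administrator,198.51.100.7,10
"""


def parse(log_text):
    """Parse the simplified log into dicts sorted by timestamp."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, ip, logon_type = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event": event_id,
            "account": account,
            "ip": ipaddress.ip_address(ip),
            "type": logon_type,
        })
    return sorted(events, key=lambda e: e["ts"])


def is_vendor_source(ip):
    """True if the source address is inside the vendor allowlist."""
    return any(ip in net for net in VENDOR_ALLOWLIST)


def analyze(events):
    """Return (finding, account, source_ip) tuples in log order."""
    findings = []
    failures = defaultdict(list)   # (ip, account) -> failure timestamps
    for e in events:
        key = (e["ip"], e["account"])
        if e["event"] == "4625":
            failures[key].append(e["ts"])
            continue
        if e["event"] != "4624":
            continue
        # A success preceded by a burst of failures from the same source.
        recent = [t for t in failures[key] if e["ts"] - t <= BRUTE_FORCE_WINDOW]
        if len(recent) >= BRUTE_FORCE_THRESHOLD:
            findings.append(("brute_force_success", e["account"], str(e["ip"])))
        # Remote interactive logons are only expected from the vendor network,
        # and from there only inside the maintenance window.
        if e["type"] == REMOTE_INTERACTIVE:
            if not is_vendor_source(e["ip"]):
                findings.append(("remote_logon_unknown_source", e["account"], str(e["ip"])))
            elif e["ts"].hour not in MAINTENANCE_HOURS:
                findings.append(("remote_logon_outside_window", e["account"], str(e["ip"])))
    return findings


if __name__ == "__main__":
    for finding in analyze(parse(SAMPLE_LOG)):
        print(*finding)
```

Run against the sample, the first vendor logon (03:05, allowlisted source) is silent, the cashier's local console logon is ignored, the 11:00 vendor logon is flagged as outside the window, and the administrator logon from 198.51.100.7 is flagged twice: once because five failures preceded it within the window, and once because the source is not a vendor address. The same shape of check applies to any remote-access product the vendor uses, as long as its logs expose the account, source address and success/failure outcome.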
ADC Event or Potential ADC Event Obligations
If you become aware of an ADC or potential ADC event:
• Immediately notify your acquirer and MasterCard
• Within 24 hours, investigate and contain the incident
• Within 24 hours, submit at-risk account numbers
• Within 72 hours, engage a PFI (as deemed necessary by MasterCard)
• Within 20 days from commencement of the forensic investigation, provide the PFI report to MasterCard
• Comply with PCI DSS
Evidence must be preserved throughout the process.
The Responsible Customer must ensure full cooperation with MasterCard’s investigation.
Advancing Fraud Management for More Secure Payments
Payment Security and Fraud Management
• Site Data Protection and PCI DSS
• Expert Monitoring Solutions
• Global Risk Leadership Expert Resources
Layered Approach Builds on Existing Security Infrastructure
(Diagram. Columns: Channel; Network Upgrades; Network Defense and Fraud/Risk Management; Cardholder Benefits. Channels: POS, Ecommerce, Mobile, In App. Items shown in the diagram: EMV, Chip, PIN, Cryptography, MDES & MasterPass, Tokenization, EMV Cryptography, Card on File, CVC3; Network Defense Tools, Limit Fraud Exposure, Catastrophic Fraud Protection, Fraud Management Tools, Fraud Scoring Tools, Authentication Services, Added Acceptance Intelligence, Merchant Fraud Protection, Risk Management Tools, Authorization Risk Policy, Issuer Spend Policy; Zero Liability, Consumer and SMB Protection, ID Theft Resolution. Objectives shown: Meet Strategic Objectives, Performance Measures and Targets, Safeguard Card Credentials, Positive Consumer Experience, Cardholder Confidence.)
Network Defense Tools:
– Catastrophic Fraud Protection – SafetyNet
– Fraud Scoring Tools – EMS/FRM
Fraud Management Tools:
– Authentication Services – MasterPass, SecureCode
– Authorization Risk Policy – MasterCard Advisors
– Added Intelligence – Auth IQ, Assurance Exchange
– Issuer Spend Policy – MasterCard Advisors
– Merchant Fraud Protection – EMS for Merchants
More Information and Additional Resources
• The MasterCard Site Data Protection website:
– www.mastercard.com/sdp
– SDP Program information
– Level definitions and compliance requirements
– sdp@mastercard.com with questions
• MasterCard Security Rules and Procedures Manual
– http://www.mastercard.com/us/merchant/pdf/SPME-Entire_Manual_public.pdf
• MasterCard Security and Fraud Management website:
– http://www.mastercard.com/us/company/en/whatwedo/security_fraud_management.html?cmp=ilc-mc.us.index.thumbnail.CARDSECURITY
• National Institute of Standards and Technology (NIST) Publication SP800-61R2:
– http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
• PCI Security Standards Council:
– www.pcisecuritystandards.org
• Global Risk Leadership
– www.mastercard.com/globalrisk
Q&A
Thank you!