credit card cybersecurity - socal expo · 2018-04-19 · credit card cybersecurity insights to help...

4/19/2018

1

Credit Card Cybersecurity Insights to Help Safeguard your Multichannel Business

May 9, 2018

1

DisclosuresThis presentation is provided as a courtesy and is to be used for general information purposes only. Bank of America Merchant Services shall not be responsible for any inaccurate or incomplete information. The matters contained herein are subject to change. Individual circumstances may vary and procedures may be amended or supplemented as appropriate. This is not intended to be a complete listing of all applicable procedures. No information contained herein alters any existing contractual obligations between Bank of America Merchant Services and its clients. This presentation may not be copied, reproduced or distributed in any manner whatsoever without the express written consent of Bank of America Merchant Services.

Neither Bank of America nor its affiliates provide information security or information technology (IT) consulting services. This material is provided "as is", with no guarantee of completeness, accuracy, timeliness or of the results obtained from the use of this material, and without warranty of any kind, express or implied, including, but not limited to warranties of performance, quality and fitness for a particular purpose. This material should be regarded as general information on information security and IT considerations and is not intended to provide specific information security or IT advice nor is it any substitute for your own independent investigations. If you have questions regarding your particular IT system or information security concerns, please contact your IT or information security advisor. No information contained herein alters any existing contractual obligations between Bank of America and its clients

2Confidential ‐ NOT TO BE DISTRIBUTED WITHOUT THE EXPRESS WRITTEN PERMISSION OF BANK OF AMERICA MERCHANT SERVICES

4/19/2018

2

Credit Card Payments Process

Credit Card Payments Process


4/19/2018

3

Anatomy of Card Theft

How Cybercriminals Operate

Gain Entry• Thieves target internet‐exposed remote access systems • Conduct network reconnaissance using diagnostic tools • Create custom attack scripts inside the merchant’s network criminals

• Payment card data is extracted with malware• Traces of attacker activity is removed

Steal Credit Card Data

6

• Payment data is used to commit fraud• Cards carry a typical value of between $20‐$50 on markets for stolen data

Monetize Data

Confidential ‐ NOT TO BE DISTRIBUTED WITHOUT THE EXPRESS WRITTEN PERMISSION OF BANK OF AMERICA MERCHANT SERVICES

4/19/2018

4

The criminal:

1. Steals remote login credentials

2. Performs network reconnaissance

Anatomy of a Card Data Theft

3. Pivots and elevates privileges

4. Gains access to patch management or software distribution server

5. Distributes point‐of‐sale malware

6. Harvests payment card data

7. Exfiltrates payment card datap y

8. Payment card information is then sold on the DarkNet

Source: Visa Managing Network Segmentation for Payment Environments presentation, 7/22/2015, slide 12


FEAR FACTOR: Phishing, Skimming, Shimming and More

Fraud aimed at stealing information from consumers and businesses is increasing, both online and on the ground.

Phishing ‐ schemes to download personal information from

computers by disguising as a trustworthy entity in an electronic communication

Skimming ‐ use of devices which fit over legitimate credit card

readers to steal card data

Smishing ‐ use of SMS (short messaging services) technology to

phish for individuals' sensitive personal information

8


Shimming ‐ use of devices which are inserted into credit card



4/19/2018

5

Fraud Industry Trends Continue to Impact Merchants

7% of their annual revenue1

Total Fraud Costs

8 additional sales to make

up for it1

1 Fraudulent Order Requires

14.9% of merchant’s operational

Fraud Management Costs

results in $2.27 total losses1

$1 CNP Fraud Loss

It is up to 7 times more difficult to prevent fraud in remote channels than in person2

up for it1

False Positives Eat Into Revenue

30% of all transactions are declined1

pcosts1

9

By 2020, eCommerce transactions are expected to top $4 trillion3 and $7.2 billion in card not present losses4

1Javelin Group, The Financial Impact of Fraud: Merchants Challenged as E‐Commerce Fraud Rises Post‐EMC2FT Partners “Transaction Security at the Nexus of E‐Commerce, Payment Market Structure Complexity and Fraud”, LexisNexis “2015 True Cost of Fraud Study”3eMarketer, Worldwide Retail eCommerce Sales: The eMarketer Forecast, August 20164Aite, EMV Issuance Trajectory & Impact on Account Takeover and CNP, May 2016


Up to 7X more difficult

Criminals Exploiting New Channels/Increased Sophistication and Criminal Collaboration

Fraud Industry Trends Continue to Impact Merchants

pto prevent fraud in remote channels than in person1

“Use of Credit Card 'Skimmers' at Gas Stations, ATMs Is Exploding2”NBC News, July 1 , 2016

1Source: 2015 LexisNexis True Cost of Fraud Study

10

“All the criminal organizations — especially online — move way faster and are way more efficient than the real economy3”

Michael Reitblat, CEO and cofounder of Forter

Source: 2http://www.nbcnews.com/nightly‐news/use‐credit‐card‐skimmers‐gas‐stations‐atms‐exploding‐n4682163http://www.pymnts.com/matchmakers/2016/matchmaker‐is‐in‐forter‐fighting‐fraud/


4/19/2018

6

Criminal Activity Rising in Skimming Events

Automated Fuel Dispensers (AFDs)• Fraudsters continue to target AFDs• Stations in remote locations often targetedAFD li bilit hift t EMV® hi i 2020• AFD liability shift to EMV® chip in 2020

ATMs• White label ATM higher risk for skimming / overlay devices• Remote locations or foreign countries are at higher risk for fraud and attacks

Terminal Overlay Skimming Devices

Source: Visa Skimming at the Point of Sale, 6/28/16, slide 9

11

Terminal Overlay Skimming Devices• 3D printers leveraged to create devices• Takes a criminal only seconds to deploy

EMV is a registered trademark in the U.S. and other countries, and an unregistered trademark elsewhere. EMV® is a registered trademark owned by EMVCo LLC.


Ways to Help Thwart Skimming Attempts

• Dispatch teams to conduct and document daily checks of POS devices• Identify key risk areas where attacks may occur• Use tamper screws or cable locks on POS devices• Affix your devices with unique markings or stickers to quickly identify overlays

12

Source: Visa Managing Network Segmentation for Payment Environments presentation, 7/22/2015, slides 11‐13


4/19/2018

7

Trends in the Payments, eCommerce and Security Landscape

Retail ecommerce sales worldwide will continue to post solid gains in 2017, rising 23.2% to $2.290 trillion. This year, for the first time, ecommerce sales will account for one‐tenth of total retail sales worldwide1

1

By 2020, eCommerce transactions are expected to top $4 trillion6

and an expected $7.2 billion in card not present losses7

There will be an estimated 11.6 billion mobile connected devices by 2020, exceeding the world’s projected population at that time (7.8 billion).2

Mobile devices impact both offline and online buying decisions3

24

13

y g

1https://www.emarketer.com/Report/Worldwide‐Retail‐Ecommerce‐Sales‐eMarketers‐Estimates‐20162021/2002090 July 20172Cisco Visual Networking Index: Global Mobile Data Traffic Forecast Update, 2015‐2020 White Paper, 2016

3TSG, The Internet of Payments Awakens, 20164Javelin Group, The Financial Impact of Fraud: Merchants Challenged as E‐Commerce Fraud Rises Post‐EMC

5FT Partners “Transaction Security at the Nexus of E‐Commerce, Payment Market Structure Complexity and Fraud”, LexisNexis “2015 True Cost of Fraud Study”6eMarketer, Worldwide Retail eCommerce Sales: The eMarketer Forecast, August 2016

7Aite, EMV Issuance Trajectory & Impact on Account Takeover and CNP, May 20168Passport to International Sales‐Ingenico White Paper, July 2016

3


It is up to 7 times more difficult to prevent

fraud in remote channels than in person.4

$1 Card Not Present Fraud Loss, results in

$2.27 total losses.5

What’s at stake when a breach occurs?

4/19/2018

8

Data Breaches Continue to Rise

Number of breacheswith exposed credit and debit cards was 160 in 2015, +15.9% increase over prior year. The Banking/Credit/Financial sector ranked third with 9.1 percent of the breaches.¹

$7.01 million is the average total cost of a data breach.²

Nearly 20 percent of consumers would permanently abandon a retailer that was the victim of a data breach.³

15

Merchants need to protect their systems and consumers.

1 Identity Theft Resource Center Multi Year Statistics 2016.² 2015 Cost of Data Breach Study: United States Ponemon Institute© Research Report Benchmark research sponsored by IBM May 2016. ³ KPMG Consumer Loss Barometer, 2016.


Breach Trends by Merchant Category Code (MCC)

Global Data Compromises

Certain Industries have higher data breach costs

Public Sector

Per capita cost by industry classification in 2017

Life Science

Retail

Industrial

Consumer

Hospitality

Media

US$

$‐ $50 $100 $150 $200 $250 $300 $350 $400

Health

Services

Source: 2017 Cost of Breach Study, Ponemon Institute


4/19/2018

9

The Public and Private Cost of a Data Breach

• Card Organization assessments

- Operational reimbursement (replacement of cards)

- Fraud recovery (reimbursement expenses associated with compromised cards)

• Forensics, PCI non‐compliance fines, and moreo e s cs, C o co p a ce es, a d o e

• Crisis communications management costs

• Loss of public trust and confidence

• Cost of legal representation


The Rising Cost of Data Breaches

$4.13 millionAverage cost of lost

business after a data breach

$225The average cost of data breach

per incident in the U.S.

$1.46 millionThe average detection and escalation cost in Canada

business after a data breach in the U.S.

18

$1.56 millionThe post data breach response

cost in the U.S. in 2017

$190The average cost of data breach

per incident in Canada

Source: 2017 Cost of Breach Study, Ponemon Institute


4/19/2018

10

Solutions to Consider

EMV Update

EMV chip cards and chip‐activated merchants combat counterfeit fraud in the U.S.

Counterfeit fraud down¹

66%

55%US

storefrontsaccepting

chip²

462million

Chip cards issued to consumers²

$59.6million

Amount of chip

transactions³

20

Source: Visa, “Visa Chip Card Update”, 09/2017

³Chip transactions continue to increase in the U.S, as of Sep 2017 there were 1257.2 million transactions amounting to $59.6 billion

¹For merchants who have completed the chip upgrade, counterfeit fraud dollars have dropped 66% (as of June 2017 compared to June 2015)²Financial institutions have issued 462 million chip cards to consumers, and 2.5 million, or 55 percent of U.S. storefronts, accept chip


4/19/2018

11

EMV Alone is Not Enough

Chip based technology (EMV) helps reduce the risk of accepting counterfeit cards, while a PIN reduces the risk of misuse of lost or stolen cards.

EMV will not protect online transactions. Consumers purchasing online are still open to fraudulent transactions.

EMV does not protect cardholder data once the payment method and consumer are validated; or during payment processing transmission or in your environment at rest.

Merchants need to consider multi‐layered security solutions to protect cardholder data from cyber criminals.


Help Protect Against Fraud with Target Tools Online

Address VerificationService (AVS)

Card Verification Service (CVV2)

3 digit code to verify cardholder has card in their possession

Fraud Detect®Real‐time fraud scoring and

3D Secure®Authentication options at checkout – Verified by Visa, SecureCode by MasterCard, Safekey by American Express

TokenizationRemoves sensitive cardholder

data from the merchants environment. Solutions can facilitate repeat business

Dispute Manager®

22

gmachine learning capabilities designed to help reduce a

merchant’s overall exposure and cost of fraud

Merchant responsible for selecting which tools to enable and for properly using those tools to effectively help reduce fraud.Availability by country may vary, please review with your business consultant

Dispute ManagerOnline tool that helps merchants automate the chargeback process


4/19/2018

12

Fraud Post EMV: Card Not Present (CNP), App Fraud, and Account Take Over (ATO) on the Rise

$1.0

ATO Fraud

U.S. ATO, Application and CNP Fraud Growth, 2015 to e2020 (in US$ Billions)$10 BN

$4 4$5.5

$5.9$1.4$1.6

$1.9

$2.2

$2.5

$2.8

$0.6

$0.7

$0.8

$0.8

$0.9Application Fraud

CNP Fraud

$5 BN

$7.5 BN

23

$3.2 $3.3$4.0

$4.4

2015 2016 e2017 e2018 e2019 e2020

$0

Source: Aite Group


Other Advancements in CNP Fraud Solutions

As EMV adoption drives more fraud towards eCommerce and CNP, it is critical for fraud detection solutions to keep pace.

Advances in fraud detection will leverage:Machine learning technologies vs rules based engines- Machine‐learning technologies vs. rules‐based engines

- Full integration with core eCommerce processing platforms

- Packaged, full‐service fraud offerings

New fraud solutions will help deliver important benefits to merchants:- Easy to get started with pre‐integration to key gateways- Easy to use with intuitive Accept or Decline

d irecommendations- Greater accuracy on fraud scores to help merchants save

money

CONFIDENTIAL ‐ NOT TO BE DISTRIBUTED WITHOUT THE EXPRESS WRITTEN PERMISSION OF BANK OF AMERICA MERCHANT SERVICES 24

4/19/2018

13

The Strength of Machine Learning Helps Combat Fraud

Facilitate Improve

Rapidly respond Help lower costs

Merchant benefits

Fraud Accept

real‐time decision‐making

Improve accuracy

to changing fraud trends

through automation

25

Order Machine Learningmodel

Fraud Risk

Estimate Reject


Solutions to Consider: Card Present

EMVData EMV DataEncryption

26

Tokenization PCICompliance


4/19/2018

14

Enhancing Data Security and Reducing Your PCI Validation Scope

Point to point encryption (P2PE) Tokenization technology EMV Chip TechnologyPoint‐to‐point encryption (P2PE) Tokenization technology EMV Chip Technology

• Encryption is designed to help protect cardholder data from the point of data entry.

• Uses a key management feature making cardholder data virtually unreadable to anyone who does not have the encryption key

• Replaces cardholder data (PAN) with surrogate values (token)

• Designed to work in concert with encryption to eliminate storage of cardholder data

• Allows merchant to limit storage of cardholder data with the tokenization system

• Helps protect against counterfeit cards by replacing static data with dynamic

• Works with card‐present transaction only

• Requires a dual processing terminal (mag strip and

27

yp y• Helps protect cardholder

data in transit• If properly implemented,

P2PE can reduce your scope of PCI DSS validation

y• If properly implemented,

tokenization can reduce your scope of PCI DSS validation

( g pchip)


What is End‐To‐End Encryption?

End‐to‐end encryption (E2EE) is the uninterrupted protection of data from the moment of swipe, through transit between the merchants point of sale and their processor.

No eavesdropper can access the cryptographic keys needed to decrypt the conversation, including telecom providers, Internet providers and the p , pcompany that runs the messaging service.


4/19/2018

15

What is End‐To‐End Encryption?

• Primary Account Number (PAN) Data encrypted at Tamper Resistant Security Module (TRSM) protected Point of Interaction (POI )(e.g. terminal) with Bank of America Merchant Services encryption key

M h t h t d ti k• Merchant has no access to decryption key

• Encryption helps protect PAN during transit or offline situations

• PAN is only decrypted once it arrives in Bank of America Merchant Services’ secure processing vault

• Key updates are embedded in transaction message responses


Tokenization is the process of substituting a sensitive data element with a non‐sensitive

i l t f d t t k th t h

What is Tokenization?

equivalent, referred to as a token, that has no monetary value.

Important caveat: Encryption and tokenization do not guarantee that your systems will not be breached. Using encryption and tokenization does not mean you are automatically compliant with the

30

not mean you are automatically compliant with the Payment Card Industry Data Security Standard or Card Organization Rules.


4/19/2018

16

What is Tokenization?

• Tokens help protect data at rest and in use.

• They differ from encryption because tokens have no direct relationship with the card data they replace.

• Tokens are card‐based and have a 1:1 relationship with an account number.

• Tokens do not expire, so the same token follows the card through the entire card lifecycle.


A multi‐pay token can be used in place of primary account number (PAN) to perform a financial transaction.

What is a Multi‐Pay Token?

• Because they can initiate a financial transaction without card b i hbeing present, they are:

- Valuable for ecommerce and card‐not‐present environments

- Useful in processing refunds and credits

• They allow merchants to track buying patterns based on card use for sales trending, marketing and loyalty programs – while remaining within PCI compliance


4/19/2018

17

Approaches to Transaction Data Encryption

MERCHANTMERCHANT DATA

CENTERACQUIRER DATA CENTER ISSUER

Encrypted Credit Card Request

Tokenized Credit Card

End‐to‐End Encryption (E2EE)

MERCHANTMERCHANT DATA

CENTERGATEWAY ISSUER

Tokenized Credit Card Response

Decrypted Credit Card Request

Non‐tokenized Credit Card Response

Vulnerability Point

THE LAST MILE

Point‐to‐Point Encryption (P2PE)

33

THE LAST MILE

ACQUIRER


Overall Security Strategy is Critical for an Organization

Securing Consumer Data

Remove card data from Merchant Benefits

Merchant Security

Remove card data from merchant environment: TransArmor® Data Protection

PCI requirements: Logging and monitoring, network access, etc.

Helping Reduce Fraud*

Enhanced Authentication: EMV

Fraud Mitigation Tools:

fHelps protect firm’s reputation and image

Industry BenefitsLess card data in market for potential fraud

Merchant BenefitsReduction in counterfeit fraud

eCommerce Fraud Tools, 3D Secure, Fraud Detect

fraud

Industry BenefitsDevalues stolen card data

*Enhanced authentication and fraud products are being developed in the industry for mobile and ecommerce e.g., device ID, payment tokens, risk scores.TransArmor data protection provides encryption and tokenization services. TransArmor Data Protection is not a guarantee that your systems will not be breached or cause you to be compliant with the Payment Card Industry Data Security Standard or Card Organization Rules. Requires eligible equipment.


credit card cybersecurity - socal expo · 2018-04-19 · credit card cybersecurity insights to help...

Documents