From Bad to Worse: How to Stay Protected from a Mega Data Breach

From Bad to Worse: How to Stay Protected from a Mega Data Breach Presenter: Jennifer Rossi, Vice President, Channel Sales, Paymetric 10/29/22 ©2014. Paymetric. All Rights Reserved.

Upload: paymetric-inc

Post on 14-Dec-2014


Category:

Business



DESCRIPTION

Data breaches are hitting the news now more than ever before and the trend is getting nothing but worse. View our presentation to learn how deep a breach can go, common misconceptions and best practice solutions to keep your SAP-based business protected.

TRANSCRIPT

Page 1: From Bad to Worse: How to Stay Protected from a Mega Data Breach

April 10, 2023 ©2014. Paymetric. All Rights Reserved. 1

From Bad to Worse: How to Stay Protected from a Mega Data Breach

Presenter: Jennifer Rossi, Vice President, Channel Sales, Paymetric

Page 2: From Bad to Worse: How to Stay Protected from a Mega Data Breach


Webinar Agenda

• About Paymetric
• Data Breaches in the News
• Data Breach Impact and Cost
• The Myth of the “Silver Bullet”
• Prevailing PCI Solution Options
• Tokenization Technology
• Five Best Practices for an SAP-based Enterprise

Page 3: From Bad to Worse: How to Stay Protected from a Mega Data Breach


About Paymetric

Page 4: From Bad to Worse: How to Stay Protected from a Mega Data Breach


Award-Winning Company

Paymetric is Recognized for Electronic Payments Innovation

Paymetric is an award-winning company built on shared purpose, an unremitting pursuit of excellence, lasting collaboration, accountability and integrity. For more than 15 years, we have been recognized for our work and honored with awards for technical innovation and thought leadership.

Page 5: From Bad to Worse: How to Stay Protected from a Mega Data Breach


Data Breaches in the News

• More than 37 percent of data breach incidents involved a malicious or criminal attack

• 35 percent of data breach incidents involved a negligent employee or contractor (human factor)

• 29 percent of data breach incidents involved system glitches, which include both IT and business process failures

*Distribution of the benchmark sample by root cause of the data breach

Source: Ponemon Institute

[Pie chart legend: Human factor; Malicious or criminal attack; System glitches]

Page 6: From Bad to Worse: How to Stay Protected from a Mega Data Breach


Data Breach Impact and Cost

Source: Ponemon Institute 2013 Cost of Data Breach Study: Global Analysis

Overview

• Dollars spent per data record when there is a data breach

• All industries are at risk, even though Retail makes the news the most

• Healthcare breaches are the most expensive by far because personally identifiable information (PII) is exposed

Page 7: From Bad to Worse: How to Stay Protected from a Mega Data Breach


The Impact to Your Organization

• Fines and litigation
• Cost of investigation and audit
• Loss of business/customer trust
• Potential decline in share value
• Brand reputation

Page 8: From Bad to Worse: How to Stay Protected from a Mega Data Breach


Getting Negative

Dominant industry rule of thumb:

1. There is no “silver bullet” single solution to prevent a data breach

2. It is not “if”, but “when” you will be breached

So, now what?

Page 9: From Bad to Worse: How to Stay Protected from a Mega Data Breach


So, Now What?

• Thieves cannot steal what is no longer there to steal
  – i.e., render what is left in the system worthless

• Even if they can see it and exfiltrate it, they cannot use it outside of the merchant

• Understand the prevailing PCI solutions
  – Tokenization
  – P2PE
  – EMV

Page 10: From Bad to Worse: How to Stay Protected from a Mega Data Breach


Prevailing PCI Solution Options

PCI solutions and their primary application scenario

Ecommerce (CNP)

Call Center (CNP: MOTO)

Retail (CP)

Tokenization ✔ ✔ ✔

P2PE ✔

EMV ✔

Most SAP-based Enterprise Environments

Page 11: From Bad to Worse: How to Stay Protected from a Mega Data Breach


What is Tokenization?

• A token is a substitute value: sensitive data is replaced with data that is of no value to hackers or thieves

• Protected systems no longer store the raw sensitive or encrypted data

• Unlike encryption, tokens can’t be reverse engineered to the original data

• Tokens are not mathematically created; they are random

• If the system is compromised, the real data can’t be taken, only tokens

Page 12: From Bad to Worse: How to Stay Protected from a Mega Data Breach


Tokens for the Enterprise

• Multi-use token
  – Same data, same token
  – Data consistency for secure reporting, queries, customer service

• Usable parts of the original data retained in the token
  – Token has business meaning so processes continue securely
  – Token retains permitted parts of the original, e.g. last 4 digits of a credit card

• Tokenize only what is needed
  – Tokenize the sensitive data only
  – Enterprise retains full control of separate data fields

• A neutral credit card token vault
  – Token is NOT processor specific
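
An added example (not from the presentation and not Paymetric's product code) of the vault-style tokenization described on the two slides above: the token digits are random, the last four digits are retained, and the same card always yields the same token. The `TokenVault` class, its method names and the HMAC lookup index are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class TokenVault:
    """In-memory stand-in for a central token vault (hypothetical, illustrative)."""

    def __init__(self, index_key: bytes):
        self._index_key = index_key   # keys the PAN lookup index
        self._by_pan = {}             # HMAC(PAN) -> token, for multi-use lookup
        self._by_token = {}           # token -> PAN (a real vault encrypts this)

    def _index(self, pan: str) -> str:
        # Keyed digest so the lookup index itself does not hold card numbers.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not (pan.isascii() and pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("PAN must be 13-19 digits")
        idx = self._index(pan)
        if idx in self._by_pan:       # multi-use: same data, same token
            return self._by_pan[idx]
        while True:
            # Random digits, not computed from the PAN; only the last 4 are kept.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and token not in self._by_token:
                break                 # never reuse a token or echo the PAN
        self._by_pan[idx] = token
        self._by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._by_token[token]  # only the vault can map a token back


def demo():
    vault = TokenVault(secrets.token_bytes(32))
    pan = "4111111111111111"          # constructed test number, not a real card
    t1 = vault.tokenize(pan)          # e.g. captured at the web front end
    t2 = vault.tokenize(pan)          # same card seen again by ERP or CRM
    return pan, t1, t2, vault.detokenize(t1)


if __name__ == "__main__":
    pan, t1, t2, original = demo()
    print(t1, t1 == t2, original == pan)
```

Systems outside the vault store only the token, so a dump of their tables yields the last four digits and random filler, while the mapping back to the card number stays in one place.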

Page 13: From Bad to Worse: How to Stay Protected from a Mega Data Breach


Tokenize at the Edge; Then Share & Reuse

[Diagram labels: WEB; ERP; CRM]

Page 14: From Bad to Worse: How to Stay Protected from a Mega Data Breach


Tokens Protect More Than Card Data

PII is information that can be used uniquely or with other sources to identify, contact or locate a single person. For example:
• Social Security Number
• Bank Account
• Email
• Driver's License Number

PII Tokenization
• Format Preserving Tokens
• Protect PII Affordably
• Achieve Safe Harbor from Data Breach Notification Laws
• Employee, vendor and customer data

Page 15: From Bad to Worse: How to Stay Protected from a Mega Data Breach


An Overview of Card Tokenization Technology

[Diagram labels: Encryption; Centralized/Non-centralized]

Page 16: From Bad to Worse: How to Stay Protected from a Mega Data Breach


5 Best Practices for an SAP-based Enterprise

[Diagram labels: Encryption; Centralized/Non-centralized]

Page 17: From Bad to Worse: How to Stay Protected from a Mega Data Breach


#1: Understand Enterprise Decision Drivers

Project Priority, Budget & Visibility

• PCI DSS Compliance
• C-Level Visibility
• Internal Security & Compliance Team
• Risk Mitigation
• Brand Reputation/Customer Perception
• PII Protection

Page 18: From Bad to Worse: How to Stay Protected from a Mega Data Breach


#2: Identify the Enterprise Risk Workflows

Identify workflows, entry points and use cases where payment cards are being used

Page 19: From Bad to Worse: How to Stay Protected from a Mega Data Breach


#3: Protect Data in Transit and at Entry

Once you understand the workflows, understand what data is in those workflows

• Is data at rest, at entry, and in transit?

• Where is it entered?

• Where is it being transmitted or communicated?

• Where is it being stored?

Page 20: From Bad to Worse: How to Stay Protected from a Mega Data Breach


#4: Avoid Technology Lock-In

• Focus on being processor agnostic

• Keep your options open

• Avoid processor lock-in

• Separate processing requirements from security requirements

• This allows you to be covered for expansion and change: be able to scale up for security and payments

Page 21: From Bad to Worse: How to Stay Protected from a Mega Data Breach


#5: Understand Your C-Level Criteria

• Increased breach activity has brought new players into the payment security space

• Payment security is critical to the enterprise
  – Getting this wrong has serious impact

• What are your C-Level vendor selection criteria for this mission-critical solution?
  – Vendor product suite functionality?
  – Vendor and product scalability?
  – Vendor technology investment?
  – Vendor resource focus?
  – Vendor experience and reputation?
  – Vendor stability?
  – Vendor cost?

Page 22: From Bad to Worse: How to Stay Protected from a Mega Data Breach


Best Practice Summary

① Understand Enterprise Decision Drivers
② Identify the Enterprise Risk Workflows
③ Protect Data in Transit and at Entry (& Stored Data)
④ Avoid Technology Lock-In
⑤ Understand Your C-level Criteria

Page 23: From Bad to Worse: How to Stay Protected from a Mega Data Breach


Questions? Contact our presenter:

Jennifer Rossi
Vice President, Channel Sales

[email protected]