From Bad to Worse: How to Stay Protected from a Mega Data Breach
Description
Data breaches are hitting the news now more than ever before and the trend is getting nothing but worse. View our presentation to learn how deep a breach can go, common misconceptions and best practice solutions to keep your SAP-based business protected.
Transcript
April 10, 2023 ©2014. Paymetric. All Rights Reserved.
From Bad to Worse: How to Stay Protected from a Mega Data Breach
Presenter: Jennifer Rossi, Vice President, Channel Sales, Paymetric
Webinar Agenda
• About Paymetric
• Data Breaches in the News
• Data Breach Impact and Cost
• The Myth of the “Silver Bullet”
• Prevailing PCI Solution Options
• Tokenization Technology
• Five Best Practices for an SAP-based Enterprise
About Paymetric
Award-Winning Company
Paymetric is Recognized for Electronic Payments Innovation
Paymetric is an award-winning company built on shared purpose, an unremitting pursuit of excellence, lasting collaboration, accountability and integrity. For more than 15 years, we have been recognized for our work and honored with awards for technical innovation and thought leadership.
Data Breaches in the News
• More than 37 percent of data breach incidents involved a malicious or criminal attack
• 35 percent of data breach incidents involved a negligent employee or contractor (human factor)
• 29 percent of data breach incidents involved system glitches that includes both IT and business process failures
*Distribution of the benchmark sample by root cause of the data breach (chart legend: malicious or criminal attack, human factor, system glitches)
Source: Ponemon Institute
Data Breach Impact and Cost
Source: Ponemon Institute 2013 Cost of Data Breach Study: Global Analysis
Overview (dollars spent per data record when there is a data breach):
• All industries are at risk, even though Retail makes the news the most
• Healthcare breaches are the most expensive by far due to personally identifiable information (PII) being exposed
The Impact to Your Organization
• Fines and litigation
• Cost of investigation and audit
• Loss of business/customer trust
• Potential decline in share value
• Brand reputation
Getting Negative
Dominant industry rule of thumb:
1. There is no “silver bullet” single solution to prevent a data breach
2. It is not “if”, but “when” you will be breached
So, now what?
So, Now What?
• Thieves cannot steal what is no longer there to steal, i.e. render what is left in the system worthless
• Even if they can see it and exfiltrate it, they cannot use it outside of the merchant
• Understand the prevailing PCI solutions:
– Tokenization
– P2PE
– EMV
Prevailing PCI Solution Options
PCI solutions and their primary application scenario:

                  Ecommerce (CNP)   Call Center (CNP: MOTO)   Retail (CP)
  Tokenization          ✔                     ✔                   ✔
  P2PE                                                            ✔
  EMV                                                             ✔
Most SAP-based Enterprise Environments
What is Tokenization?
• A token is a substitute value: sensitive data is replaced with data that is of no value to hackers or thieves
• Protected systems no longer store the raw sensitive or encrypted data
• Unlike encryption, tokens can’t be reverse engineered to the original data
• Tokens are not mathematically created; they are random
• If a system is compromised the real data can’t be taken, only tokens
Tokens for the Enterprise
• Multi-use token: same data, same token; data consistency for secure reporting, queries and customer service
• Usable parts of the original data retained in the token: the token has business meaning so processes continue securely; the token retains permitted parts of the original, e.g. the last 4 digits of a credit card
• Tokenize only what is needed: tokenize the sensitive data only; the enterprise retains full control of separate data fields
• A neutral credit card token vault: the token is NOT processor specific
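The two slides above (what a token is, and the multi-use, format-preserving token properties) can be made concrete with a small token vault. This is an added example in Python, not Paymetric's code or product: tokens are random rather than derived from the card number, the same card always gets the same token, the last four digits are kept, and only the vault can map a token back. The vault is a constructed in-memory dictionary standing in for a separate, access-controlled token store; it handles card numbers only, not the other PII types covered later in the deck.

```python
import re
import secrets


def luhn_valid(number: str) -> bool:
    """Luhn check that real card numbers pass; tokens are chosen to fail it."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


class TokenVault:
    """Constructed in-memory stand-in for a separate, access-controlled token store."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}  # token -> original card number
        self._token_by_pan: dict[str, str] = {}  # card number -> token (multi-use)

    def tokenize(self, pan: str) -> str:
        """Issue a multi-use, format-preserving token for a card number (PAN).

        The last four digits are kept so business processes still have something
        meaningful; the rest is random, not derived from the PAN, so the token
        cannot be reversed without the vault.
        """
        if not re.fullmatch(r"\d{13,19}", pan) or not luhn_valid(pan):
            raise ValueError("not a well-formed card number")
        if pan in self._token_by_pan:  # same data -> same token
            return self._token_by_pan[pan]
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject tokens already issued, and any that would pass the Luhn check
            # (including the PAN itself) so a token is never mistaken for a real card.
            if token not in self._pan_by_token and not luhn_valid(token):
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can map a token back; a dump of tokens alone is worthless."""
        return self._pan_by_token[token]
```

A compromised ERP or CRM holding only tokens therefore yields nothing usable without the vault, which is why the vault must sit outside those systems with its own access controls and audit trail.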
Tokenize at the Edge; Then Share & Reuse
[Diagram: card data is tokenized at the edge (web entry point); the token is then shared with and reused by ERP and CRM systems]
Tokens Protect More Than Card Data
PII is information that can be used uniquely or with other sources to identify, contact or locate a single person. For example:
• Social Security Number
• Bank Account
• Email
• Driver's License Number
PII Tokenization:
• Format-preserving tokens protect PII affordably
• Achieve safe harbor from data breach notification laws
• Employee, vendor and customer data
An Overview of Card Tokenization Technology
[Diagram: card tokenization technology options compared on two axes: Encryption and Centralized / Non-centralized]
5 Best Practices for an SAP-based Enterprise
#1: Understand Enterprise Decision Drivers
• Project priority, budget & visibility
• PCI DSS compliance
• C-level visibility
• Internal security & compliance team
• Risk mitigation
• Brand reputation / customer perception
• PII protection
#2: Identify the Enterprise Risk Workflows
Identify workflows, entry points and use cases where payment cards are being used
#3: Protect Data in Transit and at Entry
Once you understand the workflows, understand what data is in those workflows:
• Is data at rest, at entry, and in transit?
• Where is it entered?
• Where is it being transmitted or communicated?
• Where is it being stored?
#4: Avoid Technology Lock-In
• Focus on being processor agnostic
• Keep your options open
• Avoid processor lock-in
• Separate processing requirements from security requirements
• This allows you to be covered for expansion and change, and to be able to scale up for security and payments
#5: Understand Your C-Level Criteria
• Increased breach activity has brought new players into the payment security space
• Payment security is critical to the enterprise: getting this wrong has serious impact
• What are your C-level vendor selection criteria for this mission-critical solution?
– Vendor product suite functionality?
– Vendor and product scalability?
– Vendor technology investment?
– Vendor resource focus?
– Vendor experience and reputation?
– Vendor stability?
– Vendor cost?
Best Practice Summary
① Understand Enterprise Decision Drivers
② Identify the Enterprise Risk Workflows
③ Protect Data in Transit and at Entry (& Stored Data)
④ Avoid Technology Lock-In
⑤ Understand Your C-level Criteria
Questions? Contact our presenter:
Jennifer Rossi, Vice President, Channel Sales