Cost Of A Breach Case Study  and PCI Prioritization
We’re often asked what a data breach costs. It varies, and some of the fines seem subjective. We outline a case study to show retailers the significant exposure they face for not protecting their business. Next, the PCI Security Standards Council has outlined areas to secure by prioritization; we offer details.

Presentation Transcript

  • Where We Stand.
    Costs of a Data Breach
    Case Study
    PCI Prioritization
    Presentation by: Ross Federgreen*
    *Founder, CSRSI® THE PAYMENT ADVISORS
  • PCI Critical Dates
    Prioritization
    PCI Breach Costs
  • PCI Critical Dates
  • ALIGNMENT July 1, 2010
    US Payment Application Security Mandate
    Phase I through Phase V
    TDES Mandate
    POS PIN Acceptance Device Mandate
  • US Payment Application Security Mandate (CISP 102307)
    Phase I through Phase V
    Phase I, January 1, 2008: Newly boarded merchants must not use known vulnerable payment applications, and VisaNet Processors (VNPs) and agents must not certify new payment applications to their platforms that are known vulnerable payment applications.
    Phase II, July 1, 2008: VNPs and agents must only certify new payment applications to their platforms that are PA-DSS compliant applications.
    Phase III, October 1, 2008: Newly boarded Level 3 and 4 merchants must be PCI DSS compliant or use PA-DSS compliant applications.
    Phase IV, October 1, 2009: VNPs and agents must decertify all vulnerable payment applications.
    Phase V, July 1, 2010: Acquirers must ensure their members, VNPs and agents use only PA-DSS compliant applications.
  • Triple Data Encryption Standard (TDES) Mandate (PIN Security Bulletin 093008)
    Phase I through Phase II
    Phase I, January 1, 2009: Newly deployed US Automated Fuel Dispensers must contain a TDES-capable and PCI-approved Encrypting PIN Pad.
    Phase II, July 1, 2010: All US POS PEDs must be encrypting PINs using TDES end-to-end.
  • POS PIN mandate (PIN Security Bulletin 093008)
    July 1, 2010
    All attended POS PIN acceptance device models must have passed testing by a PCI-recognized or pre-PCI-recognized laboratory and have been approved by Visa.
  • PRIORITIZATION
  • “The prioritized approach provides guidance that will help merchants identify how to reduce risk to cardholder data as early on as possible in their compliance journey.”
    PCI Security Standards Council, 2009
  • The Prioritized Approach
    Benefits:
    Roadmap
    Pragmatic approach
    Supports financial and operational planning
    Objective and measured progress indicators
    Consistency among QSAs
  • The Prioritized Approach
    Six security milestones, in order:
    1. Remove sensitive authentication data and limit data retention
    2. Protect the perimeter, internal and wireless networks
    3. Secure payment card applications
    4. Monitor and control access to your systems
    5. Protect stored cardholder data
    6. Finalize remaining compliance efforts and ensure all controls are in place
  • PCI BREACH COSTS
  • Total direct costs to a merchant from a PCI event include:
    Card replacement costs, now averaging about $4 per card
    Compliance fines, now ranging from about $5,000 to $50,000 per event for a small (Level 3 or 4) merchant
    Cost of forensic examination, averaging between $25,000 and $35,000 per event for Level 3 and 4 merchants
    Additional fines for actual fraudulent use of the stolen PANs, which vary
  • Case Study: July 2008
    A small card-present retailer was breached. The retailer had filled out a self-assessment questionnaire and attested to the acquirer that the information was true and correct.
    The merchant was found to have stored over 2,000 credit card numbers in an accounting system for “reference” and to bill clients “if they forgot their credit card number”.
    The card numbers were stolen when the computer holding the file was taken during a robbery. A common point of purchase (CPP) analysis of the cards later used fraudulently identified the retailer as the location of the theft.
  • Direct costs to the merchant in the case study:
    Replacement cost: $5,000
    Compliance fine: $12,500
    Forensic examination: $25,000
    Card utilization fines: $74,398.47
    TOTAL: $116,898.47
  • The merchant also sustained significant reputational cost due to adverse publicity, legal fees, loss of business and other expenses.
    The merchant filed for bankruptcy protection.
    The acquirer assessed the amounts due to the ISO.
    After the initial event, Visa fined the ISO additional fees following an examination of the ISO’s practices relating to PCI adoption and its plan for its portfolio under VBR 07508.
    The ISO sustained a financial loss of $189,354.45.
  • Study: Maine Bureau of Financial Institutions, January 2009
    Study design: cost of the TJX and Hannaford breaches borne by Maine-chartered banks and credit unions
    *Recovery cost: investigation, communication, reissuance and net fraud
  • Study: Ponemon Institute, February 2009
    Study design: cost of compromise to 43 companies in 2008. Each company volunteered under the condition of anonymity.
  • Do you have questions about how to strategically plan for PII legislation?
    Would you like advice or complete guidance on how to evaluate PII access, storage, and handling in your business?
    Contact us. We’re glad to help. Read more at www.CSRSI.com
    Ross Federgreen, 866-462-7774 x1, rfedergreen@csrsi.com, Jensen Beach, FL
    Jan Carroza, 866-462-7774 x4, jcarroza@csrsi.com, Seattle, WA
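The case study above turns on two technical steps the deck does not show: the stored card numbers that milestone 1 of the Prioritized Approach (remove sensitive authentication data and limit data retention) would have had the retailer find and purge before the robbery, and the common point of purchase (CPP) analysis by which the card brands traced the fraud back to the retailer. The Python below is an added example written for this page, not code from the presentation or from CSRSI. The accounting export, merchant names, card identifiers and fraud reports are all constructed for illustration (the two valid numbers are the standard Visa and Mastercard test PANs), and a real CPP analysis runs on issuer or brand authorization data, which the merchant never sees.

```python
import re
from collections import defaultdict

# --- Part 1: find card numbers stored where they should not be (milestone 1) ---

# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; every brand's PAN passes it, so it filters most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return masked copies (first 6 + last 4) of every Luhn-valid PAN in the text.

    Masking the report matters: a discovery tool that writes full PANs to its
    output has just created another copy of the data it was meant to remove.
    """
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return hits


# Constructed stand-in for the retailer's accounting export (not real data).
SAMPLE_ACCOUNTING_EXPORT = """\
invoice,customer,card_on_file,note
10021,Acme Tile,4111 1111 1111 1111,"kept for reference"
10022,Bay Marine,5500-0000-0000-0004,recurring billing
10023,Cove Cafe,1234567890123,account number (not a card)
10024,Dune Surf,4111111111111112,mistyped card (fails Luhn)
"""

# --- Part 2: common point of purchase analysis (how the brands located the retailer) ---

# Constructed view of what an issuer or card brand sees: (card, merchant) authorizations,
# plus the set of cards that cardholders later reported as fraud.
TRANSACTIONS = [
    ("card_A", "Harbor Hardware"), ("card_A", "Acme Gas"), ("card_A", "Cove Cafe"),
    ("card_B", "Acme Gas"), ("card_B", "Harbor Hardware"),
    ("card_C", "Harbor Hardware"), ("card_C", "Pier Pizza"),
    ("card_D", "Acme Gas"), ("card_D", "Pier Pizza"),
    ("card_E", "Harbor Hardware"), ("card_E", "Acme Gas"),
    ("card_F", "Pier Pizza"), ("card_F", "Cove Cafe"),
]
REPORTED_FRAUD = {"card_A", "card_B", "card_C", "card_E"}


def common_point_of_purchase(transactions, fraud_cards, min_fraud_cards=3):
    """Rank merchants by how strongly their customer base overlaps the fraud cards.

    coverage  = share of the fraud cards that were used at this merchant
    precision = share of this merchant's cards that later went bad
    The breached merchant scores high on both. A neighbour that shares customers
    with it (here Acme Gas) ranks below it: the cards it saw that never went bad
    pull precision down, and the fraud cards it never saw pull coverage down.
    """
    cards_at = defaultdict(set)
    for card, merchant in transactions:
        cards_at[merchant].add(card)
    ranked = []
    for merchant, cards in cards_at.items():
        bad = cards & fraud_cards
        if len(bad) < min_fraud_cards:      # too few to be more than coincidence
            continue
        coverage = len(bad) / len(fraud_cards)
        precision = len(bad) / len(cards)
        ranked.append((merchant, len(bad), round(coverage, 2), round(precision, 2)))
    ranked.sort(key=lambda r: (r[2] * r[3], r[1]), reverse=True)
    return ranked


if __name__ == "__main__":
    print("stored PANs:", find_pans(SAMPLE_ACCOUNTING_EXPORT))
    for row in common_point_of_purchase(TRANSACTIONS, REPORTED_FRAUD):
        print("merchant=%s fraud_cards=%d coverage=%.2f precision=%.2f" % row)
```

Run against the constructed export, the scanner reports two stored PANs (masked) and ignores the account number and the mistyped card, both of which fail Luhn; about one in ten random digit runs of the right length will pass Luhn, so hits still need a human look before anything is deleted. The CPP ranking puts Harbor Hardware first with all four fraud cards and a clean precision of 1.0, while Acme Gas, which merely shares customers with it, scores 0.75 on both measures. In practice the brands also weight by transaction dates, so that only purchases before the first fraud count, and by each merchant's normal fraud rate.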