Commerce Security Fundamentals

    Commerce Security Fundamentals - Presentation Transcript

    1. ISV Innovation Presents: Commerce Security Fundamentals. Tyler Hannan, Platform Evangelist, IP Commerce. 6/11/2008
    2. Who is Tyler Hannan? Platform Evangelist for IP Commerce. 11+ years experience in the software sector: Network Administrator, DBA, Part-time Developer; 5 years focused on the Enterprise Retail and Payments Industry. Member, Society of Payment Security Pros. Yes, I really do look like that. © Microsoft Corporation 2007
    3. Agenda, or, what are we doing? • Consequences of data breach • Bankcard security mandates • Why sell PABP? • Why help merchants comply with PCI-DSS?
    4. Objectives, or, why am I here? • Learn how businesses are impacted by security standards (in particular, the SMB) • Learn how ISVs can support compliance requirements and capture new revenue opportunities • Learn how security can be a differentiator from your competitors' products
    5. Consequences of a Data Breach
    6. What Data Compromise Looks Like
    7. TJX: Anatomy of a data breach ● Jan 2007, a major breach is announced – It is called "the biggest breach ever" – Initial estimates put the number of breached accounts at a few million – By December 2007, it has been confirmed that at least 94 million customers have had their information stolen ● How did it happen? – Simple war driving gained access to historical, unencrypted credit card data – The exploit was expanded to install malicious software that captured data in flight
    8. TJX: Anatomy of a data breach ● What did it cost? – Respect – Settlements are currently ongoing but costs are estimated at more than 4.5 billion. Four. Point. Five. Billion!
    9. Consequences for the Merchant: cost per compromised record. Source: "Calculating the Cost of a Security Breach," Forrester Research, April 10, 2007.
       Columns: A = low-profile breach, non-regulated industry; B = low-profile breach, regulated industry; C = high-profile breach, highly regulated industry.
       Category                                      Description                                                                                      A      B      C
       Discovery, Notification and Response          Outside legal counsel; mail notification, calls, call center and discounted product offers     $50    $50    $50
       Lost Employee Productivity                    Employees diverted from other tasks                                                              $20    $25    $30
       Opportunity Cost                              Customer churn and difficulty in getting new customers                                           $20    $50   $100
       Regulatory Fines                              FTC, PCI, SOX                                                                                     $0    $25    $60
       Restitution                                   Civil courts may require you to put this money aside                                              $0     $0    $30
       Additional Security and Audit Requirements    The security and audit requirements levied as a result of a breach                                $0     $5    $10
       Other Liabilities                             Credit card replacement costs; civil penalties if specific fraud can be traced to the breach      $0     $0    $25
       TOTAL COST PER COMPROMISED RECORD                                                                                                              $90   $155   $305
    10. Consequences for the Merchant (chart of the same Forrester figures). Source: "Calculating the Cost of a Security Breach," Forrester Research, April 10, 2007.
    11. Bankcard Security Mandates • PABP ● Application Security • PCI-DSS ● Secure Operating Environment
    12. The Burden of Compliance. "What are your two biggest 'pain points' related to information security?" Pain points charted (scale 0 to 25): Compliance, Identity Management, Data Privacy, User Awareness, Access Control, Staffing, Patch Management. Source: TheInfoPro Information Security Study Wave 8
    13. Focus on Small Merchants • 5% of Exposed Accounts • 80% of Software Breaches • 99% of Visa's Merchant Base. Source: Digital Transactions News (October 25, 2007)
    14. "Isn't there anyone who can save me from all this?"
    15. Your Role • Small merchants are hard to reach • Processors and acquirers are not equipped to help • You are best situated to respond to merchant "pain"
    16. Mandates as an Opportunity • Sell New, PABP-Certified Product • Broaden your Range of Services • Strengthen your Client Relationships
    17. The Time is Now! • 18 million SMBs in the U.S. have no credit card processing (1) • SMBs spend over $50B annually on software and IT services • An average SMB spends over $7100 per year on software and IT • Biggest upgrade / service upsell opportunity since Y2K? Except this one is real. Source: 1) Internal Revenue Service
    18. Bankcard Security Mandates
    19. Visa's PABP Mandate
    20. Visa's PABP Mandate. PABP • Implemented and managed by Visa • Applies to all vendors of bankcard payment solutions • Does not apply to in-house applications
    21. The PABP Specification
    22. What Does PABP Require?
    23–26. Additional PABP Requirements. The same fourteen requirements appear on four slides, each highlighting one grouping in turn (Data Access, Data Storage, Data Transmission, Application Structure, Instructional Materials):
       1) Do not retain full magnetic stripe or CVV2 data
       2) Protect stored data
       3) Provide secure password features
       4) Log application activity
       5) Develop secure applications
       6) Protect wireless transmissions
       7) Test applications to address vulnerabilities
       8) Facilitate secure network implementation
       9) Cardholder data must never be stored on a server connected to the Internet
       10) Facilitate secure remote software updates
       11) Facilitate secure remote access to application
       12) Encrypt sensitive traffic over public networks
       13) Encrypt all non-console administrative access
       14) Maintain instructional documentation and training programs for customers, resellers and integrators
       Instructional Materials called out on slide 26: • Documentation • Implementation Guide
    27. PABP Requirements - Summary 1. If the PAN is stored, the application must encrypt the data from the front of the card 2. The application must never retain information from the back of the card (full magnetic stripe, CVV2) after authorization
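    The two summary rules above, together with requirements 1, 2 and 4 of the list, come down to one design decision in the payment application: decide at the authorization boundary which fields may be persisted or logged at all. The following Python is an added example written for this page, not code from the presentation or from IP Commerce. It takes a hypothetical authorization request, drops the sensitive authentication data (track data, CVV2, PIN block), replaces the PAN with a masked form plus a keyed HMAC reference token, and scrubs Luhn-valid card numbers out of log lines. The field names, the key and the sample data are constructed (4111111111111111 is a public Visa test number). Storing a token instead of the PAN sidesteps the encrypt-at-rest rule; an application that must retain the full PAN (for settlement, say) has to encrypt it under a managed key instead, which this example does not show.

```python
import hashlib
import hmac
import re

# Sensitive authentication data: PABP/PA-DSS requirement 1 forbids keeping any
# of these after authorization, even encrypted. Field names are hypothetical.
SENSITIVE_AUTH_FIELDS = ("track1", "track2", "cvv2", "pin_block")

# 13 to 19 digits with optional single space/hyphen separators, not embedded in
# a longer digit run (the look-arounds stop partial matches on long numbers).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SENSITIVE_LOG_FIELDS = re.compile(r"\b(cvv2|track1|track2|pin_block)=\S+")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check: separates a PAN from an arbitrary run of digits."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four (the most PCI DSS lets you display), mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str, key: bytes) -> str:
    """Keyed reference for the PAN. A plain SHA-256 would be brute-forceable
    (the BIN is public and the check digit fixed, leaving about 10^9 candidates),
    so use an HMAC whose key lives in a key store or HSM, never beside the tokens."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def to_storable_record(auth_request: dict, key: bytes) -> dict:
    """Build the only record the application may persist after authorization."""
    pan = auth_request["pan"].replace(" ", "")
    if not luhn_valid(pan):
        raise ValueError("PAN fails Luhn check")
    record = {k: v for k, v in auth_request.items()
              if k != "pan" and k not in SENSITIVE_AUTH_FIELDS}
    record["pan_masked"] = mask_pan(pan)
    record["pan_token"] = pan_token(pan, key)
    return record


def scrub_log_line(line: str) -> str:
    """Requirement 4 says log application activity, but the PAN may not land in
    logs: mask any Luhn-valid card number and redact sensitive auth fields."""
    def _mask(match):
        digits = re.sub(r"[ -]", "", match.group(0))
        return mask_pan(digits) if luhn_valid(digits) else match.group(0)
    line = PAN_CANDIDATE.sub(_mask, line)
    return SENSITIVE_LOG_FIELDS.sub(r"\1=[redacted]", line)


if __name__ == "__main__":
    KEY = b"demo-key-would-come-from-an-hsm"      # constructed for the demo only
    auth = {                                      # constructed sample request
        "pan": "4111 1111 1111 1111", "expiry": "1209", "amount": "19.99",
        "cvv2": "123", "track2": ";4111111111111111=12091011234567890?",
    }
    print(to_storable_record(auth, KEY))
    print(scrub_log_line(
        "2008-06-11 10:32:01 AUTH approved pan=4111 1111 1111 1111 cvv2=123 amount=19.99"))
```

    The Luhn check alone passes roughly one in ten arbitrary digit runs of plausible length, so a scrubber built this way errs toward over-masking; for PCI purposes that is the right direction, and production scrubbers usually add issuer BIN ranges to cut the noise. Keeping the masked PAN and the token in the same record is acceptable only because the token is keyed; a truncated PAN stored next to an unkeyed hash of the same PAN lets an attacker recover the number by enumeration.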
    28. PCI-DSS
    29. The PCI Security Standards Council. "The PCI Security Standards Council is an open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection." Source: http://www.pcisecuritystandards.org/index.html
    30. What Does PCI-DSS Consist of? Twelve requirements in six groups:
       Build and Maintain a Secure Network
         1. Install and maintain a firewall configuration to protect data
         2. Do not use vendor-supplied defaults for system passwords and other security parameters
       Protect Cardholder Data
         3. Protect stored data
         4. Encrypt transmission of cardholder data and sensitive information across public networks
       Maintain a Vulnerability Management Program
         5. Use and regularly update anti-virus software
         6. Develop and maintain secure systems and applications
       Implement Strong Access Control Measures
         7. Restrict access to data by business need-to-know
         8. Assign a unique ID to each person with computer access
         9. Restrict physical access to cardholder data
       Regularly Monitor and Test Networks
         10. Track and monitor all access to network resources and cardholder data
         11. Regularly test security systems and processes
       Maintain an Information Security Policy
         12. Maintain a policy that addresses information security
    31. PABP / PCI-DSS Timelines
    32. Good Information, Is It Really That Important? ● Short answer – Yes! ● Longer answer – The PCI Security Standards Council officially announced the release of the Payment Application Data Security Standard (PA-DSS), based upon the PABP specification (11/7/2007) – The first version of the PA-DSS specification was released by the PCI Security Standards Council (4/15/2008) – After engaging with developers, banks, merchants, etc., the PCI SSC gathered more than 2,000 questions and released version 1.2 of the specification (5/14/2008) – YES!
    33. Selling PABP-Validated Applications
    34. Finding PABP Solutions: Visa mandate timeline • Current: newly installed applications must not be vulnerable • 7/1/2008: new applications must be certified as compliant • 10/1/2008: new merchants must use a PABP application or already be PCI-DSS compliant • 7/1/2010: all merchants must use PABP-validated applications
    35. Vulnerable Payment Applications
    36. Visa List of PABP-Validated Solutions
    37. Helping Merchants Comply with PCI-DSS
    38. Advantages For Your Customers • Protection from Fines for Non-Compliance • Required for Onboarding / PABP Implementation • Gives Your Customers Safe Harbor
    39. Advantages For You • Strengthens your Client Relationships • Broadens your Range of Services
    40. The Compliance Ecosystem (diagram of the parties and their obligations; the labelled actions are: comply with PCI and secure cardholder data; educate merchants; report merchant compliance to Card Brands; use compliant processors; enforce PCI; fill out Self-Assessment Questionnaire; promote adoption (sanctions, rewards); maintain PCI DSS; certify ASVs; secure cardholder data and comply with PCI; verify compliance through quarterly vulnerability scans; render opinions to acquiring bank)
    41. Develop Compliant Applications
    42. What Do I Do Next? ● ISVs are uniquely positioned. Both the Commerce Service Provider and the Merchant care about security. We can capture that opportunity. ● Learn More: – PCI Answers - http://www.pcianswers.com – SPSP – http://paymentsecuritypros.com ● Payments and Security go hand-in-hand.
    44. Thank You. For More Information: thannan <at> ipcommerce <dot> com; http://tylerhannan.blogspot.com; http://commercelab.ipcommerce.com

    Uploaded to SlideShare by tylerhannan. http://isvinnovation.com/Directory/Description.aspx

    © All Rights Reserved