Lisa Shipley (Fraud & AML Stream)- Extending the PCI Boundary to Reduce Fraud


6th BankTech Asia - Lisa Shipley's presentation


  1. Lisa Shipley: Extending the PCI Boundary to Reduce Fraud (September 24, 2014)
  2. Lisa Shipley
     - Executive Vice President and Managing Director of Transaction Network Services (TNS)
     - Over 25 years of experience in the payment industry
     - Comprehensive insight into the payment industry, ranging from financial institutions in payments to non-traditional entrants
     TNS at a glance:
     - Expertise: 60,000+ merchants around the world
     - Scalability: 8 billion+ enterprise-wide daily transactions
     - Flexibility: 200+ acquirer and processor network connections
     - Reach: 65+ countries where TNS conducts business
  3. Global Market Trends Leading Us to New Security Requirements
  4. Global Payment Market Trends
     - General shift from cash to "cards", with the market share of ePayments growing
       - Cross-border acquiring
       - Companies trying to keep up with global technology trends
     - Growth in mobile payments and the deployment of mobile wallets
     - Climate change at the POS
       - Mobile acceptance devices will grow quickly in Asia
       - Adoption of POS-based tablets over the next 12-24 months will impact deployment, communications, and transaction flows
     - Instrumenting the age of context
       - Always Connected meets Big Data: data generated through mobile, social media, sensors, and location technologies
       - It's about cards and cards on file
     - The omni-channel customer
       - How merchants interact with consumers will change as mobile data connections provide pre-sale traffic patterns and individual behavior demands
  5. Market Trend Impacts on Processors, Banks, and Acquirers
     - Great infrastructure required
       - Secure cloud services, rock-solid mobile broadband access, technology flexibility, and more are required to make it all work
     - Telecom shifts
       - The shift from circuit-switched to IP landline and mobile broadband touches the entire ecosystem
     - Security and authentication services
       - Cloud-based security and flexible technologies
     - Value chain integration
       - "Connections" are more important than ever
       - Merchants' need for diversity: managed POS encryption, tokenization
     - Compliance safe haven
       - Beyond PCI compliance
       - Security monitoring
       - Vulnerability management
  6. Increasing Complexity
  7. Complex Connectivity
     Security is required across the entire process of transaction processing.
     [Diagram: endpoints (stand-alone or integrated POS, store POS, eCommerce, ATM or kiosk, call center / virtual terminal) of various device types connect over access methods (dial, wireless IP, wired IP) with various line speed options and SSL or VPN security, through transport methods and routing options, to the acquiring host, ATM host, issuer host, and 3rd party hosts (prepaid, gift, TPP) and host / 3rd party applications.]
  8. Problems Faced in Securing Payments
     - PCI DSS compliance complexity and cost
     - Cost of a breach, tangible and intangible
     - Internal and external threats
     - Integration and support costs
     - Speed to market
     - Decryption outside of the merchant environment
     - Encryption from the decryption event to the host
     - Flexibility for processor connectivity
  9. Merchants need to quarantine PCI-sensitive data away from the corporate network
     [Diagram: Terminal -> POS -> Store Controller -> EFT Switch -> Managed Services (cloud-based, in-flight decryption) -> Acquiring Host. Card data is encrypted from the terminal through the EFT switch and in the clear only after the managed service.]
     - Format-preserving encryption + processor message format = transparency to existing merchant payment systems; merchant PCI-DSS scope reduction
     - Cloud-based, in-flight decryption + PCI-DSS certified environment = removes card data from the merchant environment; support for multiple decryption solutions; rapid time-to-market for merchants and processor
     - Processor message format + clear card data = no modifications to the processing host environment
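As an added illustration of the slide 9 architecture (not TNS's code or material from the deck): the terminal encrypts the PAN with a format-preserving cipher, so the authorization message keeps the processor's fixed-width layout all the way through the store and EFT switch, and the managed service decrypts it in flight before it reaches the host. The cipher below is a simplified Feistel construction over decimal strings with HMAC-SHA256 as the round function, a stand-in for a standardized FPE mode such as NIST FF1; the message layout, key and PAN are constructed for the example.

```python
import hmac
import hashlib

ROUNDS = 10  # even, so both halves end up back in their original positions


def _round_fn(key: bytes, rnd: int, half: str, width: int) -> int:
    """Feistel round function: HMAC-SHA256 over (round, half), reduced to `width` decimal digits."""
    digest = hmac.new(key, bytes([rnd]) + half.encode(), hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % (10 ** width)


def fpe_encrypt_digits(key: bytes, digits: str) -> str:
    """Encrypt a decimal string to a decimal string of the same length (simplified Feistel FPE)."""
    assert digits.isdigit() and len(digits) >= 2
    u = len(digits) // 2
    a, b = digits[:u], digits[u:]          # halves may be unequal for odd lengths
    for r in range(ROUNDS):
        w = len(a)
        c = (int(a) + _round_fn(key, r, b, w)) % (10 ** w)
        a, b = b, str(c).zfill(w)          # swap; keep the width of the replaced half
    return a + b


def fpe_decrypt_digits(key: bytes, digits: str) -> str:
    """Inverse of fpe_encrypt_digits: undo the rounds in reverse order."""
    u = len(digits) // 2
    a, b = digits[:u], digits[u:]
    for r in reversed(range(ROUNDS)):
        w = len(b)
        prev_a = (int(b) - _round_fn(key, r, a, w)) % (10 ** w)
        a, b = str(prev_a).zfill(w), a
    return a + b


# Constructed processor message layout: 4-char type, 19-char left-aligned PAN field, 12-digit amount.
def build_auth_message(pan: str, amount_cents: int) -> str:
    return f"0200{pan:<19}{amount_cents:012d}"


def parse_auth_message(msg: str) -> dict:
    return {"type": msg[:4], "pan": msg[4:23].strip(), "amount": int(msg[23:35])}


def terminal_encrypt(key: bytes, pan: str, amount_cents: int) -> str:
    """Terminal side: the PAN is FPE-encrypted before it enters the store network."""
    return build_auth_message(fpe_encrypt_digits(key, pan), amount_cents)


def cloud_decrypt(key: bytes, msg: str) -> str:
    """Managed-service side: decrypt in flight and re-emit the identical layout for the host."""
    f = parse_auth_message(msg)
    return build_auth_message(fpe_decrypt_digits(key, f["pan"]), f["amount"])
```

Because the ciphertext is all digits of the same length, the unchanged parse_auth_message handles the encrypted message exactly as it handles the clear one, which is the transparency the slide claims; a merchant system that additionally validates the Luhn check digit would need the scheme extended to preserve it.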
  10. Customers' Data Encryption Goals
     - Reduce the risks associated with the loss of cardholder data
     - Reduce PCI requirement costs by removing cardholder data
     - Help prevent the loss of brand equity and trust
     - Minimize implementation and operations costs of P2PE
     - Deploy a solution that does not require POS changes
     - Employ a technology that is proven in the marketplace, with national retailers already in production
  11. Services and Technologies Used to Safeguard Customer Data
     - Security monitoring
       - Intrusion Detection Systems (IDS)
       - DDoS monitoring and mitigation service
       - Change auditing: File Integrity Monitoring (FIM), router configuration monitoring
     - Cryptography
       - Encryption/decryption devices
     - Vulnerability management
       - Vulnerability scanners
       - Web application scanners
  12. 3rd Party Remote Access: Risk Assessment Required
     The 2014 Verizon Breach Report states:
     - 3rd party software is OK; insecure implementation is the problem
     - The 3rd party hacking vector makes up 55% of POS intrusions
     - 3rd party access is the fastest-growing discovery method for attacks
     (Data provided by the 2014 Verizon Breach Report)
  13. Distributed Denial of Service (DDoS): Attacks by Region
     [Charts: "Attacks by Region Over Time" and "Q1 2014 DDoS Attacks by Region"]
  14. Distributed Denial of Service (DDoS) and the Data Center
  15. TNS Platform of Services
     [Diagram: device connectivity (stand-alone or integrated POS, store POS, ATM or kiosk, eCommerce, call center / virtual terminal) over access methods (dial, wireless IP, wired IP, X.25) with SSL or VPN security and protocol conversion (dial to IP, serial to IP, X.25 to IP), through the TNS Secure Payment Network (TNSPay payment gateways, TNSVerify, TNS SSL Gateway, managed P2PE, mobile commerce, message conversion, payment switching, end-to-end managed services) to host applications: acquiring host, ATM host, issuer host, 3rd party hosts (prepaid, gift, TPP). High availability, multi-host connectivity, managed connectivity.]
     - Reliability: committed service levels and established service record
     - Security: PCI certified network; SSL or VPN transport protection
     - Flexibility: virtually any access to any global host
     - Neutrality: non-competitive partner to align with your business strategy
     - Simplicity: managed service minimizes capital and operational cost
     - Visibility: 24x7 monitoring, help desk and web portal management tool
  16. DDoS Monitoring and Mitigation
     [Diagram: DDoS syslog and utilization data feed the Verisign DDoS 24x7x365 Monitoring and Mitigation Service and the TNS 24x7x365 Network Operations Center; the TNS Global Security Operations Center conducts incident management on escalated attacks after correlation.]
  17. Questions