Cost Of A Breach Case Study and PCI Prioritization

We’re often asked what does a data breach cost? It varies and some of the fines seem subjective. We outline a Case Study to educate retailers to the kind of significant exposure they face for not protecting their business. Next, the PCI Standards Council has outlined areas to secure by Prioritization. We offer details.

Slide 1
Where We Stand.
Costs of a Data Breach
Case Study
PCI Prioritization
Presentation by: Ross Federgreen*
*Founder, CSRSI® THE PAYMENT ADVISORS

Slide 2
PCI Critical Dates
Prioritization
PCI Breach Costs

Slide 3
PCI Critical Dates

Slide 4
ALIGNMENT July 1, 2010
US Payment Application Security Mandate
  Phase I through Phase V
TDES Mandate
POS PIN Acceptance Device Mandate

Slide 5
US Payment Application Security Mandate (CISP 102307)
Phase I through Phase V
Phase I   Jan 1, 2008
Phase II  July 1, 2008
Phase III Oct 1, 2008
Phase IV  Oct 1, 2009
Phase V   July 1, 2010

Slide 6
US Payment Application Security Mandate (CISP 102307)
Phase I through Phase V
Phase I, Jan 1, 2008
Newly boarded merchants must not use known vulnerable payment applications, and VisaNet Processors (VNPs) and agents must not certify new payment applications to their platforms that are known vulnerable payment applications.

Slide 7
US Payment Application Security Mandate (CISP 102307)
Phase I through Phase V
Phase II, July 1, 2008
VNPs and agents must only certify new payment applications to their platforms that are PA-DSS compliant applications.

Slide 8
US Payment Application Security Mandate (CISP 102307)
Phase I through Phase V
Phase III, October 1, 2008
Newly boarded Level 3 and 4 merchants must be PCI DSS compliant or use PA-DSS compliant applications.

Slide 9
US Payment Application Security Mandate (CISP 102307)
Phase I through Phase V
Phase IV, October 1, 2009
VNPs and agents must decertify all vulnerable payment applications.

Slide 10
US Payment Application Security Mandate (CISP 102307)
Phase I through Phase V
Phase V, July 1, 2009
Acquirers must ensure their members, VNPs and agents use only PA-DSS compliant applications.

Slide 11
Triple Data Encryption Standard (TDES) Mandate (PIN Security Bulletin 093008)
Phase I through Phase II
Phase I, January 1, 2009
Newly deployed US Automated Fuel Dispensers must contain a TDES-capable and PCI-approved Encrypting PIN pad.

Slide 12
Triple Data Encryption Standard (TDES) Mandate (PIN Security Bulletin 093008)
Phase I through Phase III
Phase II, July 1, 2010
All US POS PEDs must be encrypting PINs using TDES end-to-end.

Slide 13
POS PIN Mandate (PIN Security Bulletin 093008)
July 1, 2010
All attended POS PIN acceptance device models must have passed testing by a PCI-recognized or pre-PCI-recognized laboratory and have been approved by Visa.

Slide 14
PRIORITIZATION

Slide 15
PRIORITIZATION
"The prioritized approach provides guidance that will help merchants identify how to reduce risk to cardholder data as early on as possible in their compliance journey."
PCI Security Standards Council, 2009

Slide 16
PRIORITIZATION
The Prioritized Approach
Benefits:
- Roadmap
- Pragmatic approach
- Supports financial and operational planning
- Objective and measured progress indicators
- Consistency among QSAs

Slide 17
PRIORITIZATION
The Prioritized Approach
Six security milestones:
1. Remove sensitive authentication data and limit data retention
2. Protect the perimeter, internal and wireless networks
3. Secure payment card applications
4. Monitor and control access to your systems
5. Protect stored cardholder data
6. Finalize remaining compliance efforts and ensure all controls are in place

Slide 18
PCI BREACH COSTS
Slide 19
Total direct costs to a merchant from a PCI event include:
- Card replacement costs, now averaging about $4 per item
- Compliance fines, now ranging from about $5,000 to $50,000 per event for a small merchant (Level III, IV)
- Cost of forensic examination, averaging between $25,000 and $35,000 per event for Level III and IV merchants
- Additional fines for actual fraudulent utilization of stolen PANs (varies)

Slide 20
Total direct costs to a merchant from a PCI event include:
Case Study: July, 2008
A small card-present retailer was breached. The retailer had filled out a self-assessment form and attested to the acquirer that the information was true and correct.
The merchant was found to have stored over 2,000 credit card numbers in an accounting system for "reference" and to bill clients "if they forgot their credit card number".
The file was accessed and the credit card numbers were stolen when the CPU was taken during a robbery. A CPP (common point of purchase) analysis of the affected credit cards revealed the location of the theft.

Slide 21
Total direct costs to a merchant from a PCI event include:
Replacement Cost          $5,000
Compliance Fine           $12,500
Forensic Examination      $25,000
Card Utilization Fines    $74,398.47
TOTAL                     $116,898.47

Slide 22
The merchant also sustained significant reputational cost due to adverse publicity, legal fees, loss of business and other expenses.
The merchant filed for protection under bankruptcy.
The amounts due were assessed to the ISO by the acquirer.
Visa fined the ISO additional fees following an examination of the ISO's practices as they relate to PCI adoption and its plan for the portfolio under VBR 07508 after the initial event.
The ISO sustained a financial loss of $189,354.45.
Slide 23
Study: Maine Bureau of Financial Institutions, January 2009
Study design: Cost of the TJX and Hannaford breaches borne by Maine-chartered banks and credit unions
*Recovery cost: investigation, communication, reissuance and net fraud

Slide 24
Study: Ponemon Institute, February 2009
Study design: Cost of compromise to 43 companies in 2008. Each company volunteered under the condition of anonymity.

Slide 25
Do you have questions about how to strategically plan for PII legislation?
Would you like advice or complete guidance on how to evaluate PII access, storage, and handling in your business?
Contact us. We're glad to help. Read more at www.CSRSI.com

Ross Federgreen
866-462-7774 x1
rfedergreen@csrsi.com
Jensen Beach, FL

Jan Carroza
866-462-7774 x4
jcarroza@csrsi.com
Seattle, WA