SlideShare a Scribd company logo

Pci Forensic What You Dont Know

Download as KEY, PDF
David Barnett
David Barnett

Bsides San Francisco 2010 What to know when responding to a data breach. How to work with Visa, MasterCard, merchant bank, processor, your lawyer and the forensic investigator (QIRA)

TechnologyEconomy & FinanceBusiness
1 of 61
Preparing for a PCI forensic investigation A ex-QIRA speaks out Copyright 2010
What is a QIRA?
What is a QIRA? Qualified Incident Response Assessor
What is a QIRA? Qualified Incident Response Assessor They are the special investigation units of the Payment Card Industry who have PCI knowledge and forensic examination skills (supposedly)
david.barnett@orbitz.com or David Barnett david.barnett@blue-lava.net Sr. Security Architect, Orbitz WorldWide also - Sr. Consultant, Blue-Lava - Financial crimes forensic/fraud Ex Forensics Investigator for a QSA (QIRA) Consultant/Educator for US Secret Service, DHS, FBI, and DoD. Participant HoneyNet Project Copyright 2010
Why this talk Conversations with David Taylor from PCI Knowledge Base. Provided a wealth of data from interviews and anonymous questionnaires. Dave passed away suddenly from a heart attack on Oct 27, 2009. Breach war stories have been done ad-nausea, poorly most of the time
Breaches effect all merchant levels
Level 4 Merchants
Multi-Site Franchises
Big Corporations
Incident Response Plans should basically the same for all merchant levels
Lessons from 100+ CC investigations Find the right lawyer Pick your forensics investigator* Know how to work with your merchant bank and the card associations Ensure your software/hardware vendors, VARs, subcontractors, etc. take responsibility for their work Prepare for the QIRA onsite investigation *note - forensic (QIRA) vs. other forensic entities
How did we get here?
In the beginning: US Secret Service and Card Association saw individual breaches not the wider common attack trends Investigated them as isolated breaches Remediated as isolated cases No or little breach trending
Let’s talk a little about breaches
The fundamental ways data breaches occur - Theft or Loss of Physical Equipment: such as laptop computers or memory storage devices. Illegal access to the systems or information: A data breach can occur through unlawful access to PII data by technological means such as hacking into existing computer systems. Insiders: A data breach can be committed by current employees, ex- employees
A credit card breach = PCI forensics onsite Who is allowed to perform forensics Only Qualified Incident Response Assessors Master list at http://usa.visa.com/merchants/risk_management/ cisp_if_compromised.html The list has changed over the last few years - Last BIG update January 11, 2010 (only 3 companies when I was in the thick of it) The process of who can be one and who can’t makes no sense at all - though looks to be improving
How are merchants notified? or “Why are they picking on me?” Almost all notification is due to the merchant ID being identified by one of the card brands as a Common Point of Purchase, typically referred to as (CPP) or Point of Compromise (POC) This is the one method of how a merchant or processor can be identified as the breach point in a payment card fraud / compromise 
In this case, the similarity is a single business where all of the stolen credit cards had been used before the cards had been involved in fraudulent activity. This could potentially be the sign of an employee skimming card numbers, or a breach in a database. There are always going to be coincidences involving data on a large scale, but because of the scale, itʼs very difficult to end up with false positive fraud once a margin of error is established.
Card issuers may request that MasterCard initiate an investigation of a merchant for possible CPP activity at any time. Acquiring banks have 5 business days to acknowledge a request from MasterCard for a CPP investigation and 30 calendar days to complete the investigation. Failure to respond may result in fines or assessments. $$$$ Only MasterCard, not a member bank, may designate a merchant location as a CPP and request that an acquiring bank conduct a CPP investigation. MasterCard will identify a merchant location as a CPP from one or more of the following sources: Information received from law enforcement and investigative authorities Card issuers in accordance with the established criteria MasterCard systems, databases, and any other source deemed to be reliable
“Hello, you’ve been breached” Now what?
It is important to move swiftly 1. Follow your completed Data Breach Incident Response Plan 2. Document all ongoing events, all people involved, and all discoveries into a timeline for evidentiary use. The following is a list of actions that are going to need to be taken when a breach occurs:
Visa Fraud Investigations CISP Team has their own agenda, though they state the following: 1 Works with the compromised entity to obtain all potentially compromised account numbers. 2 Disseminates "at risk" account numbers (or data) to the issuing banks. 3 Begins monitoring the activity on the affected accounts. 4 Works with the appropriate law enforcement on the entity’s behalf. 5 Provides guidelines to the compromised entity to assist them in responding to the incident. 6 Works with the entity to identify security deficiencies. 7 Facilitates forensic investigation in a timely manner. 8 Ensures the entity takes corrective action to minimize the risk of future loss or theft of account information. 9 Works with the entity to verify PCI DSS compliance in an expedited timeframe.
Account Data Compromise Recovery (ADCR) process: Visa validates whether validated compromise meets ADCR criteria (full track, 10,000+ US accounts, incremental magnetic stripe counterfeit fraud on accounts) Visa calculates and advises the acquirer of its potential ADCR financial liability If at the end of the issuer fraud reporting window Visa calculates actual fraud and operating expense liability due to each participating and impacted issuer Visa notifies acquirers and issuers of their respective liability and reimbursement
From Breach to Fraud - Typical Timeline Date of Transaction at Entity Date of Transaction at Entity for Earliest Account for LatestAccount Compromised Compromised DATE THE BREACH WAS DISCOVERED: PERIOD of Compromised # of Accounts Likely off this chart, BEGIN Transactions List of Accounts END most breaches are not Time period of entity's transaction data Dates of Transactions discovered until late - due to poor monitoring/ logging Period of Breach End date of Breach Time Period of penetration PERIOD of Compromised Transactions Start Date of Breach DELAY END Time period when entity's transaction data is exploited PCI Assessments are only Date of earliest Date of latest valid for a "point in time: fraudulent Transaction fraudulent Transaction Breaches occur over extended periods. Inactive Inactive Pre-Breach Stage Sustained Breach Exploitation-Only Stage Stage Stage
Compromised Account Management System (CAMS): Merchant discovers account compromise and notifies it acquiring bank Compromised (or suspected) accounts are uploaded into CAMS for monitoring Visa investigates to determine if an account compromise has occurred and sends CAMS alerts to affected issuers to notify them of compromised accounts Affected issuers monitor, block or close compromised accounts
Post notification, know what your expected to do, what you need to do, and the difference
Visa mandated steps in event of a suspected payment card data breach Immediately contain and limit exposure Alert all necessary parties immediately Provide all compromised accounts to your merchant bank within 10 days Provide an Incident Response Report within 3 days to your merchant bank
What your expected to do by the card associations The development of an Incident Response Plan is mandated by the PCI DSS in Requirement 12.9: 12.9.1: Create an incident response plan 12.9.2: Test the plan at least annually 12.9.3: Designate specific personnel to be available on a 24/7 basis to respond to incidents 12.9.4: Provide appropriate training to staff with security breach response responsibilities 12.9.5: Include alerts from IDS, IP and file integrity monitoring systems 12.9.6: Develop processes to modify and evolve the IR plan according to lessons learned.
Focus areas during the forensic investigation Determine the type of cardholder information at risk Determine the how many cardholder information is /was at risk Perform incident validation and assessment Check for sensitive authorization data - Track data, CVV2 and PIN block storage Review payment gateway, VisaNet endpoint security and risk Preserve all electronic evidence Perform an internal and external vulnerability scan Was the merchant PCI compliant at the time of the breach
Be sure to contact - Your internal information security group and incident response team. Your merchant bank. Your local office of the United States Secret Service. If you do not know the exact name and/or contact information for your merchant bank, notify Visa Fraud Investigations and Incident Management group immediately at (650) 432-2978.
Provide all compromised Visa, Interlink, and Plus accounts to your merchant bank within 10 business days. All potentially compromised accounts must be provided and transmitted as instructed by your merchant bank and Visa Fraud Investigations and Incident Management group. Visa will distribute the compromised Visa account numbers to Issuers and ensure the confidentiality of entity and non-public information. Within 3 business days of the reported compromise, provide an Incident Report document to your merchant bank
Know the key stakeholders
..and know them intimately Merchant POS Software/hardware Merchant Bank Card Association Acquiring Payment Processor Bank Gateway
Be Prepared to Answer the Following Initial point of entry Timeline of events Intruder information Data exfiltrated and exposed Compromised accounts Malware Network architecture and application overview Logging and monitoring Investigative methods Regulatory review Encryption Containment efforts
Per Visa - Identify and establish relationships agreements with key vendors, including: Outside IT security forensics experts who can investigate if, when and how a breach occurred, and how to close and repair your system. “Visa requires its partners to use external experts for this function, and doing so is critical to establishing credibility with the media, customers, investors and other key audiences. Also, consider using a different vendor from the one that may have done previous security assessments “
Identify how the breach happened, contain the breach, and implement a solution so it can not happen again Notify appropriate people within the company Notify External Agencies, within required time frames, such as: ›› Forensics Investigator ›› Law Enforcement ›› Affected vendors, suppliers ›› FTC ›› State Attorneys General (where applicable) ›› Consumers
Visa and MasterCard are not interested in forensics, they are interested in risk mitigation. Visa maintains relationships with their QSA’s for a reason Tend to work with the same people throughout the PCI-DSS world, for example, same people move from a QSA company to the PCI SSC (PCI Security Standards Council) Creates an echo chamber Lack of knowledge of modern forensics Place artificial pressure on investigators to got out a compromise time frame Rather wind down a case on lax evidence than determine the true causal effect of compromise and compromise patterns Saw this all the time while a QIRA
Important breach issues Breach Issues Action Items Mandated Breach Notification Which States require notification Media reporting Hire firm for media coverage and Negative customer reaction creating early press releases Cost associated with brand damage Early customer communications and lost revenue
Breach Fines (the ugly truth)
Fines; according to the card associations Stiff fines and penalties ranging from $10K-$500K per month for non- compliance $500K fine per credit card data compromise incident if not PCI compliant $100K fine if Visa is not immediately notified of as suspected data breach If track data or other sensitive data elements was compromised, the merchant can be assessed the estimated cost of fraud under Visa’s ADCR Program as well as cost of card re-issuance (est. $7-$20 per card) Potential termination of credit card processing privileges
Monthly Prohibited Data Fines for Merchant Data Storage Violation Fines Compromise Up to $600,000 for non-compliance Months with PCI DSS requirements. Months 1-3 Months 4-6 Issuer Recovery Cost of Fraud. Months 7 and up Charges that occurred on all exposed Merchant Level 1 cards from the compromised $10,000 location. $50,000 $100,000 The cost of the forensic investigation. Merchant Level 2 $5,000 The cost to replace exposed credit $25,000 cards. $50,000
In reality, fines have been handed down with no consistency Large discrepancies in the per incident cost between large level 1 merchants and level 4 merchants An average fine for a single food services merchant (a local bar) was $350k not including: lawyers costs Forensics assessment, incident investigation and containment Upgrading non-compliant POS software & IT and security remediation and enhancements Identity protection for impacted individuals (~$30 per person) Cost associated with onsite validation for 1 year - now a Level 1 merchant Class action lawsuits and liability in the event that privacy data was compromised
The Heartland Data Breach Aftermath "Visa sent customized settlement information packets to the affected financial institutions on January 14, 2010. In order to accept the settlement, a financial institution was required to affirmatively complete and return the settlement paperwork to Visa by January 29, 2010," said the statement from lawyers representing some of the impacted banks. "The offers--at least those reviewed by class counsel--appeared to be less than 10 cents on the dollar for most financial institutions and some at less than 1 cent on the dollar."
Other issues to deal with
Make sure you know a qualified lawyer and call them immediately A good lawyer can make all the difference in the penalty phase
Interview your lawyer Does the lawyer have: dedicated Internet law department? In house forensics professional? Know what PCI is? Worked with and know key individuals at Visa/MasterCard, the banks, processors, etc. How many digital crimes cases have they handled?
Merchant Bank Know your merchant bank’s Point of Contact for fraud /PCI Call them. Get to know this person. Take them for a beer. They will be involved early in the process, up until the very end. They typically know their counter parts at the card associations But wait, do you have a processor who isn’t your merchant bank? Better find out and give them a call too! Ensure these people are your advocate.
Hardware/Software Vendors For level 4 merchants this can be quite complicated
Where does the responsibility lay? Customer Software/ Implementation Hardware Developer VAR OEM
Large Merchants Per incident costs typically lower than level 3 or 4 merchants IT staff Leverage with manufacturers Media/Marketing Dept. to control the message
The “favorites” game Several instances of medium to large size breaches which remain off all breach lists and in the media Good legal representation early in the process Tend to lay blame of the software/hardware vendors Card Associations deathly afraid of Full Disclosure These and other issues have lead to many complaints of the ADCR process http://Datalossdb.org unofficial master record-keeper of breaches
From 01/21/2010 www.infolawgroup.com
News Update From 01/21/2010 www.infolawgroup.com
News Update In an interesting development, a handful of issuing banks impacted by the Heartland breach have filed a class action lawsuit against two acquiring banks related to Heartland Payment Systems. According to this article, the issuing banks are unhappy with Heartland's proposed settlement with Visa.  This appears and to be an attempted end-run around the proposed $60 million settlement with Visa.  It also may demonstrate that issuing banks are not satisfied with the dispute resolution mechanisms under the Visa Operating Regulations (the Account Data Compromise Recovery process estimated the loss at $140 million, yet the settlement was for only $60 million), and their ability to be made whole under those mechanisms. From 01/21/2010 www.infolawgroup.com
Breach Trends Just as merchants shop for PCI assessors (QSA’s) merchants shop for QIRA’s This tends to skew a specific company’s analysis
TrustWave Verizon Symantec CyberTrust Hospitality: 38%* Retail: 31% Education: 27% Financial services: 30% Government: 20% Financial services: 19% Food and beverage:14% Health care:15% Retail: 14% Hospitality:6% Financial :14% Food and beverage:13% Other: 17% .............
Trend Analysis Trend numbers from each company by themselves should not be taken all that seriously Some basic trends can be seen when viewed outside the confines of these companies www.datalossdb.org is a good overall source for breach data but ... several breach cases I worked on and am aware of are not on their list
Definite trends can be seen when viewed outside the confines of each of the forensics company
Next up ..... banks (February 16, 2010) A Michigan-based manufacturing firm is suing its bank after online crooks depleted the company's account by $560,000 via a series of unauthorized wire transfers last year. The lawsuit is one of several that have been filed over the past few months involving banks and customers victimized by online theft. In this case, the theft occurred after an employee at EMI supplied the crooks with the company's online banking credentials in response to a phishing e- mail that purported to come from the bank.

Recommended

Sipc%20 English%202009
Sipc%20 English%202009Sipc%20 English%202009
Sipc%20 English%202009guest743684
 
Red Flag Rules Compliant? Maybe Not...!
Red Flag Rules Compliant? Maybe Not...!Red Flag Rules Compliant? Maybe Not...!
Red Flag Rules Compliant? Maybe Not...!pdallen
 
How really to prepare for a credit card compromise (PCI) forensics investigat...
How really to prepare for a credit card compromise (PCI) forensics investigat...How really to prepare for a credit card compromise (PCI) forensics investigat...
How really to prepare for a credit card compromise (PCI) forensics investigat...Security B-Sides
 
Merchant Account Tips: Proven Methods for Reducing Online Credit Card Fraud &...
Merchant Account Tips: Proven Methods for Reducing Online Credit Card Fraud &...Merchant Account Tips: Proven Methods for Reducing Online Credit Card Fraud &...
Merchant Account Tips: Proven Methods for Reducing Online Credit Card Fraud &...CDGcommerce
 
Heartland
HeartlandHeartland
Heartlandgrimesjo
 
Window of Compromise
Window of CompromiseWindow of Compromise
Window of CompromiseSecurityMetrics
 
How to Effectively Manage a Data Breach
How to Effectively Manage a Data Breach How to Effectively Manage a Data Breach
How to Effectively Manage a Data Breach SecurityMetrics
 
Portabl - The state of open banking, regulations, and the intersection of SSI...
Portabl - The state of open banking, regulations, and the intersection of SSI...Portabl - The state of open banking, regulations, and the intersection of SSI...
Portabl - The state of open banking, regulations, and the intersection of SSI...SSIMeetup
 

Recommended

Sipc%20 English%202009
Sipc%20 English%202009Sipc%20 English%202009
Sipc%20 English%202009guest743684
 
Red Flag Rules Compliant? Maybe Not...!
Red Flag Rules Compliant? Maybe Not...!Red Flag Rules Compliant? Maybe Not...!
Red Flag Rules Compliant? Maybe Not...!pdallen
 
How really to prepare for a credit card compromise (PCI) forensics investigat...
How really to prepare for a credit card compromise (PCI) forensics investigat...How really to prepare for a credit card compromise (PCI) forensics investigat...
How really to prepare for a credit card compromise (PCI) forensics investigat...Security B-Sides
 
Merchant Account Tips: Proven Methods for Reducing Online Credit Card Fraud &...
Merchant Account Tips: Proven Methods for Reducing Online Credit Card Fraud &...Merchant Account Tips: Proven Methods for Reducing Online Credit Card Fraud &...
Merchant Account Tips: Proven Methods for Reducing Online Credit Card Fraud &...CDGcommerce
 
Heartland
HeartlandHeartland
Heartlandgrimesjo
 
Window of Compromise
Window of CompromiseWindow of Compromise
Window of CompromiseSecurityMetrics
 
How to Effectively Manage a Data Breach
How to Effectively Manage a Data Breach How to Effectively Manage a Data Breach
How to Effectively Manage a Data Breach SecurityMetrics
 
Portabl - The state of open banking, regulations, and the intersection of SSI...
Portabl - The state of open banking, regulations, and the intersection of SSI...Portabl - The state of open banking, regulations, and the intersection of SSI...
Portabl - The state of open banking, regulations, and the intersection of SSI...SSIMeetup
 
Jon ppoint
Jon ppointJon ppoint
Jon ppointCheryl White
 
Payment Card Industry Adjudication Process
Payment Card Industry Adjudication ProcessPayment Card Industry Adjudication Process
Payment Card Industry Adjudication ProcessHB Litigation Conferences
 
How to Use Data Analytics to Detect Fixed Asset and Inventory Fraud
How to Use Data Analytics to Detect Fixed Asset and Inventory FraudHow to Use Data Analytics to Detect Fixed Asset and Inventory Fraud
How to Use Data Analytics to Detect Fixed Asset and Inventory FraudFraudBusters
 
Riskpro Capital Markets Industry
Riskpro Capital Markets IndustryRiskpro Capital Markets Industry
Riskpro Capital Markets IndustryRahul Bhan (CA, CIA, MBA)
 
Forensic Audit.pptx
Forensic Audit.pptxForensic Audit.pptx
Forensic Audit.pptxmainuddinbhuiyan4
 
Best Practices in Remote Deposit Capture Risk Management
Best Practices in Remote Deposit Capture Risk ManagementBest Practices in Remote Deposit Capture Risk Management
Best Practices in Remote Deposit Capture Risk ManagementJTLeekley
 
Telecom Revenue Assurance Workshop
Telecom Revenue Assurance WorkshopTelecom Revenue Assurance Workshop
Telecom Revenue Assurance WorkshopParcus Group
 
Fraud risk management in banks
Fraud risk management in banksFraud risk management in banks
Fraud risk management in bankssathyananda prabhu
 
North Face
North FaceNorth Face
North FaceKaty Allen
 
Insight2014 mitigate risk_fraud_6863
Insight2014 mitigate risk_fraud_6863Insight2014 mitigate risk_fraud_6863
Insight2014 mitigate risk_fraud_6863IBMgbsNA
 
Misconduct or Missed Conduct? Ensuring Consistent SAR Reporting of Internal M...
Misconduct or Missed Conduct? Ensuring Consistent SAR Reporting of Internal M...Misconduct or Missed Conduct? Ensuring Consistent SAR Reporting of Internal M...
Misconduct or Missed Conduct? Ensuring Consistent SAR Reporting of Internal M...Case IQ
 
Using Data Analytics to Conduct a Forensic Audit
Using Data Analytics to Conduct a Forensic AuditUsing Data Analytics to Conduct a Forensic Audit
Using Data Analytics to Conduct a Forensic AuditFraudBusters
 
Data Breaches Preparedness (Credit Union Conference Session)
Data Breaches Preparedness (Credit Union Conference Session)Data Breaches Preparedness (Credit Union Conference Session)
Data Breaches Preparedness (Credit Union Conference Session)NAFCU Services Corporation
 
Evolution of Trade Finance Technology
Evolution of Trade Finance Technology Evolution of Trade Finance Technology
Evolution of Trade Finance Technology Financial Poise
 
Data Breach Response: Before and After the Breach
Data Breach Response: Before and After the BreachData Breach Response: Before and After the Breach
Data Breach Response: Before and After the BreachFinancial Poise
 
Party riskometer
Party riskometerParty riskometer
Party riskometerMilova Sharan-Sinha
 
ACH Payments - Banking Fraud
ACH Payments - Banking FraudACH Payments - Banking Fraud
ACH Payments - Banking FraudGuardian Analytics
 
Entire forensic accounting project
Entire forensic accounting projectEntire forensic accounting project
Entire forensic accounting projectavinash mathias
 
BIZGrowth Strategies - Fall 2017
BIZGrowth Strategies - Fall 2017BIZGrowth Strategies - Fall 2017
BIZGrowth Strategies - Fall 2017CBIZ, Inc.
 
Irm 15-trademark infringement
Irm 15-trademark infringementIrm 15-trademark infringement
Irm 15-trademark infringementKasper de Waard
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 

More Related Content

Similar to Pci Forensic What You Dont Know

How to Use Data Analytics to Detect Fixed Asset and Inventory Fraud
How to Use Data Analytics to Detect Fixed Asset and Inventory FraudHow to Use Data Analytics to Detect Fixed Asset and Inventory Fraud
How to Use Data Analytics to Detect Fixed Asset and Inventory FraudFraudBusters
 
Best Practices in Remote Deposit Capture Risk Management
Best Practices in Remote Deposit Capture Risk ManagementBest Practices in Remote Deposit Capture Risk Management
Best Practices in Remote Deposit Capture Risk ManagementJTLeekley
 
Telecom Revenue Assurance Workshop
Telecom Revenue Assurance WorkshopTelecom Revenue Assurance Workshop
Telecom Revenue Assurance WorkshopParcus Group
 
Fraud risk management in banks
Fraud risk management in banksFraud risk management in banks
Fraud risk management in bankssathyananda prabhu
 
Insight2014 mitigate risk_fraud_6863
Insight2014 mitigate risk_fraud_6863Insight2014 mitigate risk_fraud_6863
Insight2014 mitigate risk_fraud_6863IBMgbsNA
 
Misconduct or Missed Conduct? Ensuring Consistent SAR Reporting of Internal M...
Misconduct or Missed Conduct? Ensuring Consistent SAR Reporting of Internal M...Misconduct or Missed Conduct? Ensuring Consistent SAR Reporting of Internal M...
Misconduct or Missed Conduct? Ensuring Consistent SAR Reporting of Internal M...Case IQ
 
Using Data Analytics to Conduct a Forensic Audit
Using Data Analytics to Conduct a Forensic AuditUsing Data Analytics to Conduct a Forensic Audit
Using Data Analytics to Conduct a Forensic AuditFraudBusters
 
Data Breaches Preparedness (Credit Union Conference Session)
Data Breaches Preparedness (Credit Union Conference Session)Data Breaches Preparedness (Credit Union Conference Session)
Data Breaches Preparedness (Credit Union Conference Session)NAFCU Services Corporation
 
Evolution of Trade Finance Technology
Evolution of Trade Finance Technology Evolution of Trade Finance Technology
Evolution of Trade Finance Technology Financial Poise
 
Data Breach Response: Before and After the Breach
Data Breach Response: Before and After the BreachData Breach Response: Before and After the Breach
Data Breach Response: Before and After the BreachFinancial Poise
 
Entire forensic accounting project
Entire forensic accounting projectEntire forensic accounting project
Entire forensic accounting projectavinash mathias
 
BIZGrowth Strategies - Fall 2017
BIZGrowth Strategies - Fall 2017BIZGrowth Strategies - Fall 2017
BIZGrowth Strategies - Fall 2017CBIZ, Inc.
 
Irm 15-trademark infringement
Irm 15-trademark infringementIrm 15-trademark infringement
Irm 15-trademark infringementKasper de Waard
 

Similar to Pci Forensic What You Dont Know (20)

Jon ppoint
Jon ppointJon ppoint
Jon ppoint
 
Payment Card Industry Adjudication Process
Payment Card Industry Adjudication ProcessPayment Card Industry Adjudication Process
Payment Card Industry Adjudication Process
 
How to Use Data Analytics to Detect Fixed Asset and Inventory Fraud
How to Use Data Analytics to Detect Fixed Asset and Inventory FraudHow to Use Data Analytics to Detect Fixed Asset and Inventory Fraud
How to Use Data Analytics to Detect Fixed Asset and Inventory Fraud
 
Riskpro Capital Markets Industry
Riskpro Capital Markets IndustryRiskpro Capital Markets Industry
Riskpro Capital Markets Industry
 
Forensic Audit.pptx
Forensic Audit.pptxForensic Audit.pptx
Forensic Audit.pptx
 
Best Practices in Remote Deposit Capture Risk Management
Best Practices in Remote Deposit Capture Risk ManagementBest Practices in Remote Deposit Capture Risk Management
Best Practices in Remote Deposit Capture Risk Management
 
Telecom Revenue Assurance Workshop
Telecom Revenue Assurance WorkshopTelecom Revenue Assurance Workshop
Telecom Revenue Assurance Workshop
 
Fraud risk management in banks
Fraud risk management in banksFraud risk management in banks
Fraud risk management in banks
 
North Face
North FaceNorth Face
North Face
 
Insight2014 mitigate risk_fraud_6863
Insight2014 mitigate risk_fraud_6863Insight2014 mitigate risk_fraud_6863
Insight2014 mitigate risk_fraud_6863
 
Misconduct or Missed Conduct? Ensuring Consistent SAR Reporting of Internal M...
Misconduct or Missed Conduct? Ensuring Consistent SAR Reporting of Internal M...Misconduct or Missed Conduct? Ensuring Consistent SAR Reporting of Internal M...
Misconduct or Missed Conduct? Ensuring Consistent SAR Reporting of Internal M...
 
Using Data Analytics to Conduct a Forensic Audit
Using Data Analytics to Conduct a Forensic AuditUsing Data Analytics to Conduct a Forensic Audit
Using Data Analytics to Conduct a Forensic Audit
 
Data Breaches Preparedness (Credit Union Conference Session)
Data Breaches Preparedness (Credit Union Conference Session)Data Breaches Preparedness (Credit Union Conference Session)
Data Breaches Preparedness (Credit Union Conference Session)
 
Evolution of Trade Finance Technology
Evolution of Trade Finance Technology Evolution of Trade Finance Technology
Evolution of Trade Finance Technology
 
Data Breach Response: Before and After the Breach
Data Breach Response: Before and After the BreachData Breach Response: Before and After the Breach
Data Breach Response: Before and After the Breach
 
Party riskometer
Party riskometerParty riskometer
Party riskometer
 
ACH Payments - Banking Fraud
ACH Payments - Banking FraudACH Payments - Banking Fraud
ACH Payments - Banking Fraud
 
Entire forensic accounting project
Entire forensic accounting projectEntire forensic accounting project
Entire forensic accounting project
 
BIZGrowth Strategies - Fall 2017
BIZGrowth Strategies - Fall 2017BIZGrowth Strategies - Fall 2017
BIZGrowth Strategies - Fall 2017
 
Irm 15-trademark infringement
Irm 15-trademark infringementIrm 15-trademark infringement
Irm 15-trademark infringement
 

Recently uploaded

2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024SynarionITSolutions
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 

Recently uploaded (20)

2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 

Pci Forensic What You Dont Know

  • 1. Preparing for a PCI forensic investigation A ex-QIRA speaks out Copyright 2010
  • 2. What is a QIRA?
  • 3. What is a QIRA? Qualified Incident Response Assessor
  • 4. What is a QIRA? Qualified Incident Response Assessor They are the special investigation units of the Payment Card Industry who have PCI knowledge and forensic examination skills (supposedly)
  • 5. david.barnett@orbitz.com or David Barnett david.barnett@blue-lava.net Sr. Security Architect, Orbitz WorldWide also - Sr. Consultant, Blue-Lava - Financial crimes forensic/fraud Ex Forensics Investigator for a QSA (QIRA) Consultant/Educator for US Secret Service, DHS, FBI, and DoD. Participant HoneyNet Project Copyright 2010
  • 6. Why this talk Conversations with David Taylor from PCI Knowledge Base. Provided a wealth of data from interviews and anonymous questionnaires. Dave passed away suddenly from a heart attack on Oct 27, 2009. Breach war stories have been done ad-nausea, poorly most of the time
  • 7. Breaches effect all merchant levels
  • 11. Incident Response Plans should basically the same for all merchant levels
  • 12. Lessons from 100+ CC investigations Find the right lawyer Pick your forensics investigator* Know how to work with your merchant bank and the card associations Ensure your software/hardware vendors, VARs, subcontractors, etc. take responsibility for their work Prepare for the QIRA onsite investigation *note - forensic (QIRA) vs. other forensic entities
  • 13. How did we get here?
  • 14. In the beginning: US Secret Service and Card Association saw individual breaches not the wider common attack trends Investigated them as isolated breaches Remediated as isolated cases No or little breach trending
  • 15.
  • 16. Let’s talk a little about breaches
  • 17. The fundamental ways data breaches occur - Theft or Loss of Physical Equipment: such as laptop computers or memory storage devices. Illegal access to the systems or information: A data breach can occur through unlawful access to PII data by technological means such as hacking into existing computer systems. Insiders: A data breach can be committed by current employees, ex- employees
  • 18. A credit card breach = PCI forensics onsite Who is allowed to perform forensics Only Qualified Incident Response Assessors Master list at http://usa.visa.com/merchants/risk_management/ cisp_if_compromised.html The list has changed over the last few years - Last BIG update January 11, 2010 (only 3 companies when I was in the thick of it) The process of who can be one and who can’t makes no sense at all - though looks to be improving
  • 19. How are merchants notified? or “Why are they picking on me?” Almost all notification is due to the merchant ID being identified by one of the card brands as a Common Point of Purchase, typically referred to as (CPP) or Point of Compromise (POC) This is the one method of how a merchant or processor can be identified as the breach point in a payment card fraud / compromise 
  • 20. In this case, the similarity is a single business where all of the stolen credit cards had been used before the cards had been involved in fraudulent activity. This could potentially be the sign of an employee skimming card numbers, or a breach in a database. There are always going to be coincidences involving data on a large scale, but because of the scale, itʼs very difficult to end up with false positive fraud once a margin of error is established.
  • 21. Card issuers may request that MasterCard initiate an investigation of a merchant for possible CPP activity at any time. Acquiring banks have 5 business days to acknowledge a request from MasterCard for a CPP investigation and 30 calendar days to complete the investigation. Failure to respond may result in fines or assessments. $$$$ Only MasterCard, not a member bank, may designate a merchant location as a CPP and request that an acquiring bank conduct a CPP investigation. MasterCard will identify a merchant location as a CPP from one or more of the following sources: Information received from law enforcement and investigative authorities Card issuers in accordance with the established criteria MasterCard systems, databases, and any other source deemed to be reliable
  • 22. “Hello, you’ve been breached” Now what?
  • 23. It is important to move swiftly 1. Follow your completed Data Breach Incident Response Plan 2. Document all ongoing events, all people involved, and all discoveries into a timeline for evidentiary use. The following is a list of actions that are going to need to be taken when a breach occurs:
  • 24. Visa Fraud Investigations CISP Team has their own agenda, though they state the following: 1 Works with the compromised entity to obtain all potentially compromised account numbers. 2 Disseminates "at risk" account numbers (or data) to the issuing banks. 3 Begins monitoring the activity on the affected accounts. 4 Works with the appropriate law enforcement on the entity’s behalf. 5 Provides guidelines to the compromised entity to assist them in responding to the incident. 6 Works with the entity to identify security deficiencies. 7 Facilitates forensic investigation in a timely manner. 8 Ensures the entity takes corrective action to minimize the risk of future loss or theft of account information. 9 Works with the entity to verify PCI DSS compliance in an expedited timeframe.
  • 25. Account Data Compromise Recovery (ADCR) process: Visa validates whether validated compromise meets ADCR criteria (full track, 10,000+ US accounts, incremental magnetic stripe counterfeit fraud on accounts) Visa calculates and advises the acquirer of its potential ADCR financial liability If at the end of the issuer fraud reporting window Visa calculates actual fraud and operating expense liability due to each participating and impacted issuer Visa notifies acquirers and issuers of their respective liability and reimbursement
  • 26. From Breach to Fraud - Typical Timeline Date of Transaction at Entity Date of Transaction at Entity for Earliest Account for LatestAccount Compromised Compromised DATE THE BREACH WAS DISCOVERED: PERIOD of Compromised # of Accounts Likely off this chart, BEGIN Transactions List of Accounts END most breaches are not Time period of entity's transaction data Dates of Transactions discovered until late - due to poor monitoring/ logging Period of Breach End date of Breach Time Period of penetration PERIOD of Compromised Transactions Start Date of Breach DELAY END Time period when entity's transaction data is exploited PCI Assessments are only Date of earliest Date of latest valid for a "point in time: fraudulent Transaction fraudulent Transaction Breaches occur over extended periods. Inactive Inactive Pre-Breach Stage Sustained Breach Exploitation-Only Stage Stage Stage
  • 27. Compromised Account Management System (CAMS): Merchant discovers account compromise and notifies it acquiring bank Compromised (or suspected) accounts are uploaded into CAMS for monitoring Visa investigates to determine if an account compromise has occurred and sends CAMS alerts to affected issuers to notify them of compromised accounts Affected issuers monitor, block or close compromised accounts
  • 28. Post notification, know what your expected to do, what you need to do, and the difference
  • 29. Visa mandated steps in event of a suspected payment card data breach Immediately contain and limit exposure Alert all necessary parties immediately Provide all compromised accounts to your merchant bank within 10 days Provide an Incident Response Report within 3 days to your merchant bank
  • 30. What your expected to do by the card associations The development of an Incident Response Plan is mandated by the PCI DSS in Requirement 12.9: 12.9.1: Create an incident response plan 12.9.2: Test the plan at least annually 12.9.3: Designate specific personnel to be available on a 24/7 basis to respond to incidents 12.9.4: Provide appropriate training to staff with security breach response responsibilities 12.9.5: Include alerts from IDS, IP and file integrity monitoring systems 12.9.6: Develop processes to modify and evolve the IR plan according to lessons learned.
  • 31. Focus areas during the forensic investigation Determine the type of cardholder information at risk Determine the how many cardholder information is /was at risk Perform incident validation and assessment Check for sensitive authorization data - Track data, CVV2 and PIN block storage Review payment gateway, VisaNet endpoint security and risk Preserve all electronic evidence Perform an internal and external vulnerability scan Was the merchant PCI compliant at the time of the breach
  • 32. Be sure to contact - Your internal information security group and incident response team. Your merchant bank. Your local office of the United States Secret Service. If you do not know the exact name and/or contact information for your merchant bank, notify Visa Fraud Investigations and Incident Management group immediately at (650) 432-2978.
  • 33. Provide all compromised Visa, Interlink, and Plus accounts to your merchant bank within 10 business days. All potentially compromised accounts must be provided and transmitted as instructed by your merchant bank and Visa Fraud Investigations and Incident Management group. Visa will distribute the compromised Visa account numbers to Issuers and ensure the confidentiality of entity and non-public information. Within 3 business days of the reported compromise, provide an Incident Report document to your merchant bank
  • 34. Know the key stakeholders
  • 35. ..and know them intimately Merchant POS Software/hardware Merchant Bank Card Association Acquiring Payment Processor Bank Gateway
  • 36. Be Prepared to Answer the Following Initial point of entry Timeline of events Intruder information Data exfiltrated and exposed Compromised accounts Malware Network architecture and application overview Logging and monitoring Investigative methods Regulatory review Encryption Containment efforts
  • 37. Per Visa - Identify and establish relationships agreements with key vendors, including: Outside IT security forensics experts who can investigate if, when and how a breach occurred, and how to close and repair your system. “Visa requires its partners to use external experts for this function, and doing so is critical to establishing credibility with the media, customers, investors and other key audiences. Also, consider using a different vendor from the one that may have done previous security assessments “
  • 38. Identify how the breach happened, contain the breach, and implement a solution so it can not happen again Notify appropriate people within the company Notify External Agencies, within required time frames, such as: ›› Forensics Investigator ›› Law Enforcement ›› Affected vendors, suppliers ›› FTC ›› State Attorneys General (where applicable) ›› Consumers
  • 39. Visa and MasterCard are not interested in forensics, they are interested in risk mitigation. Visa maintains relationships with their QSA’s for a reason Tend to work with the same people throughout the PCI-DSS world, for example, same people move from a QSA company to the PCI SSC (PCI Security Standards Council) Creates an echo chamber Lack of knowledge of modern forensics Place artificial pressure on investigators to got out a compromise time frame Rather wind down a case on lax evidence than determine the true causal effect of compromise and compromise patterns Saw this all the time while a QIRA
  • 40. Important breach issues Breach Issues Action Items Mandated Breach Notification Which States require notification Media reporting Hire firm for media coverage and Negative customer reaction creating early press releases Cost associated with brand damage Early customer communications and lost revenue
  • 42. Fines; according to the card associations Stiff fines and penalties ranging from $10K-$500K per month for non- compliance $500K fine per credit card data compromise incident if not PCI compliant $100K fine if Visa is not immediately notified of as suspected data breach If track data or other sensitive data elements was compromised, the merchant can be assessed the estimated cost of fraud under Visa’s ADCR Program as well as cost of card re-issuance (est. $7-$20 per card) Potential termination of credit card processing privileges
  • 43. Monthly Prohibited Data Fines for Merchant Data Storage Violation Fines Compromise Up to $600,000 for non-compliance Months with PCI DSS requirements. Months 1-3 Months 4-6 Issuer Recovery Cost of Fraud. Months 7 and up Charges that occurred on all exposed Merchant Level 1 cards from the compromised $10,000 location. $50,000 $100,000 The cost of the forensic investigation. Merchant Level 2 $5,000 The cost to replace exposed credit $25,000 cards. $50,000
  • 44. In reality, fines have been handed down with no consistency Large discrepancies in the per incident cost between large level 1 merchants and level 4 merchants An average fine for a single food services merchant (a local bar) was $350k not including: lawyers costs Forensics assessment, incident investigation and containment Upgrading non-compliant POS software & IT and security remediation and enhancements Identity protection for impacted individuals (~$30 per person) Cost associated with onsite validation for 1 year - now a Level 1 merchant Class action lawsuits and liability in the event that privacy data was compromised
  • 45. The Heartland Data Breach Aftermath "Visa sent customized settlement information packets to the affected financial institutions on January 14, 2010. In order to accept the settlement, a financial institution was required to affirmatively complete and return the settlement paperwork to Visa by January 29, 2010," said the statement from lawyers representing some of the impacted banks. "The offers--at least those reviewed by class counsel--appeared to be less than 10 cents on the dollar for most financial institutions and some at less than 1 cent on the dollar."
  • 46. Other issues to deal with
  • 47. Make sure you know a qualified lawyer and call them immediately A good lawyer can make all the difference in the penalty phase
  • 48. Interview your lawyer Does the lawyer have: dedicated Internet law department? In house forensics professional? Know what PCI is? Worked with and know key individuals at Visa/MasterCard, the banks, processors, etc. How many digital crimes cases have they handled?
  • 49. Merchant Bank Know your merchant bank’s Point of Contact for fraud /PCI Call them. Get to know this person. Take them for a beer. They will be involved early in the process, up until the very end. They typically know their counter parts at the card associations But wait, do you have a processor who isn’t your merchant bank? Better find out and give them a call too! Ensure these people are your advocate.
  • 50. Hardware/Software Vendors For level 4 merchants this can be quite complicated
  • 51. Where does the responsibility lay? Customer Software/ Implementation Hardware Developer VAR OEM
  • 52. Large Merchants Per incident costs typically lower than level 3 or 4 merchants IT staff Leverage with manufacturers Media/Marketing Dept. to control the message
  • 53. The “favorites” game Several instances of medium to large size breaches which remain off all breach lists and in the media Good legal representation early in the process Tend to lay blame of the software/hardware vendors Card Associations deathly afraid of Full Disclosure These and other issues have lead to many complaints of the ADCR process http://Datalossdb.org unofficial master record-keeper of breaches
  • 55. News Update From 01/21/2010 www.infolawgroup.com
  • 56. News Update In an interesting development, a handful of issuing banks impacted by the Heartland breach have filed a class action lawsuit against two acquiring banks related to Heartland Payment Systems. According to this article, the issuing banks are unhappy with Heartland's proposed settlement with Visa.  This appears and to be an attempted end-run around the proposed $60 million settlement with Visa.  It also may demonstrate that issuing banks are not satisfied with the dispute resolution mechanisms under the Visa Operating Regulations (the Account Data Compromise Recovery process estimated the loss at $140 million, yet the settlement was for only $60 million), and their ability to be made whole under those mechanisms. From 01/21/2010 www.infolawgroup.com
  • 57. Breach Trends Just as merchants shop for PCI assessors (QSA’s) merchants shop for QIRA’s This tends to skew a specific company’s analysis
  • 58. TrustWave Verizon Symantec CyberTrust Hospitality: 38%* Retail: 31% Education: 27% Financial services: 30% Government: 20% Financial services: 19% Food and beverage:14% Health care:15% Retail: 14% Hospitality:6% Financial :14% Food and beverage:13% Other: 17% .............
  • 59. Trend Analysis Trend numbers from each company by themselves should not be taken all that seriously Some basic trends can be seen when viewed outside the confines of these companies www.datalossdb.org is a good overall source for breach data but ... several breach cases I worked on and am aware of are not on their list
  • 60. Definite trends can be seen when viewed outside the confines of each of the forensics company
  • 61. Next up ..... banks (February 16, 2010) A Michigan-based manufacturing firm is suing its bank after online crooks depleted the company's account by $560,000 via a series of unauthorized wire transfers last year. The lawsuit is one of several that have been filed over the past few months involving banks and customers victimized by online theft. In this case, the theft occurred after an employee at EMI supplied the crooks with the company's online banking credentials in response to a phishing e- mail that purported to come from the bank.

Editor's Notes

  7. mom and pop restaurant, bar, coffee shop, bed and breakfast
  8. multiple franchise sites all over the country during a typical breach timeframe
  9. The large news breaking type
  12. Why are
  44. This behavior is typical with larger level 1 merchants whereas, level 4 merchants often just go bankrupt.
  48. The merchant POC for fraud typically is in the PCI group
  50. If a POS is retaining track data, who removes the old data, upgrades the software, New software/hardware
  53. The aftermath of this incident is still in flux The issue still exists
  54. The aftermath of this incident is still in flux The issue still exists
  55. Heard of the practice of shopping for QSA’s?