Cyber Security Issues in
Payment Card Industry
by
Anil Kumar Jain
Security Consultant, Indore.
Contents are based on PAYMENT SECURITY EDUCATIONAL RESOURCES, PCI Security Standards Council, LLC.
Presented at the workshop on “Cyber Challenges and Security” held on 4th March 2017 at Shri G.S. Institute of Technology & Science, Indore
Presentation Agenda
• Security – Global Perception
• Addressing Security in Payment Card Industry
• Common Attack Vectors, Vulnerabilities and Exploits
• Payment Transactions in Card Present Scenario
• Payment Transaction in Card Not Present Scenario (e-Commerce)
• Top Ten Recommendations
Security – Global Perception
Hackers rush to cash in on $14 billion in fraud before chip cards take over in US
In 2016, hacked credit card fraud will reach $4 billion, a record level, and that's just the beginning of a counterintuitive aspect of the nationwide migration away from magnetic strip to chip cards.
In the short term, the switch to the chip card technology (known as EMV, which can process credit cards with embedded smart chips) will cause fraud to increase. You read that right. Beyond the $4 billion in fraud expected this year, there will be as much as $10 billion in ....
http://www.cnbc.com/2016/05/06/those-new-chip-cards-will-cause-14-billion-in-fraud-by-2020.html
Small businesses globally are a prime target for cybercriminals.
Addressing Security in Payment Card Industry
Payment Card Industry Security Standards Council
The Payment Card Industry Security Standards Council was originally formed by American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International on September 7, 2006, with the goal of managing the ongoing evolution of the Payment Card Industry Data Security Standard. The council itself claims to be independent of the various card vendors that make up the council.
Payment Card Industry Data Security Standards
Control objectives – covering People, Process and Technology
1. Build and maintain a secure network
2. Protect cardholder data
3. Maintain a vulnerability management program
4. Implement strong access control measures
5. Regularly monitor and test networks
6. Maintain an information security policy
Security Control Types
Security controls are safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets.
Common Attack Vectors, Vulnerabilities and Exploits
SKIMMING – 1/2
Skimming is copying payment card numbers and personal identification numbers (PIN) and using them to make counterfeit cards, siphon money from bank accounts and make fraudulent purchases.
Criminals install equipment at merchant locations, on point-of-sale (POS) devices, automated teller machines (ATM), and kiosks that captures the information from the magnetic stripe.
SKIMMING – 2/2
Malware Exploits – 1/4
Recent headlines announcing organizations falling victim to payment card breaches are alarming for business owners.
The Payment Card Industry Security Standards Council (PCI SSC) shares steps to take to ensure your organization has the proper security controls in place to prevent a breach caused by malware.
Malware Exploits – 2/4
Malware Exploits – 3/4
Malware Exploits – 4/4
Phishing & Social Engineering Attacks – 1/4
Hackers use phishing and other social engineering methods to target organisations with legitimate-looking emails and social media messages that trick users into providing confidential data, such as credit card number, social security number, account number or password.
These attacks are at the heart of many of today’s most serious cyber hacks and can put your business and your customers at risk.
With a few security basics and ongoing vigilance, businesses can be aware of and defend against these attacks.
Phishing & Social Engineering Attacks – 2/4
Phishing & Social Engineering Attacks – 3/4
Phishing & Social Engineering Attacks – 4/4
HOW HACKERS BREAK IN
Ransomware – 1/3
RANSOMWARE IS THE FASTEST GROWING MALWARE THREAT
Criminals are attacking businesses with a type of malware that holds business-critical systems and data hostage until a sum of money is received.
Ransomware – 2/3
Ransomware – 3/3
Responding to a Data Breach
Research shows that having an Incident Response Team in place can provide significant savings.
Payment Transaction in Card Present Scenario
Card Payment Transaction Process
There are many places card data travels throughout the transaction process. Each player that comes in contact with card data plays a vital role in keeping data safe.
Card-Holder > Merchant > Acquirer > Card Networks > Issuer
Merchant POS Security: EMV® chip and PCI
EMV chip is proven to cut down on fraud at the point of sale.
Fight Cybercrime by Making Stolen Data Worthless to Thieves – 1/3
42.8 million cyber attacks are expected this year alone. How can businesses eliminate their data as a target for hackers?
Three technologies – EMV chip, tokenisation and point-to-point encryption – can help organizations make their customer data less valuable to criminals.
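To make the tokenisation idea concrete, here is an added example (not from the presentation or from PCI SSC material): a toy token vault that replaces the card number (PAN) with a random surrogate, so the merchant's own records hold nothing a thief could charge. The vault class, the `tok_` token format and the test card number are assumptions made for this illustration.

```python
# Added example, not from the presentation: a toy tokenisation vault showing
# why a stolen merchant database that holds only tokens is worthless.
import secrets

def luhn_valid(pan: str) -> bool:
    """Luhn check-digit validation used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """PAN <-> token mapping. In a real deployment this store belongs to the
    payment service provider, outside the merchant's network (assumed design)."""
    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 12 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed card number")
        if pan in self._token_by_pan:           # same card, same token
            return self._token_by_pan[pan]
        # Random token; only the last four digits are kept (for receipts).
        # The rest is unrelated to the PAN, so the token cannot be reversed.
        token = "tok_" + secrets.token_hex(8) + "_" + pan[-4:]
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the provider (e.g. when forwarding to the acquirer) does this."""
        return self._pan_by_token[token]

def merchant_record(vault: TokenVault, pan: str, amount: float) -> dict:
    """What the merchant stores: a token and masked digits, never the PAN."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": pan[-4:], "amount": amount}

if __name__ == "__main__":
    # Constructed Luhn-valid test number, not a real account.
    vault = TokenVault()
    rec = merchant_record(vault, "4111111111111111", 19.99)
    print(rec)                      # the full PAN appears nowhere in rec
```

A breach of the merchant's order table then exposes only `tok_...` values and the last four digits; the mapping back to real card numbers lives with the provider, which is what "making stolen data worthless" means in practice.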
Technologies that protect data in the transaction process – 1/4
Technologies that protect data in the transaction process – 2/4
Technologies that protect data in the transaction process – 3/4
Technologies that protect data in the transaction process – 4/4
Payment Transaction in Card Not Present Scenario
E-commerce with all CNP Payment Channels
E-commerce Implementation Schemes – 1/7
Merchant-managed e-commerce implementations:
o Proprietary/custom-developed shopping cart/payment application
o Commercial shopping cart/payment application implementation fully managed by the merchant
Shared-management e-commerce implementations:
o URL redirection to a third-party hosted payment page
o An Inline Frame (or “IFrame”) that allows a payment form hosted by a third party to be embedded within the merchant’s web page(s)
o Embedded content within the merchant’s page(s) using non-IFrame tags
o Direct Post Method (Form)
o JavaScript Form
o Merchant gateway with third-party embedded application programming interfaces (APIs) or Electronic Data Interchange (EDI)
Wholly outsourced e-commerce implementations
E-commerce Implementation Schemes – 2/7
An Example Redirect Payment Flow
E-commerce Implementation Schemes – 3/7
An Example IFrame Payment Flow
E-commerce Implementation Schemes – 4/7
An Example Direct Post Payment Flow
E-commerce Implementation Schemes – 5/7
An Example JavaScript Form Payment Flow
E-commerce Implementation Schemes – 6/7
An Example API Payment Flow
E-commerce Implementation Schemes – 7/7
Advantages and Disadvantages of E-commerce Methods
Migrating from SSL and Early TLS
Top Ten Recommendations – 1/9
Stay Smart in Protecting against Card Frauds
Top Ten Recommendations – 2/9
Top Ten Recommendations – 3/9
Top Ten Recommendations – 4/9
Top Ten Recommendations – 5/9
Top Ten Recommendations – 6/9
Top Ten Recommendations – 7/9
Top Ten Recommendations – 8/9
Top Ten Recommendations – 9/9