The Easy Way to Accept & Protect Credit Card Data

The recorded version of this webinar is available at:

http://www.practicalecommerce.com/webinars/60-The-Easy-Way-to-Accept-and-Protect-Credit-Card-Data

"The Easy Way to Accept & Protect Credit Card Data" is a free, educational webinar. The moderator is Kerry Murdock, editor and publisher of Practical eCommerce. The presenters are Tyler Hannan, platform evangelist for IP Commerce, a leading cloud-computing payment platform, and David Herrald, an information security consultant with Global Technology Resources, Inc., an international security and technology firm.

e-Similate, a leading provider of payment integration tools, is the sponsor of the webinar.

Published in: Technology, Economy & Finance
  • Welcome
  • Responsibilities of protecting payment data
  • Consequences and examples of not protecting data
  • Tools, options to help protect data, and shift responsibility
  • Tyler Hannan is an experienced technologist and the platform evangelist for IP Commerce, a leading cloud-computing payment platform. Tyler facilitates collaboration and coordination with companies in the payment processing and technology market to drive innovation and deliver understanding of IP Commerce. His blog, Reflections on Emergent Commerce and Technology, helps industry leaders break down technology silos and deliver on-demand commerce services.
  • David Herrald is an information security consultant with 17 years of information technology experience in the financial services, software, and payments industries. He has built information-security and PCI DSS compliance programs from the ground up, and he has advised many software companies and merchants on information security and PCI DSS compliance topics. He is now consulting architect for information security with Global Technology Resources, Inc., an international security and technology firm.
The Easy Way to Accept and Protect Payment Account Data
Commerce Security Fundamentals
July 12, 2011

Who You Are Interacting with Today
Kerry Murdock
Editor and Publisher
Practical eCommerce

Who You Are Interacting with Today
Tyler Hannan
Platform Evangelist
IP Commerce

Who You Are Interacting with Today
David Herrald
Consulting Architect – Information Security
Global Technology Resources, Inc.

Sponsored by

Agenda
  • Consequences of a Data Breach
  • What Is PCI Compliance?
  • Status of Payment Card Industry Data Security Standard
  • PCI responsibilities of the merchant and developer
  • Tools to Assist with Security and Compliance
  • Tokenization
  • Hosted payment solutions

Consequences of a Data Breach

What Data Compromise Looks Like

TJX: Anatomy of a Data Breach
TJX Data Breach, Announced January 2007
  • TJX owns retail companies: T.J. Maxx, Marshalls, Bob’s Stores
  • Data breach called the “biggest ever”
  • Initial estimates put the number of breached accounts at a few million
  • By December 2007, it had been confirmed that at least 94 million customers had had their information stolen
What did it cost?
  • Credibility
  • $4.5 billion (estimated)

Sony: Anatomy of a Data Breach
Sony Data Breach, 2011
  • Sony PlayStation Network is targeted by a malicious hacker group
  • Proved to be an easy target
  • SQL injection vulnerabilities
  • Unencrypted or poorly encrypted stored passwords
  • 77 million records compromised
  • Ongoing attacks against other Sony business units: Sony Pictures (1 million user accounts hacked)
What did it cost?
  • Credibility
  • Estimates range from $1.5 billion to $4.6 billion

Data Breach Statistics
  • 85% of attacks were not considered highly difficult
  • 86% of victims had evidence of the attack in their log files; however,
  • 61% of breaches were discovered by a third party
  • 96% of breaches were avoidable through simple or intermediate controls
  • 79% of victims subject to PCI had not achieved compliance
  • 30% of victims met PCI Requirement 3 (Protect Stored Cardholder Data)
Source: Verizon 2010 Data Breach Investigations Report
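The Sony slide names two of the weaknesses that made the breach cheap: SQL injection and poorly protected stored passwords. The following is an added example, not code from the webinar or from IP Commerce, that puts the defective pattern beside its fix for both: a query built by string formatting next to a parameterized one, and a salted, iterated password hash with a constant-time comparison. The user table, the user name and the iteration count are constructed for the example; only the standard library is used.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ITERATIONS = 310_000  # deliberately slow; raise it as hardware gets faster


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table standing in for an application database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return db


def lookup_user_vulnerable(db: sqlite3.Connection, username: str):
    # Defect: the input is spliced into the SQL text, so any quote character in
    # it becomes part of the statement's syntax. Even an honest name such as
    # o'brien breaks the query; hostile input can rewrite it.
    sql = "SELECT username FROM users WHERE username = '%s'" % username
    return db.execute(sql).fetchone()


def lookup_user_safe(db: sqlite3.Connection, username: str):
    # Fix: a bound parameter reaches the engine as data and is never parsed as SQL.
    return db.execute("SELECT username FROM users WHERE username = ?", (username,)).fetchone()


def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    # A random salt per user defeats precomputed tables, and a slow KDF makes
    # every guess against a leaked table cost the attacker real work.
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def register(db: sqlite3.Connection, username: str, password: str) -> None:
    salt, digest = hash_password(password)
    db.execute("INSERT INTO users VALUES (?, ?, ?)", (username, salt, digest))


def verify_password(db: sqlite3.Connection, username: str, password: str) -> bool:
    row = db.execute("SELECT salt, pw_hash FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        return False
    _, candidate = hash_password(password, row[0])
    # Constant-time comparison so response timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, row[1])


def demo() -> tuple[bool, bool, bool, bool]:
    """Returns (vulnerable lookup worked, safe lookup worked, right password accepted, wrong password rejected)."""
    db = make_db()
    register(db, "o'brien", "correct horse battery staple")
    try:
        vulnerable_ok = lookup_user_vulnerable(db, "o'brien") is not None
    except sqlite3.OperationalError:
        vulnerable_ok = False  # the apostrophe turned the input into broken SQL
    safe_ok = lookup_user_safe(db, "o'brien") is not None
    return (
        vulnerable_ok,
        safe_ok,
        verify_password(db, "o'brien", "correct horse battery staple"),
        not verify_password(db, "o'brien", "wrong password"),
    )


if __name__ == "__main__":
    print(demo())
```

The vulnerable lookup fails on a perfectly legitimate name, which is the cheapest way to detect this defect in a code review or test suite: any query that cannot survive an apostrophe in its input is one that will not survive crafted input either. The password side is what PCI DSS Requirement 8 and a breached database both care about: a stolen table of salted PBKDF2 digests is still expensive to turn back into passwords.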
Consequences for the Merchant
Source: “Calculating the Cost of a Security Breach,” Forrester Research.

Consequences for the Merchant
Source: “Calculating the Cost of a Security Breach,” Forrester Research.

Focus on Small Merchants
If I am a small merchant… does this really matter?
Why is there a focus on the smallest of merchants?
  • 5% of all exposed accounts
  • 80% of software breaches
  • 99% of Visa’s merchant base
  • 64% feel invulnerable to attack*
  • 1 million est. small business victims*
  • 60% of small businesses do not understand the fines they are subject to*
*National Retail Federation (NRF) and First Data Corporation 2010 survey of US Small Business

What Is PCI Compliance?

PCI Security Standards Council
“The PCI Security Standards Council is an open global forum, launched in 2006, that is responsible for the development, management, education, and awareness of the PCI Security Standards…
“All five payment brands share equally in the Council’s governance, have equal input into the PCI Security Standards Council and share responsibility for carrying out the work of the organization.”
- https://www.pcisecuritystandards.org/organization_info/index.php

What Does PCI-DSS Consist Of?
Build and Maintain a Secure Network
  1. Install and maintain a firewall to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.
Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software or programs.
  6. Develop and maintain secure systems and applications.
Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need to know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.
Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
Maintain an Information Security Policy
  12. Maintain a policy that addresses information security for all personnel.

“Is there anyone who can save me from all this?”

Tools to Assist with Security and Compliance

Prioritized Approach
Where Should a Merchant Start?
  • The PCI DSS contains over 200 individual requirements.
  • The PCI Council has released the Prioritized Approach to Pursue PCI DSS Compliance.
  • Milestone 1: Remove cardholder data and sensitive authentication data.
  • Helps integrate the concept of risk management with PCI DSS compliance.
  • Remember: there are a total of 6 milestones in the Prioritized Approach, and every requirement in the PCI DSS must be met to be compliant.

Tokenization
Eliminate the Complexity of Secure Data Storage
  • Protect sensitive customer payment account data by encrypting it and assigning it a unique token.
  • The token can be leveraged for future use, such as recurring payments.
  • The data is stored in a PCI-compliant data center, removing that element of risk.
How It Works
  1. Payment account data is sent from the merchant’s website or POS system to the Platform for tokenizing.
  2. A copy of the payment account data is assigned a token and stored securely.
  3. The Platform securely passes the payment account data to the desired payment service provider.
  4. A token is returned in the transaction response and can be stored, instead of the payment account data, and used for subsequent transactions.
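The four "How It Works" steps above describe a tokenization exchange between three parties: the merchant, the platform that owns the vault, and the payment service provider. The following is an added example, not the IP Commerce platform's code or API, that simulates that exchange end to end so the properties behind Milestone 1 are visible: the token is random and carries no information about the card, the merchant's own records never contain a PAN, the token is bound to the merchant that created it, and a second charge against the token goes through the vault rather than through data the merchant holds. The platform, PSP and merchant classes, the card number (a constructed Luhn-valid test number) and the approval limit are all assumptions made for the example.

```python
import re
import secrets
from dataclasses import dataclass, field


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test; a cheap sanity check before anything is vaulted."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class ConstructedPSP:
    """Stand-in payment service provider: approves anything up to a fixed limit."""

    def authorize(self, pan: str, expiry: str, amount_cents: int) -> bool:
        return amount_cents <= 100_000


class TokenizationPlatform:
    """The PCI-scoped platform: owns the vault, issues tokens, talks to the PSP."""

    def __init__(self, psp: ConstructedPSP) -> None:
        # token -> (merchant_id, pan, expiry). A real vault encrypts this at rest;
        # the point here is that only the platform ever holds the PAN.
        self._vault: dict[str, tuple[str, str, str]] = {}
        self._psp = psp

    def tokenize_and_charge(self, merchant_id: str, pan: str, expiry: str, amount_cents: int) -> dict:
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a plausible PAN")
        # Random token: no mathematical relationship to the PAN, so a token (or
        # the merchant's whole database) reveals nothing about the card.
        token = "tok_" + secrets.token_urlsafe(18)
        self._vault[token] = (merchant_id, pan, expiry)
        approved = self._psp.authorize(pan, expiry, amount_cents)
        return {"token": token, "last4": pan[-4:], "approved": approved}

    def charge_token(self, merchant_id: str, token: str, amount_cents: int) -> bool:
        entry = self._vault.get(token)
        # Tokens are bound to the merchant that created them: a token leaked from
        # one merchant cannot be spent through another.
        if entry is None or entry[0] != merchant_id:
            raise PermissionError("token is not known for this merchant")
        _, pan, expiry = entry
        return self._psp.authorize(pan, expiry, amount_cents)


@dataclass
class MerchantRecords:
    """Everything the merchant keeps: token and last four digits, never the PAN."""

    merchant_id: str
    customers: dict = field(default_factory=dict)

    def first_purchase(self, platform, customer, pan, expiry, amount_cents) -> bool:
        resp = platform.tokenize_and_charge(self.merchant_id, pan, expiry, amount_cents)
        self.customers[customer] = {"token": resp["token"], "last4": resp["last4"]}
        return resp["approved"]

    def recurring_charge(self, platform, customer, amount_cents) -> bool:
        token = self.customers[customer]["token"]
        return platform.charge_token(self.merchant_id, token, amount_cents)


PAN_LIKE = re.compile(r"\b\d{13,19}\b")


def stores_no_pan(records: MerchantRecords) -> bool:
    """Scope check: nothing resembling a full card number in the merchant's data."""
    return PAN_LIKE.search(repr(records.customers)) is None


def demo() -> tuple[bool, bool, bool, bool]:
    platform = TokenizationPlatform(ConstructedPSP())
    shop = MerchantRecords("merchant-A")
    # 4111 1111 1111 1111 is a constructed Luhn-valid test number, not a real card.
    first_ok = shop.first_purchase(platform, "alice", "4111 1111 1111 1111", "12/29", 4_999)
    renewal_ok = shop.recurring_charge(platform, "alice", 999)
    try:
        platform.charge_token("merchant-B", shop.customers["alice"]["token"], 999)
        cross_merchant_blocked = False
    except PermissionError:
        cross_merchant_blocked = True
    return first_ok, renewal_ok, stores_no_pan(shop), cross_merchant_blocked


if __name__ == "__main__":
    print(demo())
```

The `stores_no_pan` check is the kind of test a merchant can run against its own database exports to confirm that tokenization actually removed card data from scope, which is what Milestone 1 of the Prioritized Approach asks for. The merchant binding in `charge_token` is the caveat a practitioner should look for in any token service: a token that any party can spend is a card number with extra steps.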
Value-Added Services
What is a Value-Added Service?
  • Services that are injected into the payment transaction
  • Services that do not “remove” compliance but “address” risk
  • Capabilities that can be added “point-in-time” when appropriate for the merchant customer, without additional integration work
Examples of Value-Added Services
  • Risk Management
    • Each transaction is inspected
    • Each transaction returns an approve/decline based on risk thresholds
  • Chargeback Management
    • Transaction information is provided, securely, to a chargeback specialist
    • People, product, and process manage chargeback behavior on the merchant’s behalf

Commerce Hosted Payment Page
PCI-Compliant Payment Page
  • PCI compliance obligation is reduced to completion of a Self-Assessment Questionnaire (SAQ A)
Fully Customizable
  • No harsh transitions from the retailer site to another checkout page
  • Fewer abandoned shopping carts
Simple Integration
  • One method call to initiate (HTTP POST)
  • Callback to a hidden URL upon payment completion
  • Easy-to-implement CSS to support the merchant’s look and feel
  • Adding payments is a matter of hours from conception to “go live”

Choose Your Product

Populate Your Cart

Check Out Securely

Return to Website
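The hosted payment page is integrated with one HTTP POST to initiate checkout and a callback to a hidden URL when payment completes, and the four screens above (choose, populate, check out, return) are that flow from the shopper's side. The following is an added example, not the Commerce Hosted Payment Page's actual API, of the merchant side of such an integration: building the initiation POST, and handling the callback in a way that does not rely on the URL staying secret. The field names, the shared-secret HMAC scheme and the constructed `platform_callback` stand-in are assumptions made for the example. The three checks in `handle_callback` (signature, amount against the order on file, nonce against replay) are what a practitioner would want on any completion callback regardless of the provider.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Assumption: one shared secret provisioned out of band between merchant and
# platform. Field names below are constructed for this example.
SHARED_SECRET = b"constructed-shared-secret"


def sign(fields: dict, secret: bytes) -> str:
    """HMAC-SHA256 over the sorted, URL-encoded fields (signature field excluded)."""
    canonical = urlencode(sorted((k, v) for k, v in fields.items() if k != "signature"))
    return hmac.new(secret, canonical.encode("utf-8"), hashlib.sha256).hexdigest()


def build_initiation_post(order_id: str, amount_cents: int, currency: str, return_url: str,
                          secret: bytes = SHARED_SECRET) -> dict:
    """The single HTTP POST that sends the shopper to the hosted page."""
    fields = {
        "order_id": order_id,
        "amount": str(amount_cents),
        "currency": currency,
        "return_url": return_url,
        "nonce": secrets.token_hex(8),
    }
    fields["signature"] = sign(fields, secret)
    return fields


def platform_callback(initiation: dict, result: str, secret: bytes = SHARED_SECRET) -> dict:
    """Constructed stand-in for the platform's completion callback to the merchant."""
    fields = {k: initiation[k] for k in ("order_id", "amount", "currency", "nonce")}
    fields["result"] = result
    fields["signature"] = sign(fields, secret)
    return fields


class CallbackHandler:
    """Merchant endpoint behind the 'hidden' callback URL."""

    def __init__(self, secret: bytes = SHARED_SECRET) -> None:
        self._secret = secret
        self._orders: dict[str, dict] = {}
        self._seen_nonces: set[str] = set()

    def create_order(self, order_id: str, amount_cents: int, currency: str) -> None:
        self._orders[order_id] = {"amount": str(amount_cents), "currency": currency, "status": "pending"}

    def handle_callback(self, fields: dict) -> str:
        # 1. Authenticity: an unguessable URL is not a control; the HMAC is.
        expected = sign(fields, self._secret)
        if not hmac.compare_digest(expected, fields.get("signature", "")):
            return "rejected: bad signature"
        # 2. Integrity against the order on file: never mark an order paid on the
        #    amount from the wire alone.
        order = self._orders.get(fields.get("order_id", ""))
        if order is None:
            return "rejected: unknown order"
        if fields.get("amount") != order["amount"] or fields.get("currency") != order["currency"]:
            return "rejected: amount or currency mismatch"
        # 3. Replay: each nonce is honoured once.
        nonce = fields.get("nonce", "")
        if nonce in self._seen_nonces:
            return "rejected: replay"
        self._seen_nonces.add(nonce)
        if fields.get("result") != "approved":
            order["status"] = "declined"
            return "declined"
        order["status"] = "paid"
        return "paid"

    def status(self, order_id: str) -> str:
        return self._orders[order_id]["status"]


def demo() -> tuple[str, str, str, str, str]:
    handler = CallbackHandler()
    handler.create_order("order-1001", 4_999, "USD")
    post = build_initiation_post("order-1001", 4_999, "USD", "https://shop.example/return")
    genuine = platform_callback(post, "approved")
    first = handler.handle_callback(genuine)
    replay = handler.handle_callback(genuine)
    # Amount altered after signing: the signature no longer matches.
    forged = handler.handle_callback(dict(genuine, amount="1"))
    # Correctly signed callback for a different amount than the order on file
    # (as if a tampered form had been honoured): caught by the order comparison.
    mismatch = handler.handle_callback(platform_callback(dict(post, amount="1"), "approved"))
    return first, replay, forged, mismatch, handler.status("order-1001")


if __name__ == "__main__":
    print(demo())
```

SAQ A assumes the merchant's systems never touch cardholder data, and this design keeps that true: the only values crossing the merchant's endpoint are the order identifier, amount, result and signature. The HMAC and nonce are what make the "hidden URL" safe to expose; a callback endpoint that trusts whatever is posted to it is the weak point of an otherwise out-of-scope integration.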
Q&A
Tyler Hannan
Platform Evangelist, IP Commerce
thannan@ipcommerce.com
@tylerhannan
David Herrald
Consulting Architect - Information Security, Global Technology Resources Inc.
dherrald@gtri.com
@daveherrald
http://www.e-similate.com