SlideShare uma empresa Scribd logo

The Path to Payment Security

Tom Cooley
Tom Cooley
1 de 5
Baixar para ler offline
www.cardconnect.com The Path to Payment Security A Clear Approach to Preventing Data Breaches and Protecting Your Business Cybercrime is not only increasing in frequency, it’s increasing in cost. With more sophisticated hacking methods constantly being developed, the danger of storing sensitive information is rapidly increasing. Recently, the massive Target data breach has taken over headlines. With up to 110 million customers at risk and a $1.2 billion potential price tag, their brand and bottom line are in jeopardy. Despite EMV “Chip-and-PIN” technology being heralded by the media as the answer to payment data breaches, it simply is not true. In this document, we delve into the problems EMV and PCI 3.0 leave unsolved and offer a comprehensive solution through a combination of EMV, P2PE (Point-to-Point Encryption), Tokenization, and a secure, hosted Vault. By preparing merchants for EMV technology and taking them out of PCI Compliance scope, the risk of compromised data and the cost of constantly having to monitor your system for breaches are removed. Robert Nathan Chief Technology Officer Rush Taggart Chief Security Officer
In reality, the number is actually much higher because for many of the breaches included, the number of compromised records is unknown. These security breaches not only negatively impacted the reputation of the companies involved, but also cost them significant amounts of money in lawsuits and fines. A 2013 study found that the merchant cost to a data breach victim is around $200 per compromised record. www.cardconnect.com The Emergence of the Data Breach In recent years as hackers have become more sophisticated, these attacks have increased in frequency and effectiveness. In 2011, Sony’s Playstation Network had to be shut down due to a major data breach, resulting in a class-action lawsuit and costs that have been estimated at up to $24 billion. Most recently, Target has been in the spotlight for their massive data breach. Target CEO Gregg Steinhafel confirmed to CNBC that the breach was caused by malware installed on Point-of-Sale (”POS”) systems. Between lawsuits, government fines, and reimbursements to customers, Goldman Sachs estimates total costs incurred by Target could be $1.2 billion. What should worry merchants most is the only thing unusual about the Target hack was its size—Target was one of over 600 security breaches in 2013 alone. Because Target likely invests heavily in security, this breach confirms vulnerabilities exist in current systems. As Stan Lippelman, VP of Marketing at Bass Pro Shops, puts it, “We feel very comfortable…But, the fact that it happens to Target means it can happen to anybody, right?” Over 600 million records have been compromised in the United States since January 2005. Where Your Payments Are at Risk There are underlying vulnerabilities in the payment process for any given business or company due to the exchange of data between systems, the sensitive nature of that data, and the requirements and standards set forth by the Payment Card Industry (“PCI”) Security Standards Council, which serves as the governing body of the payment processing industry. Point-of-Sale/Terminal – In many recent breaches, credit and debit cards were compromised by malware installed on POS systems. With Point-to-Point-Encryption (”P2PE”) technology, these malware attacks would be prevented. P2PE hardware is designed to stop functioning if any foreign code or application is installed on the device. 1. Terminal to Gateway Transmission – As card data is transmitted from the terminal to the gateway, there can be points when data is left unencrypted, for example when card data leaves the merchant network. While the movement to EMV Cards will mask this data within computer chips, the only way for a business to protect itself from this vulnerability is to encrypt data at the Point-of-Interaction ("POI"), or in this case, the point at which the card is swiped. 2. Gateway to Bank Transmission – PCI Standards require payment gateways to only transmit data to a select list of IP addresses of certified processors. Payment gateways should halt data transmission to any foreign IP addresses outside of this small, select list. At this point of the payment process, data is leaving the merchant’s system and carries inherent vulnerability since data must be unencrypted before reaching the bank or processor.  3. Strict Network Monitoring/Vulnerability Management Program – PCI DSS requires merchants to regularly track and monitor all access to network resources and cardholder data and regularly test security systems and processes. Without proper follow-through, especially for merchants with small IT departments, this presents a huge burden and vulnerability for a data breach. 4. The Path to Payment Security | Preventing Data Breaches and Protecting Your Business | White Paper 2014 | PAGE1 Four Main Vulnerabilities 1 2 3 4 5 6 7
www.cardconnect.com Major breaches in the retail industry have produced one rallying cry that has become ubiquitous in the news media: EMV (also known as Chip-and-PIN) could have prevented this type of breach. Unfortunately, that is not entirely accurate. Sure, there is no doubt that magnetic stripe credit cards are antiquated technology, as they are extremely simple and inexpensive to replicate. EMV is advantageous as it makes card replication harder and more costly, which is definitely a direct benefit to the cardholder. What EMV does not address is protecting card data when it is in route to the processor, post-authorization storage of card data by the merchant and card-not-present fraud (such as sales via e-commerce, phone and mail).  EMV is Not the Answer Preventing Breach & Fraud On January 1st, 2014, PCI DSS 3.0 went into effect. As the PCI Security Standards Council put it themselves, the updates were based on "feedback from the industry" and "market needs." In essence, PCI DSS is reactionary, not anticipatory. One of the fastest growing methods of payment acceptance – mobile – was hardly addressed.  The Problem with PCI DSS This is understandable. PCI DSS 2.0 was already seen as complex and merchants collectively spent billions to simply be compliant. While 3.0 includes some necessary changes that will heighten the overall security of our national infrastructure for accepting payments, it is predominantly believed that the victims of recent data breaches would still have suffered the same fate had they been compliant with the 3.0 updates. If EMV doesn't protect card data and PCI Compliance doesn't guarantee safety from attacks, how should merchants protect themselves? One technology that could have potentially prevented the damage incurred by recent breaches is P2PE. As soon as a credit card is swiped, the data is encrypted and remains encrypted throughout the merchant’s environment. If a breach were ever to occur on a merchant’s network, the data the thieves stole would be encrypted, rendering it useless. Also, P2PE protects from malware being placed on the POS system. If any foreign application were to be placed on the device, it would stop working immediately.  The Answer is P2PE With the negative repercussions of security breaches and the myriad vulnerabilities in the payment process, the path to payment security can seem daunting. Thankfully, CardConnect has introduced the ideal solution. P2PE The Ideal Solution CardConnect’s Payment Security Solution consists of P2PE hardware that is EMV-ready, our secure payment gateway that utilizes CardSecure™ encryption and tokenization, and a hosted vault that is designed to solely communicate with validated processors. CardConnect’s Payment Security Solution utilizes a P2PE terminal, co-developed with Ingenico, which safeguards a merchant’s customer data from the POI to the point at which it is sent to the processor. By removing sensitive data in this fashion from a merchant’s system, CardConnect allows the merchant to remove itself from PCI Compliance scope. certified P2PE solution will completely remove you from PCI Compliance scope – even taking away the PCI DSS Self-Assessment Questionnaire (“SAQ”). The difficulty for merchants is determining if a vendor’s P2PE claims are valid. Proper due diligence for implementing P2PE technology should include evidence of a proven track record in payment security, a discussion on where the vendor is at in the PCI-certification process, and a fully comprehensive roadmap for implementing a P2PE solution. EMV-Ready CardConnect’s P2PE terminal is EMV-ready, ensuring merchants meet the EMV transition deadline. The card issuers have unanimously identified October 2015 as the date that all merchants must use EMV-compliant terminals. If a merchant fails to adhere to this requirement, the card issuers will transfer the liability of any security breach to the merchant. Removal from PCI Compliance Scope CardConnect’s Payment Security Solution completely removes the merchant from PCI Compliance scope. This means no PCI audits, no vulnerability tests, and no SAQs. The Path to Payment Security | Preventing Data Breaches and Protecting Your Business | White Paper 2014 | PAGE2 P2PE is seen as such a secure approach that using a PCI-
www.cardconnect.com CardConnect has a proven track record in developing security technology for the payments industry. A History of Protecting Payments • 1997: CardConnect builds first payment gateway integrated to SAP for Fortune 500 corporations. • 2004: CardConnect builds CardSecure, a payment card encryption solution for SAP. • 2006: CardConnect's payment gateway validated as PABP Compliant under Visa'a Payment Application Best Practices program. • 2009: CardConnect's payment gateway validated as PA-DSS Compliant and listed on the PCI Security Standards Council website. • 2010: CardConnect's payment gateway validated as PCI-DSS Compliant and listed on Visa Service Provider Registry. • 2012: CardConnect's PANPAD, a terminal that encrypts card data at the point of entry, named winner of Security Products Guide's Global Excellent Award. • 2012: CardConnect's payment gateway with CardSecure becomes the first Oracle Validated Integration for payment acceptance and security. • 2013: CardConnect develops proprietary P2PE solution in response to security risks for point-of-sale transactions. • 2013: CardConnect receives United States patent for token-based payment processing As referenced earlier, proper due diligence for implementing P2PE technology should include evidence of a proven track record in payment security, a discussion on where the vendor is at in the PCI-certification process, and a fully comprehensive roadmap for implementing a P2PE solution.  4 3 Encryption/ Tokenization on swipe Merchant Network Out of PCI Scope CREDIT CARD NUMBER IS TOKENIZED THROUGHOUT Decryption/SSL Terminal = Ingenico ICT 250 with CardSecure Encryption Key Gateway & Vault - Sungard Data Center - HSM (Hardware Security Module) - FIPS140-2 Government Grade Security CardConnect's Payment Security Solution Upon card being swiped, card data is securely sent to the CardConnectVault where it is encrypted and tokenized. An intelligent token (which passes Luhn Test) is transmitted to the Terminal. 1. The token is passed to the merchant's business system. Since no actual card data is being transmitted or stored, the Merchant Network is completely removed from PCI Compliance scope. 2. The token is transmitted via the CardConnect Gateway to the secure, hosted Vault. 3. The card information is securely decrypted and transmitted via Secure Sockets Layer (SSL). 4. The Path to Payment Security | Preventing Data Breaches and Protecting Your Business | White Paper 2014 | PAGE3 TM TM TM
cardconnect.com 484.581.2200 info@cardconnect.com Trusted By [1] Privacy Rights Clearinghouse (as of January 2014) - http://www.privacyrights.org/data-breach [2] Ponemon 2013 Cost of Data Breach Study: Global Analysis - https://www4.symantec.com/mktginfo/whitepaper/053013_GL_NA_WP_ Ponemon-2013-Cost-of-a-Data-Breach-Report_daiNA_cta72382.pdf [3] PlayStation Network Breach Could Cost Sony $24 Billion -http://www.businessinsider.com/playstation-network-breach-could-cost-sony- 24-billion-2011-4 [4] CNBC Interview with Target CEO http://www.cnbc.com/id/101330060 [5] Goldman Sachs estimate on Target breachhttp://money.cnn.com/2014/01/13/investing/target-stock/ [6] 2013 Data Breach Investigations Report - http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report- 2013_en_xg.pdf [7] Stan Lippelman on Target Breach - CNBC http://www.cnbc.com/id/101330258 CardConnect is an innovative payments technology company that designs solutions to safely transmit credit card data. More than 50,000 businesses–including GE, Adobe and the New York Times–use our payment technology and processing services that make accepting payments as simple, easy and secure as possible. The Path to Payment Security | Preventing Data Breaches and Protecting Your Business | White Paper 2014 | PAGE4 Copyright © 2014 CardConnect. All rights reserved.

Recomendados

Hacking Point of Sale
Hacking Point of SaleHacking Point of Sale
Hacking Point of SaleTripwire
 
Chip and Skim: cloning EMV cards with the pre-play attack
Chip and Skim: cloning EMV cards with the pre-play attackChip and Skim: cloning EMV cards with the pre-play attack
Chip and Skim: cloning EMV cards with the pre-play attack- Mark - Fullbright
 
The International Journal of Engineering and Science (The IJES)
The International Journal of Engineering and Science (The IJES)The International Journal of Engineering and Science (The IJES)
The International Journal of Engineering and Science (The IJES)theijes
 
EMV - Is your business ready?
EMV - Is your business ready?EMV - Is your business ready?
EMV - Is your business ready?Shannon Walcott
 
DSS - ITSEC conf - Arcot - Security for eCommerce - Riga Nov2011
DSS - ITSEC conf - Arcot - Security for eCommerce - Riga Nov2011DSS - ITSEC conf - Arcot - Security for eCommerce - Riga Nov2011
DSS - ITSEC conf - Arcot - Security for eCommerce - Riga Nov2011Andris Soroka
 
E Commerce -Security Threats and Challenges
E Commerce -Security Threats and ChallengesE Commerce -Security Threats and Challenges
E Commerce -Security Threats and ChallengesInderjeet Singh
 
Sgsits cyber securityworkshop_4mar2017
Sgsits cyber securityworkshop_4mar2017Sgsits cyber securityworkshop_4mar2017
Sgsits cyber securityworkshop_4mar2017Anil Jain
 
E banking security
E banking securityE banking security
E banking securityIman Rahmanian
 

Recomendados

Hacking Point of Sale
Hacking Point of SaleHacking Point of Sale
Hacking Point of SaleTripwire
 
Chip and Skim: cloning EMV cards with the pre-play attack
Chip and Skim: cloning EMV cards with the pre-play attackChip and Skim: cloning EMV cards with the pre-play attack
Chip and Skim: cloning EMV cards with the pre-play attack- Mark - Fullbright
 
The International Journal of Engineering and Science (The IJES)
The International Journal of Engineering and Science (The IJES)The International Journal of Engineering and Science (The IJES)
The International Journal of Engineering and Science (The IJES)theijes
 
EMV - Is your business ready?
EMV - Is your business ready?EMV - Is your business ready?
EMV - Is your business ready?Shannon Walcott
 
DSS - ITSEC conf - Arcot - Security for eCommerce - Riga Nov2011
DSS - ITSEC conf - Arcot - Security for eCommerce - Riga Nov2011DSS - ITSEC conf - Arcot - Security for eCommerce - Riga Nov2011
DSS - ITSEC conf - Arcot - Security for eCommerce - Riga Nov2011Andris Soroka
 
E Commerce -Security Threats and Challenges
E Commerce -Security Threats and ChallengesE Commerce -Security Threats and Challenges
E Commerce -Security Threats and ChallengesInderjeet Singh
 
Sgsits cyber securityworkshop_4mar2017
Sgsits cyber securityworkshop_4mar2017Sgsits cyber securityworkshop_4mar2017
Sgsits cyber securityworkshop_4mar2017Anil Jain
 
E banking security
E banking securityE banking security
E banking securityIman Rahmanian
 
3-D Secure 2.0
3-D Secure 2.03-D Secure 2.0
3-D Secure 2.0Netcetera
 
E banking & security
E banking & securityE banking & security
E banking & securitySumeer Sharma
 
EMV chip cards
EMV chip cardsEMV chip cards
EMV chip cardsDilip Kumar
 
Mobile payment-security-risk-and-response
Mobile payment-security-risk-and-responseMobile payment-security-risk-and-response
Mobile payment-security-risk-and-responseDESMOND YUEN
 
nonClonableID™ for the Banking Domain
nonClonableID™ for the Banking DomainnonClonableID™ for the Banking Domain
nonClonableID™ for the Banking DomainBilcareltd
 
White paper-safe-secure-payments-master card-approach-usa
White paper-safe-secure-payments-master card-approach-usaWhite paper-safe-secure-payments-master card-approach-usa
White paper-safe-secure-payments-master card-approach-usaCMR WORLD TECH
 
The 3-D Secure Protocol
The 3-D Secure ProtocolThe 3-D Secure Protocol
The 3-D Secure ProtocolVlad Petre
 
Preventing Internet Fraud By Preventing Identity Theft
Preventing Internet Fraud By Preventing Identity TheftPreventing Internet Fraud By Preventing Identity Theft
Preventing Internet Fraud By Preventing Identity TheftDiane M. Metcalf
 
Review on Fraud Detection in Electronic Payment Gateway
Review on Fraud Detection in Electronic Payment GatewayReview on Fraud Detection in Electronic Payment Gateway
Review on Fraud Detection in Electronic Payment GatewayIRJET Journal
 
Ijcsi 9-4-2-457-462
Ijcsi 9-4-2-457-462Ijcsi 9-4-2-457-462
Ijcsi 9-4-2-457-462Hai Nguyen
 
Security consideration with e commerce
Security consideration with e commerceSecurity consideration with e commerce
Security consideration with e commerceStudsPlanet.com
 
IRJET- Credit Card Transaction using Fingerprint Recognisation and Two St...
IRJET- Credit Card Transaction using Fingerprint Recognisation and Two St...IRJET- Credit Card Transaction using Fingerprint Recognisation and Two St...
IRJET- Credit Card Transaction using Fingerprint Recognisation and Two St...IRJET Journal
 
E banking & security concern
E banking & security concernE banking & security concern
E banking & security concernSyed Akhtar-Uz-Zaman
 
Analysis of Security Algorithms used in E-Commerce and ATM Transactions
Analysis of Security Algorithms used in E-Commerce and ATM TransactionsAnalysis of Security Algorithms used in E-Commerce and ATM Transactions
Analysis of Security Algorithms used in E-Commerce and ATM TransactionsIJERD Editor
 
Bhadale group of companies- services catalogue for banking and financial sector
Bhadale group of companies- services catalogue for banking and financial sectorBhadale group of companies- services catalogue for banking and financial sector
Bhadale group of companies- services catalogue for banking and financial sectorVijayananda Mohire
 
Secure PIN Management How to Issue and Change PINs Securely over the Web
Secure PIN Management How to Issue and Change PINs Securely over the WebSecure PIN Management How to Issue and Change PINs Securely over the Web
Secure PIN Management How to Issue and Change PINs Securely over the WebSafeNet
 
Smart Card EMV for Dummies
Smart Card EMV for DummiesSmart Card EMV for Dummies
Smart Card EMV for DummiesSilly Beez
 
Senate_2014_Data_Breach_Testimony_Richey
Senate_2014_Data_Breach_Testimony_RicheySenate_2014_Data_Breach_Testimony_Richey
Senate_2014_Data_Breach_Testimony_RicheyPeter Tran
 
Credit Card Duplication and Crime Prevention Using Biometrics
Credit Card Duplication and Crime Prevention Using BiometricsCredit Card Duplication and Crime Prevention Using Biometrics
Credit Card Duplication and Crime Prevention Using BiometricsIOSR Journals
 
eCommerce Summit Atlanta Mountain Media
eCommerce Summit Atlanta Mountain MediaeCommerce Summit Atlanta Mountain Media
eCommerce Summit Atlanta Mountain MediaeCommerce Merchants
 
Synaesthesia
SynaesthesiaSynaesthesia
Synaesthesiahyleanaanthony
 
Drop in groundwater levels is threat to pakistan's survival
Drop in groundwater levels is threat to pakistan's survivalDrop in groundwater levels is threat to pakistan's survival
Drop in groundwater levels is threat to pakistan's survivalShujaul Mulk Khan
 

Mais conteúdo relacionado

Mais procurados

3-D Secure 2.0
3-D Secure 2.03-D Secure 2.0
3-D Secure 2.0Netcetera
 
E banking & security
E banking & securityE banking & security
E banking & securitySumeer Sharma
 
Mobile payment-security-risk-and-response
Mobile payment-security-risk-and-responseMobile payment-security-risk-and-response
Mobile payment-security-risk-and-responseDESMOND YUEN
 
nonClonableID™ for the Banking Domain
nonClonableID™ for the Banking DomainnonClonableID™ for the Banking Domain
nonClonableID™ for the Banking DomainBilcareltd
 
White paper-safe-secure-payments-master card-approach-usa
White paper-safe-secure-payments-master card-approach-usaWhite paper-safe-secure-payments-master card-approach-usa
White paper-safe-secure-payments-master card-approach-usaCMR WORLD TECH
 
The 3-D Secure Protocol
The 3-D Secure ProtocolThe 3-D Secure Protocol
The 3-D Secure ProtocolVlad Petre
 
Preventing Internet Fraud By Preventing Identity Theft
Preventing Internet Fraud By Preventing Identity TheftPreventing Internet Fraud By Preventing Identity Theft
Preventing Internet Fraud By Preventing Identity TheftDiane M. Metcalf
 
Review on Fraud Detection in Electronic Payment Gateway
Review on Fraud Detection in Electronic Payment GatewayReview on Fraud Detection in Electronic Payment Gateway
Review on Fraud Detection in Electronic Payment GatewayIRJET Journal
 
Ijcsi 9-4-2-457-462
Ijcsi 9-4-2-457-462Ijcsi 9-4-2-457-462
Ijcsi 9-4-2-457-462Hai Nguyen
 
Security consideration with e commerce
Security consideration with e commerceSecurity consideration with e commerce
Security consideration with e commerceStudsPlanet.com
 
IRJET- Credit Card Transaction using Fingerprint Recognisation and Two St...
IRJET- Credit Card Transaction using Fingerprint Recognisation and Two St...IRJET- Credit Card Transaction using Fingerprint Recognisation and Two St...
IRJET- Credit Card Transaction using Fingerprint Recognisation and Two St...IRJET Journal
 
Analysis of Security Algorithms used in E-Commerce and ATM Transactions
Analysis of Security Algorithms used in E-Commerce and ATM TransactionsAnalysis of Security Algorithms used in E-Commerce and ATM Transactions
Analysis of Security Algorithms used in E-Commerce and ATM TransactionsIJERD Editor
 
Bhadale group of companies- services catalogue for banking and financial sector
Bhadale group of companies- services catalogue for banking and financial sectorBhadale group of companies- services catalogue for banking and financial sector
Bhadale group of companies- services catalogue for banking and financial sectorVijayananda Mohire
 
Secure PIN Management How to Issue and Change PINs Securely over the Web
Secure PIN Management How to Issue and Change PINs Securely over the WebSecure PIN Management How to Issue and Change PINs Securely over the Web
Secure PIN Management How to Issue and Change PINs Securely over the WebSafeNet
 
Smart Card EMV for Dummies
Smart Card EMV for DummiesSmart Card EMV for Dummies
Smart Card EMV for DummiesSilly Beez
 
Senate_2014_Data_Breach_Testimony_Richey
Senate_2014_Data_Breach_Testimony_RicheySenate_2014_Data_Breach_Testimony_Richey
Senate_2014_Data_Breach_Testimony_RicheyPeter Tran
 
Credit Card Duplication and Crime Prevention Using Biometrics
Credit Card Duplication and Crime Prevention Using BiometricsCredit Card Duplication and Crime Prevention Using Biometrics
Credit Card Duplication and Crime Prevention Using BiometricsIOSR Journals
 
eCommerce Summit Atlanta Mountain Media
eCommerce Summit Atlanta Mountain MediaeCommerce Summit Atlanta Mountain Media
eCommerce Summit Atlanta Mountain MediaeCommerce Merchants
 

Mais procurados (20)

3-D Secure 2.0
3-D Secure 2.03-D Secure 2.0
3-D Secure 2.0
 
E banking & security
E banking & securityE banking & security
E banking & security
 
EMV chip cards
EMV chip cardsEMV chip cards
EMV chip cards
 
Mobile payment-security-risk-and-response
Mobile payment-security-risk-and-responseMobile payment-security-risk-and-response
Mobile payment-security-risk-and-response
 
nonClonableID™ for the Banking Domain
nonClonableID™ for the Banking DomainnonClonableID™ for the Banking Domain
nonClonableID™ for the Banking Domain
 
White paper-safe-secure-payments-master card-approach-usa
White paper-safe-secure-payments-master card-approach-usaWhite paper-safe-secure-payments-master card-approach-usa
White paper-safe-secure-payments-master card-approach-usa
 
The 3-D Secure Protocol
The 3-D Secure ProtocolThe 3-D Secure Protocol
The 3-D Secure Protocol
 
Preventing Internet Fraud By Preventing Identity Theft
Preventing Internet Fraud By Preventing Identity TheftPreventing Internet Fraud By Preventing Identity Theft
Preventing Internet Fraud By Preventing Identity Theft
 
Review on Fraud Detection in Electronic Payment Gateway
Review on Fraud Detection in Electronic Payment GatewayReview on Fraud Detection in Electronic Payment Gateway
Review on Fraud Detection in Electronic Payment Gateway
 
Ijcsi 9-4-2-457-462
Ijcsi 9-4-2-457-462Ijcsi 9-4-2-457-462
Ijcsi 9-4-2-457-462
 
Security consideration with e commerce
Security consideration with e commerceSecurity consideration with e commerce
Security consideration with e commerce
 
IRJET- Credit Card Transaction using Fingerprint Recognisation and Two St...
IRJET- Credit Card Transaction using Fingerprint Recognisation and Two St...IRJET- Credit Card Transaction using Fingerprint Recognisation and Two St...
IRJET- Credit Card Transaction using Fingerprint Recognisation and Two St...
 
E banking & security concern
E banking & security concernE banking & security concern
E banking & security concern
 
Analysis of Security Algorithms used in E-Commerce and ATM Transactions
Analysis of Security Algorithms used in E-Commerce and ATM TransactionsAnalysis of Security Algorithms used in E-Commerce and ATM Transactions
Analysis of Security Algorithms used in E-Commerce and ATM Transactions
 
Bhadale group of companies- services catalogue for banking and financial sector
Bhadale group of companies- services catalogue for banking and financial sectorBhadale group of companies- services catalogue for banking and financial sector
Bhadale group of companies- services catalogue for banking and financial sector
 
Secure PIN Management How to Issue and Change PINs Securely over the Web
Secure PIN Management How to Issue and Change PINs Securely over the WebSecure PIN Management How to Issue and Change PINs Securely over the Web
Secure PIN Management How to Issue and Change PINs Securely over the Web
 
Smart Card EMV for Dummies
Smart Card EMV for DummiesSmart Card EMV for Dummies
Smart Card EMV for Dummies
 
Senate_2014_Data_Breach_Testimony_Richey
Senate_2014_Data_Breach_Testimony_RicheySenate_2014_Data_Breach_Testimony_Richey
Senate_2014_Data_Breach_Testimony_Richey
 
Credit Card Duplication and Crime Prevention Using Biometrics
Credit Card Duplication and Crime Prevention Using BiometricsCredit Card Duplication and Crime Prevention Using Biometrics
Credit Card Duplication and Crime Prevention Using Biometrics
 
eCommerce Summit Atlanta Mountain Media
eCommerce Summit Atlanta Mountain MediaeCommerce Summit Atlanta Mountain Media
eCommerce Summit Atlanta Mountain Media
 

Destaque

Drop in groundwater levels is threat to pakistan's survival
Drop in groundwater levels is threat to pakistan's survivalDrop in groundwater levels is threat to pakistan's survival
Drop in groundwater levels is threat to pakistan's survivalShujaul Mulk Khan
 
SRI SUWANTI - MIP- Latihan 24
SRI SUWANTI - MIP- Latihan 24SRI SUWANTI - MIP- Latihan 24
SRI SUWANTI - MIP- Latihan 24Sri Suwanti
 
How to develop a data scientist – What business has requested v02
How to develop a data scientist – What business has requested v02How to develop a data scientist – What business has requested v02
How to develop a data scientist – What business has requested v02Data Science London
 
Ig1 task 2 analysis work sheet halo 3
Ig1 task 2 analysis work sheet halo 3Ig1 task 2 analysis work sheet halo 3
Ig1 task 2 analysis work sheet halo 3halo4robo
 
2016 EDI Mini-MBA New Energy Realities and Leadership
2016 EDI Mini-MBA New Energy Realities and Leadership2016 EDI Mini-MBA New Energy Realities and Leadership
2016 EDI Mini-MBA New Energy Realities and LeadershipEnergy for One World
 
How Smart is Your Smart Card?
How Smart is Your Smart Card?How Smart is Your Smart Card?
How Smart is Your Smart Card?Neal Lathia
 
Textual analysis of thriller
Textual analysis of thrillerTextual analysis of thriller
Textual analysis of thrillerTammy Baldwin
 
Thermally Broken Facades Webinar
Thermally Broken Facades WebinarThermally Broken Facades Webinar
Thermally Broken Facades WebinarLaura Sheridan
 
Star theory – richard dyer
Star theory – richard dyerStar theory – richard dyer
Star theory – richard dyerniamhbarrett
 
BIO DATA SHEET
BIO DATA SHEETBIO DATA SHEET
BIO DATA SHEETOmair Ayaz
 
COMPLETE ISSB BOOK.
COMPLETE ISSB BOOK.COMPLETE ISSB BOOK.
COMPLETE ISSB BOOK.Omair Ayaz
 
Entrepreneurship and expansion into foreign countries
Entrepreneurship and expansion into foreign countriesEntrepreneurship and expansion into foreign countries
Entrepreneurship and expansion into foreign countriesVladas Sapranavicius
 

Destaque (16)

Synaesthesia
SynaesthesiaSynaesthesia
Synaesthesia
 
Drop in groundwater levels is threat to pakistan's survival
Drop in groundwater levels is threat to pakistan's survivalDrop in groundwater levels is threat to pakistan's survival
Drop in groundwater levels is threat to pakistan's survival
 
SRI SUWANTI - MIP- Latihan 24
SRI SUWANTI - MIP- Latihan 24SRI SUWANTI - MIP- Latihan 24
SRI SUWANTI - MIP- Latihan 24
 
How to develop a data scientist – What business has requested v02
How to develop a data scientist – What business has requested v02How to develop a data scientist – What business has requested v02
How to develop a data scientist – What business has requested v02
 
Ig1 task 2 analysis work sheet halo 3
Ig1 task 2 analysis work sheet halo 3Ig1 task 2 analysis work sheet halo 3
Ig1 task 2 analysis work sheet halo 3
 
2016 EDI Mini-MBA New Energy Realities and Leadership
2016 EDI Mini-MBA New Energy Realities and Leadership2016 EDI Mini-MBA New Energy Realities and Leadership
2016 EDI Mini-MBA New Energy Realities and Leadership
 
How Smart is Your Smart Card?
How Smart is Your Smart Card?How Smart is Your Smart Card?
How Smart is Your Smart Card?
 
Textual analysis of thriller
Textual analysis of thrillerTextual analysis of thriller
Textual analysis of thriller
 
Thermally Broken Facades Webinar
Thermally Broken Facades WebinarThermally Broken Facades Webinar
Thermally Broken Facades Webinar
 
Star theory – richard dyer
Star theory – richard dyerStar theory – richard dyer
Star theory – richard dyer
 
Shot list say it
Shot list say itShot list say it
Shot list say it
 
healing gardens in hospitals
healing gardens in hospitalshealing gardens in hospitals
healing gardens in hospitals
 
BIO DATA SHEET
BIO DATA SHEETBIO DATA SHEET
BIO DATA SHEET
 
COMPLETE ISSB BOOK.
COMPLETE ISSB BOOK.COMPLETE ISSB BOOK.
COMPLETE ISSB BOOK.
 
Aula 01
Aula 01Aula 01
Aula 01
 
Entrepreneurship and expansion into foreign countries
Entrepreneurship and expansion into foreign countriesEntrepreneurship and expansion into foreign countries
Entrepreneurship and expansion into foreign countries
 

Semelhante a The Path to Payment Security

key-trends-in-merchant-security
key-trends-in-merchant-securitykey-trends-in-merchant-security
key-trends-in-merchant-securityKerri Lorch
 
Data Breach Prevention - Start with your POS Terminal!
Data Breach Prevention - Start with your POS Terminal!Data Breach Prevention - Start with your POS Terminal!
Data Breach Prevention - Start with your POS Terminal!Halo Metrics
 
Demystifying Attacks on Point of Sales Systems
Demystifying Attacks on Point of Sales SystemsDemystifying Attacks on Point of Sales Systems
Demystifying Attacks on Point of Sales SystemsSymantec
 
QSecure Presentation at RSA 2011
QSecure Presentation at RSA 2011QSecure Presentation at RSA 2011
QSecure Presentation at RSA 2011jhatch9418
 
EMV: Preparing for Changes to the Retail Payment Process
EMV: Preparing for Changes to the Retail Payment ProcessEMV: Preparing for Changes to the Retail Payment Process
EMV: Preparing for Changes to the Retail Payment Process- Mark - Fullbright
 
Cryptomathic white paper 2fa for banking
Cryptomathic white paper 2fa for bankingCryptomathic white paper 2fa for banking
Cryptomathic white paper 2fa for bankingHai Nguyen
 
All You Wanted To Know About Top Online Payment Security Methods.pptx
All You Wanted To Know About Top Online Payment Security Methods.pptxAll You Wanted To Know About Top Online Payment Security Methods.pptx
All You Wanted To Know About Top Online Payment Security Methods.pptxITIO Innovex
 
Small_Merchant_Guide_to_Safe_Payments
Small_Merchant_Guide_to_Safe_PaymentsSmall_Merchant_Guide_to_Safe_Payments
Small_Merchant_Guide_to_Safe_PaymentsSteve Abrams
 
Attacks on Point-of-Sales Systems | RapidSSLonline
Attacks on Point-of-Sales Systems | RapidSSLonlineAttacks on Point-of-Sales Systems | RapidSSLonline
Attacks on Point-of-Sales Systems | RapidSSLonlineRapidSSLOnline.com
 
Attacks on Point of Sale systems - By Symantec
Attacks on Point of Sale systems - By SymantecAttacks on Point of Sale systems - By Symantec
Attacks on Point of Sale systems - By SymantecCheapSSLsecurity
 
A Case Study on Payment Card Industry Data Security Standards
A Case Study on Payment Card Industry Data Security StandardsA Case Study on Payment Card Industry Data Security Standards
A Case Study on Payment Card Industry Data Security StandardsVictor Oluwajuwon Badejo
 
Tokenization: What's Next After PCI?
Tokenization: What's Next After PCI?Tokenization: What's Next After PCI?
Tokenization: What's Next After PCI?EMC
 
PCI Compliance Report
PCI Compliance ReportPCI Compliance Report
PCI Compliance ReportHolly Vega
 
The Rise of Card Not Present Crime in Contact Centers
The Rise of Card Not Present Crime in Contact CentersThe Rise of Card Not Present Crime in Contact Centers
The Rise of Card Not Present Crime in Contact CentersEckoh
 
The Easy WAy to Accept & Protect Credit Card Data
The Easy WAy to Accept & Protect Credit Card DataThe Easy WAy to Accept & Protect Credit Card Data
The Easy WAy to Accept & Protect Credit Card DataTyler Hannan
 
Secure payments slick
Secure payments slick Secure payments slick
Secure payments slick gensoftpro
 

Semelhante a The Path to Payment Security (20)

key-trends-in-merchant-security
key-trends-in-merchant-securitykey-trends-in-merchant-security
key-trends-in-merchant-security
 
Data Breach Prevention - Start with your POS Terminal!
Data Breach Prevention - Start with your POS Terminal!Data Breach Prevention - Start with your POS Terminal!
Data Breach Prevention - Start with your POS Terminal!
 
Demystifying Attacks on Point of Sales Systems
Demystifying Attacks on Point of Sales SystemsDemystifying Attacks on Point of Sales Systems
Demystifying Attacks on Point of Sales Systems
 
QSecure Presentation at RSA 2011
QSecure Presentation at RSA 2011QSecure Presentation at RSA 2011
QSecure Presentation at RSA 2011
 
EMV: Preparing for Changes to the Retail Payment Process
EMV: Preparing for Changes to the Retail Payment ProcessEMV: Preparing for Changes to the Retail Payment Process
EMV: Preparing for Changes to the Retail Payment Process
 
E-commerce Security
E-commerce SecurityE-commerce Security
E-commerce Security
 
Cryptomathic white paper 2fa for banking
Cryptomathic white paper 2fa for bankingCryptomathic white paper 2fa for banking
Cryptomathic white paper 2fa for banking
 
All You Wanted To Know About Top Online Payment Security Methods.pptx
All You Wanted To Know About Top Online Payment Security Methods.pptxAll You Wanted To Know About Top Online Payment Security Methods.pptx
All You Wanted To Know About Top Online Payment Security Methods.pptx
 
Small_Merchant_Guide_to_Safe_Payments
Small_Merchant_Guide_to_Safe_PaymentsSmall_Merchant_Guide_to_Safe_Payments
Small_Merchant_Guide_to_Safe_Payments
 
Attacks on Point-of-Sales Systems | RapidSSLonline
Attacks on Point-of-Sales Systems | RapidSSLonlineAttacks on Point-of-Sales Systems | RapidSSLonline
Attacks on Point-of-Sales Systems | RapidSSLonline
 
Attacks on Point of Sale systems - By Symantec
Attacks on Point of Sale systems - By SymantecAttacks on Point of Sale systems - By Symantec
Attacks on Point of Sale systems - By Symantec
 
A Case Study on Payment Card Industry Data Security Standards
A Case Study on Payment Card Industry Data Security StandardsA Case Study on Payment Card Industry Data Security Standards
A Case Study on Payment Card Industry Data Security Standards
 
SBMS EMV Doc
SBMS EMV Doc SBMS EMV Doc
SBMS EMV Doc
 
Tokenization: What's Next After PCI?
Tokenization: What's Next After PCI?Tokenization: What's Next After PCI?
Tokenization: What's Next After PCI?
 
PCI Compliance Process
PCI Compliance ProcessPCI Compliance Process
PCI Compliance Process
 
PCI Compliance Report
PCI Compliance ReportPCI Compliance Report
PCI Compliance Report
 
The Rise of Card Not Present Crime in Contact Centers
The Rise of Card Not Present Crime in Contact CentersThe Rise of Card Not Present Crime in Contact Centers
The Rise of Card Not Present Crime in Contact Centers
 
The Easy WAy to Accept & Protect Credit Card Data
The Easy WAy to Accept & Protect Credit Card DataThe Easy WAy to Accept & Protect Credit Card Data
The Easy WAy to Accept & Protect Credit Card Data
 
Secure payments slick
Secure payments slick Secure payments slick
Secure payments slick
 
Tokenization
TokenizationTokenization
Tokenization
 

The Path to Payment Security

  • 1. www.cardconnect.com The Path to Payment Security A Clear Approach to Preventing Data Breaches and Protecting Your Business Cybercrime is not only increasing in frequency, it’s increasing in cost. With more sophisticated hacking methods constantly being developed, the danger of storing sensitive information is rapidly increasing. Recently, the massive Target data breach has taken over headlines. With up to 110 million customers at risk and a $1.2 billion potential price tag, their brand and bottom line are in jeopardy. Despite EMV “Chip-and-PIN” technology being heralded by the media as the answer to payment data breaches, it simply is not true. In this document, we delve into the problems EMV and PCI 3.0 leave unsolved and offer a comprehensive solution through a combination of EMV, P2PE (Point-to-Point Encryption), Tokenization, and a secure, hosted Vault. By preparing merchants for EMV technology and taking them out of PCI Compliance scope, the risk of compromised data and the cost of constantly having to monitor your system for breaches are removed. Robert Nathan Chief Technology Officer Rush Taggart Chief Security Officer
  • 2. In reality, the number is actually much higher because for many of the breaches included, the number of compromised records is unknown. These security breaches not only negatively impacted the reputation of the companies involved, but also cost them significant amounts of money in lawsuits and fines. A 2013 study found that the merchant cost to a data breach victim is around $200 per compromised record. www.cardconnect.com The Emergence of the Data Breach In recent years as hackers have become more sophisticated, these attacks have increased in frequency and effectiveness. In 2011, Sony’s Playstation Network had to be shut down due to a major data breach, resulting in a class-action lawsuit and costs that have been estimated at up to $24 billion. Most recently, Target has been in the spotlight for their massive data breach. Target CEO Gregg Steinhafel confirmed to CNBC that the breach was caused by malware installed on Point-of-Sale (”POS”) systems. Between lawsuits, government fines, and reimbursements to customers, Goldman Sachs estimates total costs incurred by Target could be $1.2 billion. What should worry merchants most is the only thing unusual about the Target hack was its size—Target was one of over 600 security breaches in 2013 alone. Because Target likely invests heavily in security, this breach confirms vulnerabilities exist in current systems. As Stan Lippelman, VP of Marketing at Bass Pro Shops, puts it, “We feel very comfortable…But, the fact that it happens to Target means it can happen to anybody, right?” Over 600 million records have been compromised in the United States since January 2005. Where Your Payments Are at Risk There are underlying vulnerabilities in the payment process for any given business or company due to the exchange of data between systems, the sensitive nature of that data, and the requirements and standards set forth by the Payment Card Industry (“PCI”) Security Standards Council, which serves as the governing body of the payment processing industry. Point-of-Sale/Terminal – In many recent breaches, credit and debit cards were compromised by malware installed on POS systems. With Point-to-Point-Encryption (”P2PE”) technology, these malware attacks would be prevented. P2PE hardware is designed to stop functioning if any foreign code or application is installed on the device. 1. Terminal to Gateway Transmission – As card data is transmitted from the terminal to the gateway, there can be points when data is left unencrypted, for example when card data leaves the merchant network. While the movement to EMV Cards will mask this data within computer chips, the only way for a business to protect itself from this vulnerability is to encrypt data at the Point-of-Interaction ("POI"), or in this case, the point at which the card is swiped. 2. Gateway to Bank Transmission – PCI Standards require payment gateways to only transmit data to a select list of IP addresses of certified processors. Payment gateways should halt data transmission to any foreign IP addresses outside of this small, select list. At this point of the payment process, data is leaving the merchant’s system and carries inherent vulnerability since data must be unencrypted before reaching the bank or processor.  3. Strict Network Monitoring/Vulnerability Management Program – PCI DSS requires merchants to regularly track and monitor all access to network resources and cardholder data and regularly test security systems and processes. Without proper follow-through, especially for merchants with small IT departments, this presents a huge burden and vulnerability for a data breach. 4. The Path to Payment Security | Preventing Data Breaches and Protecting Your Business | White Paper 2014 | PAGE1 Four Main Vulnerabilities 1 2 3 4 5 6 7
  • 3. www.cardconnect.com Major breaches in the retail industry have produced one rallying cry that has become ubiquitous in the news media: EMV (also known as Chip-and-PIN) could have prevented this type of breach. Unfortunately, that is not entirely accurate. Sure, there is no doubt that magnetic stripe credit cards are antiquated technology, as they are extremely simple and inexpensive to replicate. EMV is advantageous as it makes card replication harder and more costly, which is definitely a direct benefit to the cardholder. What EMV does not address is protecting card data when it is in route to the processor, post-authorization storage of card data by the merchant and card-not-present fraud (such as sales via e-commerce, phone and mail).  EMV is Not the Answer Preventing Breach & Fraud On January 1st, 2014, PCI DSS 3.0 went into effect. As the PCI Security Standards Council put it themselves, the updates were based on "feedback from the industry" and "market needs." In essence, PCI DSS is reactionary, not anticipatory. One of the fastest growing methods of payment acceptance – mobile – was hardly addressed.  The Problem with PCI DSS This is understandable. PCI DSS 2.0 was already seen as complex and merchants collectively spent billions to simply be compliant. While 3.0 includes some necessary changes that will heighten the overall security of our national infrastructure for accepting payments, it is predominantly believed that the victims of recent data breaches would still have suffered the same fate had they been compliant with the 3.0 updates. If EMV doesn't protect card data and PCI Compliance doesn't guarantee safety from attacks, how should merchants protect themselves? One technology that could have potentially prevented the damage incurred by recent breaches is P2PE. As soon as a credit card is swiped, the data is encrypted and remains encrypted throughout the merchant’s environment. If a breach were ever to occur on a merchant’s network, the data the thieves stole would be encrypted, rendering it useless. Also, P2PE protects from malware being placed on the POS system. If any foreign application were to be placed on the device, it would stop working immediately.  The Answer is P2PE With the negative repercussions of security breaches and the myriad vulnerabilities in the payment process, the path to payment security can seem daunting. Thankfully, CardConnect has introduced the ideal solution. P2PE The Ideal Solution CardConnect’s Payment Security Solution consists of P2PE hardware that is EMV-ready, our secure payment gateway that utilizes CardSecure™ encryption and tokenization, and a hosted vault that is designed to solely communicate with validated processors. CardConnect’s Payment Security Solution utilizes a P2PE terminal, co-developed with Ingenico, which safeguards a merchant’s customer data from the POI to the point at which it is sent to the processor. By removing sensitive data in this fashion from a merchant’s system, CardConnect allows the merchant to remove itself from PCI Compliance scope. certified P2PE solution will completely remove you from PCI Compliance scope – even taking away the PCI DSS Self-Assessment Questionnaire (“SAQ”). The difficulty for merchants is determining if a vendor’s P2PE claims are valid. Proper due diligence for implementing P2PE technology should include evidence of a proven track record in payment security, a discussion on where the vendor is at in the PCI-certification process, and a fully comprehensive roadmap for implementing a P2PE solution. EMV-Ready CardConnect’s P2PE terminal is EMV-ready, ensuring merchants meet the EMV transition deadline. The card issuers have unanimously identified October 2015 as the date that all merchants must use EMV-compliant terminals. If a merchant fails to adhere to this requirement, the card issuers will transfer the liability of any security breach to the merchant. Removal from PCI Compliance Scope CardConnect’s Payment Security Solution completely removes the merchant from PCI Compliance scope. This means no PCI audits, no vulnerability tests, and no SAQs. The Path to Payment Security | Preventing Data Breaches and Protecting Your Business | White Paper 2014 | PAGE2 P2PE is seen as such a secure approach that using a PCI-
  • 4. www.cardconnect.com CardConnect has a proven track record in developing security technology for the payments industry. A History of Protecting Payments • 1997: CardConnect builds first payment gateway integrated to SAP for Fortune 500 corporations. • 2004: CardConnect builds CardSecure, a payment card encryption solution for SAP. • 2006: CardConnect's payment gateway validated as PABP Compliant under Visa'a Payment Application Best Practices program. • 2009: CardConnect's payment gateway validated as PA-DSS Compliant and listed on the PCI Security Standards Council website. • 2010: CardConnect's payment gateway validated as PCI-DSS Compliant and listed on Visa Service Provider Registry. • 2012: CardConnect's PANPAD, a terminal that encrypts card data at the point of entry, named winner of Security Products Guide's Global Excellent Award. • 2012: CardConnect's payment gateway with CardSecure becomes the first Oracle Validated Integration for payment acceptance and security. • 2013: CardConnect develops proprietary P2PE solution in response to security risks for point-of-sale transactions. • 2013: CardConnect receives United States patent for token-based payment processing As referenced earlier, proper due diligence for implementing P2PE technology should include evidence of a proven track record in payment security, a discussion on where the vendor is at in the PCI-certification process, and a fully comprehensive roadmap for implementing a P2PE solution.  4 3 Encryption/ Tokenization on swipe Merchant Network Out of PCI Scope CREDIT CARD NUMBER IS TOKENIZED THROUGHOUT Decryption/SSL Terminal = Ingenico ICT 250 with CardSecure Encryption Key Gateway & Vault - Sungard Data Center - HSM (Hardware Security Module) - FIPS140-2 Government Grade Security CardConnect's Payment Security Solution Upon card being swiped, card data is securely sent to the CardConnectVault where it is encrypted and tokenized. An intelligent token (which passes Luhn Test) is transmitted to the Terminal. 1. The token is passed to the merchant's business system. Since no actual card data is being transmitted or stored, the Merchant Network is completely removed from PCI Compliance scope. 2. The token is transmitted via the CardConnect Gateway to the secure, hosted Vault. 3. The card information is securely decrypted and transmitted via Secure Sockets Layer (SSL). 4. The Path to Payment Security | Preventing Data Breaches and Protecting Your Business | White Paper 2014 | PAGE3 TM TM TM
  • 5. cardconnect.com 484.581.2200 info@cardconnect.com Trusted By [1] Privacy Rights Clearinghouse (as of January 2014) - http://www.privacyrights.org/data-breach [2] Ponemon 2013 Cost of Data Breach Study: Global Analysis - https://www4.symantec.com/mktginfo/whitepaper/053013_GL_NA_WP_ Ponemon-2013-Cost-of-a-Data-Breach-Report_daiNA_cta72382.pdf [3] PlayStation Network Breach Could Cost Sony $24 Billion -http://www.businessinsider.com/playstation-network-breach-could-cost-sony- 24-billion-2011-4 [4] CNBC Interview with Target CEO http://www.cnbc.com/id/101330060 [5] Goldman Sachs estimate on Target breachhttp://money.cnn.com/2014/01/13/investing/target-stock/ [6] 2013 Data Breach Investigations Report - http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report- 2013_en_xg.pdf [7] Stan Lippelman on Target Breach - CNBC http://www.cnbc.com/id/101330258 CardConnect is an innovative payments technology company that designs solutions to safely transmit credit card data. More than 50,000 businesses–including GE, Adobe and the New York Times–use our payment technology and processing services that make accepting payments as simple, easy and secure as possible. The Path to Payment Security | Preventing Data Breaches and Protecting Your Business | White Paper 2014 | PAGE4 Copyright © 2014 CardConnect. All rights reserved.