
Cost Of A Breach Case Study and PCI Prioritization


DESCRIPTION

We’re often asked what does a data breach cost? It varies and some of the fines seem subjective. We outline a Case Study to educate retailers to the kind of significant exposure they face for not protecting their business. Next, the PCI Standards Council has outlined areas to secure by Prioritization. We offer details.


Page 1: Cost Of A Breach Case Study and PCI Prioritization

Where We Stand.

Costs of a Data Breach Case Study

PCI Prioritization

Presentation by: Ross Federgreen*

*Founder, CSRSI® THE PAYMENT ADVISORS

Page 2

PCI Critical Dates

Prioritization

PCI Breach Costs

Page 3

PCI Critical Dates

Page 4

ALIGNMENT July 1, 2010

US Payment Application Security Mandate

Phase I through Phase V

TDES Mandate

POS PIN Acceptance Device Mandate

Page 5

US Payment Application Security Mandate (CISP 102307)

Phase I through Phase V

Phase I Jan 1, 2008

Phase II July 1, 2008

Phase III Oct 1, 2008

Phase IV Oct 1, 2009

Phase V July 1, 2010

Page 6

US Payment Application Security Mandate (CISP 102307)

Phase I through Phase V

Phase I Jan 1, 2008

Newly boarded merchants must not use known vulnerable payment applications, and VisaNet Processors (VNPs) and agents must not certify new payment applications to their platforms that are known vulnerable payment applications.

Page 7

US Payment Application Security Mandate (CISP 102307)

Phase I through Phase V

Phase II July 1, 2008

VNPs and agents must only certify new payment applications to their platforms that are PA-DSS compliant applications.

Page 8

US Payment Application Security Mandate (CISP 102307)

Phase I through Phase V

Phase III October 1, 2008

Newly boarded Level 3 and 4 merchants must be PCI DSS compliant or use PA-DSS compliant applications.

Page 9

US Payment Application Security Mandate (CISP 102307)

Phase I through Phase V

Phase IV October 1, 2009

VNPs and agents must decertify all vulnerable payment applications.

Page 10

US Payment Application Security Mandate (CISP 102307)

Phase I through Phase V

Phase V July 1, 2009

Acquirers must ensure their members, VNPs and agents use only PA-DSS compliant applications.

Page 11

Triple Data Encryption Standard (TDES) Mandate (PIN Security Bulletin 093008)

Phase I through Phase II

Phase I January 1, 2009

Newly deployed US Automated Fuel Dispensers must contain a TDES-capable and PCI-approved Encrypting PIN Pad.

Page 12

Triple Data Encryption Standard (TDES) Mandate (PIN Security Bulletin 093008)

Phase I through Phase III

Phase II July 1, 2010

All US POS PEDs must be encrypting PINs using TDES end-to-end.

Page 13

POS PIN mandate (PIN Security Bulletin 093008)

July 1, 2010

All attended POS PIN acceptance device models must have passed testing by a PCI-recognized or pre-PCI-recognized laboratory and have been approved by Visa.

Page 14

PRIORITIZATION

Page 15

PRIORITIZATION

“The prioritized approach provides guidance that will help merchants identify how to reduce risk to cardholder data as early on as possible in their compliance journey.”

PCI Security Standards Council, 2009

Page 16

PRIORITIZATION

The Prioritized Approach

Benefits:

1. Roadmap
2. Pragmatic approach
3. Supports financial and operational planning
4. Objective and measured progress indicators
5. Consistency among QSAs

Page 17

PRIORITIZATION

The Prioritized Approach

Six security milestones:

1. Remove sensitive authentication data and limit data retention
2. Protect the perimeter, internal and wireless networks
3. Secure payment card applications
4. Monitor and control access to your system
5. Protect stored cardholder data
6. Finalize remaining compliance efforts and ensure all controls are in place

Page 18

PCI BREACH COSTS

Page 19

Total direct costs to a merchant from a PCI event include:

Card replacement costs now averaging about $4 per item

Compliance fines now ranging from about $5,000 to $50,000 per event for a small merchant (Level III, IV)

Cost of forensic examination averaging between $25,000 and $35,000 per event for Level III and IV merchants

Additional fines for actual fraudulent use of the stolen PANs, which vary

Page 20

Total direct costs to a merchant from a PCI event include:

Case Study: July, 2008

A small card-present retailer was breached. The retailer had filled out a self-assessment form and attested to the acquirer that the information was true and correct.

The merchant was found to have stored over 2,000 credit card numbers in an accounting system for “reference” and to bill clients “if they forgot their credit card number”.

The CPU was stolen during a robbery, the file was accessed and the credit card numbers were taken. A CPP (common point of purchase) analysis of the affected cards revealed the location of the theft.

Page 21

Total direct costs to a merchant from a PCI event include:

Replacement Cost        $ 5,000
Compliance Fine         $12,500
Forensic Examination    $25,000
Card Utilization Fines  $74,398.47

TOTAL $116,898.47

Page 22

The merchant also sustained significant reputational cost due to adverse publicity, legal fees, loss of business and other expenses.

The merchant filed for protection under bankruptcy.

The amounts due were assessed to the ISO by the acquirer.

Visa fined the ISO additional fees following an examination, under VBR 07508, of the ISO's practices as they relate to PCI adoption and its plan for the portfolio after the initial event.

The ISO sustained a financial loss of $189,354.45.

Page 23

Study: Maine Bureau of Financial Institutions, January 2009

Study design: Cost of the TJX and Hannaford breaches borne by Maine-chartered banks and credit unions

                TJX              Hannaford
Institutions    52               71
Accounts        64,825           243,599
Recovery*       $485,000         $1,500,000

*Recovery cost: investigation, communication, reissuance and net fraud

Page 24

Study: Ponemon Institute, February 2009

Study design: Cost of compromise to 43 companies in 2008. Each company volunteered under the condition of anonymity.

Year   Cost per breach   Cost per record   External third party
2008   $6.6 million      $202              44%
2007   $6.3 million      $193              40%
2006   $4.7 million      $186              29%

Page 25

Do you have questions about how to strategically plan for PII legislation?

Would you like advice or complete guidance on how to evaluate PII access, storage, and handling in your business?

Contact us. We’re glad to help. Read more at www.CSRSI.com

Ross Federgreen                Jan Carroza
866-462-7774 x1
[email protected]               [email protected]
Jensen Beach, FL               Seattle, WA