
Page 1: EMV and the Future of Payments - North Texas ISSA · 2016-08-27 · EMV Highlights •Widely adopted 1990s technology •Designed to facilitate offline transactions & minimize card-present

@NTXISSA #NTXISSACSC3

EMV and the Future of Payments

Dr. Branden Williams

@BrandenWilliams

http://www.brandenwilliams.com/

2 October 2015

Page 2:

The Threat Landscape

Page 3:

How many states currently have data breach legislation on the books?

Page 4:

How many questions are asked to Siri in any given minute?

Page 5:

According to the National Association of Federal Credit Unions, what was the average amount spent by member institutions on merchant data breaches in 2014?

Page 6:

FUN STUFF GOES HERE

Sorry, had to be present!

Page 7:

The Results of a Data Breach Cause Significant Impacts Across Business Operations


Diagram: impacts of a data breach

• Reputational Risk Damage

• Negative Impact to Your Brand

• Investigation of Breach

• Fines/Liability

• Loss of Confidential Business Information

• Remediation of Breach

Page 8:

The Cost of a Data Breach is Staggering

•Since 2013, many major retailers experienced data breaches:


Reject cost-per-record estimates, just understand it’s expensive.

Page 9:

Four Key Cyber Assets Targeted by Criminals


POS Environments

• 49% of POS intrusions account for 40% of all assets targets.

• If a POS is attacked, it is most likely the business will be US based.

Credit Cards

• 49% of breach investigations involved Personally Identifiable Information (PII) and cardholder data.

• Attackers shifted focus back to payment card from non-payment card.

eCommerce

• Accounted for 42% of all investigations in 2014.

• 64% of retail industry breaches were eCommerce.

• “Password1” was still the most commonly used password.

Mobile Apps

• 95% of mobile applications are vulnerable.

• 35% of mobile apps had critical issues.

• 45% of mobile apps had high-risk issues.

• 6: Median number of vulnerabilities per mobile app.

SOURCE: 2015 TrustWave Global Security Report.

Page 10:

POS Malware Poses an Insidious Threat


• POS malware is extremely lucrative for criminals and extraordinarily difficult to detect.

• In 60% of cases, attackers are able to compromise an organization within minutes.

• POS breaches account for nearly one-third of all types of breaches.

Nine Main Types of Breaches

SOURCE: Verizon 2015 Data Breach Investigations Report.

Page 11:

Data Protection is Top of Mind for Today’s Executives


Benefits of Data Protection

• Preserve Stakeholder Value: Avoid Costs Due to Remediation and a Negative Brand Image.

• Secure POS Systems: Protect Your Customers’ Data During and After the Transaction Process.

• End-to-End Protection: Minimal Operation and Systems Impact.

Page 12:

Or is it?

Page 13:

Really Guys? </Cartman>

Oxford University and the UK’s Centre for the Protection of the National Infrastructure survey results:

“Concern for cybersecurity was significantly lower among managers inside the C-suite than among managers outside it.”

Winnefeld Jr, P. A. S., Kirchhoff, C., & Upton, D. M. (2015). Cybersecurity's human factor: Lessons from the pentagon. Harvard Business Review, 93(9), 87-95.

Page 14:

So how does EMV help?

NTX ISSA Cyber Security Conference – October 2-3, 2015

Page 15:

EMV Highlights

• Widely adopted 1990s technology

• Designed to facilitate offline transactions & minimize card-present fraud (over time)

• The US implemented a Chip & Choice version (not exclusively Chip & PIN)

• PIN transactions will occur, but likely remain debit-focused

• Most will do Chip & Sign, or just Chip

• Modern implementations are surprisingly effective

Page 16:

Fraud in the UK

Figures from Fraud the Facts, 2015. UK Payments Administration.

Page 17:

Fraud in the UK

Figures from Fraud the Facts, 2015. UK Payments Administration.

Page 18:

Targets will change

• Fraudsters will move away from magstripe to focus on card-not-present, and other types of attacks to gain funds

• But attack mechanisms have not changed much:

  • Malware

  • Vishing

  • Large-scale hacks

• What EMV considers routing data, we consider sensitive data:

  • Vishers may not call to ask for PIN, but instead CVV2

  • Some merchants may accept transactions without CVV2

Page 19:

What does this mean for online retail?

• Online merchants traditionally do not want to get in the way of a transaction:

  • First iteration of 3DSecure was awful

  • Merchants hate it due to abandoned carts

  • Rather take the risk on a transaction

• Think about how IT works today vs. ten years ago…

Page 20:

Chargeback Process

Image from Willows Consulting

Page 21:

Who should deploy EMV?

• Card present merchants with high chargeback rates

  • Especially those that sell gift cards!

• Where will fraud shift in the CNP space?

  • Digital Goods

  • High value items

  • Anything that can be easily fenced or converted to cash

Page 22:

What’s Next?

• Pervasiveness of technology expands attack surface

• Where are payments moving?

  • Mobile (expected to eclipse PCs for CNP transactions in 2015)

  • Platforms with users explore financial exchange (Twitter, Facebook)

• What is attractive for criminals?

  • Any of the e-wallet options such as Samsung Pay or Apple Pay

  • Pre-paid cards (targets the under-banked)

  • Weakly secured accounts

Page 23:

A few thoughts about how payments can morph…

Page 24:

Questions / Discussion

Dr. Branden Williams

@BrandenWilliams

http://www.brandenwilliams.com/

Page 25:

The Collin College Engineering Department

Collin College Student Chapter of the North Texas ISSA

North Texas ISSA (Information Systems Security Association)


Thank you