PCI Security Best Practices and Payment Trends By Lisa Fennell & Randy Schroder, NISC


Page 1

PCI Security Best Practices and Payment Trends

By Lisa Fennell & Randy Schroder, NISC

Page 2

Objectives

• Discover the methods hackers are using to steal your credit card data
• Review the Payment Card Industry Data Security Standard (PCI DSS)
• Discuss security best practices for payment processing to reduce risk
• Take a look at some of the latest trends in payment solutions

Page 3

Page 4

Page 5

Page 6

What we think we look like TO AN ATTACKER…

Page 7

• services (web/mail/DNS)
• web applications (Java, PHP, .NET)
• employees

What we REALLY look like TO AN ATTACKER…

Page 8

Data Compromise - internal

Statistics

• $50 Billion stolen annually from U.S. businesses by employees

• 7% of annual revenues lost to theft or fraud

• 75% of employees have stolen at least once from their employer

• 37.5% of employees have stolen at least twice from their employer

• 33% of all business bankruptcies caused by employee theft

Page 9

Data Compromise - Internal

Employee Access

• In 2007 an employee (Database Administrator) of FIS subsidiary Certegy Check Services stole 3.2 million customer records including credit card, banking and personal information.

• Another means a dishonest employee can steal a customer's card is through use of a small, battery-operated "card skimmer." This hand-held device reads a card's magnetic stripe and records the cardholder data for later download to a computer. From there, the numbers can be used to make unauthorized purchases or create counterfeit cards.

Page 10

Data Compromise - External

External Vulnerabilities

• Firewall and Wireless network security

• Point of Sale system compromises

• Data decryption point and data storage

• Network communications sniffers

• Malware (Trojan Viruses)

• Social Engineering (Phishing)

Page 11

Data Compromise - External

Firewall

• Capital One announced a massive data breach on July 29, 2019 reporting that a hacker accessed the information of over 100 million Americans and 6 million Canadians who have applied for credit cards since 2005.

• The breach took advantage of a misconfigured firewall to access the bank’s credit card customer data.

Page 12

Data Compromise - External

Wireless

• In 2007, thieves used retailer TJX’s wireless networks to access systems that were used to store payment transactions at stores across the country for more than 45 million customer credit and debit cards.

Page 13

Data Compromise - External

Card Terminals

• Older magnetic-stripe POS systems that haven’t been upgraded to chip-and-PIN are still vulnerable to malware.

• Deep insert skimmers are different from typical insert skimmers because they are hidden within the card reader transport.

Page 14

Skimmers found at Walmart

An overlay skimmer made to be fitted to an Ingenico credit card terminal has a PIN pad overlay to capture the user’s PIN, and a mechanism for recording the data stored on a card’s magnetic stripe when customers swipe their cards at self-checkout aisles.

*Image provided by Brian Krebs of krebsonsecurity.com

Page 15

Skimmers found at Walmart

• Here’s how this overlay skimmer looks when it’s attached.

• Think you’d be able to spot it?

*Image provided by Brian Krebs of krebsonsecurity.com

Page 16

Data Compromise - External

Point of Sale

• Home Depot had 56 million credit and debit cards stolen in 2014, costing the company $63 million.

• Hackers used a vendor's stolen log-on credentials to penetrate Home Depot's computer network and install custom-built malware on self-checkout registers that stole customer payment-card data and e-mail addresses.

Page 17

Data Compromise - External

Data Decryption

• Target had 40 million credit and debit cards stolen in 2013 when hackers compromised Target’s environment where card data was decrypted. Hackers used a vendor's sign-in credentials to install malicious software.

• Millions of the card accounts stolen were for sale on the black market, going from $20 to more than $100 per card.

Page 18

Data Compromise - External

Network Sniffers

• In 2008, Heartland Payment Systems had the then largest-ever data breach of 130 million credit cards stolen

• The breach occurred when criminal hackers managed to sneak malware onto Heartland's network that sniffed card data that was processed and stored

Page 19

Data Compromise - External

Malware/Viruses

• In 2013, visitors to NBC.com affiliated websites were infected by a Citadel malware trojan virus through an Ad Banner from a third-party company

• Once injected, it seeks to capture personal information, including banking credentials

• The Citadel virus was only picked up by 3 out of 46 scanners (Fortinet, Panda and Rising), so it was very effective at eluding detection

• This virus invades computers through vulnerabilities in PDF and Java software

• To avoid being a victim, you should use the latest versions of Java or Adobe PDF

Page 20

Data Compromise: Social Engineering

• Verizon Data Breach Report

• Cybercriminals increasingly using social engineering and phishing attacks to steal account credentials

• Stolen credentials used in 4 out of 5 breaches

• Attackers not creating new accounts

• Using accounts already there

• They’ve broken passwords and can hide out in regular traffic

Page 21

The scope of PCI

• Major payment card companies formed the PCI Council
• Requirements are not a law - industry self-regulated
• Acquirer (i.e. Fiserv) is the authority for SAQ selection
  • Merchants are contractually obligated to the Acquirer to maintain compliance
• Mission is to protect card data and limit scope and risk

Page 22

PCISecurityStandards.org

Page 23

The scope of PCI

The primary account number (PAN) is the defining factor for cardholder data. Cardholder Data also includes Cardholder Name, Expiration Date, and Service Code when combined with PAN.

Page 24

The scope of PCI

Sensitive Authentication Data covers additional data elements that may be transmitted or processed (but not stored):

• Mag-stripe or chip data
• CAV2/CVC2/CVV2/CID
• PINs/PIN blocks

Page 25

PCI-DSS Requirements

Page 26

Who does it apply to?

"PCI DSS applies to all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD)." (Emphasis PCI Council)

Payment Card Industry (PCI) Data Security Standard

Page 27

Merchant Penalties for Non-compliance

• Merchant categories:
  • Level 3 Merchants are over 20,000 e-transactions
  • Level 4 Merchants are under 20,000 e-transactions
• Credit card penalties for PCI non-compliance:

Visa Monthly Fines (only level 3):
• $5,000 for months 1-3
• $25,000 for months 4-6
• $50,000 for months 7 & beyond

MasterCard Monthly Fines (only level 3):
• 1st year: $10,000
• 2nd year: $20,000
• 3rd year: $40,000
• 4th year: $80,000

Fiserv Monthly Fines (both level 3 and level 4):
• $19.95 per MID

Page 28

Path to PCI Compliance

NISC has developed a Centralized Payment Gateway to transmit credit card data to First Data and is a level 1 service provider audited annually by Trustwave

Page 29

Encryption and Tokenization

• Fiserv’s TransArmor solution replaces the Primary Account Number (PAN) with a “token”
• Combines encryption and tokenization to protect data
• Fiserv warrants the token against compromise and fraudulent use
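The following Python sketch is an added example, not code from the slides, NISC, Fiserv or the TransArmor product. It ties together two points from the deck: the data classes on the "scope of PCI" slides (PAN is the defining element of cardholder data, and sensitive authentication data such as CVV2, track data and PIN blocks may be processed but never stored) and the token-in-place-of-PAN idea on this slide. The field names, the vault design, the HMAC index and the test card numbers (4111111111111111 and 5555555555554444 are industry test numbers, not real accounts) are all assumptions constructed for the example; a production vault would also encrypt its PAN store at rest, which is out of scope here.

```python
"""Constructed illustration of PCI cardholder-data handling and PAN tokenization.
Not NISC/Fiserv/TransArmor code; every name and value here is an assumption."""
import hashlib
import hmac
import secrets

# Sensitive Authentication Data (SAD) per the slides: may be transmitted or
# processed during authorization, but must never be persisted.
SAD_FIELDS = {"track_data", "chip_data", "cvv2", "cvc2", "cav2", "cid", "pin", "pin_block"}


def luhn_ok(digits: str) -> bool:
    """Mod-10 (Luhn) check that every real PAN passes; used to recognise PANs."""
    if not digits.isdigit() or len(digits) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display masking: PCI DSS v3.2.1 req. 3.3 permits at most the first six
    and last four digits of a PAN to be shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scrub_for_storage(record: dict) -> dict:
    """Gate applied before a record is written anywhere (log, CRM table, ticket):
    refuse SAD outright and keep only a masked PAN."""
    found_sad = SAD_FIELDS.intersection(record)
    if found_sad:
        raise ValueError(f"refusing to store sensitive authentication data: {sorted(found_sad)}")
    out = dict(record)
    if "pan" in out:
        if not luhn_ok(out["pan"]):
            raise ValueError("pan field does not look like a card number")
        out["pan"] = mask_pan(out["pan"])
    return out


class TokenVault:
    """Stand-in for a tokenization service. The merchant keeps only the token;
    the PAN lives here, inside the provider's PCI scope. (Assumption: a real
    vault encrypts _pan_by_token at rest; that layer is omitted here.)"""

    def __init__(self, index_key: bytes):
        self._index_key = index_key
        self._pan_by_token = {}    # token -> PAN
        self._token_by_index = {}  # HMAC(PAN) -> token, so the index holds no PANs

    def _index(self, pan: str) -> str:
        # Keyed hash: lets the same card map to the same token without storing
        # the PAN or an unkeyed (guessable) hash of it in the lookup index.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not luhn_ok(pan):
            raise ValueError("not a valid PAN")
        idx = self._index(pan)
        if idx in self._token_by_index:      # same card -> same token
            return self._token_by_index[idx]
        while True:
            # Format-preserving token: same length, same last four digits for
            # receipts, random leading digits, and deliberately failing Luhn
            # so it can never be mistaken for (or used as) a real card number.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if not luhn_ok(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_index[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (not the merchant) can turn a token back into a PAN."""
        return self._pan_by_token[token]


if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32))
    # Constructed authorization request as it might arrive at the gateway.
    auth = {"pan": "4111111111111111", "cvv2": "123", "name": "Test Customer"}
    token = vault.tokenize(auth["pan"])
    merchant_record = scrub_for_storage({"pan": auth["pan"], "name": auth["name"]})
    merchant_record["token"] = token   # what the merchant is allowed to keep
    print(merchant_record)
```

The merchant-side record ends up holding a masked PAN and a token, while any attempt to persist the CVV2 from the authorization request is rejected by `scrub_for_storage`; only the vault can map the token back to the card.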

Page 30

What are my options?

Determine which Self-Assessment Questionnaire (SAQ) applies:

• SAQ A: e-Commerce only as Customer Self-Service (SmartHub web/mobile, Pay Now and/or IVR SecurePay)
• SAQ B or B-IP: Card Terminals (Verifone) – only if no e-Commerce
• SAQ C-VT: PC-based Virtual Terminals – only if no e-Commerce
• SAQ D: e-Commerce + Card Terminals (Verifone) and/or PC-based Virtual Terminals

Note: PCI compliance rules only apply to your employees and equipment handling cards, not to customers’ equipment.

Page 31

Fiserv® Clover® Security Solution

• Easy-to-use online tool helps merchants quickly and easily achieve and maintain PCI DSS compliance
• Includes network scanning for merchants for quarterly scans

Page 32

How does NISC help members with this?

• NISC has a CyberSecurity team for PCI assistance
• Subscribe to the NISC Community Cybersecurity and Payment spaces
• NISC’s PCI Toolkit provides clear direction and relevant downloads

Page 33

NISC’s five-tier Cybersecurity Services arsenal

Page 34

NISC’s CyberSecurity Educational Kit

NISC has developed a free tool kit available to Members which includes educational animations, social media options and other marketing materials such as bill inserts to help share the message of cyber security awareness.

Page 35

NISC Payment Options for Customers

SmartHub Web or Mobile App

CallCapture Secure Payments IVR*

Pay Now Website (no registration required)

Auto-Pay Recurring Payments

Page 36

NISC Payment Options for Employees

iVUE Cash Register with Verifone device*

One time payments can be keyed, swiped or contactless on Verifone

New iVUE Connect Cashier Persona with Verifone Device*

Signing up for auto-pay is available

*No Network Isolation of PC required since card data is encrypted on Verifone card terminal and does not pass through PC

Page 37

iVUE Connect or Cash Register with Verifone

Verifone MX925 and P200Plus

• EMV and Contactless Compliant

Page 38

Front Counter with Glass using two Verifones

Page 39

PCI & EMV - What’s the difference?

"PCI DSS provides a baseline of technical and operational requirements designed to protect account data."

Payment Card Industry (PCI) Data Security Standard, v3.2.1: https://www.pcisecuritystandards.org/document_library

"EMV® Chip Specifications describe the requirements...to enable secure contact and contactless transactions…"

EMV Payment Acceptance: https://www.emvco.com/about/overview/

Page 40

Verifone’s VHQ web tool

VHQ is Verifone’s solution for monitoring/managing the devices

• Any software updates will be pushed from VHQ

Page 41

Auto-Pay File Upload

Auto-pay file card numbers are tokenized in iVUE and not in PCI scope

Page 42

Mobile Devices

Future integration of AppSuite with Verifone card terminal

• Keeps phone or tablet out of PCI scope

• Secure encrypted transmission of card data

Page 43

Prepaid Billing Solution

Easy and Convenient

Increased control over energy costs

Smaller, incremental payments

Avoid security deposit

Appealing to all income brackets and age levels

Page 44

Page 45

NISC’s Prepaid Customers in 37 states

• 245 Live

• 36 in Progress or Scheduled

Page 46

NISC’s Prepaid Customers

Page 47

Payment Considerations for Prepaid

Typical customer pays 4 – 5 times per month

Payments must be convenient, 24/7 access

Higher percentage of unbanked customers

Consider credit card fees (4 times normal)

Consider the number of NSF checks for check payments

Payment arrangements are % based

Page 48

US Payments Kiosks

• Indoor, Outdoor, and Through-the-wall models.

• Cash, check or charge payments.

• For more information please contact:

Tyler Bush, USP

[email protected]

Ph: 918-728-3822

Page 49

MoneyGram real-time Payment interface

• Real-time cash payment interface for utilities at Walmart, CVS Pharmacy, and many other retail outlets.

• No setup or monthly costs to the utility

• Customer charged a $1.50 fee

Page 50

Fidelity Express real-time Payment interface

• Fidelity Express real-time cash payment solution available at many “mom and pop” stores in 18 states.

• $2,500 setup fee from NISC.

• Customer fee is negotiated with FE (typically $1.50)

Page 51

Western Union real-time Payment interface

• Western Union real-time cash payment solution at Walgreens and many other stores.

• No setup or monthly costs to the utility

• Customer pays $1.50 fee

• Online Locator select -“Quick Collect”

NISC Confidential

Page 52

Online Bill Payment Services

A customer can enroll on their bill payment service for viewing their bill, or can simply pay it without enrolling

Page 53

Online Bill Payment Services

• Enrolled customers can see the PDF image of their bill and make payments

• Funds are deposited to utility’s account within 24 hours.

• Exception Handling for Rejects and Returns

Page 54

Incomm/Cashtie future option in 2020

• “Vanilla Direct” will provide a real-time cash payment solution at Dollar General, Family Dollar, CVS Pharmacy and others.

• Barcode Integration with SmartHub Web & Mobile and AMS bill print.

Page 55

Barcode Delivery Methods

55 CONFIDENTIAL AND PROPRIETARY

• Bill Statements
• Prepaid Card
• SmartHub Mobile
• SmartHub Web

Page 56