The Unique Alternative to the Big Four®
Audit | Tax | Advisory | Risk | Performance
Payment Card Industry (PCI) and Security
Crowe Horwath LLP
Anatomy of Recent Card Breaches
© 2010 Crowe Horwath LLP
Presentation Objectives
Provide insight into possible or likely root causes behind public cases of card data breaches
Discuss how specific PCI violations contributed to or prolonged the fraud
Discuss technical and non-technical measures to decrease the risk and impact of card fraud
Provide suggestions on how to make your organization a “hard target”
Root Cause Analysis
No Payment Card Industry (PCI)-compliant organization is known to have suffered a card-related data security breach
Not all the locations where cardholder data (CHD) resides were known or secured
Servers containing or providing CHD were configured with superfluous application programs and were not properly scoped and audited by a qualified security assessor (QSA)
Delays in arranging scans and assessments
Test and production servers and networks were not appropriately distinguished or separated
Due to weak encryption and poor access controls, wireless networks were electronically “pried open” to reveal private areas of the network which store CHD
Root Cause Analysis
Audit trails were not enabled to tie misconduct to a specific employee or consultant. The lack of audit trails hindered criminal investigations because it was not possible to tie an individual, time or time of day to the incursion.
A group user ID was used instead of a unique user ID.
Point-of-sale (POS) terminals were not physically and logically hardened to prevent surreptitious removal and insertion of a monitoring or sniffing device. The terminals were later returned to the retail locations, where they were used to capture PIN blocks.
What are some of the factors which increase the possibility of a successful fraud?
They are not just technical reasons!
Lack of policies
No antifraud program
Technology controls not driven by business process controls
Not learning from past industry frauds
PCI and Your Data and Information Security Policy
Required Elements
Approval
Annual Updating
Training
Policy Areas (diagram)
Vulnerability Management
Cardholder Centric
Document Destruction
Document Retention
CHD Suppression
Wireless Control
PED Management
PED Approval
Vendor Oversight
Contracts
Adequate Policies Deter Fraud
PCI Data Storage Tips
Locate all your CHD
CHD not located is CHD not secured
Don’t forget test and QA servers
Single-purpose devices are a must
Encrypt, encrypt, encrypt
Data at rest
Data in transit
Don’t forget log files of every sort
What about your ISP? What do they store?
Using PCI to Springboard Your Anti Fraud Program
Log File Integrity Check
Strong Authentication
Use Anti Fraud Controls
Leverage Physical Security
Fraud Deterrence
Point of Sale (POS) Fraud and PCI
Factors reducing POS risks
Hardened Terminals
Deployment Controls
Physical Security
Tamper Resilience
Web Application Review
Incident Response
Strong Encryption
Separate Test Environment
Separate Production Environment
Separation of Duties
Transactional Fraud Statistics: Counterfeit PIN Card Fraud
Chart: annual counts from 1996 to 2006 (vertical axis 0 to 300,000) for Block & Reissue Cards, Fraud Cards Reported, and Suspect Cards Identified
Source: Card Alert Fraud Manager
Key Components of a PCI Anti Fraud Program
PREVENTION
Tone at the Top
Value System / Code of Conduct
Positive Workplace Environment
Training/ Awareness
Whistleblower Program
Incident Response
Disciplinary Examples
DETERRENCE
Oversight
Risk Assessment
Internal Audit
Data Analysis
DETECTION
Monitoring
Computer Aided Tools
Loss Mitigation
Using PCI Controls to Prevent Phishing and Identity Theft
People, Process, Technology (diagram)
Technology: Data Analysis; Strong Authentication; Encryption; Adaptive Security Procedures and Counter Measures
People: Tone at the Top; Honest Ethical Culture; Staff Trained to Look for Red Flags
Process: Fraud Check-ups; Fraud Hotline; Defined Incident Handling Process; Risk Assessment – Check for Red Flags
Past Fraud Events Provide a Roadmap for Helping Clients Avoid Common PCI Compliance Pitfalls
Do not retain unneeded data. After authorization and settlement, very little CHD need remain for inquiry and adjustment purposes. Securely dispose of CHD.
CHD not located is CHD not secured. Perform a reliable inventory of all the servers, databases, test facilities, networks, paper records, and transaction and activity logs. Include all service providers and contractors in your search.
Don’t look for a silver bullet solution. There is no single product or service that can alleviate an enterprise’s PCI DSS compliance woes. Every business and every network is different, and PCI DSS controls must be tailored to the organization. There is no “one-size-fits-all” approach.
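The data storage tips and the inventory advice above both stress that CHD hides in places such as application and transaction logs. The following is an added example, not part of the presentation: a small Python scanner that finds Luhn-valid primary account numbers in log lines and masks them to the first six and last four digits. The PAN pattern (13 to 19 digits, optional single space or dash separators) and the sample log lines are constructed for this example.

```python
import re
from typing import List, Tuple

# Candidate PANs: 13-19 digits, optionally separated by single spaces or dashes.
# Constructed pattern for this example; tune it to your own log formats.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def _digits(match_text: str) -> str:
    return re.sub(r"[ -]", "", match_text)

def find_pans(line: str) -> List[str]:
    """Return Luhn-valid PAN candidates (digits only) found in one log line."""
    return [_digits(m.group(0)) for m in PAN_CANDIDATE.finditer(line)
            if luhn_valid(_digits(m.group(0)))]

def mask_pan(digits: str) -> str:
    """Keep first six and last four digits, the most PCI DSS permits to display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scrub_line(line: str) -> Tuple[str, int]:
    """Replace every Luhn-valid PAN in the line with its masked form; return (line, count)."""
    count = 0
    def repl(m):
        nonlocal count
        d = _digits(m.group(0))
        if luhn_valid(d):
            count += 1
            return mask_pan(d)
        return m.group(0)      # digit run that fails Luhn (order ids etc.) is left alone
    return PAN_CANDIDATE.sub(repl, line), count

def scan_log(lines: List[str]) -> List[Tuple[int, str]]:
    """Inventory hits as (line number, masked PAN) so the report itself holds no CHD."""
    return [(n, mask_pan(p)) for n, line in enumerate(lines, 1) for p in find_pans(line)]

# Constructed sample log lines using well-known test-card numbers, not real accounts.
SAMPLE_LOG = [
    "2010-03-01 12:00:01 auth ok pan=4111111111111111 amt=42.50",
    "2010-03-01 12:00:02 auth fail pan=5555 5555 5555 4444 amt=9.99",
    "2010-03-01 12:00:03 order id=1234567890123 amt=1.00",   # 13 digits, not Luhn-valid
]
```

Running scan_log over a real log directory gives the "where does CHD live" inventory the slide asks for, while scrub_line is the suppression step for logs that must be retained.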
Past Fraud Events Provide a Roadmap for Helping Clients Avoid Common PCI Compliance Pitfalls
Prevent data leaks. Identify all physical and logical points through which CHD enters and leaves your client’s organization. This will mean scrutinizing data reports, log files, servers, email and file transfers.
Develop specific policies for handling and securing all data, networks and physical records which contain or provide access to CHD.
Train staff to prevent data leaks, establishing a last line of defense that ensures sensitive information stays put.
Perform fraud check-ups.
What Could You Do if Your Fraud Check-Up Reveals Issues?
Increase Data Access Controls: Authentication; Encryption
Increase Data Analysis and Reaction Ability: Incident Response; Data Mining; Log File Analysis
Develop Anti Fraud Policy (Policies Deficient): Improve Code of Conduct; Create Conflicts of Interest; Create Fraud Hotlines; Oversight Committee
Regulatory and Legislative Responses to Fraud
Summary: Become a Hard Target
Look for the Red Fraud Flags
Systems Monitoring
Employee Training
React to the Flags of Fraud
Response Plan
New Product Fraud Reviews
Board or Management Approved Policy
Fraud Prevention Program Components
Employ Prevention Techniques
Annual – Independent Fraud Check-Up
Any Questions?
Contact Information
Bruce Sussman
973.422.7151
Crowe Horwath LLP