Preventing a Card Compromise: New Tools that Merchants Can Use to Help Protect Themselves Against Fraud
October 4, 2011
© Copyright 2011 Vantiv, LLC. All rights reserved. Vantiv, the Vantiv logo and all other Vantiv product or service names and logos are registered trademarks or trademarks of Vantiv, LLC in the USA and other countries. ® indicates USA registration.
Preventing a Card Compromise: New Tools to Help Protect Against Fraud
Executive Summary
Cybercriminals have historically focused on compromising cardholder data within large merchant databases. In response to being breached, merchants have recognized that establishing PCI DSS compliance is only the beginning of a much larger security plan that requires constant effort and resources. Beyond PCI DSS compliance, large merchants have also sought to reduce their risk by deploying emerging technologies such as encryption and tokenization. These increased efforts and newer technologies have resulted in cybercriminals shifting their focus toward attacking small to mid-size merchants where vulnerabilities may still exist. While all small to mid-size merchants are required to maintain PCI DSS compliance, many find the guidelines difficult to understand and tough to apply. Not knowing what steps to take may result in costly mistakes that still do not provide the baseline level of protection intended by PCI DSS compliance. To help small to mid-size merchants secure their networks, PCI DSS evaluation tools have been developed to easily assess current compliance status and make suggestions about how to get compliant. Every day, new and more sophisticated attacks are being developed, to the point that merchants need to take additional steps to protect their businesses. Small to mid-size merchants can also deploy encryption and tokenization technologies to eliminate card data from their systems and protect their business. While being compliant with PCI DSS guidelines reduces the risk of a data breach, it doesn’t guarantee that a breach won’t happen. Merchants can also obtain breach-protection services to reduce the financial burden associated with a breach.
Fraud Is a Never-Ending Burden, Shifting to Small and Mid-Size Merchants
Over the past 10 years, cybercriminals have consistently targeted their cyber attacks against large merchants, having successfully hacked a number of large cardholder databases. They have stolen large quantities of unprotected card numbers and made billions of dollars of fraudulent transactions. In response, large merchants have invested heavily in PCI DSS compliance and other preventive security measures, causing cybercriminals to change their strategy. They have turned their attention toward intercepting card numbers while transactions are being processed (in motion) through the retailer’s network. Several notable, large data breaches that have occurred in the past few years were the result of an organized assault by a multi-country hacker team that used sophisticated SQL injection attacks that installed sniffer programs to capture unencrypted card data traveling over the network on its way to the payment switch.[1]
1. End-to-End Encryption, Tokenization, and EMV in the US, Javelin Strategy & Research, 2010.
Merchants of all sizes, but most notably large merchants, have been forced to adopt new technologies designed to secure these vulnerable points. These investments, while successful, have cost billions of dollars to deploy. The National Retail Federation estimates that merchants spent more than $1 billion on PCI compliance in 2009 to protect cardholder data.[2] As large merchants have successfully deterred attacks, cybercriminals have turned their attention to small to mid-size retailers. A 2010 report by Verizon shows that the number of breach incidents is increasing and that more than 63% of reported data breaches occurred with businesses that have 100 or fewer employees.[3] That study cites, “Criminals may be making a classic risk vs. reward decision and opting to play it safe” in light of recent arrests and prosecutions following large-scale intrusions into financial services firms. Numerous smaller strikes on hotels, restaurants and retailers represent a lower-risk alternative, and cybercriminals may be taking greater advantage of that option.

Breach incidents by organization size (2011 Data Breach Investigations Report, Verizon, 2011):

# Employees        Incidents   Percentage
1-10                      46        6.10%
11-100                   436       57.40%
101-1,000                 74        9.70%
1,001-10,000              49        6.50%
10,001-100,000            59        7.80%
100,000+                  55        7.20%
Unknown                   40        5.30%
Total                    759      100%

Take Action to Evaluate Your PCI Compliance Status
Small to mid-size merchants typically spend less time and money on PCI compliance or other ways to secure cardholder data. The guidelines are extensive and can be difficult to understand and apply. While turning to an expert is an option, it can be expensive and time-consuming. The result is that security falls by the wayside and sets the merchant up as a prime target for cybercriminals. If breached, the financial and reputational impacts to the merchant can be extensive, compromising revenues and business continuity.
Merchants need a partner that can help answer the questions, “What does it mean to be PCI compliant? How can I tell if I am?” The good news is that easy-to-use, online tools are available to help you evaluate your current compliance status and offer guidance about how you can improve your network security. The tools typically:
• Evaluate your current PCI environment by asking you a series of questions
• Make security recommendations
• Help you identify where and how to deploy technology solutions
They also help you stay compliant by offering an annual evaluation that keeps you up to date as PCI guidelines change. These updates can provide you with valuable insights about where to focus your investments.
Investigate Emerging Technologies – They Could Make the Difference
Spending time and money to ensure that your business is PCI compliant does not mean that you are completely protected. Cybercriminals are relentless, constantly figuring out different ways to breach networks and obtain card data. They focus on weaknesses in POS and online payment applications, networks that handle transaction processing, and database storage systems. New technologies, such as end-to-end encryption (E2EE) and tokenization, help protect these susceptible transaction points.
2. http://www.nrf.com/modules.php?name=Pages&sp_id=1052 Accessed Dec. 22, 2009.
3. 2011 Data Breach Investigations Report, Verizon, 2011.
End-to-End Encryption
Typically, a customer’s payment card information is collected when the card is swiped at the POS. After a card has been swiped, the card information is then transported through a series of networks in order to obtain an authorization. Without E2EE, the information is typically in the clear and vulnerable to hackers as it moves through the network. E2EE technology is designed to encrypt the card data at the point of entry and protect it as it travels through the network. Here’s how E2EE works:
• At the time the card is swiped, or entered into an online payment application, the data is encrypted using algorithms to encode the cardholder number into a non-readable form, called ciphertext.
• The ciphertext, instead of the unencrypted card data, is then sent as part of the transaction to the processor, where it is decrypted and returned to its original form.
If the transmission is breached, the cybercriminals will only have access to encrypted card data, which is unusable without the decryption key. The encryption process helps protect the merchant by encrypting the card data within the authorization and approval transactions from the point of swipe until it is decrypted at an endpoint outside the merchant’s network.
Figure: 1 Card data is entered into terminal and encrypted; 2 Encrypted data is securely sent to processor; 3 Card data is decrypted and sent to the card networks.
While encryption is not required for PCI DSS compliance, the technology does provide a level of protection that goes beyond PCI DSS. Encryption may also reduce the level of effort required to achieve PCI DSS compliance by eliminating clear card data from the merchant’s network. As with most new technologies, E2EE has a tradeoff in that system components enabled to support encryption may be more expensive compared to equipment and applications that do not support encryption. The payback for these increased costs is the higher level of protection and reduced risk to both revenue and reputation if breached. When investigating E2EE technologies, merchants should work with a trusted payment provider that has performed the necessary due diligence required to successfully select and integrate encryption as a core service.
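The three-step flow in the figure above, written out as an added Go example. This is not Vantiv’s code or a description of any vendor’s terminal: the shared key, the AES-GCM envelope format (nonce, ciphertext, authentication tag) and the test card number 4111111111111111 are all constructed for illustration. It shows the two properties the text relies on: the bytes that cross the merchant’s network never contain the card number, and only the processor-side key recovers it, with any tampering in transit rejected rather than decrypted into a wrong number.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// terminalKey stands in for the key shared between the card terminal and the
// processor's decryption endpoint. CONSTRUCTED for this example: a real terminal
// has a unique key injected in a secure facility and never exposes it.
var terminalKey = []byte("example-terminal-key-32-bytes!!!")

// encryptAtSwipe is step 1: the terminal encrypts the card number before it
// leaves the device, so no merchant system ever handles cleartext. AES-GCM adds
// an authentication tag, so tampering in transit is detected at the processor.
// The returned envelope is nonce || ciphertext || tag.
func encryptAtSwipe(key []byte, pan string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends the ciphertext to nonce, so the nonce travels with the message.
	return gcm.Seal(nonce, nonce, []byte(pan), nil), nil
}

// decryptAtProcessor is step 3: the processor, outside the merchant's network,
// is the only party holding the key. A wrong key or a modified envelope yields
// an error, never a plausible-looking card number.
func decryptAtProcessor(key, envelope []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(envelope) < gcm.NonceSize() {
		return "", errors.New("envelope too short")
	}
	nonce, sealed := envelope[:gcm.NonceSize()], envelope[gcm.NonceSize():]
	pan, err := gcm.Open(nil, nonce, sealed, nil)
	if err != nil {
		return "", err
	}
	return string(pan), nil
}

// leaksPAN is the check a sniffer on the merchant's network (step 2) would in
// effect perform: is the card number present in the bytes on the wire?
func leaksPAN(wire []byte, pan string) bool {
	return bytes.Contains(wire, []byte(pan))
}

func main() {
	pan := "4111111111111111" // constructed test card number, not a live account
	envelope, err := encryptAtSwipe(terminalKey, pan)
	if err != nil {
		panic(err)
	}
	fmt.Printf("on the wire: %s\n", hex.EncodeToString(envelope))
	fmt.Printf("card number visible to a sniffer: %v\n", leaksPAN(envelope, pan))
	recovered, err := decryptAtProcessor(terminalKey, envelope)
	if err != nil {
		panic(err)
	}
	fmt.Printf("processor recovered: %s\n", recovered)
	// Flip one bit in transit: the processor rejects the message instead of
	// forwarding a corrupted card number to the networks.
	envelope[len(envelope)-1] ^= 0x01
	_, err = decryptAtProcessor(terminalKey, envelope)
	fmt.Printf("tampered message rejected: %v\n", err != nil)
}
```

The merchant side of this design holds no key at all, which is the point the text makes about reduced PCI DSS scope: equipment between the terminal and the processor only ever forwards an opaque envelope.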
Tokenization
Encrypting card data as it travels through the network provides a foundation for more secure transactions, but it’s not the only point of data vulnerability for a transaction. Cybercriminals also focus on breaching transaction databases and analytical systems where card number data may be stored post-authorization. For example, POS systems may store the card number for use during post-authorization transactions like return processing, business analytics or marketing efforts (such as loyalty programs). Tokenization technology provides a level of protection similar to encryption but without having to manage the keys necessary to encrypt and decrypt the ciphertext. Tokenization is designed to replace the real card number with a substitute reference value, or “token,” and reduce the merchant’s risk by keeping the actual card number out of the retailer’s data systems. Tokens, instead of ciphertext, better support post-authorization requirements like reporting without exposing sensitive card data. For small to mid-sized merchants, a tokenization solution is a secure and cost-effective means to support store operations while still removing card data from the network.
Here’s how a processor-based tokenization solution works:
• The card number (preferably encrypted) is used in the transaction.
• Once the transaction is authorized, the card data is sent to a secure system that generates the token and stores both the token and card number.
• To facilitate operations, the token typically maintains the last four digits of the card number.
• The token is returned to the merchant in the authorization response. Once returned, the token can be stored in the merchant’s business-management system.
• If breached, the token, like the encrypted ciphertext, is unusable by cybercriminals.
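The processor-side steps above, as an added Go example. It is not Vantiv’s code and does not describe any particular processor’s token format: the vault, the random-digit token that keeps the card’s last four digits, the Luhn-rejection rule and the test card number 4111111111111111 are constructed for illustration. It shows why a stolen copy of the merchant’s database yields nothing usable: the token carries no information about the card number, and the only mapping back to it lives in the vault at the processor.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// Vault is the processor-side "secure system" from the steps above. It is the
// only place where a token can be mapped back to a card number.
type Vault struct {
	tokenToPAN map[string]string
	panToToken map[string]string
}

func NewVault() *Vault {
	return &Vault{tokenToPAN: map[string]string{}, panToToken: map[string]string{}}
}

// luhnValid reports whether digits pass the Luhn check used by card numbers.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if d < 0 || d > 9 {
			return false
		}
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// randomDigits draws n decimal digits from crypto/rand, so a token reveals
// nothing about the card number it replaces.
func randomDigits(n int) (string, error) {
	var sb strings.Builder
	for i := 0; i < n; i++ {
		v, err := rand.Int(rand.Reader, big.NewInt(10))
		if err != nil {
			return "", err
		}
		sb.WriteByte(byte('0' + v.Int64()))
	}
	return sb.String(), nil
}

// Tokenize generates the token and stores both values, as in the steps above.
// The token keeps the card's last four digits (so receipts and refunds can be
// matched) and the card's length (so existing database columns fit), while
// every other digit is random. Design choice of this example, not taken from
// the white paper: a candidate that would itself pass the Luhn check is
// discarded, so a token can never be mistaken for a card number.
func (v *Vault) Tokenize(pan string) (string, error) {
	if len(pan) < 13 || len(pan) > 19 || !luhnValid(pan) {
		return "", errors.New("not a plausible card number")
	}
	if tok, ok := v.panToToken[pan]; ok {
		return tok, nil // same card, same token: repeat purchases stay linkable
	}
	lastFour := pan[len(pan)-4:]
	for attempt := 0; attempt < 100; attempt++ {
		prefix, err := randomDigits(len(pan) - 4)
		if err != nil {
			return "", err
		}
		tok := prefix + lastFour
		if luhnValid(tok) {
			continue
		}
		if _, taken := v.tokenToPAN[tok]; taken {
			continue
		}
		v.tokenToPAN[tok] = pan
		v.panToToken[pan] = tok
		return tok, nil
	}
	return "", errors.New("could not generate a unique token")
}

// Detokenize is the only road back to the card number. Because it lives at the
// processor, a stolen copy of the merchant's database yields tokens only.
func (v *Vault) Detokenize(tok string) (string, error) {
	pan, ok := v.tokenToPAN[tok]
	if !ok {
		return "", errors.New("unknown token")
	}
	return pan, nil
}

func main() {
	vault := NewVault()
	pan := "4111111111111111" // constructed test card number
	tok, err := vault.Tokenize(pan)
	if err != nil {
		panic(err)
	}
	// What the merchant's business-management system stores: the token only.
	merchantOrders := map[string]string{"order-1001": tok}
	fmt.Printf("card %s -> token %s (same last four: %v)\n", pan, tok, strings.HasSuffix(tok, pan[12:]))
	// A later refund: the merchant sends the stored token, the processor resolves it.
	recovered, err := vault.Detokenize(merchantOrders["order-1001"])
	fmt.Printf("processor resolves token to %s (err=%v)\n", recovered, err)
}
```

Returning the same token for the same card is what lets reporting, loyalty programs and return processing keep working on tokens alone, which is the post-authorization advantage of tokens over ciphertext that the text describes.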
Encryption & Tokenization
Like encryption, tokenization adds another layer of data protection that goes beyond PCI DSS while possibly making PCI DSS compliance easier to obtain. As you evaluate tokenization, consider not only that tokenization removes card data, but that it also limits the impact to other post-authorization business processes. Again, be sure to work with a trusted payment provider that has done the necessary due diligence to evaluate solutions on your behalf, and adopt a tokenization solution that works with your card processor.
Despite Your Best Efforts, Breaches Do Occur
In spite of your best efforts, card data breaches do occur. When they do, you are required to report them to the networks and to the appropriate authorities. An often time-consuming and expensive forensics investigation will ensue to validate the breach and determine the extent of the compromise. If the investigation finds there was a breach, network fines, PCI compliance fines and card costs may be levied. The total financial impact on your business can be extreme, creating the risk of putting you out of business. Royal Group Services (RGS) reports that the cost of the forensics analysis can be anywhere from $8,000 to $20,000.[4] The network and card association fines can run from $3 to $10 per card for replacement costs and $5,000 to $50,000 or more in network compliance fines.[5] And the remediation expenses can be three times the actual theft. LexisNexis released a study that measured the “true cost of fraud,” finding that for every $1 in fraud loss that a merchant incurs, their actual fraud loss is $3, as they bear the additional costs associated with chargeback fees, interest and replacement merchandise charges.[6] The reputational impact also contributes to the risk of losing your business. Any publicity about the breach could cost you customers and revenue. A survey by Javelin Strategy & Research showed that 43% of consumers avoided certain merchants after they became victims of fraud, and 31% of them admitted to spending less money at the same merchant if they continued their relationships.[7] You can protect yourself from some of these costs if your processor offers a program that mitigates the financial impact of a breach and helps you protect your business. A good program helps limit your financial obligation for forensic and investigative expenses as well as network fines and assessments.
Conclusion
Cybercriminals are continuously figuring out new ways to steal card data. All merchants need to follow PCI DSS compliance guidelines to secure cardholder data. Many small to mid-size businesses have not made the investments needed to be PCI DSS compliant because it is difficult for small retailers focused on their core business functions to understand. Even if a small business has worked hard to be PCI compliant, that doesn’t guarantee that a breach won’t occur, but there are still ways to further protect your company. So, don’t stop at being PCI DSS compliant. New emerging technology options are available that address data while it is being processed in the network and while it is at rest in business systems. Start with encryption, which adds additional security to cardholder data within the transaction. Then add tokenization to further enhance the security of card data stored in databases. Finally, look into a breach-protection program that helps limit your financial obligation for forensic and investigative expenses and reduces your liability to your processor and/or acquirer in the event of a breach.
Consider Vantiv Secure: a suite of security products designed for small to mid-size merchants that includes PCI Assist, Encryption, Tokenization and Breach Assist protection. Vantiv Secure addresses many of the fraud-mitigation challenges that you face and can help you:
• Protect your business – PCI Assist gives you access to easily understandable PCI compliance information that can help you deploy solutions where you need them, and lead you down the path to PCI compliance validation
• Protect your customers – E2EE and Tokenization technologies help secure your transaction data through the network
• Protect your peace of mind – when breaches occur, turn to Breach Assist to help you reduce certain breach-related expenses
It’s our core business to be payment experts. Concentrate on your core business while we concentrate on supporting solutions that can help you protect your business. Learn more about how you can protect your customers and your business with Vantiv Secure. Visit us online at www.vantiv.com or contact your relationship manager or sales executive today.
4. The Real Cost of Data Breach, John Halsey, Royal Group Services. http://www.pcicomplianceguide.org/merchants-20090416-cost-data-breach.php
5. The Real Cost of Data Breach, John Halsey, Royal Group Services. http://www.pcicomplianceguide.org/merchants-20090416-cost-data-breach.php
6. 2010 LexisNexis True Cost of Fraud Study, Javelin Strategy & Research.
7. End-to-End Encryption, Tokenization, and EMV in the US, Javelin Strategy & Research, 2010.