Visa Inc' - PowerPoint PPT Presentation

1 / 19
About This Presentation
Title:

Visa Inc'

Description:

Concerns permeate all facets of their financial life and could impact their ... Cardholders say they don't worry too much. ... 'Flying Dove' hologram ... – PowerPoint PPT presentation

Number of Views:434
Avg rating:3.0/5.0
Slides: 20
Provided by: maineme
Category:
Tags: hologram | inc | visa

less

Transcript and Presenter's Notes

Title: Visa Inc'


1
Cardholder Data Security and Fraud Prevention
  • Visa Inc.
  • September 9, 2008

2
Security A Customer POV
1.
Cardholder awareness of security issues at
record high levels. Concerns permeate all facets
of their financial life and could impact their
spending at the checkout line. Maintaining
consumer confidence in electronic payments is
mutually beneficial.
2.
3.
3
Cardholder Concerns
67 Worried
Cardholders will be more cautious how and where
they use their credit cards in the future.
29 Not Worried
Cardholders say they dont worry too much. They
will continue to use their credit cards as they
have in the past.
  • Based on Visa nationwide cardholder research
    June 20-21, 2005, n1,000

4
Importance of Data Security for Businesses
Damaged reputation to your brand
1.
Potential loss of consumer good will
2.
Financial liability for fraud/chargebacks
3.
4.
5.
Fines and penalties
Potential legal liability
5
Security Environment
  • Hackers are attacking
  • Brick-and-mortar merchants
  • Small businesses increasingly targeted
  • E-commerce merchants
  • Processors and Agents
  • Hackers are looking for
  • Software that stores sensitive cardholder data
  • Personal information to perpetrate identity theft
  • Track data, payment account numbers and PINs

6
Is Your Business a Target?
  • ASK YOURSELF
  • Is your POS terminal software based or is it
    connected to other computers or devices?
  • Do you have multiple systems connected with any
    having Internet access?
  • Do you have wireless access points?
  • Do you have an e-commerce component of your
    business?
  • Do you accept PIN debit (Interlink) transactions?
  • If you said yes to any of these questions, you
    may be a target for data thieves.
  • If no, you still may be the victim of a criminal
    trying to use a fraudulent card in your store.

7
What the Data Criminals are After
Important, sensitive information is stored on the
cards magnetic stripe and Cardholder PINs
If this information is compromised, it can enable
criminals to counterfeit cards and/or use the
cards fraudulently online.
8
Protecting
Cardholder Data
9
How Businesses Can Protect Cardholder Data
Dont Store It If You Dont Need It!
1.
  • Know exactly what you NEED to store and store
    ONLY that. Most businesses dont need to store
    any payment card data.
  • Know what your POS application is storing, if
    anything.
  • Know what your vendors are storing.
  • NEVER store Track I or Track II data.
  • NEVER store PIN data.

2.
3.
4.
5.
10
How Businesses Can Protect Cardholder Data
1.
  • Know what payment application(s) you use and
    make sure they are not storing inappropriate
    data.
  • Determine if payment application vendors or
    other parties have remote access to your systems
    and ensure secure methods of access are used.
  • Be aware of how the Payment Card Industry Data
    Security Standard (PCI DSS) and PCI PIN Security
    Requirements apply to you.

2.
3.
11
PCI Data Security Standard
12
Merchant Compliance Validation
12
13
PCI PIN Security Requirements
  • Established by Visa in 1995 for the secure
    protection of PINs accepted at POS PIN Entry
    Devices (PEDs) and ATMs
  • Requires the use of secure lab-evaluated POS
    PEDs
  • Requires compliance for all aspects of secure
    key management
  • Requires the use of Triple-DES at all POS PEDs
    by July 1, 2010

7/1/2010
1/1/2009
10/1/2007
1/1/2004
All newly purchased attended POS PEDs must be
evaluated by a Visa-recognized laboratory,
approved by Visa (pre-PCI) and be TDES-capable
All POS PEDs must be using TDES. All attended POS
PEDs must be pre-PCI or PCI approved
Newly deployed US AFDs must have a PCI approved
EPP
All newly deployed unattended POS PEDs must have
a PCI approved EPP (excludes US AFDs)
14
Top 7 PCI DSS and PCI PIN Violations
  • Based on compromises of cardholder data, Visa
    has found the following common issues
  • Vulnerable payment applications (e.g.,
    inappropriate storage of full track, CVV2 and PIN
    data, insecure remote access)
  • Inadequate perimeter security (e.g., improperly
    managed firewall)
  • Out of date system security patches
  • Vendor default settings and passwords (e.g.,
    unsecured wireless)
  • Poorly coded web-facing applications resulting in
    SQL injection
  • Poor cryptographic key management used for PIN
    encryption
  • Use of vulnerable POS PIN entry devices

15
Preventing
Payment Card Fraud
16
Merchant Fraud Prevention
At the checkout line
Match receipt with card
Liability
  • Look at the card
  • Flying Dove hologram
  • The name, account number and signature on the
    receipt should match the card.
  • Merchants can ask for identification, but may not
    make providing it a condition of the sale.
  • In face-to-face transactions, merchants are not
    liable for fraud when the transaction is properly
    authorized, which includes getting an electronic
    authorization. This represents the vast majority
    of Visa transactions.

17
Merchant Fraud Prevention
For Internet/Catalog Sales
Authenticate the Cardholder
Authenticate the Card
Liability
  • CVV2
  • The three-digit code printed on the signature
    panel, helps internet merchants verify their
    customers have the actual card in their
    possession.
  • Liability
  • Merchants may be liable for card not present
    fraud.
  • Address Verification Service
  • A fraud prevention system that allows merchants
    to compare the billing address of the purchaser
    with the billing address on file with the card
    issuing financial institution.
  • Verified by Visa
  • A cardholder authentication service, to help
    online merchants reduce fraud. Participating
    merchants are not liable for certain fraudulent
    transactions that make up roughly 70 of online
    fraud.
  • For more information visit www.visa.com/verifiedm
    erchants

CVV2
18
Merchant Fraud Prevention
Employee Fraud Skimming / PED Tampering
  • Skimming is an illegal act that helps criminals
    obtain card account information to produce
    counterfeit cards.
  • Typically, someone in the workplace uses a small
    device to steal information from a cards
    magnetic stripe. That information is put onto a
    counterfeit card and used to make fraudulent
    purchases.
  • Skimming devices are small, portable not much
    bigger than a pager or cell phone.
  • Vulnerable POS PEDs are being modified to capture
    track and PINs See November 2007 Security Alert
    on www.visa.com/cisp
  • Visa will pay a reward of up to 1,000 for
    information leading to the arrest and conviction
    of anyone involved in the manufacture or use of
    counterfeit cards.

19
For More Information
  • Contact your acquiring institution

Visit www.visa.com/CISP www.visa.com/PIN
Visit www.visa.com/usmerchant
Write a Comment
User Comments (0)
About PowerShow.com