Reducing Payment Systems Risks in the Retail Delivery Channel

About This Presentation
Title:

Reducing Payment Systems Risks in the Retail Delivery Channel

Description:

Reducing Payment Systems Risks in the Retail Delivery Channel. NYS Society Of CPAs, Technology Assurance Committee, July 20, 2004. Presentation Objectives: Assist ...

Slides: 83
Provided by: NYCEAss
Learn more at: https://www.nysscpa.org

Transcript and Presenter's Notes

Title: Reducing Payment Systems Risks in the Retail Delivery Channel


1
Reducing Payment Systems Risks in the Retail
Delivery Channel
  • NYS Society Of CPAs
  • Technology Assurance Committee
  • July 20, 2004

2
Presentation Objectives
  • Assist Auditors who have Retail and Data
    Processing Clients by:
  • Identifying dynamic payment methods and channels.
  • Reviewing risks and mitigation techniques.
  • Discussing secure payment options for the
    virtual or web delivery channel.

3
Point of Sale Crimes
  • External
  • Domestic individuals / gangs.
  • Global individuals / gangs (organized crime
    type).
  • Attacks can be physical or logical.
  • Published threats of physical attacks available.

4
Point of Sale Crimes (contd)
  • Internal
  • Disgruntled employees / highly trusted
    individuals.
  • Attack can be physical or logical access.
  • Published fraud not readily available.

5
Retail Payment Delivery Channels and Methods
  • ATM Networks: Debit and Check Cards.
  • Credit Cards branded by MC, VISA, Discover, Amex.
  • Third Party Processors.
  • ACH Networks.
  • Electronic Check Truncation.
  • Web Based Methods.

6
Key Point
  • Retailers are almost always sponsored into a
    payment network.
  • Retailers should check their liability to the
    sponsor, regarding network rules compliance.
  • The sponsor may hold the retailer liable for
    losses or breach of required security procedures.
  • Check your contract !

7
How Is Each Method Different?
  • ATM cards can be used with a PIN.
  • PIN-based allows real time authorization.
  • Same day settlement/no float.
  • Secure.
  • Preferred by merchants due to lower cost.
  • Authorization time can be slower.

8
Check Cards
  • ATM cards can be authorized with a PIN or
    signature.
  • ATM cards often branded with a NYCE, Star and/or
    MasterCard or VISA logo.
  • When authorized with a signature, authorization
    and settlement are batch based.
  • Check cards are prone to high fraud rates vs. ATM
    only cards.

9
Check Cards (contd)
  • At their zenith of popularity.
  • Usage will flatten due to MC/VISA loss in class
    action anti-trust suit.
  • Retailers must obtain electronic authorization.
  • Follow floor limit rules.
  • Follow CVC/CVV counterfeit card protections.

10
Check Cards (contd)
  • Hot carding procedures essential.
  • Fraud Risk/Velocity check essential.
  • Not a good idea for internet or MOTO
    transactions.
  • Banks love them due to high interchange.

11
Check Cards (contd)
  • Retailers win the Walmart anti-trust suit.
  • After 1/1/04, retailers need not accept them.
  • Learn more about fraud management by obtaining
    Visa's Check Card Risk Management Overview (doc
    V10524-0698) and Check Card Card Risk Management
    Brochure.
  • MasterCard has similar documents.

12
Third Party Processors and ACH Networks
  • 3rd Party Processors provide data processing,
    settlement and authorization services to
    retailers.
  • Automated Clearinghouse Services (ACH) provide
    settlement services for the retailer and their
    processor.
  • Check cards present a higher risk due to
    chargebacks and delayed settlement.

13
Check Truncation
  • Electronic capture, transmission and
    authorization of physical checks.
  • Faster authorization.
  • Less float and credit risk.

14
POS Debit Crime - External
  • Skimming
  • Magnetic card reader device (about the size of a
    Palm Pilot or a duplicate POS device).
  • Debit card is swiped through the skimmer as
    well as the legitimate POS device.
  • Card data is collected from the magnetic strip of
    the card.
  • Make bogus cards from collected data and make
    purchases from victims' accounts.

15
POS Crime External (contd)
  • Skimming
  • Device attached to a legitimate ATM.
  • Captures card data.
  • Camera records customer entering PIN or thief
    obtains PIN by shoulder surfing.
  • Make bogus cards from captured data.
  • Create false deposits to inflate account balance.
  • Make withdrawal.

16
Industry Trends Driving Risk
  • Merchants prefer PIN-based debit.
  • Accepting PINs saves merchants money, BUT
  • PIN-based debit means merchants assume risk of
    data loss or theft, if they fail to observe card
    association and network rules.

17
Industry Trends Driving Risk (contd)
  • Increased network security requirements.
  • FTC adopts Banking Privacy Rules (GLBA).
  • More sophisticated card skimming.
  • Retailers begin deploying ATMs in their stores.

18
Industry Trends Driving Risk (contd)
  • Exploding PIN-based volumes.
  • Check card volumes almost equal credit card
    volume.
  • Retailers win Anti-trust suit.
  • Retailers enter the web delivery channel.
  • FTC successfully sues retailer for privacy
    violations.

19
Industry Trends Driving Risk (contd)
  • Expensive, security driven technology changes:
  • New Encryption Algorithms.
  • New Fraud Checking (CVC2).
  • Wireless Technology at the check out lane.
  • Loyalty Cards create more data storage of
    non-public cardholder data.

20
Card Association Network Requirements
  • VISA Cardholder Information Security Program
    (CISP).
  • ATM Networks require compliance with PIN Security
    Rules.
  • Retailers need financial institution sponsors to
    accept debit.

21
Implications
  • Retailers will need expertise in:
  • Card Technology
  • Card Security
  • Retail Encryption Standards
  • Privacy and Identity Management
  • Access Controls
  • Security Audits needed for VISA CISP

22
PIN Debit
  • What Risks Do Retailers Need to Manage?

23
Card Skimming Has Reached Epidemic Proportions
  • Examples
  • Breaches of logical security.
  • Installation of a parasite or sniffer on the
    key pad or controller.
  • Low tech double swipe technique.
  • Wireless POS may broadcast data.

24
What Is The Risk?
  • Cardholder PIN Security depends upon the
    retailer's implemented Key Management Procedures.
  • Can you survive:
  • Replacing Citibank's, Bank of America's or any
    large institution's cards?
  • The brand damage to your institution?
  • Disconnection from a payment brand?

25
What PIN-based Standards Retailers Must Know
  • Identify Liability to their Sponsor.
  • Identify Liability to their Processor.
  • Practice a Standard of reasonable care.
  • ANSI Standards X9.8 and X9.24.
  • Major ATM Networks (Star, NYCE, Interlink)
    follow these standards.

26
Standards for PIN and Key Management
  • American National Standards Institute (ANSI)
    published standards for Retail Banking to provide
    protection of:
  • PIN Issuance.
  • All PINed Transactions during Interchange.
  • Symmetric Cryptographic Keys used in the Retail
    Banking Payment Infrastructure to protect PINs.
  • Standards are voluntary.

27
Standards for PIN and Key Management
  • Some retailers deploying in store ATMs to earn
    surcharge and interchange
  • Knowledge of

28
How Does Retail Encryption Work?
[Slide diagram: Castle A and Castle B share the Same Key. Each locks up its Data, Keys and PINs in Chest 12345 to share with the other castle.]
29
Authenticating the Card Holder - ANS X9.8
  • The PIN is a means of verifying the identity of
    a customer within an Electronic Funds Transfer
    (EFT) System.
  • The objective of PIN Management is to protect the
    PIN against unauthorized disclosure and
    compromise and misuse throughout its life cycle.
  • PIN Security depends on sound key management.
    Maintaining the secrecy of the Cryptographic Keys
    is of the utmost importance, because the
    compromise of the key allows the compromise of
    any PIN ever enciphered under it.

[Slide diagram: a Customer uses an ANY Bank card at an Oregon Bank owned ATM; the Retailer's PINPAD encrypts the PIN as E_PEK(PIN block).]

30
PIN Verification by the Issuer Host (on-us or
not-on-us)
[Slide diagram: parties shown are the FCU cardholder, the Retailer PED, Oregon Bank (OB), a Third Party Processor (TPP), the NYCE, Star and PULSE networks with other switches, and the Federal CU (FCU) issuer host. The PIN crosses the network as E_AWK(PIN).]
  1) TPP does not verify PIN at ATM;
     transaction transported to FCU host center.
  2) OB performs a PIN translation to
     transport transaction to network.
  3) E_AWK(PIN)
  4) Network performs a PIN translation to
     transport to FCU Issuer.
  5) PIN is verified at FCU host center and
     authorization
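The chest-and-key analogy of slide 28 and the numbered PIN path of slides 29 and 30 can be traced in code. The following Go program is an added example written for this transcript, not code from the presentation or from any network: it builds an ISO 9564 format 0 PIN block, encrypts it under a PIN Encryption Key (PEK) as a retailer's PED would, performs the two zone translations (PEK to AWK at Oregon Bank, AWK to an issuer working key at the network) and lets the issuer recover the PIN. The three Triple DES keys, the names awk and iwk, the PAN and the PINs are constructed test values; in production the translation runs inside a hardware security module, which this host-side code only imitates.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// Constructed K1K2K1 Triple DES zone keys (hypothetical test values, not from the presentation).
var (
	pek = mustHex("0123456789ABCDEFFEDCBA98765432100123456789ABCDEF") // PED <-> acquirer (Oregon Bank)
	awk = mustHex("1111111111111111AAAAAAAAAAAAAAAA1111111111111111") // acquirer <-> network (Star/NYCE/PULSE)
	iwk = mustHex("2222222222222222BBBBBBBBBBBBBBBB2222222222222222") // network <-> issuer (FCU)
)

func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

// iso0PinBlock builds an ISO 9564-1 format 0 PIN block: the PIN field ("0", PIN length,
// PIN, "F" padding) XORed with the PAN field ("0000" plus the rightmost 12 PAN digits
// excluding the check digit). Binding the block to the PAN stops a captured block from
// being replayed against a different card.
func iso0PinBlock(pin, pan string) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 12 || len(pan) < 13 || strings.Trim(pin+pan, "0123456789") != "" {
		return nil, fmt.Errorf("invalid PIN or PAN")
	}
	f1 := fmt.Sprintf("0%X%s", len(pin), pin)
	b1 := mustHex(f1 + strings.Repeat("F", 16-len(f1)))
	b2 := mustHex("0000" + pan[len(pan)-13:len(pan)-1])
	out := make([]byte, 8)
	for i := range out {
		out[i] = b1[i] ^ b2[i]
	}
	return out, nil
}

// extractPin reverses iso0PinBlock at the issuer, which knows the PAN from the message.
func extractPin(block []byte, pan string) (string, error) {
	if len(block) != 8 || len(pan) < 13 {
		return "", fmt.Errorf("invalid block or PAN")
	}
	b2 := mustHex("0000" + pan[len(pan)-13:len(pan)-1])
	f1 := make([]byte, 8)
	for i := range f1 {
		f1[i] = block[i] ^ b2[i]
	}
	s := strings.ToUpper(hex.EncodeToString(f1))
	n := strings.Index("0123456789ABCDEF", s[1:2])
	if s[0] != '0' || n < 4 || n > 12 || strings.Trim(s[2+n:], "F") != "" {
		return "", fmt.Errorf("malformed PIN block (wrong key or PAN?)")
	}
	return s[2 : 2+n], nil
}

// tdesBlock encrypts or decrypts the single 8-byte PIN block under a zone key (one
// block in ECB, as ISO 9564 specifies). A bad key length is a programming error here.
func tdesBlock(key, in []byte, decrypt bool) []byte {
	c, err := des.NewTripleDESCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, 8)
	if decrypt {
		c.Decrypt(out, in)
	} else {
		c.Encrypt(out, in)
	}
	return out
}

// translatePin is the switch's job: decrypt under the inbound zone key and re-encrypt
// under the outbound one. Inside an HSM the clear block never reaches host memory;
// this plain Go version exists only to make the hops visible.
func translatePin(enc, from, to []byte) []byte {
	return tdesBlock(to, tdesBlock(from, enc, true), false)
}

// walkThrough follows steps 1-5 of slide 30 and returns the PIN the issuer recovers.
func walkThrough(pin, pan string) (string, error) {
	block, err := iso0PinBlock(pin, pan)
	if err != nil {
		return "", err
	}
	// 1) The retailer PED encrypts under the PEK; the TPP forwards it without verifying.
	block = tdesBlock(pek, block, false)
	// 2) Oregon Bank translates PEK -> AWK; 3-4) the network translates AWK -> IWK.
	block = translatePin(block, pek, awk)
	block = translatePin(block, awk, iwk)
	// 5) The issuer (FCU) decrypts under IWK and verifies the PIN against its records.
	return extractPin(tdesBlock(iwk, block, true), pan)
}

func main() {
	fmt.Println(walkThrough("1234", "4111111111111111"))
}
```

Each party only ever holds the block under its own zone key, which is the point of slide 29: losing a key exposes every PIN ever enciphered under it, so the key management rules of X9.24 matter as much as the cipher itself.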
31
PIN Debit Growth
  • Implications for Retailers:
  • Recent Anti-trust victory spurs volume.
  • Savings due to lower Interchange.
  • ATM Network Rules much more important.
  • Retailers' efforts to comply with ATM Network
    Rules must be meaningful!

32
What can CPAs do to help Retailers Reduce
Payments Exposure?
  • Assess the key management health of your
    retailer client.
  • Audit your retail client's third party processor.
  • Ensure your client does not store magnetic stripe
    data (prohibited by VISA due to risk of
    counterfeit cards).

33
Other Revenue Opportunities for CPAs
  • Prepare your clients for rules-driven change.
  • Design and implement a rollout plan to replace
    non-compliant POS PADs, ATMs and global keys.
  • Secure PIN PAD Management.
  • DUKPT and Triple DES Algorithms.

34
What else can CPAs do?
  • Education of all key management operations
    personnel, for compliant implementation of key
    life cycle needed.
  • Understanding of Network Operating Rules and
    applicable ANS Standards.
  • Adequate written policies and procedures needed.
  • Acquisition of applicable PIN and Key Management
    Standards.

35
What else can CPAs do?
  • Review position papers:
  • Best practices for PIN Debit Security.
  • http://www.nyce.net/pdf/PIN_debit_encryption.pdf
  • Preparing for the Industry Migration to Triple
    DES.
  • http://www.nyce.net/pdf/triple_des.pdf
  • Get involved in the ANS Work Group F6.
  • http://www.x9.org to locate the standards and
    audit programs.

36
Privacy Risks for Retailers
  • Why do Retailers Need to Care?
  • Answer: Collecting Debit, Credit and Check
    Payments requires the retailer to acquire and
    store non-public, personally identifiable
    information (NPI).
  • This triggers FTC liabilities.

37
Privacy Standards For Retailers
  • Federal Trade Commission (FTC) Adopts FFIEC
    Interagency Standards for Customer Information.
  • April 2000, FTC Fair Information Practice
    Principles.
  • Merchants now subject to banking rules through
    the FTC.

38
Privacy Standards For Retailers (contd)
  • June 26, 2000 - FFIEC issues Interagency Standards
    for customer information (Federal Register, Vol.
    65/123/39475).
  • Regulators expect Banks and Service Providers to
    develop Information Security Programs to ensure
    the security and confidentiality of customer
    information and protect against any anticipated
    threats to the security or integrity of such
    information.

39
Privacy Standards For Retailers (contd)
  • ...protect against unauthorized access to, or use
    of, customer information that could:
  • result in substantial harm/inconvenience to the
    customer.
  • present a safety and soundness risk.

40
Privacy Standards For Retailers (contd)
  • Opt-out exceptions to FTC/GLBA Privacy Risks
    only:
  • For marketing arrangements.
  • Services if the customer authorizes.
  • For fraud protection/risk reduction.
  • Error resolution.

41
Privacy Standards For Retailers (contd)
  • No exceptions to encryption mentioned.
  • Restriction on sharing of data, not intended to
    be limited to telemarketing only.

42
FTC Actions Vs. Non-Compliant Retailer
  • Guess settles FTC Security Charges; third FTC
    case targets false claims about Information
    Security.
  • Agency alleges security flaws placed consumers'
    credit card numbers at risk to hackers.

43
FTC Actions Vs. Non-Compliant Retailer (contd)
  • In the FTC's third case targeting companies that
    misrepresent the security of consumers' personal
    information, designer clothing and accessory
    marketer, Guess Incorporated, has agreed to
    settle Federal Trade Commission charges, that it
    exposed consumers' personal information,
    including credit card numbers to commonly known
    attacks by hackers.

44
FTC Actions Vs. Non-Compliant Retailer (contd)
  • Contrary to the company's claims, FTC alleges
    that Guess did not use reasonable or appropriate
    measures to prevent consumer information from
    being accessed at its Web site Guess.com.
  • The settlement will require that Guess implement
    a comprehensive information security program, for
    Guess.com and its other Web sites.

45
FTC Actions Vs. Non-Compliant Retailer (contd)
  • "Consumers have every right to expect that a
    business that says it's keeping personal
    information secure, is doing exactly that," said
    Howard Beales, Director of the FTC's Bureau of
    Consumer Protection. "It's not just good
    business, it's the law," he said.

46
FTC Actions Vs. Non-Compliant Retailer (contd)
  • Information would be secure and protected. The
    company's claims included "This site has
    security measures in place to protect the loss,
    misuse and alteration of information under our
    control" and "all of your personal information,
    including your credit card information and
    sign-in password are stored in an unreadable,
    encrypted format at all times."

47
FTC Actions Vs. Non-Compliant Retailer (contd)
  • In fact, according to the FTC, the personal
    information was not stored in an unreadable,
    encrypted format at all times and Guess' security
    measures failed to protect against SQL and other
    commonly known attacks. In February 2002, a
    visitor to the Web site, using an SQL injection
    attack, was able to read in clear text credit
    card numbers, stored in Guess' databases,
    according to the FTC.

48
Requirements
  • Part II of the Proposed Order requires an Infosec
    Program in writing, that is reasonably designed
    to protect the security, confidentiality and
    integrity of personal information, collected
    from, or about consumers.
  • Designate an employee or employees to coordinate
    and be accountable for the Information Security
    Program.

49
Requirements (contd)
  • Identify material, internal and external risks to
    the security, confidentiality and integrity of
    customer information, that could result in the
    unauthorized disclosure, misuse, loss,
    alteration, destruction, or other compromise of
    such information and assess the sufficiency of
    any safeguards in place to control these risks.
    At a minimum, this risk assessment must include
    consideration of risks in each area of relevant
    operation.

50
Requirements (contd)
  • Design and implement reasonable safeguards to
    control the risks identified through risk
    assessment, and regularly test or monitor, the
    effectiveness of the safeguards' key controls,
    systems, and procedures.
  • Evaluate and adjust its Information Security
    Program in light of the results of testing and
    monitoring, any material changes to its
    operations or business arrangements, or any other
    circumstances that Guess knows or has reason to
    know, may have a material impact on its
    Information Security Program.

51
Requirements (contd)
  • Perform an assessment and report certifying that
  • A security program provides protections that meet
    or exceed, the protections required by Part II of
    this order and
  • The security program is operating with sufficient
    effectiveness, to provide reasonable assurance
    that the security, confidentiality, and integrity
    of consumers' personal information has been
    protected.

52
Enforcing Privacy Promises
  • It's important that all retailers on-line and
    off, honor the privacy promises they make to
    consumers. The FTC has encouraged web sites to
    post privacy notices and honor the promises in
    them. Many web sites indeed, (nearly all of the
    Top 100 Sites) now post their privacy policies.
    The FTC has already brought a number of cases
    under Section 5 of the FTC Act, to enforce the
    promises in privacy statements. The FTC will
    also investigate claims touting the privacy and
    security features of products and services.

53
Enforcing Privacy Promises(contd)
  • Retain the documents for three years after the
    date that each assessment is prepared.
  • Submit compliance reports to the FTC.
  • Some states (California) pass onerous privacy
    laws.
  • Encryption on bank-controlled links is a black
    and white issue.
  • Other state laws: a wild card.
  • More info: http://www.ftc.gov/privacy/index.html

54
Revenue Opportunities for CPAs
  • Assess whether or not your retail clients have a
    privacy program.
  • Regulatory Compliance Risk Assessment.
  • Information Security Assessments.

55
Check Truncation Act
  • Emerging Trend
  • Electronically captures MICR Data.
  • MICR Data: a one-time debit.
  • MICR Data forwarded to check processor.
  • Check processor forwards to ACH or ATM Switch.

56
Check Truncation - Business Issues
  • Changed Float and Availability Schedules.
  • Time Value of Money.
  • Retailers win: less float, less check fraud.
  • Checks move electronically in lieu of trains,
    planes and automobiles.
  • May facilitate data theft.

57
Why Bother Encrypting?
  • It's an FTC Regulatory Requirement.
  • Check Truncation is premised on increasing
    confidence in Electronic Check Acceptance vs.
    Increasing Check Fraud Risk.
  • Enticement to steal account holder data,
    increases dramatically when large numbers of
    checking account numbers are transmitted and
    stored in clear text.

58
Why Bother Encrypting Truncated Check Files if we
don't Encrypt Individual Checks?
  • Encrypting checking account information, offsets
    new flavors of old risks.
  • Account takeover (mailbox fraud).
  • Impersonating (spoofing) the check processor or
    merchant.
  • These risks could retard product acceptance if
    they are not managed and balanced with cost and
    implementation issues.

59
Why Bother Encrypting?
  • Insert a data sniffer between the Store
    Controller and the Check Processor.
  • Insert a data sniffer between the Check Processor
    and the Switch, or the Switch and FI.
  • Use a data program to logically inspect data
    packets.
  • Thousands of retail locations create ample
    opportunity.

60
Why Bother Encrypting?
  • Data sniffers are commonplace.
  • Work clandestinely - without a trace.
  • Not a controlled item.
  • Common to all telecommunications personnel.
  • Check fraud would most likely be perpetrated by
    insiders (technicians).
  • This risk is no different from the risk in on-line
    POS, where encryption is used.

61
How Could the Check Fraud Occur?
  • Collect MICR numbers in bulk.
  • Transfer to desktop publishing packages/devices.
  • Print on high quality paper.
  • Check paper can be purchased for $8.00.
  • Forge large numbers of checks under the bank
    signature review threshold.

62
What are Viable Safeguards ?
  • Hardware Encryption.
    • Customer Account/MICR Data.
    • Similar to existing encryption of PIN Block.
    • Leverage existing PIN PAD Infrastructure.
  • Software encryption.
    • Encrypt same Data as with Hardware Encryption.
  • Link or End-to-End encryption.
    • Encrypts the entire message.
  • Processor Indemnification (least desirable).

63
How do I Know That Encryption is Really Viable?
  • Common uses of line encryptors.
  • EFT Switch to settlement ACH banks.
  • ACH processing - debit and credit applications.
  • Remote Banking and E-Commerce.

64
More Info About Encryptors
  • Link encryptors used successfully since the 1980s.
  • Most common problems are in key synchronization.
  • These issues are not characterized by users as
    severe.
  • Transaction throughput no longer an issue, as
    processor speeds have increased.
  • Average cost per node is about $1800.

65
Who makes line encryptors?
  • Racal
  • Cylink
  • Ravlin

66
Who Makes Line Encryptors?
  • What about the Telecommunications Protocol?
  • RACAL and Cylink product literature state that
    they support
  • TCP/IP
  • Routers
  • Simple Network Management Protocol
  • Asynchronous Transmission
  • Full Duplex
  • PBX
  • Multiple Data Transfer Rates
  • Frame Relay up to 256 kbps
  • Dial-up
  • Remote Support

67
Who Makes Line Encryptors?
  • Can hackers easily defeat encryption?
  • The product literature indicates support for
    strong encryption.
  • Triple DES
  • Diffie Hellman
  • Scant economic incentive for hackers to attempt
    to attack data, encrypted with strong methods.
  • Requires over 20 years and several million
    dollars to decrypt Triple DES or stronger
    encrypted data.

68
Implications
  • Summary
  • Truncating check data and converting it to
    electronic format, could facilitate mass theft of
    customer information, because the incentive to
    steal increases when the reward increases and the
    risk of detection is minimal.

69
Privacy Implications for Retailers
  • The Federal Trade Commission, the nation's
    consumer protection champion, plays a vital role
    in protecting consumers' privacy. The agency's
    pro-privacy agenda emphasizes both enforcement
    and education.
  • Any non-cash payment triggers obligations.

70
Web Payment Channels
  • Risks retailers need to manage.
  • Account Information Theft.
  • Card not present fraud.
  • Card Skimming/Counterfeit.
  • Fraudulent Applications and Identity Theft.

71
Web Payment Fraud Trends
  • Increased card compromises at third party
    processors and merchants attract payment network
    and regulatory attention.
  • VISA launches its Cardholder Information Security
    Program (CISP).
  • Merchants must comply or may lose access to the
    VISA brand.
  • MasterCard has similar intentions.

72
4 Key Characteristics of an Acceptable Web
Payment Solution
  • Prevent Session/Credential Theft or Replay.
  • Authenticate User.
  • Authenticate Terminal.
  • Authenticate Access Device.

73
How Does CISP Work?
  • CISP defines a standard of due care for
    safeguarding cardholder information.
  • Compliance Audits for High Risk Merchants.
  • Self-Assessment for all other.
  • VISA or third party processors will push
    requirements to merchants.
  • 12 key CISP control objectives.

74
12 CISP Control Objectives
  • Install a working firewall.
  • Keep security patches updated.
  • Protect stored data.
  • Encrypt data transmissions using public networks.
  • Use and update anti-virus software.
  • Restrict access by need-to-know.

75
12 CISP Control Objectives (contd)
  • Assign unique IDs.
  • No use of default passwords.
  • User ID tracking and accountability.
  • Test security systems.
  • Implement a security policy.
  • Restrict physical access to data.

76
Web Payment Channels
  • More info on VISA CISP available by email at
    AskVisaUSA@Visa.com
  • Some insurers require security audits as a
    condition of coverage for fraud and computer crime.

77
Opportunities for CPAs
  • Become a Visa Certified Provider.
  • SSAE Type Reviews.
  • Encryption Key Management Reviews.

78
Other Business Risks
  • Regulation E.
  • You must provide adequate receipts showing:
    • Time, Locator Number.
    • Amount.
  • Dispute Resolution.

79
Another Risk with Receipts
  • Regulation E requires truncation of card and
    account numbers on receipts.
  • Beware of Dumpster Diving.
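Slide 32 asks the CPA to ensure the client does not store magnetic stripe data, and slides 78 and 79 require receipts to carry the Regulation E fields with the card number truncated. The following Go program is an added example written for this transcript, not code from the presentation or from any payment network: it scans stored records for full track 2 data and for Luhn-valid card numbers in the clear, reports each hit with the PAN already masked, and renders a receipt line with the truncated card number. The sample records, the industry test PANs and the field names are constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample records of the kind a POS controller or processor gateway might
// write to disk. The PANs are industry test numbers; the lines are not from the presentation.
var storedRecords = []string{
	"2004-07-20 09:15:02 TXN ok pan=************1111 amt=42.10 auth=A1B2C3",
	"2004-07-20 09:16:44 DEBUG raw=;4111111111111111=2512101123456789? amt=19.99",
	"2004-07-20 09:17:09 TXN ok pan=5500000000000004 amt=7.95 auth=Z9Y8X7",
	"2004-07-20 09:18:30 TXN ok pan=************0004 amt=12.00 ref=1234567890123",
}

var (
	// Track 2 as read from the magnetic stripe: ;PAN=YYMM service-code discretionary-data?
	track2Re = regexp.MustCompile(`;(\d{13,19})=\d+\??`)
	// Any 13-19 digit run; the Luhn filter below keeps reference numbers out of the report.
	panRe = regexp.MustCompile(`\b\d{13,19}\b`)
)

// luhnValid reports whether s passes the Luhn check-digit test used for card numbers.
func luhnValid(s string) bool {
	sum, double := 0, false
	for i := len(s) - 1; i >= 0; i-- {
		d := int(s[i] - '0')
		if d > 9 { // non-digit byte
			return false
		}
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return len(s) > 0 && sum%10 == 0
}

// maskPAN truncates a card or account number the way Regulation E requires on
// receipts: only the last four digits remain.
func maskPAN(pan string) string {
	if len(pan) <= 4 {
		return pan
	}
	return strings.Repeat("*", len(pan)-4) + pan[len(pan)-4:]
}

// Finding describes one record that should not have been stored in this form.
type Finding struct {
	Line   int    // 1-based record index
	Kind   string // "track2" (full stripe data) or "clear-pan" (unmasked card number)
	Masked string // the offending PAN, truncated so the report itself is safe to file
}

// scanRecords flags stored magnetic-stripe data (prohibited outright) and unmasked
// PANs (which must be protected) so an auditor can show the client what to purge.
func scanRecords(records []string) []Finding {
	var out []Finding
	for i, rec := range records {
		if m := track2Re.FindStringSubmatch(rec); m != nil {
			out = append(out, Finding{i + 1, "track2", maskPAN(m[1])})
			continue // the PAN inside the track is covered by this finding
		}
		for _, digits := range panRe.FindAllString(rec, -1) {
			if luhnValid(digits) {
				out = append(out, Finding{i + 1, "clear-pan", maskPAN(digits)})
			}
		}
	}
	return out
}

// formatReceipt renders the Regulation E receipt fields from slides 78-79 with the card
// number already truncated, so a discarded copy gives a dumpster diver nothing to use.
func formatReceipt(pan, amount, locator, when string) string {
	return fmt.Sprintf("%s  terminal %s  card %s  amount $%s", when, locator, maskPAN(pan), amount)
}

func main() {
	for _, f := range scanRecords(storedRecords) {
		fmt.Printf("record %d: %s %s\n", f.Line, f.Kind, f.Masked)
	}
	fmt.Println(formatReceipt("4111111111111111", "42.10", "A1B2C3", "2004-07-20 09:15:02"))
}
```

On the constructed records the scan reports the debug line holding raw track 2 data and the transaction line with an unmasked PAN; the masked PANs and the 13-digit reference number (which fails the Luhn test) are left alone, which keeps the report focused on what the network rules actually forbid.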

80
Performance Risk
  • Do everything you can to promote a higher uptime
    and authorization rate.
  • Help your client avoid the melting ice-cream
    syndrome.
  • Consider DSL, Ethernet and IP-based networks.
  • Better handling of electronic checks, loyalty
    programs and data mining.

81
Performance Risk
  • Caveat:
  • All Ethernet, IP and DSL Networks require a
    firewall.
  • Beware of wireless risks at the POS.
  • More info: http://www.cisecurity.org

82
Questions?
  • Thanks for your attendance!