Post on 05-Jun-2020
4/19/2018
1
Credit Card Cybersecurity Insights to Help Safeguard your Multichannel Business
May 9, 2018
1
Disclosures
This presentation is provided as a courtesy and is to be used for general information purposes only. Bank of America Merchant Services shall not be responsible for any inaccurate or incomplete information. The matters contained herein are subject to change. Individual circumstances may vary and procedures may be amended or supplemented as appropriate. This is not intended to be a complete listing of all applicable procedures. No information contained herein alters any existing contractual obligations between Bank of America Merchant Services and its clients. This presentation may not be copied, reproduced or distributed in any manner whatsoever without the express written consent of Bank of America Merchant Services.
Neither Bank of America nor its affiliates provide information security or information technology (IT) consulting services. This material is provided "as is", with no guarantee of completeness, accuracy, timeliness or of the results obtained from the use of this material, and without warranty of any kind, express or implied, including, but not limited to warranties of performance, quality and fitness for a particular purpose. This material should be regarded as general information on information security and IT considerations and is not intended to provide specific information security or IT advice nor is it any substitute for your own independent investigations. If you have questions regarding your particular IT system or information security concerns, please contact your IT or information security advisor. No information contained herein alters any existing contractual obligations between Bank of America and its clients.
Confidential ‐ NOT TO BE DISTRIBUTED WITHOUT THE EXPRESS WRITTEN PERMISSION OF BANK OF AMERICA MERCHANT SERVICES
Credit Card Payments Process
Anatomy of Card Theft
How Cybercriminals Operate
Gain Entry
• Thieves target internet‐exposed remote access systems
• Conduct network reconnaissance using diagnostic tools
• Create custom attack scripts inside the merchant's network
Steal Credit Card Data
• Payment card data is extracted with malware
• Traces of attacker activity are removed
Monetize Data
• Payment data is used to commit fraud
• Cards carry a typical value of between $20‐$50 on markets for stolen data
Anatomy of a Card Data Theft
The criminal:
1. Steals remote login credentials
2. Performs network reconnaissance
3. Pivots and elevates privileges
4. Gains access to patch management or software distribution server
5. Distributes point‐of‐sale malware
6. Harvests payment card data
7. Exfiltrates payment card data
8. Payment card information is then sold on the DarkNet
Source: Visa Managing Network Segmentation for Payment Environments presentation, 7/22/2015, slide 12
FEAR FACTOR: Phishing, Skimming, Shimming and More
Fraud aimed at stealing information from consumers and businesses is increasing, both online and on the ground.
Phishing ‐ schemes to download personal information from computers by disguising as a trustworthy entity in an electronic communication
Skimming ‐ use of devices which fit over legitimate credit card readers to steal card data
Smishing ‐ use of SMS (short messaging services) technology to phish for individuals' sensitive personal information
Shimming ‐ use of devices which are inserted into credit card readers to steal card data
Fraud Industry Trends Continue to Impact Merchants
Total Fraud Costs: 7% of their annual revenue¹
1 Fraudulent Order Requires: 8 additional sales to make up for it¹
Fraud Management Costs: 14.9% of merchant's operational costs¹
$1 CNP Fraud Loss: results in $2.27 total losses¹
It is up to 7 times more difficult to prevent fraud in remote channels than in person²
False Positives Eat Into Revenue: 30% of all transactions are declined¹
By 2020, eCommerce transactions are expected to top $4 trillion³ and $7.2 billion in card not present losses⁴
¹ Javelin Group, The Financial Impact of Fraud: Merchants Challenged as E‐Commerce Fraud Rises Post‐EMV
² FT Partners, “Transaction Security at the Nexus of E‐Commerce, Payment Market Structure Complexity and Fraud”; LexisNexis, “2015 True Cost of Fraud Study”
³ eMarketer, Worldwide Retail eCommerce Sales: The eMarketer Forecast, August 2016
⁴ Aite, EMV Issuance Trajectory & Impact on Account Takeover and CNP, May 2016
Fraud Industry Trends Continue to Impact Merchants
Criminals Exploiting New Channels/Increased Sophistication and Criminal Collaboration
Up to 7X more difficult to prevent fraud in remote channels than in person¹
“Use of Credit Card 'Skimmers' at Gas Stations, ATMs Is Exploding”² NBC News, July 1, 2016
“All the criminal organizations — especially online — move way faster and are way more efficient than the real economy”³ Michael Reitblat, CEO and cofounder of Forter
¹ Source: 2015 LexisNexis True Cost of Fraud Study
² http://www.nbcnews.com/nightly‐news/use‐credit‐card‐skimmers‐gas‐stations‐atms‐exploding‐n468216
³ http://www.pymnts.com/matchmakers/2016/matchmaker‐is‐in‐forter‐fighting‐fraud/
Criminal Activity Rising in Skimming Events
Automated Fuel Dispensers (AFDs)
• Fraudsters continue to target AFDs
• Stations in remote locations often targeted
• AFD liability shift to EMV® chip in 2020
ATMs
• White label ATM higher risk for skimming / overlay devices
• Remote locations or foreign countries are at higher risk for fraud and attacks
Terminal Overlay Skimming Devices
• 3D printers leveraged to create devices
• Takes a criminal only seconds to deploy
Source: Visa Skimming at the Point of Sale, 6/28/16, slide 9
EMV is a registered trademark in the U.S. and other countries, and an unregistered trademark elsewhere. EMV® is a registered trademark owned by EMVCo LLC.
Ways to Help Thwart Skimming Attempts
• Dispatch teams to conduct and document daily checks of POS devices
• Identify key risk areas where attacks may occur
• Use tamper screws or cable locks on POS devices
• Affix your devices with unique markings or stickers to quickly identify overlays
Source: Visa Managing Network Segmentation for Payment Environments presentation, 7/22/2015, slides 11‐13
Trends in the Payments, eCommerce and Security Landscape
Retail ecommerce sales worldwide will continue to post solid gains in 2017, rising 23.2% to $2.290 trillion. This year, for the first time, ecommerce sales will account for one‐tenth of total retail sales worldwide.¹
There will be an estimated 11.6 billion mobile connected devices by 2020, exceeding the world's projected population at that time (7.8 billion).²
Mobile devices impact both offline and online buying decisions.³
It is up to 7 times more difficult to prevent fraud in remote channels than in person.⁴
$1 Card Not Present Fraud Loss results in $2.27 total losses.⁵
By 2020, eCommerce transactions are expected to top $4 trillion⁶ and an expected $7.2 billion in card not present losses.⁷
¹ https://www.emarketer.com/Report/Worldwide‐Retail‐Ecommerce‐Sales‐eMarketers‐Estimates‐20162021/2002090, July 2017
² Cisco Visual Networking Index: Global Mobile Data Traffic Forecast Update, 2015‐2020 White Paper, 2016
³ TSG, The Internet of Payments Awakens, 2016
⁴ Javelin Group, The Financial Impact of Fraud: Merchants Challenged as E‐Commerce Fraud Rises Post‐EMV
⁵ FT Partners, “Transaction Security at the Nexus of E‐Commerce, Payment Market Structure Complexity and Fraud”; LexisNexis, “2015 True Cost of Fraud Study”
⁶ eMarketer, Worldwide Retail eCommerce Sales: The eMarketer Forecast, August 2016
⁷ Aite, EMV Issuance Trajectory & Impact on Account Takeover and CNP, May 2016
⁸ Passport to International Sales, Ingenico White Paper, July 2016
What’s at stake when a breach occurs?
Data Breaches Continue to Rise
Number of breaches with exposed credit and debit cards was 160 in 2015, a 15.9% increase over the prior year. The Banking/Credit/Financial sector ranked third with 9.1 percent of the breaches.¹
$7.01 million is the average total cost of a data breach.²
Nearly 20 percent of consumers would permanently abandon a retailer that was the victim of a data breach.³
Merchants need to protect their systems and consumers.
¹ Identity Theft Resource Center Multi Year Statistics 2016.
² 2015 Cost of Data Breach Study: United States, Ponemon Institute© Research Report, benchmark research sponsored by IBM, May 2016.
³ KPMG Consumer Loss Barometer, 2016.
Breach Trends by Merchant Category Code (MCC)
Global Data Compromises
Certain industries have higher data breach costs.
[Chart: Per capita cost by industry classification in 2017, in US$ (axis $0 to $400). Industries shown: Health, Services, Public Sector, Life Science, Retail, Industrial, Consumer, Hospitality, Media.]
Source: 2017 Cost of Breach Study, Ponemon Institute
The Public and Private Cost of a Data Breach
• Card Organization assessments
- Operational reimbursement (replacement of cards)
- Fraud recovery (reimbursement expenses associated with compromised cards)
• Forensics, PCI non‐compliance fines, and more
• Crisis communications management costs
• Loss of public trust and confidence
• Cost of legal representation
The Rising Cost of Data Breaches
$4.13 million: Average cost of lost business after a data breach in the U.S.
$225: The average cost of data breach per incident in the U.S.
$1.46 million: The average detection and escalation cost in Canada
$1.56 million: The post data breach response cost in the U.S. in 2017
$190: The average cost of data breach per incident in Canada
Source: 2017 Cost of Breach Study, Ponemon Institute
Solutions to Consider
EMV Update
EMV chip cards and chip‐activated merchants combat counterfeit fraud in the U.S.
66%: Counterfeit fraud down¹
55%: US storefronts accepting chip²
462 million: Chip cards issued to consumers²
$59.6 million: Amount of chip transactions³
Source: Visa, “Visa Chip Card Update”, 09/2017
¹ For merchants who have completed the chip upgrade, counterfeit fraud dollars have dropped 66% (as of June 2017 compared to June 2015)
² Financial institutions have issued 462 million chip cards to consumers, and 2.5 million, or 55 percent of U.S. storefronts, accept chip
³ Chip transactions continue to increase in the U.S.; as of Sep 2017 there were 1257.2 million transactions amounting to $59.6 billion
EMV Alone is Not Enough
Chip based technology (EMV) helps reduce the risk of accepting counterfeit cards, while a PIN reduces the risk of misuse of lost or stolen cards.
EMV will not protect online transactions. Consumers purchasing online are still open to fraudulent transactions.
EMV does not protect cardholder data once the payment method and consumer are validated; or during payment processing transmission or in your environment at rest.
Merchants need to consider multi‐layered security solutions to protect cardholder data from cyber criminals.
Help Protect Against Fraud with Target Tools Online
Address Verification Service (AVS)
Card Verification Service (CVV2): 3 digit code to verify cardholder has card in their possession
Fraud Detect®: Real‐time fraud scoring and machine learning capabilities designed to help reduce a merchant's overall exposure and cost of fraud
3D Secure®: Authentication options at checkout – Verified by Visa, SecureCode by MasterCard, Safekey by American Express
Tokenization: Removes sensitive cardholder data from the merchant's environment. Solutions can facilitate repeat business
Dispute Manager®: Online tool that helps merchants automate the chargeback process
Merchant responsible for selecting which tools to enable and for properly using those tools to effectively help reduce fraud. Availability by country may vary; please review with your business consultant.
Fraud Post EMV: Card Not Present (CNP), App Fraud, and Account Take Over (ATO) on the Rise
[Chart: U.S. ATO, Application and CNP Fraud Growth, 2015 to e2020 (in US$ Billions). Series: ATO Fraud, Application Fraud, CNP Fraud. Years: 2015, 2016, e2017, e2018, e2019, e2020. Axis $0 to $10 BN.]
Source: Aite Group
Other Advancements in CNP Fraud Solutions
As EMV adoption drives more fraud towards eCommerce and CNP, it is critical for fraud detection solutions to keep pace.
Advances in fraud detection will leverage:
- Machine‐learning technologies vs. rules‐based engines
- Full integration with core eCommerce processing platforms
- Packaged, full‐service fraud offerings
New fraud solutions will help deliver important benefits to merchants:
- Easy to get started with pre‐integration to key gateways
- Easy to use with intuitive Accept or Decline recommendations
- Greater accuracy on fraud scores to help merchants save money
The Strength of Machine Learning Helps Combat Fraud
[Diagram: Order → Machine Learning model → Fraud Risk Estimate → Accept / Reject]
Merchant benefits
• Facilitate real‐time decision‐making
• Improve accuracy
• Rapidly respond to changing fraud trends
• Help lower costs through automation
Solutions to Consider: Card Present
EMV · Data Encryption · Tokenization · PCI Compliance
Enhancing Data Security and Reducing Your PCI Validation Scope
Point‐to‐point encryption (P2PE)
• Encryption is designed to help protect cardholder data from the point of data entry.
• Uses a key management feature making cardholder data virtually unreadable to anyone who does not have the encryption key
• Helps protect cardholder data in transit
• If properly implemented, P2PE can reduce your scope of PCI DSS validation
Tokenization technology
• Replaces cardholder data (PAN) with surrogate values (token)
• Designed to work in concert with encryption to eliminate storage of cardholder data
• Allows merchant to limit storage of cardholder data with the tokenization system
• If properly implemented, tokenization can reduce your scope of PCI DSS validation
EMV Chip Technology
• Helps protect against counterfeit cards by replacing static data with dynamic
• Works with card‐present transaction only
• Requires a dual processing terminal (mag strip and chip)
What is End‐To‐End Encryption?
End‐to‐end encryption (E2EE) is the uninterrupted protection of data from the moment of swipe, through transit between the merchant's point of sale and their processor.
No eavesdropper can access the cryptographic keys needed to decrypt the conversation, including telecom providers, Internet providers and the company that runs the messaging service.
What is End‐To‐End Encryption?
• Primary Account Number (PAN) data is encrypted at a Tamper Resistant Security Module (TRSM) protected Point of Interaction (POI) (e.g. terminal) with the Bank of America Merchant Services encryption key
• Merchant has no access to the decryption key
• Encryption helps protect the PAN during transit or offline situations
• PAN is only decrypted once it arrives in Bank of America Merchant Services' secure processing vault
• Key updates are embedded in transaction message responses
What is Tokenization?
Tokenization is the process of substituting a sensitive data element with a non‐sensitive equivalent, referred to as a token, that has no monetary value.
Important caveat: Encryption and tokenization do not guarantee that your systems will not be breached. Using encryption and tokenization does not mean you are automatically compliant with the Payment Card Industry Data Security Standard or Card Organization Rules.
What is Tokenization?
• Tokens help protect data at rest and in use.
• They differ from encryption because tokens have no direct relationship with the card data they replace.
• Tokens are card‐based and have a 1:1 relationship with an account number.
• Tokens do not expire, so the same token follows the card through the entire card lifecycle.
What is a Multi‐Pay Token?
A multi‐pay token can be used in place of the primary account number (PAN) to perform a financial transaction.
• Because they can initiate a financial transaction without the card being present, they are:
- Valuable for ecommerce and card‐not‐present environments
- Useful in processing refunds and credits
• They allow merchants to track buying patterns based on card use for sales trending, marketing and loyalty programs – while remaining within PCI compliance
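As an added example (not code from the presentation or from Bank of America Merchant Services), a minimal vault-style tokenization service in Python that exhibits the properties the two preceding sections describe: a token is a random surrogate with no mathematical relationship to the PAN, the mapping is 1:1 and does not expire, and a multi-pay token lets the merchant process a refund without the card being present. All class and method names, the last-four-preserving token format, and the rule that a token must fail the Luhn check are assumptions of this example.

```python
import secrets
import string

def luhn_valid(pan: str) -> bool:
    """Luhn check; also used to make sure a token can never pass as a real PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """Processor-side vault (hypothetical). Only this object ever holds a PAN."""

    def __init__(self) -> None:
        self._pan_to_token: dict[str, str] = {}
        self._token_to_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        # 1:1 mapping: the same PAN always maps to the same non-expiring token.
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            # CSPRNG body plus the real last four for receipts: the token has no
            # mathematical relation to the PAN. Candidates that would themselves
            # pass Luhn are discarded so a token is never a plausible card number.
            body = "".join(secrets.choice(string.digits) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token not in self._token_to_pan and not luhn_valid(token):
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Processor-only operation; the merchant has no equivalent call."""
        return self._token_to_pan[token]

class MerchantSystem:
    """Merchant side (hypothetical): stores tokens and amounts, never PANs."""

    def __init__(self, vault: TokenVault) -> None:
        self._vault = vault
        self.orders: dict[str, tuple[str, int]] = {}  # order_id -> (token, cents)

    def sale(self, order_id: str, pan: str, cents: int) -> str:
        token = self._vault.tokenize(pan)  # PAN is handed to the vault, not kept
        self.orders[order_id] = (token, cents)
        return token

    def refund(self, order_id: str, cents: int) -> dict:
        """Refund by multi-pay token: the card does not need to be present."""
        token, sale_cents = self.orders[order_id]
        if cents > sale_cents:
            raise ValueError("refund exceeds original sale")
        return {"token": token, "amount": -cents}

    def holds_pan(self, pan: str) -> bool:
        """Breach check: a dump of the merchant's records exposes no PAN."""
        return any(tok == pan for tok, _ in self.orders.values())
```

The constructed PANs used to exercise it (4111111111111111 and 5555555555554444) are the usual publicly documented test numbers, not real accounts.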
Approaches to Transaction Data Encryption
[Diagram: End‐to‐End Encryption (E2EE). Parties: MERCHANT, MERCHANT DATA CENTER, ACQUIRER DATA CENTER, ISSUER. Message labels: Encrypted Credit Card Request, Tokenized Credit Card Response.]
[Diagram: Point‐to‐Point Encryption (P2PE). Parties: MERCHANT, MERCHANT DATA CENTER, GATEWAY, ACQUIRER, ISSUER. Message labels: Decrypted Credit Card Request, Non‐tokenized Credit Card Response. Marked as Vulnerability Point: THE LAST MILE.]
Overall Security Strategy is Critical for an Organization
Securing Consumer Data
Merchant Security
• Remove card data from merchant environment: TransArmor® Data Protection
• PCI requirements: Logging and monitoring, network access, etc.
Merchant Benefits: Helps protect firm's reputation and image
Industry Benefits: Less card data in market for potential fraud
Helping Reduce Fraud*
• Enhanced Authentication: EMV
• Fraud Mitigation Tools: eCommerce Fraud Tools, 3D Secure, Fraud Detect
Merchant Benefits: Reduction in counterfeit fraud
Industry Benefits: Devalues stolen card data
*Enhanced authentication and fraud products are being developed in the industry for mobile and ecommerce, e.g., device ID, payment tokens, risk scores. TransArmor data protection provides encryption and tokenization services. TransArmor Data Protection is not a guarantee that your systems will not be breached or cause you to be compliant with the Payment Card Industry Data Security Standard or Card Organization Rules. Requires eligible equipment.