Cost Of A Breach Case Study and PCI Prioritization
Transcript of Cost Of A Breach Case Study and PCI Prioritization
Where We Stand.
Costs of a Data Breach Case Study
PCI Prioritization
Presentation by: Ross Federgreen*
*Founder, CSRSI® THE PAYMENT ADVISORS
PCI Critical Dates
Prioritization
PCI Breach Costs
PCI Critical Dates
ALIGNMENT July 1, 2010
US Payment Application Security Mandate
Phase I through Phase V
TDES Mandate
POS PIN Acceptance Device Mandate
US Payment Application Security Mandate (CISP 102307)
Phase I through Phase V
Phase I, January 1, 2008: Newly boarded merchants must not use known vulnerable payment applications, and VisaNet Processors (VNPs) and agents must not certify to their platforms new payment applications that are known to be vulnerable.
Phase II, July 1, 2008: VNPs and agents must only certify new payment applications to their platforms that are PA-DSS compliant.
Phase III, October 1, 2008: Newly boarded Level 3 and 4 merchants must be PCI DSS compliant or use PA-DSS compliant applications.
Phase IV, October 1, 2009: VNPs and agents must decertify all vulnerable payment applications.
Phase V, July 1, 2010: Acquirers must ensure their members, VNPs and agents use only PA-DSS compliant applications.
Triple Data Encryption Standard (TDES) Mandate (PIN Security Bulletin 093008)
Phase I through Phase II
Phase I, January 1, 2009: Newly deployed US automated fuel dispensers must contain a TDES-capable and PCI-approved encrypting PIN pad.
Phase II, July 1, 2010: All US POS PEDs must be encrypting PINs using TDES end-to-end.
POS PIN mandate (PIN Security Bulletin 093008)
July 1, 2010
All attended POS PIN acceptance device models must have passed testing by a PCI recognized or Pre PCI recognized laboratory and have been approved by Visa.
PRIORITIZATION
“The prioritized approach provides guidance that will help merchants identify how to reduce risk to cardholder data as early on as possible in their compliance journey.”
PCI Security Standards Council, 2009
The Prioritized Approach
Benefits:
1. Roadmap
2. Pragmatic approach
3. Supports financial and operational planning
4. Objective and measured progress indicators
5. Consistency among QSAs
Six security milestones:
1. Remove sensitive authentication data and limit data retention
2. Protect the perimeter, internal and wireless networks
3. Secure payment card applications
4. Monitor and control access to your systems
5. Protect stored cardholder data
6. Finalize remaining compliance efforts and ensure all controls are in place
PCI BREACH COSTS
Total direct costs to a merchant from a PCI event include:
Card replacement costs, now averaging about $4 per card
Compliance fines, now ranging from about $5,000 to $50,000 per event for a small (Level III or IV) merchant
Cost of the forensic examination, averaging between $25,000 and $35,000 per event for Level III and IV merchants
Additional fines for actual fraudulent use of the stolen PANs, which vary by event
Case Study: July 2008
A small card-present retailer was breached. The retailer had filled out a self-assessment form and attested to the acquirer that the information was true and correct.
The merchant was found to have stored over 2,000 credit card numbers in an accounting system for “reference” and to bill clients “if they forgot their credit card number”.
The file was accessed and the card numbers stolen when the computer holding it was taken during a robbery. A common point of purchase (CPP) analysis of the compromised cards revealed the location of the theft.
Direct costs to the merchant from this event:
Replacement cost           $5,000.00
Compliance fine           $12,500.00
Forensic examination      $25,000.00
Card utilization fines    $74,398.47
TOTAL                    $116,898.47
The merchant also sustained significant reputational cost due to adverse publicity, legal fees, loss of business and other expenses.
The merchant filed for bankruptcy protection.
The acquirer assessed the amounts due to the ISO.
Following the initial event, Visa examined the ISO's practices relating to PCI adoption and its plan for its portfolio under VBR 07508, and fined the ISO additional fees.
The ISO sustained a financial loss of $189,354.45.
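The case study above is a failure of the Prioritized Approach's first milestone (remove sensitive authentication data and limit data retention): the merchant attested on a self-assessment that no cardholder data was stored, while an accounting export held more than 2,000 PANs in clear text. The check that would have caught this before the robbery did is a cardholder-data discovery scan. The script below is an added example, not part of the presentation or of any CSRSI tool. It runs a PAN discovery pass over a constructed accounting export (the sample CSV, built from industry-standard test card numbers, is invented for the example, as is the simplified issuer-prefix table), keeps only digit runs that pass the Luhn check so invoice and tracking numbers are not reported, and reports each hit masked to first six and last four digits so the scanner's own output does not become another copy of the data.

```python
import re

# Constructed sample of an accounting export, modelled on the case study's
# "reference" file. These are standard industry test card numbers, not real PANs.
SAMPLE_EXPORT = """\
client_id,name,notes
1001,Acme Corp,"bills to 4111 1111 1111 1111 if they forget the number"
1002,Smith,"ref 5500-0000-0000-0004; phone 305-555-0199"
1003,Jones,"invoice 4111111111111112 paid"
1004,Lee,"corporate card 371449635398431"
1005,Park,"tracking 1234567890123456"
"""

# 13 to 19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer digit run (the lookarounds stop a 20-digit ID matching).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Simplified issuer prefixes: an assumption good enough for a demo,
# not an authoritative BIN table.
BRAND_PREFIXES = (
    ("American Express", ("34", "37")),
    ("MasterCard", ("51", "52", "53", "54", "55")),
    ("Visa", ("4",)),
)


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check. Every brand above uses it, so it weeds out
    invoice and tracking numbers that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def brand_of(digits: str) -> str:
    for name, prefixes in BRAND_PREFIXES:
        if digits.startswith(prefixes):
            return name
    return "unknown"


def mask(digits: str) -> str:
    """Keep the first six and last four digits, the portion PCI DSS permits to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(text: str) -> list:
    """Return one finding per Luhn-valid PAN: line number, brand and masked value.
    The full PAN is deliberately never stored in or returned from the findings."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                findings.append({"line": lineno, "brand": brand_of(digits), "masked": mask(digits)})
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE_EXPORT):
        print(f"line {f['line']}: {f['brand']} {f['masked']}")
```

On the sample export the scan reports three PANs (lines 2, 3 and 5) and ignores the invoice and tracking numbers on lines 4 and 6, which have 16 digits but fail Luhn. Pointed at real file shares, database dumps and backups, the same logic is what a merchant should run before signing a self-assessment, and any hit is data to delete or truncate under milestone 1 rather than to encrypt under milestone 5.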
Study: Maine Bureau of Financial Institutions, January 2009
Study design: Cost of the TJX and Hannaford breaches borne by Maine-chartered banks and credit unions.

                      TJX          Hannaford
Institutions          52           71
Accounts affected     64,825       243,599
Recovery cost*        $485,000     $1,500,000

*Recovery cost: investigation, communication, reissuance and net fraud
Study: Ponemon Institute, February 2009
Study design: Cost of compromise to 43 companies in 2008. Each company volunteered under the condition of anonymity.

Year   Cost per breach   Cost per record   Breaches involving an external third party
2008   $6.6 million      $202              44%
2007   $6.3 million      $193              40%
2006   $4.7 million      $186              29%
Do you have questions about how to strategically plan for PII legislation? Would you like advice or complete guidance on how to evaluate PII access, storage, and handling in your business?
Contact us. We’re glad to help. Read more at www.CSRSI.com
Ross Federgreen, [email protected], Jensen Beach, FL
Jan Carroza, [email protected], Seattle, WA
866-462-7774 x1