Session 4: Data Privacy and Fraud
Moderator: Bill Houck, Director, Risk Management, UATP
Panelists:
Peter Warner, EVP, Retail Decisions
Cherie Lauretta, Vice Manager, United Airlines
Herman Mensink, EVP, Prism Group, EMEA
Paul Buelens, Fraud Manager, MasterCard International, Risk & Security Services, ESAMEA

Risk Management Through PCI Compliance
March 2006
Peter Warner, EVP, Business Development
Hacking Is Fast Becoming The “Crime Of The Century”
Hacking
Hackers do it for Fun!
Yes they do - but organised criminals do it for profit!
A single database compromise in a payment card processor or a major on-line retailer can reap millions of card details
Which the criminals can use to commit payment card fraud

The Cost?
Aside from the fraud losses, which on average are $1,000 per card account
The payment card schemes impose substantial penalties on the compromised company to compensate the card issuers for replacing the card ($25 per card) or monitoring the account activity more closely ($5 per account)
For example, if 1 million accounts are compromised, of which only 1,000 (0.1%) are used fraudulently, the organisation responsible will face costs of
–$1,000,000 in fraud losses
–Up to $25,000,000 in penalties
And suffer the consequential reputational risk
Ready for Export
99% of all known Account Data Compromise events were on US institutions
Of these, 68% were at Merchant Service Providers (MSPs)
And 32% were at Merchants
Unnecessary & insecure data storage must be eliminated in order to minimise the risk

The Real Cost of e-commerce Fraud for Airlines
Lost revenue:
–Lost ticket sales to fraud
–Rejecting, insulting and losing genuine airline customers
–Lost repeat ticket sales to competitors
–Rejecting third party bookings as risk prone
–Turning away cross border transactions from high risk destinations
–Seats blocked to good customers by fraudsters testing cards (Alicante)
Increased fraud:
–Chargebacks, surcharges and fines
Increased costs:
–Cost of sale (postage, ticket sales time)
–High manual review costs to minimise fraud

Warning
Many hacks are not reported
Many more are not detected
And internal fraud is often involved

Top 5 Reasons for Compromise
1. Ineffective patch management
2. No security scanning
3. Weak network level security
4. SQL injection
5. Lack of real-time security monitoring
Security professionals use scans to find vulnerabilities
Hackers also scan systems to find vulnerabilities and exploit them using well-known and widely available tools
PCI Compliance – Some Observations
ReD were already BS 7799 compliant when the PCI programme was started.
–Basic infrastructure was already in place
–Saved a considerable amount of documentation work (e.g. process definition etc.)
HOWEVER, PCI Compliance took longer than we originally planned due to:
–Production network reconfiguration
–Installation of an Intrusion Detection System
–Implementation of a full network monitoring system
–Number of planned maintenance windows required to accomplish this (our customers commented on this)
Need to select a quality audit partner
–Need access to a dedicated resource
–Make sure that resource is available throughout the audit process
PCI Compliance – The Trickle Down Theory
Need to assess the impact on your supply chain
–Vendors have been slow to recognise the importance of PCI Compliance
–Vendors have been slow to modify their products and services to be PCI Compliant
–Examples: off-site tape storage and liability, database encryption, communications
Need to assess the impact on your customers
–PCI Compliance message has not gone out to everyone

PCI Compliance – In Summary
PCI Compliance is expensive but necessary
–Smaller Payment Service Providers may be forced out of business
–Benefit to out-sourcing Payment Service Processing
Staying PCI Compliant requires strict adherence to change management processes
The Impact of Account Data Compromise
Counterfeit cards and fraud
Significant chargeback risk
Penalties, fines, losses
Negative media coverage
Loss of reputation
Re-issuance and monitoring of cards
Loss of consumer confidence
Threat of new legislation

Thank you
March 2006
Peter Warner, EVP, Business Development