加密与令牌化：保护客户数据.pdf

Encryption and Tokenization: Protecting Customer Data Your Payments Universally Amplified Tia D. Ilori Sue Zloth September 18, 2013 Agenda  Global Threat Landscape  Real Cost of a Data Breach  Evolution of Point-to-Point Encryption and Tokenization  Visa Merchant Data Secure Visa Public 2 Visa Global Security Summit The Visa Global Security Summit is a must-attend event for executives from business, government, academia and law enforcement. The conference will explore the intersection of technology and security, and participants will offer diverse perspectives on how industry and government can collaborate to address cyber security issues.  Pre-Summit Risk workshops for acquirers, merchants, and processors: Oct 1st  General Session: Oct 2nd Register at: http://www.VisaSecuritySummit.com Visa Public 3 Visa’s Multi-Layered Strategy Mitigating fraud through continuous leadership, coordination and investment Maintaining and enhancing stakeholder trust in Visa as the most secure way to pay and be paid Prevent Protect Minimize fraud in the payment system Protect Trust vulnerable account data and Partnership ! Advance Execute risk strategies for emerging products and channels Respond Monitor and manage events that occur Visa Public 4 PCI DSS Requirements Commonly Identified Security Deficiencies Vulnerability Applicable Requirement Default or no firewall / router rules Requirement 1 No DMZ Requirement 1 Insecure remote access, no 2-factor authentication Requirement 8 Insecure operating systems and databases Requirement 6 No patching Requirement 6 No or outdated anti-virus signatures Requirement 5 No password management or access control lists (ACL) Requirement 7 Use of default or shared usernames and passwords Requirement 2 No system logging Requirement 10 No file integrity monitoring Requirement 10 SQL injection / other web-based exploits Requirement 6 No secure coding, independent code review, or penetration testing process in place Requirement 6 Incident Response No incident response plan Requirement 12 General No monitoring of systems, logs, access control, etc. Requirement 10 Network Security Host-based Security Application Security  Lack of network segmentation has contributed to multiple location breaches Source: Data breach forensic reports Visa Public 5 Data Security Best Practices  Implement PCI DSS, including a PA-DSS compliant application  Secure remote access connectivity by IP address (or disable if not necessary)  Use 2-factor authentication  Use strong passwords when accessing POS systems  Implement a hardware-based stateful firewall and enable filtering for inbound and outbound traffic  Enable logging on systems and periodically monitor for malicious activities  Do not use your POS systems to browse the Internet, email, etc.  Ensure POS systems have latest anti-virus signature files  Remove unnecessary accounts/services on POS systems  Enforce data security on third-parties via contracts  Enroll in a managed firewall and vulnerability scan program Visa Public 6 Real Cost of a Data Breach  Data breaches impacts your company’s bottom line  Average cost of a data breach was $136 a record ‒ $188 in the U.S.  Average number of breached records was 23,647 ‒ 28,765 in the U.S.  U.S. organizations spent on average $565,020 on notification costs  Root cause of U.S. breaches ‒ Malicious or criminal attack – 41% ‒ Human factor – 33% ‒ System glitch – 26% Source: Ponemon/Symantec 2013 Cost of Data Breach Study Visa Public 7 Poll Question #1 What payment security issues keep you up at night?  Is my data secure?  Has my payment environment been breached?  What can I do to protect my data from hackers?  All of the above Visa Public 8 Point-to-Point Encryption and Tokenization – how did we get here?  TJ Maxx, 2007: In the first major breach, hackers embedded malware onto an internal network stealing 46 MM cards Major Breaches  Heartland, 2009: A multi-month malware intrusion compromised information for nearly 100 MM payment cards  Global Payments, 2012: International hackers embedded malware to capture 1 MM payment cards, and PII data  Visa released guidance docs – Encryption in 2009 and Increased Vigilance Tokenization in 2010  PCI SSC released guidance docs – Encryption in 2010 and Tokenization in 2011 Encryption Market Today  Many solution providers offer products  Lack of clarity for leading industry practices  Visa continues leading PCI SSC and the industry in development of standards and solutions Sources: Bloomberg Business Week, BankInfo Security, The Boston Globe Visa Public 9 Transaction Flow Point-to-Point Encryption 1. POS Transaction 2. Data Encryption Original Card Number: 4000123456789010 Encrypted Card Number: 4000129999999010 3. Leading Security Decrypted Card Number: 4000123456789010 Tokenization 6. Safe Storage Stored Value: 4123456789101112 5. Secure Transmission Card Token: 4123456789101112 Visa Public 4. Return Token Card Token: 4123456789101112 10 EMV and Point-to-Point Encryption EMV Only  Dynamic authentication  Account number and card data remain exposed  Exposure of sensitive information results in crosschannel fraud Cardholders 5000123456789010 340012345678901 4000123456789010 Payment Network MC: 5000123456789010 AmEx: 340012345678901 V: 4000123456789010 Transactions in the Clear EMV and Encrypted Transactions  Dynamic authentication  Account number and card data are protected in transit  Strongly mitigates the risk of point-of-sale and crosschannel fraud Cardholders 500012XXXXXX9010 340012XXXXXX901 400012XXXXXX9010 Payment Network MC: 5000123456789010 AmEx: 340012345678901 V: 4000123456789010 Encrypted Transactions Visa Public 11 PCI SSC and P2PE/Tokenization  P2PE – PCI has introduced a validation program for Point-to-Point Encryption – Merchants who use a validated P2PE Solution may qualify for scope reduction – 2013 and 2014 releases will likely focus on hybrid (aka software) encryption  Tokenization – In addition to the Guidance previously released, PCI SSC has started to look at Tokenization Standards and Requirements See the PCI website at https://www.pcisecuritystandards.org for more information Visa Public 12 Technology solutions – who could they help in securing payment data? Brick and Mortar Merchant E-Commerce Merchant Service Provider Hardware Encryption  Software Encryption    Tokenization     Visa Public 13 Poll Question #2 Have you implemented a P2PE solution? If not, are you looking at one?  Yes, and it works well  Yes, but we’re looking for an alternative  No, but we’re interested  No, and we’re not interested Visa Public 14 Visa Merchant Data Secure with Pointto-Point Encryption (VMDS with P2PE) Is Being Developed to: Encrypt from the POS to a Card Network Protect Sensitive Card Data Information Encrypt All Card Brand Data in Transit Integrate Seamlessly into Existing Business Processes VMDS w/ P2PE Offer Scalable Technology and Be Flexible for All Merchant Sizes Be a Leading Industry Standard Proposed service in development and presented for discussion purposes only; service functionality, features and timelines subject to change by Visa at any time. Visa Public 15 Visa Merchant Data Secure Product Features Merchant Data Secure Zone Translation    Standards-based (TDES + DUKPT)  Hardware Encryption Single Key Injection Use of zone translation and standards-based technology enables VMDS w/P2PE to become an industry standard for encryption Proposed service in development and presented for discussion purposes only; service functionality, features and timelines subject to change by Visa at any time. Visa Public 16 Roadmap for Development Visa Plans to Expand the VMDS Product Suite by Providing Customers with Solutions for Enterprise Security 2013 2014 Hardware Encryption 2014 2014 Product Evaluation Summit Encryption in hardware from the Point of Interaction – either dip, swipe, tap or keyed Conference to share changes in the industry and discuss new product features Tokenization Software Encryption Transforming card data into a surrogate value Secure e-commerce transactions Proposed service in development and presented for discussion purposes only; service functionality, features and timelines subject to change by Visa at any time. Visa Public 17 Visa Global Security Summit The Visa Global Security Summit is a must-attend event for executives from business, government, academia and law enforcement. The conference will explore the intersection of technology and security, and participants will offer diverse perspectives on how industry and government can collaborate to address cyber security issues.  Pre-Summit Risk workshops for acquirers, merchants, and processors: Oct 1st  General Session: Oct 2nd Register at: http://www.VisaSecuritySummit.com Visa Public 18 PCI SSC Community Meeting  PCI Security Standards Council (SSC) North America Community Meeting  September 24-26, 2013  Las Vegas, Nevada  Visa will host “office hours” throughout the community meeting ‒ Participating organization are encouraged to take advantage of this unique opportunity to engage with Visa representatives ‒ For more information please visit https://www.pcisecuritystandards.org/communitymeeting/2013/northamerica Visa Public 19 Questions Your Payments Universally Amplified For More Information Please Contact: Sue Zloth mds@visa.com Tia D. Ilori cisp@visa.com www.visamerchantdatasecure.com www.visa.com/cisp Visa Public 20