
Holistic Payment Security: Information Security by another name?... 30th May 2012



Presentation Transcript


  1. Holistic Payment Security: Information Security by another name?... 30th May 2012. Neira Jones, Head of Payment Security, Barclaycard Payment Acceptance. Leading the way in secure payments.

  2. 2011: the year of the hack… Travelodge, Sony, WordPress, United Nations, Epsilon, TeaMp0isoN, RSA, Dropbox, Lush, Citigroup, MI6, Lockheed Martin, Betfair. Infosec breaches have become a statistical certainty.

  3. What about 2012?... Source: DataLossDB.org, April 2012.

  4. Public social concerns... Preventing crime 92%; protecting personal information 89%; unemployment 86%; the NHS 84%; improving education 84%; national security 80%; protecting freedom of speech 78%; equal rights 77%; environmental issues 74%; access to information held by public authorities 69%. 74% of individuals believe that online companies don’t collect and keep their personal details securely. Individuals are three times more likely to suffer identity fraud than to have their home burgled. Consumer awareness of information security is rising rapidly, and suppliers who aren’t capitalising on this opportunity quickly enough will be left behind... Source: ICO Annual Track 2011.

  5. Public social concerns... Identity theft represents 48% of all fraud in the UK, an increase of 10% since 2010. Sources: CIFAS, January 2012; ICO Annual Track 2011.

  6. Corporate concerns... • 68% of organisations believe they can keep customer information for an indefinite period of time. • 67% of organisations believe it’s OK to use customers’ personal information for purposes other than those for which it was collected. • 28% of organisations are still unaware that they must keep customers’ personal information secure. Source: ICO Annual Track 2011.

  7. We all know better... • The most common password in the business world is “Password1” (Source: Trustwave, March 2012). • Easter eggs are more valuable to employees than corporate passwords: 48% would accept less than £5 for their personal log-ins, while 30% would give up their corporate passwords for under £1 (Source: SC Magazine, April 2012).

  8. EU proposal for new data protection laws… (#Infosec #PCIDSS #RiskManagement #CloudServices #WebHosting #DataPrivacy #Payments #DataProtection #OnlineShopping) • The right to be forgotten will help people better manage data-protection risks online. • EU rules will apply to companies based outside the EU. • Data controllers should review their contracts with service providers. • A single set of rules on data protection, valid across the EU. • National data protection authorities will be strengthened. • Breach disclosure. • Explicit consent will be required for data processing rather than being assumed. • Data portability, enabling transfer of personal data from one service provider to another. To become effective in two years.

  9. It’s war, Jim, but not as we know it... Today’s cybercrime industry is efficient, scalable, profitable and highly motivated, with a clear intent on obtaining information that can either be monetised or used to inflict damage. Data protection/compliance is seen as a necessary evil (especially by the Board). 60% of mobile apps don’t have a privacy policy that notifies consumers which of their data the app accesses (Source: InfoWorld, March 2012).

  10. Panic! • Too many compliance & regulatory deadlines! • Too many silver bullet solutions! • Too many silos! • Too many third parties!

  11. An example: the card processing ecosystem... Card schemes, issuers, acquirers, merchants, merchant agents, etc.

  12. Should we care about third parties?... • 91% of breaches occurred where assets were owned by the breached entity. • 46% of breaches occurred where assets were managed by a third party. • 26% of breaches occurred where assets were hosted by a third party. Sources: Verizon DBIR, March 2012; DataLossDB.org, April 2012.

  13. A perspective on merchant/third party relations. In Europe, most data breaches occur in the card-not-present (CNP) space. Most data breaches involve third parties. Merchants are mostly unaware of which third party relationships they have or why they are relevant. Criminals go after third parties for the payload. Merchants don’t understand why they need to use “secure” third parties, or don’t know where to find them. Third parties will often fool merchants into thinking they are “secure”. Third parties may handle customer information in unexpected ways, unknown to the merchant. We place our data, and our faith, in the security measures taken by those managing it on our behalf.

  14. Seeing the wood for the trees... 96% of attacks were not highly difficult. 97% of breaches were avoidable through simple or intermediate controls. 92% of incidents were discovered by a third party. The Verizon DBIR concluded that being prepared remains the best defence against security breaches. It’s not all doom and gloom... Source: Verizon DBIR, March 2012.

  15. What we show merchants...
  • For those who outsource… >350 (UK) and >900 (US) Level 1 PCI DSS compliant service providers are listed on the Visa websites: http://www.visaeurope.com/en/businesses__retailers/payment_security/service_providers.aspx ; http://usa.visa.com/download/merchants/cisp-list-of-pcidss-compliant-service-providers.pdf ; https://www.visamerchantagents.com/about-merchant-list (NEW). c. 900 Level 1 PCI DSS compliant service providers are listed on the MasterCard website: http://www.mastercard.com/us/company/en/whatwedo/compliant_providers.html
  • For those who want to retain control in-house… c. 750 PA-DSS validated payment applications are listed on the PCI SSC website: https://www.pcisecuritystandards.org/approved_companies_providers/vpa_agreement.php
  • Barclaycard’s position… We always recommend that our customers use PCI DSS compliant Level 1 service providers, as self-assessment does not provide you with an independent assessment of your supplier. Contractual provisions are crucial. Merchants should seek help from their acquiring bank when facing problems with third party providers, as a merchant cannot reach compliance without their third parties being compliant.

  16. Does compliance make a difference?...

  17. Barclaycard’s merchant compliance index. From an analysis of our corporate and mid-tier portfolio, we can confirm that PCI DSS compliance is moving the right way. As at April 2012, the chart on this slide shows the shape of compliance by sector, so organisations can position themselves against their peers.

  18. What can we learn?... Lesson 1. Understand your risk profile. Lesson 2. Make risk management your objective; compliance will come naturally. Lesson 3. Select the right partners. Lesson 4. Avoid quick fixes and silos (i.e. don’t panic!). Lesson 5. Automate. Lesson 6. Educate.

  19. One final thought... The investment equation.

  20. Fraud in the UK... • Fraud loss to the UK economy in 2011: £73bn, of which £20.3bn in the public sector. • Mass marketing fraud: £3.5bn; identity fraud: £1.2bn. • 9.4% of adults (4.6M) suffered identity fraud; 55.3% did not recover their losses, and the average loss is £481. • Overall cost to the UK economy from cybercrime is £27bn/year. • Common fraud types in the public sector were: procurement fraud (£1.4bn central & £890M local); payroll fraud (£181M central & £153M local); student finance fraud (£31M); grant fraud (£41M). Source: National Fraud Authority, Annual Fraud Indicator, April 2012.

  21. Infosec/PCI DSS to combat fraud?... Controls: authentication technologies/processes; staff vetting; effective access control/access logging; random spot checks; segregation of duties; fraud scoring/monitoring; security/fraud awareness programmes; whistle blowing; traditional infosec controls (incl. PCI DSS). Figures: Information & Comms: £2.4bn; procurement fraud: estimate £2.3bn; payroll fraud: estimate £334M; student finance: £31M; grant fraud: £41M. UK GDP 2010 = £1.4 trillion; total UK fraud = £73 billion.

  22. There was compliance... And then there was risk... And then there was fraud. Could PCI DSS increase the UK GDP and contribute to getting us out of this recession?...

  23. Don’t spend £100 protecting a £1 asset: know your risk, educate, select the right partners, fix the basics first and be prepared… Neira Jones, Head of Payment Security, Barclaycard Global Payment Acceptance, neira.jones@barclaycard.co.uk
