
Holistic Payment Security: Information Security by another name?... 30th May 2012

Neira Jones

Head of Payment Security

Barclaycard Payment Acceptance

Leading the way in secure payments

2011: the year of the hack…

  • Travelodge
  • Sony
  • Wordpress
  • United Nations
  • Epsilon
  • TeaMp0isoN
  • RSA
  • Dropbox
  • Lush
  • Citigroup
  • MI6
  • Lockheed Martin
  • Betfair

Infosec breaches have become a statistical certainty

30th May 2012


What about 2012?...

Source: DataLossDB.org April 2012


Public social concerns...

  • Preventing crime 92%
  • Protecting personal information 89%
  • Unemployment 86%
  • The NHS 84%
  • Improving education 84%
  • National security 80%
  • Protecting freedom of speech 78%
  • Equal rights 77%
  • Environmental issues 74%
  • Access to info held by public authorities 69%

74% of individuals believe that online companies don’t collect and keep their personal details securely.

Individuals are 3x more likely to suffer identity fraud than to have their home burgled.

Information security consumer awareness is rising rapidly, and suppliers who aren’t capitalising on this opportunity quickly enough will be left behind...

Source: ICO Annual Track 2011


Public social concerns...

Identity theft represents 48% of all fraud in the UK, an increase of 10% since 2010.

Source: CIFAS January 2012

Source: ICO Annual Track 2011



Corporate concerns...

  • 68% of organisations believe they can keep customer information for an indefinite period of time.
  • 67% of organisations believe it’s OK to use customers’ personal information for purposes other than what it was requested for.
  • 28% of organisations are still unaware that they must keep customers’ personal information secure.

Source: ICO Annual Track 2011


We all know better...
  • Most common login in the business world is “Password1” ***
  • Easter Eggs are more valuable to employees than corporate passwords ** (48% would accept less than £5 for their personal log-ins while 30% would give up their corporate passwords for under £1)

** Source: SC Magazine April 2012

*** Source: Trustwave March 2012


EU proposal for new data protection laws…

#Infosec #PCIDSS #RiskManagement #CloudServices #WebHosting #DataPrivacy #Payments #DataProtection #OnlineShopping

  • The right to be forgotten will help people better manage data-protection risks online.
  • EU rules will apply to companies based outside the EU.
  • Data Controllers review contracts with Service Providers.
  • A single set of rules on data protection, valid across the EU.
  • National data protection authorities will be strengthened.
  • Breach disclosure.
  • Explicit consent will be required for data processing rather than being assumed.
  • Data portability, enabling transfer of personal data from one service provider to another.

To become effective in two years


It’s war Jim, but not as we know it...

Today’s cybercrime industry is efficient, scalable, profitable and highly motivated, with a clear intent on obtaining information that can either be monetised or inflict damage.

Data protection/compliance is seen as a necessary evil (especially by the Board).

60% mobile apps don't have a privacy policy that notifies consumers which of their data the apps access. *

* Source: InfoWorld March 2012



Panic!

  • Too many compliance & regulatory deadlines!
  • Too many silver bullet solutions!
  • Too many silos!
  • Too many third parties!

An Example: The Card Processing Ecosystem...

  • Issuers
  • Acquirers
  • Merchants
  • Card Schemes
  • Merchant Agents
  • Etc.


Should we care about Third Parties?...

  • 91% of breaches occurred where assets were owned by the breached entity.
  • 46% of breaches occurred where assets were managed by a third party.
  • 26% of breaches occurred where assets were hosted by a third party.

Source: Verizon DBIR March 2012

Source: DataLossDB.org April 2012

A perspective on merchant/3rd Party relations

In Europe, most data breaches occur in the CNP space.

Most data breaches involve third parties.

Merchants are mostly unaware of which third party relationships they have or why they are relevant.

Criminals go after third parties for the payload.

Merchants don’t understand why they need to use “secure” third parties or don’t know where to find them.

Third parties will often fool merchants into thinking they are “secure”.

Third parties may handle customer information in unexpected ways, unknown to the merchant.

We place our data and our faith in the security measures taken by those managing it on our behalf.


Seeing the wood from the trees...

96% of attacks were not highly difficult.

97% of breaches were avoidable through simple or intermediate controls.

92% of incidents were discovered by a 3rd party.

The 2011 Verizon DBIR concluded that being prepared remains the best defence against security breaches.

It’s not all doom and gloom...

Source: Verizon DBIR March 2012


What we show merchants...
  • For those who outsource…
      • >350 (UK) and >900 (US) Level 1 PCI DSS compliant service providers listed on Visa websites: http://www.visaeurope.com/en/businesses__retailers/payment_security/service_providers.aspx , http://usa.visa.com/download/merchants/cisp-list-of-pcidss-compliant-service-providers.pdf , https://www.visamerchantagents.com/about-merchant-list (NEW)
      • c. 900 Level 1 PCI DSS compliant service providers listed on MasterCard website: http://www.mastercard.com/us/company/en/whatwedo/compliant_providers.html
  • For those who want to retain control in-house…
      • c. 750 PA-DSS validated payment applications on PCI SSC website: https://www.pcisecuritystandards.org/approved_companies_providers/vpa_agreement.php
  • Barclaycard’s position…
      • We always recommend that our customers use PCI DSS compliant Level 1 Service Providers as self-assessment does not provide you with an independent assessment of your supplier.
      • Contractual provisions are crucial.
      • Merchants should seek help from their acquiring bank when facing problems with third party providers as a merchant cannot reach compliance without their third parties being compliant.



Does compliance make a difference?...


Barclaycard’s merchant compliance index

From an analysis of our corporate and mid-tier portfolio, we can confirm that PCI DSS compliance is moving the right way.

As at April 2012, below is the shape of compliance by sector, so organisations can position themselves against their peers:

What can we learn?...

Lesson 1. Understand your risk profile

Lesson 2. Make risk management your objective; compliance will come naturally

Lesson 3. Select the right partners

Lesson 4. Avoid quick fixes and silos (i.e. don’t panic!)

Lesson 5. Automate

Lesson 6. Educate


One final thought...

The investment equation


Fraud in the UK...
  • Fraud loss to the UK economy in 2011: £73bn, £20.3bn for the public sector.
  • Mass marketing fraud: £3.5bn; identity fraud: £1.2bn
  • 9.4% (4.6M adults) suffered identity fraud, 55.3% did not recover their losses and the average loss is £481.
  • Overall cost to the UK economy from cybercrime is £27bn/year
  • Common fraud types in the public sector were:
      • procurement fraud (£1.4bn central & £890M local)
      • payroll fraud (£181M central & £153M local)
      • student finance fraud (£31M)
      • grant fraud (£41M).

* Source: National Fraud Authority Annual Fraud Indicator April 2012


Infosec/PCI DSS to combat fraud?...

  • Authentication technologies/processes
  • Staff vetting
  • Effective access control/access logging
  • Random spot checks
  • Segregation of duties
  • Fraud scoring/monitoring
  • Security/fraud awareness programmes
  • Whistle blowing
  • Traditional infosec controls (incl. PCI DSS)

Information & Comms: £2.4bn

Procurement fraud: estimate £2.3bn

Payroll fraud: estimate of £334M

Student finance: £31M

Grant fraud: £41M

UK GDP 2010 = £1.4 trillion

Total UK Fraud = £73 billion


There was compliance...

And then there was risk...

And then there was fraud.

Could PCI DSS increase the UK GDP and contribute to getting us out of this recession?...



Don’t spend £100 protecting a £1 asset, know your risk, educate, select the right partners, fix the basics first and be prepared…

Neira Jones
Head of Payment Security
Barclaycard, Global Payment Acceptance
neira.jones@barclaycard.co.uk