Data Security: An Overview
Introduction

Data security refers to the digital measures applied to prevent unauthorized access to computers, databases and websites, and more generally to protect data from corruption, destruction or unauthorized access. A data breach is the unauthorized access to or acquisition of data.
How Thieves Steal and Use Data

Thieves can steal account data by:
o Simple physical theft of cards or other documents;
o Fooling consumers into giving up personal data. For example, phishing fools someone into providing account information by posing as a legitimate company, often via e-mail; similar schemes are run in person rather than online;
o Skimming: copying unencrypted card data by installing hardware or software on point-of-sale equipment; and
o Sophisticated hacking via malware ("malicious software"), which is used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.
The Problem – Data Theft

o Foreign state actors (e.g. China): interested in stealing government or national security secrets as well as information related to our critical infrastructure.
o Corporate espionage actors: interested in stealing competitors' secrets (some state actors here too).
o Slacker hackers: in it for the thrill and bragging rights.
o Organized crime (e.g. Eastern European criminal networks): interested in stealing consumer data for its economic value.

These groups usually want to use the data to commit:
o Identity theft: the fraudulent acquisition and use of a person's private identifying information, usually for financial gain; and/or
o Payment fraud: fraud that occurs when someone uses a payment instrument, or information from a payment instrument, to complete a transaction that the legitimate account holder did not authorize.
Retailers are not the only victims. According to Verizon's 2013 Data Breach Investigations Report, financial institutions suffered a larger share of breaches than retailers: 37% versus 24%.
The Cost of Fraud

Businesses lost $11.27 billion to fraud in 2012, up 14.6% from 2011. Approximately 6¢ is lost to fraud per $100 in payments, and fraud rates continue to rise.

According to the Federal Reserve:
o The U.S. experienced $1.11 billion in signature debit fraud losses and $181 million in PIN debit fraud losses in 2012.
o Merchants absorb approximately 74 percent of signature debit card fraud for card-not-present transactions (e.g. gas pump and internet transactions).

Merchants pay $2.79 for every $1 in fraud losses they incur, a 10¢ per dollar increase since 2012 (LexisNexis 2013 True Cost of Fraud study).
More Fraud Costs

Online transactions account for a majority of fraud.

Fraud prevention is also costly: retailers spend over $6.5 billion each year trying to protect against card fraud. Banks and card companies are now trying to make retailers pay for fraud resulting from data breaches and for the reissuance of cards.
Retailers pay for card reissuance twice

Merchants compensate financial institutions for shutting off and reissuing cards through fines assessed to the merchant's acquiring bank.
o By contract, card issuers are reimbursed for fraud losses and card reissuance costs based on a formula agreed between the card issuer and the card networks.
o Even if no fraudulent activity has occurred on the card, card issuers are immediately eligible for a per-card reimbursement at contractually agreed rates.

The Federal Reserve's rules on debit transactions specifically provide that the cost of card reissuance is part of what merchants pay up front, so this cost is already prepaid.

Retailers pay for card fraud twice

Visa and MasterCard rules provide a reimbursement formula so that merchants who suffer a breach pay for the fraud committed on those accounts. The Federal Reserve's rules on debit transactions also provide for a payment of 5 basis points on all transactions to cover fraud losses.
The U.S. is a major fraud target

o In 2012, the U.S. accounted for 47% of global fraud while processing just 24% of payments by volume.
o Total global payment-card fraud losses were $11.3 billion in 2012 (up nearly 15% from 2011).
o The U.S. is the only country in which counterfeit-card fraud is consistently growing.
o U.S. card issuers' total losses from card fraud are $2.4 billion, and merchants' losses may run into the tens of billions.

The U.S. is a major fraud target because it still uses outdated 1970s payment card technology, the magnetic stripe card. These cards are fraud-prone because they have:
o (1) the account number printed clearly on the front, and
o (2) the consumer's credit/debit card data on an unencrypted magnetic stripe on the back, as static data that is identical on every swipe, so anything copied once can be written to a counterfeit card that the issuer cannot tell apart from the original.
Technology Solutions

Europe saw drastic reductions in point-of-sale card fraud after switching to "Chip and PIN" technology, beginning in the 1990s.

PIN: the PIN verifies that the person presenting the card is the cardholder.
o The Federal Reserve has found that for debit transactions, PIN transactions have one-sixth the fraud losses of signature transactions.

CHIP: smart cards use multiple layers of security.
o The embedded microchip holds a secret key that never leaves the chip and cannot be read off the card the way stripe data can.
o For each transaction the chip computes a unique cryptogram over that transaction's details (amount, a transaction counter, a challenge from the terminal), so data captured at one terminal cannot be replayed elsewhere or used to build a counterfeit card.
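The contrast between static stripe data and a per-transaction chip cryptogram, as an added illustration that is not code from the original deck. It is a simplified model: the cryptogram is an HMAC-SHA256 over the PAN, amount, terminal nonce and transaction counter under a per-card key, standing in for the 3DES/AES session keys and 8-byte ARQC that real EMV cards use. The card number, track data and keys are constructed test values, and the `Issuer` and `ChipCard` classes are hypothetical names used only here.

```python
"""Why static stripe data can be cloned but a chip cryptogram cannot.

Added illustration, not code from the original page. Simplified model: the chip
cryptogram is an HMAC-SHA256 over (PAN, amount, terminal nonce, ATC) under a
per-card key; real EMV derives 3DES/AES session keys and emits an 8-byte ARQC.
The card number and keys below are constructed test values, not live data.
"""
import hashlib
import hmac
import secrets

# Constructed test PAN (a standard test number) and a Track 2 style record:
# PAN, separator, expiry YYMM, service code, discretionary data.
TEST_PAN = "4111111111111111"
TRACK2 = TEST_PAN + "=" + "2512" + "101" + "1234567"


def stripe_authorize(track2_presented: str, track2_on_file: str) -> bool:
    """Issuer check for a swiped card: the static track must match the record."""
    return hmac.compare_digest(track2_presented, track2_on_file)


def skim_and_replay() -> bool:
    """A skimmer copies the track once; the clone is indistinguishable forever."""
    captured = TRACK2                          # read off the stripe at a tampered pump
    return stripe_authorize(captured, TRACK2)  # True on every swipe of the clone


def _cryptogram_input(pan: str, amount_cents: int, nonce: bytes, atc: int) -> bytes:
    """Transaction fields the cryptogram is bound to."""
    return b"|".join([pan.encode(), str(amount_cents).encode(), nonce, str(atc).encode()])


class ChipCard:
    """Holds a per-card key that is never exported; counts transactions (ATC)."""

    def __init__(self, pan: str, card_key: bytes):
        self.pan = pan
        self._key = card_key
        self.atc = 0  # Application Transaction Counter

    def generate_cryptogram(self, amount_cents: int, terminal_nonce: bytes):
        """Return (atc, mac) valid for this one transaction."""
        self.atc += 1
        msg = _cryptogram_input(self.pan, amount_cents, terminal_nonce, self.atc)
        return self.atc, hmac.new(self._key, msg, hashlib.sha256).digest()


class Issuer:
    """Issuer host: shares each card's key (kept in an HSM in practice) and tracks ATCs."""

    def __init__(self):
        self._card_keys = {}
        self._last_atc = {}

    def issue(self, pan: str) -> ChipCard:
        key = secrets.token_bytes(16)
        self._card_keys[pan] = key
        self._last_atc[pan] = 0
        return ChipCard(pan, key)

    def authorize(self, pan: str, amount_cents: int, nonce: bytes, atc: int, mac: bytes) -> bool:
        key = self._card_keys.get(pan)
        if key is None or atc <= self._last_atc[pan]:
            return False  # unknown card, or a counter value already used (replay)
        msg = _cryptogram_input(pan, amount_cents, nonce, atc)
        expected = hmac.new(key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, mac):
            return False  # wrong key (counterfeit) or altered amount/nonce
        self._last_atc[pan] = atc
        return True


def chip_scenarios() -> dict:
    """Genuine purchase, then three attacks using only what passed over the wire."""
    issuer = Issuer()
    card = issuer.issue(TEST_PAN)
    nonce = secrets.token_bytes(4)  # the terminal's unpredictable number
    atc, mac = card.generate_cryptogram(4999, nonce)
    results = {"genuine": issuer.authorize(TEST_PAN, 4999, nonce, atc, mac)}
    # 1. Replay the exact captured message: the counter value is already consumed.
    results["replay_same_data"] = issuer.authorize(TEST_PAN, 4999, nonce, atc, mac)
    # 2. Reuse the captured MAC at another terminal: it is bound to the old nonce and ATC.
    results["replay_new_terminal"] = issuer.authorize(TEST_PAN, 4999, secrets.token_bytes(4), atc + 1, mac)
    # 3. Counterfeit chip built from the captured PAN: it has no key, so it must guess one.
    fake = ChipCard(TEST_PAN, secrets.token_bytes(16))
    fake.atc = atc  # assume the attacker even knows the last counter value
    fake_nonce = secrets.token_bytes(4)
    f_atc, f_mac = fake.generate_cryptogram(4999, fake_nonce)
    results["counterfeit_card"] = issuer.authorize(TEST_PAN, 4999, fake_nonce, f_atc, f_mac)
    return results


if __name__ == "__main__":
    print("stripe clone accepted:", skim_and_replay())
    print("chip scenarios:", chip_scenarios())
```

The stripe path accepts the clone because the issuer has nothing to check but the bytes the skimmer already copied. The chip path rejects all three attacks for different reasons: the counter catches a verbatim replay, the nonce binding catches reuse at a different terminal, and the missing key defeats a counterfeit card even when the attacker knows the PAN and the counter.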
Technology Solutions

• Tokenization: sensitive data is replaced with a unique identifier (a token) that stands in for the real payment card data; a stolen token is of no use to a thief because the mapping back to the card number exists only in the token provider's vault.
• End-to-end encryption: card data is encrypted at the point of capture and stays encrypted at every point in the payments chain, so a compromised merchant system sees only ciphertext it has no key to decrypt.
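Both techniques in one flow, terminal to merchant server to processor, as an added illustration that is not code from the original deck. To run on the standard library alone, the "encryption" is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, a stand-in for AES-GCM from a vetted library. The `TokenVault` class, the `payment_flow` helper and the test card number are constructed for this example; the token format (same length, same last four digits, never Luhn-valid) is one common design choice, not a standard.

```python
"""Tokenization and end-to-end encryption of a card number (PAN).

Added illustration, not code from the original page. To stay on the standard
library, "encryption" here is an HMAC-SHA256 counter-mode keystream with an
encrypt-then-MAC tag; treat it as a stand-in for AES-GCM from a vetted library.
The PAN and keys are constructed test values.
"""
import hashlib
import hmac
import secrets
from typing import Optional

TEST_PAN = "4111111111111111"  # constructed test number; passes the Luhn check
DIGITS = "0123456789"


def luhn_ok(digits: str) -> bool:
    """Standard Luhn check used to recognise well-formed card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# --- End-to-end encryption: the terminal encrypts, only the processor can decrypt ---

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def e2e_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag; the tag stops an intermediate hop altering the data."""
    nonce = secrets.token_bytes(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def e2e_decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the blob was tampered with or truncated."""
    if len(blob) < 28:
        return None
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


# --- Tokenization: the processor's vault is the only place the mapping exists ---

class TokenVault:
    """Random, format-preserving tokens: same length, same last four, never Luhn-valid."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]  # stable token for a repeat customer
        while True:
            candidate = "".join(secrets.choice(DIGITS) for _ in range(len(pan) - 4)) + pan[-4:]
            # Reject anything that could be mistaken for a real PAN, or is already in use.
            if not luhn_ok(candidate) and candidate not in self._pan_by_token:
                break
        self._pan_by_token[candidate] = pan
        self._token_by_pan[pan] = candidate
        return candidate

    def detokenize(self, token: str) -> Optional[str]:
        return self._pan_by_token.get(token)


def payment_flow(pan: str = TEST_PAN) -> dict:
    """Terminal -> merchant server -> processor, recording what each hop can see."""
    processor_key = secrets.token_bytes(32)  # provisioned into the terminal's secure module only
    vault = TokenVault()
    blob = e2e_encrypt(processor_key, pan.encode())            # at the terminal
    merchant_log_line = "auth request payload=" + blob.hex()   # all the merchant server ever holds
    recovered = e2e_decrypt(processor_key, blob).decode()      # at the processor
    token = vault.tokenize(recovered)                          # what the merchant stores for refunds
    tampered = bytearray(blob)
    tampered[15] ^= 0x01                                       # a compromised hop flips one ciphertext byte
    return {
        "pan_in_merchant_log": pan in merchant_log_line,
        "token": token,
        "token_looks_like_pan": luhn_ok(token),
        "refund_resolves_to_pan": vault.detokenize(token) == pan,
        "tampered_blob_rejected": e2e_decrypt(processor_key, bytes(tampered)) is None,
    }


if __name__ == "__main__":
    print(payment_flow())
```

The merchant's systems end up holding only ciphertext and a token: a breach of the merchant server yields neither a PAN nor anything that can be reversed into one, and the processor still has everything it needs to process a later refund from the token alone.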
Technology Problems

What is EMV?
o EMV refers to the "Europay, MasterCard, and Visa" proprietary chip technology.
o EMV could block new competitors, especially in mobile payments.
o There are other technology options.

And "Chip and SIGNATURE"? The chip still stops counterfeit cards, but the signature authenticates nothing: it does not verify that the person presenting the card is the cardholder, so a lost or stolen card remains usable.
Current Security Standards

o PCI sets the current standards.
o The card networks run PCI.
o PCI has a limited perspective:
  Merchants, consumers and banks need more involvement.
  Current standards are too hard and expensive, and still not good enough.
  Obvious solutions are ignored because of that perspective.
Reframing the Issue

o A company that suffers a data security breach is a victim.
o Retailers are, and must continue to be, extremely attentive to data security. While there are many types of criminals, the ones who steal customer data in order to monetize it or turn a profit are the ones retailers are most concerned about.
o Retailers spend over $6.5 billion each year trying to protect against card fraud.
o Retailers pay for fraud and card re-issuance twice.
o All need a voice in standards.
o Cover everyone the same way, with no loopholes.
Next Steps

Current bills deal only with breach notification, not security. SIGMA and SIGMA members should:
o Reframe this issue.
o Ask Congress to:
  Help prevent breaches, not just clean up afterward.
  Make sure all stakeholders are covered.
  Protect competition for the future.