
Merchant Risk Management PCIDSS - Visa Asia Pacific


Merchant Risk Management PCIDSS
Presented by Dave Miller
Senior Business Manager, Merchant Risk
27 May 2009


History
• Westpac is the 2nd largest Acquiring Bank in Australia;
• Westpac has a high market share of e-Comm merchants;
• Westpac has its own 100% fully owned gateway provider; and
• Westpac has a dedicated resource to manage Merchant PCIDSS Compliance


Sources of Data Loss
• Pfizer / Wheels Inc. - [2007-10-10] (Names, addresses, birth dates and driver's license numbers of 1,800 employees revealed)
• New York City Financial Information Services Agency - [2007-08-23] (Stolen laptop contains financial information for as many as 280,000)
• University of Iowa - [2007-10-08] (Stolen laptop contains personal information for 184, including 100 Social Security numbers)
• Carnegie Mellon University - [2007-10-08] (Students' Social Security numbers on two stolen laptops)
• Gap Inc. - [2007-09-28] (Personal data including some Social Security numbers for 800,000 on stolen laptop)
• Massachusetts Division of Professional Licensure - [2007-10-04] (Social Security numbers of about 450,000 licensed professionals inadvertently released)
• The Nature Conservancy - [2007-10-02] (Social Security numbers, names, and addresses of 14,000 illegally accessed)
• TD Ameritrade - [2007-09-14] (Personal information of 6.3 million exposed by database hack)
• West Virginia Board of Barbers and Cosmetologists - [2007-08-21] (Personal information of thousands in stolen safe)
• Pfizer - [2007-09-04] (Social Security numbers, names and financial information of 34,000 accessed by employee)
• HM Customs and Revenue - [2007-10-05] (Stolen laptop contains personal and financial details of at least 400)
• MacEwan College - [2007-10-04] (Credit card numbers, addresses, and other information publicly available on internet)
• Athens Regional Health Services - [2007-10-02] (Medical information, names, and some Social Security numbers of 1,441 on stolen computer)
• Kartenhaus - [2007-10-05] (Credit card numbers and billing addresses for 66,000 customers stolen)
• American Ex-Prisoners of War - [2007-08-26] (Stolen paper records include Social Security numbers and addresses of 35,000)


Analysis of 7 Westpac Data Compromise Events
PCI Levels: 3 Level 3 Merchants, 4 Level 4;
Total Annual Card Transactions: 12,183,240
Total Potentially Exposed Data: 407,656
Total Number of Compromised cards: 3,779 (3,200 came from one merchant)
Identification Source: 5 via a CPP alert, 2 raised by the merchant
Source of Breach: Evidence that 5 compromises came from internal sources due to poor data management practices, only 1 SQL injection.


Not All Press Is Good Press


The Challenges Faced
• Australia has a small population, a small merchant base and a large geographical footprint (40% of the population resides outside of the capital cities); this makes it difficult to individually manage merchants. To put this challenge into perspective:

                      Australia          USA
  Geographical Size   7,700,000 sq km    9,830,000 sq km
  Population          23.1M              300M
  # of Merchants      743,000            7,800,000

• E-Comm merchants were not well managed in the early days; this has meant that there has been a lot of catching up to do, particularly amongst Level 4 merchants;


The Challenges Faced (cont)
• Many large merchants have antiquated legacy systems that are extremely complex and costly to make compliant. It is not unusual for the older legacy systems to be so old that total compliance is impossible; compensating controls control the risks effectively, but still leave the merchant out of compliance;
• Over 97% of our e-comm merchants are Level 4. 44% of transactions, by number, are Levels 1, 2 & 3; scheme and Bank focus has been on the upper level merchants, but the compromise events experienced have been on the lower level merchants – have we concentrated in the right space?
• There are a significant number of players involved in the e-comm space who touch customer data; many of these, Web Hosters for example, are transparent to the Bank;
• Players who do not have direct contractual arrangements with a Bank are difficult to police, and direct compliance enforcement is almost impossible;


What Happens Next?
• We continue to profile the Level 4 merchants for potential data breach exposures;
• We have engaged an external vendor, G2 Web Services, to identify which of our merchants have an internet presence without having an e-comm merchant facility;
• Ensure that large merchants, with outdated legacy systems, do not slow down on their compliance activities;
• Make sure merchants use compliant web-hosters and gateways;
• Encourage merchants to use hosted solutions;
• Make sure 3rd Party vendors are appropriately registered; and
• Validate all device types to ensure PCI compliance.


Summary
• Breaches are inevitable;
• It is impossible to micro-manage every merchant;
• Ensure resources are directed to the biggest areas of risk;
• Work closely with CPP teams;
• Have robust incident response plans; and
• Use PCIDSS compliance as a ‘value add’ to merchants; it is much easier to sell a value add than a compliance requirement.


Question Time
