Visa Account Information Security
For: Seneca College FCA240
By: John Florinis
Date: March 19th, 2003
Paymentech proprietary and confidential information 21/01/03
Agenda
What is AIS?
Why AIS?
Hackers
Credit Card Fraud
Identity Theft
AIS 15 Points
AIS Process
Case Studies
What is the Visa AIS Program?
AIS is a Visa International Operating Regulation that sets out the requirements for the disclosure, use, storage and disposition of account and transaction information.
What is the Visa AIS Program?
Objective: to protect card account and transaction “data at rest”.
AIS applies to every entity that stores card account and transaction data, including merchants, acquirers, processors, embossers, etc.
AIS is an international mandate that affects businesses in all Visa’s operating regions.
Why AIS?
Mass digitization of personal information
Threat of hackers
Credit card fraud
Rise in identity fraud
Protect the Visa brand
The Visa AIS Program is intended to prevent data theft and protect businesses and individuals.
Hackers on the Rise
82,094 reported incidents in 2002, up from 52,658 in 2001 and 21,756 in 2000 (a 55% year-over-year increase). How many go unreported?
48% of those attacks were severe.
(Source: CERT, 2003)
Symantec reported 689 attacks on financial institutions (FIs).
Symantec reported 616 attacks on e-commerce merchants; 19% of those attacks were severe.
(Source: Symantec, 2003)
Hackers
24% of hacker attacks are targeted at a specific victim; 76% are opportunistic.
(Symantec, 2003)
Hackers fall into 2 groups:
Thrill seekers, who hack for the challenge
Professionals, who usually work for foreign governments and organized criminal gangs
Credit Card Fraud
Projected Visa fraud in Canada is over $92 million
330,686 fraudulent transactions
Average sale = $105.91; average loss = $278.83 (330,686 × $278.83 ≈ $92.2 million)
<1% of transactions are fraudulent
Internet fraud accounts for 5% ($4.6 million) of Visa Canada’s total fraud loss
Source: Visa Canada
Credit Card Fraud (chart slides; figures not recoverable from the text)
Identity Theft
Definition:
“Identity theft or fraud involves ‘stealing’ another person’s identifying information, such as SIN number, DOB and mother’s maiden name, in order to fraudulently establish credit, run up debt, and take over any financial or miscellaneous accounts, and obtain false documents.” - Ariana-Michele Moore, Celent Communications
Identity Theft
Over 100,000 identities are stolen every year in the U.S., rising at a CAGR of 20.7% from 2002 to 2006.
(Source: Celent Communications)
The Internet has given criminals a new way to obtain personal information.
Example: criminals created a spoof eBay site and had customers enter credit card details and personal information.
Example: job posting sites.
Identity Theft (chart slide; figures not recoverable from the text)
Identity Theft
Impact on the Financial Services Industry
Over the past 5 years identity fraud has cost close to $2 billion USD.
Intangible loss: brand equity and consumer confidence.
Increase in security spending and employee training.
(Source: Celent Communications)
Identity Theft (chart slide; figures not recoverable from the text)
15 Steps of AIS
1. Establish a hiring policy for staff and contractors.
2. Restrict access to data on a “need-to-know” basis.
3. Assign each person a unique ID to be validated when accessing data.
4. Track access to data, including read access, by each person.
5. Install and maintain a network firewall, if data can be accessed via the Internet.
6. Encrypt data maintained on databases or files accessible from the Internet.
7. Encrypt data sent across networks.
8. Protect systems and data from viruses.
9. Keep security patches for software up-to-date.
10. Don’t use vendor-supplied defaults for system passwords and other security parameters.
11. Don’t leave paper/diskettes/computers with data unsecured.
12. Securely destroy data when it’s no longer needed for business reasons.
13. Regularly test security systems and procedures.
14. Immediately investigate and report to Visa any suspected loss of Account or Transaction information.
15. Use only service providers that meet these security standards.
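The 15 points are requirements, not code. As an added illustration (it is not part of the deck, and not Paymentech’s or Visa’s code), the Python sketch below shows what points 2, 3, 4, 6 and 12 look like in a small card-data store: it never keeps the clear PAN (a keyed hash stands in for reversible encryption, which the standard library does not provide; an HMAC token is enough when the business only needs to recognise a card again, and a stolen disk or database dump then yields nothing usable), it requires a unique user ID on every call, refuses reads outside a need-to-know role set, logs every read including denied ones, masks the PAN anywhere it is logged, and deletes records once the order no longer needs them. The roles, the key and the sample card number are constructed for the example.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed sample input: a Luhn-valid Visa test number, not a real account.
SAMPLE_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """Sanity-check a PAN with the Luhn checksum before accepting it."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 13 or len(digits) > 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:           # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Only the last four digits may appear in logs or on screens."""
    return "*" * (len(pan) - 4) + pan[-4:]


class CardVault:
    """Card references without the clear PAN, need-to-know reads, audited access."""

    NEED_TO_KNOW = {"chargeback_analyst", "fraud_analyst"}   # assumed roles

    def __init__(self, key: bytes):
        self._key = key                 # kept outside the data store in practice
        self._records = {}              # token -> {"last4", "order_id"}
        self.audit_log = []             # point 4: every access, reads included

    def _token(self, pan: str) -> str:
        # Keyed hash: without the key a stolen copy of _records cannot be
        # reversed, nor brute-forced over the 16-digit PAN space.
        return hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()

    def _log(self, user_id: str, action: str, token: str, outcome: str) -> None:
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user_id, "action": action,
            "token": token[:12],        # enough to correlate, never the PAN
            "outcome": outcome,
        })

    def _authorize(self, user_id: str, role: str, action: str, token: str) -> None:
        # Points 2 and 3: a unique user ID and a need-to-know role on every access.
        if not user_id:
            self._log("<missing>", action, token, "denied: no user id")
            raise PermissionError("a unique user id is required")
        if role not in self.NEED_TO_KNOW:
            self._log(user_id, action, token, f"denied: role {role}")
            raise PermissionError(f"role {role!r} has no need to know")

    def store(self, user_id: str, pan: str, order_id: str) -> str:
        """Record a card for an order; only the token and last four digits are kept."""
        if not user_id:
            raise PermissionError("a unique user id is required")
        if not luhn_valid(pan):
            raise ValueError("PAN fails Luhn check")
        token = self._token(pan)
        self._records[token] = {"last4": pan[-4:], "order_id": order_id}
        self._log(user_id, "store", token, "ok " + mask_pan(pan))
        return token

    def lookup(self, user_id: str, role: str, pan: str) -> dict:
        """Answer 'have we seen this card?' for an authorised analyst; {} on miss."""
        token = self._token(pan)
        self._authorize(user_id, role, "read", token)
        rec = self._records.get(token)
        self._log(user_id, "read", token, "hit" if rec else "miss")
        return dict(rec) if rec else {}

    def purge(self, user_id: str, role: str, order_id: str) -> int:
        """Point 12: destroy records once the order no longer needs them."""
        self._authorize(user_id, role, "purge", "")
        doomed = [t for t, r in self._records.items() if r["order_id"] == order_id]
        for t in doomed:
            del self._records[t]
            self._log(user_id, "purge", t, "ok")
        return len(doomed)

    def clear_pan_present(self, pan: str) -> bool:
        """Self-check: the clear PAN must appear nowhere in records or audit log."""
        return pan in (repr(self._records) + repr(self.audit_log))
```

The check worth running after any change to such a store is `clear_pan_present`: if a full PAN ever reaches the records or the audit log, the log itself becomes the data-at-rest exposure the program is trying to prevent.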
The Process
A business that stores card account or transaction data must go through the AIS audit. There are 3 transaction-volume thresholds:
< 5,000 transactions per month: Self-Assessment Questionnaire (SAQ)
5,000-50,000 per month: SAQ and remote scan
> 50,000 per month: SAQ, remote scan and full on-site review
Every Visa acquirer in Canada is participating
Each is responsible for enrolling their own merchants
The Process
Failing the AIS program could result in:
Being fined (if you lied on the self-assessment)
Not being able to process Visa cards
Most businesses are given a chance to fix their weak spots through a remedial plan.
Approved AIS Auditing Firms (list not recoverable from the text)
AIS Benefits
Helps protect a business against hacker attacks
Protects against credit card fraud and identity theft that could damage a business’ reputation and ability to accept Visa cards.
AIS 15 points can serve as standard operating procedures for any company in any industry.
Case Study – ISM Canada
A hard disk went missing that contained customer profiles from several businesses:
The Co-operators lost 180,000 customer profiles
Government of Manitoba lost tax information for 43,000 businesses
Other companies include Investors Group, Sasktel and Saskatchewan Power Corp.
Over 1,000,000 personal records were on the hard disk, including bank account numbers, insurance and pension plan data
A 41-year-old employee who had worked with ISM for 6 years stole it; he told police he wanted an extra hard disk
ISM is a subsidiary of IBM!
Case Study - DPI
A hacker gained access to 8 million credit cards at DPI, a processor based in Omaha
60,000 Canadian Visa cards were compromised
8,000 belonged to Scotiabank
DPI processes credit cards for Internet, retail and MOTO (mail-order/telephone-order) merchants
Fortunately:
Stolen credit card numbers have not been used
Merchants that use DPI have not been named
Questions?
Source Links
www.visa.com/secured
www.cyberfraudsolutions.com
www.cybersource.com
http://news.com.com/2100-1017-966835.html
www.celent.com
http://www.securitystats.com/reports/Symantec Internet_Security_Threat_Report_vIII.20030201.pdf
http://www.cert.org/stats/cert_stats.html
http://www.usatoday.com/money/perfi/credit/2003-02-19-credit-cardhacker_x.html
Contact Info
John Florinis
Product Analyst, Internet Commerce
Paymentech Canada
416.933.2590
john.florinis@paymentech.ca