Hi. My name is Kelly Hander Han and I will be your subject matter expert on R P C i. D s s class. And that stands for payment card industries, data security standard and what we're gonna be covering today. We're gonna be really focusing in on the most essential elements of P C i. D. S s
We're gonna look at the y.
Who, what? Where, When? Why Those sorts of things will start by talking about why p. C i. D. S s is so important. Then we'll talk about who must adhere to the standards set forth in PC. Idea says we'll talk about what those specific standards are and with the requirements basically talking about those 12
elements that P. C. I. D. S s specifies
and that will lead into how PC idea says protects our payment card information. I will also just give a quick little word on social engineering because that is one of the more common ways that this information gets disclosed through one form of another
or another. And of course, we'll do a little wrap up at the end.
All right, So, talking about why we need payment card industries data security standards. Well, we have to understand that currently certain elements of the payment card industry essentially your self regulated, and it's certainly in their best interest to maintain that self regulation.
So what they need to do to make sure that they're able to maintain that
that self regulation is to adhere to certain standards and to make sure that there aren't breaches of large size. Because once those breaches start happening at the lawsuits come once the lawsuits come,
they're start to be legislative drivers. That will mandate how this information is protected.
So the PC I counsel essentially got together and came up with some security standards that would be available to vendors and merchants and provide them a framework in some guidance on how to protect that information.
So that's one of the big reasons why. But the other reasons I don't even have to tell you. Ah, we have seen loss after loss after loss. We'll talk about some of the more common in some of the more recent losses, but it has been estimated somewhere near $14 billion has been lost
through credit card theft and fraud.
That's a lot of money and is, we know those companies don't just absorb those costs. They pass it along to the consumers through higher interest rates, higher annual fees and so on. So we, as consumers need to be concerned about that. We also need to be concerned about this. Information being disclosed could lead
to our identity. Theft could lead to
bogus charges on our account.
Lots of issues, um, lost customer confidence from a business standpoint. So we as individuals, care about compromise to payment card information. But we, his businesses have to care a swell. We want our customers to be confident that we understand the significance of the information with which they've entrusted us,
and also that we inspire confidence that our customers will come back and continue to shop with us.
When we lose customer confidence that usually turns into lost sales, and that doesn't have the cost of re issuing new payment cards. I know that sounds like small potatoes and in comparison to 4 $14 billion it may be, but when you look at how many times and I think we pause here
and I'd ask each of you to think about have you ever had an instance where one of your payment cards was compromised.
I think many people would answer yes to that. So that caused the hassle of re issuing those cards can be quite costly over time.
Now, also, his vendors or merchants. If we don't adhere to the P C. I. D. S s, we may find that our credentials in order to accept payment cards are revoked and that we're no longer able to do so very difficult to exist in today's economy without accepting payment card. So
we want to make sure his individual companies that were able to do so
All right, so who does the data security standard apply? So what is it in a nutshell? You can see that this is for merchants and payment card processors Doesn't matter the size of the business. If you're a merchant that accepts payment card payments,
uh, you are susceptible to the PC. Idea says
specifically, there are 12 requirements that businesses must adhere to, and anyone that stores processes or transmits this cardholder information must follow these requirements.
And this really is a global data security standards. So this isn't something us based.
one of the things that I found is a lot of the security practices or common sense, at least the concept behind him. Sometimes implementing them could be a little bit more difficult. But I think when we go through those 12 elements you'll find, yeah, most of these make sense. So the next piece we have to talk about is,
where is Dad of vulnerable? What? Her Attackers,
um, looking to compromise. You know, the old joke. Why did you rob the bank?
Because that's where the money is. So why do Attackers target payment card systems? Because that's where the money is. If I can retrieve your payment card information, think about all the many sources we have today for me to make purchases where that
physical card does not have to be present. You know, just look att, e commerce and online purchasing and processing
of payment information. So if I can steal those credit card numbers, it doesn't matter that I don't physically have the card in my hand. So, uh, first of all at the payment card centers, you know your credit card data processing centers, call centers. That information may be present
in the databases that hold payment card information
compromise card readers, especially when we have the cards that simply have the magnetic stripe that a magnetic stripe can be siphoned. All can be assigned to a new magnetic strip without the user even knowing. And sometimes we refer
to these elements that would do so as shims.
And I've seen this in the I live in the Washington D. C area, and we've had instances of several A T M systems being compromised. They've added a either a hardware or software element again called a shim, that records the transactions going on between the user and the actual A t. M itself.
So if that information is intercepted,
it could be applied to a new card
point of sale systems. We've seen a couple of big compromises in the last few years where the point of sale systems, as in you're at the shop, swipe your card. Those particular systems are compromised themselves. We'll talk a little bit about a technique called Ram scraping
and anything that resides in memory.
They're remnants left over. Even when that process is not currently, it's not current or is not being transmitted or at rest. So Ram scrapings gonna take advantage of that
paper records. Always a vulnerability. You know you have that written copy of information, whether it's handwritten notes, whether it's paper based files, making sure that those files that papers properly stored and, equally important, making sure that once that material is no longer of use,
that it's destroyed in a
Other ways that data could be compromised. Hidden cameras recording entry of authentication information, you know, think about when you use your A T M or your credit card and you have to punch in a pen or a personal I D number at a store.
Uh, it doesn't have to be a security camera or hidden camera.
It could be as basic as somebody looking over your shoulder, but often were typing in these authentication codes unprotected again. If I could get your number or your card. Having that authentication code is just one more step that makes it very likely I can access your information
secret Tap into your stores, wireless or wired network. So basically the information gets transmitted. Very frequent means of communication used wireless and even wired networks are susceptible,
and I'll tell you. I think you would be surprised at how very vulnerable
your information may be for organizations that use wireless communication or again, even wired communications. I was at a shopping mall, and it's probably been six months ago or so, and I was getting some pictures taken of my kids,
and I asked her to the restroom and went to the rest of the restroom, and their wireless router
that was connected to their wired network was sitting on top of their toilet in a public restroom.
Now think about that for just a minute. How very simple it would be for me to have a man in the middle attack insert a device that all the communication goes through that device before being passed along. How very easy it would be for me to substitute a device to tap into that network,
you know, have was just absolutely stunned because you think about the credit card information
that you know when you purchased the pictures, you give him the credit card. That information gets transmitted and it's transmitted across that exceedingly vulnerable set of hardware. So, you know we don't take for granted that companies protect our information
As a matter of fact, what we tend to find is companies protect our information a lot better.
Once they've had a breach. Because management either gets it or they don't, they either have buy in. They either understand the risks associated with their data or they don't. And when companies have management that doesn't understand and doesn't support the security function,
it's not gonna happen.
And when will they support that function after their found liable for millions of credit card numbers? Perhaps being compromised
is usually when it happens. I mentioned shims with a T. M's residual information stored in RAM, and this was one of the things that happened to Target. We'll talk about that compromise with Target in a few minutes ago,
but it was a ram scraping attack, so essentially software had gotten installed on their point of sale systems
and was able to retrieve information that was swiped through the point of sale readers. Other places that data is vulnerable just everywhere. That's all just everywhere. If information about a payment card is stored, its vulnerable, there are no absolute security mechanisms.
The best that we can hope to do is to do what's right
to do an industry standard suggest toe, Look at what our competitors are doing to continue to monitor for risks as they occur and as new risks pop up. You know, constant vigilance is the key to protecting our patient card information. So what, We're going to our payment card information.
So what, we're gonna do what we're going to focus in?
We're gonna focus in on the framework that P. C. I. D. S s supplies for us now. The reason I call it a framework first of all because it is a frame or but when a framework means is the PC idea says, is not a list of do's and don'ts and specific methodologies,
essentially what it is and any does address. Do this and don't do certain things. But essentially what it is
is guidance to provide me with a general instruction set. It doesn't detail specific technologies. It doesn't provide me with the 25 access control list rules that I should have on my firewall.
But it is a set of general instructions
and mechanisms that need to be employed to protect payment card information anywhere that it's collected. Process is stored or processed, stored or transmitted. So we'll see that across the upcoming slides