Leveraging Data Security Technology. October 19 th 9:15 AM

Transcription

1 Leveraging Data Security Technology October 19 th 9:15 AM

2 Presenters Moderator Linda Toth Director of Standards Conexxus, Inc. Speakers Kara Gunderson POS Manager CITGO Petroleum Corp Mike Lindberg Payment Solutions Dir. CHS Inc. (CENEX) Linda Toth Director of Standards Conexxus, Inc.

3 What s Happened? What s New? What s Coming? Leveraging Data Security Technology

4 Connect with

5 Objectives UNDERSTAND EVALUATE IDENTIFY Current C-store data security technology & what s coming Leveraging the latest data security technology for a competitive edge Responsibilities for the latest card requirements & liability shift dates 5

6 Agenda EMV Payments What s Happened? What s New? What s Coming? Data Security 6

7 Agenda EMV Payments What s Happened? What s New? What s Coming? Data Security 7

8 EMV Liability Shift* Dates for Petroleum Oct Oct Payment Terminals (except AFDs) Outdoor AFDs *Not a card brand mandate, but may be an oil brand mandate 8

9 Liability Shift Liability shifts to the party in the payment chain with the least secure payment technology 9

10 Who s Liable? It Depends! Type of Fraud - Counterfeit - Lost & Stolen Card Type (Chip, Mag Stripe) Card Brand Location (Attended, Unattended) System (Terminal, POS) Capabilities 10

11 Who s Liable? Merchant is protected if EMV terminal with PIN processing enabled; AND Site system software with EMV processing enabled 11

12 EMV Considerations Consider Faster EMV processing Brand refresh (increase ROI) Be aware of consumer perception Last Man Standing Avoid excessive chargebacks 12

13 Liability Shift Deferment (*fine print) Several Card Brands have chargeback threshold limitations relative to the EMV counterfeit liability shift Check with your payment processor or oil brand for specific information Effective Limitations Oct 1 Excessive fraud-to-sales ratios; and 2017 Excessive amounts of chargebacks; or Excessive number of chargebacks 13

14 Liability Shift Deferment (*fine print) Types Affected Outdoor EMV Counterfeit Liability Only Indoor and Outdoor, Lost & Stolen, EMV and Non-EMV Effects Outdoor counterfeit liability (EMV) chargebacks prior to Oct 1, 2020 Additional penalties/fines imposed on top of the chargeback 14

15 Liability Shift Deferment (*fine print) Chargeback Timing Immediate -OR- Remediation period offered depending upon the total volume of the chargebacks 15

16 Liability Shift Deferment (*fine print) 3-year extension may only apply to U.S. issued Cards for some Card Brands Cards issued outside the U.S. are subject to EMV chargebacks 16

17 EMV Considerations EMV does NOT equal PCI compliance EMV is only one part of securing card data Both PCI and EMV require frequent software upgrades to maintain compliance 17

18 Agenda EMV Payments What s Happened? What s New? What s Coming? Data Security 18

19 EMV Outdoor Liability Shift Extension = Oct 1, 2020 Early Adopter Retain & Obtain New Market Share Additional Inside Sales Add New Technology = Video Secure Data & Reduce Fraud Mitigate Traditional Skimmers = Tamper Alarms 19

20 EMV Outdoor Upgrade Options PIN Pad Upgrade 20

21 EMV Outdoor - Technology EMV Cards Contact Cards NFC or Contactless (Optional Feature) 21

22 EMV Contactless Cards 22

23 EMV Biometric Cards 23

24 EMV Outdoor AFD Video Upgraded Communications enables Media at AFD Video promotes inside sales Be aware of Data Security and PCI DSS Compliance Implications 24

25 Agenda EMV Payments What s Happened? What s New? What s Coming? Data Security 25

26 Fleet Fleet cards enable: Product Restrictions Data Prompting 26

27 Fleet Simplified Track 2 Data SS PAN FS Exp Add. Data Disc. Data ES LRC 27

28 Fleet Simplified Track 2 Data with P2P Encryption XXXXXXXXX6789 SS PAN FS Exp Add. Data Disc. Data ES LRC 28

29 EMV Fleet Today Track data equivalent tags Future (Conexxus Retail Financial Transactions) Standard for EMV Tags (instead of track data) that identify: Product Restrictions Data Prompting 29

30 Debit Routing At least two AIDs on EMV debit cards for routing choice: Global AID ( branded ) US Common Debit AID Shared Debit Network Alliance AID ( unbranded ) 30

31 Debit Routing Someone has to choose: (Consumer) Prompts (Merchant) Auto select the AID based on system configuration Be careful still may route over higher interchange choice Talk to your vendors (oil brand, acquirers, POS, EPS vendors)! 31

32 Agenda EMV Payments What s Happened? What s New? What s Coming? Data Security 32

33 Mobile Contactless Tap/Wave Payment 33

34 Mobile QR Code Scan Payment 34

35 Samsung MST Payment Magnetic Secure Transmission 35

36 Mobile In-App Payment 36

37 Agenda EMV Payments What s Happened? What s New? What s Coming? Data Security 37

38 Connected Cars/Payments OR Select Receipt Begin Authorizing Authorized Select Unleaded 87 Fueling Pump Pump Gallons Payment Total #3 #3 #3... Pump $23.02 In Car Navigation Third Auth Party Provider Pump #3 Request Pump #3 Payment Host Conexxus Standard My Station POS 38

39 Contactless Payment Devices 39

40 BIN Range Expansion MasterCard BIN Range Expands: 5 s AND 2 s Merchant acceptance required June 30, 2017 Substantial fines for merchant non-acceptance 40

41 Longer Bin Migration ISO/IEC * Updated in 2017 Field Old New IIN aka BIN PAN Length to to 19 * Identification Cards-Identification of Issuers Part 1: Numbering System 41

42 Longer Bin Migration Pans will remain 16 digits 2019 Visa system development complete 2022 Visa starts assigning 8-digit BINS Merchants must be able to process! Talk to your vendors (oil brand/ acquirers/pos or EPS vendors)! 42

43 Payment Tokens Tokenization: Method to substitute a nonmeaningful value for sensitive data. Token Service Provider Payment Token 43

44 Payment Tokenization Impact Historical PAN data used to: Reduce Anti-Money Laundering (AML) Curb Fraud Customer service Loyalty, track spending habits 44

45 Payment Account Reference Transactions using PANS Transactions using Tokens > EMVCo PAR Uppercase alphanumeric 29 characters First 4 = BIN Controller Id Next 25 = Unique PAN ID Ex: Q1HPZ28RKA1EBL470G9XYG90R5D3E 45

46 Barriers to PAR Requires broad stakeholder support Token service providers Payment networks Issuers Acquirers Merchants Talk to your vendors! 46

47 Agenda EMV Payments What s Happened? What s New? What s Coming? Data Security 47

48 Federal Reserve Payments Initiative Consultation Paper (2013) Strategies for Improving (2015) Faster Payments Task Force Payment Security Task Force 48

49 Federal Reserve Task Force Faster Payments Goal - Available by 2020 Catch up to the Rest of the World Same Day ACH; Real time???; Kill checks Leverage FinTech innovation Regulate??? 49

50 Federal Reserve Task Force Payments Security Resiliency of US banking Payment System Data Protection Payment Identity Management Information Sharing to mitigate fraud 50

51 Agenda EMV Payments What s Happened? What s New? What s Coming? Data Security 51

52 PCI DSS Compliance Payment Card Industry - Data Security Standard 52

53 PCI Compliance 53

54 PCI Merchant Levels - Visa Level 1 6+ million transactions Level 2 1 to 6 million transactions Level 3 Level 4 E-Commerce 20,000 to 1M transactions < 1M transactions < 20,000 E-Commerce transactions 54

55 PCI DSS What s Happened? Effective January 31, 2017 Annual PROOF of PCI DSS compliance for Level 4 merchants 55

56 PCI DSS What s Happened? Effective January 31, 2017 Level 4 Merchants use technician with Qualified Integrators or Resellers QIR certification for: POS and software installs Fuel dispenser work with PIN Pads or card readers Any device transmitting credit card data = Fuel Controller, PIN Pads, or Electronic POS 56

57 Data Breach Statistics 98% 81% Recorded POS attacks resulted in a data breach Hacking-related breaches used stolen or weak passwords 75% Data breaches were from outsiders 66% Malware was installed via malicious attachments Source: 2017 Verizon Data Breach Investigations Report Executive Summary 57

58 PCI DSS Must-Do s Install PA-DSS POS Software Install PCI DSS Firewall Close Remote Access Internet for Business Only 58

59 PCI DSS Must-Do s Change Default Passwords Track PIN Pads Check Skimmers Current Anti-Virus Software Log Everything & Everybody 59

60 PCI DSS Compliance How to get started? 60

61 PCI DSS Compliance WeCare = nacsonline.com or Conexxus.org Be PCI DSS compliant annually Hire PCI Qualified Security Assessor Required for Level 1 & 3 merchants Check with your processor/oil brand 61

62 PCI DSS Compliance Must complete annual PCI DSS compliance and provide proof of compliance Self-Assessment Questionnaire ( SAQ ) SAQ B (stand-alone, dial terminal, no cardholder data stored) SAQ C (internet terminal, no cardholder data stored) SAQ D (internet terminal, cardholder data) Most Petro locations 62

63 PCI DSS Compliance Approved Scanning Vendor ( ASV ) Test store s closed remote access thru IP address-internet Service Provider Passing scan required every 3 months Need Help? Hire a Qualified Security Assessor 63

64 PCI DSS Compliance Additional Requirements PCI DSS Section = Site Asset Inventory PCI DSS Section = Inspect dispensers for tampering and skimmers 64

65 Dispenser Skimming Your brand is at stake Loss of customer confidence Lost sales Loss of reputation Diminishment of store image Cost Recovery Liability Credit Monitoring Fines 65

66 Proactive Skimming Mitigation NACS/Conexxus WeCare Program (Education, Tamper-Evident Labels, Skim Defend Mobile App) Inspect dispensers daily and post notices Improve Lighting * 66

67 Proactive Skimming Mitigation Prominent Video Surveillance Secure card reader & encrypted pin pad Change dispenser locks Next generation of dispensers (electronic door sensors/alarms) 67

68 Agenda EMV Payments What s Happened? What s New? What s Coming? Data Security 68

69 IoT - Internet of Things Home Smart Appliances Smart Assistants Home Control Business Site Equipment Monitoring Devices Environmental Control 69

70 Worldwide IoT Units (Billions) * *Gartner, Inc. Forecast, February 2017 Higher Security Concerns 70

71 Remote Access Vulnerabilities Loyalty Enrollment and Fulfillment & Back Office ALL Remote Access is susceptible to hacking More than Payment Vulnerabilities EPA Requirements E.g. Tank Monitoring PCI Compliance validation from QIR technician 71

72 Remote Access #1 Cause of Data Breach On-Demand Third-Party Remote Access Do Not Leave On or Open Log & Audit Alert Suspicious Remote Access Multi-Factor Authentication Two or More Access Permissions 72

73 Multi-Factor Authentication Multi = Multiple Authentication for more secure remote access Something you have Something you know PIN Something that is yours Example: Smartphone + PIN 73

74 Agenda EMV Payments What s Happened? What s New? What s Coming? Data Security 74

75 PCI P2PE 75

76 Point to Point Encryption (P2PE) Secure Card Reader & Encrypted PIN Pad Payment Host POS 76

77 What We Learned Today EMV Payments Data Security What s Happened? What s Coming? What s New? 77

78 Q & A

79 Key Takeaways Implement & leverage technology as it becomes available Utilize standards (Conexxus, ISO) Maintain PCI DSS compliance Engage your vendors (oil brand/ acquirers/pos or EPS vendors) 79

80 For Additional Information Tech Edge Solution Center Booth 4384 Website: LinkedIn Group: Conexxus Online 80

81 Survey You MUST complete the Survey to receive presentation slides You will receive a four question survey about this session in your Please complete the survey for each session you attend. The survey will close at 6pm and you will receive the slides in the morning. 81

82 Copyright Notice The copyright law of the United States (Title 17, United States Code) governs the making of photocopies or other reproduction of copyrighted material. Under certain conditions specified in the law, libraries and archives are authorized to furnish a photocopy or other reproduction. One of these specified conditions is that the photocopy or reproduction is not to be "used for other purpose than private study, scholarship or research." If a user makes a request for, or later uses, a photocopy or reproduction for purposes in excess of "fair use," that person may be liable for copyright infringement. Disclaimer The opinions of the contributors expressed herein do not necessarily state or reflect those of the National Association of Convenience Stores. Reference herein to any specific commercial products, process, or service by trade name, trademark manufacturer, or otherwise, shall not constitute or imply an endorsement, recommendation, or support by the National Association of Convenience Stores. The National Association of Convenience Stores makes no warranty, express or implied, nor does it assume any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process described in these materials. 82