Payment Card Industry Adjudication Process
Transcript of Payment Card Industry Adjudication Process
1
NetDiligence®
Cyber Risk & Privacy Liability Forum, October 8-9, 2014
2
PCI Breach Scenario
Examining the Payment Card Industry (PCI) Adjudication Process
3
Speakers
David Navetta (moderator)
Partner
InfoLawGroup LLP
Denver, Colorado
Neeraj Sahni
Vice President
FINEX North America – Cyber and E&O
New York, New York
Grayson Lenik
Principal Consultant, Incident Response
Nuix DFIR
Helena, Montana
Ernie Liu
Senior Manager
Mandiant
Los Angeles, California
Mark E. Schreiber
Partner
Edwards Wildman Palmer LLP
Boston, Massachusetts
4
Background
NVRBreeched, Inc. (Merchant) runs an ecommerce website selling various goods
The webserver for the site is hosted by a third party, CloudsR’Secure, Inc. (Cloud Provider)
The site utilizes an ecommerce platform that includes a shopping cart application developed by UnSecureCoding, Inc. (Application Provider); NVRBreeched failed to vet this vendor or its software
NVRBreeched has a merchant agreement in place with a payment processor, IamOnYourSide, Inc. (Payment Processor), and a merchant bank, PassItOn, Inc. (Merchant Bank)
The site conducts approximately 30,000 payment card transactions each month
NVRBreeched does not store any payment cards on its systems
NVRBreeched has cyber liability insurance that includes coverage for “PCI fines and penalties” with a sublimit of $250,000; the policy also has a contract liability exclusion
5
Discovery and Initial Response
On February 28, 2015, NVRBreeched (Merchant) receives a letter from its processor indicating that Visa has discovered fraud on 50 cards and believes that NVRBreeched’s website is the “common point of purchase”
Visa has requested that the Merchant conduct its own internal investigation and fill out a preliminary questionnaire
Discussion points:
Initial IT investigation (independent forensic investigator?)
Remediation versus forensic preservation
Legal issues and involvement
Coordination with cyber insurance carrier
6
Forensic Investigation and Role of PCI Forensic Investigator
NVRBreeched’s (Merchant) own internal investigation suggests that unauthorized access to its webserver may have occurred on February 14, 2015 (approximately 2 weeks earlier)
That day (March 1, 2015) NVRBreeched disabled its shopping cart application and re-routed its payment processing through a PayPal interface
NVRBreeched receives another communication from its processor indicating that Mastercard has identified it as a “common point of purchase” and is requiring the merchant to retain a PCI Forensic Investigator within 5 business days
Discussion points:
Role of PFI and scope of investigation
Potential conflicts of interest
Obtaining images and logs from CloudsR’Secure, Inc (Cloud Provider)
7
Forensic Findings
NVRBreeched’s (Merchant) forensic assessor finds evidence suggesting that the site’s code was modified, allowing hackers with IP addresses from Vietnam to install a script designed to capture payment card information as users of the website enter it into the shopping cart.
It appears that hackers first gained access to the server on January 1, 2015 (2 months earlier). However, the evidence suggests that the malicious script was not installed until February 1, 2015 (1 month earlier).
“Dump files” containing credit card data exist, and the earliest file creation date correlates with the script installation date. However, only a handful of dump files are found, suggesting that the attackers were deleting the files after taking them off the server.
Discussion points:
SQL injections and other common application/software vulnerabilities
Attackers’ ability to scale attacks: scanning for and exploiting common vulnerabilities
Capture of data in real time
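Two checks an investigator or merchant would run against findings like these are file-integrity comparison of the shopping cart code against a known-good baseline (which would have flagged the modified checkout page) and a scan of the web root for files holding card-number-like data (the “dump files”). The block below is an added illustration, not code from the presentation or any of the named companies; the file paths, baseline hashes and dump contents are constructed sample data, and the card numbers are industry test numbers, not real cardholder data.

```python
import hashlib
import re

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample: the clean checkout page and the same page with an injected script tag.
CLEAN_CHECKOUT = b"<form id='checkout'><input name='pan'></form>\n"
SKIMMED_CHECKOUT = CLEAN_CHECKOUT + b"<script src='/static/a.js'></script>\n"

# Known-good baseline recorded at deployment time (hypothetical paths and contents).
BASELINE = {
    "cart/checkout.php": sha256_hex(CLEAN_CHECKOUT),
    "cart/config.php": sha256_hex(b"<?php $db='x'; ?>\n"),
}

# Constructed snapshot of the web root as found during the investigation:
# checkout.php was modified and a hidden dump file appeared under tmp/.
SNAPSHOT = {
    "cart/checkout.php": SKIMMED_CHECKOUT,
    "cart/config.php": b"<?php $db='x'; ?>\n",
    "cart/tmp/.d1.txt": b"4111111111111111|12/26|123\n5105105105105100|01/27|456\n",
}

# 13-19 digit runs, optionally separated by spaces or dashes, not embedded in longer digit runs.
PAN_RE = re.compile(r"(?<!\d)(\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    # Luhn checksum: doubles every second digit from the right, subtracts 9 if over 9.
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def integrity_findings(baseline, snapshot):
    # Report modified, unexpected and missing files relative to the baseline.
    findings = []
    for path, content in snapshot.items():
        if path not in baseline:
            findings.append((path, "unexpected file"))
        elif baseline[path] != sha256_hex(content):
            findings.append((path, "hash mismatch"))
    findings += [(p, "missing file") for p in baseline if p not in snapshot]
    return findings

def pan_count(content: bytes) -> int:
    # Count Luhn-valid card-number-like strings in a file's content.
    text = content.decode("utf-8", errors="ignore")
    return sum(luhn_ok(re.sub(r"[ -]", "", m.group(0))) for m in PAN_RE.finditer(text))

def scan_for_card_dumps(snapshot, min_pans=1):
    # Files with at least min_pans valid PANs are candidate dump files.
    return {p: n for p, c in snapshot.items() if (n := pan_count(c)) >= min_pans}
```

Because the attackers were deleting dump files, the hash mismatch on the checkout page is the more durable indicator; the PAN scan only catches files that still exist at collection time.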
8
Forensic Findings
Timeline: Jan. 1 (unauthorized access); Feb. 1 (script activated); March 1 (shopping cart disabled)
Card count (February 1, 2015 thru March 1, 2015):
Visa = 14,990 (15,000 Visa minimum)
Mastercard = 9,985 (10,000 MC minimum*)
AXP = 5,500 (10,000 AXP minimum)
The PFI has completed its final draft report and wants to set the “window of intrusion” as January 1, 2015 thru March 1, 2015 (affecting 60,000 cards)
Discussion points:
Scope of breach (from PFI perspective v. forensic evidence)
Applicability of card brand rules
Calculating impacted cards and “CAMS” alerts
9
Fines, Penalties and Assessments
NVRBreeched receives a letter from its processor indicating that Visa is fining the company $5,000 for PCI non-compliance and will continue to do so for every month that it fails to certify its PCI compliance
NVRBreeched receives another letter from its processor indicating that Visa is issuing fraud recovery and operating expense recovery assessments. The operating expense recovery equals $50,000 (20,000 cards x $2.50 per card) while the fraud recovery amount is $2,000,000.
The processor indicates that it will begin taking 100% of every dollar earned on Visa transactions and put it into a reserve fund until these amounts are met
Discussion points:
Vetting the card brands’ calculations
Liability to whom (the PCI “Contract Chain”)
Defenses and strategies for defense, and negotiations
Liability of / indemnification from third parties
10
Insurance Coverage
At the outset NVRBreeched notified its carrier of the breach and received coverage for breach notification expenses
However, NVRBreeched also requested that the carrier pay for legal expenses associated with defending the potential claims to be made by the payment processors/merchant banks/card brands arising out of the breach
In addition, NVRBreeched requested that the carrier pay the fines, penalties and assessments levied by the card brands (that were taken by the processor pursuant to the merchant agreement)
A coverage letter is imminent.
Discussion points:
Coverage for “pre-claim” defense
Coverage for “assessments”
Coverage for reserve funds
11
Takeaways
Grayson: the earlier the client is engaged with legal counsel, the better the outcome
Mark: the earlier forensics is involved, the better chance of a more favorable outcome
Neeraj: make sure your coverage matches your specific risks in this context
Dave: Know the card brand rules ahead of time so you can anticipate potential defenses and leverage points from the beginning
12
Speaker Company Contact
David Navetta, Esq., CIPP/US InfoLawGroup LLP [email protected]
Mark Schreiber Edwards Wildman Palmer LLP [email protected]
Grayson Lenik Nuix DFIR [email protected]
Neeraj Sahni Willis North America [email protected]
Marshall Heilman Mandiant [email protected] (808) 230-4707