The GDPR applies to 'controllers' and 'processors'. A controller determines the purposes and means of processing personal data. A processor is responsible for processing personal data on behalf of a controller. If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities, and you will have legal liability if you are responsible for a breach. If you are a controller, you are not relieved of your obligations where a processor is involved: the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.

The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU. The GDPR does not apply to certain activities, including processing covered by the Law Enforcement Directive, processing for national security purposes and processing carried out by individuals purely for personal/household activities.

Through our focused 4-hour workshop you will learn how to handle GDPR requirements in a PRACTICAL WAY. Yes, policies and procedures are important, but how does that translate into day-to-day activities? How do we embrace GDPR as an opportunity rather than an imposition? All these questions and more will be answered in our workshop.

GDPR Workshop - St Julians

Who Should Attend

Primarily aimed at professionals working across the public and private sectors:

IT, Risk, Security, Governance and Compliance roles
Marketing Professionals and Project Managers
Administration, Legal and Clerical roles involved in GDPR activities
Anyone interested in understanding GDPR, its effects and how to implement changes in your organisation

Context

The right to privacy is a highly developed area of law in Europe. All the member states of the European Union (EU) are also signatories of the European Convention on Human Rights (ECHR). Article 8 of the ECHR provides a right to respect for one's "private and family life, his home and his correspondence", subject to certain restrictions. The European Court of Human Rights has given this article a very broad interpretation in its jurisprudence.

In 1980, in an effort to create a comprehensive data protection system throughout Europe, the Organization for Economic Cooperation and Development (OECD) issued its "Recommendations of the Council Concerning Guidelines Governing the Protection of Privacy and Trans-Border Flows of Personal Data". The seven principles governing the OECD’s recommendations for protection of personal data were:

Notice—data subjects should be given notice when their data is being collected;
Purpose—data should only be used for the purpose stated and not for any other purposes;
Consent—data should not be disclosed without the data subject's consent;
Security—collected data should be kept secure from any potential abuses;
Disclosure—data subjects should be informed as to who is collecting their data;
Access—data subjects should be allowed to access their data and make corrections to any inaccurate data;
Accountability—data subjects should have a method available to them to hold data collectors accountable for not following the above principles.
The OECD Guidelines, however, were nonbinding, and data privacy laws still varied widely across Europe. The United States, meanwhile, while endorsing the OECD's recommendations, did nothing to implement them within the United States. However, all seven principles were incorporated into the EU Directive.[3]

In 1981 the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data was negotiated within the Council of Europe. This convention obliges the signatories to enact legislation concerning the automatic processing of personal data, which many duly did.

The European Commission realised that diverging data protection legislation amongst EU member states impeded the free flow of data within the EU and accordingly proposed the Data Protection Directive.

Scope

Personal data are defined as "any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;" (art. 2 a).

This definition is meant to be very broad. Data are "personal data" when someone is able to link the information to a person, even if the person holding the data cannot make this link. Some examples of "personal data" are: address, credit card number, bank statements, criminal record, etc.

The notion processing means "any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;" (art. 2 b).

The responsibility for compliance rests on the shoulders of the "controller", meaning "the natural or artificial person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data" (art. 2 d).

The data protection rules are applicable not only when the controller is established within the EU, but whenever the controller uses equipment situated within the EU in order to process data. (art. 4) Controllers from outside the EU, processing data in the EU, will have to follow data protection regulation. In principle, any online business trading with EU residents would process some personal data and would be using equipment in the EU to process the data (i.e. the customer's computer). As a consequence, the website operator would have to comply with the European data protection rules. The directive was written before the breakthrough of the Internet, and to date there is little jurisprudence on this subject.


Testimonials

Hundreds of delegates from all over the world have attended LiquidNexxus training sessions. Here are some testimonials related to this course/event.


Agenda

Overview of Payment Services Regulatory Environment

What is changing with the Payment Services Directive; The role of the EBA Guidelines; Data Breaches and Fraud; Why is it so important to implement these requirements; Applicability; The business value added and readiness towards PSD2
 

ATM Malware & BlackBox Attacks

Overview of the rise of ATM logical attacks, how they work and what to do to stop your ATM being emptied!

Payments Fraud Forensic Investigation Case Study

eCommerce or Online Payment System Attacks

Predictive Analytics Introduction

An introduction to big data and predictive analytics to provide foundation for the techniques to be covered on the course

Predictive Analytics Introduction

An introduction to big data and predictive analytics to provide foundation for the techniques to be covered on the course

ATM Applications, Operating System, & System Hardening

In light of recent trends and the growth of ATM malware and similar attacks, this section covers guidelines and recommendations for securing the system against manipulation and tampering.
 

    Online Banking Threats: Updates, Countermeasures, and Strategies

    Underground Payment Markets

    Malware, Skimming, Cards and more...how criminals operate underground, a deep insight into the Deep and Dark Web and its economy

    Point of Sale (POS) Attacks & Countermeasures

    Digital payments due diligence and AML

    Definition and History

     The FinTech Revolution: What it is, qualitative and quantitative definitions, why bankers have to pay attention  2008 – The Igniting Force: How the crisis catalysed innovation, how ICT is acting as a GPT (General Purpose Technology)  The Digital Transition Project: Why even the best banks struggle becoming digitally native? The Red Queen Effect, Information Cascades, MNOs: ways some telecom companies got it right

    New Strategies

    Bricks and Mortar vs Digital: Bricks to clicks vs Clicks to bricks - ATL vs Social Media: Synergies and Segmentation - Bundling vs Unbundling: Generalists vs Specialists - Local vs Location Independent: The digital panacea - Physical Safety vs Digital Safety: Changing client-perceptions - Case Studies: Behaviosec from Stockholm, Halifax Bank from Leeds, OCBC Bank from Singapore

    Definición de las partes interesadas, roles y responsabilidades

    Marcas de tarjetas de crédito Emisores de tarjetas Adquirentes de transacciones Procesadores de terceros (intermediarios)

    Definition and History

     The FinTech Revolution: What it is, qualitative and quantitative definitions, why bankers have to pay attention  2008 – The Igniting Force: How the crisis catalysed innovation, how ICT is acting as a GPT (General Purpose Technology)  The Digital Transition Project: Why even the best banks struggle becoming digitally native? The Red Queen Effect, Information Cascades, MNOs: ways some telecom companies got it right

    Security Policy, Management & Audits

    No controls are effective without a holistic integrated strategy, in this section the course covers some high level recommendations for management of ATMs as well as how these overlap with more common best practices.

      Applicable Standards & Other Recommendations

      PCI Standards have become de facto for minimum controls on cardholder data and transactions, in this section we cover how these standards apply to ATM environment and in particular PCI DSS, PA DSS and PTS (POI) applicability and relevance.
       

        ATM Controls: People, Processes & Technology

        This section covers best practices which should be employed by deployers to prevent external attacks, internal misuse, fraud, and costly errors as well as guidance on monitoring and prevention including: Data & Asset Classification, Asset Inventory, Change Control and Change Management, Audit Trails and Accountability, Responsibilities & Oversight
         

          ATM Risk Assessment Methodology

          As opposed to a pen test, this section leverages industry best practices and recommendations for risk assessments applied specifically to the ATM environment with particular focus on people and processes.
          •  

          Introduction and Context

          - Payment Card Industry Threats - Security Breach Reports Overview Attack Vector Analysis

          Monitoring & Remote Management

          This section covers various tools for ATM management and monitoring which permit ATM deployers to not only manage endpoint security but also conduct other activities such as remote diagnostics.
           

            Definición de las partes interesadas, roles y responsabilidades

            Marcas de tarjetas de crédito Emisores de tarjetas Adquirentes de transacciones Procesadores de terceros (intermediarios)

            ATMs and the logical software environment

            This section covers in detail the ATM software environment focusing on clarifying the different logical components and interactions between them. This chapter sets the scene for further understanding ATM functionality and how different type of fraud affects ATMs.

              EBA Banking Security Regulation & Guidelines

              RTS Strong Customer Authentication and Guidelines on Major Incident Reporting 

              New Strategies

              Bricks and Mortar vs Digital: Bricks to clicks vs Clicks to bricks - ATL vs Social Media: Synergies and Segmentation - Bundling vs Unbundling: Generalists vs Specialists - Local vs Location Independent: The digital panacea - Physical Safety vs Digital Safety: Changing client-perceptions - Case Studies: Behaviosec from Stockholm, Halifax Bank from Leeds, OCBC Bank from Singapore

              Introduction and Context

              - Payment Card Industry Threats - Security Breach Reports Overview Attack Vector Analysis

              ATM Hacking and Malware Analysis

              2013 and 2014 have seen Malware feature prominently in the news and affects institutions across the globe. This section analyses in detail the various incidents known and details the modus operandi of Malware attacks with demonstrations. In this section specific countermeasures are also covered.

                Predictive Analytics Introduction

                An introduction to big data and predictive analytics to provide foundation for the techniques to be covered on the course

                The Future of Banking

                 How Banks will Look Like in 2025: The ‘Internet of Things’, The Branch-Network Reimagined  How New Risks Evolve in Banking: Information-security, New Solutions in Risk-Management  New Banks: How Challenger Banks, Neo-Banks, Digital-Only Banks, Smartphone-Only-Banks can reach economy of scale  Case Studies: Moven from New York, Atom Bank from Durham

                Communication in the Digital Age

                 Trust-building via Digital Channels: Information-cascades, Innovation-communication, Frictionless solutions  The Banking Innovation Paradox: How would Steve Jobs market a bank?  Unconventional Marketing: Gamification, Advertainment, Infotainment, Inbound Marketing, Native Advertising  Case Studies: Moven from New York

                Communication in the Digital Age

                 Trust-building via Digital Channels: Information-cascades, Innovation-communication, Frictionless solutions  The Banking Innovation Paradox: How would Steve Jobs market a bank?  Unconventional Marketing: Gamification, Advertainment, Infotainment, Inbound Marketing, Native Advertising  Case Studies: Moven from New York

                Payment Card Industry Stakeholders Overview & Their Relationship with PCI DSS

                About the PCI SSC Card Brand Compliance Programs Standards Applicability & Levels Merchants, Service Providers PCI DSS , PA DSS, PTS

                Evolución de la industria de la tarjeta de crédito y normas relevantes

                Diseño de las tarjetas Requisitos técnicos Cómo manejar el riesgo del crédito Procesamiento de solicitudes Fraude en las solicitudes Clasificación de los créditos Manejo del riesgo de las tarjetas de crédito

                Case Study: Elicitation of Variables

                Create an exhaustive list of reasons that a customer may leave a telecommunications provider for the purposes of these variables being modelled by the company’s data analysts, then be carried through to predictive analytics.

                PCI DSS y otras normas

                Objetivos del PCI DSS; Relación con otras normas, como ISO 27001; Conceptos fundamentales: Cumplimiento y validación; Niveles de validación y diferencias entre marcas 

                The Future of Banking

                 How Banks will Look Like in 2025: The ‘Internet of Things’, The Branch-Network Reimagined  How New Risks Evolve in Banking: Information-security, New Solutions in Risk-Management  New Banks: How Challenger Banks, Neo-Banks, Digital-Only Banks, Smartphone-Only-Banks can reach economy of scale  Case Studies: Moven from New York, Atom Bank from Durham

                Overview of PCI Standards and programs

                including PA-DSS, PCI Point to Point Encryption, Relationship to PA-DSS and P2PE, PCI PTS, PCI PIN Security Requirements

                Payment Card Industry Stakeholders Overview & Their Relationship with PCI DSS

                About the PCI SSC Card Brand Compliance Programs Standards Applicability & Levels Merchants, Service Providers PCI DSS , PA DSS, PTS

                Case Study: Elicitation of Variables

                Create an exhaustive list of reasons that a customer may leave a telecommunications provider for the purposes of these variables being modelled by the company’s data analysts, then be carried through to predictive analytics.

                Evolución de la industria de la tarjeta de crédito y normas relevantes

                Diseño de las tarjetas Requisitos técnicos Cómo manejar el riesgo del crédito Procesamiento de solicitudes Fraude en las solicitudes Clasificación de los créditos Manejo del riesgo de las tarjetas de crédito

                Concepts and Definitions

                Payment Services Providers; Cards, credit transfers, e-mandates, electronic money, etc; Sensitive Data; Risk and control; Strong Authentication and related technical mechanisms
                 

                Basic Statistics with Palisade StatTools

                Predictive Analytics is rooted almost entirely in statistics and an understanding of basic statistics is vital to fully understand the linear and nonlinear predictive analytics techniques to be taught in the course

                Payment Industry Terminology

                All the terminology you need to know

                Clonación de Tarjetas y Fraude Cibernético

                El Cibercrimen y los mercados 'underground' Exposición externa y tendencias El mercado clandestino de fraude en tarjetas de crédito

                How to React to FinTech?

                 Defense & Offense: Evolution and revolution within banking  Communication vs Organization: Innovative image versus Vertical Silos, Incubators, Accelerators, Labs  Venture Capital: How can vs how should banks invest into FinTech  The New Face of Competition: Co-opetition, Frenemies  Group Exercise: The Venture Capital Role-Play

                How to React to FinTech?

                 Defense & Offense: Evolution and revolution within banking  Communication vs Organization: Innovative image versus Vertical Silos, Incubators, Accelerators, Labs  Venture Capital: How can vs how should banks invest into FinTech  The New Face of Competition: Co-opetition, Frenemies  Group Exercise: The Venture Capital Role-Play

                Clonación de Tarjetas y Fraude Cibernético

                El Cibercrimen y los mercados 'underground' Exposición externa y tendencias El mercado clandestino de fraude en tarjetas de crédito

                How to React to Competition?

                 The Speed has Changed: The Red Queen Effect  Competition versus Cooperation: Coopetition, Frenemies, Co- marketing, communication through FinTech companies  Eating the Dinner of Banks: FinTech, Challenger Banks, Digital Convergence, Large Banks vs Small Banks  Risks: bad and ugly in digital marketing, security, digital alienation, financial illiteracy, regulatory approach  Case Studies: Innovate Finance from London, the Super Charger Alliance from Hong Kong, the R3 Alliance from New York

                Basic Statistics with Palisade StatTools

                Predictive Analytics is rooted almost entirely in statistics and an understanding of basic statistics is vital to fully understand the linear and nonlinear predictive analytics techniques to be taught in the course

                Scoping & Network Segmentation

                Applicable Cardholder Data concepts Understanding & Finding Card Data CVV vs CVV2, Track 1 vs Track 2 Data, Full Track or Magnetic Stripe Track Data Characteristics and Guidelines for Searching, MOD-10 Card Data Flow & Network Diagrams Segmentation and Sampling of Business Facilities/System Components Scoping Procedure Network Segmentation & Exercise

                How to React to Competition?

                 The Speed has Changed: The Red Queen Effect  Competition versus Cooperation: Coopetition, Frenemies, Co- marketing, communication through FinTech companies  Eating the Dinner of Banks: FinTech, Challenger Banks, Digital Convergence, Large Banks vs Small Banks  Risks: bad and ugly in digital marketing, security, digital alienation, financial illiteracy, regulatory approach  Case Studies: Innovate Finance from London, the Super Charger Alliance from Hong Kong, the R3 Alliance from New York

                Scoping & Network Segmentation

                Applicable Cardholder Data concepts Understanding & Finding Card Data CVV vs CVV2, Track 1 vs Track 2 Data, Full Track or Magnetic Stripe Track Data Characteristics and Guidelines for Searching, MOD-10 Card Data Flow & Network Diagrams Segmentation and Sampling of Business Facilities/System Components Scoping Procedure Network Segmentation & Exercise

                PSD2 Coverage

                Payments Outside the EU; Payment in Non-EU Currencies; Consumer Protection Requirements Updates; Managing Complaints; Interchange Charges; Surcharges; Thresholds
                 

                Clients of the New Millennium

                 Contradictions: Millennials vs Baby Boomers, Mass vs Affluent  Linear vs Exponential: Metcalfe’s Law, old media vs new media  Customer Loyalty: the lock-in effect  Digital Identity: the trillion dollar problem  Segmentation: CRM, profiling, customer analytics  Case Studies: Max My Interest from New York, Stockpile from Palo Alto, Tether from Hong Kong

                Digital Channels

                 Social Media: FB, LinkedIn, Twitter, Pinterest, Instagram, YouTube  Smartphone: the center of attention and the center of ambivalence  Branch and ATM: ‘The branch of the future’ or ‘The future of the branch’, The 5 directions in ATM Innovation, Video banking  Future: Smartwatch, Wearables, Hyper-connectivity, IoT (Internet of Things), Roboadvisors, AI (Artificial Intelligence)  Case Studies: 4x from London, Q from Singapore, NAO from Tokyo, Kiwi Bank from New Zealand, Barclays Bank from London

                General Controls and Information Security Governance

                Risk Appetite and Information Security Policy; Roles and responsibilities ; Customer awareness, communication and culture
                 

                Digital Channels

                 Social Media: FB, LinkedIn, Twitter, Pinterest, Instagram, YouTube  Smartphone: the center of attention and the center of ambivalence  Branch and ATM: ‘The branch of the future’ or ‘The future of the branch’, The 5 directions in ATM Innovation, Video banking  Future: Smartwatch, Wearables, Hyper-connectivity, IoT (Internet of Things), Roboadvisors, AI (Artificial Intelligence)  Case Studies: 4x from London, Q from Singapore, NAO from Tokyo, Kiwi Bank from New Zealand, Barclays Bank from London

                Cardholder Data Review

                CHD, CDE, SAD and Payment Transaction Flow

                Vectores de los principales ataques

                Tarjetas perdidas/robadas Clonación de tarjetas Captura de tarjetas

                Prioritising Compliance & Security: Risk Assessment Guidelines

                PCI DSS Requirement 12.1.2 Risk Management Strategy, Assessments Prioritised Approach. Third-Party Risks Reporting, Critical Success Factors

                Clients of the New Millennium

                 Contradictions: Millennials vs Baby Boomers, Mass vs Affluent  Linear vs Exponential: Metcalfe’s Law, old media vs new media  Customer Loyalty: the lock-in effect  Digital Identity: the trillion dollar problem  Segmentation: CRM, profiling, customer analytics  Case Studies: Max My Interest from New York, Stockpile from Palo Alto, Tether from Hong Kong

                Vectores de los principales ataques

                Tarjetas perdidas/robadas Clonación de tarjetas Captura de tarjetas

                Prioritising Compliance & Security: Risk Assessment Guidelines

                PCI DSS Requirement 12.1.2 Risk Management Strategy, Assessments Prioritised Approach. Third-Party Risks Reporting, Critical Success Factors

                Donde reside la Trazabilidad.  

                Conocer como y donde se registran evidencias

                Digital Products

                 Crowdsourcing: Digital products developed through digital channels  Digital Market-Research: Virtual Focus Groups, Social-Listening, Research Gamification, Natural Language Robots  Product Development Best Practices: Time Horizons vs Vertical Silos, Big Data in Product Development  Case Studies: Westpac from Australia, ICICI Bank from India  Group Exercise: The Crowdsourcing Brainstorm

                Abstraction and Transformations

                Statistics underpin predictive analytics, however, the real power is the shaping and moulding of data for a given problem domain to create datasets that are more enriched and meaningful and thus lead to better predictive analytics models, measured by better predictive or classification accuracy

                Third Parties and Service Providers

                Working with service providers and other third parties, contracts, risk management, requirements

                Fraude en POS y ATMs

                Specific Controls and Technical Security Measures

                Customer identification and authentication; Access control rules; Transaction logging and monitoring; Sensitive data protection
                 

                Compensating Controls

                Compensating Controls Worksheet Case Study

                Design and Data in Digital Marketing

                 Loving a Bank: UX (User Experience), UI (User Interface)  Design as Differentiator: Branch, Website, Mobile, Logo, Brand  Big Data: Social Media Credit Scoring, Spending patterns, OCR analysis, Geographic proximity, Tailor-made recommendations, Peer comparison  Premium Segments: Luxury Brand by design and data, roboadvisors  Case Studies: Friendly Score from London, Singular Intelligence from Oxford

                Abstraction and Transformations

                Statistics underpin predictive analytics, however, the real power is the shaping and moulding of data for a given problem domain to create datasets that are more enriched and meaningful and thus lead to better predictive analytics models, measured by better predictive or classification accuracy

                Digital Products

                 Crowdsourcing: Digital products developed through digital channels  Digital Market-Research: Virtual Focus Groups, Social-Listening, Research Gamification, Natural Language Robots  Product Development Best Practices: Time Horizons vs Vertical Silos, Big Data in Product Development  Case Studies: Westpac from Australia, ICICI Bank from India  Group Exercise: The Crowdsourcing Brainstorm

                Fraude en POS y ATMs

                Design and Data in Digital Marketing

                 Loving a Bank: UX (User Experience), UI (User Interface)  Design as Differentiator: Branch, Website, Mobile, Logo, Brand  Big Data: Social Media Credit Scoring, Spending patterns, OCR analysis, Geographic proximity, Tailor-made recommendations, Peer comparison  Premium Segments: Luxury Brand by design and data, roboadvisors  Case Studies: Friendly Score from London, Singular Intelligence from Oxford

                Compensating Controls

                Compensating Controls Worksheet Case Study

                Digital Identity The Missing Piece of the Puzzle

                 Onboarding: Why the lack of digital identity hurts banks  AML and KYC: Is this really an issue  Biometrics: The technical solution is more than ready, the question is not ‘if’, but ‘when’ and ‘which version’  Digital Signature and the Paperless Bank: Dream or reality, Cost- cutting versus Quality of Service  Case Studies: Estonia and the E-Stonia Project

                Logistic Regression

                Logistic Regression is intended to model yes \ no, rather binary, type problems and in this regard, is useful for classification and behavioural analytics

                PCI DSS Requirements and Security Assessment Procedures

                An overview of how to interpret and apply

                Sales in the New Era: Maximizing Efficiency

                 Prospects: lead generation in the digital age, the Curiosity Gap  Marketing Automation: Marketing Technology, The MarTech Revolution  Video: problem or solution  Old Techniques in the New Era: Onboarding, X-Sell, Upsell, Referral, Welcome Gift, Aggregators  Case Studies: ICICI Bank from Mumbai, Umpqua Bank from Portland

                PCI DSS Requirements and Security Assessment Procedures

                An overview of how to interpret and apply

                Fraude interno

                Métodos de fraude interno Contramedidas

                Logistic Regression

                Logistic Regression is intended to model yes \ no, rather binary, type problems and in this regard, is useful for classification and behavioural analytics

                Digital Identity The Missing Piece of the Puzzle

                 Onboarding: Why the lack of digital identity hurts banks  AML and KYC: Is this really an issue  Biometrics: The technical solution is more than ready, the question is not ‘if’, but ‘when’ and ‘which version’  Digital Signature and the Paperless Bank: Dream or reality, Cost- cutting versus Quality of Service  Case Studies: Estonia and the E-Stonia Project

                Aplicabilidad y evaluación de cumplimiento PCI DSS

                La PCI DSS se aplica a todas las entidades que almacenan, procesan o transmiten datos del titular de la tarjeta y/o datos confidenciales de autenticación. También aplica a todas las entidades que intervienen en procesamiento de las tarjetas de pago, entre las que se incluyen comercios, procesadores, adquirentes, emisores y proveedores de servicio. 

                Establish a Risk Assessment Framework

                Plan and rollout a risk assessment methodology; Develop a toolkit or use a system to record the results; Execute the risk assessment; Documentation of the risks and mitigation action plans
                 

                Fraude interno

                Métodos de fraude interno Contramedidas

                Sales in the New Era: Maximizing Efficiency

                 Prospects: lead generation in the digital age, the Curiosity Gap  Marketing Automation: Marketing Technology, The MarTech Revolution  Video: problem or solution  Old Techniques in the New Era: Onboarding, X-Sell, Upsell, Referral, Welcome Gift, Aggregators  Case Studies: ICICI Bank from Mumbai, Umpqua Bank from Portland

                Fraude en CNP (pagos sin presencia física de la tarjeta)

                Tipos de fraude en CNP Apropiación de cuenta Colusión y triangulación del comerciante

                The New Role of a Financial Brand in the 21st Century

                 Brand Personality: digital brand-personality, the digital story of the brand  CSR: ‘the good bank’, how a bank can turn the tide on stereotypes  PR 2.0: new opportunities in public relations  Value Proposition: innovative image, good employer, awards, getting beyond the six basics of value proposition (value for money, one-stop shop, superior expertise, product-differentiation, ethics, innovative edge)  Case Studies: PayPal from Palo Alto, TransferWise from London, LendingClub from San Francisco, BBVA from Madrid

                Requirement 1: Install and maintain a firewall configuration to protect cardholder data

                Conceptos Claves de Datos de Tarjeta (CHD)

                Datos de tarjeta, autenticación, pistas, chip, PIN, PIN Block, PAN, CVC, Caducidad, Nombre, etc

                Payments: Innovation-Arena with High Visibility

                M-Pesa: Digital payments and Financial inclusion; But how did it all get started; Remittances: How the cash-cow of western banks is being taken away, How do banks react; ApplePay: better to be prepared; the future of plastics is in danger; Case Studies: PayPal from Palo Alto, SelfPay from Toronto, Super Wallet from Lublin; Group Exercise: The Client-Segment Simulation Roleplay

                Implement Fraud Monitoring System

                Analyse fraud transaction risks; design/review fraud monitoring rules; automate alerts and fraud prevention mechanisms

                Case Study: Logistic Regression

                Using a dataset of fraudulent transactions, develop a logistic regression model; the model with the best classification accuracy wins.

                Compensating Controls

                Overview and appropriate uses

                CNP Fraud Prevention and Detection

                Merchant recruitment policy; manual review; negative/positive lists; CNP authentication methods

                Summary

                Concepts; Tools; Trends; ‘To-Do’s; Resources

                Prioritized Approach

                Overview, security milestones, purpose and Prioritized Approach Tool

                Case Study: Bayesian Network

                Create a Bayesian Network that achieves better classification accuracy than that observed with Logistic Regression. Seek improvement in the model by moving from a Naïve Bayesian Network to a Hierarchical Bayesian Network, and finally look at how variables that may not directly relate to the likelihood of default relate to one another, which, taken together, may improve the overall accuracy.

                Norsys Netica and Bayesian Analysis

                Bayesian Networks are an extremely powerful, yet highly intuitive and explainable, predictive analytics technique. Bayesian Networks not only allow prediction of the likelihood of an event happening but also provide a means of explaining the most probable environment that caused the event to happen.

                Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

                Summary

                Concepts; Tools; Trends; ‘To-Do’s; Resources; Evaluation and Termination of the Seminar

                PCI DSS Compliance Procedure and Phases

                Processes involved in the internal and external management of PCI DSS, and how to approach each phase

                Linking Related Standards Frameworks and Directives

                Payment Card Industry Standards - PCI DSS; Central Bank Directives; Eurosight on Card Payment Systems and Settlement Process; etc.

                Neural Networks

                Neural Networks are an extremely accurate, albeit complex and internally unexplainable, means of creating predictive analytics models. Neural Networks work just as well for classification as they do for numeric prediction.

                Documents and Resources

                Implementation guides, compliance reports, FAQ, SAQ, AOC, ROC, etc.

                Selection Process for External Assessors and PCI Consultants

                Requirements and best practices for working with external assessors and consultants, ensuring better control of the project and its costs.

                Requirement 3: Protect stored cardholder data

                Requirement 4: Encrypt transmission of cardholder data across open, public networks

                Self-Assessment Questionnaire (SAQ) Overview

                How and when to use Self-Assessment Questionnaires (SAQs)

                Scope Reduction through Network Segmentation

                A key part of every PCI project is defining and reducing the scope as far as possible. In practice this means knowing how to isolate network segments and determining which controls are needed for the devices involved (firewalls, switches, routers, etc.)

                Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs

                Recognizing How New Technologies affect PCI

                Including tokenization, virtualization, mobile, Point-to-point encryption

                Reporting

                ROC, SAQ and AOCs

                Firewall Configuration, Standards and Settings

                Network segmentation, vendor default configurations and administrative access.

                PCI Ethics and Code of Professional Responsibility

                Requirement 8: Identify and authenticate access to system components

                Requirement 7: Restrict access to cardholder data by business need to know

                Requirement 10: Track and monitor all access to network resources and cardholder data

                Requirement 11: Regularly test security systems and processes

                Requirement 9: Restrict physical access to cardholder data; Skimming Fraud (ATM & POS card reader manipulation)

                Requirement 6: Develop and maintain secure systems and applications

                Requirement 12: Maintain a policy that addresses information security for all personnel

                Restricting Physical Access to Cardholder Data

                As with logical access, there are basic measures required for any physical medium that stores cardholder data.

                Employee Education and Screening

                Most security problems and breaches are attributed to employees, contractors or suppliers, so it is a priority to educate every individual according to their responsibilities and their relationship with cardholder data and/or components of the environment.

                Database Access Control & Restrictions

                Controlling access to any database containing cardholder data, including access by applications, administrators and all other users

                Disk Replacement

                Examples of Endoscope Attacks

                ATM Attacks Involving BIOS Vulnerabilities

                Dispenser Attack with Diebold 4.1.48 Patches

                NCR Level 3 Encrypt Attacks

                Identifying and Preventing Transaction Server Attacks

                Data Retention

                When data may be stored and how: protection of stored data, cardholder data encryption, encryption key management, sensitive data over public networks

                Service Provider Requirements

                Every entity that processes, stores or transmits cardholder data must comply with the PCI DSS requirements, but so must those that can affect the security of the in-scope environment, whether directly or indirectly.

                Software Development Controls

                Any software development must protect the integrity of the data it handles. It is important to isolate the development, test and production environments, and to follow secure development best practices throughout the development life cycle.

                PCIP Resources

                Links, resources, making PCI DSS business as usual and information supplements

                MITM Attacks

                Incident Response Management

                An incident response plan must be known to everyone involved and affected, and it must be verified that the plan fits the entity and the card brands' mandatory procedures. The plan must be tested regularly to ensure it works should a real incident occur.

                Restricting Data Access

                Access to cardholder data must be reduced to the minimum number of people possible according to business need. The fewer people with access to sensitive data, the smaller the scope and the fewer protective measures required.

                Information Security Policy Management

                The information security policy is a continuous management process that involves maintaining ongoing risk assessment, monitoring the effectiveness of controls, and tracking changes in the technology environment.

                User Identification and Authentication

                Every user who interacts with cardholder data or connected systems must be identified; this is key to attributing, investigating and identifying events or incidents (log management)

                Principles for the Use and Updating of Antivirus Software

                Having antivirus is not enough; updates must be managed according to the risk classification of the resources, among other things.

                Vulnerability Scanning and Pentesting

                Scanning requirements and results management. Defining who, how and when the environment must be tested according to its segmentation and risk level.

                ATM Malware (samples of several malware families)

                Acceptable Use Policy

                In cardholder data environments, how the data and the related devices are managed matters, and these practices are directly related to the risk levels.

                Diebold and NCR ATM Dispenser Patches

                Wireless Network Guidelines

                Wireless network management is key to reducing risk. There are key measures required to secure this medium.

                Other ATM Vulnerabilities Arising from XFS Configurations

                Security Testing (OSSTMM)

                Containment Measures Testing, Password Cracking, Survivability Testing

                Penetration Testing: Requirements, Best Practices & Methodologies

                Penetration testing requirements, best practices and methodologies (NIST SP800-115)

                Payment Processors

                Working with payment service providers, processors and other intermediaries

                Technology Platform

                ATM architecture (PC core, motherboard, external media, communications adapter, persistent storage, boot code, software stack, XFS (abstraction layer), manufacturer-specific architecture, ATM devices, ATM communications, LAN/WAN, backend systems), networks and communications, transaction flow

                Acquiring Business

                How the acquiring business functions from a management, operations and fraud prevention perspective, and how to effectively manage risk

                EMV Chip Card Overview

                An overview of the impact of Chip Migration, its benefits and your responsibilities from both issuing and acquiring perspectives.

                Fraud Management

                Fraud Management considerations and best practices

                Defining Payment Fraud

                Payment Card fraud and its many manifestations, overview of fraud vectors and trends

                Card Brand Fraud Reporting

                What you need to consider in terms of reporting

                Fraud Recovery Management

                How to manage recovery and optimise costs

                Card Brand Compliance Programs

                What card brands say, their rules and operating regulations

                ATM Fraud

                A detailed overview of ATM fraud and best practices including specific countermeasures

                3D Secure

                Understanding 3D Secure and how it can help reduce fraud

                Card Transaction Flow

                A detailed overview of how transactions work in various acceptance environments

                Overview of E-Commerce Features

                The effect of e-commerce and the particularities of this type of acceptance from a fraud perspective

                Best Practices for Investigation and Loss Control

                Investigations, chargebacks, dispute best practices and tools

                Best Practices for Fraud Management and Monitoring

                Monitoring and fraud management best practices in the modern day era

                Outline of Card Brands Risk Strategy

                How card brands approach risk management, their priorities and what you should know

                Introduction to Card Brands

                An overview of card brands and their policies

                Reconciliation and Settlement Process

                Definition, description of the process, roles, risks and recommendations.

                Acquiring Terminal Administration

                POS and ATM management, how to effectively manage terminals and reduce fraud

                Cross-border data transfers

                With any international data transfers, including intra-group transfers, it will be important to ensure that you have a legitimate basis for transferring personal data to jurisdictions that are not recognised as having adequate data protection regulation. This is not a new concern, but as failure to comply could attract a fine of up to the greater of EUR20m and 4% of annual worldwide turnover, the consequences of non-compliance could be severe. You may want to consider adopting binding corporate rules to facilitate intra-group transfers of data.

                Processor obligations

                The GDPR imposes some direct obligations on processors which you will need to understand and build into your policies, procedures and contracts. You are also likely to find that your customers will wish to ensure that your services are compatible with the enhanced requirements of the Regulation. Consider whether your contractual documentation is adequate and, for existing contracts, check who bears the cost of making changes to the services as a result of the changes in laws or regulations. If you obtain data processing services from a third party, it is very important to determine and document your respective responsibilities.

                Data subject rights

                Be prepared for data subjects to exercise their rights under the GDPR, such as the right to data portability and the right to erasure. If you store personal data, consider the legitimate grounds for its retention – it will be your burden of proof to demonstrate that your legitimate grounds override the interests of the data subjects. You may also face individuals who have unrealistic expectations of their rights.

                Privacy Notices and Policies

                The GDPR requires that information provided should be in clear and plain language. Your policies should be transparent and easily accessible.

                Legal Basis of Personal Data Use

                Consider what data processing you undertake. Do you rely on data subject consent, for example, or can you show that you have a legitimate interest in processing that data that is not overridden by the interests of the data subject? Companies often assume that they need to obtain the consent of data subjects to process their data. However, consent is just one of a number of different ways of legitimising processing activity and may not be the best (e.g. it can be withdrawn). If you do rely on obtaining consent, review whether your documents and forms of consent are adequate and check that consents are freely given, specific and informed. You will bear the burden of proof.

                Embrace Privacy by Design

                Ensure that privacy is embedded into any new processing or product that is deployed. This needs to be thought about early in the process to enable a structured assessment and systematic validation. Implementing privacy by design can both demonstrate compliance and create competitive advantage.

                Accountability Framework

                Appoint a data protection officer, if required. Ensure that you have clear policies in place to prove that you meet the required standards. Establish a culture of monitoring, reviewing and assessing your data processing procedures, aiming to minimise data processing and retention of data, and building in safeguards. Check that your staff are trained to understand their obligations. Auditable privacy impact assessments will also need to be conducted to review any risky processing activities and steps taken to address specific concerns.

                Security Breach Readiness

                Put in place clear policies and well-practised procedures to ensure that you can react quickly to any data breach and notify in time where required.

                Data Protection and Information Technologies

                Advances in technology have enabled organisations to process more and more personal data, and to share information more easily. This has obvious benefits if they are collecting and sharing personal data in accordance with the data protection principles.

                European Data Protection Framework

                Detailed summary and understanding of applicability of the European Data Protection Framework in the national context

                Privacy Fundamentals

                What is Privacy?; Privacy: A Fundamental Right? Or Something Else?; Why is Privacy Important?; Anonymity and Pseudonymity; Privacy and Culture; Security and Privacy

                Venue

                The venue of this event will be announced shortly.


                Next Sessions

                No session planned yet for this course; please contact us.
                Inhouse and eLearning available and we are always interested in working with new partners.