Protecting Your Customers' Card Data. Presented By: Oliver Pinson-Roxburgh

Transcription

1 Protecting Your Customers' Card Data Presented By: Oliver Pinson-Roxburgh

2 Agenda Trustwave Overview PCI Scope Compromise Statistics PCI Makes Business Sense Registration Process TrustKeeper Features Support & Resources Questions

3 Trustwave Our Experience

4 The leader in compliance and data security MSSP with more than 1,400 devices under management Monitor more than 18 million events per day Top 10 global Certificate Authority with more than 40,000 SSL certificates issued Performed more than 2,000 network and application penetration tests Conducted more than 740 forensic investigations Benchmark work for HIPAA, GLBA, SOX, ISO series PCI DSS leader Trustwave has certified 42 percent of PsPs; 40 percent of Payment Apps. Fully qualified for all PCI-related work: QSA (2002); ASV (2003); PA-QSA (2005); QIRA (2005)

5 PCI Scope

6 Payment Card Acceptance The Payment Card Industry s Data Security Standard states: PCI Data Security Requirements apply to all members, merchants, and service providers that store, process or transmit cardholder data

7 The Mandate: Visa Merchant Levels Defined Level* Merchant criteria Validation requirements 1 Merchants processing more than six million Visa transactions annually via all channels or global merchants identified as level one by any Visa region.** 2 Merchants processing one million to six million Visa transactions annually via all channels. 3 Merchants processing 20,000 to one million Visa e- commerce transactions annually. Annual Report on Compliance (ROC) to follow an on-site audit by either a Qualified Security Assessor or qualified internal security resource Quarterly network scan by Approved Scan Vendor (ASV) Attestation of Compliance form Annual Self-Assessment Questionnaire (SAQ) Quarterly network scan by ASV Attestation of Compliance form Use a service provider that has certified their PCI DSS compliance (certified providers are listed on Visa Europe s website: OR Have certified their own PCI DSS compliance to the acquirer (who must, on request, be able to validate that compliance to Visa Europe) (SAQ) 4 E-commerce merchants only Merchants processing fewer than 20,000 Visa e- commerce transactions annually. Use a service provider that has certified their PCI DSS compliance (certified providers are listed on Visa Europe s website: OR Have certified their own PCI DSS compliance to the acquirer (who must, on request, be able to validate that compliance to Visa Europe) (SAQ) Non e-commerce merchants Merchants processing up to one million Visa transactions annually. Annual SAQ Quarterly network scan by an ASV Attestation of Compliance form * Compromised entities may be escalated at regional discretion ** Where merchants operate in more than one country or region, if they meet level one criteria in any Visa country or region, they are considered a global Level one merchant. An exception may apply to global merchants if there is no common infrastructure and if Visa data is not aggregated across borders. In such cases merchants are validated according to regional levels.

8 Compromise Statistics

9 Incident Response Investigations Detection Methods vs. Time As expected, those able to self detect, detect quicker Unable to self-detect, 5x longer exposure time Investigations showed: Role-based security training = improved detection capability Mature infosec programs and monitoring controls helped

10 Incident Response Investigations Payment Card Industry Compliance 97% insufficient firewall policy 83% default/ guessable password 48% not using PA-DSS application

11 PCI DSS Makes Business Sense

12 PCI DSS Compliance: Sound Business Practice Fundamental Best Security Practices Avoid fraud Helps to understand own system better Clarifies where data is stored Upholds Brand Name Adds value to name Increases consumer confidence Non-compliant, compromised business could expect: Damage to their brand/reputation Investigation costs Remediation costs Fines and fees

13 TrustKeeper Registration

14 Splash Page

15 Registration Process

16 TrustKeeper Features

17 PCI Wizard 2 Choices

18 PCI Wizard for a Dial-up Merchant

19 PCI Wizard for an Internet Merchant with POS

20 Help Provides Examples and Advice

21 As Well as Security Education

22 PCI Wizard Section Passed

23 PCI Wizard Section Failed

24 Resolve Issues with Remediation Advice

25 Completed PCI Wizard

26 Completed PCI Wizard

27 Merchant Profile

28 Pre-Filled SAQ for Merchant Review

29 SAQ Submission

30 Scan Setup Wizard

31 Scan Setup for Web Sites

32 Scan Setup for Physical Locations

33 Support and Resources

34 Trustkeeper Support TrustKeeper support Phone numbers: COUNTRY TELEPHONE NUMBER IRELAND UK GERMANY BELGIUM FRANCE POLAND INTERNATIONAL

35 Resources PCI Security Standards Council: List of compliant payment applications on this site Full version of the PCI DSS Standard Elavon Getting Started Page: Further information:

36 Questions?