Whitepaper. PCI Compliance: Protect Your Business from Data Breach

Transcription

1 Merchants often underestimate the financial impact of a breach. Direct costs include mandatory forensic audits, credit card replacement, fees, fines and breach remediation. PCI Compliance: Protect Your Business from Data Breach PCI COMPLIANCE IS ESSENTIAL FOR SECURE TRANSACTIONS AND FINANCIAL STABILITY The security and safety of personal and financial data is increasingly threatened. Nowhere is that more apparent than in the retail industry a primary target for cyber criminals. Retail businesses are particularly vulnerable because of the volume of credit card information, the fact that this information is distributed among many locations, the lengthy amount of time it can take them to detect a breach, and the often inadequate staff and safeguards they have in place. Some experts forecast that as many as one in six small businesses will be breached. 1 Small businesses are particularly vulnerable; according to Visa, 97% of U.S. events occurred at small merchants, and 91% of those were brick and mortar merchants. 2 Larger organizations, too, are vulnerable to the consequences of such a breach. Examples from recent years include Bank of America, Boston Market, Sports Authority, and Forever 21. A particularly devastating case was the breach of TJX Corp., which resulted in the loss of at least 45 million credit card numbers to a single hacker. Merchants often underestimate the financial impact of a breach, which can be significant. Smaller retailers that suffer a major and widely publicized breach of credit card data may actually find themselves out of business due to costs associated with fees, fines, and remediation, as well as ongoing damage to their brands and reputations. For example, the average cost of a breach is estimated at $80,000 per location for Level 4 merchants, and can reach into the millions depending on the size of the merchant and the extent of the breach. 3 Direct costs include mandatory forensic audits, credit card replacement, fees, fines, and breach remediation to prevent a recurrence. 1

2 Breach remediation can take months, as shown in Table 1. Table 1: Typical Breach/Remediation Timeline Day 1 Day 5 Day 7 Day 10 to Day Notification of breach Stop taking credit cards Pay for a forensic audit Monitor media/social media Forensic audit complete Contact a Qualified Security Assessor (QSA) Obtain proposals for remediation Execute remediation and compliance plan Replace credit cards For these reasons, complying with PCI-DSS (Payment Card Industry Data Security Standard, also known simply as PCI) is much more than just a technical goal for retailers. It is necessary for business stability. Disclose breach/address brand and media impact Post breach plus one year - revenue impact For these reasons, complying with PCI-DSS (Payment Card Industry Data Security Standard, also known simply as PCI) is much more than just a technical goal for retailers. It is necessary for business stability. What is PCI-DSS? PCI was originally created as a joint initiative by Visa, MasterCard, American Express, JCB, and Discover to protect card-holder information and reduce data theft and fraud. The first version was released in December 2004, and it has since then undergone two significant updates. The current version, 2.0, was issued in October PCI compliance is mandatory for all organizations who accept Visa and MasterCard credit cards. If a retailer is found to be noncompliant, it could incur significant fines and be restricted from accepting credit cards until compliance is achieved. While no standard can guarantee 100% prevention of a major credit card data breach, PCI compliance can significantly reduce the probability of such an event. Being PCI compliant means that merchants are pursuing established best practices specifically designed to protect sensitive credit card data from unauthorized access critical both for themselves and their customers. 2

3 What is required for PCI compliance? Most retailers are aware of the importance of PCI compliance, but many lack the essential safeguards required to fully achieve it. For example, when retailers who accept credit cards are asked the following questions, frequently at least one answer is no, indicating that they are not compliant: Can you demonstrate that all of your cashiers have been trained upon hire with a PCI-certified training program, and does that training recur every year? Can you demonstrate that all of your employees have read and signed an employee awareness security policy? Can you demonstrate that all members of your team or your approved vendors are using a secure virtual private network with two-factor authentication to access applications or systems behind your firewall? All members of the PCI payment card network, including merchants and service providers, must comply with twelve different requirements organized into six core categories. All members of the PCI payment card network, including merchants and service providers, must comply with 12 different requirements organized into six core categories: PCI DSS Requirements Build and Maintain a Secure Network 1. Install and maintain a firewall configured to protect card-holder data. 2. Do not use vendor-supplied defaults for system passwords and other security parameters. Protect Card-holder Data 3. Protect stored card-holder data. 4. Encrypt transmission of card-holder data across open, public networks. Maintain a Vulnerability Management Program 5. Use and regularly update anti-virus software or programs. 6. Develop and maintain secure systems and applications. Implement Strong Access Control Measures 7. Restrict access to card-holder data within the organization on the basis of business need-to-know. 8. Assign a unique identifier to each employee with computer access. 9. Restrict physical access to card-holder data. Regularly Monitor and Test Networks 10. Track and monitor all access to network resources and card-holder data. 11. Regularly test security systems and processes. Maintain an Information Security Policy 12. Maintain a policy that addresses information security for all employees. Source: PCI DSS Requirements and Security Assessment Procedures, Version 2.0, 3

4 PCI compliance is not a one-time achievement, but is validated on an ongoing basis. The terms of validation vary based of the total number of annual credit card transactions that merchants generate each year, and are organized into four levels. PCI compliance is not a one-time achievement, but is validated on an ongoing basis. The terms of validation vary based of the total number of annual credit card transactions that merchants generate each year, and are organized into four levels: Level Criteria 1. Any merchant processing more than 6 million transactions per year 2. Any merchant processing 1 to 6 million transactions per year 3. Any merchant processing 20,000 to 1 million transactions per year On-Site Security Audit Self-Assessment Questionnaire External Vulnerability Scan 4. All other merchants, not in Levels 1, 2 or 3 As this chart shows, merchant validation requirements fall into three groups: On-Site Security Audit: for Level 1 merchants, this is also known as a Report on Compliance (ROC) and must be completed by a PCI-certified Qualified Security Assessor (QSA). Annual Self-Assessment Questionnaire: In lieu of a ROC, Level 2-4 merchants must complete one of six Self-Assessment Questionnaires (SAQ) to document PCI compliance status. This must recur annually to identify compliance shortfalls. External Vulnerability Scans: All merchants are required to have external network scans performed by a PCI-certified Authorized- Scanning Vendor (ASV). Scan requirements are rigorous: all 65,000 ports must be scanned, vulnerabilities detected, high severity-level vulnerabilities must be remediated, and two key reports completed and filed with the bank card processor. 4

5 It s advisable to be proactive in protecting your business and customers from credit card data breach; once a breach occurs, much of the damage will have already been done. Proactively protect your business from breach It s advisable to be proactive in protecting your business and customers from credit card data breach; once a breach occurs, much of the damage will have already been done. If you are a Level 2-4 merchant, follow these key steps to start on the path toward compliance: Financially Protect Yourself from a Breach: Consider acquiring breach protection for each of your site locations to help cover costs of a forensic audit, fees, fines and credit card replacement in the event of a breach. Validate PCI Compliance: Select and complete the Self-Assessment Questionnaire (SAQ) based on your environment. Select an Authorized Security Vendor and complete the External Vulnerability Scan. Document the process and file the necessary reports. Achieve PCI Compliance: Requirements will vary depending on your environment, but basic requirements include: implementing a fully managed, stateful inspection firewall; installing layered, dynamic security with unified threat management; implementing secure remote access with two-factor authentication; educating staff; and implementing and managing a security policy. Maintain Compliance: Manage and maintain PCI compliance within your organization. This includes conducting regular employee training, documenting and following security policies, and conducting regular assessments and scans to identify and remediate gaps. PCI Compliance Solutions from EarthLink Business PCI is a complex set of standards, but is critical to financial stability for any size merchant that accepts credit cards. EarthLink Business offers a full range of services to support merchants on the path to PCI compliance. This includes EarthLink s PCI Compliance Validation service, which provides Level 2-4 merchants with $100,000 in breach protection 4 per location as well as tools to validate PCI compliance. Through an easy-to-use web-based portal, merchants can conduct quarterly Authorized Scan Vendor (ASV) scans, Self-Assessment Questionnaires (SAQ), and training, and have access to a security policy and online knowledge base. EarthLink also provides secure MPLS WAN, secure Point of Sale (POS) transport, managed security and other services to address gaps. 5

6 PCI-DSS is a complex standard, however, and one that requires ongoing validation to remain in compliance. Many organizations will find that by collaborating with a trusted partner, achieving and maintaining PCI compliance can be both simplified and accelerated. To learn more about how EarthLink can help your organization getinfo@earthlinkbusiness.com Call: Visit: SUMMARY Retail business success depends upon secure credit card transactions and the protection of sensitive customer data. Unfortunately, the odds of a security breach grow every year, as hackers, criminal organizations, and malware all grow more sophisticated and aggressive. And in the event that a breach occurs and results in the loss of sensitive credit card information the consequences could be very serious, from fiscal, legal, and/or public relations standpoints. Compliance with the PCI-DSS, an end-to-end standard addressing both technology and business processes, is essential to make such breaches far less likely. It s also legally required for all retailers that take Visa or MasterCard. PCI-DSS is a complex standard, however, and one that requires ongoing validation to remain in compliance. Many organizations will find that by collaborating with a trusted partner, achieving and maintaining PCI compliance can be both simplified and accelerated. EarthLink Business delivers the tools, experience, and service to help retailers achieve, maintain, and validate PCI-DSS compliance requirements. Notes: 1. PCI Standards Council Annual Meeting 2011, QSA/ASV General Session, 9/20/11 IC3 Executive. 2. Visa Data Security & Authentication Symposium: Securing Your Business Growth, 6/6/12, 3. PCI Standards Council, QSA summary report, 3/12/ The PCI Compliance Validation and Data Breach Protection Services, which are being resold by EarthLink Business, will be provided and serviced by ANXeBusiness Corp. The PCI Compliance Validation Service is not a guarantee that a data breach will not occur, and alone cannot prevent losses. EarthLink Business makes no representations as to whether the Data Breach Protection Service will apply to, or cover, any particular claim or loss. EARTHLINK BUSINESS DISCLAIMS ALL WARRANTIES, WHETHER EXPRESS OR IMPLIED, INCLUDING ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, WITH RESPECT TO THE PCI COMPLIANCE VALIDATION AND DATA BREACH PROTECTION SERVICES, AND WILL NOT BE LIABLE FOR ANY LOSSES, COSTS OR DAMAGES, INCLUDING, WITHOUT LIMITATION, DIRECT, INDIRECT, INCIDENTAL, PUNITIVE OR CONSEQUENTIAL (INCLUDING LOSS OF PROFITS, BUSINESS OR DATA) RESULTING FROM, OR RELATED TO, THE SERVICES OR INFORMATION ABOUT THE SERVICES, REGARDLESS OF WHETHER SUCH INFORMATION IS PROVIDED BY ANXEBUSINESS CORP. OR EARTHLINK BUSINESS EarthLink, Inc. Trademarks are property of their respective owners. All rights reserved