GETTING STARTED WITH THE EPSG PCI DSS PROGRAM. Derek Schultz, Business Development Manager

Transcription

1 GETTING STARTED WITH THE EPSG PCI DSS PROGRAM Derek Schultz, Business Development Manager

2 AGENDA 1 EPSG Program 2 About Trustwave 3 PCI Basics 4 The Risk of Non-Compliance 5 Using TrustKeeper PCI Manager

3 Who We Are WHO WE ARE Company facts and figures SERVING GROWING GLOBAL over 3 MILLION subscribers with over 1,300 EMPLOYEES THREAT MANAGEMENT Integrated portfolio of technologies delivering comprehensive protection VULNERABILITY MANAGEMENT Global Threat Database feeding Big Data back-end employees in 26 countries INNOVATING over 56 patents granted / pending COMPLIANCE MANAGEMENT Leading provider of cloud delivered IT-GRC services

4 OUR CUSTOMERS

5 WHO S RESPONSIBLE FOR WHAT Oversight, Responsibility, Enforcement PCI Security Standards Council Qualified Security Assessor (QSA) Perform assessments and provide support to merchants, processors, banks Submit compliance report or other form Merchants Processors Banks Compliant policies, systems & procedures

6 PCI BASICS PCI DSS defined Cardholder data is any personally identifiable data including: Primary Account Number Expiry Date Name Sensitive Authentication Data must also be protected: Full Track Data (magnetic strip) CAV2/CVC2/CVV2/CID (3 or 4 digit code) PIN/PIN Block All merchants accepting debit/credit cards must comply with the PCI DSS at all times.

7 PCI BASICS PCI DSS defined The Payment Card Industry Data Security Standard (PCI DSS) is a set of 12 requirements designed to protect cardholder data Applies to all merchants, systems, networks and applications that process, store, and/or transmit card numbers Build and Maintain a Secure Network and Systems (2) Protect Cardholder Data (2) Maintain a Vulnerability Management Program (2) Implement Strong Access Control Measures (3) Regularly Monitor and Test Networks (2) Maintain an Information Security Policy (1)

8 PCI DSS Key terms Self-Assessment Questionnaire (SAQ) A questionnaire designed to assist organizations in self-evaluating their IT and payment processing environment Vulnerability Scanning Helps secure your business by identifying weaknesses in your network and applications Qualified Security Assessor (QSA) Certified to validate that a company is compliant with the PCI DSS Approved Scanning Vendor (ASV) Certified to perform vulnerability scanning

9 VALIDATION ACTIONS DEPEND ON LEVEL Merchant Level Validation Actions Validated By 3 Any merchant that processes 20,000 to 1 million e-commerce transactions annually Annual Self- Assessment Questionnaire Quarterly Network Scan Merchant Approved Scanning Vendor 4 Any merchant that processes up to 1 million brick-and-mortar Visa transactions, or less than 20,000 Visa/ e-commerce transactions annually Annual Self-Assessment Questionnaire Quarterly Scan Network Merchant Approved Scanning Vendor

10 THE RISK OF NON-COMPLIANCE Large corporations that have been breached make it to the evening news What doesn t make the news is that SMALL MERCHANTS are at the greatest risk of a data breach Trustwave found that 90% of merchants that have data stolen are small businesses.

11 PCI DSS COMPLIANCE Sound business practice Fundamental Security Best Practices Avoid fraud Helps to understand own system better Clarifies where data is stored Upholds Brand Name Adds value to name Increases consumer confidence Non-compliant or Compromised Business could expect: Damage to their brand/reputation Investigation costs Remediation costs Fines and fees

12 GETTING STARTED WITH TRUSTKEEPER PCI MANAGER

13 GETTING STARTED LANDING PAGE

14 REGISTRATION THREE EASY STEPS Step 1: Enter merchant information

15 ASSESSMENT OVERVIEW Customized step-by-step workflow

16 BUSINESS ENVIRONMENT Guidance for scanning and tuning the workflow

17 SCAN SETUP E-commerce website or physical location?

18 L4 Merchant Security Enablement TrustKeeper Agent Persistent Monitoring Vulnerability Scanning Security Configuration Check PAN and Track Data ID PA-DSS compliance Unauthorized Device Monitoring File Integrity Monitoring Anti-Virus Protection Remote Access Monitoring 18

19 EXPERT FORM OR PCI WIZARD Simplify completion by the Step-By-Step Wizard

20 PCI WIZARD

21 HELP ALONG THE WAY Contextual help and tips throughout + 24/7/365 helpdesk

22 GUIDANCE TOWARDS COMPLIANCE

23 SCAN RESULTS Online and offline (PDF) scan results

24 CERTIFICATION DOCUMENTS

25 TRUSTED COMMERCE SEAL Display a seal of approval

26 SECURITY POLICY ADVISOR Sample security policies and supporting documents

27 SECURITY AWARENESS EDUCATION Online training based on different industries and roles

28 NOTIFICATIONS

29 TRUSTWAVE SECURITY OPERATIONS CENTER

30 Who We Are COMPLIANCE SUPPORT 201,000 CALLS In 2015 More than 75 support analysts, working 24/7/365. SUPPORT 6 LANGUAGES SOC locations: Chicago, Denver, 24 SECONDS AVERAGE HOLD TIME OF AVERAGE TALK TIME OVER 7 MINUTES Warsaw, Minneapolis and Manila 5 GLOBAL SUPPORT LOCATIONS All agents are fluent in English

31 COMPLIANCE SUPPORT What we do Support Analysts Outbound Analyst To help merchants activate accounts, become compliant, renew compliance Chat Analysts Escalation Team Quality Assurance/Training All calls are recorded and available for escalations, call calibrations, etc Screen is also captured, to give a better sense of what happened on the call Scanning Team Help customers understand why scans failed, what the vulnerabilities mean, advice on how to remediate Review disputes Agent/POSM Team

32 SMB Security Toolkit: Highlights

33 SECURITY PROGRAM TrustKeeper PCI Manager Today Profile Wizard To Do List SAQ Compliance TrustKeeper Merchant Security Program Security Toolkit & TrustKeeper Agent Security Tasks SAQ Secure Compliance

34 PCI COMPLIANCE & SECURITY Key List Feature PCI Compliance PCI Comp. Plus PCI Security PCI Security Plus SMB Security Toolkit PCI Wizard, To Do List, and SAQ Security Policy Templates PCI Network Vulnerability Scans (if required) (1 IP) (3 IPs) (3 IPs) (3 IPs) Security Health Check Security Configuration Monitoring POS Application Detection Module Credit Card Data Storage Monitoring (DLP) Unauthorized Device Monitoring File Integrity Monitoring (FIM) Trustwave Anti-virus (AV) Security Policy Generator POS Tracker Mobile Device Security Remote Access Security Web Malware Monitoring (3 websites) Security Log Monitoring OV/EV SSL Certificate Vulnerability Management (TVM) Secure Gateway (cloud) Breach Protection 24

35 QUESTIONS? WE ARE HERE TO HELP. EPSG Getting Started Page: Have your Merchant ID handy Customer Support Number TrustKeeper

36 THANK YOU