The Top 5 Security Best Practices for Small Merchants. Simple, affordable steps to protect your business from data thieves
- Amos Garrett
- 8 years ago
A White Paper, May 2012

Information Security and Your Business

Stories of hackers and data breaches appear in the news on a near-daily basis, yet studies show that many small merchants are unaware of the steps they should take to protect their businesses from data theft. In fact, the annual ControlScan Level 4 Merchant Study has consistently found that not only are many small merchants unaware of their vulnerability to attack, they are also complacent about the impact a breach can have on their business. Even the smallest data breach can have a business-ending result for the average merchant:

Costly Fines: In 2011, more than 95% of the merchants experiencing a data breach had not complied with the Payment Card Industry Data Security Standard (PCI DSS); when not compliant, the breached merchant is often subject to fines from its payment card brand and/or acquiring bank.

Recovery-Related Costs: Merchants' direct costs associated with recovering from a security breach average $194 per stolen record. Given that the typical breach involves tens of thousands of records, the results can be catastrophic to the business. Small merchants could find themselves out of business should a data breach occur.

Brand/Reputation Damage: If the fines and costs related to the breach aren't enough to topple the business, the loss of consumer trust could be the catalyst. Currently, only public companies are required by law to report breaches; however, this requirement may expand to private businesses in the near future.

Think you're not vulnerable? According to Verizon's 2012 Data Breach Investigations Report, which examined 855 incidents affecting 174 million compromised records, 96% of attacks were not highly difficult and 97% of breaches were avoidable through simple or intermediate controls. As a small business owner, your systems are actually the most vulnerable to attack because, according to Verizon, target selection is based more on opportunity than on choice.
This educational white paper addresses the top five best practices small merchants can put in place to easily and cost-effectively protect their businesses against data breaches. We will examine each of the best practices in detail, discussing the benefits and opportunities associated with each activity. Our goal is to help you be proactive in your information security approach so that your business becomes a less likely target for data thieves.
Best Practice #1: Understand Your Sensitive Data, Where It Is, and Who Is Responsible for Its Protection.

Owners of even the smallest businesses need to understand what happens to each customer's sensitive data as soon as it leaves the customer's hands and enters the business's data processing, storage and transmission systems. As the customer's information moves through your business processes, it is critical to maintain that data's security and integrity.

What Is Sensitive Data?

Sensitive data can be financial information, such as account numbers, as well as any personally identifiable information (PII) that can be linked to an individual. While much of the focus is often placed on credit card data (due to its financial implications), it is helpful to also consider PII such as phone, social security and driver's license numbers, as well as home and email addresses. In today's era of information privacy and the consumer expectations that surround it, it is increasingly important that businesses protect customer contact and credential information with the same discipline as card data. Fraudsters are adept at leveraging pieces of personal information to exploit consumers, including sending phishing emails that appear to originate from a trusted source such as the recipient's bank or credit card issuer.

What Is the PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) was created by the major credit card brands (American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.) to establish a security standard and specific measures merchants must take to protect cardholder data and minimize the risk of a security breach. All merchants who process, store or transmit credit card information are subject to the PCI DSS; essentially, any merchant who has a Merchant ID (MID). For more information, visit

Where Does Your Sensitive Data Live?

It is critical to understand and identify all the places within your office environment, business processes and systems where sensitive data is captured, exchanged or stored. While online and transactional business systems are an obvious place to consider, it is not unusual for data to be pulled into spreadsheets and left, forgotten, on hard drives or USB sticks. Cardholder data and PII may also be jotted down on paper in the course of talking to the customer over the phone. It's important to identify all these places, as well as the business processes that are involved. For example, if employees are jotting down information on paper, you will want to update your processes and systems so that this no longer occurs.

Who Is Responsible for Data Safekeeping?

A significant first step to putting security controls in place is assigning individual responsibility and accountability for monitoring and protecting the sensitive data your business handles. Next, create a simple spreadsheet that documents the various types of sensitive data your business is handling (cardholder data, addresses, etc.), the location of any and all data, and who has responsibility for it. Be sure to review this spreadsheet on a quarterly basis at minimum, to ensure that the information it contains remains current.

Best Practice #2: Avoid Storing Sensitive Data, and if You Have to, Secure It.

One of the easiest steps toward lowering the security risk to your business (and reducing your scope for complying with the PCI DSS) is to not store cardholder data, period. Examine the spreadsheet you created as part of Best Practice #1 to evaluate where your sensitive data resides. Ask yourself with each line item: Does this information really need to be retained and stored? The more items you can remove from your spreadsheet (because you aren't storing the data), the better. Here are some tips on ways to eliminate information from being stored in your system/network:

- If you are an ecommerce merchant, utilize a check-out or payment page, hosted by a PCI-compliant service provider, to process your customers' payment information outside of your own business network.
- If you accept physical credit cards, consider moving to a point-to-point encryption solution that encrypts card data from the point that it's swiped up to the payment processor.
- If you use portable storage devices or laptops to store or transfer data, make sure that the data is encrypted.

Recent studies show that small merchants are typically reactive in applying the above approaches, much to their own detriment. The easiest and most cost-effective way to incorporate the above steps is to outsource to a PCI-compliant service provider (see Best Practice #5).
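The inventory in Best Practice #1 only helps if it is complete, and the "forgotten spreadsheet on a hard drive or USB stick" is exactly the copy nobody lists. As an added example (not part of the ControlScan paper), the following Python script shows one way to find cardholder data in that kind of file so it can be added to the inventory or, better, deleted. It pairs a 13-to-19-digit pattern with the Luhn checksum so that order numbers and parcel tracking numbers are not reported, and it masks everything but the last four digits so the scan report does not become another copy of the data. The file contents are constructed for this example, and the only complete card numbers in them are the publicly known Visa and MasterCard test numbers.

```python
import re
from typing import Dict, List

# Constructed file contents for this example: the only complete card numbers are
# the publicly known Visa and MasterCard test numbers, which are not live accounts.
SAMPLE_FILES: Dict[str, str] = {
    "orders_backup_2011.csv": (
        "order_id,customer,card,amount\n"
        "1001,J. Smith,4111 1111 1111 1111,49.99\n"     # Luhn-valid: a PAN
        "1002,A. Jones,5500-0000-0000-0004,12.00\n"     # Luhn-valid: a PAN
        "1003,B. Lee,1234567812345678,7.50\n"           # 16 digits but fails Luhn: not a PAN
    ),
    "phone_notes.txt": (
        "Customer called about order 1002, card ending 0004.\n"
        "Parcel tracking number 9400111899223456789012\n"  # 22 digits: too long for a PAN
    ),
}

# 13 to 19 digits, optionally separated by spaces or hyphens, not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return the unformatted card numbers found in text (candidate pattern plus Luhn check)."""
    pans = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            pans.append(digits)
    return pans


def mask(pan: str) -> str:
    """Report only the last four digits; the scan report must not become another copy of the data."""
    return "*" * (len(pan) - 4) + pan[-4:]


def scan_files(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each file that contains cardholder data to its masked PANs; clean files are omitted."""
    report = {}
    for name, content in files.items():
        found = find_pans(content)
        if found:
            report[name] = [mask(p) for p in found]
    return report


if __name__ == "__main__":
    for filename, masked in scan_files(SAMPLE_FILES).items():
        print(f"{filename}: {len(masked)} card number(s) found: {masked}")
```

On a real machine you would feed `scan_files` the contents of every spreadsheet, export and text file on the drive rather than the constructed dictionary; the Luhn filter is what keeps the report from filling up with harmless long numbers, and anything it does report belongs either in the inventory spreadsheet or in the shredder.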
Have to Store Data? Secure It.

If there is a significant business reason for you to store sensitive data, the following steps will help you secure it:

- Limit database access to only those who absolutely need it, giving those parties their own, unique credentials;
- Do not store authentication data for either your employees or your customers; and
- Implement a tokenization solution to enable repeat online customers to securely store and access their payment information.

Again, the best thing you can do for your business is not store cardholder data or PII at all. Securing sensitive data means limiting user access and segmenting network systems.

Network Segmentation Is Key to Security.

Systems that store, process or transmit sensitive data (cardholder data in particular) should be segmented away from the rest of your business network. While network segmentation can sound daunting, more and more solutions are coming to market that simplify this task. With cloud solutions proliferating, there are more options emerging for managed firewalls in which experts oversee the deployment and ongoing management of firewalls remotely. These firewalls offer native segmentation abilities, allowing the point-of-sale (POS) network to be plugged into one port, and the rest of the network to be plugged into another. A managed solution can ensure that the POS network is locked down, that additional devices can only be added on an authorized basis and that communications can only occur with approved targets.
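The tokenization step above is easier to evaluate once you see what the merchant's own systems end up holding. The Python below is an added example, not code from the paper or from any tokenization vendor: a constructed in-memory token vault hands the merchant a random token plus the last four digits, and only the vault side can turn the token back into a card number when a returning customer is charged. The key name, the `tok_` prefix and the approval result are all constructed for the example; a real vault keeps its mapping encrypted inside the segmented cardholder data environment (or at a PCI-compliant service provider, as Best Practice #5 recommends) and never exposes detokenization to the merchant's web application.

```python
import hashlib
import hmac
import secrets
from typing import Dict


class TokenVault:
    """Constructed in-memory token vault for illustration only.

    A production vault keeps the token-to-PAN mapping encrypted, inside the
    segmented cardholder data environment or at a PCI-compliant provider, and
    the merchant's web application never gets to call detokenize().
    """

    def __init__(self, index_key: bytes) -> None:
        self._pan_by_token: Dict[str, str] = {}
        # Keyed hash of the PAN -> token, so a returning card is recognised
        # without the vault having to compare plaintext PANs.
        self._token_by_index: Dict[str, str] = {}
        self._index_key = index_key

    def _index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        """Return a random token for the PAN; the token carries no card information."""
        idx = self._index(pan)
        if idx not in self._token_by_index:
            token = "tok_" + secrets.token_hex(16)   # 128 random bits, not derived from the PAN
            self._pan_by_token[token] = pan
            self._token_by_index[idx] = token
        return self._token_by_index[idx]

    def detokenize(self, token: str) -> str:
        """Only the vault (the processor side) can map a token back to a PAN."""
        return self._pan_by_token[token]


def store_customer_card(customer_db: Dict[str, dict], vault: TokenVault,
                        customer_id: str, pan: str) -> str:
    """What the merchant keeps on file: the token and the last four digits, never the PAN."""
    token = vault.tokenize(pan)
    customer_db[customer_id] = {"token": token, "last4": pan[-4:]}
    return token


def charge_returning_customer(customer_db: Dict[str, dict], vault: TokenVault,
                              customer_id: str, amount_cents: int) -> dict:
    """The merchant submits the token; the vault resolves it on the processor side."""
    record = customer_db[customer_id]
    pan = vault.detokenize(record["token"])          # never returns to the merchant
    return {"customer": customer_id, "amount_cents": amount_cents,
            "card_last4": pan[-4:], "approved": True}   # constructed approval response


if __name__ == "__main__":
    vault = TokenVault(b"constructed-demo-index-key")
    customers: Dict[str, dict] = {}
    store_customer_card(customers, vault, "cust-1", "4111111111111111")
    print("merchant database:", customers)           # contains a token and last4 only
    print(charge_returning_customer(customers, vault, "cust-1", 1999))
```

The point to check in any vendor's offering is the same one the example makes visible: after tokenization, the merchant database contains nothing that a thief could use at another merchant, which is why the stored token falls outside the data you have to protect under the PCI DSS.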
[Diagram: Merchant Location. Non-POS Network: normal two-way communications with the Internet; not PCI compliant. POS Network: locked down and only allows one-way communications with the Payment Processor; completely secure and PCI compliant.]

In the diagram above, the firewall controls the traffic from the POS network, directing it to the payment processor and refusing communications from any other source. Meanwhile, non-POS devices, including guests on the wireless network and back office PCs, are able to access other destinations across the Internet. These same firewalls can provide the added protection of filtering out or blocking sites that you don't want employees or guests reaching, and typically contain anti-virus or anti-malware themselves.

Best Practice #3: Protect Your Perimeter with Firewalls; Ensure You Don't Leave Back Doors Open.

Good security incorporates defense in depth, or multiple layers of protection. One of the primary requirements of the PCI DSS is to have a properly configured firewall in place, because for businesses with an Internet connection, firewalls are a first line of cyber-defense. It's common for small merchants to either purchase a consumer-grade router from their local electronics store or plug in the firewall that their franchisor sent them. Default settings are typically left as-is, and the merchant moves on.
The issue with plugging in and forgetting your business's firewall is that a poorly configured firewall is only slightly better than no firewall at all. According to the United States Computer Emergency Readiness Team (US-CERT), the most common configuration mistake is not providing outbound data rules, which can leave the business open to external attack. Therefore, it is imperative to properly configure your firewall according to the way your business handles data.

Hackers are skilled at locating and exploiting security holes and network vulnerabilities. Protecting your perimeter means checking for any unprotected holes that could allow attackers to gain entry. The most common mistake is a remote access service that has been left up and running with a weak or, even worse, a default user ID and password in place. This often happens when consultants, contractors or VARs want to conveniently access business systems remotely in order to provide support. You can mitigate this security risk by limiting remote access to your network, ensuring remote access is only enabled when it has to be, and requiring vendors to use two-factor authentication for access. (Two-factor authentication goes beyond a password, requiring that a token be presented to the system in order to gain access.)

If your business utilizes Internet-facing Web applications (in particular, an ecommerce site that accepts card payments), requirement 6.6 of the PCI DSS requires that you either utilize a Web Application Firewall (WAF) or have your website reviewed annually (or after any changes). Most merchants don't have the resources to engage a technical expert to review their site after changes, so a WAF is the optimal alternative. WAFs work by examining the inbound traffic seeking access to your website and blocking what is found to be illegitimate. This is important, because many Internet-facing Web applications are supported by an underlying database containing all kinds of sensitive customer data.
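The segmentation diagram and the US-CERT point about missing outbound rules are easiest to test as a policy rather than as a picture. The Python below is an added example, not the paper's or any firewall vendor's, that models two rule sets as first-match-wins lists with an implicit default deny: a "plug it in and forget it" policy that blocks inbound traffic but has no outbound rules, and the segmented policy from the diagram, where the POS network may only open HTTPS to the payment processor and the back office gets ordinary two-way Internet access but cannot reach the POS. The networks (RFC 1918 space for the LAN, an RFC 5737 documentation address for the processor) and the flows being checked are constructed for the example; the same flow list is what you would hand a managed firewall provider to confirm their configuration does what the diagram promises.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    src: str               # source network in CIDR notation
    dst: str               # destination network in CIDR notation
    dport: Optional[int]   # destination port, or None for any port
    action: str            # "allow" or "deny"


# Constructed addresses: RFC 1918 space for the merchant's LAN and an
# RFC 5737 documentation address standing in for the payment processor.
POS_NET = "10.10.1.0/24"
OFFICE_NET = "10.10.2.0/24"
LAN = "10.10.0.0/16"
PROCESSOR = "203.0.113.10/32"
ANY = "0.0.0.0/0"

# "Plug it in and forget it": inbound is blocked by the default deny, but there are
# no outbound rules at all, which US-CERT calls the most common configuration mistake.
PLUG_AND_FORGET: List[Rule] = [
    Rule(LAN, ANY, None, "allow"),
]

# Segmented policy from the diagram: POS may only open HTTPS to the processor;
# the rest of the LAN gets normal two-way Internet access but cannot reach the POS.
SEGMENTED: List[Rule] = [
    Rule(POS_NET, PROCESSOR, 443, "allow"),
    Rule(POS_NET, ANY, None, "deny"),
    Rule(OFFICE_NET, POS_NET, None, "deny"),
    Rule(OFFICE_NET, ANY, None, "allow"),
]


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, dport: int) -> str:
    """First matching rule wins; anything unmatched is denied (default deny)."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for r in rules:
        if (src in ipaddress.ip_network(r.src)
                and dst in ipaddress.ip_network(r.dst)
                and (r.dport is None or r.dport == dport)):
            return r.action
    return "deny"


# Constructed flows a merchant would want to check before trusting a policy.
FLOWS: List[Tuple[str, str, str, int]] = [
    ("POS -> processor HTTPS", "10.10.1.5", "203.0.113.10", 443),
    ("POS -> unknown Internet host", "10.10.1.5", "198.51.100.7", 4444),
    ("back office -> POS (SSH)", "10.10.2.20", "10.10.1.5", 22),
    ("back office -> web browsing", "10.10.2.20", "198.51.100.7", 443),
    ("Internet -> POS (RDP)", "198.51.100.7", "10.10.1.5", 3389),
]


def audit(rules: List[Rule]) -> List[str]:
    """Names of the constructed flows that the given policy lets through."""
    return [name for name, s, d, p in FLOWS if evaluate(rules, s, d, p) == "allow"]


if __name__ == "__main__":
    for label, policy in (("plug-and-forget", PLUG_AND_FORGET), ("segmented", SEGMENTED)):
        print(f"{label}: allows {audit(policy)}")
```

Running the audit shows the difference the paper describes: both policies block the inbound connection to the POS, but only the segmented one stops a compromised POS terminal from reaching an arbitrary Internet host, and only it keeps a back office PC (or a guest on the wireless network) from reaching the POS at all.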
Managed Security Services Can Be Affordable.

Proactively arming the perimeter of your network is a wise business decision that requires an up-front investment. The best way to control your spending while maximizing the investment's outcome (e.g., a correctly configured firewall) is to procure managed security services from an expert provider (a managed security service provider, or MSSP).
Fortify your interior with regular training that unifies employees' security mindset.

Managed security services offer an uncomplicated, cost-effective way to bring enterprise-level security to your small business. Small merchants, especially those who process or store card data, should consider a managed service offering to meet best practices for securing data and to comply with the PCI DSS. Managed security services allow firewalls to be implemented, configured and administered on a remote basis, making them a simple and affordable solution. Like network firewalls, WAFs are becoming increasingly available as service offerings, allowing merchants to tap into outside expertise at a manageable cost in order to protect their website and the data behind it.

Best Practice #4: Fortify Your Interior with People, Procedures and Technology.

According to studies like Verizon's, internal threats are far less likely than an external hack. Still, each year, many breaches are caused by careless handling of data or even malicious employees selling customer data to outsiders. It is a best practice to mitigate security risks associated with your people and the internal procedures and technologies they rely upon to conduct business.

Your People: Training, Access, Vigilance.

One of the weakest links in the security chain is humans: your employees. An example of a recent, highly publicized breach that originated through human error is the RSA breach. The security hole occurred when an employee unwittingly opened a booby-trapped Excel file contained within a phishing email. The Q attack, which targeted sensitive data related to RSA's SecurID token authentication technology, cost the company $66 million in Q alone.
Security awareness training is a critical, ongoing requirement for all employees, no matter the size of the business. The PCI Security Standards Council (SSC) has placed significant weight on employee training, making it mandatory for the PCI compliance of every merchant completing its Self Assessment Questionnaire (SAQ) versions B-D. Small merchants should conduct security awareness training on an annual basis and include specific instructions for how employees should handle sensitive information and credit card transactions. Keep in mind that, like many other security services, employee security awareness training can be procured affordably over the Internet or is often available at no additional cost as part of most conventional PCI compliance programs.

As mentioned under Best Practice #2, it is imperative that you restrict access to only those employees who absolutely need to handle sensitive data. This practice relates to the concept of minimizing the scope, or surface area, that needs to be protected.

Vigilance is required on the part of all employees, but especially on the part of the person you've made responsible for monitoring and protecting your business's sensitive data (see Best Practice #1). The following are suggestions to exercise this vigilance (source:

- Test your systems repeatedly to keep up with evolving systems, networks and changes in staff behavior. Spot-check aspects of your business monthly, examine the security impact of new applications before you deploy them, and perform a company-wide security analysis at least once per year.
- Subscribe to security-related Internet resources such as security advisories, and search key websites to stay current.
- Treat security as a process, not a product. Develop an internal security process that reflects your changing business needs.
- If you have multiple locations, make sure you keep a close watch on the IT operations of each. The lack of oversight over your locations can lead to unknown risks and threats. The best scenario is a solution that allows centralized control over the administration and configuration of your distributed networks.

Your Procedures: Policies, Planning, Enforcement.

A comprehensive security policy is also foundational to a strong interior. Your security policy should include a checklist to ensure important security points are reviewed on a regular basis. This can be a simple spreadsheet that lists the tasks and the date they should be carried out. If you are enrolled in a conventional PCI compliance program, it is possible that you may have free access to policy templates that can be tailored to fit your business model.
Ongoing security tasks may include:

- Ensuring that departed employees have been completely removed from all systems.
- Reviewing and updating current user access rights.
- Checking to see that all systems are properly patched (in the Windows world this is usually as simple as running Windows Update).
- Inspecting the actual payment-related hardware in place to ensure it hasn't been altered or replaced with an illicit device.
- Making sure that passwords are changed regularly and are properly complex, using capital letters, numbers, etc. There should be a password policy within your security policy document to reinforce this important area. Many compromises are a result of merchants and integrators using default, weak or shared passwords.

Security is an ongoing process of checking and ensuring that all bases are covered. Like the security policy, an incident response plan is a proactive way to shield your organization against worst-case scenarios. It's a fact that even after breaches are discovered, they often persist for days or even weeks as the organization tries to determine where to go for help and how to isolate the affected systems. Your incident response plan should include the contact information of key authorities, financial entities and service providers in the event of a breach. If you have business insurance, keep that information handy as well. Finally, it is important to regularly review and understand your system logs (or have an MSSP doing this), so that you can easily spot inconsistencies that signify possible system threats.
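"Review your system logs" is vague until you decide what an inconsistency looks like. As an added example (not from the paper or any vendor), the Python below runs three checks that follow directly from the points above over the log of a remote access service: a burst of failed logins from one source (password guessing against the default accounts the paper warns about), a successful login with a default or vendor account from an address that is not the vendor's agreed support address, and a successful login outside business hours. The log format, the account list, the approved vendor address and the log lines themselves are all constructed for the example; a real RDP, VPN or remote-support log will look different, but it carries the same three fields (time, result, user, source) that the checks need.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed log format for this example; a real remote-access, RDP or VPN
# log will differ, but the checks below only need time, result, user and source.
LINE = re.compile(
    r"^(?P<ts>\S+) remote-access (?P<event>LOGIN_OK|LOGIN_FAILED) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

SAMPLE_LOG = """\
2012-05-01T09:02:11 remote-access LOGIN_OK user=jane src=10.10.2.20
2012-05-01T02:14:07 remote-access LOGIN_FAILED user=admin src=198.51.100.7
2012-05-01T02:14:09 remote-access LOGIN_FAILED user=admin src=198.51.100.7
2012-05-01T02:14:12 remote-access LOGIN_FAILED user=admin src=198.51.100.7
2012-05-01T02:14:15 remote-access LOGIN_FAILED user=admin src=198.51.100.7
2012-05-01T02:14:20 remote-access LOGIN_FAILED user=admin src=198.51.100.7
2012-05-01T02:14:31 remote-access LOGIN_OK user=admin src=198.51.100.7
2012-05-01T14:30:00 remote-access LOGIN_OK user=posvendor src=192.0.2.44
"""

# Built-in or vendor accounts that should not be logging in from arbitrary places.
DEFAULT_ACCOUNTS = {"admin", "administrator", "guest", "support", "posvendor"}
# Constructed allowlist: the POS vendor's support address named in the written agreement.
APPROVED_VENDOR_SOURCES = {"192.0.2.44"}
BUSINESS_HOURS = range(8, 20)          # 08:00 to 19:59 local time
FAIL_THRESHOLD = 5
WINDOW = timedelta(minutes=10)

Finding = Tuple[str, str, str]         # (kind, user, source address)


def parse(log_text: str) -> List[dict]:
    """Parse the lines that match the expected format and sort them by time."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:                                   # unparseable lines are skipped, not trusted
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    events.sort(key=lambda e: e["ts"])          # logs are not always written in time order
    return events


def review(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    events = parse(log_text)

    # 1. Repeated failures from one source inside a short window (password guessing).
    fails: Dict[str, List[dict]] = defaultdict(list)
    for e in events:
        if e["event"] == "LOGIN_FAILED":
            fails[e["src"]].append(e)
    for src, evs in fails.items():
        for i in range(len(evs) - FAIL_THRESHOLD + 1):
            if evs[i + FAIL_THRESHOLD - 1]["ts"] - evs[i]["ts"] <= WINDOW:
                users = ",".join(sorted({x["user"] for x in evs}))
                findings.append(("brute_force", users, src))
                break                           # one finding per source is enough

    # 2. Default/vendor account from an unapproved address; 3. login outside business hours.
    for e in events:
        if e["event"] != "LOGIN_OK":
            continue
        if e["user"] in DEFAULT_ACCOUNTS and e["src"] not in APPROVED_VENDOR_SOURCES:
            findings.append(("default_account_login", e["user"], e["src"]))
        if e["ts"].hour not in BUSINESS_HOURS:
            findings.append(("off_hours_login", e["user"], e["src"]))
    return findings


if __name__ == "__main__":
    for kind, user, src in review(SAMPLE_LOG):
        print(f"{kind:22} user={user} src={src}")
```

On the constructed log the script reports nothing for the employee's morning login or the vendor's scheduled afternoon session, and three findings for the 02:14 sequence: a burst of failures, then a successful `admin` login from the same outside address, at night. That is the pattern the paper's incident response plan exists for, and each finding names the account to disable and the source to block while you make the calls on the plan's contact list.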
Your Technology: Software, Applications, Segmentation.

Merchants should be using payment technologies that have been tested and approved for PCI Payment Application Data Security Standard (PA-DSS) compliance. The PCI SSC requires regular, ongoing reviews of payment applications and maintains a list of validated payment applications on its website. If you are an ecommerce merchant using your own proprietary payment application(s), consider outsourcing that functionality to a PCI-compliant service provider. Home-grown payment applications are more susceptible to security holes, making them costly to maintain and requiring extensive subject matter expertise in PCI compliance and security.

In addition to segmenting the card data environment away from the rest of the network, it's important to keep anti-virus protection resident and current on every machine. Follow your technology vendor's recommendations for installing and using every patch and service kit released for your systems and applications.

Best Practice #5: Know Your Service Provider(s) and Their State of PCI DSS Compliance.

Today, many small merchants are outsourcing all or part of their card processing steps to service providers, such as shared hosting providers, payment gateways, managed security firms, etc. (see box below). It is typical for merchants to outsource all or part of their IT infrastructure to service providers as well. When considering options for outsourcing pieces of your business and infrastructure, it's important to evaluate service providers from a PCI DSS compliance standpoint.

Definition of a Service Provider: Business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data. This also includes companies that provide services that control or could impact the security of cardholder data. Examples include managed service providers that provide managed firewalls, IDS and other services as well as hosting providers and other entities. Entities such as telecommunications companies that only provide communication links without access to the application layer of the communication link are excluded. (Source: PCI SSC Glossary)
Don't assume that the service provider you're handing sensitive data to is PCI DSS compliant, because their inability to properly protect your customer data could implicate your business should a breach occur. Protect yourself by asking for proof of compliance, as well as requesting any other audit reports such as the SAS 70, or its successor, the SSAE 16. These reports are often held by larger companies that store and/or process financial or other critical information on behalf of others. Both Visa and MasterCard maintain lists of PCI DSS-compliant service providers.

The following are tips for evaluating and maintaining solid working relationships with your outsourced service providers. Staying on top of these tasks will also ensure your ongoing compliance with the PCI DSS:

- Create a due diligence list for choosing new service providers. Your list could include items like the provider's disaster recovery/business continuation plans as well as experience with organizations like yours (i.e., do they understand your unique needs?).
- Keep a list of your current service providers and include their PCI DSS compliance status. (Check up on their status at least annually.)
- Have a written agreement with your service providers; make sure service providers acknowledge their responsibility for the security of the cardholder data they touch.

For most small merchants, technology and data security are foreign and frustrating concepts. If you're in a place where you would rather run your business than worry about hackers and security threats, PCI DSS-compliant service providers are the way to go.

Security Is Top-of-Mind for Your Customers.

Although the Internet has seemingly been around forever, the global marketplace is still working to negotiate the security issues that come with online payment transactions, and consumers are aware of this. A 2012 study by Edelman's Data Security & Privacy Group, "Privacy & Security: The New Drivers of Brand, Reputation and Action Global Insights 2012", makes it painfully clear that consumers still find it difficult to trust businesses with online payment features. Of the more than 4,000 consumers polled, 84% said information privacy and security was very important to them when purchasing products online; however, only 33% said they trust online retailers to properly protect their personal information.
Security Is Everybody's Business.

When implemented, the five best practices examined in this white paper will help small merchants easily and cost-effectively protect their businesses against data breaches. There are myriad benefits and opportunities associated with these practices, including significantly reducing PCI scope and garnering consumer trust. The ultimate benefit, however, is becoming a less likely target for data thieves.

Just as you rely on the merchants you shop with, your customers are depending upon you to protect their sensitive information. As a small business owner, it is your responsibility to take threats to your business systems seriously so that consumer information can be protected. In addition to the moral aspects of data privacy and security, the legal regulations and financial penalties you are subject to should be considered a part of doing business.

About PCI Compliance and Security Provider, ControlScan.

Headquartered in Atlanta, Georgia, ControlScan is the leading provider of Payment Card Industry (PCI) Compliance and Security services designed to meet the unique needs of small to mid-sized merchants and the acquirers that serve them. The company's flexible solutions, easy-to-use online tools and personalized support significantly simplify PCI and security for its clients. In addition, as an Approved Scanning Vendor and a Qualified Security Assessor, ControlScan is positioned to help merchants meet compliance requirements and maintain secure business environments for their customers. For more information about ControlScan and its cloud-based solutions visit controlscan.com or call

Copyright 2012, ControlScan, Inc. All rights reserved.
More informationP R O G R E S S I V E S O L U T I O N S
PCI DSS: PCI DSS is a set of technical and operational mandates designed to ensure that all organizations that process, store or transmit credit card information maintain a secure environment and safeguard
More informationHOW SECURE IS YOUR PAYMENT CARD DATA? COMPLYING WITH PCI DSS
HOW SECURE IS YOUR PAYMENT CARD DATA? COMPLYING WITH PCI DSS August 23, 2011 MOSS ADAMS LLP 1 TODAY S PRESENTERS Presenters Francis Tam, CPA, CISA, CISM, CITP, CRISC, PCI QSA Managing Director, IT Security
More informationThe 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance
Date: 07/19/2011 The 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance PCI and HIPAA Compliance Defined Understand
More informationBecoming PCI Compliant
Becoming PCI Compliant Jason Brown - brownj52@michigan.gov Enterprise Security Architect Enterprise Architecture Department of Technology, Management and Budget State of Michigan @jasonbrown17 History
More informationPCI Risks and Compliance Considerations
PCI Risks and Compliance Considerations July 21, 2015 Stephen Ramminger, Senior Business Operations Manager, ControlScan Jon Uyterlinde, Product Manager, Merchant Services, SVB Agenda 1 2 3 4 5 6 7 8 Introduction
More informationTop Five Data Security Trends Impacting Franchise Operators. Payment System Risk September 29, 2009
Top Five Data Security Trends Impacting Franchise Operators Payment System Risk September 29, 2009 Top Five Data Security Trends Agenda Data Security Environment Compromise Overview and Attack Methods
More informationAISA Sydney 15 th April 2009
AISA Sydney 15 th April 2009 Where PCI stands today: Who needs to do What, by When Presented by: David Light Sense of Security Pty Ltd Agenda Overview of PCI DSS Compliance requirements What & When Risks
More informationHow Secure is Your Payment Card Data?
How Secure is Your Payment Card Data? Complying with PCI DSS SLIDE 1 PRESENTERS Francis Tam, CPA, CISA, CISM, CITP, CRISC, PCI QSA Managing Director, IT Security Practice PCI Practice Leader Francis has
More informationSales Rep Frequently Asked Questions
V 02.21.13 Sales Rep Frequently Asked Questions OMEGA Processing Data Protection Program February 2013 - Updated In response to a national rise in data breaches and system compromises, OMEGA Processing
More informationConquering PCI DSS Compliance
Any organization that stores, processes or transmits information related to credit and debit card payments has a responsibility to protect each cardholder s personal data. To help accomplish this goal,
More informationPCI Compliance for Healthcare
PCI Compliance for Healthcare Best practices for securing payment card data In just five years, criminal attacks on healthcare organizations are up by a stunning 125%. 1 Why are these data breaches happening?
More informationPayment Card Industry Data Security Standards
Payment Card Industry Data Security Standards Discussion Objectives Agenda Introduction PCI Overview and History The Protiviti Difference Questions and Discussion 2 2014 Protiviti Inc. CONFIDENTIAL: This
More informationPCI DSS FAQ. The twelve requirements of the PCI DSS are defined as follows:
What is PCI DSS? PCI DSS is an acronym for Payment Card Industry Data Security Standards. PCI DSS is a global initiative intent on securing credit and banking transactions by merchants & service providers
More informationSection 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015
Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015 I. PURPOSE The purpose of this policy is to establish guidelines for processing charges on Payment Cards to protect
More informationProtect Data. Secure Business.
Achieve Payment Card Industry Data Standard Security (PCI DSS) compliance today, while advancing your network for the technology of tomorrow. Protect Data. Secure Business. Building Your Business With
More informationAre You Ready For PCI v 3.0. Speaker: Corbin DelCarlo Institution: McGladrey LLP Date: October 6, 2014
Are You Ready For PCI v 3.0 Speaker: Corbin DelCarlo Institution: McGladrey LLP Date: October 6, 2014 Today s Presenter Corbin Del Carlo QSA, PA QSA Director, National Leader PCI Services Practice 847.413.6319
More informationFive PCI Security Deficiencies of Retail Merchants and Restaurants
Whitepaper January 2010 Five PCI Security Deficiencies of Retail Merchants and Restaurants The Most Common PCI Compliance Mistakes of Brick-and-Mortar Locations by Brad Cyprus, SSCP - Senior Security Architect,
More informationHow To Protect A Web Application From Attack From A Trusted Environment
Standard: Version: Date: Requirement: Author: PCI Data Security Standard (PCI DSS) 1.2 October 2008 6.6 PCI Security Standards Council Information Supplement: Application Reviews and Web Application Firewalls
More informationPCI Compliance in Multi-Site Retail Environments
TECHNICAL ASSESSMENT WHITE PAPER PCI Compliance in Multi-Site Retail Environments Executive Summary As an independent auditor, Coalfire seeks to be a trusted advisor to our clients. Our role is to help
More informationWhitepaper. PCI Compliance: Protect Your Business from Data Breach
Merchants often underestimate the financial impact of a breach. Direct costs include mandatory forensic audits, credit card replacement, fees, fines and breach remediation. PCI Compliance: Protect Your
More informationMasterCard PCI & Site Data Protection (SDP) Program Update. Academy of Risk Management Innovate. Collaborate. Educate.
MasterCard PCI & Site Data Protection (SDP) Program Update Academy of Risk Management Innovate. Collaborate. Educate. The Payment Card Industry Security Standards Council (PCI SSC) Open, Global Forum Founded
More informationPC-DSS Compliance Strategies. 2011 NDUS CIO Retreat July 27, 2011 Theresa Semmens, CISA
PC-DSS Compliance Strategies 2011 NDUS CIO Retreat July 27, 2011 Theresa Semmens, CISA True or False Now that my institution has outsourced credit card processing, I don t have to worry about compliance?
More informationHow To Protect Your Business From A Hacker Attack
Payment Card Industry Data Security Standards The payment card industry data security standard PCI DSS Visa and MasterCard have developed the Payment Card Industry Data Security Standard or PCI DSS as
More informationIt is important to note, the payment brands and acquirers are responsible for enforcing compliance, not the PCI council.
PCI FAQ And MYTHS FREQUENTLY ASKED QUESTIONS (FAQ): Q: What is PCI? A: The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process,
More informationUsing Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4
WHITEPAPER Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 An in-depth look at Payment Card Industry Data Security Standard Requirements 10, 11,
More informationAn article on PCI Compliance for the Not-For-Profit Sector
Level 8, 66 King Street Sydney NSW 2000 Australia Telephone +61 2 9290 4444 or 1300 922 923 An article on PCI Compliance for the Not-For-Profit Sector Page No.1 PCI Compliance for the Not-For-Profit Sector
More informationYour Compliance Classification Level and What it Means
General Information What are the Payment Card Industry (PCI) Data Security Standards? The PCI Data Security Standards represents a common set of industry tools and measurements to help ensure the safe
More informationPAYMENT CARD INDUSTRY (PCI) COMPLIANCE HISTORY & OVERVIEW
PAYMENT CARD INDUSTRY (PCI) COMPLIANCE HISTORY & OVERVIEW David Kittle Chief Information Officer Chris Ditmarsch Network & Security Administrator Smoker Friendly International / The Cigarette Store Corp
More informationPCI Compliance is More Than a Matter of Dollars (and Sense) Are Your Clients Properly Protected Against Lost or Stolen Data?
PCI Compliance is More Than a Matter of Dollars (and Sense) Are Your Clients Properly Protected Against Lost or Stolen Data? Overview Every electronic transaction creates an opportunity for unscrupulous
More informationAchieving Compliance with the PCI Data Security Standard
Achieving Compliance with the PCI Data Security Standard June 2006 By Alex Woda, MBA, CISA, QDSP, QPASP This article describes the history of the Payment Card Industry (PCI) data security standards (DSS),
More informationNew PCI Standards Enhance Security of Cardholder Data
December 2013 New PCI Standards Enhance Security of Cardholder Data By Angela K. Hipsher, CISA, QSA, Jeff A. Palgon, CPA, CISSP, QSA, and Craig D. Sullivan, CPA, CISA, QSA Payment cards a favorite target
More informationPCI DSS. CollectorSolutions, Incorporated
PCI DSS Robert Cothran President CollectorSolutions www.collectorsolutions.com CollectorSolutions, Incorporated Founded as Florida C corporation in 1999 Approximately 235 clients in 35 states Targeted
More informationInformation Security Services. Achieving PCI compliance with Dell SecureWorks security services
Information Security Services Achieving PCI compliance with Dell SecureWorks security services Executive summary In October 2010, the Payment Card Industry (PCI) issued the new Data Security Standard (DSS)
More informationThe Cost of Payment Card Data Theft and Your Business. Aaron Lego Director of Business Development
The Cost of Payment Card Data Theft and Your Business Aaron Lego Director of Business Development Presentation Agenda Items we will cover: 1. Background on Payment Card Industry Data Security Standards
More informationHow To Protect Visa Account Information
Account Information Security Merchant Guide At Visa, protecting our cardholders is at the core of everything we do. One of the many reasons people trust our brand is that we make buying and selling safer
More informationPCI-DSS: A Step-by-Step Payment Card Security Approach. Amy Mushahwar & Mason Weisz
PCI-DSS: A Step-by-Step Payment Card Security Approach Amy Mushahwar & Mason Weisz The PCI-DSS in a Nutshell It mandates security processes for handling, processing, storing and transmitting payment card
More informationSecuring Your Customer Data Simple Steps, Tips, and Resources
Securing Your Customer Data This document is intended to provide simple and quick information security steps for small to mid-size merchants that accept credit and/or debit cards as a form of payment for
More informationBottom line you must be compliant. It s the law. If you aren t compliant, you are leaving yourself open to fines, lawsuits and potentially closure.
Payment Card Industry Security Standards Over the past years, a series of new rules and regulations regarding consumer safety and identify theft have been enacted by both the government and the PCI Security
More informationWhitepaper. PCI Compliance: Protect Your Business from Data Breach
Merchants often underestimate the financial impact of a breach. Direct costs include mandatory forensic audits, credit card replacement, fees, fines and breach remediation. PCI Compliance: Protect Your
More informationPCI Security Compliance
E N T E R P R I S E Enterprise Security Solutions PCI Security Compliance : What PCI security means for your business The Facts Comodo HackerGuardian TM PCI and the Online Merchant Overview The Payment
More informationImplementation Guide
Implementation Guide PayLINK Implementation Guide Version 2.1.252 Released September 17, 2013 Copyright 2011-2013, BridgePay Network Solutions, Inc. All rights reserved. The information contained herein
More informationHow To Protect Your Data From Being Stolen
DATA SECURITY & PCI DSS COMPLIANCE PROTECTING CUSTOMER DATA WHAT IS PCI DSS? PAYMENT CARD INDUSTRY DATA SECURITY STANDARD A SET OF REQUIREMENTS FOR ANY ORGANIZATION OR MERCHANT THAT ACCEPTS, TRANSMITS
More informationPlatform as a Service and PCI www.engineyard.com
Engine Yard White Paper Platform as a Service and PCI www.engineyard.com Purpose Achieving PCI compliance can be a complex, time-consuming, and expensive undertaking, but the right approach can make it
More informationCREDIT CARD MERCHANT PROCEDURES MANUAL. Effective Date: 5/25/2011
CREDIT CARD MERCHANT PROCEDURES MANUAL Effective Date: 5/25/2011 Updated: May 25, 2011 TABLE OF CONTENTS Introduction... 1 Third-Party Vendors... 1 Merchant Account Set-up... 2 Personnel Requirements...
More informationPCI (Payment Card Industry) Compliance For Healthcare Offices By Ron Barnett
PCI (Payment Card Industry) Compliance For Healthcare Offices By Ron Barnett Dr. Svenson thought he was doing both his patients and his practice a big favor when he started setting up monthly payment arrangements
More informationPayment Card Industry - Achieving PCI Compliance Steps Steps
CUR RITY SE Data Security Requirements for K-12 January 28, 2010 Payment Card Industry (PCI) SE CUR RITY 1 Welcome To Join The Voice Conference Dial 866-939-3921 Technical issues press 0 Q & A We ll leave
More informationVerizon 2014 PCI Compliance Report
Executive Summary Verizon 2014 PCI Compliance Report Highlights from our in-depth research into the current state of PCI Security compliance. In 2013, 64.4% of organizations failed to restrict each account
More informationEncryption and Tokenization: Protecting Customer Data. Your Payments Universally Amplified. Tia D. Ilori Sue Zloth September 18, 2013
Encryption and Tokenization: Protecting Customer Data Your Payments Universally Amplified Tia D. Ilori Sue Zloth September 18, 2013 Agenda Global Threat Landscape Real Cost of a Data Breach Evolution of
More informationWhite Paper. Best Practices to Protect the Cardholder Data Environment and Achieve PCI Compliance
White Paper Best Practices to Protect the Cardholder Data Environment and Achieve PCI Compliance Best Practices to Protect the Cardholder Data Environment and Achieve PCI Compliance Executive Overview
More informationData Security Standard (DSS) Compliance. SIFMA June 13, 2012
Payment Card Industry (PCI) Data Security Standard (DSS) Compliance SIFMA June 13, 2012 EisnerAmper Consulting Services Group Overview of EisnerAmper Fifth fhlargest accounting firm in the Metro New York
More informationNACS/PCATS WeCare Data Security Program Overview
NACS/PCATS WeCare Data Security Program Overview March 27, 2012 Abstract This document describes the WeCare Program, discusses common data security threats, outlines an 8-point plan to improve data security,
More informationVersion 7.4 & higher is Critical for all Customers Processing Credit Cards!
Version 7.4 & higher is Critical for all Customers Processing Credit Cards! Data Pro Accounting Software has met the latest credit card processing requirements with its release of Version 7.4 due to the
More informationInformation Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified
Standard: Data Security Standard (DSS) Requirement: 6.6 Date: February 2008 Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified Release date: 2008-04-15 General PCI
More informationTop Three POS System Vulnerabilities Identified to Promote Data Security Awareness
CISP BULLETIN Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness November 21, 2006 To support compliance with the Cardholder Information Security Program (CISP), Visa USA
More informationData Security Basics for Small Merchants
Data Security Basics for Small Merchants 28 October 2015 Stan Hui Director, Merchant Risk Lester Chan Director, Merchant Risk Disclaimer The information or recommendations contained herein are provided
More informationCHEAT SHEET: PCI DSS 3.1 COMPLIANCE
CHEAT SHEET: PCI DSS 3.1 COMPLIANCE WHAT IS PCI DSS? Payment Card Industry Data Security Standard Information security standard for organizations that handle data for debit, credit, prepaid, e-purse, ATM,
More informationFive PCI Security Deficiencies of Restaurants
Whitepaper The Most Common PCI Compliance Mistakes of Brick-and-Mortar Locations By Bradley K. Cyprus- Senior Security Architect, Vendor Safe 2011 7324 Southwest Freeway, Suite 1700, Houston, TX 77074
More informationTREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No. 08-01 MERCHANT DEBIT AND CREDIT CARD RECEIPTS
TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No. 08-01 MERCHANT DEBIT AND CREDIT CARD RECEIPTS 1. Introduction Debit and Credit Card Receipt Standards apply to the administration
More information8/17/2010. Over 90% of all compromised merchants are PCI level 4 (small) merchants or merchants with less than 1 million transactions per year
Over 90% of all compromised merchants are PCI level 4 (small) merchants or merchants with less than 1 million transactions per year Over 80% of compromised systems were card present or in-person transactions
More informationPCI Security Standards Council
PCI Security Standards Council Jeremy King, European Director 2013 Why PCI Matters Applying PCI How You Can Participate Agenda 2 Why PCI Matters Applying PCI How You Can Participate Agenda About the PCI
More informationWHITEPAPER. Achieving Network Payment Card Industry Data Security Standard (PCI DSS) Compliance with NetMRI
WHITEPAPER Achieving Network Payment Card Industry Data Security Standard (PCI DSS) Compliance with NetMRI About PCI DSS Compliance The widespread use of debit and credit cards in retail transactions demands
More informationAdyen PCI DSS 3.0 Compliance Guide
Adyen PCI DSS 3.0 Compliance Guide February 2015 Page 1 2015 Adyen BV www.adyen.com Disclaimer: This document is for guidance purposes only. Adyen does not accept responsibility for any inaccuracies. Merchants
More informationSecurityMetrics Vision whitepaper
SecurityMetrics Vision whitepaper 1 SecurityMetrics Vision: Network Threat Sensor for Small Businesses Small Businesses at Risk for Data Theft Small businesses are the primary target for card data theft,
More informationWorldpay s guide to the Payment Card Industry Data Security Standard (PCI DSS)
Worldpay s guide to the Payment Card Industry Data Security Standard (PCI DSS) What is PCI DSS? The 12 Requirements Becoming compliant with SaferPayments Understanding the jargon SaferPayments Be smart.
More informationImportant Info for Youth Sports Associations
Important Info for Youth Sports Associations What the Heck is PCI DSS and Why Should I Care? Joe Posey Terrapin Financial Services Your Club is an ecommerce Business You accept online registration over
More informationPayment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire Instructions and Guidelines Version 3.2 May 2016 Document Changes Date Version Description October 1, 2008 1.2 October 28,
More informationHow To Comply With The Pci Ds.S.A.S
PCI Compliance and the Data Security Standards Introduction The PCI DSS, a set of comprehensive requirements for enhancing payment account data security, was developed by the founding payment brands of
More informationComodo HackerGuardian PCI Approved Scanning Vendor Compliancy drives commerce: A reseller's Case Study - Merchant-Accounts.ca
E N T E R P R I S E Enterprise Security Solutions TM Comodo HackerGuardian PCI Approved Scanning Vendor Compliancy drives commerce: A reseller's Case Study - Merchant-Accounts.ca May 2008 PCI Data Security
More information