SellWise User Group. Thursday, February 19, 2015

Transcription

1 SellWise User Group Thursday, February 19, 2015

2 Slides and recording posted on scouting.org/financeimpact Look on the Council Fiscal Management Tab, then look at the bottom left for Sellwise Support/User Group link

3 Chat Window 1. Look for horizontal bars at top right of your screen 2. Click on the bars and a chat window opens 3. Type in your question and hit enter to send

4

5 PCI Compliance & Data Security Notice of Confidentiality. This presentation is furnished to you solely in connection with your review of a proposed relationship with Mercury Payment Systems, LLC ( Mercury ). By your accessing or use of this presentation, you agree and acknowledge that the information contained herein (the Information ) is confidential and proprietary information of Mercury. You agree to keep the Information confidential and not to use the Information for any purpose other than in connection with your review of a proposed relationship with Mercury. The Information may only be disseminated within your organization on a need-to-know basis to enable your review of the proposed relationship. You accept the Information presented herein as is, without any representation as to its accuracy or completeness. Neither party takes on any obligation, other than with respect to keeping the Information confidential, until and unless a definitive agreement is executed.

6 It s Not a Matter of IF but WHEN 90% of data breaches are targeted at Level 4 merchants who process less than one million transactions annually. Retail and food and beverage businesses make up the majority of breaches. Average cost of a breach is $36,000 and can exceed $50,000. A breach can result in severe reputation damage, unwanted headlines, lost sales, lost customer confidence, card brand fines/fees, fraud losses, legal costs, etc Trustwave Global Security Report: ges/2014_trustwave_global_security_rep ort.pdf?aliid= Mercury Confidential and Proprietary - For Recipient's Internal Use Only

7 What is PCI Compliance? The Payment Card Industry Data Security Standards (PCI DSS) is an industry wide requirement for anyone who processes, stores, or transmits cardholder data. Adopted by all card brands including VISA, MasterCard, Discover, American Express, and JCB International. There are 12 requirements for any entities storing, processing or transmitting data. Failure to adhere to the standards could result in fines and fees. Mercury Confidential and Proprietary - For Recipient's Internal Use Only

8 Validating PCI Compliance Each level brings its specific validation requirements & Action is Needed Level 4 merchants (Up to one million transactions annually) Annual Self-Assessment Questionnaire (SAQ) Quarterly network scan by ASV if applicable Mercury Confidential and Proprietary - For Recipient's Internal Use Only

9 Merchant Requirements Mercury Confidential and Proprietary - For Recipient's Internal Use Only

10 Increased Education and Awareness Either because of a lack of education or policy enforcement employees leave the door open for attacks by picking weak passwords, clicking on phishing links, or sharing company information on social and public platforms. Employees directly involved in the payment chain- like cashiers, waiters, and bank tellers- often are most often responsible for internal breaches. By Increasing awareness and education across organizations, we can help drive payment security as good business practice. Protect users from themselves. Mercury Confidential and Proprietary - For Recipient's Internal Use Only

11 Security Risks in Councils FOS cards filed with credit card information in tact Camp and activity registration forms with filed or sent to camp with credit card information in tact FOS cards needing quarterly billing filed in unlocked desk drawer Using non compliant credit card swipe machines after 10/1/15

12 SOLUTIONS Always mark out or cut off the credit card information before filing FOS cards or registration forms Never leave FOS cards or registration forms with credit card information on your desk EVER Store FOS cards needing quarterly billing in a locked space Use MercuryPay with Sellwise to achieve end to end encryption of credit card info as it is transmitted over the internet Purchase the VX-805 credit card terminal by 10/1/15

13 Myths If a merchant is running a PA-DSS compliant payment application, nothing more is needed Running a PA-DSS compliant application is only one of 12 PCI DSS requirements. I m paying a PCI fee so therefore I m already compliant You may not be compliant unless you re getting quarterly network scans and have completed your annual Self-Assessment Questionnaire. Action is required from a merchant in order to achieve PCI compliance. Paying for breach assistance does not make an entity compliant either. It only offers aid after a breach has already occurred. PCI compliance is just too complicated To ensure security controls are properly implemented, PCI DSS should be implemented into business-asusual activates as part of an entity's overall security strategy. It s much easier and less expensive to secure your environment rather than dealing with a breach later. A breach won t happen to me For small merchants, it is not a matter of if, but when they will be breached. Data thieves are targeting small merchants daily and the average cost of a card data compromise can put a merchant out of business. Mercury Confidential and Proprietary - For Recipient's Internal Use Only

14 Practical Steps to Reduce Your Risk DISCONNECT security cameras, WiFi access points and other devices from the POS network segment. SEGMENT all other computers and devices from your POS network including WiFi, back office computers and laptops. STOP all internet browsing from systems connected to the POS network segment. CONDUCT a quarterly PCI vulnerability scan. SCHEDULE regular anti-virus scans and definition updates, as well as occasional anti-virus scans. APPLY all operating system patches and POS updates as soon as they are released. ENABLE remote access only when needed; disable when done. EDUCATE your employees annually about security best practices. ENROLL in Merchant SecureAssist, Mercury s PCI compliance solution. Mercury Confidential and Proprietary - For Recipient's Internal Use Only

15 PCI Compliance is not a One-time Event Mercury Confidential and Proprietary - For Recipient's Internal Use Only

16 Merchant SecureAssist Features Up to $100,000 in breach assistance TrustKeeper PCI Manager online compliance tool Unique PCI Wizard and To Do List provide actionable tasks for compliance Monthly network scanning test for over 6,000 operating system and application vulnerabilities Security Policy Advisor to assist with creating security policies and procedures 24/7 support to help with SAQ and scans Helpful tips and support from PCI experts Big company backing from Great American Insurance Group in the event of a breach Trusted Commerce Seal and printable Certificate of Compliance assures customers your business is secure Fast, easy PCI compliance Mercury Confidential and Proprietary - For Recipient's Internal Use Only

17 Merchant SecureAssist Benefits Achieve and maintain PCI compliance quickly and easily Reduce financial risk of a card data breach Get peace of mind with breach assistance We are here to help you! Support is available 24/7- Fast, easy PCI compliance Trustwave Support Mercury s Compliance Dept- compliance@mercurypay.com or Mercury Confidential and Proprietary - For Recipient's Internal Use Only

18 EMV

19 What is EMV? EMV is a set of international standards that defines interoperability of secure transactions across the international payments landscape. EMV transactions introduce dynamic data specific to the card and the transaction. Goal of devaluing transaction data in flight and reducing the risk of counterfeit fraud. The computer chip on the card uses cryptography to provide strong security. In the context of EMV, encryption is only used to protect the PIN.

20 How EMV Works Step 1: An EMV card is inserted into a terminal Step 2: The chip embedded in the card contains a unique issuer key; this is accessed by the reader in the terminal Step 3: Using the key from the card and data from the transaction, the chip creates and sends a unique code, or cryptogram to the processor s host with the approval transaction, allowing the issuer to validate the card is legitimate and not counterfeit Step 4: The card is removed when the transaction is completed

21 EMV Fiction Vs. Fact Fiction EMV is a merchant mandate If you don t implement EMV you will be open to a breach Processing will be shut off if you don t switch to EMV by October 2015 Magnetic stripes will go away You will be charged extra if you don t use a chip Your old hardware will stop working Fact There is no mandate EMV is part of the security and fraud puzzle and does not solve the problem alone Your processing will not be shut off Totally False. Cards will have both chip and magnetic stripes Interchange rates for EMV and card swipes are not changing as part of liability shift Existing hardware will continue to work for magnetic stripes Solution provider: We have a product solution today for EMV Solution provider: Our solution is EMV ready EMV cards are being issued all over the place Most solutions in the market are only partially ready EMV ready is misleading term, and doesn t mean it s EMV capable. Chip card adoption/usage still has a long way to go. More so in 2015, but they ll still have a magstripe

22 Thank you!