It Won t Happen To Me! A Network and PCI Security Webinar Presented By FMS and VendorSafe

Transcription

1 It Won t Happen To Me! A Network and PCI Security Webinar Presented By FMS and VendorSafe

2 Agenda Who Is VendorSafe Technologies? It Won t Happen to Me! PCI DSS Overview The VendorSafe Solution Questions

3 Who is VendorSafe? Founded in 1989 in Houston, Texas 22+ years of security experience Design and provide secure networks for merchants Preparing networks for future payment, mobility, and cloud trends Our networks have never been breached. Transformation in 2007 Managed firewall architecture Provide security first PCI compliance will follow PCI DSS security experts Patented installation process Network Detecting Firewall 3

4 The Importance of PCI 12 Requirement Sections of PCI: 286 Questions - SAQ D 1. Install and Maintain a Firewall Configuration To Protect Cardholder Data 2. Do Not Use Vendor-Supplied Defaults For System Passwords 3. Protect Stored Cardholder Data 4. Encrypt Transmission of Cardholder Data Across Open, Public Networks 5. Use and Regularly Update Anti-Virus Software 6. Develop and Maintain Secure Systems and Applications 7. Restrict Access to Data on a Need-To-Know Basis 8. Assign a Unique ID to Each Person With Computer Access 9. Restrict Physical Access to Cardholder Data 10.Track and Monitor Access to network Resources and Data 11.Regularly Test Security Systems and Processes 12.Maintain a Policy That Addresses Information Security VendorSafe automatically answers more than 220 of the 286 PCI questions!

5 What Did That Last Slide Really Mean? 1. Build and maintain a secure network 2. Protect cardholder data 3. Maintain a vulnerability management program 4. Implement strong access control measures 5. Regularly monitor and test networks 6. Maintain an information security policy

6 Managing the Elements PCI Compliance is more than POS

7 Did You Read The Fine Print? 7 Data Security and Privacy You agree to post and maintain on all your Web Sites both your consumer data policy (which must comply with all Payment Brand Rules, Regulations, and Guidelines) and your method of transaction security. You may not retain or store CW2/CVC2 data or PIN data subsequent to the authorization. You must comply with all Security Standards published by the Payment Brands and the PCISSC including, but not limited to, Visa s Customer Information Security Program ( CISP ), MasterCard s Security Data Program ( MDSP ) and the Payment Card Industry Data Security Standard ( PCIDSS ). Pursuant to the Security Standards, you must, among other things: (i) install and maintain a working network firewall to protect data accessible via the internet; (ii) keep security patches up to date; (iii) encrypt stored data and data sent over open networks; (iv) use and update antivirus software; (v) restrict access to employees who are on a need to know basis; (vi) assign a unique ID to each person with computer access to data; (vii) not use vendor-supplied defaults for system passwords and other security parameters; (viii) track access to data by unique ID; (ix) regularly test security systems and processes; (x) maintain a policy that addresses information security for employees and contractors; (xi) restrict physical access to Customer information; (xii) when outsourcing administration of information assets, networks, or data you must retain legal control of proprietary information and use limited need to know access to such assets, networks or data; and (xiii) reference the protection of Customer Information and compliance with the Security Standards in contracts with other service providers. You must notify Paymentech of any third party vendor with access to Customer Information, and you are responsible for ensuring that all third party vendors are compliant with the Security Standards, to the extent applicable. The Security Standards may require that you engage an approved third party vendor to conduct quarterly perimeter scans and/or security reviews can be accessed through Visa and Mastercard websites at and Merchants have already agreed to be PCI Compliant! Proprietary and Confidential

8 It Won t Happen to Me! Hackers Shift Attacks to Small Firms Hacking at small businesses "is a prolific problem," says Dean Kinsman, a special agent in the Federal Bureau of Investigation's cyber division, which has more than 400 active investigations into these crimes. "It's going to get much worse before it gets better." Joe Angelastri, owner of City Newsstand (2 locations) in the Chicago area, is out $22,000 because cyber criminals attacked his store s payment system. Article WSJ

9 Services Unique to VendorSafe Network Detecting Firewall Patented VendorSafe service using a Juniper SSG5 with integrated Wi-Fi and dial back-up Internal Vulnerability Scans (IVS) ** Effortless system that checks for local vulnerabilities. Wireless Access Point Detection (WAPD) ** Quarterly service that detects wireless signals broadcasting in the vicinity of our firewall. Rogue Device Manager (RDM) Be alerted if an unauthorized device is added to the network ZERO Breaches! For 23 years VendorSafe has protected our customers from hackers $100K TrustVault Guarantee Not insurance but a guarantee backed by VendorSafe & Lloyds of London ** No additional hardware or software required.

10 Services Unique to VendorSafe SAQuick - Our SAQ Portal Easiest process in the industry to complete the 280+ Self-Assessment Questionnaire (SAQ) questions. Many of the answers are pre-filled after our security solution is installed. Penetration Testing Guide How-to-guide to utilize the VST scans & security practices to complete a penetration test. Simplified Web Content Filtering Secure web blocking and white listing. IPDataBlocker Ability to keep internal data from getting to the internet, and specialized DNS blocking (makes merchants invisible to hackers outside of North America) Forced Configuration Manager Ability to programmatically check for antivirus on remote user systems, part of our twofactor authentication system LANScribe File integrity & system logging & monitoring w/ one year storage available via browser

11 Compliance Is All About The Proof VendorSafe includes the tools to manage and validate a merchant s compliance Hospitality Technology Expo 2011 Firewall Juniper SSG firewall with intrusion detection voted Best in Class enterprise network firewall by Gartner Group firewall, router, switch, wireless, and modem SAQ Portal Our SAQuick is the easiest and fastest way to fill out an SAQ. Many of the answers are pre-filled after our security solution is installed. Approved External Scanning Vendor (ASV) Compliant Scans Quarterly External Vulnerability ASV Scans as dictated by the standard are automatically scheduled and stored for retrieval. Reports available at the touch of a button. Internal Vulnerability Scans (IVS) IVS scans a defined list of IP addresses that correspond to servers, file sharing systems, and other devices to identify any vulnerabilities based on current threats.

12 VST Value Proposition Heavy-lifting components of PCI - DSS High-end firewall w/ secure network segments Provides policy-based, secure remote access Two-factor authentication via text or Logging and storage firewall, remote access System logs and file integrity monitoring (LANScribe) (SAQ D) Quarterly scans external (via 403 Labs), internal, & wireless Managed service, monitoring, & alerts - 24x7x365 12

13 VST Value Proposition PCI compliance reporting services via a web portal SAQuick populates 220 of 286 SAQ D questions On-line access to compliance status Real-time report generator to print SAQ and scan reports Documentation and Training Location policy and procedure templates provided Communication & contract templates for 3rd party vendors Checklist templates for compliance binders Access to general online security training video 13

14 Security With A $100K Guarantee Covers direct breach expenses Forensic audit Fines / penalties Card replacement fees Fraudulent credit card charges Zero Breaches Since 1989! Hospitality Technology Expo 2011

15 Contact Information Daryl Airhart, Director National Accounts Questions and Pete Riesenfeld, Inside Account Manager Answers ZERO Breaches! We protect your network PERIOD.

16 Contact Information Leo Lynch (office) (mobile)