Kim Decarolis Compliance and Security Specialist (248) Mark Wayne Vice President Compliance and Security Specialist

Transcription

1 Target, Starbucks, Neiman Marcus Will your pharmacy be the next data breach victim? Kim Decarolis Compliance and Security Specialist (248) Mark Wayne Vice President Compliance and Security Specialist

2 AGENDA 1. Do I have to comply with PCI-DSS mandates? 2. How do I determine if I am PCI compliant? 3. What are the options for achieving PCI Compliance?

3 WHAT IS PCI DSS COMPLIANCE? 6 Control Objectives 250+ Sub Requirements 12 6 Core Requirements Control Objectives Payment Card Industry Data Security Standards Set up by American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa PCI Security Standards Council established to promote compliance Requires mandatory adoption by all businesses that store, process, transmit credit/debit card data Arduous process!

4 It's a matter of following the 12 requirements in the standard, working with your acquiring bank and using the tools offered. Remember that PCI DSS compliance is an ongoing process, not a one-time event. You'll need to continuously assess your operations, fix any vulnerabilities that are identified, and make the required reports to the acquiring bank and card brands you do business with. PCI Security Standards Council Website

5 The Bo'om Line on PCI Compliance Many myths about PCI compliance It doesn t apply to my business I m already PCI compliant I have a firewall in place so I m compliant My (fill in the blank) has me covered PCI DSS is solely the responsibility of the merchant If merchant can t demonstrate compliance, they cover 100% of associated costs. If merchant demonstrates compliance, breach costs are covered 96% of breached businesses are not PCI compliant ANXeBusiness Confidential PAGE 5

6 Defining the Market Problem THE EFFECTS OF CREDIT CARD BREACH ON RETAIL BUSINESS ARE DAUNTING $80k is the average direct cost of a data breach 70% of breached businesses are out of business within one year of the attack 1 in 6 small businesses will suffer a credit card breach in the next 24 months 98% Breaches originate from organized criminal groups 210 Average days between intrusion and detection

7 HOW IS THIS HAPPENING? AM I AT RISK? Outdated Firewalls Insecure Remote Access Weak security configurations Operating system flaws Lack of staff training Flawed security policies Negligence Poor change control procedures Key Security Gaps are exploited by cybercriminals

8 PERCENTAGE OF DATA BREACHES BY INDUSTRY % Healthcare Business Bank/Financial EducaAon Government Source: Identity Theft Resource Center DATA BREACHES IN HEALTHCARE ARE GROWING FASTER THAN ANY OTHER INSUSTRY

9 FINANCIAL INSTITUTIONS ARE MANDATING COMPLIANCE

10 If you cannot answer yes to the three questions below, you are NOT PCI Compliant 1 2 Have ALL employees completed a PCI Certified security awareness training program upon hire and annually thereafter? Have all employees read and signed a formal security policy? 3 Can you demonstrate that all remote access from you, your employees or vendors incorporate 2-factor authentication?

11 WHAT HAPPENS IF I AM BREACHED? Stop taking credit cards Stop taking Flexible Spending Cards Initiate a forensic audit Implement remediation actions

12 STEP ONE: Protect Your Business Guaranteed financial protection NOW! The ONLY No-Strings Attached program of its kind in the nation: 1. Coverage within 5 business days of contract execution 2. Guaranteed coverage even if not currently PCI Compliant 3. Retroactive coverage if undiscovered breach has occurred Data Breach Protection $100,000 protection per location ANXeBusiness Confidential PAGE 12

13 PCI Compliance Portal: 1. PCI Knowledge Base 2. e-learning STEP TWO: Validate PCI Compliance 3. Policy Management 4. Self Assessment Wizard 5. External Vulnerability Scans 6. Task Management Module 7. Executive Tracking 8. Compliance reporting Gather Empirical Data to Assess your Risk and Compliance ANXeBusiness Confidential PAGE 13

14 IMPLEMENT EMPLOYEE PCI AWARENESS

15 IMPLEMENT SECURITY POLICIES

16 COMPLETE YOUR PCI SELF-ASSESSMENT QUESTIONNAIRE (SAQ) Getting started with the SAQ is half the battle! Seek help if you need it Use the SAQ Wizard to help you determine which type of SAQ to complete

17 COMPLETE AN EXTERNAL VULNERABILITY SCAN OF YOUR NETWORK Run your external vulnerability scans directly from the PCI Portal each quarter Remediate any identified issues Re-run to achieve a passing scan Seek help from the ANX 24x7 U.S.-based support staff when you need it

18 STEP THREE: Achieve and Maintain PCI Compliance 1. Leverage empirical data from the PCI Portal to determine risk level 2. Achieve PCI Compliance by addressing gaps, e.g. with a Secure Cloud Gateway bundle 3. Maintain PCI Compliance through the SecurePCI Premium package and ANX Partnership ANXeBusiness Confidential PAGE 18

19 ANX SECURE CLOUD GATEWAY TECHNOLOGY

20 Solution Attribute $100,000 Data Breach Protection 10 Hours - post Breach Consulting PCI Portal - SAQ PCI Portal - Policy PCI Portal - elearning PCI Portal - Quarterly Scans 24 x 7 support Stateful Inspection Firewall 24 x 7 Firewall Policy Management Cloud- based Unified Threat Management V- Lan Segmentation Internal Scanning Secure Remote Access Wireless End Point Detection System Log Management 2- factor Authentication Pre- populated SAQ The ANX Solu5on Con5nuum ANX PCI Solution Continuum Secure Secure PCI PCI Bundle Enhanced PCI Solutions from less than $1 a day Secure Secure PCI PCI with Premium Secure Cloud Gateway $30 a month $90 a month

21 QUESTIONS AND MORE INFORMATION For more information: Kim Decarolis Compliance and Security Specialist (248)