How To Become A Pca Compliant Organization

Transcription

1 Compliance Management Merchant Guide 2012

2 Stay Clear Of Fraud Are You Concerned About Data Security Risks? Security is a duty. Companies should remember that they are being trusted by consumers with their sensitive data. The abuse of that data can be very damaging to your customers. Therefore, one of your greatest corporate responsibilities is to protect your customer s data. - Forrester Research Learn how to eliminate fraud and become a PCI Compliant organization by contacting Kubera s team of data security experts. As a merchant, you are at the center of payment card transactions. As a result, it is essential that you use Payment Card Industry Data Security Standards and technology to ensure cardholder data is safe. If your company is not PCI DSS compliant, you are putting yourselves and your customers at risk. These risks include financial and operation consequences that not only disrupt business but can destroy reputation. We are here to help merchants avoid these risks.

3 What Is PCI Compliance? PCI Compliance is an industry-mandated security standard that applies to every business that processes, handles or stores credit card information. Don t let your company get caught up in the middle of a breach. Information security breaches have severe consequences for affected organizations: 1. Fines Up To $500,000 Per Incident 2. Remediation Requirements Costs At $90 to $302 For Each Record 3. Loss Of Reputation 4. Loss Of Customers 5. Litigation Expenses

4 What Is PCI Compliance? PCI DSS is the comprehensive information security framework for organizations who process payments including prevention, detection and appropriate reaction to security incidents. There are 12 core competencies (see appendix) with a few hundred controls, but can be oversimplified as: 1. All merchants must achieve & maintain compliance at all times 2. Merchants cannot store certain credit card information 3. Merchants must follow specific security standards to store permitted information Who Made PCI DSS? PCI DSS was originally developed by Visa and MasterCard. Since 2006 American Express, Discover, and JCB joined Visa & MasterCard to form the PCI Security Council. Why? A large number of businesses both large and small have been breached over the past few years. Global Payments, TJX, Bank of America, BJ s, Hotels.com, LexisNexis, Polo Ralph Lauren and Citigroup to name a few. In response to these breaches the PCI Security Council was created to give businesses the necessary tools they need to avoid these disasters. Who Is Responsible & Who Is At Risk? You are! Although most breaches that you will see on the news are larger companies, both Visa and Verizon s security report states the majority of breaches are at small businesses.

5 Become Compliant With the right partner, maintaining compliance can be severely less complicated than it seems. Working with Kubera Payments Corporation can help your business achieve PCI Compliance without making any great changes or disruptions to your day to day operations. Our certified information systems auditors will work for you to make this complex process as easy and simple as possible. The end result will help you avoid costly finds, increase customer confidence, and decrease the risk of security breaches. Achieve PCI Compliance today and get in touch with our team. Call Kubera Today (855) And ensure that your data is safe and secure.

6 Payment Security Facts Since 2005 more than 80% of credit card information breaches are at small businesses. Verizon s 2011 Data Breach Investigations Report states that the majority of breaches happen to smaller organizations with employees The majority of breaches occur in the hospitality, retail and financial services industries. Lodi Beer, a restaurant and microbrewery in California unknowingly had over 11,000 credit card holders information stored in their POS system and the data was breached. Visa & MasterCard fined their merchant account provider $27,000 who passed the fine to Lodi Beer. The merchant spent over $50,000 cleaning up its mess. Noncompliance fines are currently $25,000 per month, however there are other fees that card brands and acquirers can add on depending on your merchant agreement. Noncompliance puts any company at high risk for credit card theft. Forrester Research estimates these costs are between $90 and $300 per compromised record excluding lawsuits, remediation efforts, and loss of reputation. The TJX has already spent more than $200 million over the past few years in response to the breach in Sony announced that it will cost their company more than $170 Million USD to clean up the recent Playstation Network breach and even more to compensate for lost business. It doesn t matter how visible your organization is. By not maintaining PCI Compliance your organization becomes more attractive to attackers.

7 Appendix Appendix I: PCI DSS Security Requirements 1. Install and maintain a firewall configuration to protect data 2. Do not use vendor-supplied defaults for system passwords and other security parameters 3. Protect stored data 4. Encrypt transmission of cardholder data and sensitive information across public networks 5. Use and regularly update anti-virus software 6. Develop and maintain secure systems and applications 7. Restrict access to data by business need-to-know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes 12. Maintain a policy that addresses information security **These requirements specify the framework for a secure payments environment and should be carried out in three steps: Assess Remediate and Report. Contact Kubera today to learn how to achieve PCI Compliance. Appendix II: The highest number of breaches occur in the following industry groups: Hospitality, Retail, and Financial Services **Source: Verizon s 2011 Data Breach Investigations Report