Protecting Your Customers' Card Data Presented By: Oliver Pinson-Roxburgh
Agenda
- Trustwave Overview
- PCI Scope
- Compromise Statistics
- PCI Makes Business Sense
- Registration Process
- TrustKeeper Features
- Support & Resources
- Questions
Trustwave Our Experience
The leader in compliance and data security
- MSSP with more than 1,400 devices under management
- Monitors more than 18 million events per day
- Top 10 global Certificate Authority with more than 40,000 SSL certificates issued
- Performed more than 2,000 network and application penetration tests
- Conducted more than 740 forensic investigations
- Benchmark work for HIPAA, GLBA, SOX, ISO 27000 series
PCI DSS leader
- Trustwave has certified 42 percent of PSPs and 40 percent of Payment Apps
- Fully qualified for all PCI-related work: QSA (2002); ASV (2003); PA-QSA (2005); QIRA (2005)
PCI Scope
Payment Card Acceptance
The Payment Card Industry's Data Security Standard states: PCI Data Security Requirements apply to all members, merchants, and service providers that store, process or transmit cardholder data.
The Mandate: Visa Merchant Levels Defined

Level* 1
  Merchant criteria: Merchants processing more than six million Visa transactions annually via all channels, or global merchants identified as Level 1 by any Visa region.**
  Validation requirements: Annual Report on Compliance (ROC) following an on-site audit by either a Qualified Security Assessor or a qualified internal security resource; quarterly network scan by an Approved Scan Vendor (ASV); Attestation of Compliance form.

Level 2
  Merchant criteria: Merchants processing one million to six million Visa transactions annually via all channels.
  Validation requirements: Annual Self-Assessment Questionnaire (SAQ); quarterly network scan by an ASV; Attestation of Compliance form.

Level 3
  Merchant criteria: Merchants processing 20,000 to one million Visa e-commerce transactions annually.
  Validation requirements: Use a service provider that has certified its PCI DSS compliance (certified providers are listed on Visa Europe's website: www.visaeurope.com), OR have certified their own PCI DSS compliance to the acquirer (who must, on request, be able to validate that compliance to Visa Europe) (SAQ).

Level 4 (e-commerce merchants only)
  Merchant criteria: Merchants processing fewer than 20,000 Visa e-commerce transactions annually.
  Validation requirements: As for Level 3: use a service provider that has certified its PCI DSS compliance (listed on www.visaeurope.com), OR have certified their own PCI DSS compliance to the acquirer (who must, on request, be able to validate that compliance to Visa Europe) (SAQ).

Level 4 (non e-commerce merchants)
  Merchant criteria: Merchants processing up to one million Visa transactions annually.
  Validation requirements: Annual SAQ; quarterly network scan by an ASV; Attestation of Compliance form.

* Compromised entities may be escalated at regional discretion.
** Where merchants operate in more than one country or region, if they meet Level 1 criteria in any Visa country or region, they are considered a global Level 1 merchant. An exception may apply to global merchants if there is no common infrastructure and if Visa data is not aggregated across borders. In such cases merchants are validated according to regional levels.
Compromise Statistics
Incident Response Investigations: Detection Methods vs. Time
- As expected, those able to self-detect detect quicker
- Unable to self-detect: 5x longer exposure time
Investigations showed:
- Role-based security training = improved detection capability
- Mature infosec programs and monitoring controls helped
Incident Response Investigations: Payment Card Industry Compliance
- 97% insufficient firewall policy
- 83% default/guessable password
- 48% not using a PA-DSS application
PCI DSS Makes Business Sense
PCI DSS Compliance: Sound Business Practice
Fundamental best security practices
- Avoid fraud
- Helps to understand your own system better
- Clarifies where data is stored
Upholds brand name
- Adds value to name
- Increases consumer confidence
A non-compliant, compromised business could expect:
- Damage to its brand/reputation
- Investigation costs
- Remediation costs
- Fines and fees
TrustKeeper Registration
Splash Page
Registration Process
TrustKeeper Features
PCI Wizard 2 Choices
PCI Wizard for a Dial-up Merchant
PCI Wizard for an Internet Merchant with POS
Help Provides Examples and Advice
As Well as Security Education
PCI Wizard Section Passed
PCI Wizard Section Failed
Resolve Issues with Remediation Advice
Completed PCI Wizard
Merchant Profile
Pre-Filled SAQ for Merchant Review
SAQ Submission
Scan Setup Wizard
Scan Setup for Web Sites
Scan Setup for Physical Locations
Support and Resources
TrustKeeper Support
TrustKeeper support email: ElavonEUR@trustwave.com
Phone numbers:
  COUNTRY        TELEPHONE NUMBER
  IRELAND        1800 995020
  UK             0800 917 8986
  GERMANY        0800 6648687
  BELGIUM        0800 81013
  FRANCE         0805 540461
  POLAND         0800 702149
  INTERNATIONAL  +48-22-381-3130
Resources
- PCI Security Standards Council: https://www.pcisecuritystandards.org/index.shtml
  - List of compliant payment applications on this site
  - Full version of the PCI DSS Standard
- Elavon Getting Started Page: https://pci.trustwave.com/elavon-eur/
- Further information: www.elavon.co.uk/pci/
Questions?