Mitigating Card System Breaches
October 11, 2015, 2:00 pm to 2:50 pm
Direct Costs of a Data Breach
Indirect Costs of a Data Breach
About Conexxus
Technology arm of NACS
Volunteers do the heavy lifting
Create technology standards
Educate
Advocate
NACS partner in Technology Edge at the Show
Technology Edge Solution Center (Booth 5709)
Moderator: Linda Toth, Director of Standards, Conexxus
Speakers: Kara Gunderson, POS Manager, Citgo Petroleum Corporation; Phil Schwartz, IS Manager, Credit Card Systems POS App Support, Valero Energy Corporation
Objectives
Define security versus compliance as it pertains to your organization's data security
Identify the resources available today to help you secure your sensitive data
Connect with resources that can provide you with additional information on data security
What we are going to discuss
Difference between security and compliance
Anti-skimming
Risk mitigation plan
Conexxus Security Incident Reporting Tool
Q & A
Are you PCI compliant today? A. Yes B. No C. Not sure
Don't concentrate on the finger
What is the most frequently used method of data theft in the convenience retail channel? A. RAM skimming B. AFD (automated fuel dispenser) skimming C. Remote access infiltration D. SQL injection
Skimming Devices
How many of the previously pictured devices are skimmers? A. One B. Two C. All three D. None
Skimming Devices
Tamper-evident Stickers
Replace Standard Locks
Inspect Dispensers Regularly
NACS / Conexxus We Care Program
Start with a PA-DSS validated point of sale
PCI Terminology: PA-DSS (Payment Application Data Security Standard) applies to the developers of payment applications such as point-of-sale software; PCI DSS (Payment Card Industry Data Security Standard) applies to merchants (and service providers) that store, process or transmit cardholder data. Running a PA-DSS validated application does not by itself make a merchant PCI DSS compliant; the merchant still has to deploy and operate it securely.
Keep your payment application patched
Are you running the most current version of your payment application? A. Yes B. No C. Don't know
Which of these has Internet access at your sites? Back Office PC, Fuel Dispensers, Video Surveillance, Point of Sale
Install a firewall
Firewall installation: put a firewall with segmentation between the Back Office PC and Surveillance systems on one side and the Cardholder Data environment (point of sale and fuel dispensers) on the other, so that a compromise of the back office or camera network cannot reach the payment systems.
Use two-factor authentication
Passwords
Do you have a schedule for changing all passwords on your retail systems?
Anti-virus
White Listing: ONLY ALLOW THESE WEBSITES or IP ADDRESSES, and deny everything else by default
Managed Firewall Service Provider Help Desk
Point of Sale Vendor Help Desk
Fuel Dispenser Manufacturer Help Desk
Underground Tank Storage Monitoring Service
Video Surveillance Company
Back Office Accounting Software Help Desk
Use your Managed Firewall Service Provider or IT person to set up the white list
New/Upgraded POS = IP based, with a DIRECT CONNECTION to the Internet: install a managed firewall service and anti-virus software, and inspect fuel dispensers daily
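The segmentation and white-list slides above describe a policy; the following added example (not part of the presentation, and not any vendor's tool) shows how to check a managed firewall's connection log against that policy. It assumes a constructed store layout (a cardholder-data segment holding the POS and dispensers, separate back-office and surveillance segments), a constructed egress allowlist using documentation IP ranges, and a constructed `src= dst= dport= action=` log format; a real managed firewall will use its own addresses and log syntax.

```python
import ipaddress
import re
from dataclasses import dataclass

# Hypothetical store layout (assumption): the cardholder data environment (CDE)
# holds the POS and fuel dispensers; back office and surveillance are separate.
SEGMENTS = {
    "cde": ipaddress.ip_network("10.10.20.0/24"),
    "back_office": ipaddress.ip_network("10.10.30.0/24"),
    "surveillance": ipaddress.ip_network("10.10.40.0/24"),
}

# Egress allowlist for the CDE, pinned to address AND port. The addresses are
# documentation ranges standing in for the vendor help desks named on the slide.
CDE_EGRESS_ALLOWLIST = {
    ("203.0.113.10", 443),   # point of sale vendor / payment host
    ("198.51.100.7", 443),   # managed firewall service provider
    ("198.51.100.22", 443),  # fuel dispenser manufacturer help desk
}

# Constructed log format; a real firewall's syslog will differ.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)"
    r"\s+proto=(?P<proto>\w+)\s+action=(?P<action>\w+)$"
)


@dataclass
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str
    action: str


def parse_line(line):
    """Parse one log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Flow(m["ts"], ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"]),
                int(m["dport"]), m["proto"], m["action"])


def segment_of(addr):
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "external"


def policy_verdict(flow):
    """Return (allowed, reason) for a flow under default-deny + segmentation."""
    s, d = segment_of(flow.src), segment_of(flow.dst)
    if s == "cde" and d == "cde":
        return True, "intra-CDE"
    if s == "cde":
        if d == "external" and (str(flow.dst), flow.dport) in CDE_EGRESS_ALLOWLIST:
            return True, "allowlisted egress"
        return False, f"CDE egress to non-allowlisted {flow.dst}:{flow.dport}"
    if d == "cde":
        return False, f"{s} segment reaching into CDE"
    return True, "outside CDE, not in scope"


def find_violations(lines):
    """Flows the firewall ALLOWED that the policy says should have been blocked."""
    out = []
    for line in lines:
        f = parse_line(line)
        if f is None:
            continue
        ok, reason = policy_verdict(f)
        if not ok and f.action == "allow":
            out.append((f.ts, str(f.src), str(f.dst), f.dport, reason))
    return out


# Constructed sample log: one allowlisted POS call-out, one POS connection to an
# unknown host, one back-office RDP session into the POS, one surveillance upload,
# one POS SSH attempt the firewall already blocked, and one unparseable line.
SAMPLE_LOG = """\
2015-10-11T14:05:01 src=10.10.20.5 dst=203.0.113.10 dport=443 proto=tcp action=allow
2015-10-11T14:05:09 src=10.10.20.5 dst=192.0.2.77 dport=443 proto=tcp action=allow
2015-10-11T14:06:30 src=10.10.30.12 dst=10.10.20.5 dport=3389 proto=tcp action=allow
2015-10-11T14:07:02 src=10.10.40.3 dst=192.0.2.90 dport=80 proto=tcp action=allow
2015-10-11T14:07:45 src=10.10.20.9 dst=198.51.100.7 dport=22 proto=tcp action=deny
garbage line
""".splitlines()

if __name__ == "__main__":
    for v in find_violations(SAMPLE_LOG):
        print(v)
```

The two findings this produces are exactly the cases the slides warn about: a POS talking to a host that is not on the white list (the pattern of remote-access malware calling home), and a back-office machine reaching into the cardholder segment, which the segmenting firewall should never permit. The SSH attempt on port 22 is not reported because the firewall already denied it; the allowlist is keyed on address and port so that a vendor host reachable on 443 does not silently open every other service.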
Pen Testing
Has an external vulnerability scan been performed at your sites this year?
Data Security Incident Report Database: developed by the Conexxus Data Security Standards Committee; completely anonymous; no IP tracking; single shared username and password
Incident tracking
Key takeaways
Compliance is required
Security should be your focus
There are some simple steps that you can take to enhance security of sensitive customer data
You are not alone
Available resources
NACS We Care Anti-Skimming Video: http://www.nacsonline.com/solutions/finance-operations/pages/wecare.aspx
NACS We Care Security Stickers: http://tydenbrooks.com/seals-bytype/security-tape-labels/gas-pump-tamper-evident-labels
Conexxus-NACS We Care Program: http://www.conexxus.org/content/conexxus-resources
NACS: www.nacsonline.com
PCI Compliance Information: www.pcisecuritystandards.org
Contact
Technology Edge Solution Center (Booth 5709)
Website: www.conexxus.org
Email: info@conexxus.org
LinkedIn Group: Conexxus Online
Follow us on Twitter: @Conexxusonline
Copyright Notice
The copyright law of the United States (Title 17, United States Code) governs the making of photocopies or other reproduction of copyrighted material. Under certain conditions specified in the law, libraries and archives are authorized to furnish a photocopy or other reproduction. One of these specified conditions is that the photocopy or reproduction is not to be "used for other purpose than private study, scholarship or research." If a user makes a request for, or later uses, a photocopy or reproduction for purposes in excess of "fair use," that person may be liable for copyright infringement.
Disclaimer
The opinions of the contributors expressed herein do not necessarily state or reflect those of the National Association of Convenience Stores. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, shall not constitute or imply an endorsement, recommendation, or support by the National Association of Convenience Stores. The National Association of Convenience Stores makes no warranty, express or implied, nor does it assume any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process described in these materials.