ICS Presents: The October 1st, 2015 Credit Card Liability Shift: This Impacts Everyone!
Presenters:
Cliff Gray, Senior Associate of The Strawhecker Group
Jon Bonham, CISA, Coalfire
The opinions of the contributors expressed herein do not necessarily state or reflect those of the International Carwash Association, its directors or employees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, shall not constitute or imply an endorsement, recommendation, or support by the International Carwash Association. The International Carwash Association makes no warranty, express or implied, nor does it assume any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process described in these materials. All commentary and information provided by the speakers represents individuals' opinion only. The International Carwash Association makes no recommendation or representation regarding such market information and commentary. All such information and commentary is subject to change without prior notice. Any prediction, estimation and projection is not necessarily indicative of future performance and is for reference only. The International Carwash Association will not accept any responsibility or liability of any kind with respect to such information or opinion expressed herein. Investment involves risk. Past performance of any business opportunity is no guide to its future performance. The information or investment opportunities expressed herein may not be suitable for all investors. Before making any investment decision, investors should read and understand the relevant nature, risks, terms and conditions of an investment opportunity and be capable of and willing to assume the associated risks in light of their own investment objectives, financial circumstances or particular needs and exercise their independent judgment. If needed, investors should seek independent professional advice.
What Is PCI
Protect Card Holder Data
Jon Bonham, Coalfire
PCI
PCI DSS applies to all entities involved in payment card processing including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).
Source: PCI DSS v3.1, page 5
Cliff Gray, The Strawhecker Group
What Is PCI
Cliff Gray, The Strawhecker Group
Current State of PCI
PA-DSS
The car wash owner is responsible for securing the network: technology, policy, & procedures
Implementation guides need to be followed for a compliant installation
Always evolving and changing
There are NO car wash merchants who do not have to be PCI compliant
Cliff Gray, The Strawhecker Group
Current State of PCI
PCI-DSS
Cliff Gray, The Strawhecker Group
Breach
Larger merchant breaches dominate the media. Yet smaller merchants (level 4) suffer 90% of the breaches
Significant financial threat looms
  » It is typical for breach damages to approach $50,000 to $100,000 per incident for smaller merchants
Jon Bonham, Coalfire
Breach
Small merchant breaches and stats
  » Card-present transactions account for 80% of fraud and breach
  » More than 50% of merchants do NOT survive a breach, or suffer disruptive changes
Source: Visa
Jon Bonham, Coalfire
Breach in the Car Wash Space
Bad Business Practices
  » Binder with club data
  » Fleet billing with a credit card file on the computer
  » Employees taking card to POS
  » Not inspecting hardware for skimmers
  » Found USB drive
  » Vulnerable remote access software
Jon Bonham, Coalfire
Breach in the Car Wash Space
Weak Policies
  » Improperly configured routers & access points
  » Unrestricted internet & email access
  » No anti-virus protection
Jon Bonham, Coalfire
Breach in the Car Wash Space
Car Wash Merchant is Still Impacted
Impact goes beyond PCI damages
Damaged reputation
Loss of consumer confidence
  » Club cancellations
  » Loss of credit card business
Lower revenue
Jon Bonham, Coalfire
Everything Changes with EMV
Securing the Credit Card Network
EMV: EuroPay, MasterCard, Visa
  » First version was 2.0 in 1995
  » Version 4.3 has been in effect since November 2011
[Figure: EMV adoption timeline, 2005 to 2015, covering Europe, LAC, S. Africa, Africa, Asia/Pacific, Middle East, Brazil, Colombia, Mexico, New Zealand, Canada, Australia and the United States]
Jon Bonham, Coalfire
Everything Changes with EMV
Securing the Credit Card Network
New technology
  » Chip
  » EMV terminals
New process
  » Chip and signature
  » Chip and PIN (most secure)
Jon Bonham, Coalfire
Everything Changes with EMV
Securing the Credit Card Network
October 1, 2015 Liability Shift
Damages shift from Bank to Merchant
  » No confusion as to the date of liability shift to YOU the merchant
  » October 1, 2015
The WEAK LINK Pays!
Jon Bonham, Coalfire
VISA Explains it Best
Jon Bonham, Coalfire
Visa Explains it Best
Exceptions
Jon Bonham, Coalfire
EMV Adoption
Chip-Card Rollout Has Banks, Retailers Scrambling
To cut credit-card fraud, issuers are embedding chips; merchants say they can't get card readers fast enough
Some 575 million of the new cards representing about three-quarters of U.S. credit cards and about 40% of debit cards are expected to be in the wallets of American consumers by year-end, making it the biggest rollout of new cards in decades.
The WSJ, Robin Sidel, April 21, 2015
Cliff Gray, The Strawhecker Group
EMV Adoption
Threats to car wash operators who do not adopt EMV
  » Weak link is liable
  » PCI compliance still required
Cliff Gray, The Strawhecker Group
Credit Card Compliance & Risk
Risk too great to keep magnetic stripe only
  » PCI-related damages for a breach
  » Impact business reputation
PCI-DSS Evolution
  » Incremental steps creating a secure network
  » You need to be a part of it
Cliff Gray, The Strawhecker Group
EMV with Validated Point-to-Point Encryption
Merchants validate as PCI compliant using the simplest SAQ applicable
Cliff Gray, The Strawhecker Group
October 1st, 2015 Liability Shift
Key Take Away Points
Offer your customers the best credit card protection
EMV with PCI validated point-to-point encryption
  » Offers the most secure network solution
  » Lowers compliance costs
Cliff Gray, The Strawhecker Group
October 1st, 2015 Liability Shift
Key Take Away Points
Real threat to merchants who delay EMV adoption
Avoid half-step solutions that still keep you exposed to liability
Anticipate a scramble as liability shift date approaches
Cliff Gray, The Strawhecker Group
October 1st, 2015 Liability Shift
Key Take Away Points
Solutions are limited
Processor and POS vendor deployment capacity is limited
Credit card and car wash industries may not have capacity to perform upgrades for all merchants by October 1st, 2015
Cliff Gray, The Strawhecker Group
October 1st, 2015 Liability Shift
Key Take Away Points
This liability shift is REAL
This IMPACTS your business
Doing nothing could CLOSE your business
Cliff Gray, The Strawhecker Group
Q&A
Additional Questions?
Cliff Gray will be in the ICS Booth #2325 on Thursday during show hours to answer any follow-up questions