NACS/PCATS WeCare Data Security Program Overview



Similar documents
Mitigating Card System Breaches. October 11, :00 pm 2:50 pm

PCI It Never Ends! Shekar Swamy, President Omega ATC. Denise Lewis, Pinnacle POS Product Manager. omegasecure.com

Guide to Remote Access Management

PCI DSS Ver. 3.0 Noteworthy Changes for Petro Retailer

PCI: It Never Ends. Why?

Policy for Protecting Customer Data

New PCI Standards Enhance Security of Cardholder Data

8/17/2010. Over 90% of all compromised merchants are PCI level 4 (small) merchants or merchants with less than 1 million transactions per year

Breach Findings for Large Merchants. 28 January 2015 Glen Jones Cyber Intelligence and Investigation Lester Chan Payment System Security

PCI Compliance Top 10 Questions and Answers

Top Five Data Security Trends Impacting Franchise Operators. Payment System Risk September 29, 2009

Franchise Data Compromise Trends and Cardholder. December, 2010

What does it mean to be secure?

PCI Compliance. Top 10 Questions & Answers

Frequently Asked Questions

Five PCI Security Deficiencies of Retail Merchants and Restaurants

PCI PA - DSS. Point XSA Implementation Guide. Atos Worldline Banksys XENTA SA. Version 1.00

Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

Top PCI 3.0 Challenges for Chain Merchants. March 11, 2015

Data Security Basics for Small Merchants

ICS Presents: The October 1st 2015 Credit Card Liability Shift: This Impacts Everyone!

The Petroleum Marketer s PCI compliance Reference Guide

Cyber - Security and Investigations. Ingrid Beierly August 18, 2008

Why Is Compliance with PCI DSS Important?

SecurityMetrics Introduction to PCI Compliance

Encryption and Tokenization: Protecting Customer Data. Your Payments Universally Amplified. Tia D. Ilori Sue Zloth September 18, 2013

Data Security for the Hospitality

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015

Project Title slide Project: PCI. Are You At Risk?

SECURING YOUR REMOTE DESKTOP CONNECTION

PCI DSS. CollectorSolutions, Incorporated

Becoming PCI Compliant

Two Approaches to PCI-DSS Compliance

MasterCard PCI & Site Data Protection (SDP) Program Update. Academy of Risk Management Innovate. Collaborate. Educate.

How To Protect Your Data From Being Stolen

PCI Requirements Coverage Summary Table

The 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance

PCI DSS Requirements - Security Controls and Processes

Payment Processing for Retail Petroleum/Convenience

PCI PA - DSS. Point BKX Implementation Guide. Version Atos Xenta, Atos Xenteo and Atos Yomani using the Point BKX Payment Core

PCI Data Security Standards

How To Protect Your Credit Card Information From Being Stolen

PCI PA - DSS. Point ipos Implementation Guide. Version VeriFone Vx820 using the Point ipos Payment Core

PAI Secure Program Guide

Payment Card Industry Data Security Standard Training. Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc.

Five PCI Security Deficiencies of Restaurants

Symposium (FBOS) PCI Compliance. Connecting Great Ideas and Great People. Agenda

Five PCI Security Deficiencies of Restaurants

PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR

Complying with PCI is a necessary step in safely accepting Payment Cards.

PCI DSS Compliance Information Pack for Merchants

SellWise User Group. Thursday, February 19, 2015

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures

PCI Requirements Coverage Summary Table

SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA

Whitepaper. PCI Compliance: Protect Your Business from Data Breach

Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness

Policies and Procedures

Whitepaper. PCI Compliance: Protect Your Business from Data Breach

PCI Compliance: Protection Against Data Breaches

PCI and EMV Compliance Checkup

Global Partner Management Notice

Cisco Advanced Services for Network Security

MITIGATING LARGE MERCHANT DATA BREACHES

PCI Compliance in Multi-Site Retail Environments

AIS Webinar. Payment Application Security. Hap Huynh Business Leader Visa Inc. 1 April 2009

PCI Compliance Overview

Case 2:13-cv ES-JAD Document Filed 12/09/15 Page 1 of 116 PageID: Appendix A

Did you know your security solution can help with PCI compliance too?

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire

Best Practices for PCI DSS V3.0 Network Security Compliance

Give Vendors Access to the Data They Need NOT Access to Your Network

Need to be PCI DSS compliant and reduce the risk of fraud?

Reduce the Cost of PCI DSS Compliance with Unified Vulnerability Management

PCI Data Security Standards (DSS)

Credit Card Processing Overview

Enforcing PCI Data Security Standard Compliance

Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking

PCI v2.0 Compliance for Wireless LAN

Credit card acceptance and software security: Vetting your provider. Jude Augusta and Dan Rowe

PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor January 23, 2014

Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) Frequently Asked Questions

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

A MERCHANTS GUIDE TO THE PAYMENT APPLICATION DATA SECURITY STANDARD (PA-DSS)

Introduction to PCI DSS Compliance. May 18, :15 p.m. 2:15 p.m.

PCI Compliance - A Realistic Approach. Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com

PCI DSS 3.0 : THE CHANGES AND HOW THEY WILL EFFECT YOUR BUSINESS

Continuous compliance through good governance

Minnesota State Colleges and Universities System Procedures Chapter 5 Administration. Guideline Payment Card Industry Technical Requirements

CSU, Chico Credit Card PCI-DSS Risk Assessment

Technical breakout session

EMV and Small Merchants:

Josiah Wilkinson Internal Security Assessor. Nationwide

PCI DSS COMPLIANCE DATA

PCI DSS: An Evolving Standard

Course: Information Security Management in e-governance. Day 1. Session 5: Securing Data and Operating systems

Network and Security Controls

Oracle Hospitality OPERA Cloud Services Security Guide Release 1.20 Part Number: E April 2016

Are You Ready For PCI v 3.0. Speaker: Corbin DelCarlo Institution: McGladrey LLP Date: October 6, 2014

Transcription:

NACS/PCATS WeCare Data Security Program Overview March 27, 2012 Abstract This document describes the WeCare Program, discusses common data security threats, outlines an 8-point plan to improve data security, and provides the reader with additional resources for risk reduction. Copyright 2012 Petroleum Convenience Alliance for Technology Standards. All rights reserved. Page 1 of 7

Contributors David Bones, Vendor Safe Technologies Ernie Floyd, Radiant Systems Shekar Swamy, Omega ATC Revision History Revision Date Revision Number Revision Author Revision Changes Mar 27, 2012 1.0 Linda Toth, PCATS Corrected minor grammatical and spelling errors Mar 12, 2012 Draft 0.6 Linda Toth, PCATS Updated contributors, original editors and resource sections Added note that implementing the 8 points does not guarantee compliance with any particular security mandate Feb 29, 2012 Draft 0.5 Linda Toth, PCATS Updated contributors and resource sections Feb 17, 2012 Draft 0.4 Linda Toth, PCATS Standardize format, improve readability Jan 6, 2012 Draft 0.3 David Bones, Vendor Safe Technologies Shekar Swamy, Omega ATC Initial Revision Copyright 2012 Petroleum Convenience Alliance for Technology Standards. All rights reserved. Page 2 of 7

Copyright Statement Copyright 2012 Petroleum Convenience Alliance for Technology Standards. All Rights Reserved. This document may be furnished to others, along with derivative works that comment on or otherwise explain it or assist in its implementation that cite or refer to the standard, specification, protocol or guideline, in whole or in part. All other uses must be preapproved in writing by PCATS. Moreover, this document may not be modified in any way, including removal of the copyright notice or references to PCATS. Translations of this document into languages other than English shall continue to reflect the PCATS copyright notice. The limited permissions granted above are perpetual and will not be revoked by the Petroleum Convenience Alliance for Technology Standards or its successors or assigns. Disclaimers The National Association of Convenience Stores (NACS), Petroleum Convenience Alliance for Technology Standards (PCATS), participating vendors and retailers make no warranty, express or implied, nor do they assume any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process described in these materials. Copyright 2012 Petroleum Convenience Alliance for Technology Standards. All rights reserved. Page 3 of 7

1 Introduction Level 4 merchants are defined by Visa as those merchants who process less than one million Visa transactions annually. Because the cost of a data breach can be significant, a large number of these merchants, primarily single store operators, face the challenge of reducing the risk of a data breach. Low levels of data security increase the potential for data breach incidents. The goal of the NACS/PCATS WeCare Data Security Program is to define a risk reduction program for small operators that is easy to implement and achieves a base level of data security without incurring significant costs. Members of the PCATS Data Security Committee developed this program based on their combined experience in data security and c-store operations. 2 Common Threats Small operators who have installed POS and back office systems with broadband communications are able to serve customers more efficiently by quickly processing credit card transactions. With the improved capabilities comes a host of threats that require management. The major threats include: Weak Remote access and remote control practices that leave the back door open Use of common passwords and common accounts The failure to install and maintain a certified Payment Application resulting in a vulnerable payment environment Over reliance on third-parties to install and manage POS System and not managing risks properly Lack of an anti-malware program designed to trap and contain viruses and other malicious software on an ongoing basis Lack of installed firewall with proper network segmentation Failure to check for overlays on pin pads at the pump to prevent skimming Any one of these threats can easily lead to a data breach. Properly managing these threats requires an ongoing commitment by the store operator. As technology and operating conditions change and evolve, review is necessary to ensure that security measures remain in place. 3 NACS/PCATS WeCare Data Security Program This program can assist you in achieving a baseline level of data security. If you follow these simple guidelines and best practices, you can significantly reduce your risk. However, implementing these steps alone does not meet any particular security mandate or standard, including but not limited to, PCI compliance. Over time, you may be able to incorporate an even higher level of data security than contemplated by this program, so that you will be able to achieve measurable compliance to other industry Copyright 2012 Petroleum Convenience Alliance for Technology Standards. All rights reserved. Page 4 of 7

security standards. The purpose of this program is to help you get started with security so that you will at least mitigate the most common areas of vulnerability. The WeCare Program includes Guidance Documents and Best Practices to address several types of threats. It also includes education and webinars tailored to meet the needs of Level 4 merchants. 4 The 8-Point Data Security Plan Below are the essential elements of data security for your retail sites: 1. Run a certified payment application (PA-DSS validated) Verify that your POS applications are running the current certified versions. There are published lists of approved POS versions that you may refer to or ask your vendor to provide you with documentation. Check the version of your application periodically to verify that it is still in the approved list. 2. Keep your PA-DSS Validated Application Patched and Current Apply recommended patches to your systems and update your POS application to keep them current. If your POS vendor upgrades your POS applications, verify that it is an approved version that is also PA-DSS validated. It is always a good idea to check every POS machine. 3. Install a hardware firewall with adequate network segmentation This important requirement ensures that access to your store network is protected from outside intrusion. Segmentation further improves data security by keeping your POS systems separate from other systems. To be sure, you need to examine the configuration of the firewall frequently to ensure that no one has changed the security after installation. 4. Use only secure, two-factor authenticated remote access and remote control Ensure that anyone who is accessing your systems from the outside is using two forms of authentication to uniquely identify each individual. This requires something known and something physical that validates someone s identity. For example, using a password could be something known, and having a soft token or a key fob could be something physical. Keep in mind that the remote control program itself should also support encryption. Knowing who is accessing your systems and when they are accessing them is one of the easiest ways to maintain security. 5. Change default passwords and have unique accounts for each user Ensure that every POS and back office machine account password is changed frequently. The account name has to be unique for each user - although users often pick their own passwords. Copyright 2012 Petroleum Convenience Alliance for Technology Standards. All rights reserved. Page 5 of 7

6. Run anti-virus or white listing software All systems at your stores must have a good Anti- Virus program, which is frequently updated with the latest signature files. You need to run the scans daily and ensure that you are looking at the results of the scans. Anti-Malware programs are often separate from Anti-Virus and it would be a good idea to use it as well. You may use white listing software to limit your systems to run only authorized programs. This is an alternative to Anti-Virus because it will block viruses from being able to install themselves onto a system, but white listing software will require time and expertise to configure. 7. Do not allow open access to websites from your POS systems Segmentation of the network can limit the POS network from the Internet while still allowing access to the Internet from other stations that are not accepting payments. Also, change the settings on your POS systems to ensure there is no way to surf the web. The only exceptions should be to the approved Anti-Virus update sites and any other logging site for the POS security logs. Disallow everything else. 8. Run external vulnerability scans on the site to identify vulnerabilities and be committed to spending the time it takes to mitigate the gaps found. Performing external scans quarterly will enable you to know how secure your retail site is from the outside. The purpose of the scans is to verify that a hacker on the Internet looking for vulnerable sites will not find any opening into your network from the Internet. Fixing security issues found after a scan will make your retail site more secure. Data breaches at retail locations can be greatly reduced by following the eight points defined above. NACS and PCATS are committed to providing you guidance, education, and best practices to help you in reducing your risk. Data Security is the foundation on which you can build a compliance program. 5 Additional Resources A number of resources are available to help you with data security. These include implementation guides from your payment network provider and POS vendors, as well as educational and technical documents from various organizations such as card merchants, data security standards bodies, and government agencies. In addition, PCATS has put together guidance documents, which are available on their website (http://www.pcats.org/wecare) as follows: 1. PCI Convenience Store Employee Data Security Training Manual This document provides example training and discussion points for use with your store employees to prevent and reduce payment card fraud and security breaches of card data. It also reviews the steps you can take to discourage and reduce theft of card data at your dispensers. Copyright 2012 Petroleum Convenience Alliance for Technology Standards. All rights reserved. Page 6 of 7

2. Guide to Simple Network Design This document provides guidance on simple network design for typical C-Store environments. In addition, this document provides discussion points for consulting with a network or data security professional. C-Store operators are typically non-technical people and network design can be very confusing. To that end, PCATS is offering some very simple designs that locations can use when talking with third parties about network attached systems, configuration of those systems within the store, and the ability to meet the criteria set for security for a level 4 merchant under the PCI Data Security Standards (PCI- DSS). The target audience for this document is the C-Store owner who has no or limited Information Technology (IT) network and security resources. While we expect that C-Store owners are level 4 merchants, this guidance is applicable for all C-Store owners, regardless of actual merchant level. 3. Guide to Remote Access Management This document provides guidance on protecting Convenience Store systems by deploying and using Secure Remote Access Management practices to thwart undesirable access that would compromise cardholder data. It provides a discussion on best practices for Remote Access Management. Each covered topic provides a summary that addresses the high level points, followed by details that allow the reader to dive deeper into the technology specifics The target audience for this document is the C-Store owner who has no or limited Information Technology (IT) network and security resources. While we expect that C-Store owners are level 4 merchants, this guidance is applicable for all C-Store owners, regardless of actual merchant level. Small chains and single site operators often lack the expertise, resources, and/or time to deal with data security. Several vendors who are members of NACS and PCATS are available to help you through the process. They deal with these issues every day for retailers just like you. Contact PCATS (email: info@pcats.org) for additional information. Copyright 2012 Petroleum Convenience Alliance for Technology Standards. All rights reserved. Page 7 of 7

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information