Payment Painkillers: How to secure customer payment data in a complex world

Similar documents
Adyen PCI DSS 3.0 Compliance Guide

Worldpay s guide to the Payment Card Industry Data Security Standard (PCI DSS)

ICS Presents: The October 1st 2015 Credit Card Liability Shift: This Impacts Everyone!

Your guide to the Payment Card Industry Data Security Standard (PCI DSS) Merchant Business Solutions. Version 5.0 (April 2011)

Project Title slide Project: PCI. Are You At Risk?

WHITE PAPER. How to simplify and control the cardholder security environment

How To Comply With The New Credit Card Chip And Pin Card Standards

PCI Security Standards Council

Puzzled about PCI compliance? Proactive ways to navigate through the standard for compliance

PCI DSS Payment Card Industry Data Security Standard. Merchant compliance guidelines for level 4 merchants

Tokenization Amplified XiIntercept. The ultimate PCI DSS cost & scope reduction mechanism

A PCI Journey with Wichita State University

An article on PCI Compliance for the Not-For-Profit Sector

TOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE. ebook Series

PCI Compliance 3.1. About Us

P R O G R E S S I V E S O L U T I O N S

Security. Tiffany Trent-Abram VP, Global Product Management. November 6 th, One Connection - A World of Opportunities

PCI DSS Top 10 Reports March 2011

PCI Overview. Lee Buttke Director of Consulting QSA, CPISM, CISSP

How To Protect Your Business From A Hacker Attack

Whitepaper. PCI Compliance: Protect Your Business from Data Breach

PCI Compliance in Multi-Site Retail Environments

PCI Compliance. Top 10 Questions & Answers

<COMPANY> P07 - Third Parties Policy

PCI DSS Compliance Information Pack for Merchants

PCI DSS. Payment Card Industry Data Security Standard.

PCI DSS. CollectorSolutions, Incorporated

WHITE PAPER. PCI Basics: What it Takes to Be Compliant

Whitepaper. PCI Compliance: Protect Your Business from Data Breach

Data Security for the Hospitality

PCI DSS 101 FOR CTOs AND BUSINESS EXECUTIVES

A HOLISTIC APPROACH TO MERCHANT PAYMENT SECURITY. 2016, Vantiv, LLC. All rights reserved.

PCI Compliance: Protection Against Data Breaches

Payment Security teleconference

PCI Security Compliance

PCI Compliance Top 10 Questions and Answers

Target Security Breach

PCI PA-DSS Requirements. For hardware vendors

Corbin Del Carlo Director, National Leader PCI Services. October 5, 2015

How To Secure Your Store Data With Fortinet

What You Need to Know About PCI SSC Guiding open standards for global payment card security

PCI Compliance Overview

SECURITY FIRST: CLARITY ON PCI COMPLIANCE

Protecting Cardholder Data Throughout Your Enterprise While Reducing the Costs of PCI Compliance

IT Security Compliance PCI DSS FOR MERCHANTS THE PAYMENT CARD INDUSTRY DATE SECURITY STANDARD WHITE PAPER

How To Protect Your Credit Card Information From Being Stolen

PCI Compliance: How to ensure customer cardholder data is handled with care

SecurityMetrics Introduction to PCI Compliance

Payment Card Industry (PCI) Data Security Standard (DSS) Motorola PCI Security Assessment

Drive your fraud rates down

Need to be PCI DSS compliant and reduce the risk of fraud?

Foregenix Incident Response Handbook. A comprehensive guide of what to do in the unfortunate event of a compromise

8/17/2010. Over 90% of all compromised merchants are PCI level 4 (small) merchants or merchants with less than 1 million transactions per year

Payment Card Industry Data Security Standard

Securing Your Customer Data Simple Steps, Tips, and Resources

PCI Security Standards Council

PCI Compliance. Crissy Sampier, Longwood University Edward Ko, CampusGuard

PCI DSS v3.0 SAQ Eligibility

It Won t Happen To Me! A Network and PCI Security Webinar Presented By FMS and VendorSafe

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015

What s New in PCI DSS Cisco and/or its affiliates. All rights reserved. Cisco Systems, Inc 1

PAYMENT SECURITY. Best Practices

The PCI DSS Compliance Guide For Small Business

PCI DSS 3.0 Overview. OSU Business Affairs Business Affairs PIT Crew - Project, Improvement, & Technology Robin Whitlock

Customer PCI 3.0 Changes = New Opportunity For You. Giles Witherspoon-Boyd SecurityMetrics

PCI Data Security Standards. Presented by Pat Bergamo for the NJTC February 6, 2014

A Compliance Overview for the Payment Card Industry (PCI)

Payment Card Industry - Achieving PCI Compliance Steps Steps

How To Protect Your Restaurant From A Data Security Breach

How To Protect Visa Account Information

PCI DSS Presentation University of Cincinnati

CHEAT SHEET: PCI DSS 3.1 COMPLIANCE

Payment Card Industry Standard - Symantec Services

Payment Card Industry (PCI) Data Security Standard. Attestation of Compliance for Self-Assessment Questionnaire C-VT. Version 2.0

HOW TO PREPARE FOR A PCI DSS AUDIT

Comodo HackerGuardian. PCI Security Compliance The Facts. What PCI security means for your business

Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008

DataStealth and your PCI-DSS audit

Technology Innovation Programme

EMV Delivery of Mobile, Parking and Unattended Payments. Elavon

Merchant guide to PCI DSS

Is the PCI Data Security Standard Enough?

Policy. London School of Economics & Political Science. PCI DSS Compliance. Jethro Perkins IMT. Information Security Manager. Version Release 1.

2015 PCI DSS Meeting. OSU Business Affairs Projects, Improvement, and Technology (PIT) Robin Whitlock

Becoming PCI Compliant

Introduction to PCI DSS Compliance. May 18, :15 p.m. 2:15 p.m.

2.1.2 CARDHOLDER DATA SECURITY

PCI PA - DSS. Point XSA Implementation Guide. Atos Worldline Banksys XENTA SA. Version 1.00

PCI-DSS: A Step-by-Step Payment Card Security Approach. Amy Mushahwar & Mason Weisz

Payment Methods. The cost of doing business. Michelle Powell - BASYS Processing, Inc.

SellWise User Group. Thursday, February 19, 2015

PCI Compliance 101: Payment Card. Your Presenter: 7/19/2011. Data Security Standards Compliance. Wednesday, July 20, :00 pm 3:00 pm EDT

Are You Ready For PCI v 3.0. Speaker: Corbin DelCarlo Institution: McGladrey LLP Date: October 6, 2014

PCI DSS 101- The background you need for understanding the PCI DSS

HOSTING. Managed Security Solutions. Managed Security. ECSC Solutions

Application Delivery in PCI DSS Compliant Environments

Agenda. Agenda. Security Testing: The Easiest Part of PCI Certification. Core Security Technologies September 6, 2007

Trend Micro VMware Solution Guide Summary for Payment Card Industry Data Security Standard

Payment Card Industry Data Security Standards.

How To Use Fis Payment Gateway

Transcription:

Payment Painkillers: How to secure customer payment data in a complex world

A better way to secure payment data There is a more secure, affordable, manageable and sustainable way for retailers to secure customers payment data and it doesn t involve Point to Point Encryption (P2PE). Vodat International has created this special report to help senior retail executives build an effective strategy for getting PCI compliance. It starts with understanding the real cost to your business of poorly secured payment data. Payment data is vulnerable and under continuous assault. In fact, it remains one of the easiest types of data to convert to cash, and therefore the preferred choice of criminals. 74% of attacks on retail, accommodation and food services companies target payment card information. A breach costs on average 95 per customer record lost, of which over half ( 50) is due to indirect costs such as drops in turnover and customer churn. cost of a breach is 2.21m, up 8% on 2013 Per company, the average cost of a breach is 2.21m, up 8% on 2013 due mostly to increased customer churn, proving that consumers are becoming more aware of payment security and voting with their feet. Where there is an obligation on the retailer to secure critical customer data credit and debit card information the response from many retailers has been both mixed and heavily delayed. According to a Government report on information security breaches, retailers spend the least on information security compared to other sectors in the UK. 74% of attacks on retail, accommodation and food services companies target payment card information. Page 2

Retailers are still not effectively securing payment data Payment Card Industry (PCI) compliance is mandated by the Card Schemes and the PCI Security Standards Council created the standards that retailers must attain, and yet companies are still not PCI compliant. A recent report into the payments landscape revealed: Only 38% of businesses are PCI compliant Only 27% of retailers fully understand the PCI requirements and how to gain compliance Only 19% are aware of the penalties for non-compliance Confusion in some areas clearly reigns, further complicated by the advent of Point-to-Point Encryption (P2PE), promoted as the Holy Grail for PCI scope reduction, but which hides some uncomfortable truths. The cost of implementing P2PE will almost certainly be higher than most retailers appreciate. Worse, it will not reduce the scope of PCI quite as much as has been suggested. The result might be that merchants ends up with two headaches: one for PCI and one for P2PE, both of them painful, expensive to remove, and likely to return unless carefully managed every day. P2PE only covers the customer-present environment, so excludes both online and the call centre. In addition, some so-called P2PE offerings are not validated solutions, as listed on the PCI web site, running further risk that these recommendations will not be accepted by a QSA. What s wrong with most P2PE services? Inflexible as the solution has been developed by commercial organisations, many of the P2PE solutions are developed for specific hardware, so there are limited integration capabilities Complex complicated managed environment to maintain compliance Expensive implementing P2PE involves extensive software and hardware changes for all transaction points Counter-productive P2PE designed to take data security responsibility away from retailers. P2PE compliance management shifts that responsibility back to the retailer 1 Verizon, Data Breach Investigations Report, 2013 2 IBM/Ponemon Institute, Cost of Data Breach Study: United Kingdom, 2014 3 Department for Business and Innovation Skills/PWC/Infosecurity Europe, Information Security Breaches Survey, 2014 4 Sage Pay, The Payments Landscape, 2014 Page 3

A road less travelled The claim that P2PE is the only option for reducing PCI scope is wrong. There is an alternative that is more secure, affordable, manageable and sustainable. It involves removing sensitive card data from the merchant s network altogether, to the extent that 10 of the 12 PCI Data Security Standards (DSS) requirements are wholly delivered by a third party. Even for the remaining two, PCI compliance scope is reduced. The end result is that the solution delivers the same benefits of scope reduction without the constraints of implementing P2PE. This solution is Vodat s Unified Payment Service. The alternative to P2PE: Remove sensitive card data altogether Page 4

The Vodat solution in detail Vodat s Unified Payment Service is an integrated in-store solution that provides retailers with a single, fast and secure interface for all card present EFT transactions. The service is managed totally by Vodat International through a secure, resilient network. The solution consists of IP based Chip and PIN Entry Devices (PED) and a managed firewall. The firewall provides network isolation between the PEDs and the in-store network. All communications from the Point of Sale (PoS) to the PED and back are via the firewall into and out of the Vodat secure data centres. The PoS and PED are never connected and never communicate directly. Implementing payment solutions in this way reduces scope against the PCI DSS. Highlights All traffic to the PEDs from the merchant network is considered untrusted and blocked. The PEDs can only communicate with the Vodat Unified Payment Service data centres in order to process payment. Merchant personnel have no access to the firewall management interfaces. Page 5

Vodat s managed firewall is configured with a number of additional security features that further assist in mitigating threats as well as in meeting PCI compliance requirements: Network Address Translation Intrusion Detection ARP Spoofing prevention (assists with man in the middle mitigation). Unified Payment Service grew out of an industry oversight; the Special Interest Group (SIG) that worked on P2PE overlooked what was the simple option. A number of Chip and PIN terminal manufacturers already supported Transport Layer Security (TLS), which forms the basis of the Vodat Unified Payment Service, a Secure Alternative to P2PE, and a Level 1 PCI DSS compliant service. Vodat further enhanced the solution using encryption, which occurs on the PED. All data remains encrypted until it s safely received in Vodat s secure data centres. Because Vodat operates the service this also reduces scope for users; there is no complex key management or rotation processes to implement and no central infrastructure scope. PCI DSS Requirement (based on SAQ B-IP)* Vodat Responsibility Merchant Responsibility Requirement 1 Requirement 2 Requirement 3 Requirement 4 Requirement 6 Requirement 7 Requirement 8 Requirement 9 Guidance provided by Vodat Physical security responsibility of merchant Requirement 11 Requirement 12 Guidance provided by Vodat Reduced requirement in SAQ B-IP * Requirement 10 (track and monitor all access to network resources and cardholder data) is not in this list because it is not required for SAQ B-IP. Vodat s approach to payment data isolation has been validated and endorsed by a leading independent IT audit and compliance firm, Coalfire, and the global Thought Leaders on enhancing the security of vital data and communications resources, MWR InfoSecurity. The architecture and benefits of this approach are published in a white paper (LINK). Page 6

Why act now? Merchants have been urged for nearly 10 years to ensure that their systems are fully PCI compliant, which explains the sense of fatigue many now experience at the constant barrage of vendor pressure. However, the business imperatives are mounting as merchants recognise that their current legacy systems and PoS hardware are no longer able to serve the multichannel consumer. Worse, PCI PTS v1.x PIN Entry Devices must be replaced by 31st December 2017; although Vodat s Unified Payment Service ensures no current legacy systems and PoS hardware are no longer able to serve the multi-channel consumer customer data reaches the Point of Sale, so replacement can focus on PEDs rather than the whole network and PoS operating system. The urgency to act should be based on retailers desire to secure customer data and avoid the financial and reputation resulting from breaches, regardless of whether it will be mandated or not. We recommend that organizations define, implement, and maintain a process to proactively manage the scope of compliance for each environment. Government Report on Information Security Breaches Page 7

Where to start As the leading provider of telecom solutions and private managed networks to retailers, Vodat recommend that we carry out a free review of your current network to determine where the vulnerabilities lie. Click here for more details Page 8

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information