PCI Compliance and the Restaurant of the Future
October 8, 2013
Webinar, presented by:
Jim Lippard, Senior Product Manager, Security Products, EarthLink Business
Kamran Chaudhary, Director of Compliance Technology, Qualified Security Assessor (QSA), ANX eBusiness
About EarthLink
Leading provider of data, voice, and IT services for businesses, with services that include managed security and PCI compliance solutions for retailers.
About ANX eBusiness
Qualified Security Assessor (QSA) and Authorized Scanning Vendor (ASV) with the PCI Council. The ANX mission is to protect our customers' information, secure their business interactions and be their trusted platform for collaboration.
Introduction

Speakers
Jim Lippard, Sr. Product Manager, Security Products, EarthLink Business
Kamran Chaudhary, Director of Compliance Technology, Qualified Security Assessor (QSA), ANX eBusiness

Agenda
• The basics of PCI DSS compliance
• The risks of non-compliance
• PCI DSS 3.0
• New restaurant technology
• 4 basic steps for achieving and maintaining compliance
• EarthLink/ANX PCI compliance solutions
• Questions
What is PCI Compliance?
Definition – Payment Card Industry Data Security Standard (PCI DSS)
• Established in 2004 by Visa, MasterCard, American Express, Discover, and JCB to reduce the risk of payment card data theft; it places responsibility for protecting card data, and liability for a breach, on the merchants that handle it
• Mandatory for every business that stores, processes, or transmits credit/debit card data
The standard is organized as 6 control objectives, 12 core requirements, and 280+ audit procedures (the test procedures an assessor works through)
Defining the Market Problem
The effects of a credit card breach on a retail business are daunting:
• $80k – average direct cost of a data breach
• 70% of breached businesses are out of business within one year of the attack
• 1 in 6 small businesses will suffer a credit card breach in the next 24 months
• 98% of breaches originate from organized criminal groups
• 210 – average number of days between intrusion and detection
What happens if my business is non-compliant and suffers a breach?
A credit card breach will cripple your business for months:
1. Card transactions – the acquirer may require the merchant to stop accepting cards.
2. Forensic investigation – an investigation team (a PCI Forensic Investigator engaged for the card brands, not the merchant's own QSA) comes on-site to determine the cause and extent of the breach.
3. Remediation – implementing the required fixes can take 90-120 days to complete.
4. Fines and fees – the merchant is responsible for all costs; $80-100K on average.
5. Brand equity – breaches become public knowledge, and the brand image is tarnished.
The bottom line on PCI Compliance
Many myths about PCI compliance:
• “It doesn’t apply to my business”
• “I’m already PCI compliant”
• “I have a firewall in place so I’m compliant”
• “My (fill in the blank) has me covered”
PCI DSS compliance is solely the merchant’s responsibility, not the vendor’s or the bank’s:
• If the merchant cannot demonstrate compliance at the time of the breach, the merchant covers the breach costs (fines, forensic investigation, card reissuance).
• If the merchant can demonstrate compliance, the acquiring bank covers those costs.
>96% of breached businesses were not PCI compliant at the time of the breach.
If you cannot answer yes to all three questions below, you are NOT PCI compliant:
1. Can you demonstrate that ALL cashiers have completed and understood formal security awareness training upon hire and at least annually?
2. Can you demonstrate that each employee has read and understood the company security policy and procedures?
3. Have you fully completed your annual SAQ and your quarterly ASV vulnerability scans, with a passing result on every scan?
PCI 3.0 Timeline
Source: PCI Security Standards Council
• PCI DSS 3.0 released: November 7, 2013
• PCI DSS 2.0 expires: December 31, 2014
• Best practices become requirements: after June 30, 2015
What this means for you as a merchant:
• PCI compliance is here to stay, and the standard is always evolving
• The process incorporates feedback from merchants and QSAs
• Each release includes a transition period for merchants to implement the new requirements and best practices
What’s new in PCI DSS 3.0
PCI DSS 3.0 emphasizes security over compliance, and a more proactive, business-as-usual approach to protecting cardholder data.
Key themes:
• Education and awareness
• Increased flexibility
• Security as a shared responsibility
• Guidance on emerging technologies
3 types of changes:
• Clarification
• Additional guidance
• Evolving requirement
NEW RESTAURANT TECHNOLOGY
Payment Technology

Technology: EMV chip and PIN
What it is: The chip-card standard already established in Europe, with Visa leading the US rollout. The terminal authenticates the card’s embedded chip and the cardholder enters a PIN, giving two factors (the chip the cardholder has, the PIN they know) for card-present purchases; contactless (NFC) EMV uses the same chip over a short-range radio interface.
Impact on PCI DSS requirements: Under Visa’s Technology Innovation Program, annual compliance validation is not required for merchants that process at least 75% of card transactions through chip-enabled terminals. Scope is not eliminated: EMV authenticates the card, it does not protect card data as it passes through the merchant’s systems.

Technology: Point-to-Point or End-to-End Encryption (P2PE or E2EE)
What it is: Card data is encrypted at the point of entry (the card reader) and decrypted only at the processor or settlement side, so the merchant’s POS and network never handle cleartext card data.
Impact on PCI DSS requirements: Greatly reduces the merchant’s exposure to card data theft and the associated financial liability, and reduces PCI DSS scope to a small set of requirements (a validated P2PE solution qualifies an eligible merchant for the short P2PE SAQ).

Key points in both scenarios:
• Risk is greatly reduced
• Merchants are still responsible for PCI compliance
Network Technology
• Secure, reliable network connectivity is essential in transitioning to a “Restaurant of the Future”
• Customer-facing systems (POS, mobile POS, consumer Wi-Fi, digital menus, online ordering and phone ordering) depend on it
• Having the right technology in place reduces PCI DSS scope, by keeping cardholder data off the networks those other systems share
• Key technologies to consider:
− Secure Wi-Fi: includes rogue wireless scanning (PCI DSS requires testing for unauthorized wireless access points at least quarterly) and guest access confined to a walled garden, segmented from the cardholder data environment
− Unified Threat Management (UTM): “threat management in a box”, including intrusion detection/prevention, anti-malware, anti-virus and anti-spyware
− MPLS WAN: a private, centrally managed network with the option to connect POS systems directly to card processors
New devices = increased security risk
[Figure: evolution of threats by generation, from the 1980s through today to the future]
• 1st gen (1980s): boot viruses
• 2nd gen (1990s): macro viruses, email-borne malware, DoS, limited hacking
• 3rd gen (today): network DoS, blended threats (worm + virus + trojan), turbo worms, widespread system hacking
• Next gen (future): infrastructure hacking, flash threats, massive worm-driven DDoS, damaging-payload viruses and worms
Across these generations the time to impact shrinks from weeks to days, minutes and seconds, while the target and scope of damage grows from an individual computer to individual networks, multiple networks, regional networks and finally global infrastructure.
All new entry points need to be secured from attackers: Wi-Fi, security cameras, wireless credit card processors, digital menu boards and more now interface to networks via IP addresses.
4 BASIC STEPS TO PCI COMPLIANCE
How to Proactively Protect Your Business from Breach
Step 1: Establish Financial Protection
Step 2: Validate PCI Compliance
Step 3: Achieve Compliance
Step 4: Maintain Compliance
Step 1: Financially Protect Your Business
Acquire adequate breach protection for each store location to help cover the direct costs in the event of a breach.
For as little as $1/day per location, coverage can include:
• Forensic investigation and consultation with a Qualified Security Assessor (QSA)
• Replacement of compromised cards and related expenses
• Fines and penalties incurred
Ensure that coverage is retroactive, so that a breach that began before the policy date but is discovered later is still covered.
Step 2: Validate PCI Compliance
Requirements by Merchant Level
• Level 1 (>6 million transactions): on-site QSA audit annually; Authorized Scanning Vendor (ASV) scan quarterly
• Level 2 (1 to 6 million): Self-Assessment Questionnaire (SAQ) annually, completed by a QSA/ISA; ASV scan quarterly
• Level 3 (20,000 to 1 million): SAQ annually; ASV scan quarterly
• Level 4 (all other merchants): SAQ annually; ASV scan quarterly
• All levels: security awareness training upon hire and annually; policy review and acceptance annually
Note: other quarterly or annual requirements will apply depending on the SAQ type.
Step 3: Achieve PCI Compliance
Address the gaps identified during the validation process (up to 280 requirements, depending on your environment).
Common issues:
• Outdated firewalls
• Insecure remote access
• Weak security configurations
• Operating system flaws
• Lack of staff training
• Flawed security policies
• Poor change control procedures
Step 4: Maintain Compliance
• Conduct ongoing PCI training for employees, including cashiers and IT staff
• Document and enforce security policies
• Conduct regular assessments and network scans for all locations and remediate gaps
• Identify and work closely with a PCI Compliance partner who can help
EarthLink PCI Compliance Solutions
• PCI compliance validation powered by ANX eBusiness (QSA and ASV)
• $100,000 in breach protection per location
• Portal with all of the tools Level 2-4 merchants need to validate compliance
• Private MPLS WAN network: secure connectivity for all of your restaurants, centrally managed from one location, with direct connections from POS to card processors
• Managed security: firewall, mobile device management, secure remote access
“We rely on the EarthLink MPLS network 24/7 to run our restaurant operations. The private network also supports PCI compliance and allows us to control and monitor all 200 restaurants from one location.”
Questions?
For more information: http://www.earthlinkbusiness.com/restaurant-pci-compliance/