WEBINAR
PCI Compliance and the Restaurant of the Future
October 8, 2013
Presented by
Kamran Chaudhary
Director of Compliance Technology
Qualified Security Assessor (QSA)
ANX eBusiness
Jim Lippard
Senior Product Manager
Security Products
EarthLink Business
Introduction

About EarthLink: Leading provider of data, voice, and IT services for businesses, with services that include managed security and PCI compliance solutions for retailers.

About ANX eBusiness: Qualified Security Assessor (QSA) and Authorized Scanning Vendor (ASV) with the PCI Council. The ANX mission is to protect our customers' information, secure their business interactions and be their trusted platform for collaboration.

Speakers:
Jim Lippard, Sr. Product Manager, Security Products, EarthLink Business
Kamran Chaudhary, Director of Compliance Technology, Qualified Security Assessor (QSA), ANX eBusiness
Agenda
• The basics of PCI DSS compliance
• The risks of non-compliance
• PCI DSS 3.0
• New restaurant technology
• 4 basic steps for maintaining and achieving compliance
• EarthLink/ANX PCI compliance solutions
• Questions
What is PCI Compliance?
• Definition – Payment Card Industry Data Security Standard (PCI-DSS): 6 Control Objectives, 12 Core Requirements, 280+ Audit Procedures
• Set up in 2004 by Visa, MasterCard, American Express, Discover, and JCB to reduce the risk of credit card theft and transfer liability to merchants
• Requires mandatory adoption by all businesses that store, process, or transmit credit/debit card data
Defining the Market Problem
THE EFFECTS OF CREDIT CARD BREACH ON RETAIL BUSINESS ARE DAUNTING
• $80k is the average direct cost of a data breach
• 1 in 6 small businesses will suffer a credit card breach in the next 24 months
• 210 is the average number of days between intrusion and detection
• 70% of breached businesses are out of business within one year of the attack
• 98% of breaches originate from organized criminal groups
What happens if my business is non-compliant and suffers a breach?
1. Credit card transactions – Acquirers may ask merchants to cease processing.
2. Forensic audit – QSA team on-site to determine cause of breach.
3. Implement remediation actions – Can take 90-120 days to complete.
4. Fines and fees – Merchant is responsible for all costs. $80-100K average.
5. Brand equity – Breaches are public knowledge; brand image tarnished.
A credit card breach will cripple your business for months
The bottom line on PCI Compliance
Many myths about PCI compliance:
• “It doesn’t apply to my business”
• “I’m already PCI compliant”
• “I have a firewall in place so I’m compliant”
• “My (fill in the blank) has me covered”
PCI DSS is solely the responsibility of the merchant
• If merchant can’t demonstrate compliance, they cover breach costs.
• If merchant can demonstrate compliance, bank covers breach costs.
>96% of breached businesses were not PCI compliant
If you cannot answer yes to the three questions below, you are NOT PCI Compliant
1. Can you demonstrate that ALL cashiers have completed and understood a formal security awareness training upon hire and at least annually?
2. Can you demonstrate that each employee has read and understood the company security policy and procedures?
3. Have you fully completed your annual SAQs and quarterly vulnerability scans with a 100% pass?
PCI 3.0 Timeline
• PCI 3.0 release: November 7, 2013
• PCI 2.0 expires: Dec 31, 2014
• Best practices become requirements: June 2015
Source: PCI Security Standards Council
What this means for you as a merchant:
• PCI Compliance is here to stay, and is always evolving
• The process incorporates feedback from merchants and QSAs
• Each release includes time for merchants to implement requirements and best practices
What’s new in PCI DSS 3.0
PCI 3.0 emphasizes security versus compliance,
and a more proactive, business-as-usual approach
to protecting cardholder data.
Key themes:
• Education & awareness
• Increased flexibility
• Security as a shared responsibility
• Guidance on emerging technologies
3 types of changes:
• Clarification
• Additional guidance
• Evolving requirement
NEW RESTAURANT TECHNOLOGY
Payment Technology

Technology: Visa Chip and PIN (EMV)
What it is: Europe, Visa leading. Uses contactless NFC chips and a PIN for two-factor authentication on credit card purchases.
The impact on PCI DSS requirements: Annual validation not required for merchants that process 75% of card transactions through chip-enabled terminals.

Technology: Point-to-Point or End-to-End Encryption (P2PE or E2EE)
What it is: Allows merchants to offer point-to-point encryption of card data from point of entry to settlement.
The impact on PCI DSS requirements: Eliminates exposure to fraud and financial liability for the merchant, and reduces PCI scope to 6 PCI steps.

Key points in both scenarios:
• Risk is greatly reduced
• Merchants are still responsible for PCI compliance
Network Technology
• Secure, reliable network connectivity is essential in transitioning to a “Restaurant of the Future”
• Customer-facing systems, e.g. POS, mobile POS, consumer Wi-Fi, digital menus, online ordering and phone ordering, depend on it
• Having the right technology in place reduces PCI DSS scope
• Key technologies to consider:
− Secure Wi-Fi: Includes rogue wireless scanning, guest access with walled garden
− Unified Threat Management (UTM): “Threat management in a box”, including intrusion detection/prevention, anti-malware, anti-virus, anti-spyware
− MPLS WAN: Private, centrally managed network with option to connect POS directly to card processors
New devices = increased security risk
All new entry points need to be secured from hackers: Wi-Fi, security cameras, wireless credit card processors, digital menu boards and more interface to networks via IP addresses
[Figure: evolution of threats by generation. Vertical axis, target and scope of damage: individual computer, individual networks, multiple networks, regional networks, global infrastructure impact. Horizontal axis, time to impact: weeks, days, minutes, seconds.]
• 1st gen (1980s): boot viruses
• 2nd gen (1990s): macro viruses, email, DoS, limited hacking
• 3rd gen (today): network DoS, blended threat (worm + virus + trojan), turbo worms, widespread system hacking
• Next gen (future): infrastructure hacking, flash threats, massive worm-driven DDoS, damaging payload viruses and worms
4 BASIC STEPS TO PCI COMPLIANCE
How to Proactively Protect Your Business from Breach
Step 1: Establish Financial Protection
Step 2: Validate PCI Compliance
Step 3: Achieve Compliance
Step 4: Maintain Compliance
Step 1: Financially Protect Your Business
Acquire adequate breach protection for each store location to help cover direct costs in the event of a breach
As little as $1/day per location can cover the costs of:
• Forensic audit and consultation with a Qualified Security Assessor (QSA)
• Replacement of credit cards and related expenses
• Fines and penalties incurred
Ensure that coverage is retroactive to cover any undiscovered breach
Step 2: Validate PCI Compliance
Requirements by Merchant Level

Requirement                                          | Level 1    | Level 2        | Level 3             | Level 4
Transaction volume                                   | >6 million | 1 to 6 million | 20,000 to 1 million | All other merchants
On-Site QSA Audit (annually)                         | Yes        |                |                     |
Self Assessment Questionnaire (SAQ) (annually)       |            | By a QSA/ISA   | Yes                 | Yes
Authorized Scanning Vendor Scan (ASV) (quarterly)    | Yes        | Yes            | Yes                 | Yes
Security Awareness Training (upon hire and annually) | Yes        | Yes            | Yes                 | Yes
Policy Review and Acceptance (annually)              | Yes        | Yes            | Yes                 | Yes

Note: Other quarterly or annual requirements will apply based on SAQ.
Step 3: Achieve PCI Compliance
• Address gaps identified during the validation process
• Up to 280 requirements depending on your environment
Common issues:
• Outdated firewalls
• Insecure remote access
• Weak security configurations
• Operating system flaws
• Lack of staff training
• Flawed security policies
• Poor change control procedures
Step 4: Maintain Compliance
• Conduct on-going PCI training for employees including cashiers and IT staff
• Document and enforce security policies
• Conduct regular assessments and network scans for all locations and remediate gaps
• Identify and work closely with a PCI Compliance partner who can help
EarthLink PCI Compliance Solutions
• PCI Compliance Validation
− Powered by ANX eBusiness, QSA and ASV
− $100,000 in breach protection per location
− Portal with all of the tools Level 2-4 merchants need to validate compliance
• Private MPLS WAN Network
− Secure connectivity for all of your restaurants, all centrally managed from one location
− Direct connections from POS to card processors
• Managed security
− Firewall, mobile device management, secure remote access
“We rely on the EarthLink MPLS network 24/7 to run our restaurant operations. The private network also supports PCI compliance and allows us to control and monitor all 200 restaurants from one location.”
Questions?
For more information:
http://www.earthlinkbusiness.com/restaurant-pci-compliance/