PCI DSS
Managed Service Solution
October 18, 2011
Who is Vendor Safe?
Founded in 1989 in Houston, Texas:
20 Plus Years of Security Experience
 Internet Security
 Network Security
 Data Security
Transformation in 2007:
Managed Firewall Architecture
Provide Security First – PCI Compliance Will Follow
PCI DSS Security Experts
2
Why Care about PCI Compliance
The Problem:
“Many Franchise owners and IT
Managers underestimate the
high risk of credit card fraud
and the consequences that
follow.”
3
PCI - Terms
•
•
•
•
•
•
•
PA - DSS ( Payment Application)
PCI- DSS ( Data Security)
SAQ -( Self Assessment Questionnaire)
Scans - External, Internal, Wireless
ASV - Authorized Scanning Vendor
QSA – Qualified Security Assessor
Compliance vs. Validation
I Signed What?
7 Data Security and Privacy
You agree to post and maintain on all your Web Sites both your consumer data policy (which must comply with all Payment Brand
Rules, Regulations, and Guidelines) and your method of transaction security. You may not retain or store CW2/CVC2 data or PIN
data subsequent to the authorization. You must comply with all Security Standards published by the Payment Brands and the
PCISSC including, but not limited to, Visa’s Customer Information Security Program (“CISP”), MasterCard’s Security Data Program
(“MDSP”) and the Payment Card Industry Data Security Standard (“PCIDSS”). Pursuant to the Security Standards, you must,
among other things: (i)
install and maintain a working network firewall to protect data accessible
via the internet; (ii) keep security patches up to date; (iii) encrypt stored data and data
sent over open networks; (iv) use and update antivirus software; (v) restrict access to employees
who are on a “need to know” basis; (vi) assign a unique ID to each person with computer access to
data; (vii) not use vendor-supplied defaults for system passwords and other security
parameters; (viii) track access to data by unique ID; (ix) regularly test security systems and processes; (x) maintain a policy
that addresses information security for employees and contractors; (xi) restrict physical access to Customer information; (xii) when
outsourcing administration of information assets , networks, or data you must retain legal control of proprietary information and use
limited “need to know” access to such assets, networks or data; and (xiii) reference the protection of Customer Information and
compliance with the Security Standards in contracts with other service providers. You must n otify Paymentech of any third party
vendor with access to Customer Information, and you are responsible for ensuring that all third party vendors are compliant with the
Security Standards, to the extent applicable. The Security Standards may require that you engage an approved third party vendor to
conduct quarterly perimeter scans and/or security reviews can be accessed through Visa and Mastercard websites at
www.Visa.com and www.MasterCard.com
Merchants have already agreed to be PCI Compliant !
5
It Won’t Happen to Me!
Hackers Shift Attacks to Small Firms
Hacking at small businesses "is a prolific problem," says Dean
Kinsman, a special agent in the Federal Bureau of Investigation's
cyber division, which has more than 400 active investigations into
these crimes. "It's going to get much worse before it gets better."
Joe Angelastri, owner of City
News stand in the Chicago area,
is out $22,000 because cyber
hackers attacked his stores'
payment system.
Article – Wall Street Journal 7-21-2011
6
Breach - Ugly Facts
• Forensic Audit 6k - 10K (per location)
• Audit sent to Card Brands and Merchant
Bank
• Scope of Breach Determined
• Fees / Fines Assessed (+ 10k cards)
• Remediation - Required for Lack of
Security – or Additional Fines (5k)
• Customer Loss and Brand Damage
PCI Solution Overview
PCI is More Than POS
8
PCI Solution Overview 12-286
12 Requirements
Vendor Safe Solutions
Install and Maintain a Firewall
•
Vendor Safe Global Security Mesh / Security Services
Change Default Passwords
•
•
Vendor Safe Equipment and Remote Access is compliant
Policy to assist client with LAN management
Protect Stored Data
•
Vendor Safe Security Policy provided to address credit card data
Encrypt Credit Card Transmissions
•
Vendor Safe equipment can encrypt to the highest standards (wired and wireless)
Updated Anti-Virus Software
•
Optional Vendor Safe Managed Anti-Virus Service or POS Reseller provided
Develop Secure Applications
•
Vendor Safe does NOT Provide Payment Software (PA-DSS Certified Versions)
Restrict Access to Data
•
•
Vendor Safe Hierarchical remote access VPN architecture
Vendor Safe Customer policies and procedure templates
Assign a unique ID for users
•
•
Vendor Safe two factor remote access (different account for each user)
Vendor Safe Customer policies and procedure templates
Restrict Physical Access
•
Vendor Safe Training material (Web Videos / Policy and Procedure Templates)
Track and Monitor Data Access
•
Vendor Safe Workstation Logging client available Lanscribe™
Regularly Test Vulnerabilities
•
•
Vendor Safe Internal and External Vulnerability scanning services
Vendor Safe Penetration Testing Guide
Maintain Policy and Procedures
•
•
Vendor Safe Template Provided and maintained by customer
Vendor Safe available for professional services if needed
9
VST Value Proposition
• Heavy Lifting Components of PCI - DSS
– High End Firewall, Secure Network Segments required (In
Scope) Devices for PCI DSS
– Provides Secure Remote Access, Policy Based
– 2 Factor Authentication, SMS or Email
– Logging and Storage – Firewall, Remote Access
– Managed Service, Updates, and 24x7 Monitoring
– System Logs and File Integrity Monitoring (LAN Scribe)
– Internal Scan
– Wireless Detection Scan
Platinum Package
Global Security Mesh™
 $100,000 TrustVault™ Certificate
 Managed Juniper Firewall with VPN
 Implementation, Set-up, and Configuration
 Gateway Session Logging
 Logs Stored Online for 1 Year
 Secure Remote Access with Two Factor
Authentication
 SMS / Email OTP Validation
 Forced Configuration Manager™
 Ensures Secure Communications
 Enforces Antivirus policies
11
Platinum Package Cont’d
Global Security Mesh™
 Network Segmentation to meet PCI Standards
 IPS / IDS
 Web Filtering / Content Management
 24 x 7 x 365 Event Logging, Monitoring, and Support
 Centralized Firewall Configuration Management
 Firewall Security Policy Template Updates
 Ongoing Firewall Change Control and Policy Updates
 Includes Technological Changes to PCI-DSS Standard
 Next Business Day Hardware
Replacement
12
Platinum Package
 Package Geared towards SAQ D Attestation Level
Merchants
 Automated security policies that reflect the more
complicated requirements of the environment
 LANScribe™ - Workstation Logging and File Integrity
Monitoring (Up to 6 Workstations)
13
Beyond PCI™ Security
Beyond PCI Security Services
• Rogue Device Manager™
Identifies unknown devices plugged into network
“Block” Mechanism Built into System
• IP Data Blocker™
Centrally managed system to prevent
unauthorized data transmission to unknown IP
addresses for an organization
14
TrustVault™ Certificate
The Vendor Safe Guarantee:
 Covers up to $100,000 in Direct Expenses Relating to a
Data Breach including:
 Mandatory Security Audit
 Card Replacement Fees
 Fines and Penalties, ex. VISA
 Covers Electronic Data Breach at Every Franchisee Location
15
PCI Solution Validation
PCI Compliance Reporting Services
Web Portal Services:
 Self Assessment Questionnaire
 SAQuick™ Questionnaire
 On-Line Access to Compliance Status
 Quarterly Vulnerability Scanning
 Schedule scans automatically
 Print out vulnerability reports
 ASV on record 403-Labs
 Report Generator
 Real-time Report Generator
 Print SAQ and Scan reports
16
Questions
David Bones
dbones@vedorsafe.com
210-412-4756
17