101007 how to sell pci compliance (external)
TRANSCRIPT
[Slide graphic: two road signs reading "PCI Road Ahead", a speed limit of 80 on the "With" side and 45 on the "Without" side]
How to Sell PCI Compliance
Agenda
Primer on PCI
Anatomy of PCI Transaction
PCI Mapping to SonicWALL
Example of PCI Deployments
Strategies & Tactics
The Pitch
Q&A
PCI-DSS: Payment Card Industry Data Security Standard
PCI Standards Council: JCB, Visa International, American Express, Discover Financial Services, MasterCard Worldwide
The protection of cardholder data anywhere it resides within, or is transmitted by, a merchant’s system.
Enforced by credit card companies, not governments - yet
Non-compliance can result in fines, restrictions of credit card services and loss of consumer confidence
PCI SSC Responsibilities
PCI Industry Standards
CONFIDENTIAL All Rights Reserved
Roles of the Payment Brands
Function                   Visa   M/C         Amex   Discover    JCB
Data security program      CISP   SDP         DSOP   DISC        DSP
Service provider           VNP    TPP / DSE   TPP    TPP / PSP   TPP
Other functions listed for the brands: authorization services; clearing services; settlement services; establishing operating rules & regulations; issuing cards through 3rd parties; acquiring transactions through 3rd parties; issuing cards directly; acquiring transactions directly.
Comparison of US / RoW / WW Compliance Status Validation Update*
PCI Category (Transactions/year)                  US Estimated       RoW Estimated      WW Estimated
                                                  Population Size    Population Size    Population Size
Level 1 Merchant** (>6M)                          352                1,006              1,358
Level 2 Merchant** (1-6M)                         895                2,557              3,452
Level 3 Merchant (e-commerce only, 20,000 – 1M)   2,482              7,091              9,573
Level 4 Merchant (<1M)                            ~5.0M              ~14.3M             ~19.3M
*Source: http://usa.visa.com/download/merchants/cisp_pcidss_compliancestats.pdf
Figures are estimates based upon the US PCI DSS Compliance Status report as of September 30, 2009, with the US serving as 35% of the WW market.
**Excludes new Level 1 and 2 merchants identified in 2008, due to validate by September 30, 2009 and December 31, 2009, respectively.
Level 4 compliance is moderate among stand-alone terminal merchants, but lower among merchants using integrated payment applications.
Past and Upcoming PCI DSS Deadlines
January 1, 2008: New merchants or merchants changing acquiring banks could not use applications known to be vulnerable.
July 1, 2008: Processors could not allow new applications to connect to their network that are not PA DSS-validated.
October 1, 2008 (L3/L4): New merchants or merchants changing acquiring banks had to be PCI DSS compliant or use PA DSS-validated applications. PCI DSS Version 1.2 was made available.
September 30, 2009: Acquirers must attest that Level 1 and 2 merchants do not retain prohibited payment card data subsequent to authorization of a transaction.
October 1, 2009: Processors must block all vulnerable applications from connecting to their network.
July 1, 2010: All merchants must use only PA DSS-validated applications. All other applications will no longer work on the Visa payment network.
September 30, 2010: PCI DSS compliance validation deadline for Level 1 merchants.
October 28, 2010: PCI DSS 2.0 released.
June 30, 2011: MasterCard requirement for Level 2 merchants to be assessed by a QSA or to self-assess with a PCI ISA.
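The September 30, 2009 item above and PCI DSS Requirement 3 both come down to one question a merchant's security team has to be able to answer: is cardholder data sitting in the clear anywhere it should not be? As an added example (not from this deck and not SonicWALL code), the scanner below looks for primary account numbers in application or POS log lines, uses the Luhn checksum to drop digit runs that are merely order ids or timestamps, and masks each hit to the first six and last four digits, which is the most PCI DSS Requirement 3.3 permits to be displayed. The log lines are constructed for the example, and the card numbers in them are the well-known public test numbers, not real accounts. It covers PANs only; sensitive authentication data such as full track data, CVV2 and PIN blocks, which Requirement 3.2 forbids storing after authorization at all, needs its own patterns.

```python
"""Find cleartext PANs in log lines and show PCI DSS 3.3-style masking.
Added example; sample lines are constructed and use public test card numbers."""
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out most non-PAN digit runs (order ids, timestamps)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the maximum Requirement 3.3 allows on display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def _digits_if_pan(match_text: str):
    """Return the digit string when a regex match passes length and Luhn checks, else None."""
    digits = re.sub(r"[ -]", "", match_text)
    if 13 <= len(digits) <= 19 and luhn_ok(digits):
        return digits
    return None


def find_pans(line: str):
    """Return every Luhn-valid PAN in one line, digits only."""
    found = []
    for m in PAN_RE.finditer(line):
        digits = _digits_if_pan(m.group())
        if digits:
            found.append(digits)
    return found


def redact_line(line: str) -> str:
    """Replace each PAN in the line with its masked form; other text is untouched."""
    def repl(m):
        digits = _digits_if_pan(m.group())
        return mask_pan(digits) if digits else m.group()
    return PAN_RE.sub(repl, line)


def scan(lines):
    """Return (line_number, [masked PANs]) for every line that holds a cleartext PAN."""
    hits = []
    for n, line in enumerate(lines, 1):
        pans = find_pans(line)
        if pans:
            hits.append((n, [mask_pan(p) for p in pans]))
    return hits


# Constructed sample log; 4111 1111 1111 1111 and 5500000000000004 are public test numbers.
SAMPLE_LOG = [
    "2009-09-30 12:00:01 AUTH ok order=20090930000123 amount=45.00",
    "2009-09-30 12:00:02 DEBUG raw request pan=4111 1111 1111 1111 exp=1211",
    "2009-09-30 12:00:03 DEBUG settle file row: 5500000000000004,45.00",
    "2009-09-30 12:00:04 INFO cleanup ran, 1234567890123 rows pruned",
]

if __name__ == "__main__":
    for line_no, masked in scan(SAMPLE_LOG):
        print(f"line {line_no}: cleartext PAN(s) {masked}")
    for line in SAMPLE_LOG:
        print(redact_line(line))
```

The order id on line 1 and the row count on line 4 are both 13 or more digits long but fail the Luhn check, so only lines 2 and 3 are reported; the DEBUG lines are the realistic culprit, since verbose request logging is a common way a PAN ends up stored after authorization without anyone deciding to keep it.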
Non-Compliance Risks: Fines, Fees, Costs, Loss
A non-compliant, compromised business could expect the following:
Damage to brand/reputation
Investigation costs
Increased auditing requirements
Remediation costs
Fines & fees: non-compliance fines (each brand issues separate fines) up to $500,000 per incident
Card re-issuance ($20 - $30/card)
Fraud loss
Victim notification costs
Cost of breach at $300/compromised card*
Financial loss
Data loss
Charge-backs for fraudulent transactions
Operations disruption
Sensitive info disclosure
Denial of service to customers
Individual executives held liable
Possibility of business closure
Printing charges for mail notifications
Decreased sales due to failed public image
*2008 Gartner estimate for data breach remediation for compromised cards
Anatomy of PCI Transactions
Payment Transaction Flow
Example of Payment Industry Ecosystem
Participants: Cardholder (credit cards), Merchants, Acquirer (Merchant Bank), Payment Brand Network, Issuer (Consumer Bank)
Card Processing - Authorization
Parties: Cardholder (CH), Merchant, Acquirer / Merchant Bank (MB), Payment Brand Network (PBN), Issuer / Consumer Bank (CB)
1. CH swipes card at Merchant
2. Merchant connects to MB
3. MB asks processor to determine CH's bank
4. PBN determines CB & requests approval
5. CB approves purchase
6. PBN sends approval to MB
7. MB sends approval to Merchant
8. Merchant gives receipt to CH
Card Processing - Clearing
Parties: Merchant, Acquirer / Merchant Bank (MB), Payment Brand Network (PBN), Issuer / Consumer Bank (CB)
1. MB sends purchase info to PBN
2. PBN sends purchase info to CB
3. CB provides reconciliation to PBN
4. PBN sends reconciliation to MB
Card Processing - Settlement
Parties: Cardholder (CH), Merchant, Acquirer / Merchant Bank (MB), Processor, Issuer / Consumer Bank (CB)
1. CB sends payment to processor
2. Processor's settlement bank sends payment to MB
3. MB pays merchant for CH purchase
4. CB bills CH
PCI Mapping to SonicWALL
Where Does SonicWALL Play?
PCI Mapping By Security Product Line
Rows: PCI DSS Requirements 1 through 12. Columns (SonicWALL product lines): TZ, NSA, E-Class, SSL-VPN, EMS, GMS.
SonicWALL PCI Solution Set
Secure Networking: AV, IDS/IPS; Anti-spyware (N/A - PCI); Wireless Networking; Remote Access (SSL & IPSec)
Secure Content Management: Endpoint (AV); Email Security; Content Security (N/A - PCI)
Business Continuity: Onsite Backup & Recovery; Offsite Storage & Recovery
Policy and Management: Centralized Management; Strong Access Control; Comprehensive Audit Trails; Dynamic Vulnerability Management
Comprehensive PCI DSS Solutions: Small, Medium & Distributed Networks
[Slide diagram of components: Clients; Data Storage; E-mail/IM/P2P; Integrated Business Solutions; POS Solutions; SonicWALL GMS; Devices / Servers; Switches; SonicWALL Firewalls; Remote Clients]
Example of a SonicWALL PCI Deployment
Addressing Retail Concerns … And Protecting Systems
We classify retail into three groups:
Single storefront network: Requires direct connections (via the Internet) to related business services providers such as credit card processing and warehouses.
Centralized multi-storefront network: All ordering/replenishment and tendering of receipts is processed through a central location. The network connections may be a mix of leased line WAN and Internet and may be used by a combination of employees, contractors, and outside vendors.
De-centralized multi-storefront network: Ordering/replenishment and tendering of receipts is managed from multiple locations. A central headquarters maintains visibility into all enterprise activity. The network connections may be a mix of leased line WAN and Internet and may be used by a combination of employees, contractors, and outside vendors.
Typical SonicWALL Quick Service POS Solution
1. Stop network attacks with firewall protection (Req 1)
2. Protect systems with enforced anti-virus protection (Req 5)
3. Secure wireless networking with enhanced security with optional SonicPoints (Req 11)
4. Also deploy hot spot Internet access for patrons
5. Create secure, reliable VPN connections over broadband (Req 4)
6. Control Internet use with content filtering (Req 8)
7. Monitor systems and keep protection up-to-date (Req 2, 5, 6, 10, 11)
PCI Pitch
Steps to Prepare for Compliance
*Report of Compliance (ROC).
Problem - Pain Point - Product
Each row gives the Problem Question, the Pain Point, the SonicWALL Product/Feature and the SonicWALL Benefit.
1. Problem question: How concerned are you about Rogue Access Points (RAP)? Pain point: Finding RAPs connected to the network (Req. 11). Product/feature: SonicOS, SonicPoints and GMS. Benefit: Single appliance option for RAP detection.
2. Problem question: Would you like to throttle unauthorized merchant activity and increase store site productivity? Pain point: Non-business traffic is killing the pipe while legitimate business traffic suffers (Req 2). Product/feature: Application intelligence control. Benefit: Policy-based block/restrict throttles CHD traffic with bandwidth management.
3. Problem question: How difficult do you find it to maintain consistent policy control across your protected CHD environment? Pain point: Maintaining unified policies, controlling access and avoiding orphaned policies and security gaps. Product/feature: GMS – Policy management. Benefit: Easily create security policies and enforce them at the global, group or unit level.
4. Problem question: How are you mitigating your exposure to web-facing vulnerabilities? Pain point: Protect against XSS, CSRF, SQL injection, etc. (Req. 6.6). Product/feature: WAF. Benefit: Integrated WAF protection with DPI.
5. Problem question: How do you limit scope and protect CHD in transit? Pain point: Network segmentation. Product/feature: SonicOS (PortShield, Zones). Benefit: Integrated segmentation of CHD.
How We Help with PCI Compliance
PCI FAQ & Self-Assessment
Business & Technology Focuses: PCI compliance timelines; who has to be PCI compliant; what happens in a failed audit
SonicWALL SAQ
PCI SAQ (A, B, C, D)
PCI Whitepapers
PCI Presentation
Marketing Material
SonicWALL PCI Implementation Guides
Address the most common installation and configuration settings on products
Configurations backed & approved by an independent PCI QSA
Available for GMS, SonicOS Standard and SonicOS Enhanced
PCI & Security Resource Center
Analyst Coverage
Video Testimonials
Datasheets
Customer Case Studies
White Papers
Solutions Briefs
Podcasts
Product Demos & Downloads
Visit www.SonicWALL.com
[Slide graphic: two road signs reading "PCI Road Ahead", a speed limit of 80 on the "With SonicWALL" side and 45 on the "Without SonicWALL" side]
Take the Fast Lane to PCI Compliance
SonicWALL PCI Solutions allow you to accelerate compliance initiatives …
Guess which path most Resellers/End-Users choose…
Design and build a piecemeal security solution…
Deliver solid security solutions that streamline compliance configurations, allow for scalability and are approved by a PCI QSA
Q&A
Thank you
Email questions to PCI@SonicWALL.com