pci compliance: protect your business from data breach - whitepaper


Upload: christian-caracciolo

Post on 29-Nov-2014

DESCRIPTION

Good initial overview of PCI Compliancy.

TRANSCRIPT

Page 1: PCI Compliance: Protect Your Business From Data Breach - Whitepaper


Whitepaper

PCI Compliance: Protect Your Business from Data Breach

The security and safety of personal and financial data is increasingly threatened. Nowhere is that more apparent than in the retail industry, a primary target for cyber criminals.

Retail businesses are particularly vulnerable because of the volume of credit card information, the fact that this information is distributed among many locations, the lengthy amount of time it can take them to detect a breach, and the often inadequate staff and safeguards they have in place.

Some experts forecast that as many as one in six small businesses will be breached.¹ Small businesses are particularly vulnerable; according to Visa, 97% of U.S. events occurred at small merchants, and 91% of those were brick and mortar merchants.²

Larger organizations, too, are vulnerable to the consequences of such a breach. Examples from recent years include Bank of America, Boston Market, Sports Authority, and Forever 21. A particularly devastating case was the breach of TJX Corp., which resulted in the loss of at least 45 million credit card numbers to a single hacker.

Merchants often underestimate the financial impact of a breach, which can be significant. Smaller retailers that suffer a major and widely publicized breach of credit card data may actually find themselves out of business due to costs associated with fees, fines, and remediation, as well as ongoing damage to their brands and reputations.

For example, the average cost of a breach is estimated at $80,000 per location for Level 4 merchants, and can reach into the millions depending on the size of the merchant and the extent of the breach.³ Direct costs include mandatory forensic audits, credit card replacement, fees, fines, and breach remediation to prevent a recurrence.

PCI COMPLIANCE IS ESSENTIAL FOR SECURE TRANSACTIONS AND FINANCIAL STABILITY


Page 2

For these reasons, complying with PCI-DSS (Payment Card Industry Data Security Standard, also known simply as PCI) is much more than just a technical goal for retailers. It is necessary for business stability.

Table 1: Typical Breach/Remediation Timeline

Day 1: Notification of breach
• Stop taking credit cards
• Pay for a forensic audit
• Monitor media/social media

Day 5: Forensic audit complete
• Contact a Qualified Security Assessor (QSA)

Day 7: Obtain proposals for remediation

Day 10 to Day 40-180:
• Execute remediation and compliance plan
• Replace credit cards
• Disclose breach/address brand and media impact

Post breach plus one year: Revenue impact

Breach remediation can take months, as shown in Table 1.

What is PCI-DSS?

PCI was originally created as a joint initiative by Visa, MasterCard, American Express, JCB, and Discover to protect card-holder information and reduce data theft and fraud. The first version was released in December 2004, and it has since undergone two significant updates. The current version, 2.0, was issued in October 2010.

PCI compliance is mandatory for all organizations that accept Visa and MasterCard credit cards. If a retailer is found to be noncompliant, it could incur significant fines and be restricted from accepting credit cards until compliance is achieved.

While no standard can guarantee 100% prevention of a major credit card data breach, PCI compliance can significantly reduce the probability of such an event. Being PCI compliant means that merchants are pursuing established best practices specifically designed to protect sensitive credit card data from unauthorized access, which is critical both for themselves and their customers.

Page 3

What is required for PCI compliance?

All members of the PCI payment card network, including merchants and service providers, must comply with 12 different requirements organized into six core categories:

PCI DSS Requirements

Build and Maintain a Secure Network
1. Install and maintain a firewall configured to protect card-holder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Card-holder Data
3. Protect stored card-holder data.
4. Encrypt transmission of card-holder data across open, public networks.

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs.
6. Develop and maintain secure systems and applications.

Implement Strong Access Control Measures
7. Restrict access to card-holder data within the organization on the basis of business need-to-know.
8. Assign a unique identifier to each employee with computer access.
9. Restrict physical access to card-holder data.

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and card-holder data.
11. Regularly test security systems and processes.

Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all employees.

Source: PCI DSS Requirements and Security Assessment Procedures, Version 2.0, https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf

Most retailers are aware of the importance of PCI compliance, but many lack the essential safeguards required to fully achieve it.

For example, when retailers who accept credit cards are asked the following questions, frequently at least one answer is “no,” indicating that they are not compliant:

• Can you demonstrate that all of your cashiers have been trained upon hire with a PCI-certified training program, and does that training recur every year?

• Can you demonstrate that all of your employees have read and signed an employee awareness security policy?

• Can you demonstrate that all members of your team or your approved vendors are using a secure virtual private network with two-factor authentication to access applications or systems behind your firewall?

Page 4

PCI compliance is not a one-time achievement, but is validated on an ongoing basis. The terms of validation vary based on the total number of annual credit card transactions that merchants generate each year, and are organized into four levels:

Level 1: Any merchant processing more than 6 million transactions per year
On-Site Security Audit: Required Annually
External Vulnerability Scan: Required Quarterly

Level 2: Any merchant processing 1 to 6 million transactions per year
Self-Assessment Questionnaire: Required Annually
External Vulnerability Scan: Required Quarterly

Level 3: Any merchant processing 20,000 to 1 million transactions per year
Self-Assessment Questionnaire: Required Annually
External Vulnerability Scan: Required Quarterly

Level 4: All other merchants, not in Levels 1, 2 or 3
Self-Assessment Questionnaire: Required Annually
External Vulnerability Scan: Required Quarterly

As this chart shows, merchant validation requirements fall into three groups:

On-Site Security Audit: Required for Level 1 merchants, this is also known as a Report on Compliance (ROC) and must be completed by a PCI-certified Qualified Security Assessor (QSA).

Annual Self-Assessment Questionnaire: In lieu of a ROC, Level 2-4 merchants must complete one of six Self-Assessment Questionnaires (SAQ) to document PCI compliance status. This must recur annually to identify compliance shortfalls.

Quarterly External Vulnerability Scans: All merchants are required to have external network scans performed by a PCI-certified Authorized Scanning Vendor (ASV). Scan requirements are rigorous: all 65,000 ports must be scanned, vulnerabilities detected, “high” severity-level vulnerabilities remediated, and two key reports completed and filed with the bank card processor.

Page 5

PCI Compliance Solutions from EarthLink Business

PCI is a complex set of standards, but is critical to financial stability for any size merchant that accepts credit cards. EarthLink Business offers a full range of services to support merchants on the path to PCI compliance.

This includes EarthLink’s PCI Compliance Solutions services, which provide Level 2-4 merchants with $100,000 in breach protection⁴ per location, subject to per-occurrence and yearly aggregate limits of $500,000, to cover eligible expenses, as well as tools to validate PCI compliance. Through an easy-to-use web-based portal, merchants can conduct quarterly Authorized Scan Vendor (ASV) scans, Self-Assessment Questionnaires (SAQ), and training, and have access to a security policy and online knowledge base.

EarthLink also provides secure MPLS WAN, secure Point of Sale (POS) transport, managed security and other services to address gaps.

Proactively protect your business from breach

It’s advisable to be proactive in protecting your business and customers from credit card data breach; once a breach occurs, much of the damage will have already been done. If you are a Level 2-4 merchant, follow these key steps to start on the path toward compliance:

Financially Protect Yourself from a Breach: Consider acquiring breach protection for each of your site locations to help cover costs of a forensic audit, fees, fines and credit card replacement in the event of a breach.

Validate PCI Compliance: Select and complete the Self-Assessment Questionnaire (SAQ) based on your environment. Select an Authorized Security Vendor and complete the External Vulnerability Scan. Document the process and file the necessary reports.

Achieve PCI Compliance: Requirements will vary depending on your environment, but basic requirements include: implementing a fully managed, stateful inspection firewall; installing layered, dynamic security with unified threat management; implementing secure remote access with two-factor authentication; educating staff; and implementing and managing a security policy.

Maintain Compliance: Manage and maintain PCI compliance within your organization. This includes conducting regular employee training, documenting and following security policies, and conducting regular assessments and scans to identify and remediate gaps.

Page 6

SUMMARY

Retail business success depends upon secure credit card transactions and the protection of sensitive customer data.

Unfortunately, the odds of a security breach grow every year, as hackers, criminal organizations, and malware all grow more sophisticated and aggressive. If a breach occurs and results in the loss of sensitive credit card information, the consequences could be very serious from fiscal, legal, and/or public relations standpoints.

Compliance with the PCI-DSS, an end-to-end standard addressing both technology and business processes, is essential to make such breaches far less likely. It’s also legally required for all retailers that take Visa or MasterCard.

PCI-DSS is a complex standard, however, and one that requires ongoing validation to remain in compliance. Many organizations will find that by collaborating with a trusted partner, achieving and maintaining PCI compliance can be both simplified and accelerated. EarthLink Business delivers the tools, experience, and service to help retailers achieve, maintain, and validate PCI-DSS compliance requirements.

To learn more about how EarthLink can help your organization:

Email: [email protected]

Call: 1-877-355-1501

Visit: www.earthlinkbusiness.com

Notes:

1. PCI Standards Council Annual Meeting 2011, QSA/ASV General Session, 9/20/11 – IC3 Executive.

2. Visa Data Security & Authentication Symposium: Securing Your Business Growth, 6/6/12, http://usa.visa.com/download/merchants/symposium-website-2012.pdf.

3. PCI Standards Council, QSA summary report, 3/12/12.

4. The PCI Compliance Solution Services are provided and serviced by ANXeBusiness Corp. and offered through EarthLink Business, and are subject to the terms and conditions found at http://www.earthlinkbusiness.com/about-us/legal/terms.xea. All Data Breach Protection Service reimbursements are limited to: $100,000.00 a year for each qualifying location, not to exceed $500,000.00 per occurrence for customers with multiple locations, and an aggregate maximum of $500,000.00 per customer. Use of the PCI Compliance Validation Service does not guarantee that a data breach will not occur and alone cannot prevent losses. EarthLink Business makes no representations as to whether the Data Breach Protection Service will apply to or cover a particular claim or loss. The material in this document (or on this site) is intended for informational purposes only, not as professional advice, and is provided on an “AS IS” basis. EARTHLINK BUSINESS DISCLAIMS ALL WARRANTIES OR CONDITIONS, EXPRESS OR IMPLIED, RELATING TO THE PCI COMPLIANCE SOLUTION SERVICES, INCLUDING, WITHOUT LIMITATION, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND THE ACCURACY AND COMPLETENESS OF ASSOCIATED INFORMATIONAL CONTENT AND WILL NOT BE LIABLE FOR LOSSES, COSTS OR DAMAGES ARISING FROM THE PCI COMPLIANCE SOLUTION SERVICES OR ANY ASSOCIATED INFORMATIONAL CONTENT.

© 2013 EarthLink, Inc. Trademarks are property of their respective owners. All rights reserved. 1078-07155.