Payment Card Industry Data Security Standards

1. Payment Card Industry Data Security Standards • The Card Associations are concerned about cardholder information getting into the wrong hands for illegal use. Therefore, the Card Associations have adopted the PCI Standards to better secure cardholder information.

2. What is PCI & PCIDSS • Payment Card Industry (PCI) • Data Security Standard (DSS) so (PCIDSS) • PCIDSS was developed jointly by all the credit card brands (Amex, DC, JCB, MC and Visa) to protect the merchants business, their customers (cardholders), and the integrity of the payment system from the rising incidences of stolen cardholder account data.

3. Why is PCI compliance important? PCI helps protect the merchant business from: • fraud • substantial fines from the card associations • customer dissatisfaction and distrust if their cardholder data is compromised and misused as result of the merchants business being compromised. The credit card brands have made PCI compliance mandatory for merchants.

4. How Could Cardholder Information be Compromised? • Hackers could illegally access a merchant’s POS System. • Employees could be conned into revealing passwords, logons, or other sensitive data. • Credit card data such as reports or receipts could be thrown in the trash by merchants and retrieved by anyone digging through the dumpster.

5. Who Must Comply with the PCI Data Security Standards? • All merchants who accept credit and debit cards. • All credit card processors, issuers and acquirers (such as Heartland), third party processors, and gateways. • Developers and software providers.

6. PCI Data Security Standards Defined by the Card Associations Require Merchants to: Build and maintain a secure network. Protect cardholder data. Maintain a Vulnerability Management Program. Implement strong access control measures. Regularly monitor and test networks. Maintain an information security policy.

7. 1. Build and Maintain a Secure Network • Merchants using the Internet for transmitting credit/debit card information, must install and maintain a firewall. Internet firewall security needs to be installed and functional on all computers and POS Systems using IP connectivity. POS systems with a dial connection to the Internet are required to comply with this standard as well.

8. 2. Protect Cardholder Data • Merchants Must Use Passwords and Other Security Measures • Merchants must implement personalized logons and passwords for all users of computers and POS systems to limit access to cardholder information.

9. 3. Maintain a Vulnerability Management Program to Protect Stored Data. • Hard copies of batch reports and paper receipts must be placed in a secured area where only authorized personnel can enter. • Unneeded reports and receipts must be shredded before disposal. • Databases and files containing credit/debit card information must be encrypted. • Encryption software is required for POS systems using internet connectivity for transmission of cardholder information.

10. 4. Install Antivirus Software. • Merchants must install and maintain updated antivirus software on their computers and POS Systems.

11. 5. Regularly Monitor and Test Networks. • Merchants must track and monitor all access to network resources. • Merchants must show proof that they track and monitor who has access to their computers and POS systems.

12. 6. Maintain an Information Security Policy. • Merchants must have a written and enforceable policy that details safeguarding of credit/debit card information

13. Merchant Levels of Compliance • Levels of PCI Security compliance are based on size, type of business and the number of transactions per year. • Compliance requirements are based on 4 levels. Must comply & pass third party audits Level 1 – Any merchant-regardless of acceptance channel-processing over 6,000,000 Visa transaction per year. Any merchant that has suffered a hack or an attack that resulted in an account data compromise. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system Any merchant identified by any other payment card brand as level 1. Level 2 –Any merchant-regardless of acceptance channel-processing 1,000,000 to 6,000,000 Visa transactions per year. eCommerce merchants (1m trans/yr – 6M trans/yr)

14. Merchant Levels of Compliance • Levels of PCI Security compliance are based on size, type of business and the number of transactions per year. • Compliance requirements are based on 4 levels. Required to comply Level 3 – Any Merchant processing 20,000 to 1,000,000 Visa e-commerce transaction per year. Level 4 –All other merchants-regardless of acceptance channel-processing up to 1,000,000 Visa transactions per year. And all merchant processing fewer than 20,000 Visa e-commerce transactions per year,

15. Level 1 – Large Retail Merchants • Level 1 merchants must undergo annual on-site audits by certified auditors. • Level 1 merchants must incur the cost of quarterly scans of their Internet facing systems for vulnerabilities from viruses and hackers. • Adhering to the PCI standards can cost Level 1 merchants hundreds of thousands of dollars per year to ensure compliance. Level of compliance is determined by merchant’s size Large Retail Merchants (Wal-Mart, Target, etc) All merchants (regardless of size) are subject to annual audits and quarterly scans if they have a compromised data situation.

16. Level 1 – Large Retail Merchants

17. Level 2 - Mid/Large Merchants • Level 2 and 3 merchants must undergo annual self-assessments (no outside validation required). • Level 2 and 3 merchants must undergo quarterly scans of their Internet facing systems for vulnerabilities from viruses and hackers. • Internet facing system scans can generally cost $1,000 to $3,000 dollars.

18. Level 2 - Mid/Large Merchants

19. Level 3 – Mid/Low Merchants • Level 2 and 3 merchants must undergo annual self-assessments (no outside validation required). • Level 2 and 3 merchants must undergo quarterly scans of their Internet facing systems for vulnerabilities from viruses and hackers. • Internet facing system scans can generally cost $1,000 to $3,000 dollars.

20. Level 3 – Mid/Low Merchants

21. Level 4 - Small Merchants • PCI standards recommend Level 4 merchants undergo annual self-assessment (no outside validation required). • The standards also recommend the merchant conduct quarterly scans of their Internet facing systems for vulnerabilities from viruses and hackers. • These are only “recommendations” for security practices.

22. Level 4* - Small Merchants *The PCI DDS requires that all merchants perform external network scanning to achieve compliance. Acquirers may require submission of scan reports and/or questionnaires by level 4 merchants.

23. POS Software Developers must be PABP Compliant • POS system software should only extract and store the cardholder number, expiration date, and cardholder name from the magnetic stripe. • The POS software must encrypt all cardholder information. • The POS software must truncate the cardholder number on receipts, reports and display screens. • The POS software must encrypt all Internet transactions, generally done by SSL (Secure Socket Layer) encryption. Merchant’s software can never store the CVV data

24. POS Software Developers must be PABP Compliant • POS • CCV Card Code is never allowed to be stored

25. How do you know which POS Software Complies with PABP Standards? • Merchants must contact their VAR/dealer or software developer to determine if their POS System software is PABP compliant.

26. Why Should Merchants Comply with PCI Standards? • To protect their business reputation. • To protect their customer’s card information. • To limit their risk of being fined and forced to undergo forensics (Visa/MasterCard on-site audit to determine the cause of the compromise) which can cost tens of thousands of dollars and put them out of business.

27. First Violation Second Violation Third Violation $50,000 $100,000 Management discretion Potential Cost to a Merchant for a Compromise • If security is compromised, regardless of the merchant’s tier level, they will be required to undergo an on-site security audit. • Merchants will be fined and assessed all costs and expenses related to the forensic investigation. They must pay a consultant to conduct the audit. The merchant must pass the audit and continue to do audits on an annual basis. Failure to notify Visa of a suspected or confirmed loss or theft of credit card data is subject to a fine of $100,000 per incident. • Costs of forensic investigations begin at $50,000 and could be as high as $100,000 per investigation. • Costs of audits can range from $15,000 - $20,000 per audit.

28. Summary of Steps to Compliance • PCI standards apply to all credit and debit cards. • Every merchant is mandated by the Card Associations to comply. • The six basic standards are as follows: • Build and Maintain a Secure Network • Protect Cardholder Data • Maintain a Vulnerability Management Program • Implement Strong Access Control Measures • Regularly Monitor and Test Networks • Maintain an Information Security Policy • The fines, investigations and audits for certification and compromises can be expensive.

29. Visa Alerts 10:54:07 by David Press • News Green Sheet Magazine • “Visa alerts restaurants to lax POS installation a spike in data security compromises at restaurants prompted Visa U.S.A. to issue a data security alert in July. It emphasized the proper installation and use of POS equipment and systems. The card association also issued a reminder of ways merchants can protect themselves against lapses.”

30. Visa alerts • Visa alerts restaurants to lax POS installation Visa's recommended mitigation strategy "If there is one theme that is most helpful to the merchant and ISO community, it is to make sure your payment applications are not inadvertently storing track data.“ – Martin Elliott, Visa's Vice President for Emerging Risk

31. Credit Firms Push to Thwart Fraud Merchants Face a Penalty If Steps Aren't Taken to Curb Identity Theft; Visa Misses Own Security Deadline By ROBIN SIDEL, Wall Street JournalSeptember 25, 2006; Page C1 . Credit Firms Push to Thwart Fraud • MasterCard Inc. and Visa USA Inc. are clamping down on merchants that flout rules aimed at protecting card transactions from fraudsters.

32. An article appeared in the September 25th edition of the Wall Street Journal • “The Journal article begins “MasterCard Inc. and Visa USA Inc. are clamping down on merchants that flout rules aimed at protecting card transactions from fraudsters. In recent weeks, MasterCard has imposed fines on merchants that haven't met its requirements to keep transactions secure. Saturday, Visa will take aim at the nation's largest merchants with fines that start at $10,000 a month and can rise to $100,000 a month.”

33. An article appeared in the September 25th edition of the Wall Street Journal The article goes on to describe the various issues the credit card industry faces regarding data security and how it plans to deal with them in the coming months and years. The fact is that although the credit card companies are starting their efforts to enforce PCIDSS standards with the big retailers, it is the small and mid sized businesses like yours that are the easiest and most lucrative targets for cyber criminals.

34. An article appeared in the September 25th edition of the Wall Street Journal • For example, restaurants from coast to coast have already had to pay fines ranging from $5,000 to $350,000. In addition, they faced the immediate loss of their ability to accept credit cards and had to pay for initial and ongoing security audits that cost thousands more.”

35. Compromise Statistics: Industry Cases By Industry SpiderLabs data is gathered from more than 140 card compromise cases. Food Service Industry represents the majority of the compromises.

36. Compromise Statistics: Acceptance Cases by Card Acceptance About 4 out of every 5 cases is a traditional Brick and Mortar environment. Card Present Merchants are not aware of these risks!

37. Compromise Statistics: System Type Cases By System Type Majority of the cases involved a compromise of a Software based POS system. None of these systems were Visa PABP or PCI DSS compliant.

38. Compromise Statistics: Connectivity Cases By Connectivity All Internet connectivity should be considered high risk. SpiderLabs has tracked a trend in migration from T1 and Dial-Up to DSL/Cable.

39. Compromise Statistics: Error Merchant Error vs. 3rd Party Error Half of the compromises were caused by a fault in the service provided by a 3rd party to a Merchant. POS Developers, Integrators, IT Firms are not following PCI DSS and leaving Merchants at Risk!

40. Compromise Statistics: Track Data Brick and Mortar Cases w/ Track Data Storage Track Data storage is never permitted in any environment post authorization. Non-Compliant software packages are storing Track Data and the Merchants did not know until it was too late!

41. Compromise Statistics: PCI DSS Violations Most Common “Not In-Place” Requirement 1:Install and maintain a firewall to protect data Requirement 3:Protect stored data Requirement 6:Develop and maintain secure systems and applications Requirement 8:Assign a unique ID to each person with computer access Requirement 10:Track and monitor all access to network and card data Requirement 11:Regularly test security systems and processes

42. Compromise Statistics: SpiderLabs Top 10 Top 10 Reasons/Methods of Compromise • Backdoor / Trojan • No Firewall • SQL Injection • Internal Theft • Remote Access • FTP Access to Data • Remote Exploit • Remote Buffer Overflow • Login Credential Leak • Password Brute Force

43. Compromise Statistics: Riskiest Merchant Profile of the Merchant w/ Greatest Compromise Potential Industry:Food Service Payment Acceptance:Card Present System Type:Non-Compliant Software POS Connectivity:DSL or Cable Modem

44. Websites • http://www.usa.visa.com/business/accepting_visa/ops_risk_management/cisp_merchants.html • https://www.pcisecuritystandards.org/tech/supporting_documents.htm • https://www.pcisecuritystandards.org/index.htm