The State of Security and Compliance for
E-Commerce and Retail
• Current state of security
• PCI regulations and compliance
• Does the data you hold require PCI compliance?
• Security and safeguarding against a breach
• Implementing a framework for security
• $100 gift card drawing
Presented by:
Who Are We
Headquartered in Colorado
Hybrid IT provider
Offers a comprehensive suite of world-class data centers and an IaaS portfolio of colocation, cloud, managed services, and security and compliance, all wrapped with a customer-centered support experience
Expanding footprint with 178,000 square feet of data center capacity in 2015:
• 138,000 – Oregon
• 40,000 – Calgary, Alberta
Centered Around You
29 data centers in 8 regions
Industry Leading PUE
760,000+ sf. of raised floor
120 MW power capacity
29 unique telecommunication carriers
18 geographically diverse mirrored operations centers
100% uptime commitment on power and network
100% SLA and satisfaction guarantee
Your Trusted Business Partner
About AppliedTrust
Founded in 2001 by Ned McClain and Trent R. Hein
Headquartered in Boulder, Colorado
Leader in Secure DevOps, specializing in the areas of IT infrastructure, security, open source, performance, and high availability
Authors of the best-selling Unix Administration Handbook and Linux Administration Handbook series (translated into more than 20 languages)
Certified expertise, including CCIE, CISA, CISSP, CSSLP, GCFA, ITIL, MCITP, MCP, MCSE, PCI QSA, SCADA, RHCT
Vendor and technology neutral
Serves large and small clients in a variety of industries, including hospitality, healthcare, financial services, recreation, and government
Point of Sale Attacks - More Than Just Retail's Problem
In 2014, the most frequently reported type of data
breach was Point of Sale (POS) system attacks,
representing 28.5% of all breaches.
*POS attacks accounted for:
91% of accommodation industry breaches
73% of entertainment industry breaches
70% of retail industry breaches
12% of healthcare industry breaches
Who is Targeting the Industry and How?
Malware vs. physical security
Where are you Keeping Sensitive Data?
Sensitive cardholder data can be stolen from:
• Compromised card readers
• Paper stored in a filing cabinet
• Data in a payment system database
• Hidden camera recording entry of authentication data
Points of Sensitivity
Insiders are still a threat. The number of
incidents involving insiders remain quite
stable over time; 10.6% of all reported
incidents in 2014 were related to
insiders.*
A Company’s Responsibility
The company must protect cardholder data through the entire payment process, which includes:
• Card readers and point of sale systems
• Networks and wireless access routers
• Payment card data storage and transmission
• Payment card data stored in paper-based records
What Would a Breach Cost You?
Cost of:
• Fines and penalties (fines for breaches resulting from non-compliance range from $5,000 to $125,000 per month until all compliance issues are addressed; even if fully compliant, companies can be fined $50-$90 per compromised cardholder record)
• Business interruptions
• Investigations
• Legal settlements
• Stricter compliance
• Customer notifications
Loss of:
• Privilege to accept payment cards
• Customer and public confidence
PCI DSS
To reduce crime, the credit card companies have created the Payment Card Industry Data Security Standard (PCI DSS).
• All credit card brands enforce PCI DSS
• All merchants, including the company, must meet PCI DSS
• Company policies are written and reviewed to be compliant with PCI requirements
PCI touches all aspects of how a credit card is:
• Handled
• Processed
• Transmitted
• Stored
Staff impacted
• Front desk / Point of Sale
• Business Managers
• Financial Administrators
• IT support
• Temp or contract staff
• Vendors / Service Providers
Job duties impacted
• Business practices and procedures
• Accessing and managing software
• Setting up and managing computer networks
• Document storage and shredding procedures
• Policies and the annual training and awareness program
• Vendor support and contracts
• Annual assessments
Now It’s Your Job To…
1. Protect Card Information
Handle, process, transmit, and store card information securely and confidentially
2. Comply with Security Policies
• Review policies upon hire and annually thereafter
• Confirm in writing that you received training
• Perform your job
PCI DSS v2.0 vs. PCI DSS v3.0
• V3.0 primarily added many new points of additional guidance and clarification within existing requirements.
• V3.0 also added 19 new requirements, most notably:
• Requirement (11.3.4) to verify methods used to segment the cardholder data environment (CDE) from other areas.
• Requirement (2.4) to maintain an inventory of system components in scope for PCI DSS.
• Requirements (12.8.5, 12.9) for explicit documentation about which PCI DSS requirements are managed by vendors vs. which are
More Requirement Changes
• Requirement (5.1.2) to "identify and evaluate evolving malware threats" for "systems considered to be not commonly affected by malicious software."
• Requirements (9.3, 9.9) that merchants control physical access for on-site personnel; that access be authorized and based on individual job function; that access be revoked immediately upon termination; and that merchants "protect devices that capture payment card data … from tampering and substitution."
For a detailed summary of all changes:
VISA Merchant Tiers & Requirements for Audit
Level/Tier, merchant criteria, and validation requirements:

Level 1
Merchant criteria: merchants processing more than 6M Visa transactions annually (all channels), or global merchants identified as Level 1 by any Visa region
Validation requirements:
• Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA), or by an Internal Auditor if signed by an officer of the company (the internal auditor is highly recommended to obtain the PCI SSC Internal Security Assessor (ISA) certification)
• Quarterly network scan by an Approved Scanning Vendor (ASV)
• Attestation of Compliance form

Level 2
Merchant criteria: merchants processing 1M to 6M Visa transactions annually (all channels)
Validation requirements:
• Annual Self-Assessment Questionnaire (SAQ)
• Quarterly network scan by ASV
• Attestation of Compliance form

Level 3
Merchant criteria: merchants processing 20K to 1M Visa e-commerce transactions annually
Validation requirements:
• Annual SAQ
• Quarterly network scan by ASV
• Attestation of Compliance form

Level 4
Merchant criteria: merchants processing fewer than 20K Visa e-commerce transactions annually, and all other merchants processing up to 1 million Visa transactions annually
Validation requirements:
• Annual SAQ recommended
• Quarterly network scan by ASV if applicable
Cardholder Data Storage Rules
Data element and its storage rules:

Cardholder data
• Primary Account Number (PAN): the full 16 digits may never be stored electronically, per company policy. The last 4 digits may be stored electronically. The full 16 digits may be stored on paper, but only when absolutely necessary, and must then be protected as per PCI.
• Cardholder name: yes, may be stored on paper or electronically; must be protected as per PCI if stored in conjunction with the PAN.
• Service code: yes, may be stored on paper or electronically; must be protected as per PCI if stored in conjunction with the PAN.
• Expiration date: yes, may be stored on paper or electronically; must be protected as per PCI if stored in conjunction with the PAN.

Sensitive authentication data
• Full magnetic stripe: never
• CVC2/CVV2/CID: never
Tips to Avoid the Storage Rules
The best step you can take is to not store any cardholder data.
• Just use the last 4 digits
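As an added illustration of the storage rules above (example code written for this page, not part of the original deck or of any vendor's product): a small Python sanitizer that keeps only the last 4 digits of the PAN and drops CVV2 and track data before a record is written, plus a Luhn-filtered scanner for finding full PANs that have leaked into log lines. The sample record and the field names are constructed; the PAN used is the well-known 4111 1111 1111 1111 Visa test number, not real card data.

```python
import re

# Constructed sample record, as a checkout form might submit it (test PAN only).
SAMPLE_RECORD = {
    "pan": "4111 1111 1111 1111",
    "cardholder_name": "Test Cardholder",
    "expiration": "12/27",
    "service_code": "201",
    "cvv2": "123",
    "track2": ";4111111111111111=27121010000000000000?",
}

# Sensitive authentication data: the storage table marks these "Never".
NEVER_STORE = {"cvv2", "cvc2", "cid", "track1", "track2", "magstripe", "pin"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; separates a real-looking PAN from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def sanitize_for_storage(record: dict) -> dict:
    """Enforce the storage rules: only the last 4 PAN digits, no SAD at all."""
    out = {}
    for key, value in record.items():
        k = key.lower()
        if k in NEVER_STORE:
            continue                # CVC2/CVV2/CID, full stripe: never stored
        if k == "pan":
            digits = re.sub(r"\D", "", value)
            out["pan_last4"] = digits[-4:]   # last 4 digits only
            continue
        out[key] = value            # name, expiry, service code may be kept
    return out


# 13-19 digits, optionally separated by spaces or dashes, not inside a longer run.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> list:
    """Return Luhn-valid PANs found in free text, e.g. a POS or web log line."""
    hits = []
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits
```

Running find_pans over application and POS logs is a cheap way to catch the "we don't store PANs" assumption being broken by debug logging; the Luhn filter keeps order numbers and timestamps out of the hits.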
How We Can Help
We help mitigate customers' risk across the entire cyber security risk program lifecycle. We accomplish this by providing technology, products, solutions, managed services and advisory services within a secure infrastructure.
PCI DSS Gap Assessment / Penetration Testing /
Report on Compliance / Compliance Assistance
• PCI DSS gap analysis includes collecting and evaluating evidence of control design effectiveness in meeting the PCI DSS and documenting any compliance gaps. This includes:
• Reviewing the cardholder environment to validate test samples, including all systems that collect, store, process, and transmit cardholder data.
• Reviewing each PCI DSS requirement for relevance through interviews and observations.
• Penetration testing includes network- and application-layer penetration tests designed to meet PCI DSS Requirement 11.3.
• Report on Compliance (ROC) includes reviewing the current state of the client environment for PCI DSS compliance per the controls delineated in the standard, and providing a ROC as outlined by the PCI Security Standards Council.
Take Away
Start with a third-party risk assessment of the whole organization
• Segment your credit card data
• Tokenize and encrypt
• Secure wireless data
• Patch and update anti-virus
• Strict access by role and necessity
If today’s webinar brought up questions on your network’s security we are here to help!