Whitepaper

PCI Compliance: Protect Your Business from Data Breach

PCI COMPLIANCE IS ESSENTIAL FOR SECURE TRANSACTIONS AND FINANCIAL STABILITY

The security and safety of personal and financial data is increasingly threatened. Nowhere is that more apparent than in the retail industry—a primary target for cyber criminals.

Retail businesses are particularly vulnerable because of the volume of credit card information, the fact that this information is distributed among many locations, the lengthy amount of time it can take them to detect a breach, and the often inadequate staff and safeguards they have in place.

Some experts forecast that as many as one in six small businesses will be breached.[1] Small businesses are particularly vulnerable; according to Visa, 97% of U.S. events occurred at small merchants, and 91% of those were brick and mortar merchants.[2]

Larger organizations, too, are vulnerable to the consequences of such a breach. Examples from recent years include Bank of America, Boston Market, Sports Authority, and Forever 21. A particularly devastating case was the breach of TJX Corp., which resulted in the loss of at least 45 million credit card numbers to a single hacker.

Merchants often underestimate the financial impact of a breach, which can be significant. Smaller retailers that suffer a major and widely publicized breach of credit card data may actually find themselves out of business due to costs associated with fees, fines, and remediation, as well as ongoing damage to their brands and reputations.

For example, the average cost of a breach is estimated at $80,000 per location for Level 4 merchants, and can reach into the millions depending on the size of the merchant and the extent of the breach.[3] Direct costs include mandatory forensic audits, credit card replacement, fees, fines, and breach remediation to prevent a recurrence.
Breach remediation can take months, as shown in Table 1.

Table 1: Typical Breach/Remediation Timeline

Day 1
• Notification of breach
• Stop taking credit cards
• Pay for a forensic audit
• Monitor media/social media

Day 5
• Forensic audit complete
• Contact a Qualified Security Assessor (QSA)

Day 7
• Obtain proposals for remediation

Day 10 to Day 40-180
• Execute remediation and compliance plan
• Replace credit cards
• Disclose breach/address brand and media impact

Post breach plus one year
• Revenue impact

For these reasons, complying with PCI-DSS (Payment Card Industry Data Security Standard, also known simply as PCI) is much more than just a technical goal for retailers. It is necessary for business stability.

What is PCI-DSS?

PCI was originally created as a joint initiative by Visa, MasterCard, American Express, JCB, and Discover to protect card-holder information and reduce data theft and fraud. The first version was released in December 2004, and it has since then undergone two significant updates. The current version, 2.0, was issued in October 2010.

PCI compliance is mandatory for all organizations that accept Visa and MasterCard credit cards. If a retailer is found to be noncompliant, it could incur significant fines and be restricted from accepting credit cards until compliance is achieved.

While no standard can guarantee 100% prevention of a major credit card data breach, PCI compliance can significantly reduce the probability of such an event. Being PCI compliant means that merchants are pursuing established best practices specifically designed to protect sensitive credit card data from unauthorized access—critical both for themselves and their customers.
What is required for PCI compliance?

All members of the PCI payment card network, including merchants and service providers, must comply with 12 different requirements organized into six core categories:

PCI DSS Requirements

Build and Maintain a Secure Network
1. Install and maintain a firewall configured to protect card-holder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Card-holder Data
3. Protect stored card-holder data.
4. Encrypt transmission of card-holder data across open, public networks.

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs.
6. Develop and maintain secure systems and applications.

Implement Strong Access Control Measures
7. Restrict access to card-holder data within the organization on the basis of business need-to-know.
8. Assign a unique identifier to each employee with computer access.
9. Restrict physical access to card-holder data.

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and card-holder data.
11. Regularly test security systems and processes.

Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all employees.

Source: PCI DSS Requirements and Security Assessment Procedures, Version 2.0, https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf

Most retailers are aware of the importance of PCI compliance, but many lack the essential safeguards required to fully achieve it.

For example, when retailers who accept credit cards are asked the following questions, frequently at least one answer is “no,” indicating that they are not compliant:

• Can you demonstrate that all of your cashiers have been trained upon hire with a PCI-certified training program, and does that training recur every year?
• Can you demonstrate that all of your employees have read and signed an employee awareness security policy?
• Can you demonstrate that all members of your team or your approved vendors are using a secure virtual private network with two-factor authentication to access applications or systems behind your firewall?
PCI compliance is not a one-time achievement, but is validated on an ongoing basis. The terms of validation vary based on the total number of annual credit card transactions that merchants generate each year, and are organized into four levels:

Level  Criteria                                                               On-Site Security Audit  Self-Assessment Questionnaire  External Vulnerability Scan
1      Any merchant processing more than 6 million transactions per year      Required Annually       -                              Required Quarterly
2      Any merchant processing 1 to 6 million transactions per year           -                       Required Annually              Required Quarterly
3      Any merchant processing 20,000 to 1 million transactions per year      -                       Required Annually              Required Quarterly
4      All other merchants, not in Levels 1, 2 or 3                           -                       Required Annually              Required Quarterly

As this chart shows, merchant validation requirements fall into three groups:

On-Site Security Audit: Required for Level 1 merchants, this is also known as a Report on Compliance (ROC) and must be completed by a PCI-certified Qualified Security Assessor (QSA).

Annual Self-Assessment Questionnaire: In lieu of a ROC, Level 2-4 merchants must complete one of six Self-Assessment Questionnaires (SAQ) to document PCI compliance status. This must recur annually to identify compliance shortfalls.

Quarterly External Vulnerability Scans: All merchants are required to have external network scans performed by a PCI-certified Authorized-Scanning Vendor (ASV). Scan requirements are rigorous: all 65,000 ports must be scanned, vulnerabilities detected, “high” severity-level vulnerabilities must be remediated, and two key reports completed and filed with the bank card processor.
Proactively protect your business from breach

It’s advisable to be proactive in protecting your business and customers from credit card data breach; once a breach occurs, much of the damage will have already been done. If you are a Level 2-4 merchant, follow these key steps to start on the path toward compliance:

Financially Protect Yourself from a Breach: Consider acquiring breach protection for each of your site locations to help cover costs of a forensic audit, fees, fines and credit card replacement in the event of a breach.

Validate PCI Compliance: Select and complete the Self-Assessment Questionnaire (SAQ) based on your environment. Select an Authorized Security Vendor and complete the External Vulnerability Scan. Document the process and file the necessary reports.

Achieve PCI Compliance: Requirements will vary depending on your environment, but basic requirements include: implementing a fully managed, stateful inspection firewall; installing layered, dynamic security with unified threat management; implementing secure remote access with two-factor authentication; educating staff; and implementing and managing a security policy.

Maintain Compliance: Manage and maintain PCI compliance within your organization. This includes conducting regular employee training, documenting and following security policies, and conducting regular assessments and scans to identify and remediate gaps.

PCI Compliance Solutions from EarthLink Business

PCI is a complex set of standards, but is critical to financial stability for any size merchant that accepts credit cards. EarthLink Business offers a full range of services to support merchants on the path to PCI compliance.

This includes EarthLink’s PCI Compliance Solutions services, which provide Level 2-4 merchants with $100,000 in breach protection[4] per location subject to per occurrence and yearly aggregate limits of $500,000 to cover eligible expense, as well as tools to validate PCI compliance. Through an easy-to-use web-based portal, merchants can conduct quarterly Authorized Scan Vendor (ASV) scans, Self-Assessment Questionnaires (SAQ), and training, and have access to a security policy and online knowledge base.

EarthLink also provides secure MPLS WAN, secure Point of Sale (POS) transport, managed security and other services to address gaps.