Don't Handle Sensitive Data. Create A Tokenization Layer Around Your Enterprise.
    1. Create a Tokenization Layer Around Your Enterprise – Don’t Handle Sensitive Data. Length: 60 minutes. Presenter: Stewart Comrie. Integrated and Secure Payment Processing.
    2. SPEAKER: Stewart Comrie, VP Strategic Products, Paymetric, Inc. Trusted Solutions. Securely Integrated.
    3. AGENDA
       • ABOUT PAYMETRIC
       • UNDERSTANDING PCI AND THE SAQs
       • DATA INTERCEPT SOLUTIONS
       • DISCUSSION ABOUT PCI CHALLENGES
       • Q&A
    4. ABOUT PAYMETRIC: Paymetric is the leading provider of integrated and secure payment processing and tokenization solutions that enable companies to streamline the order-to-cash process, reduce the scope and financial burden of achieving PCI compliance, and improve return on electronic payment acceptance.
       • Founded in 1998
       • 75 employees
       • Privately held (Austin Ventures and Palomar portfolio company)
       • 450+ enterprise customers
    5. AWARD-WINNING COMPANY: 2011 TAG Top 40 Technology Companies in Georgia; Global Excellence, Management Team of the Year; 2010 TAG Top 40 Most Innovative Companies in Georgia; Global Product Excellence, Tokenization Solution.
    6. PAYMETRIC CUSTOMERS: cross-market and industry, cross-geography.
    7. What is PCI Compliance? (Source: www.pcidatasecuritystandards.org, 10/07/12)
       Build and Maintain a Secure Network
       • 1. Install and maintain a firewall configuration
       • 2. Do not use vendor-supplied defaults for system passwords
       Protect Cardholder Data
       • 3. Protect stored cardholder data
       • 4. Encrypt transmission of cardholder data
       Maintain a Vulnerability Management Program
       • 5. Use and regularly update anti-virus software
       • 6. Develop and maintain secure systems and applications
       Implement Strong Access Control Measures
       • 7. Restrict access to data by business need-to-know
       • 8. Assign a unique ID to each person with computer access
       • 9. Restrict physical access to cardholder data
       Regularly Monitor and Test Networks
       • 10. Track and monitor all access to network resources and card data
       • 11. Regularly test security systems and processes
       Maintain an Information Security Policy
       • 12. Maintain a policy that addresses information security
       WHO MUST COMPLY? “ANY ORGANIZATION THAT STORES, PROCESSES OR TRANSMITS CREDIT CARD DATA”
    8. Merchant Validation Levels & Requirements (VISA / MasterCard merchant levels and validation actions)
       • Level 1: 6+ million transactions annually from any acceptance channel with one card brand. Self-Assessment Questionnaire: Not Applicable. On-Site Security Assessment / Report on Compliance (ROC): Required Annually (submitted to acquirer). Network Vulnerability Scans: Required Quarterly.
       • Level 2: 1 million to 6 million transactions annually from any acceptance channel with one card brand. Self-Assessment Questionnaire: Submitted to Acquirer Annually. On-Site Security Assessment (ROC): Not Applicable. Network Vulnerability Scans: Required Quarterly.
       • Level 3: 20,000 to 1 million e-commerce transactions annually with one card brand. Self-Assessment Questionnaire: Submitted to Acquirer Annually. On-Site Security Assessment (ROC): Not Applicable. Network Vulnerability Scans: Required Quarterly.
       • Level 4: Less than 20,000 e-commerce or less than 1 million transactions from any acceptance channel annually with one card brand. Self-Assessment Questionnaire: Required Annually (submission to acquirer not mandatory). On-Site Security Assessment (ROC): Not Applicable. Network Vulnerability Scans: Required Quarterly (submission to acquirer not mandatory).
    9. Fitting PCI DSS and Self-Assessment Together (diagram slide)
    10. 5 SAQ Types (SAQ, summary, who is eligible, number of questions)
       • SAQ A: Outsource all CHD functions. Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants. 13 questions.
       • SAQ B: Imprint or standalone dial-out terminals only. Imprint-only merchants with no electronic cardholder data storage, or standalone, dial-out terminal merchants with no electronic cardholder data storage. 29 questions.
       • SAQ C-VT: Virtual terminals only. Merchants using only web-based virtual terminals, no electronic cardholder data storage. This would never apply to e-commerce merchants or card swipe. 51 questions.
       • SAQ C: Internet-connected payment application. Merchants with payment application systems connected to the Internet, no electronic cardholder data storage. 40 questions.
       • SAQ D: All other merchants and all service providers. All other merchants not included in descriptions for SAQ types A through C above, and all service providers defined by a payment brand as eligible to complete an SAQ. 288 questions.
    11. Qualifying for SAQ-A (PCI Self-Assessment Questionnaire): Qualifying for SAQ-A reduces the number of security requirements from 205 to 14. Criteria that have to be met:
       • Company only handles Card Not Present (CNP) transactions
       • Company does not store, process or transmit any cardholder data on premise, relying on third-party providers
       • Third-party service provider is confirmed PCI DSS compliant
       • Company retains only paper reports or receipts with cardholder data, and said documents are not received electronically
       • Company does not store any cardholder data in electronic format
       **Please consult your acquirer or QSA to confirm that Paymetric’s Data Intercept solution will help you qualify for PCI SAQ-A.**
    12. DATA PROTECTION STRATEGY TIMELINE (timeline chart, 2000 to 2013). Tracks shown: technology progression (Encryption, Centralization, Tokenization (SaaS), Elimination); PCI DSS drivers (V1.0, V1.1, V1.2, V1.2.1); cost of a data breach (per-record figures $138, $182, $197, $202, $204, $214 and totals $4.5M, $4.7M, $6.3M, $6.7M, $6.8M, $7.4M); number of states with data breach notification laws (1, 38, 46); number of records breached (52M, 48M, 129M, 49M, 222M).
    13. Reducing Effort and Cost of Compliance: Eliminate Systems from Scope → Move to a “Lesser” SAQ → Reduce Burden on Systems → Reduced Effort and Cost.
    14. THE FUTURE | Eliminate Handling of Sensitive Data Altogether (diagram slide). Legible labels: Data Intercept Eliminates Systems from PCI Audit; Minimizes PCI Scope; Drastically Reduces PCI Costs.
    15. DATA INTERCEPT | eCommerce (diagram slide). Client Browser: the payment page loads <script src=“https://paypage.paymetric.com/dnld.js”>, which captures the cardholder data fields (Credit card number, Card Type, Expiration Date mm/yy, CVV “What’s this?”, Cardholder Name). Merchant Systems: Web Server.
    16. DATA INTERCEPT FOR SAP (diagram slide)
       • DATA INTERCEPT: Data Intercept client is invoked when a CSR attempts to enter a number into the SAP credit card field. Card data never touches SAP, removing it from PCI scope.
       • Without Data Intercept: CSR enters the CC number; card data touches SAP, placing it in PCI scope.
       • TOKENIZATION: SAP server makes an immediate call for a token. Card data is never stored, minimizing the scope of PCI Requirement 3.
    17. DI and PCI Audit Considerations
       • PCI Audit Process
       • Data flows: where is your data?
       • Determination of scope
       • Use of tokenization removes SAP/Web App from the data flow
       • Assessment focused on data entry systems only
       • What does that mean from a resource perspective?
       • Eliminate core application used by all employees from scope
       • What does it mean to be “In Scope”? Audit logging, vulnerability scanning, patching, access controls, system hardening, penetration testing, monitoring, file integrity
       • Elimination of data/scope allows an organization to focus resources on critical points of interaction
    18. Benefits of Data Intercept
       • Seamless process
       • Reduced risk of a data security breach
       • Provides logging for PCI audit purposes
       • More tightly control access to data
       • No storage of sensitive data
       • Ease compliance efforts with PCI regulations
       • Grant your organization safe harbor from new data breach notification laws
       • Increased security and brand protection
    19. WHY PAYMETRIC?
       • Performance: Over 400 of the world’s most respected brands have leveraged Paymetric solutions over the past decade.
       • Expertise: Paymetric employees have hundreds of years of combined experience in the payments industry and ERP landscape.
       • Credibility: Paymetric has been the recipient of many awards recognizing the accomplishments of the company and our solutions.
       • Innovation: Paymetric is consistently first to market with cutting-edge solutions that help companies grow their business and increase security.
       • Value: On-demand model makes it affordable to experience the benefits of integrated payment card processing and tokenization.
       • Service: 24 x 7 support includes incident and problem resolution, access to publications and best practices, and much more.
    20. QUESTIONS? Stewart Comrie, VP, Product Management, scomrie@paymetric.com
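The browser-side intercept on slide 15 is the whole point of the SAQ-A argument: cardholder data goes from the browser to the tokenization provider, and the merchant web server only receives a token. The following is an added illustrative example of that pattern, not Paymetric’s dnld.js or any of its API; the endpoint URL, field names and response shape are assumptions, and the `containsPan` check at the end is the kind of control a defender would run on anything that is still headed for merchant systems.

```javascript
// Added illustrative example of the "data intercept" pattern (not Paymetric's
// dnld.js). TOKENIZE_URL, field names and the {token} response are assumptions.
const TOKENIZE_URL = "https://paypage.example.invalid/tokenize"; // placeholder
const SENSITIVE_FIELDS = ["cardNumber", "cvv"];

// Luhn check: reject obviously mistyped PANs before any network call is made.
function luhnValid(pan) {
  const digits = String(pan).replace(/\D/g, "");
  if (digits.length < 13 || digits.length > 19) return false;
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

// Default tokenizer: POST the card fields to the provider over TLS (browser only).
async function postToProvider(card) {
  const res = await fetch(TOKENIZE_URL, {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify(card),
  });
  if (!res.ok) throw new Error(`tokenization failed: ${res.status}`);
  return res.json(); // assumed shape: { token }
}

// Intercept the form before submit: tokenize, then scrub PAN and CVV so the
// merchant-bound payload carries only the token, last4 and non-sensitive data.
async function interceptSubmit(form, tokenize = postToProvider) {
  if (!luhnValid(form.cardNumber)) throw new Error("invalid card number");
  const { token } = await tokenize({
    cardNumber: form.cardNumber, cvv: form.cvv,
    expMonth: form.expMonth, expYear: form.expYear,
  });
  const payload = { ...form, token, last4: form.cardNumber.replace(/\D/g, "").slice(-4) };
  for (const f of SENSITIVE_FIELDS) delete payload[f];
  return payload;
}

// Defender-side check: flag any Luhn-valid 13-19 digit run in data headed for
// merchant systems, i.e. a PAN that escaped the intercept.
function containsPan(obj) {
  const runs = JSON.stringify(obj).match(/\d(?:[ -]?\d){12,18}/g) || [];
  return runs.some(luhnValid);
}
```

In a real page `interceptSubmit` would be wired to the form’s submit handler and the returned payload posted to the merchant server; the injectable `tokenize` argument lets the flow be exercised offline.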
