PCI Data Security Standard Benjamin Hosack, Sales Director 2 May 2007

Agenda One-SEC Overview Typical Merchant Questions The PCI Data Security Standard Merchant information Timelines Data Compromise Steps to become Compliant Summary and Questions PCI Data Security Standard

One-SEC Overview

Typical Merchant Questions

The PCI Data Security Standard

Merchant information

Timelines

Data Compromise

Steps to become Compliant

Summary and Questions

One-SEC Overview Company Facts Headquartered in Kingston-Upon-Thames, UK Offices in The Netherlands, Ireland, Luxembourg and South Africa Middle Eastern presence Global coverage via partners and associated consultants Qualified to carry out assessments against all aspects of the PCI DSS PCI Data Security Standard

Company Facts

Headquartered in Kingston-Upon-Thames, UK

Offices in The Netherlands, Ireland, Luxembourg and South Africa

Middle Eastern presence

Global coverage via partners and associated consultants

Qualified to carry out assessments against all aspects of the PCI DSS

One-SEC Overview… Market Update ~60% of listed service providers across Europe, Middle East and Africa are One-SEC customers Working with major UK/European acquiring banks to rollout their PCI Data Security Standard programs (AIB, LloydsTSB Cardnet, Streamline, Barclaycard, Interpay etc) Exclusive PCI DSS partner to Visa CEMEA Service offerings to Merchants, Service Providers, Application Providers, Hosting Providers, Acquiring Banks and card schemes Forensic Partner to the Card Schemes

Market Update

~60% of listed service providers across Europe, Middle East and Africa are One-SEC customers

Working with major UK/European acquiring banks to rollout their PCI Data Security Standard programs (AIB, LloydsTSB Cardnet, Streamline, Barclaycard, Interpay etc)

Exclusive PCI DSS partner to Visa CEMEA

Service offerings to Merchants, Service Providers, Application Providers, Hosting Providers, Acquiring Banks and card schemes

Forensic Partner to the Card Schemes

Typical Merchant Questions What is the PCI DSS? Does it apply to me? What do I need to do? What are the timeframes? What if I do not become compliant? What happens if I get compromised?

What is the PCI DSS?

Does it apply to me?

What do I need to do?

What are the timeframes?

What if I do not become compliant?

What happens if I get compromised?

What is the PCI Data Security Standard? PCI Data Security Standard (PCI DSS) is a framework co-written by Visa and MasterCard and endorsed by all card schemes (Amex, JCB, Diners, Discover) Managed by the PCI Security Standards Council used as a verification method to achieve compliance to Visa AIS/CISP and MasterCard SDP PCI Data Security Standard Based on industry best practices for risk reduction, with focus on: Technical systems Policies and Procedures Broader info sec benefits Protect brand / reputation, user confidence, reduce fraud

PCI Data Security Standard (PCI DSS)

is a framework co-written by Visa and MasterCard and endorsed by all card schemes (Amex, JCB, Diners, Discover)

Managed by the PCI Security Standards Council

used as a verification method to achieve compliance to Visa AIS/CISP and MasterCard SDP

Based on industry best practices for risk reduction, with focus on:

Technical systems

Policies and Procedures

Broader info sec benefits

Protect brand / reputation, user confidence, reduce fraud

PCI Data Security Standard Protect stored data Encrypt transmission of cardholder data and sensitive information across public networks Protect Cardholder Data Install and maintain a firewall configuration to protect cardholder data Do not use vendor-supplied defaults for system passwords and other security parameters Build and Maintain a Secure Network

Protect stored data

Encrypt transmission of cardholder data and sensitive information across public networks

Install and maintain a firewall configuration to protect cardholder data

Do not use vendor-supplied defaults for system passwords and other security parameters

PCI Data Security Standard Restrict access to data by business need-to-know Assign a unique ID to each person with computer access Implement Strong Access Control Measures Use and regularly update anti-virus software Develop and maintain secure applications Maintain a Vulnerability Management Program

Restrict access to data by business need-to-know

Assign a unique ID to each person with computer access

Use and regularly update anti-virus software

Develop and maintain secure applications

PCI Data Security Standard 11. Regularly test security systems and processes 12. Maintain a policy that addresses information security Maintain an Information Security Policy 9. Restrict physical access to cardholder data 10. Track and monitor all access to network resources and cardholder data Regularly Monitor and Test Networks

PCI DSS Compliance is required for all companies that “store, process or transmit” cardholder information Merchants Service Providers Application Providers Hosting Providers Acquiring Banks Includes card present retailers (CP) and card not present (CNP) applications / vendors / entities (MOTO and e-commerce) Does it apply to me? PCI Data Security Standard

PCI DSS Compliance is required for all companies that “store, process or transmit” cardholder information

Merchants

Service Providers

Application Providers

Hosting Providers

Acquiring Banks

Includes card present retailers (CP) and card not present (CNP) applications / vendors / entities (MOTO and e-commerce)

Example Transaction Flow E-Commerce Merchant Cardholder VisaNet Acquirer (Merchant Bank) Processor Processor Issuer Payment Gateway / Processor / Service Provider Merchant

What do I need to do? PCI Data Security Standard Requirements Annual Self-Assessment Questionnaire Quarterly Scan Validation no later than 30 June 2005 Level 2 Merchants Any e-commerce merchant processing 150,000 to 6,000,000 transactions per year Requirements Annual Onsite Assessment Quarterly Scan Independent Security Assessor or Internal Audit if signed by Officer of the company Qualified Independent Scan Vendor Validation no later than 30 June 2005 Level 1 Merchants Any merchant - regardless of acceptance channel - processing over 6,000,000 Visa transactions per year Any merchant that has suffered a hack or an attack that resulted in an account data compromise. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimise risk to the Visa system Any merchant identified by another payment card brand as a Level 1.

Requirements

Annual Self-Assessment Questionnaire

Quarterly Scan

Validation no later than 30 June 2005

Level 2 Merchants

Any e-commerce merchant processing 150,000 to 6,000,000 transactions per year

Requirements

Annual Onsite Assessment

Quarterly Scan

Independent Security Assessor or Internal Audit if signed by Officer of the company

Qualified Independent Scan Vendor

Validation no later than 30 June 2005

Level 1 Merchants

Any merchant - regardless of acceptance channel - processing over 6,000,000 Visa transactions per year

Any merchant that has suffered a hack or an attack that resulted in an account data compromise.

Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimise risk to the Visa system

Any merchant identified by another payment card brand as a Level 1.

Continued… PCI Data Security Standard Requirements Annual Self-Assessment Questionnaire Quarterly Scan Compliance is mandatory, validation is strongly recommended Level 4 Merchants All other merchants, regardless of acceptance channel Requirements Annual Self-Assessment Questionnaire Quarterly Scan Validation no later than 30 June 2005 Level 3 Merchants Any merchant processing 20,000 to 150,000 e-Commerce transactions per year.

Requirements

Annual Self-Assessment Questionnaire

Quarterly Scan

Compliance is mandatory, validation is strongly recommended

Level 4 Merchants

All other merchants, regardless of acceptance channel

Requirements

Annual Self-Assessment Questionnaire

Quarterly Scan

Validation no later than 30 June 2005

Level 3 Merchants

Any merchant processing 20,000 to 150,000 e-Commerce transactions per year.

Original compliance date June 30th 2005 MasterCard non-compliance fines for acquirers June 30th 2007 Data Compromise What are the timeframes? PCI Data Security Standard

Original compliance date June 30th 2005

MasterCard non-compliance fines for acquirers June 30th 2007

Data Compromise

Obligation to report compromise to the card schemes Trading disruption Clean-up Forensic Investigation Unbudgeted tactical fixes Legal counsel Direct Costs to acquirer / merchant Card monitoring Card re-issue Fraud liability Fines Full Onsite Assessment Brand / reputational damage What happens if my data is compromised? PCI Data Security Standard

Obligation to report compromise to the card schemes

Trading disruption

Clean-up

Forensic Investigation

Unbudgeted tactical fixes

Legal counsel

Direct Costs to acquirer / merchant

Card monitoring

Card re-issue

Fraud liability

Fines

Full Onsite Assessment

Brand / reputational damage

Card Scheme Fines MasterCard Non-compliance Fines ($25,000) Failure to demonstrate Quarterly Progress ($25,000) $100,000 per rule violation post compromise up to $500,00 $25 / compromised account Visa € 5 / compromised account up to €100,000 Forensic Investigation Investigation costs (~ £30,000) Typical “Fine” Structures PCI Data Security Standard

Card Scheme Fines

MasterCard

Non-compliance Fines ($25,000)

Failure to demonstrate Quarterly Progress ($25,000)

$100,000 per rule violation post compromise up to $500,00

$25 / compromised account

Visa

€ 5 / compromised account up to €100,000

Forensic Investigation

Investigation costs (~ £30,000)

Compromises do occur! http://www.privacyrights.org/ar/ChronDataBreaches.htm USA centric: European Card Schemes report an upward trend in major compromises. 4000 personal tax returns Stolen Laptop Tax Service Plus March 20, 2007 153,911,351 TOTAL number of records containing sensitive personal information involved in security breaches 45,7 million Credit and Debit Cards stolen Data Hacked from payment systems TJX Companies -- TJ Maxx and Marshalls March 28, 2007 11,500 Credit Card details stolen Online Hacker Johnny’s Selected Seeds March 3, 2007

http://www.privacyrights.org/ar/ChronDataBreaches.htm

USA centric:

European Card Schemes report an upward trend in major compromises.

Steps to becoming PCI DSS Compliant Familiarise yourself with the PCI DSS – read the documentation Form a Project Team (IT, Security, HR, Legal, Admin, Sales etc) Internal Gap-Analysis Engage with a QSA to validate your Gap Analysis Begin vulnerability scanning Remediate non-compliances Complete certification – get PCI DSS Compliant Maintain Manage your Risk

Familiarise yourself with the PCI DSS – read the documentation

Form a Project Team (IT, Security, HR, Legal, Admin, Sales etc)

Internal Gap-Analysis

Engage with a QSA to validate your Gap Analysis

Begin vulnerability scanning

Remediate non-compliances

Complete certification – get PCI DSS Compliant

Maintain

Thank-you! Benj Hosack One-SEC Limited 12-50 Kingsgate Road Kingston-Upon-Thames KT2 5AA UK Tel: 0845 456 9611 Email: bhosack@one-sec.com or uk-sales@one-sec.com

Benj Hosack

One-SEC Limited

12-50 Kingsgate Road

Kingston-Upon-Thames

KT2 5AA

UK

Tel: 0845 456 9611

Email: bhosack@one-sec.com or

uk-sales@one-sec.com