SlideShare a Scribd company logo

Protecting Customer Data An Essential Part Of Doing Business Wp101174

E
Erik Ginalick
1 of 5
Download to read offline
Protecting Customer Data: An Essential Part of Doing Business What You Need to Know About Payment Card Industry Compliance Personally identifiable data is everywhere—and Payment Card Industry Compliance: everywhere at risk, especially when this data is kept on laptops and other mobile devices. Social security numbers A Security Mandate appear in employment and school applications, real estate To address this growing problem, the major payment transactions and medical records. Websites ask for user card systems, including Visa, MasterCard and American names and passwords to access content. Credit and debit Express, founded the Payment Card Industry (PCI) card information is transmitted over wired and wireless Security Standards Council and created the Data Security networks, from brick-and-mortar stores and online. Smaller Standard (DSS). Based on industry best practices, this set companies, which face particular constraints on time and of 12 comprehensive requirements includes measures resources, can be especially vulnerable. to prevent, detect and react to security incidents, and enhance the security of payment accounts. The goal is One notable area of concern is credit card data. And it’s to make it easier for any business to understand how to not just retailers who must be aware of the risks and the safeguard private data and stay ahead of threats to its required steps to prevent breaches. Anyone who transmits, business and its customers’ privacy. processes or stores payment card data is at risk—from stores and restaurants to doctor’s offices and auto repair shops. In fact, Visa estimates that approximately 85% of Why Does PCI Compliance data breaches occur at the small business level.1 Matter to You? Point-of-sale devices, personal computers or servers, • PCI compliance is not optional. It is an industry wireless networks, Web shopping applications, paper- mandate strictly enforced by the major payment card based and electronic data storage and unsecured brands based on the DSS. The DSS applies to transmission of cardholder data to service providers are all everyone who transmits, processes or stores payment vulnerable. On top of that, there may be vulnerabilities in card data—regardless of company size or how few the financial institutions that connect merchants and card card payments it may process. Card payment payment companies. companies require PCI compliance even if the business processes just a single payment. 1 http://www.bbb.org/data-security/intro-to-small-businesses/ ©2011 CenturyLink, Inc. All Rights Reserved. Not to be distributed or reproduced by anyone other than CenturyLink entities and CenturyLink Channel Alliance members. WP101174 07/11
• Your company’s reputation is on the line. When it For example, every time you add a new application or comes to a security breach, there is no such thing as device, you need to take precautions to ensure that it good publicity. Stolen data equals stolen trust, and meets security standards and is properly integrated with once lost, it may never be recovered. the rest of your system. A key vulnerability that many business owners may not even be aware of is improperly— • You could be personally liable. Simply put, you could or inadvertently—storing cardholder data. Contact your get sued if your customers’ information is stolen. POS provider to see what you’re storing on your system. Failing to meet security standards can subject you to potential gross negligence or class-action lawsuits. Ensure that the network is secure and available. Your signature on the application to become part of Because breaches can still occur after a company passes any payment card network means that you become its audit, you need to: liable if gross negligence can be shown. • Regularly test security systems and processes to make • Fines and penalties can be costly. If you do not sure they are up to date. Make changes if necessary. meet PCI compliance requirements, payment card companies may assess steep penalties—up to • Maintain an information security policy so all $500,000 per incident.1 They may even stop you employees are aware of the sensitivity of cardholder from handling credit and debit card payments. data and their responsibilities for protecting it. • It’s good business to be safe. Beyond legal obligations • Maintain a plan for responding to incidents. and financial considerations, network security and data protection are an essential part of doing business. Enforcement of PCI DSS Compliance By taking the proper steps to protect the privacy and data of your customers, clients or patients, you Compliance requirements depend on the number of credit establish trusting relationships and a positive brand card transactions that are processed per year, with more image. True, it costs money to comply. You must rigorous monitoring and testing required for businesses pay for infrastructure, technology and time. But just that handle more transactions. Businesses are also one security breach could cost much more. In short, required to demonstrate ongoing compliance through the cost of compliance is a cost of doing business. quarterly testing and an annual assessment. Any company may be audited, whether it processes thousands of transactions or just a few. How Can You Ensure PCI Compliance? Adhere to regulations. In addition to applicable federal Within the PCI Security Standards Council, each payment and state laws and regulations, businesses that process card company maintains its own compliance enforcement credit card payments have a responsibility to ensure that program. Businesses fall into one of four “merchant levels” they meet the PCI compliance requirements and stay up to with any card payment company, based on the number of date. At a minimum, you must: transactions with that company. • Install a firewall and anti-virus software. • Make sure patches are up to date. • Turn off remote access when not needed. • Change passwords often. • Stay informed about what is required to maintain compliance. ©2011 CenturyLink, Inc. All Rights Reserved. Not to be distributed or reproduced by anyone other than CenturyLink entities and CenturyLink Channel Alliance members. WP101174 07/11
Merchant Levels In addition, all but the largest businesses (which must be assessed on-site) are required to complete a self- Level 1: Any merchant that suffered a breach that assessment questionnaire (SAQ) every year. The SAQ compromised its accounts and/or any merchant includes a series of yes-or-no questions, and “no” answers processing: must include a plan for fixing the problem. • More than 6 million Visa or MasterCard transactions/year Important Updates • And/or 2.5 million American Express The payment card companies issue new mandates as transactions/year necessary to help members maintain security as new threats evolve. Level 2: Any merchant processing: • As of April 1, 2010, Visa requires every merchant to be PCI-compliant before accepting Visa card • 1–6 million Visa or MasterCard transactions/year payments. • And/or 50,000–2.5 million American Express • MasterCard has redefined its merchant-level transactions/year categories and deadlines with stricter compliance validation procedures. Level 3: Any merchant processing: • 20,000–1 million Visa or MasterCard e-commerce PCI compliance is in everyone’s best interest—the transactions/year payment card company, the merchant or service provider and the consumer. However, it can be difficult for smaller • And/or fewer than 50,000 American Express businesses to keep up with new security threats and the transactions/year industry standards and practices created to address them. Level 4 (Visa and MasterCard only): All others, How CenturyLink Business Can Help estimated at more than 5 million businesses • Up to 20,000 Visa or MasterCard e-commerce CenturyLink Business facilitates compliance by giving transactions/year customers a single point of contact for all PCI-compliance needs. • Or up to 1 million Visa or MasterCard transactions/year in all channels Offering an ideal combination of local know-how and personalized service, CenturyLink can help you understand what’s required to achieve and maintain compliance—from The card payment companies require regular monitoring basics like installing a firewall and maintaining anti-virus and testing to ensure that each business remains software to identifying what’s stored on your system. We compliant with the DSS over time. For all levels, network can also help you stay up to date on new technologies and scans are required quarterly by an approved scan vendor responses to ever-changing threats, helping you to build an (ASV). ASVs are trained and qualified by the PCI Security effective long-term compliance strategy while making the Standards Council to perform the network and systems most of your internal resources. scans required by the DSS. ©2011 CenturyLink, Inc. All Rights Reserved. Not to be distributed or reproduced by anyone other than CenturyLink entities and CenturyLink Channel Alliance members. WP101174 07/11
Data Protection Solutions from CenturyLink Business CenturyLink Business services include penetration testing, vulnerability assessments, remediation consulting, gap analysis, pre-audit assessments and more. Our solutions, customized to your needs, can help you: • Stop virus, spam and other dangers from reaching your business. • Securely transfer data to wherever it’s needed. • Provide reports for auditors and alerts to staff to optimize processes running over the network. • Provide mobile access to the Internet that offers secure access to your company network via optional VPN client. PCI Compliance Checklist Build and Maintain a Secure Network Implement Strong Access Control Measures  1. Install and maintain a firewall to protect  7. Restrict access to cardholder data by business cardholder data. need-to-know.  2. Do not use vendor-supplied defaults for  8. Assign a unique ID to each person with system passwords and other security settings. computer access.  9. Restrict physical access to cardholder data. Protect Cardholder Data  3. Protect stored cardholder data. Regularly Monitor and Test Networks  4. Encrypt transmission of cardholder data  10. Track and monitor all access to network across open, public networks. resources and cardholder data.  11. Regularly test security systems and processes. Maintain a Vulnerability Management Program  5. Use and regularly update anti-virus software. Maintain an Information Security Policy  6. Develop and maintain secure systems  12. Maintain a policy that addresses and applications. information security. ~From the PCI Data Security Standard Learn More > ©2011 CenturyLink, Inc. All Rights Reserved. Not to be distributed or reproduced by anyone other than CenturyLink entities and CenturyLink Channel Alliance members. WP101174 07/11
Other Resources Better Business Bureau, Data Security Made Simpler, 2010 View pdf > PCI Security Standards Council, Data Storage Dos and Don’ts, 2008 View pdf > PCI Security Standards Council, PCI Quick Reference Guide: Understanding the Payment Card Industry Data Security Standard Version 1.2, 2008 View pdf > PCI Security Standards Council, Skimming Prevention: Overview of Best Practices for Merchants, 2009 View pdf > PCI Security Standards Council, Ten Common Myths of PCI DSS, 2008 View pdf > Protecting Payment Card Data, CenturyLink Business, 2009 View pdf > CenturyLink Service Assurance, 2009 View pdf > ©2011 CenturyLink, Inc. All Rights Reserved. Not to be distributed or reproduced by anyone other than CenturyLink entities and CenturyLink Channel Alliance members. WP101174 07/11

Recommended

Rogerio sepuveda 14 00
Rogerio sepuveda 14 00Rogerio sepuveda 14 00
Rogerio sepuveda 14 00forumsustentar
 
Open Science Grid security-atlas-t2 Bob Cowles
Open Science Grid security-atlas-t2 Bob CowlesOpen Science Grid security-atlas-t2 Bob Cowles
Open Science Grid security-atlas-t2 Bob CowlesInformation Security Awareness Group
 
Global scenarios 2014
Global scenarios 2014Global scenarios 2014
Global scenarios 2014Иван Глебов
 
sfsa
sfsasfsa
sfsathinkingeurope2011
 
Ip3 powerpoint 97 2003
Ip3 powerpoint 97 2003Ip3 powerpoint 97 2003
Ip3 powerpoint 97 2003Deborah Swartzentruber
 
High speed downlink packet access
High speed downlink packet accessHigh speed downlink packet access
High speed downlink packet accessPankaj Khodifad
 
Closing The Clinical It Chasm Wp101198
Closing The Clinical It Chasm Wp101198Closing The Clinical It Chasm Wp101198
Closing The Clinical It Chasm Wp101198Erik Ginalick
 
Managed Security For A Not So Secure World Wp090991
Managed Security For A Not So Secure World Wp090991Managed Security For A Not So Secure World Wp090991
Managed Security For A Not So Secure World Wp090991Erik Ginalick
 

Recommended

Rogerio sepuveda 14 00
Rogerio sepuveda 14 00Rogerio sepuveda 14 00
Rogerio sepuveda 14 00forumsustentar
 
Open Science Grid security-atlas-t2 Bob Cowles
Open Science Grid security-atlas-t2 Bob CowlesOpen Science Grid security-atlas-t2 Bob Cowles
Open Science Grid security-atlas-t2 Bob CowlesInformation Security Awareness Group
 
Global scenarios 2014
Global scenarios 2014Global scenarios 2014
Global scenarios 2014Иван Глебов
 
sfsa
sfsasfsa
sfsathinkingeurope2011
 
Ip3 powerpoint 97 2003
Ip3 powerpoint 97 2003Ip3 powerpoint 97 2003
Ip3 powerpoint 97 2003Deborah Swartzentruber
 
High speed downlink packet access
High speed downlink packet accessHigh speed downlink packet access
High speed downlink packet accessPankaj Khodifad
 
Closing The Clinical It Chasm Wp101198
Closing The Clinical It Chasm Wp101198Closing The Clinical It Chasm Wp101198
Closing The Clinical It Chasm Wp101198Erik Ginalick
 
Managed Security For A Not So Secure World Wp090991
Managed Security For A Not So Secure World Wp090991Managed Security For A Not So Secure World Wp090991
Managed Security For A Not So Secure World Wp090991Erik Ginalick
 
Infrastructures For Innovation Wp090974
Infrastructures For Innovation Wp090974Infrastructures For Innovation Wp090974
Infrastructures For Innovation Wp090974Erik Ginalick
 
Inspiratinal quate
Inspiratinal quateInspiratinal quate
Inspiratinal quatePankaj Khodifad
 
Clock distribution in high speed board
Clock distribution in high speed boardClock distribution in high speed board
Clock distribution in high speed boardPankaj Khodifad
 
Wireless network in aircraft
Wireless network in aircraftWireless network in aircraft
Wireless network in aircraftPankaj Khodifad
 
Terminaters
TerminatersTerminaters
TerminatersPankaj Khodifad
 
Saha lecture updated1
Saha lecture updated1Saha lecture updated1
Saha lecture updated1Nomun Bukh-Ochir
 
slideOLOGY 2.0
slideOLOGY 2.0slideOLOGY 2.0
slideOLOGY 2.0Matt Schreier
 
Term Paper on Fiber Optic Sensors
Term Paper on Fiber Optic SensorsTerm Paper on Fiber Optic Sensors
Term Paper on Fiber Optic SensorsPankaj Khodifad
 
Operational Excellence - The Digital Way
Operational Excellence - The Digital WayOperational Excellence - The Digital Way
Operational Excellence - The Digital WayGE Intelligent Platforms
 
Slide-OLOGY
Slide-OLOGYSlide-OLOGY
Slide-OLOGYMatt Schreier
 
Tyler objective model group presentation
Tyler objective model group presentationTyler objective model group presentation
Tyler objective model group presentationJordan Adinit
 
RAM and ROM Memory Overview
RAM and ROM Memory OverviewRAM and ROM Memory Overview
RAM and ROM Memory OverviewPankaj Khodifad
 
Unleashing The Power Of Customer Data Wp091047
Unleashing The Power Of Customer Data Wp091047Unleashing The Power Of Customer Data Wp091047
Unleashing The Power Of Customer Data Wp091047Erik Ginalick
 
Understand Benefits Of Electronic Health Records Wp091005
Understand Benefits Of Electronic Health Records Wp091005Understand Benefits Of Electronic Health Records Wp091005
Understand Benefits Of Electronic Health Records Wp091005Erik Ginalick
 
Reaching For The Cloud Wp101366
Reaching For The Cloud Wp101366Reaching For The Cloud Wp101366
Reaching For The Cloud Wp101366Erik Ginalick
 
Qmoe For Manufacturing Wp090862
Qmoe For Manufacturing Wp090862Qmoe For Manufacturing Wp090862
Qmoe For Manufacturing Wp090862Erik Ginalick
 
Qmoe For Public Sector Wp090863
Qmoe For Public Sector Wp090863Qmoe For Public Sector Wp090863
Qmoe For Public Sector Wp090863Erik Ginalick
 
Sip Trunk Services The Cornerstone Of Unified Communications Wp101194
Sip Trunk Services The Cornerstone Of Unified Communications Wp101194Sip Trunk Services The Cornerstone Of Unified Communications Wp101194
Sip Trunk Services The Cornerstone Of Unified Communications Wp101194Erik Ginalick
 
The Worry Free Network Wp091050
The Worry Free Network Wp091050The Worry Free Network Wp091050
The Worry Free Network Wp091050Erik Ginalick
 
Qmoe For Financial Services Wp090860
Qmoe For Financial Services Wp090860Qmoe For Financial Services Wp090860
Qmoe For Financial Services Wp090860Erik Ginalick
 
Qmoe For Healthcare Wp090861
Qmoe For Healthcare Wp090861Qmoe For Healthcare Wp090861
Qmoe For Healthcare Wp090861Erik Ginalick
 
Protecting Payment Card Data Wp091010
Protecting Payment Card Data Wp091010Protecting Payment Card Data Wp091010
Protecting Payment Card Data Wp091010Erik Ginalick
 

More Related Content

Viewers also liked

Infrastructures For Innovation Wp090974
Infrastructures For Innovation Wp090974Infrastructures For Innovation Wp090974
Infrastructures For Innovation Wp090974Erik Ginalick
 
Clock distribution in high speed board
Clock distribution in high speed boardClock distribution in high speed board
Clock distribution in high speed boardPankaj Khodifad
 
Wireless network in aircraft
Wireless network in aircraftWireless network in aircraft
Wireless network in aircraftPankaj Khodifad
 
Term Paper on Fiber Optic Sensors
Term Paper on Fiber Optic SensorsTerm Paper on Fiber Optic Sensors
Term Paper on Fiber Optic SensorsPankaj Khodifad
 
Tyler objective model group presentation
Tyler objective model group presentationTyler objective model group presentation
Tyler objective model group presentationJordan Adinit
 
RAM and ROM Memory Overview
RAM and ROM Memory OverviewRAM and ROM Memory Overview
RAM and ROM Memory OverviewPankaj Khodifad
 

Viewers also liked (12)

Infrastructures For Innovation Wp090974
Infrastructures For Innovation Wp090974Infrastructures For Innovation Wp090974
Infrastructures For Innovation Wp090974
 
Inspiratinal quate
Inspiratinal quateInspiratinal quate
Inspiratinal quate
 
Clock distribution in high speed board
Clock distribution in high speed boardClock distribution in high speed board
Clock distribution in high speed board
 
Wireless network in aircraft
Wireless network in aircraftWireless network in aircraft
Wireless network in aircraft
 
Terminaters
TerminatersTerminaters
Terminaters
 
Saha lecture updated1
Saha lecture updated1Saha lecture updated1
Saha lecture updated1
 
slideOLOGY 2.0
slideOLOGY 2.0slideOLOGY 2.0
slideOLOGY 2.0
 
Term Paper on Fiber Optic Sensors
Term Paper on Fiber Optic SensorsTerm Paper on Fiber Optic Sensors
Term Paper on Fiber Optic Sensors
 
Operational Excellence - The Digital Way
Operational Excellence - The Digital WayOperational Excellence - The Digital Way
Operational Excellence - The Digital Way
 
Slide-OLOGY
Slide-OLOGYSlide-OLOGY
Slide-OLOGY
 
Tyler objective model group presentation
Tyler objective model group presentationTyler objective model group presentation
Tyler objective model group presentation
 
RAM and ROM Memory Overview
RAM and ROM Memory OverviewRAM and ROM Memory Overview
RAM and ROM Memory Overview
 

More from Erik Ginalick

Unleashing The Power Of Customer Data Wp091047
Unleashing The Power Of Customer Data Wp091047Unleashing The Power Of Customer Data Wp091047
Unleashing The Power Of Customer Data Wp091047Erik Ginalick
 
Understand Benefits Of Electronic Health Records Wp091005
Understand Benefits Of Electronic Health Records Wp091005Understand Benefits Of Electronic Health Records Wp091005
Understand Benefits Of Electronic Health Records Wp091005Erik Ginalick
 
Reaching For The Cloud Wp101366
Reaching For The Cloud Wp101366Reaching For The Cloud Wp101366
Reaching For The Cloud Wp101366Erik Ginalick
 
Qmoe For Manufacturing Wp090862
Qmoe For Manufacturing Wp090862Qmoe For Manufacturing Wp090862
Qmoe For Manufacturing Wp090862Erik Ginalick
 
Qmoe For Public Sector Wp090863
Qmoe For Public Sector Wp090863Qmoe For Public Sector Wp090863
Qmoe For Public Sector Wp090863Erik Ginalick
 
Sip Trunk Services The Cornerstone Of Unified Communications Wp101194
Sip Trunk Services The Cornerstone Of Unified Communications Wp101194Sip Trunk Services The Cornerstone Of Unified Communications Wp101194
Sip Trunk Services The Cornerstone Of Unified Communications Wp101194Erik Ginalick
 
The Worry Free Network Wp091050
The Worry Free Network Wp091050The Worry Free Network Wp091050
The Worry Free Network Wp091050Erik Ginalick
 
Qmoe For Financial Services Wp090860
Qmoe For Financial Services Wp090860Qmoe For Financial Services Wp090860
Qmoe For Financial Services Wp090860Erik Ginalick
 
Qmoe For Healthcare Wp090861
Qmoe For Healthcare Wp090861Qmoe For Healthcare Wp090861
Qmoe For Healthcare Wp090861Erik Ginalick
 
Protecting Payment Card Data Wp091010
Protecting Payment Card Data Wp091010Protecting Payment Card Data Wp091010
Protecting Payment Card Data Wp091010Erik Ginalick
 
Planning For Disaster And Everyday Threats Wp111438
Planning For Disaster And Everyday Threats Wp111438Planning For Disaster And Everyday Threats Wp111438
Planning For Disaster And Everyday Threats Wp111438Erik Ginalick
 
Mpls Future Proofing Enterprise Networks For Long Term Success Wp101094
Mpls Future Proofing Enterprise Networks For Long Term Success Wp101094Mpls Future Proofing Enterprise Networks For Long Term Success Wp101094
Mpls Future Proofing Enterprise Networks For Long Term Success Wp101094Erik Ginalick
 
Plan For Success White Paper
Plan For Success White PaperPlan For Success White Paper
Plan For Success White PaperErik Ginalick
 
Optimizing Your Communications In A Recession Wp090993
Optimizing Your Communications In A Recession Wp090993Optimizing Your Communications In A Recession Wp090993
Optimizing Your Communications In A Recession Wp090993Erik Ginalick
 
Is Cloud Computing Right For You Wp101305
Is Cloud Computing Right For You Wp101305Is Cloud Computing Right For You Wp101305
Is Cloud Computing Right For You Wp101305Erik Ginalick
 
Ipv Technical White Paper Wp111504
Ipv Technical White Paper Wp111504Ipv Technical White Paper Wp111504
Ipv Technical White Paper Wp111504Erik Ginalick
 
Ipv6 Technical White Paper Wp111504
Ipv6 Technical White Paper Wp111504Ipv6 Technical White Paper Wp111504
Ipv6 Technical White Paper Wp111504Erik Ginalick
 
Healthcare It Security Necessity Wp101118
Healthcare It Security Necessity Wp101118Healthcare It Security Necessity Wp101118
Healthcare It Security Necessity Wp101118Erik Ginalick
 
Five Network Security Threats And How To Protect Your Business Wp101112
Five Network Security Threats And How To Protect Your Business Wp101112Five Network Security Threats And How To Protect Your Business Wp101112
Five Network Security Threats And How To Protect Your Business Wp101112Erik Ginalick
 
Finding The Right Cloud Solution Wp111455
Finding The Right Cloud Solution Wp111455Finding The Right Cloud Solution Wp111455
Finding The Right Cloud Solution Wp111455Erik Ginalick
 

More from Erik Ginalick (20)

Unleashing The Power Of Customer Data Wp091047
Unleashing The Power Of Customer Data Wp091047Unleashing The Power Of Customer Data Wp091047
Unleashing The Power Of Customer Data Wp091047
 
Understand Benefits Of Electronic Health Records Wp091005
Understand Benefits Of Electronic Health Records Wp091005Understand Benefits Of Electronic Health Records Wp091005
Understand Benefits Of Electronic Health Records Wp091005
 
Reaching For The Cloud Wp101366
Reaching For The Cloud Wp101366Reaching For The Cloud Wp101366
Reaching For The Cloud Wp101366
 
Qmoe For Manufacturing Wp090862
Qmoe For Manufacturing Wp090862Qmoe For Manufacturing Wp090862
Qmoe For Manufacturing Wp090862
 
Qmoe For Public Sector Wp090863
Qmoe For Public Sector Wp090863Qmoe For Public Sector Wp090863
Qmoe For Public Sector Wp090863
 
Sip Trunk Services The Cornerstone Of Unified Communications Wp101194
Sip Trunk Services The Cornerstone Of Unified Communications Wp101194Sip Trunk Services The Cornerstone Of Unified Communications Wp101194
Sip Trunk Services The Cornerstone Of Unified Communications Wp101194
 
The Worry Free Network Wp091050
The Worry Free Network Wp091050The Worry Free Network Wp091050
The Worry Free Network Wp091050
 
Qmoe For Financial Services Wp090860
Qmoe For Financial Services Wp090860Qmoe For Financial Services Wp090860
Qmoe For Financial Services Wp090860
 
Qmoe For Healthcare Wp090861
Qmoe For Healthcare Wp090861Qmoe For Healthcare Wp090861
Qmoe For Healthcare Wp090861
 
Protecting Payment Card Data Wp091010
Protecting Payment Card Data Wp091010Protecting Payment Card Data Wp091010
Protecting Payment Card Data Wp091010
 
Planning For Disaster And Everyday Threats Wp111438
Planning For Disaster And Everyday Threats Wp111438Planning For Disaster And Everyday Threats Wp111438
Planning For Disaster And Everyday Threats Wp111438
 
Mpls Future Proofing Enterprise Networks For Long Term Success Wp101094
Mpls Future Proofing Enterprise Networks For Long Term Success Wp101094Mpls Future Proofing Enterprise Networks For Long Term Success Wp101094
Mpls Future Proofing Enterprise Networks For Long Term Success Wp101094
 
Plan For Success White Paper
Plan For Success White PaperPlan For Success White Paper
Plan For Success White Paper
 
Optimizing Your Communications In A Recession Wp090993
Optimizing Your Communications In A Recession Wp090993Optimizing Your Communications In A Recession Wp090993
Optimizing Your Communications In A Recession Wp090993
 
Is Cloud Computing Right For You Wp101305
Is Cloud Computing Right For You Wp101305Is Cloud Computing Right For You Wp101305
Is Cloud Computing Right For You Wp101305
 
Ipv Technical White Paper Wp111504
Ipv Technical White Paper Wp111504Ipv Technical White Paper Wp111504
Ipv Technical White Paper Wp111504
 
Ipv6 Technical White Paper Wp111504
Ipv6 Technical White Paper Wp111504Ipv6 Technical White Paper Wp111504
Ipv6 Technical White Paper Wp111504
 
Healthcare It Security Necessity Wp101118
Healthcare It Security Necessity Wp101118Healthcare It Security Necessity Wp101118
Healthcare It Security Necessity Wp101118
 
Five Network Security Threats And How To Protect Your Business Wp101112
Five Network Security Threats And How To Protect Your Business Wp101112Five Network Security Threats And How To Protect Your Business Wp101112
Five Network Security Threats And How To Protect Your Business Wp101112
 
Finding The Right Cloud Solution Wp111455
Finding The Right Cloud Solution Wp111455Finding The Right Cloud Solution Wp111455
Finding The Right Cloud Solution Wp111455
 

Protecting Customer Data An Essential Part Of Doing Business Wp101174

  • 1. Protecting Customer Data: An Essential Part of Doing Business What You Need to Know About Payment Card Industry Compliance Personally identifiable data is everywhere—and Payment Card Industry Compliance: everywhere at risk, especially when this data is kept on laptops and other mobile devices. Social security numbers A Security Mandate appear in employment and school applications, real estate To address this growing problem, the major payment transactions and medical records. Websites ask for user card systems, including Visa, MasterCard and American names and passwords to access content. Credit and debit Express, founded the Payment Card Industry (PCI) card information is transmitted over wired and wireless Security Standards Council and created the Data Security networks, from brick-and-mortar stores and online. Smaller Standard (DSS). Based on industry best practices, this set companies, which face particular constraints on time and of 12 comprehensive requirements includes measures resources, can be especially vulnerable. to prevent, detect and react to security incidents, and enhance the security of payment accounts. The goal is One notable area of concern is credit card data. And it’s to make it easier for any business to understand how to not just retailers who must be aware of the risks and the safeguard private data and stay ahead of threats to its required steps to prevent breaches. Anyone who transmits, business and its customers’ privacy. processes or stores payment card data is at risk—from stores and restaurants to doctor’s offices and auto repair shops. In fact, Visa estimates that approximately 85% of Why Does PCI Compliance data breaches occur at the small business level.1 Matter to You? Point-of-sale devices, personal computers or servers, • PCI compliance is not optional. It is an industry wireless networks, Web shopping applications, paper- mandate strictly enforced by the major payment card based and electronic data storage and unsecured brands based on the DSS. The DSS applies to transmission of cardholder data to service providers are all everyone who transmits, processes or stores payment vulnerable. On top of that, there may be vulnerabilities in card data—regardless of company size or how few the financial institutions that connect merchants and card card payments it may process. Card payment payment companies. companies require PCI compliance even if the business processes just a single payment. 1 http://www.bbb.org/data-security/intro-to-small-businesses/ ©2011 CenturyLink, Inc. All Rights Reserved. Not to be distributed or reproduced by anyone other than CenturyLink entities and CenturyLink Channel Alliance members. WP101174 07/11
  • 2. • Your company’s reputation is on the line. When it For example, every time you add a new application or comes to a security breach, there is no such thing as device, you need to take precautions to ensure that it good publicity. Stolen data equals stolen trust, and meets security standards and is properly integrated with once lost, it may never be recovered. the rest of your system. A key vulnerability that many business owners may not even be aware of is improperly— • You could be personally liable. Simply put, you could or inadvertently—storing cardholder data. Contact your get sued if your customers’ information is stolen. POS provider to see what you’re storing on your system. Failing to meet security standards can subject you to potential gross negligence or class-action lawsuits. Ensure that the network is secure and available. Your signature on the application to become part of Because breaches can still occur after a company passes any payment card network means that you become its audit, you need to: liable if gross negligence can be shown. • Regularly test security systems and processes to make • Fines and penalties can be costly. If you do not sure they are up to date. Make changes if necessary. meet PCI compliance requirements, payment card companies may assess steep penalties—up to • Maintain an information security policy so all $500,000 per incident.1 They may even stop you employees are aware of the sensitivity of cardholder from handling credit and debit card payments. data and their responsibilities for protecting it. • It’s good business to be safe. Beyond legal obligations • Maintain a plan for responding to incidents. and financial considerations, network security and data protection are an essential part of doing business. Enforcement of PCI DSS Compliance By taking the proper steps to protect the privacy and data of your customers, clients or patients, you Compliance requirements depend on the number of credit establish trusting relationships and a positive brand card transactions that are processed per year, with more image. True, it costs money to comply. You must rigorous monitoring and testing required for businesses pay for infrastructure, technology and time. But just that handle more transactions. Businesses are also one security breach could cost much more. In short, required to demonstrate ongoing compliance through the cost of compliance is a cost of doing business. quarterly testing and an annual assessment. Any company may be audited, whether it processes thousands of transactions or just a few. How Can You Ensure PCI Compliance? Adhere to regulations. In addition to applicable federal Within the PCI Security Standards Council, each payment and state laws and regulations, businesses that process card company maintains its own compliance enforcement credit card payments have a responsibility to ensure that program. Businesses fall into one of four “merchant levels” they meet the PCI compliance requirements and stay up to with any card payment company, based on the number of date. At a minimum, you must: transactions with that company. • Install a firewall and anti-virus software. • Make sure patches are up to date. • Turn off remote access when not needed. • Change passwords often. • Stay informed about what is required to maintain compliance. ©2011 CenturyLink, Inc. All Rights Reserved. Not to be distributed or reproduced by anyone other than CenturyLink entities and CenturyLink Channel Alliance members. WP101174 07/11
  • 3. Merchant Levels In addition, all but the largest businesses (which must be assessed on-site) are required to complete a self- Level 1: Any merchant that suffered a breach that assessment questionnaire (SAQ) every year. The SAQ compromised its accounts and/or any merchant includes a series of yes-or-no questions, and “no” answers processing: must include a plan for fixing the problem. • More than 6 million Visa or MasterCard transactions/year Important Updates • And/or 2.5 million American Express The payment card companies issue new mandates as transactions/year necessary to help members maintain security as new threats evolve. Level 2: Any merchant processing: • As of April 1, 2010, Visa requires every merchant to be PCI-compliant before accepting Visa card • 1–6 million Visa or MasterCard transactions/year payments. • And/or 50,000–2.5 million American Express • MasterCard has redefined its merchant-level transactions/year categories and deadlines with stricter compliance validation procedures. Level 3: Any merchant processing: • 20,000–1 million Visa or MasterCard e-commerce PCI compliance is in everyone’s best interest—the transactions/year payment card company, the merchant or service provider and the consumer. However, it can be difficult for smaller • And/or fewer than 50,000 American Express businesses to keep up with new security threats and the transactions/year industry standards and practices created to address them. Level 4 (Visa and MasterCard only): All others, How CenturyLink Business Can Help estimated at more than 5 million businesses • Up to 20,000 Visa or MasterCard e-commerce CenturyLink Business facilitates compliance by giving transactions/year customers a single point of contact for all PCI-compliance needs. • Or up to 1 million Visa or MasterCard transactions/year in all channels Offering an ideal combination of local know-how and personalized service, CenturyLink can help you understand what’s required to achieve and maintain compliance—from The card payment companies require regular monitoring basics like installing a firewall and maintaining anti-virus and testing to ensure that each business remains software to identifying what’s stored on your system. We compliant with the DSS over time. For all levels, network can also help you stay up to date on new technologies and scans are required quarterly by an approved scan vendor responses to ever-changing threats, helping you to build an (ASV). ASVs are trained and qualified by the PCI Security effective long-term compliance strategy while making the Standards Council to perform the network and systems most of your internal resources. scans required by the DSS. ©2011 CenturyLink, Inc. All Rights Reserved. Not to be distributed or reproduced by anyone other than CenturyLink entities and CenturyLink Channel Alliance members. WP101174 07/11
  • 4. Data Protection Solutions from CenturyLink Business CenturyLink Business services include penetration testing, vulnerability assessments, remediation consulting, gap analysis, pre-audit assessments and more. Our solutions, customized to your needs, can help you: • Stop virus, spam and other dangers from reaching your business. • Securely transfer data to wherever it’s needed. • Provide reports for auditors and alerts to staff to optimize processes running over the network. • Provide mobile access to the Internet that offers secure access to your company network via optional VPN client. PCI Compliance Checklist Build and Maintain a Secure Network Implement Strong Access Control Measures  1. Install and maintain a firewall to protect  7. Restrict access to cardholder data by business cardholder data. need-to-know.  2. Do not use vendor-supplied defaults for  8. Assign a unique ID to each person with system passwords and other security settings. computer access.  9. Restrict physical access to cardholder data. Protect Cardholder Data  3. Protect stored cardholder data. Regularly Monitor and Test Networks  4. Encrypt transmission of cardholder data  10. Track and monitor all access to network across open, public networks. resources and cardholder data.  11. Regularly test security systems and processes. Maintain a Vulnerability Management Program  5. Use and regularly update anti-virus software. Maintain an Information Security Policy  6. Develop and maintain secure systems  12. Maintain a policy that addresses and applications. information security. ~From the PCI Data Security Standard Learn More > ©2011 CenturyLink, Inc. All Rights Reserved. Not to be distributed or reproduced by anyone other than CenturyLink entities and CenturyLink Channel Alliance members. WP101174 07/11
  • 5. Other Resources Better Business Bureau, Data Security Made Simpler, 2010 View pdf > PCI Security Standards Council, Data Storage Dos and Don’ts, 2008 View pdf > PCI Security Standards Council, PCI Quick Reference Guide: Understanding the Payment Card Industry Data Security Standard Version 1.2, 2008 View pdf > PCI Security Standards Council, Skimming Prevention: Overview of Best Practices for Merchants, 2009 View pdf > PCI Security Standards Council, Ten Common Myths of PCI DSS, 2008 View pdf > Protecting Payment Card Data, CenturyLink Business, 2009 View pdf > CenturyLink Service Assurance, 2009 View pdf > ©2011 CenturyLink, Inc. All Rights Reserved. Not to be distributed or reproduced by anyone other than CenturyLink entities and CenturyLink Channel Alliance members. WP101174 07/11