101007 How To Sell Pci Compliance (External)

  • The PCI-DSS Standard May 26, 2011 Copyright © 2006-2007, Network Frontiers LLC. All rights reserved.
  • Acquirer and Issuer exchange information. This usually happens within 1 day.
  • Wireless also gives you the opportunity to offer Internet access to your customers. It can be offered as a free service to attract more customers into restaurants, or perhaps offered as a revenue-generating service on its own. If you’re thinking about setting up hotspot Internet access in your restaurants, you already know it is important to keep your wireless guests out of your private POS network. SonicWALL wireless solutions do this by creating a separate wireless network segment for guests which only allows access to the Internet while sealing off the rest of the POS network.
  • Finally, no security solution is effective if it remains static. The Internet is an incredibly dynamic environment, with new threats emerging every day. Your security solution must be dynamic as well to keep pace with the ever-changing threat environment. It is important to monitor and maintain your protection, whether you do it yourself or outsource it to your preferred IT service provider. Remotely monitoring systems and keeping them up-to-date with SonicWALL management systems will help you address a number of requirements such as 2, 5, 6, 10, and 11. Adam: How has your staff remotely logged in to systems to make sure they’re up-to-date?
  • As a Level 2, 3 or 4 merchant with external facing IP(s), what needs to be submitted to an acquirer in order to be PCI Compliant? (Answer all that apply)
    • SAQ
    • Attestation of Compliance
    • Results of PCI scan with a passing grade from an ASV
    • Report of Compliance (ROC) is optional
    Submit the SAQ, the Attestation of Compliance and evidence of a passing PCI scan from an ASV (if applicable), along with any other requested documentation, to an acquirer. A Report of Compliance (ROC) is only required for a Level 1 merchant. A QSA is not required for a Level 2, 3 or 4. Scanning does not apply to all merchants: it is required for Validation Types 4 and 5, those merchants with external facing IP addresses. Basically, if a merchant electronically stores cardholder information or if their processing systems have any Internet connectivity, a quarterly scan by an ASV is required.
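The guest hotspot isolation described in the speaker notes above (a separate wireless segment that can reach only the Internet while the POS network stays sealed off) can be expressed as a first-match zone policy and checked mechanically. The Python below is an added example and is not SonicWALL configuration syntax or material from the presentation; the zone names, subnets, ports and rule ordering are constructed assumptions for illustration. It also shows the weak setting beside the corrected one: a "convenience" allow rule placed ahead of the guest denies, which the isolation check catches.

```python
"""Zone-based firewall policy model for guest-hotspot / POS segmentation.
Added example: zone names, subnets, ports and rule order are assumptions,
not SonicWALL configuration and not part of the presentation."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed address plan (assumption).
ZONES = {
    "POS":   ipaddress.ip_network("10.10.0.0/24"),     # card-handling terminals
    "LAN":   ipaddress.ip_network("10.20.0.0/24"),     # back-office workstations
    "GUEST": ipaddress.ip_network("192.168.50.0/24"),  # patron hotspot segment
}
# Any address outside the zones above is treated as the Internet ("WAN").


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]  # None matches any port
    action: str              # "allow" or "deny"


# First-match policy: explicit allows for what the business needs, explicit
# guest-to-internal denies for clarity, and an implicit default deny.
POLICY: List[Rule] = [
    Rule("GUEST", "WAN", 80,   "allow"),  # patrons browse the web
    Rule("GUEST", "WAN", 443,  "allow"),
    Rule("GUEST", "POS", None, "deny"),   # hotspot sealed off from card systems
    Rule("GUEST", "LAN", None, "deny"),   # ... and from the back office
    Rule("POS",   "WAN", 443,  "allow"),  # terminals reach the processor over TLS
    Rule("LAN",   "POS", 22,   "allow"),  # admin SSH to POS from back office only
]

# The weak setting: a "convenience" rule letting patrons reach the LAN,
# placed ahead of the deny rules where first-match ordering makes it win.
WEAK_POLICY: List[Rule] = [Rule("GUEST", "LAN", None, "allow")] + POLICY


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything unknown is the Internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "WAN"


def evaluate(src_ip: str, dst_ip: str, dst_port: int, policy: List[Rule] = POLICY) -> str:
    """Return 'allow' or 'deny' for a flow using first-match semantics."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for rule in policy:
        if rule.src_zone == src and rule.dst_zone == dst and rule.dst_port in (None, dst_port):
            return rule.action
    return "deny"  # default deny: nothing reaches a zone unless explicitly allowed


def guest_is_isolated(policy: List[Rule] = POLICY,
                      internal_zones=("POS", "LAN"),
                      probe_ports=(22, 80, 443, 445, 1433, 3389, 5900)) -> bool:
    """Configuration check: no GUEST-sourced flow may reach any internal zone on
    any probed port. Worth re-running after every policy change."""
    guest_host = str(next(ZONES["GUEST"].hosts()))
    for zone in internal_zones:
        target = str(next(ZONES[zone].hosts()))
        for port in probe_ports:
            if evaluate(guest_host, target, port, policy) == "allow":
                return False
    return True


if __name__ == "__main__":
    print(evaluate("192.168.50.23", "203.0.113.10", 443))  # guest -> Internet
    print(evaluate("192.168.50.23", "10.10.0.5", 22))      # guest -> POS
    print(evaluate("10.10.0.5", "203.0.113.10", 443))      # POS -> processor
    print("hardened policy isolates guests:", guest_is_isolated(POLICY))
    print("weak policy isolates guests:", guest_is_isolated(WEAK_POLICY))
```

The point of `guest_is_isolated` is that segmentation is only as good as rule ordering: the same deny rules exist in both policies, but in the weak one a broader allow precedes them and wins. Probing a representative host in each internal zone on a handful of service ports is a cheap regression check to keep beside any zone-policy change.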
  • Transcript

    • 1. How to Sell PCI Compliance (graphic: PCI Road Ahead, With vs. Without, speed limit 80 vs. 45)
    • 2. How to Sell Compliance
    • 3. Agenda
      • Primer on PCI
      • Anatomy of PCI Transaction
      • PCI Mapping to SonicWALL
      • Example of PCI Deployments
      • Strategies & Tactics
      • The Pitch
      • Q&A
    • 4. PCI-DSS Payment Card Industry Data Security Standards
      • PCI Standards Council
        • JCB and Visa International
        • American Express
        • Discover Financial Services
        • MasterCard Worldwide
      • The protection of cardholder data anywhere it resides within, or is transmitted by, a merchant’s system.
      • Enforced by credit card companies, not governments - yet
      • Non-compliance can result in fines, restrictions of credit card services and loss of consumer confidence
    • 5. PCI SSC Responsibilities
    • 6. PCI Industry Standards CONFIDENTIAL All Rights Reserved
    • 7. Roles of the Payment Brands (by function: Visa / M/C / Amex / Discover / JCB)
      • Data security program: Visa CISP; M/C SDP; Amex DSOP; Discover DISC; JCB DSP
      • Service provider: Visa VNP; M/C TPP / DSE; Amex TPP; Discover TPP / PSP; JCB TPP
      • Other functions compared per brand: Authorization services; Clearing services; Settlement services; Establish operating rules & regulations; Issue cards through 3rd parties; Acquire transactions through 3rd parties; Issue cards directly; Acquire transactions directly
    • 8. Comparison of US / RoW / WW Compliance Status Validation Update* * Source: http://usa.visa.com/download/merchants/cisp_pcidss_compliancestats.pdf
      • Figures are estimates based upon US PCI DSS Compliance Status report as of September 30, 2009 with US serving as 35% of WW market.
      • Excludes new Level 1 and 2 merchants identified in 2008, due to validate by September 30, 2009 and December 31, 2009, respectively
      • Level 4 compliance is moderate among stand-alone terminal merchants, but lower among merchants using integrated payment applications
      Majority PCI Category (Transactions/year), Estimated Population Size US / RoW / WW:
      • Level 1 Merchant** (>6M): 352 / 1,006 / 1,358
      • Level 2 Merchant** (1-6M): 895 / 2,557 / 3,452
      • Level 3 Merchant (e-commerce only, 20,000 – 1M): 2,482 / 7,091 / 9,573
      • Level 4 Merchant (<1M): ~5.0M / ~14.3M / ~19.3M
    • 9. Past and Upcoming PCI DSS Deadlines
      • January 1, 2008
        • New merchants or merchants changing acquiring banks, could not use applications known to be vulnerable
      • July 1, 2008
        • Processors could not allow new applications to connect to their network that are not PA DSS-validated
      • October 1, 2008
        • (L3/L4) New merchants or merchants changing acquiring banks had to be PCI DSS compliant or use PA DSS-validated applications.
        • PCI DSS Version 1.2 was made available
      • September 30, 2009
        • Acquirers must attest that Level 1 and 2 merchants do not retain prohibited payment card data subsequent to authorization of a transaction
      • October 1, 2009
        • Processors must block all vulnerable applications from connecting to their network.
      • July 1, 2010
        • All merchants must use only PA DSS-validated applications. All other applications will no longer work on Visa payment network.
      • September 30, 2010
        • PCI DSS compliance validation deadline for Level 1 merchants
      • October 28, 2010
        • PCI DSS 2.0 released
      • June 30, 2011
        • MasterCard requirement for Level 2s to be assessed by QSA or self-assess with PCI ISA
    • 10. Non-Compliance Risks: Fines, Fees, Costs, Loss
      A non-compliant, compromised business could expect the following:
      • Damage to brand/reputation
      • Investigation costs
      • Increased auditing requirements
      • Remediation costs
      • Fines & fees
        • Non-compliance (each brand issues separate fines) up to $500,000 per incident
        • Card re-issuance ($20 - $30/card)
        • Fraud loss
      • Victim notification costs
      • Cost of breach at $300/compromised card *
      • Financial loss
      • Data loss
      • Charge-backs for fraudulent transactions
      • Operations disruption
      • Sensitive info disclosure
      • Denial of service to customers
      • Individual executives held liable
      • Possibility of business closure
      • Printing charges for mail notifications
      • Decreased sales due to failed public image
      * 2008 Gartner estimate for data breach remediation for compromised cards
    • 11. Anatomy of PCI Transactions
    • 12. Payment Transaction Flow
    • 13. Example of Payment Industry Ecosystem Merchants Issuer (Consumer Bank) Payment Brand Network Credit Cards Cardholder Acquirer (Merchant Bank)
    • 14. Card Processing - Authorization (parties: Cardholder (CH), Merchant, Acquirer / Merchant Bank (MB), Payment Brand Network (PBN), Issuer / Consumer Bank (CB))
      • 1. CH swipes card at Merchant
      • 2. Merchant connects to MB
      • 3. MB asks processor to determine CH’s bank
      • 4. PBN determines CB & requests approval
      • 5. CB approves purchase
      • 6. PBN sends approval to MB
      • 7. MB sends approval to Merchant
      • 8. Merchant gives receipt to CH
    • 15. Card Processing - Clearing (parties: Merchant, Acquirer / Merchant Bank (MB), Payment Brand Network (PBN), Issuer / Consumer Bank (CB))
      • 1. MB sends purchase info to PBN
      • 2. PBN sends purchase info to CB
      • 3. CB provides reconciliation to PBN
      • 4. PBN sends reconciliation to MB
    • 16. Card Processing - Settlement (parties: Cardholder (CH), Merchant, Acquirer / Merchant Bank (MB), Processor, Issuer / Consumer Bank (CB))
      • 1. CB sends payment to processor
      • 2. Processor's settlement bank sends payment to MB
      • 3. MB pays merchant for CH purchase
      • 4. CB bills CH
    • 17. PCI Mapping to SonicWALL
    • 18. Where Does SonicWALL Play?
    • 19. PCI Mapping By Security Product Line (table: PCI DSS Requirements 1 through 12 mapped against the TZ, NSA, E-Class, SSL-VPN, EMS and GMS product lines)
    • 20. SonicWALL PCI Solution Set
      • Secure Networking
        • AV, IDS/IPS
        • Anti-spyware (N/A - PCI)
        • Wireless Networking
        • Remote Access (SSL & IPSec)
      • Secure Content Management
        • Endpoint (AV)
        • Email Security
        • Content Security (N/A - PCI)
      • Business Continuity
        • Onsite Backup & Recovery
        • Offsite Storage & Recovery
      • Policy and Management
        • Centralized Management
        • Strong Access Control
        • Comprehensive Audit Trails
        • Dynamic Vulnerability Management
      (diagram: Comprehensive PCI DSS Solutions for Small, Medium & Distributed Networks, showing SonicWALL GMS, Devices / Servers, Switches, SonicWALL Firewalls, Remote Clients, Clients, Data Storage, E-mail/IM/P2P Clients, Integrated Business Solutions, POS Solutions)
    • 21. Example of a SonicWALL PCI Deployment
    • 22. Addressing Retail Concerns … And Protecting Systems
      We classify retail into three groups:
      • Single storefront network: Requires direct connections (via the Internet) to related business services providers such as credit card processing and warehouses
      • Centralized multi-storefront network: All ordering/replenishment and tendering of receipts processed through a central location. The network connections may be a mix of leased line WAN and Internet and may be used by a combination of employees, contractors, and outside vendors
      • De-centralized multi-storefront network: Ordering/replenishment and tendering of receipts is managed from multiple locations. A central headquarters maintains visibility into all enterprise activity. The network connections may be a mix of leased line WAN and Internet and may be used by a combination of employees, contractors, and outside vendors
    • 23–30. Typical SonicWALL Quick Service POS Solution (built up one step per slide)
      • 1. Stop network attacks with firewall protection (Req 1)
      • 2. Protect systems with enforced anti-virus protection (Req 5)
      • 3. Secure wireless networking with enhanced security with optional SonicPoints (Req 11)
      • 4. Also deploy hot spot Internet access for patrons
      • 5. Create secure, reliable VPN connections over broadband (Req 4)
      • 6. Control Internet use with content filtering (Req 8)
      • 7. Monitor systems and keep protection up-to-date (Req 2, 5, 6, 10, 11)
    • 31. PCI Pitch
    • 32. Steps to Prepare for Compliance (* Report of Compliance (ROC).)
    • 33. Problem - Pain Point - Product
      • Problem Question: How concerned are you about Rogue Access Points (RAP)? Pain Point: Finding RAPs connected to the network (Req. 11). SonicWALL Product/Feature: SonicOS, SonicPoints and GMS. SonicWALL Benefit: Single appliance option for RAP detection.
      • Problem Question: Would you like to throttle unauthorized merchant activity and increase store site productivity? Pain Point: Non-business traffic is killing the pipe while legitimate business traffic suffers (Req 2). SonicWALL Product/Feature: Application intelligence control. SonicWALL Benefit: Policy-based block/restrict throttles CHD traffic with bandwidth management.
      • Problem Question: How difficult do you find it to maintain consistent policy control across your protected CHD environment? Pain Point: Maintaining unified policies, controlling access and avoiding orphaned policies and security gaps. SonicWALL Product/Feature: GMS – Policy management. SonicWALL Benefit: Easily create security policies and enforce them at the global, group or unit level.
      • Problem Question: How are you mitigating your exposure to web-facing vulnerabilities? Pain Point: Protect against XSS, CSRF, SQL injection, etc. (Req. 6.6). SonicWALL Product/Feature: WAF. SonicWALL Benefit: Integrated WAF protection with DPI.
      • Problem Question: How do you limit scope and protect CHD in transit? Pain Point: Network segmentation. SonicWALL Product/Feature: SonicOS (PortShield, Zones). SonicWALL Benefit: Integrated segmentation of CHD.
    • 34. How We Help with PCI Compliance?
    • 35. Marketing Material
      • PCI FAQ & Self-Assessment
      • Business & Technology Focuses
        • PCI compliance timelines
        • Who has to be PCI compliant
        • What happens in a failed audit
      • SonicWALL SAQ
      • PCI SAQ (A, B, C, D)
      • PCI Whitepapers
      • PCI Presentation
      • SonicWALL PCI Implementation Guides
        • Addresses the most common installation and configuration settings on products
        • Configurations backed & approved by an independent PCI QSA
          • GMS
          • SonicOS Standard
          • SonicOS Enhanced
    • 36. SonicWALL Reference Customers
    • 37. PCI & Security Resource Center
      • Analyst Coverage
      • Video Testimonials
      • Datasheets
      • Customer Case Studies
      • White Papers
      • Solutions Briefs
      • Podcasts
      • Product Demos & Downloads
      Visit www.SonicWALL.com
    • 38. Take the Fast Lane to PCI Compliance
      • SonicWALL PCI Solutions allow you to Accelerate Compliance Initiatives …
      • Guess which path most Resellers/End-Users choose…
      • With SonicWALL: Deliver solid security solutions that streamline compliance configurations, allow for scalability and are approved by a PCI QSA
      • Without SonicWALL: Design and build piecemeal security solution…
      (graphic: PCI Road Ahead, With vs. Without, speed limit 80 vs. 45)
    • 39. Q&A
    • 40. Thank you. Email questions to PCI@SonicWALL.com