The Easy Way to Accept & Protect Credit Card Data



The recorded version of this webinar is available at: ...
"The Easy Way to Accept & Protect Credit Card Data" is a free, educational webinar. The moderator is Kerry Murdock, editor and publisher of Practical eCommerce. The presenters are Tyler Hannan, platform evangelist for IP Commerce, a leading cloud-computing payment platform, and David Herrald, an information security consultant with Global Technology Resources, Inc., an international security and technology firm.

e-Similate, a leading provider of payment integration tools, is the sponsor of the webinar.

  • Welcome; responsibilities of protecting payment data; consequences and examples of not protecting data; tools and options to help protect data and shift responsibility.
  • Tyler Hannan is an experienced technologist and the platform evangelist for IP Commerce, a leading cloud-computing payment platform. Tyler facilitates collaboration and coordination with companies in the payment processing and technology market to drive innovation and deliver understanding of IP Commerce. His blog, Reflections on Emergent Commerce and Technology, helps industry leaders break down technology silos and deliver on-demand commerce services.
  • David Herrald is an information security consultant with 17 years of information technology experience in the financial services, software, and payments industries. He has built information-security and PCI DSS compliance programs from the ground up, and he has advised many software companies and merchants on information security and PCI DSS compliance topics. He is now consulting architect for information security with Global Technology Resources, Inc., an international security and technology firm.

The Easy Way to Accept & Protect Credit Card Data Presentation Transcript

  • The Easy Way to Accept and Protect Payment Account Data
    Commerce Security Fundamentals
    July 12, 2011
  • Who You Are Interacting with Today
    Kerry Murdock
    Editor and Publisher
    Practical eCommerce
  • Who You Are Interacting with Today
    Tyler Hannan
    Platform Evangelist
    IP Commerce
  • Who You Are Interacting with Today
    David Herrald
    Consulting Architect – Information Security
    Global Technology Resources, Inc.
  • Sponsored by
  • Agenda
    • Consequences of a Data Breach
    • What Is PCI Compliance?
    • Status of the Payment Card Industry Data Security Standard
    • PCI responsibilities of the merchant and developer
    • Tools to Assist with Security and Compliance
    • Tokenization
    • Hosted payment solutions
  • Consequences of a Data Breach
  • What Data Compromise Looks Like
  • TJX: Anatomy of a Data Breach
    TJX Data Breach, Announced January 2007
    • TJX owns retail companies: T.J. Maxx, Marshalls, Bob’s Stores
    • Data breach called the “biggest ever”
    • Initial estimates put the number of breached accounts at a few million
    • By December 2007, it was confirmed that at least 94 million customers had had their information stolen
    What did it cost?
    • Credibility
    • $4.5 billion (estimated)
  • Sony: Anatomy of a Data Breach
    Sony Data Breach, 2011
    • Sony PlayStation Network is targeted by malicious hacker groups
    • Proved to be an easy target
    • SQL injection vulnerabilities
    • Unencrypted or poorly encrypted stored passwords
    • 77 million records compromised
    • Ongoing attacks against other Sony business units - Sony Pictures (1 million user accounts hacked)
    What did it cost?
    • Credibility
    • Estimates range from $1.5 billion to $4.6 billion
  • Data Breach Statistics
    • 85% of attacks were not considered highly difficult
    • 86% of victims had evidence of the attack in their log files
    • 61% of breaches were discovered by a third party
    • 96% of breaches were avoidable through simple or intermediate controls
    • 79% of victims subject to PCI had not achieved compliance
    • 30% of victims met PCI requirement 3 (Protect Stored Card Data)
    Source: Verizon 2010 Data Breach Investigations Report
  • Consequences for the Merchant
    Source: “Calculating the Cost of a Security Breach,” Forrester Research.
  • Consequences for the Merchant
    Source: “Calculating the Cost of a Security Breach,” Forrester Research.
  • Focus on Small Merchants
    If I am a small merchant, does this really matter?
    Why is there a focus on the smallest of merchants?
    • 5% of all exposed accounts
    • 80% of software breaches
    • 99% of Visa’s merchant base
    • 64% feel invulnerable to attack*
    • 1 million est. small business victims*
    • 60% of small businesses do not understand the fines they are subject to*
    *National Retail Federation (NRF) and First Data Corporation 2010 survey of US small businesses
  • What Is PCI Compliance?
  • PCI Security Standards Council
    “The PCI Security Standards Council is an open global forum, launched in 2006, that is responsible for the development, management, education, and awareness of the PCI Security Standards…
    “All five payment brands share equally in the Council’s governance, have equal input into the PCI Security Standards Council and share responsibility for carrying out the work of the organization.”
  • What Does PCI-DSS Consist Of?
    Build and Maintain a Secure Network
    1. Install and maintain a firewall to protect cardholder data.
    2. Do not use vendor-supplied defaults for system passwords and other security parameters.
    Protect Cardholder Data
    3. Protect stored cardholder data.
    4. Encrypt transmission of cardholder data across open, public networks.
    Maintain a Vulnerability Management Program
    5. Use and regularly update anti-virus software or programs.
    6. Develop and maintain secure systems and applications.
    Implement Strong Access Control Measures
    7. Restrict access to cardholder data by business need to know.
    8. Assign a unique ID to each person with computer access.
    9. Restrict physical access to cardholder data.
    Regularly Monitor and Test Networks
    10. Track and monitor all access to network resources and cardholder data.
    11. Regularly test security systems and processes.
    Maintain an Information Security Policy
    12. Maintain a policy that addresses information security for all personnel.
  • “Is there anyone who can save me from all this?”
  • Tools to Assist with Security and Compliance
  • Prioritized Approach
    Where Should a Merchant Start?
    • The PCI DSS contains over 200 individual requirements.
    • The PCI Council has released the Prioritized Approach to Pursue PCI DSS Compliance.
    • Milestone 1: Remove cardholder data and sensitive authentication data.
    • Helps integrate the concept of risk management with PCI DSS compliance.
    • Remember: there are a total of 6 milestones in the Prioritized Approach, and every requirement in the PCI DSS must be met to be compliant.
  • Tokenization
    Eliminate the Complexity of Secure Data Storage
    • Protect sensitive customer payment account data by encrypting it and assigning it a unique token.
    • The token can be used for future transactions, such as recurring payments.
    • The data is stored in a PCI-compliant data center, removing that element of risk from the merchant.
    How It Works
    1. Payment account data is sent from the merchant’s website or POS system to the Platform for tokenizing.
    2. A copy of the payment account data is assigned a token and stored securely.
    3. The Platform securely passes the payment account data to the desired payment service provider.
    4. A token is returned in the transaction response; it can be stored instead of the payment account data and used for subsequent transactions.
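The four-step tokenization flow above, as an added Python example that is not part of the webinar or of IP Commerce's platform: the merchant hands the card number to a vault once, keeps only the returned token and the last four digits, and makes later (recurring) charges by token. The `TokenVault` and `MerchantCheckout` classes, the merchant ids and the test card number are constructed for illustration; a real vault encrypts the stored PAN at rest and forwards it to the payment service provider.

```python
"""Tokenization flow: merchant tokenizes a PAN once and replays the token.
Added example; the vault, merchant ids and card number are constructed."""
import secrets


def luhn_valid(pan: str) -> bool:
    """Reject malformed card numbers before they ever reach the vault."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Stand-in for the platform's PCI-scoped vault (constructed for this example).
    A production vault encrypts the PAN at rest (PCI DSS requirement 3); here the
    mapping lives in memory so the flow runs offline."""

    def __init__(self):
        self._store = {}   # token -> {"merchant_id": ..., "pan": ...}

    def tokenize(self, merchant_id: str, pan: str) -> dict:
        if not luhn_valid(pan):
            raise ValueError("invalid card number")
        # Random token: no mathematical relation to the PAN, so a copy of the
        # merchant's database yields nothing usable.
        token = "tok_" + secrets.token_urlsafe(18)
        self._store[token] = {"merchant_id": merchant_id, "pan": pan}
        # Only the token and a display hint go back to the merchant.
        return {"token": token, "last4": pan[-4:]}

    def charge(self, merchant_id: str, token: str, amount_cents: int) -> dict:
        entry = self._store.get(token)
        # Tokens are bound to the merchant that created them; another merchant
        # presenting the same token is refused.
        if entry is None or entry["merchant_id"] != merchant_id:
            raise PermissionError("token unknown or not issued to this merchant")
        # This is where the vault would forward entry["pan"] to the payment
        # service provider; the PAN is never returned to the merchant.
        return {"status": "approved", "amount_cents": amount_cents,
                "last4": entry["pan"][-4:]}


class MerchantCheckout:
    """Merchant side: customer records hold a token and last4, never a PAN."""

    def __init__(self, merchant_id: str, vault: TokenVault):
        self.merchant_id = merchant_id
        self.vault = vault
        self.customers = {}   # customer_id -> {"token": ..., "last4": ...}

    def save_card(self, customer_id: str, pan: str) -> dict:
        record = self.vault.tokenize(self.merchant_id, pan)
        self.customers[customer_id] = record   # token + last4 only
        return record

    def recurring_charge(self, customer_id: str, amount_cents: int) -> dict:
        token = self.customers[customer_id]["token"]
        return self.vault.charge(self.merchant_id, token, amount_cents)


if __name__ == "__main__":
    vault = TokenVault()
    shop = MerchantCheckout("merchant-001", vault)
    shop.save_card("cust-42", "4111111111111111")   # constructed test number
    print(shop.customers["cust-42"])                # token + last4, no PAN
    print(shop.recurring_charge("cust-42", 1999))
```

The point to check in any real integration is the one the `MerchantCheckout` record makes visible: after `save_card` returns, nothing under the merchant's control contains the card number, so the merchant's storage falls out of PCI scope for requirement 3 while recurring billing still works.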
  • Value-Added Services
    What Is a Value-Added Service?
    • Services that are injected into the payment transaction
    • Services that do not “remove” compliance obligations but “address” risk
    • Capabilities that can be added “point-in-time” when appropriate for the merchant customer, without additional integration work
    Examples of Value-Added Services
    • Risk Management
      • Each transaction is inspected
      • Each transaction returns an approve/decline based on risk thresholds
    • Chargeback Management
      • Transaction information is provided, securely, to a chargeback specialist
      • People, product, and process manage chargeback behavior on the merchant’s behalf
  • Commerce Hosted Payment Page
    PCI-Compliant Payment Page
    • PCI compliance obligation is reduced to completion of a Self-Assessment Questionnaire (SAQ A)
    Fully Customizable
    • No harsh transitions from the retailer site to another checkout page
    • Fewer abandoned shopping carts
    Simple Integration
    • One method call to initiate (HTTP POST)
    • Callback to a hidden URL upon payment completion
    • Easy to implement CSS to support the merchant’s look and feel
    • Adding payments is a matter of hours from conception to “go live”
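The "one HTTP POST to initiate, callback on completion" integration above, as an added Python example that is not part of the webinar or of the IP Commerce product. It shows the two messages a merchant exchanges with a hosted payment page and the checks the merchant should run on the completion callback before marking an order paid: a valid signature over the posted fields, an amount and currency that match the merchant's own record of the order, an approved status, and a transaction id that has not been credited before. The field names, the shared secret and the canonical string layout are assumptions; `platform_callback` stands in for what the real platform would post.

```python
"""Hosted payment page: signed initiation post and verified completion callback.
Added example; field names, secret and canonicalization are assumptions."""
import hmac
import hashlib

# Constructed value; in practice the platform issues this secret out of band.
SHARED_SECRET = b"example-shared-secret-not-for-production"


def canonical(fields: dict) -> bytes:
    """Deterministic byte string over all fields except the signature itself."""
    return "&".join(f"{k}={fields[k]}" for k in sorted(fields)
                    if k != "signature").encode()


def sign(fields: dict, secret: bytes = SHARED_SECRET) -> str:
    return hmac.new(secret, canonical(fields), hashlib.sha256).hexdigest()


def build_initiation_post(order_id: str, amount_cents: int, currency: str,
                          return_url: str) -> dict:
    """The single HTTP POST that hands the customer off to the hosted page."""
    fields = {
        "order_id": order_id,
        "amount_cents": str(amount_cents),
        "currency": currency,
        "return_url": return_url,
    }
    fields["signature"] = sign(fields)
    return fields


def verify_callback(posted: dict, pending_orders: dict, processed_txns: set) -> tuple:
    """Decide whether a payment-complete callback may mark an order as paid.

    pending_orders: order_id -> {"amount_cents": int, "currency": str}
    processed_txns: transaction ids already credited (replay guard)
    Returns (ok, reason)."""
    sig = posted.get("signature")
    if not sig:
        return False, "missing signature"
    # Constant-time compare: a "hidden" callback URL is still reachable by
    # anyone who learns it, so the signature is the real gate.
    if not hmac.compare_digest(sign(posted), sig):
        return False, "bad signature"
    order = pending_orders.get(posted.get("order_id"))
    if order is None:
        return False, "unknown order"
    # Cross-check against what the merchant expected, not what the callback says.
    if (str(order["amount_cents"]) != posted.get("amount_cents")
            or order["currency"] != posted.get("currency")):
        return False, "amount or currency mismatch"
    if posted.get("status") != "approved":
        return False, "not approved"
    txn = posted.get("txn_id")
    if not txn or txn in processed_txns:
        return False, "missing or replayed txn_id"
    processed_txns.add(txn)
    return True, "ok"


def platform_callback(order_id: str, amount_cents: int, currency: str,
                      status: str, txn_id: str) -> dict:
    """What the platform would post back (constructed stand-in for the real side)."""
    fields = {"order_id": order_id, "amount_cents": str(amount_cents),
              "currency": currency, "status": status, "txn_id": txn_id}
    fields["signature"] = sign(fields)
    return fields


if __name__ == "__main__":
    pending = {"order-1001": {"amount_cents": 4999, "currency": "USD"}}
    seen = set()
    print(build_initiation_post("order-1001", 4999, "USD", "https://shop.example/return"))
    cb = platform_callback("order-1001", 4999, "USD", "approved", "txn-abc")
    print(verify_callback(cb, pending, seen))   # (True, 'ok')
    cb["amount_cents"] = "1"                     # altered after signing
    print(verify_callback(cb, pending, seen))   # (False, 'bad signature')
```

The amount cross-check matters even with a good signature: a callback the platform legitimately signed for a smaller amount (a customer who edited the initiation form before submitting it) must not settle the full order, which is why `verify_callback` compares against `pending_orders` rather than trusting the callback's own fields.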
  • Choose Your Product
  • Populate Your Cart
  • Check Out Securely
  • Return to Website
  • Q&A
    Tyler Hannan
    Platform Evangelist, IP Commerce
    David Herrald
    Consulting Architect - Information Security,
    Global Technology Resources Inc.