PCI Data Security Standards information for Merchants, by Evolution Security Systems

Agenda
• Company Background
• Background of PCI
• 12 Key Requirements of PCI
• What if I am not compliant?
• What should I do?
• Summary
• Questions and Answers

Company Background
Founded in 1999 in the UK, Evolution is a specialised network and Internet system security firm. The group's headquarters is in London, with offices in 7 locations worldwide. Hong Kong is the regional headquarters for APAC. Evolution provides a full range of System Security and Network Management solutions, covering both products and services.

Evolution enhances your security posture by applying Preventive-Detective-Corrective optimisation of assets and appropriate controls. As your trusted partner, Evolution's consultants have expertise with the industry-leading security solutions and services below.

Product and Service Coverage
• Information Security Policy
• Incident Management (eSecure)
• Security Management
• Compliance (PCI, ISO27001)
• Vulnerability and Risk Assessment
• Web / Application Penetration Testing
• GAP Analysis
• Independent Assessment
• Incident Response Services
• Security Managed Services
• Professional Services and Consulting
• Firewall/Virtual Private Network (VPN)
• Access Control (Network & End-Point)
• Data Loss Prevention
• Intrusion Prevention Solution
• Encryption
• Authentication
• Antivirus & AntiSpam
• Content Filtering
• Application Security
Valued Vendor Partners
Our Clients
Background of PCI
In 2006, 40 million credit card records were compromised through breaches at third-party payment processors.

PCI DSS is a joint effort by Visa, MasterCard, American Express, Discover and JCB. PCI applies to all merchants and service providers that process, transmit, or store credit card information. The standard is enforced by the card companies and acquirer banks.

When Should I Act?
“All Deadlines had Passed”
Bob Russo, Director, PCI Security Standards Council

The Pressure is Here…
Recently Visa has issued letters to service providers demanding that they be compliant and certified as early as June 2008. This is the long-awaited final call to the industry. There is no more excuse of “I don’t know” or “PCI has nothing to do with my organization”.
12 Key Requirements of PCI
12 Key Requirements for All Organizations

Protect Cardholder Data
1. Protect stored data (in both hardcopy and electronic copy)
2. Encrypt transmissions of cardholder data (electronic copy)

Implement Strong Access Control Measures
3. Restrict access by need-to-know
4. Assign unique IDs to all users
5. Restrict physical access to cardholder data (hardcopy)

Regularly Monitor and Test Networks
6. Track and monitor access to cardholder data
7. Regularly test security systems and processes

Maintain an Information Security Policy
8. Maintain an information security policy

Build and Maintain a Secure Network
9. Install and maintain a firewall
10. Do not use vendor default passwords

Maintain a Vulnerability Management Program
11. Use and update antivirus software
12. Develop and maintain secure systems and applications

Guidelines for Credit Card Data Storage

Data Element                                      Storage Permitted   Protection Required   PCI DSS Req. 3.4
Cardholder Data (in both hardcopy and electronic copy)
  Primary Account Number (PAN)                    Yes                 Yes                   Yes
  Cardholder Name                                 Yes                 Yes                   No
  Service Code                                    Yes                 Yes                   No
  Expiration Date                                 Yes                 Yes                   No
Sensitive Authentication Data
  Full Magnetic Stripe                            No                  N/A                   N/A
  CVC2 / CVV2 / CID                               No                  N/A                   N/A
  PIN / PIN Block                                 No                  N/A                   N/A
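As an added example (not from the slide deck or from Evolution's own tooling), the Python below applies the storage table to a constructed authorization record: it drops every Sensitive Authentication Data element, keeps the permitted cardholder elements, and renders the PAN unreadable before persistence. Truncation plus a keyed one-way hash are assumed as the Req. 3.4 treatment, since the slide only cites the requirement number; the field names, the HMAC key and the sample record are placeholders.

```python
import hashlib
import hmac

# From the storage-guidelines table: Sensitive Authentication Data may never be stored.
SENSITIVE_AUTH_DATA = {"full_magnetic_stripe", "cvv2", "cvc2", "cid", "pin", "pin_block"}
# Placeholder key for the index token; keep the real one in a key store, not beside the data.
EXAMPLE_HMAC_KEY = b"replace-with-key-from-key-management"

def luhn_valid(pan: str) -> bool:
    """Accept only a well-formed PAN (13-19 digits with a valid Luhn check digit)."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def render_pan_unreadable(pan: str, key: bytes) -> dict:
    """Req. 3.4 treatment: keep a truncated PAN plus a keyed one-way hash as an index
    token (truncation and hashing are assumed methods; the slide only cites Req. 3.4)."""
    digits = "".join(c for c in pan if c.isdigit())
    token = hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()
    return {"pan_last4": digits[-4:], "pan_token": token}

def prepare_for_storage(record: dict, key: bytes = EXAMPLE_HMAC_KEY) -> dict:
    """Reduce an authorization record to what the table permits to be persisted."""
    stored = {}
    for name, value in record.items():
        if name in SENSITIVE_AUTH_DATA:
            continue  # never persisted after authorization, even encrypted
        if name == "pan":
            if not luhn_valid(value):
                raise ValueError("malformed PAN")
            stored.update(render_pan_unreadable(value, key))
        else:
            stored[name] = value  # name, expiry, service code, non-card fields
    return stored

# Constructed sample: a well-known test PAN, not a real card.
SAMPLE_AUTH_RECORD = {
    "pan": "4111 1111 1111 1111", "cardholder_name": "A N OTHER",
    "expiration_date": "12/29", "service_code": "201", "amount": "19.99",
    "cvv2": "123", "full_magnetic_stripe": "%B4111111111111111^OTHER/A N^2912201?",
}

if __name__ == "__main__":
    print(prepare_for_storage(SAMPLE_AUTH_RECORD))
```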
What if I am not compliant?
What if my business is not PCI compliant?
• In case of compromise, your business is at risk of potential financial liabilities (including the full cost of any fraud perpetrated on compromised card accounts)
• In addition, your business may have to bear investigative and legal costs, as well as charges to re-issue compromised credit cards
• Invasive media attention could cause significant damage to the image of your business
• In some cases, a single compromise can cause enough damage to close down a business
• PCI DSS protects cardholders and minimises the risk to your business

By being PCI Compliant
• A compromise is less likely to happen
• You obtain “Safe Harbor” status: credit card companies will not levy compromise fees if it is confirmed that the organisation was PCI compliant at the time of compromise
• You can easily identify any risks in the way you store or transmit customer data
• You have a clear path of action and remediation to address any data security risks
• You ensure that your service providers do not put your business at risk
• You demonstrate to your customers that you are serious about their data
• Most importantly, as a merchant, PCI compliance is compulsory
What should I do?
Merchant Levels

Level 1: Processing over 6,000,000 transactions annually, OR merchants that the card company determines should meet the Level 1 merchant requirements
• Annual onsite assessment by QSA
• Quarterly network scan by ASV
• Self-Assessment Questionnaire (optional)

Level 2: Processing 1,000,000 to 6,000,000 transactions annually
• Annual Self-Assessment Questionnaire
• Quarterly network scan by ASV
• Annual Onsite Review (optional)

Level 3: Processing 20,000 to 1,000,000 e-commerce transactions annually
• Annual Self-Assessment Questionnaire
• Quarterly network scan by ASV

Level 4: Others
• Annual Self-Assessment Questionnaire
• Quarterly network scan by ASV (if applicable)

6-Step PCI Compliance Process
1. Define which merchant level your business belongs to
2. Map out the data flows in your business
3. Conduct a Gap Analysis and scope the project
4. Plan and implement remediation
5. Obtain certification
6. Stay compliant

Evolution’s Full PCI Cycle
• Seeking assistance from QSA and Consultants
• Conducting Gap Analysis
• Prioritizing Remediation
• Implementing changes & safeguards
• Maintaining Compliance
Summary
Work…
• Scanning the in-scope network segments that handle credit card transactions
• On-site audit and interview sessions
• Review of all related agreements with third parties on credit card information handling
• Review of all related procedure documents and policies

Remember…
• All merchants must comply with PCI DSS, regardless of size. The only difference is the type of validation required
• All deadlines have passed. All parties that process credit card data must comply now
• A single compromise can cause significant damage to your company, or even put you out of business
• Evolution provides a full cycle of PCI QSA services, helping you understand, assess, remediate, obtain certification, and stay compliant
Questions and Answers For more information, visit http://pci.evolve-online.com
Contact Us: Global Headquarters and Other Locations

Global Headquarters
11 La Rue Grellier, Rue des Pres Trading Est, St. Saviour JE1 3UP, Jersey
Tel: +44 (0)1534 728827

UK Headquarters
42 Bloomsbury Street, London, United Kingdom WC1B 3QJ
Tel: +44 (0)870 112 5434

EMEA Solutions and sales office
Roseneath, The Grange, St. Peter Port GY1 2QJ, Guernsey
Tel: +44 (0)870 112 5434

UK Solutions and sales (North)
IC2, Keele University Science Park, Keele, Staffordshire, United Kingdom ST5 5NH
Tel: +44 (0)870 112 5434

UK Solutions and sales (Midlands)
Tochi House, Park Circle, Swan Valley, Northampton NN4 9BH, United Kingdom
Tel: +44 (0)870 112 5434

UK Solutions and sales (South)
Portsmouth Technopole, Kingston Crescent, Portsmouth, Hampshire, United Kingdom PO2 8FA
Tel: +44 (0)870 112 5434