Data breaches are hitting the news now more than ever before and the trend is getting nothing but worse. View our presentation to learn how deep a breach can go, common misconceptions and best practice solutions to keep your SAP-based business protected.

1. From Bad to Worse: How to Stay Protected from a Mega Data Breach
Presenter: Jennifer Rossi, Vice President , Channel Sales, Paymetric
October 3, 2014 ©2014. Paymetric. All Rights Reserved. 1

2. Webinar Agenda
 About Paymetric
 Data Breaches in the News
 Data Breach Impact and Cost
 The Myth of the “Silver Bullet”
 Prevailing PCI Solution Options
 Tokenization Technology
 Five Best Practices for an SAP-based Enterprise
October 3, 2014
2
©2014. Paymetric. All Rights Reserved.

3. About Paymetric
October 3, 2014
3
©2014. Paymetric. All Rights Reserved.

4. Award-Winning Company
Paymetric is Recognized for Electronic Payments Innovation
Paymetric is an award-winning company built on
shared purpose, an unremitting pursuit of excellence,
lasting collaboration, accountability and integrity. For
more than 15 years, we have been recognized for our
work and honored with awards for technical innovation
and thought leadership.
October 3, 2014
4
©2014. Paymetric. All Rights Reserved.

5. Data Breaches in the News
• More than 37 percent of data breach incidents involved a malicious or
criminal attack
• 35 percent of data breach incidents involved a negligent employee or
contractor (human factor)
• 29 percent of data breach incidents involved system glitches that
includes both IT and business process failures
October 3, 2014
5
©2014. Paymetric. All Rights Reserved.
*Distribution of the benchmark sample by root cause of the data breach
Human factor
Malicious or criminal attack
System glitches
Source: Ponemon Institute

6. Data Breach Impact and Cost
October 3, 2014
6
©2014. Paymetric. All Rights Reserved.
Source: Ponemon Institute 2013 Cost of Data Breach Study: Global Analysis
Overview
 Dollars spent per data record when
there is a data breach
 All industries are at risk, even
though Retail makes the news
the most
 Healthcare breaches are the most
expensive by far due to personal
identifiable data (PII) being exposed

7. The Impact to Your Organization
 Fines and Litigation
 Cost of investigation and audit
 Loss of business/customer trust
 Potential decline in share value
 Brand reputation
October 3, 2014
7
©2014. Paymetric. All Rights Reserved.

8. Getting Negative
Dominant industry rule of thumb:
1. There is no “silver bullet” single solution to prevent
a data breach
2. It is not “if”, but “when” you will be breached
So, now what?
October 3, 2014
8
©2014. Paymetric. All Rights Reserved.

9. So, Now What?
• Thieves cannot steal what is no longer there to
steal
– i.e. Render what is left in the system...worthless
• Even if they can see it and exfiltrate it, they
cannot use it outside of the merchant
• Understand the prevailing PCI solutions
– Tokenization
– P2PE
– EMV
October 3, 2014
9
©2014. Paymetric. All Rights Reserved.

10. Prevailing PCI Solution Options
PCI solutions and their primary application scenario
October 3, 2014
10
©2014. Paymetric. All Rights Reserved.
Ecommerce
(CNP)
Call Center
(CNP: MOTO)
Retail
(CP)
Tokenization ✔ ✔ ✔
P2PE ✔
EMV ✔
Most SAP-based
Enterprise Environments

11. What is Tokenization?
• A token is a substitute value: sensitive data is replaced with data that is of no value to
hackers or thieves
• Protected systems no longer store the RAW sensitive or encrypted data
• Unlike encryption – tokens can’t be reverse engineered to the original data
• Tokens are not mathematically created; they are random
• If system is compromised the real data can’t be taken, only tokens
October 3, 2014
11
©2014. Paymetric. All Rights Reserved.

12. Tokens for the Enterprise
 Multi-use token
 Same data  same token
 Data consistency for secure reporting, queries, customer service
 Usable parts of the original data retained in the token
 Token has business meaning so processes continue securely
 Token retains permitted parts of the original, e.g. last 4 digits of a
credit card
 Tokenize only what is needed
 Tokenize the sensitive data only
 Enterprise retains full control of separate data fields
 A neutral credit card token vault
 Token is NOT processor specific
October 3, 2014
12
©2014. Paymetric. All Rights Reserved.

13. Tokenize at the Edge; Then Share & Reuse
October 3, 2014
13
©2014. Paymetric. All Rights Reserved.
WEB
CRM ERP

14. Tokens Protect More Than Card Data
 PII is information that can be used uniquely or with other
sources to identify, contact or locate a single person. For
example:
 Social Security Number
 Bank Account
 Email
 Drivers License Number
 PII Tokenization
 Format Preserving Tokens
 Protect PII Affordably
 Achieve Safe Harbor from Data Breach Notifications Laws
 Employee, vendor and customer data
October 3, 2014
14
©2014. Paymetric. All Rights Reserved.

15. An Overview of Card Tokenization Technology
Encryption
Centralized/
Non-centralized
October 3, 2014
15
©2014. Paymetric. All Rights Reserved.

16. 5 Best Practices for an SAP-based Enterprise
Encryption
Centralized/
Non-centralized
October 3, 2014
16
©2014. Paymetric. All Rights Reserved.

17. #1: Understand Enterprise Decision Drivers
October 3, 2014
17
©2014. Paymetric. All Rights Reserved.
Project
Priority,
Budget &
Visibility
C-Level Visibility
PCI DSS Compliance
Internal Security &
Compliance Team
Risk Mitigation
Brand
Reputation/Customer
Perception
PII Protection

18. #2: Identify the Enterprise Risk Workflows
Identify workflows, entry points and use
cases where payment cards are being
used
October 3, 2014
18
©2014. Paymetric. All Rights Reserved.

19. #3: Protect Data in Transit and at Entry
October 3, 2014
19
©2014. Paymetric. All Rights Reserved.
Once you understand the
workflows – now understand
what data is in those workflows
• Is data at rest, at entry, and
in transit?
• Where is it entered?
• Where is it being
transmitted –
communicated?
• Where is it being stored?

20. #4: Avoid Technology Lock-In
• Focus on being processor agnostic
• Keep your options open
• Avoid processor lock in
• Separate processing requirements from security requirements
• This allows you to be covered for expansion and change – be able to
scale up for security and payments
October 3, 2014
20
©2014. Paymetric. All Rights Reserved.

21. #5: Understand Your C-Level Criteria
• Increased breach activity has brought new players into the payment
security space
• Payment security is critical to the enterprise
– Getting this wrong has serious impact
• What are your C-Level vendor selection criteria for this mission critical
solution?
– Vendor product suite functionality?
– Vendor and product scalability?
– Vendor technology investment?
– Vendor resource focus?
– Vendor experience and reputation?
– Vendor stability?
– Vendor cost?
October 3, 2014
21
©2014. Paymetric. All Rights Reserved.

22. Best Practice Summary
①Understand Enterprise Decision Drivers
②Identify the Enterprise Risk Workflows
③ Protect Data in Transit and at Entry (& Stored Data)
④ Avoid Technology Lock-In
⑤ Understand Your C-level Criteria
October 3, 2014
22
©2014. Paymetric. All Rights Reserved.

23. Questions? Contact our presenter:
October 3, 2014
23
©2014. Paymetric. All Rights Reserved.