PCI DSS Education & Compliance Seminar

Many card accepting businesses have felt the pain associated with a network penetration and data breach. It can happen to you! Learn how the bad guys are doing their dirty work and how you can protect your business!

David Frick, Phil Kluge and Jesse Snyder are Co-Founders of Transaction Resources, Inc. (TRI). TRI offers innovative payment processing solutions to merchants by combining the latest technologies with a passion for customer service and competitive rates. Transaction Resources, Inc., doing business as TRI, is a registered ISO/MSP of Wells Fargo Bank, N.A., Walnut Creek, CA.
What is PCI DSS?

Payment Card Industry Data Security Standard
Is There a Single Standard for the Payment Card Industry?

Yes. This program was established through a collaboration between Visa, MasterCard, American Express, JCB, Discover and Diners to create a single standard.
To Whom Does PCI DSS Apply?

"PCI DSS compliance is required of all merchants and service providers that store, process, or transmit Visa cardholder data. The program applies to all payment channels, including retail (brick-and-mortar), mail/telephone order, and e-commerce."

No matter the size of the business: all merchants.
How is Compliance Achieved?

Adherence to the requirements laid out under PCI DSS.
Identification and remediation of vulnerabilities through the compliance validation process.
Why Were the PCI Data Security Standards Established?

Cyber crime is growing in diversity and sophistication.
Integrated POS systems are increasingly targeted.
Frequently, magnetic stripe data is stolen from log files as opposed to traditional databases.
Sensitive data is often unknowingly stored, leading to risk.
Hackers are targeting centralized servers with Internet connectivity, not just e-commerce merchants.
What are the Account Data Compromise Impacts?

Counterfeit cards and fraud
Significant chargeback risk
Penalties, fines, losses
Negative media coverage
Damage to reputation
Re-issuance and monitoring of cards
Impacts to consumer confidence
Potential of new legislation
Fraud Loss Example

SCENARIO: Merchant A is storing track data in its server. Fraudster hacks into the system and steals cardholder track data. Fraudster creates counterfeit plastics from stolen cardholder data and these plastics are subsequently used at Merchants A, B, C, and D.

QUESTIONS: Is Merchant A liable for losses that result from use of the counterfeit cards at Merchant A?
Yes.
Fraud Loss Example

Is Merchant A liable for losses that result from use of the counterfeit cards at Merchant B, C, or D?
Yes. Merchant A may become liable for the fraud losses which occurred from the compromised cards at Merchants B, C, and D through the compliance case process.
Fraud Loss Example

EXAMPLE: 500,000 cards stolen. 10,000 cards used fraudulently at each of Merchants B, C, and D = 10,000 x 3 merchants = 30,000 cards.

COMPLIANCE CASE PROCESS: 30,000 cards x $500 average ticket = $15,000,000.
In addition, Merchant A will be responsible for fines and monitoring expenses.
Example of Monetary Loss to Businesses

Incident                              Entity              Outcome
6 Credit Cards compromised            Level 4 Merchant    $36,000
40 Million Credit Cards compromised   Service Provider    Put out of business
Laptop Stolen with card data          Level 4 Merchant    $110,000

More Level 4 Merchants are compromised than any other group!
Fraud Costs

Lost Goods & Services
Investigation Costs
Card Re-issuance
Fines
Merchant Classifications

Level 1: All channels, >6MM Visa or MC transactions per year
Level 2: All channels, 1MM to 6MM Visa or MC transactions per year
Level 3: 20,000 - 999,999 e-commerce Visa or MC transactions per year
Level 4: <20,000 Visa or MC e-commerce transactions per year, or <1MM non-e-commerce Visa or MC transactions per year
What is a Compromise?

Incidents involving an electronic or physical breach of cardholder information and/or card data.
Types of Breaches

Electronic Breach: Data vulnerability in transit and storage, application-level attacks via web servers or websites, private key mismanagement and unauthorized access to encryption keys, identity and access issues related to user ID/password based security, misconfigurations and other administrative network performance problems.

Physical Breach: Physical theft of documents or equipment (e.g., cardholder receipts, files, PCs, POS terminals, etc.).

Skimming: Capturing magnetic stripe data using an external device (e.g., a card reader or pad attached to an ATM or POS terminal) to create counterfeit cards.
Common Vulnerabilities

1) Inappropriate data storage (e.g. full track, CVV2, PIN blocks)
2) Insecure wireless
3) Vendor default settings and passwords (PC Anywhere is extremely vulnerable)
4) Lack of network segmentation (POS system on PC with external internet)
5) Unnecessary and vulnerable services on servers
6) Missing or outdated security patches
PCI DSS Basic Requirements

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Protect stored data
4. Encrypt transmission of cardholder data and sensitive information across public networks
PCI DSS Basic Requirements

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
PCI DSS Basic Requirements

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy
12. Maintain a policy that addresses information security that all employees are informed of and adhere to
What Does Each Merchant Need to Provide to Their Credit Card Processing Bank?

Complete and validate an annual PCI Self-Assessment Questionnaire.
Complete quarterly network scans to check your systems for vulnerabilities.
Do annual penetration testing to test that your systems are hacker-resistant.
Ensure that these security scans are performed by a qualified independent scan vendor.
Safe Harbor

Safe harbor provides members protection from fines and compliance exposure in the event a merchant or service provider experiences a compromise. To attain safe harbor status:

A member, merchant, or service provider must maintain full compliance at all times, including at the time of breach, as demonstrated during a forensic investigation.
A member must demonstrate that prior to the compromise their merchant had already met the compliance validation requirements, demonstrating full compliance.

It is important to note that the submission of compliance validation documentation, in and of itself, does not provide the member safe harbor status. The entity must have adhered to all the requirements at the time of the compromise.
Keeping your Business Compliant

DO NOT STORE TRACK, PIN OR CVV2 / CVC2 data.
Educate your employees on PCI DSS compliance and associated risks.
Ensure your third party POS vendors are PCI DSS compliant (anyone touching your data for any purpose).
Utilize a Qualified Data Security Assessment Firm.
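The "Common Vulnerabilities" slide (inappropriate storage of full track data, stripe data left in log files) and the "do not store track, PIN or CVV2/CVC2 data" rule above describe a condition a merchant can actually check for. The following script is an added example, not part of the seminar material or any TRI tool: it scans constructed sample POS log lines for Track 1 / Track 2 formatted data and bare card numbers, applies a Luhn check so order ids and timestamps are not reported, and prints only masked values so the finding report does not itself become stored cardholder data. The log lines, card numbers (public test numbers) and function names are all assumptions for the example.

```python
import re

# Track 1 (ISO 7813): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{4}[^?]{0,100}\?")
# Track 2 (ISO 7813): ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}[^?]{0,100}\?")
# Bare PAN: 13-19 digits, optionally separated by single spaces or dashes
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; filters out order ids, timestamps etc."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep first six and last four digits; never write the full PAN out."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line: str) -> list:
    """Return (kind, masked_pan) findings for one log line."""
    findings = []
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(line):
            if luhn_ok(m.group(1)):
                findings.append((kind, mask(m.group(1))))
    if findings:  # track data already covers the PAN on this line
        return findings
    for m in PAN_RE.finditer(line):
        pan = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(pan):
            findings.append(("pan", mask(pan)))
    return findings


def scan_log(lines) -> list:
    """Return (line_no, kind, masked_pan) for every hit across the log."""
    return [(n, kind, masked)
            for n, line in enumerate(lines, 1)
            for kind, masked in scan_line(line)]


# Constructed sample POS log; 4111... and 5555... are public test card numbers
LOG_SAMPLE = [
    "2009-03-02 10:14:01 POS01 auth ok amount=42.10 auth_code=123456",
    "2009-03-02 10:14:02 POS01 DEBUG raw=%B4111111111111111^DOE/JANE^1205101123400000?",
    "2009-03-02 10:15:09 POS02 DEBUG raw=;5555555555554444=12051011234000000?",
    "2009-03-02 10:16:33 POS02 settle pan=4111 1111 1111 1111 amount=19.99",
    "2009-03-02 10:17:00 POS03 order_id=1234567890123 status=approved",
]
```

Running `scan_log(LOG_SAMPLE)` flags lines 2 and 3 as stored track data and line 4 as a stored PAN, while the 13-digit order id on line 5 fails the Luhn check and is ignored; a hit on a production log is exactly the "unknowingly stored" data the seminar warns about and should be treated as a data-retention finding, not just a log hygiene issue.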
Websites for More Information

www.visa.com/cisp
sdp.mastercardintl.com (for compliance tips and PCI DSS requirements)
www.pcisecuritystandards.org
www.transactionresources.com/pci/
QUESTIONS?