This document discusses the consequences of data breaches for merchants, provides an overview of PCI compliance requirements, and describes tools that can help merchants protect payment data and simplify PCI compliance. It notes that data breaches are costly and common, even among small merchants, and that PCI focuses on them because they are vulnerable targets. It outlines PCI's 12 requirements and prioritized approach. It then describes tokenization, value-added services like risk management, and hosted payment pages as tools that can help merchants address PCI requirements more easily.

1. The Easy Way to Accept and Protect Payment Account Data Commerce Security Fundamentals July 12, 2011

2. Who You Are Interacting with Today Kerry Murdock Editor and Publisher Practical eCommerce

3. Who You Are Interacting with Today Tyler Hannan Platform Evangelist IP Commerce

4. Who You Are Interacting with Today David Herrald Consulting Architect – Information Security Global Technology Resources, Inc.

5. Sponsored by

7. What Is PCI Compliance?

8. Status of Payment Card Industry Data Security Standard

9. PCI responsibilities of the merchant and developer

10. Tools to Assist with Security and Compliance

11. Tokenization

13. What Data Compromise Looks Like

15. Data breach called the “biggest ever”

16. Initial estimates have the number of breached accounts at a few million

19. Proved to be an easy target

20. SQL injection vulnerabilities

21. Unencrypted or poorly encrypted stored passwords

22. 77 million records compromised

25. 86%of victims had evidence of attack in their log files however

26. 61% of breaches discovered by a third party

27. 96% of breaches were avoidable through simple or intermediate controls

28. 79% of victims subject to PCI had not achieved compliance

29. 30% of victims met PCI requirement 3 to Protect Stored Card DataSource: Verizon 2010 Data Breach Investigations Report

30. Consequences for the Merchant Source: “Calculating the Cost of a Security Breach,” Forrester Research.

31. Consequences for the Merchant Source: “Calculating the Cost of a Security Breach,” Forrester Research.

33. 80% of software breaches

34. 99% of Visa’s merchant base

35. 64% feel invulnerable to attack*

36. 1 million est. small business victims *

37. 60% of small businesses do not understand fines they are subject to* *National Retail Federation (NRF) and First Data Corporation 2010 survey of US Small Business

38. What Is PCI Compliance?

39. PCI Security Standards Council “The PCI Security Standards Council is an open global forum, launched in 2006, that is responsible for the development, management, education, and awareness of the PCI Security Standards… “All five payment brands share equally in the Council’s governance, have equal input into the PCI Security Standards Council and share responsibility for carrying out the work of the organization.” - https://www.pcisecuritystandards.org/organization_info/index.php

40. What Does PCI-DSS Consist Of? 1. Install and maintain a firewall to protect cardholder data. 2. Do not use vendor-supplied defaults for system passwords and other security parameters. Build and Maintain a Secure Network 1 3. Protect stored cardholder data. 4. Encrypt transmission of cardholder data across open, public networks. Protect Cardholder Data 2 Maintain a Vulnerability Management Program 3 5. Use and regularly update anti-virus software or programs. 6. Develop and maintain secure systems and applications. 7. Restrict access to cardholder data by business need to know. 8. Assign a unique ID to each person with computer access. 9. Restrict physical access to cardholder data. Implement Strong Access Control Measures 4 10. Track and monitor all access to network resources and cardholder data. 11. Regularly test security systems and processes. Regularly Monitor and Test Networks 5 12. Maintain a policy that addresses information security for all personnel. Maintain an Information Security Policy 6

41. “Is there anyone who can save me from all this?”

42. Tools to Assist with Security and Compliance

44. The PCI Councilhas released the Prioritized Approach to Pursue PCI DSS Compliance.

45. Milestone 1: Remove cardholder data and sensitive authentication data.

46. Helps integrate the concept of risk management with PCI DSS compliance.

48. Token can be leveraged for future use, such as recurring payments.

49. The data is stored in a PCI Compliant data center, removing that element of risk.How It Works Payment Account data is sent from the merchant’s website, POS system to the Platform for tokenizing. A copy of the payment account data is assigned a token and stored securely. The Platform securely passes payment account data to the desired payment service provider. A token is returned in the transaction response and can be stored, instead of the payment account data, and used for subsequent transactions.

51. Services that do not “remove” compliance but “address” risk

53. Each transaction is inspected

54. Each transaction returns a approve/decline based on risk thresholds

55. ChargeBack Management

56. Transaction information is provided, securely, to chargeback specialist

59. Callback to hidden URL upon payment completion

60. Easy to implement CSS to support merchant look/feel

62. Populate Your Cart

63. Check Out Securely

64. Return to Website

65. Q&A Tyler Hannan Platform Evangelist, IP Commerce thannan@ipcommerce.com @tylerhannan David Herrald Consulting Architect - Information Security, Global Technology Resources Inc. dherrald@gtri.com @daveherrald http://www.e-similate.com