EarthLink Business PCI Compliance Solution Services

Date posted: 03-Jan-2016
  • EarthLink Business PCI Compliance Solution Services

  • EarthLink Business: Secure Solutions for Merchants & Retailers

    SMB to Fortune 500 retail customers

    Tens of thousands of store locations

    Comprehensive network and IT services to support PCI compliance:

    Nationwide private MPLS

    Direct Connect

    Secure Point of Sale connectivity

    SSAE 16 compliant data centers; connect directly via MPLS

    Managed security services

    PCI Compliance Validation with Breach Protection

  • What is PCI Compliance?

    Definition: Payment Card Industry Data Security Standard (PCI-DSS)

    Set up by Visa, MasterCard, American Express, Discover, and JCB to reduce the risk of credit card theft and transfer liability to merchants

    Requires mandatory adoption by all businesses that store, process, transmit credit/debit card data

    6 Control Objectives

    12 Core Requirements

    250+ Audit Procedures

  • If you cannot answer yes to the three questions below, you are not PCI Compliant

    1. Have ALL employees completed a PCI Certified security awareness training program upon hire and annually thereafter?

    2. Have all employees read and signed a formal security policy?

    3. Can you demonstrate that you run quarterly ASV scans?

    97% of U.S. events occurred at small merchants, and 91% of those were brick and mortar merchants. (Visa, 2012)

  • Impact of a Breach on a Business

    A credit card breach can take months to remediate

    Must stop taking credit cards

    Pay for forensic audit

    Pay fines and credit card replacement costs

    Pay to implement remediation actions and for future on-site audits by a Qualified Security Assessor

    The average business loses $3,007,015 per breach incident due to customer churn, brand damage, etc. (Symantec and Ponemon Institute)

  • Vulnerabilities that Cyber Criminals Exploit

    No firewall to separate Point-of-Sale (POS) and Internet traffic

    Insecure Remote Access

    Lack of staff training needed to spot scams and protect information

    Weak security configurations

    Operating system flaws

    Flawed security policies

    Poor change control procedures

    Retailer Challenge: Dedicating the Time, Resources, and Expertise Required to Stop Cyber Crime

  • PCI Compliance Data Security Standards Requirements

    1. Build and Maintain a Secure Network: Install and maintain a firewall configuration to protect data. Do not use vendor-supplied defaults for system passwords or other security parameters.

    2. Protect cardholder data: Protect stored data. Encrypt transmission of cardholder data and sensitive information across public networks.

    3. Maintain a vulnerability management program: Use and regularly update antivirus software. Develop and maintain secure systems and applications.

    4. Implement strong access control measures: Restrict access to data by business need to know. Assign a unique ID to each person with computer access. Restrict physical access to cardholder data.

    5. Regularly monitor and test networks: Track and monitor all access to network resources and cardholder data. Regularly test security systems and processes.

    6. Maintain an information security policy: Maintain a policy that addresses information security.

  • Merchant Requirements: Based on Transaction Volume

    Columns: Level; Criteria; On-Site Security Audit; Self-Assessment Questionnaire; External Vulnerability Scan

    Level 1: Any merchant processing more than 6 million transactions per year. Required Annually; Required Quarterly.

    Level 2: Any merchant processing 1 to 6 million transactions per year. Required Annually; Required Quarterly.

    Level 3: Any merchant processing 20,000 to 1 million transactions per year. Required Annually; Required Quarterly.

    Level 4: All other merchants, not in Levels 1, 2 or 3. Required Annually; Required Quarterly.

  • Protect and Validate PCI Compliance

    FINANCIALLY PROTECT YOUR BUSINESS: Up to $100,000 of data breach expense subject to per occurrence and aggregate limits of $500,000 per year, protection per location for less than $1 per day.

    VALIDATE YOUR LEVEL OF PCI COMPLIANCE: Reduce the risk of breach with easy to use web-based tools for validating compliance.

    Designed for Level 2-4 merchants, PCI Compliance Validation is a comprehensive solution that protects business owners and organizations from the crippling financial effects of credit card theft while reducing the risk of data breach.

    Solution powered by ANX eBusiness, an Approved Scanning Vendor (ASV) and Qualified Security Assessor (QSA)

  • Breach Protection*

    Breach Protection provides for merchant reimbursement of up to $100,000 per location subject to a per occurrence and aggregate yearly maximum of $500,000 to cover expenses if a customer's credit card information is breached.

    Covered expenses include:

    Forensic audit provided by a Qualified Security Assessor (QSA) as required by PCI DSS

    Replacement of credit cards and related expenses

    Fines and penalties incurred as a result of the breach

    Two-hour telephone consultation with a breach consultant

    *DISCLAIMER NOTICE. The PCI Compliance Solution Services are provided and serviced by ANXeBusiness Corp. and offered through EarthLink Business, and are subject to the terms and conditions found at http://www.earthlinkbusiness.com/about-us/legal/terms.xea. All Data Breach Protection Service reimbursements are limited to: $100,000.00 a year for each qualifying location, not to exceed $500,000.00 per occurrence for customers with multiple locations, and an aggregate maximum of $500,000.00 per customer. Use of the PCI Compliance Validation Service does not guarantee that a data breach will not occur and alone cannot prevent losses. EarthLink Business makes no representations as to whether the Data Breach Protection Service will apply to or cover a particular claim or loss. The material in this document (or on this site) is intended for informational purposes only, not as professional advice, and is provided on an AS IS basis. EARTHLINK BUSINESS DISCLAIMS ALL WARRANTIES OR CONDITIONS, EXPRESS OR IMPLIED, RELATING TO THE PCI COMPLIANCE SOLUTION SERVICES, INCLUDING, WITHOUT LIMITATION, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND THE ACCURACY AND COMPLETENESS OF ASSOCIATED INFORMATIONAL CONTENT AND WILL NOT BE LIABLE FOR LOSSES, COSTS OR DAMAGES ARISING FROM THE PCI COMPLIANCE SOLUTION SERVICES OR ANY ASSOCIATED INFORMATIONAL CONTENT.

  • EarthLink PCI Compliance Validation

    PCI Self Assessment Questionnaire (SAQ) wizard with question and answer support

    Task Management and Reporting

    Security Policy Templates

    External Vulnerability Scanning

    PCI eLearning course (versions for cashier, IT and owner)

  • Proactively Protect Your Business from Breach

    Step 1: Financially Protect Yourself from a Breach

    Step 2: Validate PCI Compliance

    Step 3: Achieve Compliance

    Step 4: Maintain Compliance

    How can EarthLink help you achieve PCI Compliance?

    We obviously have customers in many vertical markets, but retail is EarthLink's #1 focus. This focus extends beyond just sales & marketing. It's about getting all of our functional organizations aligned to support the unique needs of retailers - from developing products specifically for retail to aligning support with peak holiday seasons to making sure our sales and sales engineering organizations can address retail-specific challenges. You'll see examples of this throughout this presentation, which will provide you with an overview of our retail solutions.

    *So let's change gears here and take a look at PCI compliance.

    What exactly is PCI compliance and does it really matter?

    In a nutshell, it's a required way to reduce the risk of credit card theft and YES, unlike many requirements out there, it really does matter.

    There's a lot of confusion and misinformation about PCI compliance.

    To begin, let's address who it applies to. The answer: every business, large or small, that accepts a credit card must be PCI compliant. If you're a small restaurant owner and haven't heard about PCI compliance from your bank yet, you will, and sooner rather than later. In the early days of PCI compliance, the banks focused on inspecting compliance with the largest retailers, those with more than 1 million credit card transactions in a year. However, since smaller victims are the preferred target, banks are spending more time and effort to inspect the level of PCI compliance with small businesses like restaurants. We're getting calls from many restaurants who received a letter from the bank asking them for a copy of their PCI self-assessment questionnaire. Other banks are placing a PCI non-compliance fee on the monthly statement until the restaurant proves their compliance.

    PCI compliance is NOT a government regulation. However, don't let that convince you that it doesn't have teeth. It does! All the credit card companies and banks adhere to PCI compliance. And the rules, fines, and pass-through costs are very real.

    Another misconception out there is WHO is accountable for PCI compliance. It's not equipment vendors. If there's a breach, 100% of the accountability is passed to the business owner.

    So you might be wondering, does PCI compliance really work?

    In other words, if you're PCI compliant, can you still get breached? The answer is YES. However, statistics clearly show that being PCI compliant significantly reduces the chance that your restaurant will be a victim. The standard does a great job of addressing vulnerabilities. Becoming PCI compliant really means that you're paying serious attention to security. And when you're paying serious attention, the risk of becoming a victim is greatly diminished.

    **Symantec and Ponemon Institute, Cost of a Data Breach Report

    *To break into POS servers they use a combination of tactics

    Let's take a closer look at the top root causes of data breach. The top 2 reasons are outdated firewalls and insecure remote access.

    Criminals literally pry open the virtual door to your business and help themselves to your information.

    Many restaurants in particular make 2 big mistakes with firewalls. First, they purchase consumer-grade devices instead of models designed for business. A restaurant firewall should include comprehensive anti-malware capabilities that are frequently updated. New threats are created each day, so your defenses must evolve as well. Some restaurant owners think they are safe because each computer in their store has a local copy of anti-malware like Norton or Symantec. While those are good tools in the fight against cyber crime, it's also essential to run anti-malware from the firewall gateway. It's an important second line of defense in case the malware program is turned off or not updated.

    The second problem with firewalls is misconfiguration. Just taking a firewall out of the box and plugging it in is a common practice. There are many configuration settings with a firewall and a trained security expert should be used when setting up a firewall. For example, if you run a WiFi network, you can place your restaurant at risk simply by plugging the wireless adapter into the wrong port on the firewall.

    The other top cause of data breach is insecure remote access. Remote access is typically the weakest link in a restaurant's security profile. Criminals know that restaurant owners and vendors access store data remotely using programs like GoToMyPC. Just steal the user name and password and it's like stealing the keys to the front door.

    Some other common causes of data breach include:

    Weak security configurations

    Operating system flaws

    Lack of staff training

    Flawed security policies

    Good old-fashioned negligence (stuff like writing down credit card numbers in a rolodex and having that rolodex stolen by a fired employee)

    And poor change control procedures

    Put another way: too many restaurant owners purchase inadequate technology and don't know how to properly configure it. Plus, they don't focus on training their employees to recognize and report suspicious activity.

    *As for the PCI requirements themselves, think of them as layers of an onion. At first glance, it doesn't seem like much. There are just 6 control objectives, which are: 1, build and maintain a secure network, 2, protect cardholder data, 3, maintain a vulnerability management program, 4, implement strong access control measures, 5, monitor and test networks, and 6, maintain an information security policy.

    Not bad, right? Well, those objectives then turn into 12 requirements, which are commonly referred to as the "digital dozen." 12 is still a manageable number. Where it becomes overwhelming for most restaurant owners is when you dive into the annual self-assessment questionnaire. In order to address the digital dozen, the business owner must answer over 200 detailed questions. And many of those questions are of the technical variety.

    It's no wonder, then, that the vast majority of restaurants are not PCI compliant. They simply underestimate how long it will take and the resources required to fully meet the requirement.

