
EarthLink Business PCI Compliance Solution Services

Date post: 03-Jan-2016
Upload: holly-miller
Transcript
Page 1: EarthLink Business PCI Compliance Solution Services

EarthLink Business PCI Compliance Solution Services

Page 2: EarthLink Business PCI Compliance Solution Services

EarthLink Business: Secure Solutions for Merchants & Retailers

• SMB to Fortune 500 retail customers

• Tens of thousands of store locations

• Comprehensive network and IT services to support PCI compliance:

– Nationwide private MPLS

– Direct Connect

• Secure Point of Sale connectivity

– SSAE 16 compliant data centers; connect directly via MPLS

– Managed security services

– PCI Compliance Validation with Breach Protection

Page 3: EarthLink Business PCI Compliance Solution Services

What is PCI Compliance?

Definition – Payment Card Industry Data Security Standard (PCI-DSS)

Set up by Visa, MasterCard, American Express, Discover, and JCB to reduce the risk of credit card theft and transfer liability to merchants

Requires mandatory adoption by all businesses that store, process, or transmit credit/debit card data

• 6 Control Objectives

• 12 Core Requirements

• 250+ Audit Procedures

Page 4: EarthLink Business PCI Compliance Solution Services

If you cannot answer yes to the three questions below, you are not PCI Compliant

1. Have ALL employees completed a PCI Certified security awareness training program upon hire and annually thereafter?

2. Have all employees read and signed a formal security policy?

3. Can you demonstrate that you run quarterly ASV scans?

97% of U.S. events occurred at small merchants, and 91% of those were brick and mortar merchants. (Visa, 2012)

Page 5: EarthLink Business PCI Compliance Solution Services

Impact of a Breach on a Business

A credit card breach can take months to remediate

1. Must stop taking credit cards

2. Pay for forensic audit

3. Pay fines and credit card replacement costs

4. Pay to implement remediation actions and for future on-site audits by a Qualified Security Assessor

The average business loses $3,007,015 per breach incident due to customer churn, brand damage, etc.

(Symantec and Ponemon Institute)

Page 6: EarthLink Business PCI Compliance Solution Services

Vulnerabilities that Cyber Criminals Exploit

• No firewall to separate Point-of-Sale (POS) and Internet traffic

• Insecure remote access

• Lack of staff training needed to spot scams and protect information

• Weak security configurations

• Operating system flaws

• Flawed security policies

• Poor change control procedures

Retailer Challenge: Dedicating the Time, Resources, and Expertise Required to Stop Cyber Crime

Page 7: EarthLink Business PCI Compliance Solution Services

PCI Compliance Data Security Standards Requirements

Control Objective 1: Build and maintain a secure network

– Requirement 1: Install and maintain a firewall configuration to protect data

– Requirement 2: Do not use vendor-supplied defaults for system passwords or other security parameters

Control Objective 2: Protect cardholder data

– Requirement 3: Protect stored data

– Requirement 4: Encrypt transmission of cardholder data and sensitive information across public networks

Control Objective 3: Maintain a vulnerability management program

– Requirement 5: Use and regularly update antivirus software

– Requirement 6: Develop and maintain secure systems and applications

Control Objective 4: Implement strong access control measures

– Requirement 7: Restrict access to data by business need to know

– Requirement 8: Assign a unique ID to each person with computer access

– Requirement 9: Restrict physical access to cardholder data

Control Objective 5: Regularly monitor and test networks

– Requirement 10: Track and monitor all access to network resources and cardholder data

– Requirement 11: Regularly test security systems and processes

Control Objective 6: Maintain an information security policy

– Requirement 12: Maintain a policy that addresses information security

Page 8: EarthLink Business PCI Compliance Solution Services

Merchant Requirements: Based on Transaction Volume

| Level | Criteria | On-Site Security Audit | Self-Assessment Questionnaire | External Vulnerability Scan |
|---|---|---|---|---|
| 1 | Any merchant processing more than 6 million transactions per year | Required Annually | | Required Quarterly |
| 2 | Any merchant processing 1 to 6 million transactions per year | | Required Annually | Required Quarterly |
| 3 | Any merchant processing 20,000 to 1 million transactions per year | | Required Annually | Required Quarterly |
| 4 | All other merchants, not in Levels 1, 2 or 3 | | Required Annually | Required Quarterly |

Page 9: EarthLink Business PCI Compliance Solution Services

Protect and Validate PCI Compliance

FINANCIALLY PROTECT YOUR BUSINESS: Up to $100,000 of data breach expense, subject to per occurrence and aggregate limits of $500,000 per year; protection per location for less than $1 per day.

VALIDATE YOUR LEVEL OF PCI COMPLIANCE: Reduce the risk of breach with easy to use web-based tools for validating compliance

Designed for Level 2-4 merchants, PCI Compliance Validation is a comprehensive solution that protects business owners and organizations from the crippling financial effects of credit card theft while reducing the risk of data breach

Solution powered by ANX eBusiness, an Approved Scanning Vendor (ASV) and Qualified Security Assessor (QSA)

Page 10: EarthLink Business PCI Compliance Solution Services

Breach Protection*

Breach Protection provides for merchant reimbursement of up to $100,000 per location, subject to a per occurrence and aggregate yearly maximum of $500,000, to cover expenses if a customer’s credit card information is breached.

Covered expenses include:

• Forensic audit provided by a Qualified Security Assessor (QSA) as required by PCI DSS

• Replacement of credit cards and related expenses

• Fines and penalties incurred as a result of the breach

• Two-hour telephone consultation with a breach consultant

*DISCLAIMER NOTICE. The PCI Compliance Solution Services are provided and serviced by ANX eBusiness Corp. and offered through EarthLink Business, and are subject to the terms and conditions found at http://www.earthlinkbusiness.com/about-us/legal/terms.xea. All Data Breach Protection Service reimbursements are limited to: $100,000.00 a year for each qualifying location, not to exceed $500,000.00 per occurrence for customers with multiple locations, and an aggregate maximum of $500,000.00 per customer. Use of the PCI Compliance Validation Service does not guarantee that a data breach will not occur and alone cannot prevent losses. EarthLink Business makes no representations as to whether the Data Breach Protection Service will apply to or cover a particular claim or loss. The material in this document (or on this site) is intended for informational purposes only, not as professional advice, and is provided on an “AS IS” basis. EARTHLINK BUSINESS DISCLAIMS ALL WARRANTIES OR CONDITIONS, EXPRESS OR IMPLIED, RELATING TO THE PCI COMPLIANCE SOLUTION SERVICES, INCLUDING, WITHOUT LIMITATION, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND THE ACCURACY AND COMPLETENESS OF ASSOCIATED INFORMATIONAL CONTENT AND WILL NOT BE LIABLE FOR LOSSES, COSTS OR DAMAGES ARISING FROM THE PCI COMPLIANCE SOLUTION SERVICES OR ANY ASSOCIATED INFORMATIONAL CONTENT.

Page 11: EarthLink Business PCI Compliance Solution Services

EarthLink PCI Compliance Validation

• PCI Self-Assessment Questionnaire (SAQ) wizard with question and answer support

• Task Management and Reporting

• Security Policy Templates

• External Vulnerability Scanning

• PCI eLearning course (versions for cashier, IT and owner)

Page 12: EarthLink Business PCI Compliance Solution Services

Proactively Protect Your Business from Breach

Step 1: Financially Protect Yourself from a Breach

Step 2: Validate PCI Compliance

Step 3: Achieve Compliance

Step 4: Maintain Compliance

How can EarthLink help you achieve PCI Compliance?

