Date post: 22-Dec-2015
The Future of Electronic Payments Security & PCI Compliance Greg Grant Vice President – Managed Security Services

Payment Technology Trends

• Enterprise Class Businesses
  • Migration/early adoption of newer payment technologies such as Point-to-Point Encryption (P2PE)
  • Leading the “charge” for EMV implementation

• Small-to-Mid Sized Businesses (SMBs)
  • Focus on upgrading POS operating systems, equipment, devices
  • Remain highest users of traditional terminal/server systems
  • Movement away from dial-up to Internet-connected processing

• Everyone is looking at wireless-enabled payment systems

Major driving force behind technology changes is PCI, but not necessarily SECURITY

Payment Technology Realities

• Data breaches and card theft continue to go up

• PCI compliance rates are up / so are breaches ???

• Networks remain “flat”, so sensitive data can be targeted via other IP-connected devices

• Hackers are looking downstream (SMBs) because they are the least secured

• Most businesses either do not properly deploy and maintain security technologies (plus resources) or cannot afford to

• Businesses have adopted a “check box” mentality and are only concerned about getting their PCI Certificate of Compliance

• Believe that PCI compliance means they are secure

• Confusion over PA-DSS and PCI DSS

• Mandates are getting harder to comply with in 2015

• Big emphasis on companies providing services that could impact cardholder data

Common Network Landscape – Highly Unsecure


Properly Secured Data Network
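The “flat network” problem on the preceding slides is normally addressed by segmenting the payment systems from everything else on the LAN, so that a compromised printer, guest laptop or back-office PC cannot reach a terminal or POS server. As an added illustration (not a diagram or configuration from this presentation), the following nftables ruleset for a small merchant’s edge router puts the POS devices on their own interface and lets them initiate connections only to the payment gateway. The interface names, address ranges and gateway address are assumptions chosen for the example.

```nft
# Added example, not from the presentation: segment a POS/payment network
# from the office LAN on a Linux edge router with nftables.
# Interface names, subnets and the gateway address are assumed values.

define wan_if  = "eth0"           # uplink to the Internet
define lan_if  = "eth1"           # office / guest LAN
define pos_if  = "eth2"           # dedicated POS / payment segment
define lan_net = 10.10.10.0/24    # assumed office LAN range
define pos_net = 10.10.20.0/24    # assumed POS range
define gateway = 203.0.113.10     # assumed payment gateway (TEST-NET-3 placeholder)

table inet cde {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Allow replies to connections that were permitted on the way out.
        ct state established,related accept
        ct state invalid drop

        # POS devices may initiate traffic only to the payment gateway over TLS.
        iifname $pos_if ip saddr $pos_net ip daddr $gateway tcp dport 443 accept

        # Nothing on the office LAN may initiate a connection into the POS segment.
        iifname $lan_if ip daddr $pos_net counter drop

        # Office LAN keeps ordinary Internet access.
        iifname $lan_if oifname $wan_if accept

        # Anything else, including POS -> LAN and POS -> arbitrary Internet hosts,
        # is logged so the drop shows up in the audit trail, then dropped.
        log prefix "cde-drop " counter drop
    }
}
```

Load it with `nft -f <file>` and confirm with `nft list ruleset`. If the gateway is addressed by hostname rather than IP, the POS segment also needs an explicit DNS rule, and the `counter` fields give a quick way to prove to an assessor that no LAN-to-POS traffic is getting through. Segmentation of this kind is what lets the cardholder data environment be scoped to the POS interface instead of the whole network.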

Emphasis on Service Providers

• Service Providers (SP) are defined by the PCI Council as: “Companies directly involved in the processing, storage, or transmission of cardholder data, or companies that provide services that could impact the security of cardholder data.” Common examples include transaction processors, payment gateways, managed service providers, and web hosting providers.

• More formally, a service provider is any “business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity.” This includes companies that provide services that control or could impact the security of cardholder data.

• There is already a requirement in every SAQ to maintain a written agreement with each SP and to have a process for monitoring each Service Provider’s PCI compliance status. In addition:

• All SAQs now have a place in the Executive Summary to list Service Providers

• New requirement 12.8.5 states that a record must be maintained of which PCI DSS requirements are managed by the Service Provider and which by the merchant

Changes To PCI Mandate

• All companies will have to NAME their service provider when filling out their self assessment questionnaire (SAQ) beginning in January 2015

• Clear transfer of risk and exposure to all companies that implement, service or maintain POS systems, IT systems and/or ancillary IP connected equipment/services

• Service providers are largely the ones that companies look to for help with security and PCI

• As a service provider, you must look for ways to ensure your risk and exposure is limited
  • Become a PCI compliant service provider
  • Have every implementation and system change “audited”
  • Outsource


A Solutions Approach

• Look to subscription-based managed services that ensure continuous network security and PCI compliance as a by-product

• Focus needs to be on protecting sensitive data systems (payments, health records, personal information, etc.) along with all other Internet traffic – not just the card data!

• Cloud-based – No need for clients to invest in expensive equipment, software or additional personnel

• Certification – There are many managed offerings on the market, but certification (look for a PCI DSS Level 1 validated service provider) limits your exposure should a breach occur

• Feature-rich – A few offer secure WiFi, 3G/4G backup, content filtering and many more benefits

• Breach protection/insurance – Extends the ability to offset unfunded risk should a breach occur

THANK YOU
