Top 10 Things Your Merchants Should Know about PCI

1. Top 10 Things Your Merchants Should Know about PCI Presenters: Chris Bucolo – Senior Business Development Manager, ControlScan Stephanie Sperry – Senior Marketing Manager, Merchant Warehouse

2. About Merchant Warehouse • Established in 1998 • Over 80,000 active merchants • 170+ employees • Award winning: • Three-time recipient of the Boston Business Journal Pacesetter Award • 100 Best’s 2010 Merchant Account Provider of the Year • 2009 ETA ISO of the Year

3. About ControlScan Established in 2005 Specialize in Payment Card Industry (PCI) Compliance Exclusive focus on all Level 4 merchants Comprehensive PCI 1-2-3 program drives high merchant compliance rates An Approved Scanning Vendor (ASV) and Qualified Security Assessor (QSA) Active partnerships with banks, ISOs and processors

4. Talking Points The Level 4 merchant profile and unique challenges Common myths & stumbling blocks Merchant best practices Agent best practices & merchant retention Top 10 things your merchants should know about PCI

5. Level 4 Merchant • Profile • We have seen 2 distinct categories: mom and pop merchants with little or no IT/security knowledge (i.e. micro-merchants) and larger level 4 merchants with technical support staff, or an IT services partner. • Unique Challenges • Cannot use a one size fits all approach to addressing PCI compliance and security with merchants. • Because there are not a lot of “small” breaches reported in the media, many Level 4 merchants still believe they are not a target and it will not happen to them. • Merchants with dial terminals often feel that they are not to be concerned because they do not have an IP facing device that can easily be hacked into.

6. Key Findings: Fraudsters Like Low Hanging Fruit These Days The # of breached records is way down, but the number of breach events is way up. This is bad news for level 4 merchants. Source: Verizon 2011 Data Breach Investigations Report

7. Key Findings: Industry Breakdown It is important to continue stressing the need for more vigilance in the Hospitality sector. Restaurants and hotels continue to be a major source of attack. Source: Verizon 2011 Data Breach Investigations Report

8. Common PCI Myths • Myth #1: PCI does not apply to me, since I only accept a few cards. • Reality: PCI compliance is required for any merchant that accepts payment cards, even if the quantity is just one. • Myth #2: I’m using tokenization technology so I’m exempt from PCI. • Reality: While tokenization technology may help reduce risk and potentially the effort to comply with PCI, it does not exempt a merchant from being PCI compliant. • Myth #3: I’m using a compliant payment application, therefore I’m PCI compliant. • Reality: Using a certified payment application will help facilitate PCI compliance, but does not make you compliant in and of itself.

9. Common PCI Myths • Myth #4: We outsource card processing, so we don’t need to comply with PCI. • Reality: A merchant is accountable and is still required to ensure that any third party processor is also PCI compliant. Physical and Information Security Policies still apply. • Myth #5: I’m a mom and pop store, so hackers won’t attack me. • Reality: According to Visa, over 85% of compromised events occur within the small merchant space (Level 4). • Myth #6: I completed my PCI validation, so I can’t get breached. • Reality: While achieving PCI compliance is a critical step in reducing the likelihood of suffering a breach, it is only a periodic measurement and not a guarantee. Constant vigilance is vital!

10. Common PCI Myths • Myth #7: I already pay a PCI fee, so I’m compliant. • Reality: Paying a PCI fee or enrolling in a program does not make the business PCI compliant or validate compliance. • Myth #8: I don’t use a POS system, so I don’t need to be PCI compliant. • Reality: PCI compliance is not limited to POS systems. Any business that stores, processes or transmits credit card data must validate compliance. The compliance process for merchants using terminals is not intrusive.

11. Merchant Stumbling Blocks How do I figure out what type of system or application I have? What does it mean to mask the PAN? Who is a service provider or third-party service provider? My machine already truncates card numbers. What is meant by “Sensitive Authentication Data” How do I know if I am electronically storing card holder data? I don’t need policies because I am a small business. I don’t have enough resources to comply with PCI. I don’t have technical expertise, how do I answer these questions?

12. Merchant Best Practices Buy and use only approved PIN entry devices at your point-of-sale Buy and use only PA-DSS validated payment software at your POS or Website shopping cart Do not store any sensitive cardholder data in your computers or on paper Use a firewall on your network and PCs Make sure your wireless router is password-protected and uses encryption Use strong passwords – be sure to change default passwords on hardware and software Regularly check PIN devices and PCs to make sure no one has installed rogue software or “skimming” devices Train your employees and establish policies around security and protecting cardholder data Follow the PCI standard

13. Agent Best Practices • Tailor the approach by Level 4 segment • Micro-merchants require more upfront education around PCI to set context, followed by more tactical education based on where they are in the compliance process • Use segmentation strategies based on SAQ types • Team with micro-merchants to mentor them through the PCI DSS compliance process • Offer “hands-on” assistance through multiple touch points or consider outsourcing this effort to make the process easier (e.g., outbound calling, email/direct campaigns, statement messages, FAQs) • Maintain a healthy skepticism with regard to the Self-Assessment Questionnaire responses (e.g., education programs, random audits)

14. Agent Best Practices – Improve Retention Educating and mentoring your merchants will help build your relationship with them and in turn improve merchant retention and referrals Take the time to educate yourself on the topic and have the resources you need to help your merchants become compliant

15. Top Ten Things your Merchants Should Know PCI is here to stay: Card Brand focus/Legislative momentum. Technology enhancements are bringing increased focus on PCI. Hackers increasingly target small businesses. Most data breaches remain very preventable. Complying with PCI does not cost a lot for the typical Level 4 Merchant. Not complying with PCI has the potential to be very expensive. PCI helps create a strong foundation for a data security culture. Data security and privacy protection are huge concerns of customers. Reputational and brand damage are hard to measure if the merchant is breached. Merchant relationships can be strengthened if they understand the value of being PCI compliant.

16. Agent & ISO Program Benefits The security of a financially sound ISO Generous bonuses and benefits Uniquely fair agent contract Innovative technology In-house/dedicated customer and technical support Guaranteed lifetime residuals Marketing support In-depth sales training Online tools and resources Coming soon – Cost analysis tool and CB App Express!

17. Questions? Download Complete Level 4 Merchant Study Report: https://www.controlscan.com/whitepapers/merchant_study_2010.php Download Complete Level 4 Merchant Study Webinar: https://www.controlscan.com/webcasts/diversity_reigns_pci_compliance_level4_merchant.php For questions regarding this presentation, please contact Chris Bucolo at cbucolo@controlscan.com If you are interested in becoming an independent sales agent for Merchant Warehouse, please contact Doug Small @ 617-896-5590 x 2535 or dsmall@merchantwarehouse.com