
PCI Compliance and the Restaurant of the Future

Webinar. PCI Compliance and the Restaurant of the Future. October 8, 2013. Presented by. Kamran Chaudhary Director of Compliance Technology Qualified Security Assessor (QSA) ANX eBusiness. Jim Lippard Senior Product Manager Security Products EarthLink Business. Introduction. Speakers.



Presentation Transcript


  1. Webinar: PCI Compliance and the Restaurant of the Future. October 8, 2013. Presented by Kamran Chaudhary, Director of Compliance Technology, Qualified Security Assessor (QSA), ANX eBusiness, and Jim Lippard, Senior Product Manager, Security Products, EarthLink Business

  2. Introduction: Speakers. About EarthLink: Leading provider of data, voice, and IT services for businesses, with services that include managed security and PCI compliance solutions for retailers. About ANX eBusiness: Qualified Security Assessor (QSA) and Authorized Scanning Vendor (ASV) with the PCI Council. The ANX mission is to protect our customers' information, secure their business interactions and be their trusted platform for collaboration. Speakers: Jim Lippard, Sr. Product Manager, Security Products, EarthLink Business; Kamran Chaudhary, Director of Compliance Technology, Qualified Security Assessor (QSA), ANX eBusiness

  3. Agenda • The basics of PCI DSS compliance • The risks of non-compliance • PCI DSS 3.0 • New restaurant technology • 4 basic steps for achieving and maintaining compliance • EarthLink/ANX PCI compliance solutions • Questions

  4. What is PCI Compliance? • Definition – Payment Card Industry Data Security Standard (PCI DSS) • Set up in 2004 by Visa, MasterCard, American Express, Discover, and JCB to reduce the risk of credit card theft and transfer liability to merchants • Requires mandatory adoption by all businesses that store, process, or transmit credit/debit card data • Structure of the standard: 6 Control Objectives, 12 Core Requirements, 280+ Audit Procedures

  5. Defining the Market Problem: The effects of a credit card breach on a retail business are daunting • $80k – the average direct cost of a data breach • 70% of breached businesses are out of business within one year of the attack • 1 in 6 small businesses will suffer a credit card breach in the next 24 months • 98% of breaches originate from organized criminal groups • 210 – average days between intrusion and detection

  6. What happens if my business is non-compliant and suffers a breach? • Credit card transactions – Acquirers may ask merchants to cease processing • Forensic audit – QSA team on-site to determine cause of breach • Implement remediation actions – Can take 90-120 days to complete • Fines and fees – Merchant is responsible for all costs; $80-100K average • Brand equity – Breaches are public knowledge; brand image tarnished. A credit card breach will cripple your business for months

  7. The bottom line on PCI Compliance • Many myths about PCI compliance: “It doesn’t apply to my business”; “I’m already PCI compliant”; “I have a firewall in place so I’m compliant”; “My (fill in the blank) has me covered” • PCI DSS is solely the responsibility of the merchant • If the merchant can’t demonstrate compliance, they cover breach costs • If the merchant can demonstrate compliance, the bank covers breach costs • >96% of breached businesses were not PCI compliant

  8. If you cannot answer yes to the three questions below, you are NOT PCI Compliant: 1. Can you demonstrate that ALL cashiers have completed and understood a formal security awareness training upon hire and at least annually? 2. Can you demonstrate that each employee has read and understood the company security policy and procedures? 3. Have you fully completed your annual SAQs and quarterly vulnerability scans with a 100% pass?

  9. PCI 3.0 Timeline • PCI DSS 3.0 release: November 7, 2013 • PCI DSS 2.0 expires: December 31, 2014 • Best practices become requirements: June 2015 (Source: PCI Security Standards Council). What this means for you as a merchant: • PCI Compliance is here to stay, and is always evolving • The process incorporates feedback from merchants and QSAs • Each release includes time for merchants to implement requirements and best practices

  10. What’s new in PCI DSS 3.0: PCI 3.0 emphasizes security versus compliance, and a more proactive, business-as-usual approach to protecting cardholder data. • Key themes: education & awareness; increased flexibility; security as a shared responsibility; guidance on emerging technologies • 3 types of changes: clarification; additional guidance; evolving requirement

  11. New Restaurant Technology

  12. Payment Technology • Key points in both scenarios: • Risk is greatly reduced • Merchants are still responsible for PCI compliance

  13. Network Technology • Secure, reliable network connectivity is essential in transitioning to a “Restaurant of the Future” • Customer-facing systems (e.g. POS, mobile POS, consumer Wi-Fi, digital menus, online ordering and phone ordering) depend on it • Having the right technology in place reduces PCI DSS scope • Key technologies to consider: • Secure Wi-Fi: includes rogue wireless scanning and guest access with a walled garden • Unified Threat Management (UTM): “threat management in a box”, including intrusion detection/prevention, anti-malware, anti-virus and anti-spyware • MPLS WAN: private, centrally managed network with the option to connect POS directly to card processors

  14. New devices = increased security risk. All new entry points need to be secured from hackers: Wi-Fi, security cameras, wireless credit card processors, digital menu boards and more interface to networks via IP addresses. Chart – target and scope of damage versus time to impact, by threat generation (1980s to future): • 1st gen (1980s): boot viruses; target: individual computer; time to impact: weeks • 2nd gen (1990s): macro viruses, email, DoS, limited hacking; target: individual networks; time to impact: days • 3rd gen (today): network DoS, blended threats (worm + virus + trojan), turbo worms, widespread system hacking; target: multiple networks; time to impact: minutes • Next gen (future): infrastructure hacking, flash threats, massive worm-driven DDoS, damaging payload viruses and worms; target: regional networks up to global infrastructure impact; time to impact: seconds

  15. 4 Basic Steps to PCI Compliance

  16. How to Proactively Protect Your Business from Breach • Step 1: Establish Financial Protection • Step 2: Validate PCI Compliance • Step 3: Achieve Compliance • Step 4: Maintain Compliance

  17. Step 1: Financially Protect Your Business. Acquire adequate breach protection for each store location to help cover direct costs in the event of a breach • As little as $1/day per location can cover the costs of: forensic audit and consultation with a Qualified Security Assessor (QSA); replacement of credit cards and related expenses; fines and penalties incurred • Ensure that coverage is retroactive to cover any undiscovered breach

  18. Step 2: Validate PCI Compliance Requirements by Merchant Level Note: Other quarterly or annual requirements will apply based on SAQ.

  19. Step 3: Achieve PCI Compliance • Address gaps identified during the validation process • Up to 280 requirements depending on your environment • Common issues: outdated firewalls; insecure remote access; weak security configurations; operating system flaws; lack of staff training; flawed security policies; poor change control procedures

  20. Step 4: Maintain Compliance • Conduct ongoing PCI training for employees, including cashiers and IT staff • Document and enforce security policies • Conduct regular assessments and network scans for all locations and remediate gaps • Identify and work closely with a PCI Compliance partner who can help

  21. EarthLink PCI Compliance Solutions • PCI Compliance Validation: powered by ANX eBusiness, QSA and ASV; $100,000 in breach protection per location; portal with all of the tools Level 2-4 merchants need to validate compliance • Private MPLS WAN Network: secure connectivity for all of your restaurants, all centrally managed from one location; direct connections from POS to card processors • Managed security: firewall, mobile device management, secure remote access. “We rely on the EarthLink MPLS network 24/7 to run our restaurant operations. The private network also supports PCI compliance and allows us to control and monitor all 200 restaurants from one location.”

  22. Questions? • For more information: http://www.earthlinkbusiness.com/restaurant-pci-compliance/
