Presentation is loading. Please wait.

Presentation is loading. Please wait.

Introduction Scott Jerabek Product Manager The CBORD Group Founded in 1975 Foodservice, Campus Card and Security solutions to College and University.

Similar presentations


Presentation on theme: "Introduction Scott Jerabek Product Manager The CBORD Group Founded in 1975 Foodservice, Campus Card and Security solutions to College and University."— Presentation transcript:

1

2

3 Introduction Scott Jerabek Product Manager The CBORD Group Founded in 1975 Foodservice, Campus Card and Security solutions to College and University and Healthcare markets

4 CBORD Product Portfolio College & University Applications Card Systems Foodservice Housing Online Ordering Commerce Security

5 Agenda Introduction Payment Card Industry standards Credit card risks CBORD ® products and PCI MICROS ® point-of-sale Changes in PCI regulations Discussion

6 Payment Card Industry Standards Entities that store, process, or transmit cardholder data PCI Data Security Standard (PCI-DSS) Covers merchants and service providers Payment Application Data Security Standard (PA-DSS) Covers third-party applications deployed on site

7 PCI Landscape CBORD ® is a Service Provider and provides validated payment applications. MICROS provides validated payment applications. MerchantLink, Elavon, and Shift4 are credit card gateway solutions for MICROS.

8

9 Who Is Responsible for Compliance? On-site systems: the merchant Systems hosted 100% off-site: the service provider Hybrid systems with off-site and on-site components that handle cardholder data Service provider responsible for off-site Merchant responsible for on-site

10 GoalRequirement Build and Maintain a Secure Network 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program 5. Use and regularly update anti-virus software or programs 6. Develop and maintain secure systems and applications Implement Strong Access Control Measures 7. Restrict access to cardholder data by business need-to-know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data Regularly Monitor and Test Networks 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes Maintain an Information Security Policy 12. Maintain a policy that addresses information security for employees and contractors PCI DSS

11 Impact of Compliance Policies and procedures Ex: Password and remote access policies Ex: Quarterly vulnerability scans Training Ex: Information security training for staff Implementation Ex: Using firewalls to secure network resources Ex: Intrusion detection and anti-virus software Annual compliance assessment and remediation

12 PCI Scope Any network component, server, or application that is included in or connected to the cardholder data environment Reducing scope reduces risk and cost of compliance Move cardholder data processing off-site to third parties Segment on-site systems that touch cardholder data Limit number of personnel with full access to cardholder data (personnel other than cashiers)

13 Credit Card Risks PCI DSS represents a minimum level of security that should be applied to your organizations handling of credit cards. A security breach will: Damage your reputation Cost significant time, effort, and dollars Negatively impact your customers

14 Breach Liabilities Average cost to institution $202/breached patron record ($90 to $305) Average $6.6M in direct and indirect costs TJX 100 million credit card numbers Estimated cost to TJX range from $118M to $1.3B Target One of the largest breaches in U.S. retail history Investigation is ongoing 70 million credit card numbers 1 Forrester Research

15 Required forensic audit ($50k) Treated at Level 1 (no more self assessment) Fines up to $500k May not be able to continue to accept credit cards Breach Liabilities

16 CBORD Products and Services CBORD supports your MICROS point-of-sale Support uses tools that allow you to maintain compliance Hosted products CBORD responsible for compliance (service provider) Minimal PCI impact on your organization ManageMyID ® /NetCardManager ® Webfood ® online ordering GET Funds

17 CBORD Products (cont.) Housing systems Website payment integration with third parties Catering All credit card processing is hosted by CBORD

18 CBORD Hosting Layered Tech PCI compliant, SSAE 16 Type 2 compliant Physical and Virtual Machines Validation Process CBORD uses Trustwave for validation Trustwave reviews our environment & processes, performs monthly and yearly scans

19 MICROS Point-of-Sale MICROS information security resources MICROS PA-DSS validated versions Implementation guides and other documentation MICROS security patch documentation Operating-system patch testing results Use network segmentation to separate MICROS from the rest of your network, including CS Gold ® /Odyssey PCS ®

20 MICROS 3700/RES Refer to MICROS information security link for versions MICROS implementation guide Password policies Database/transport encryption Auditing, purging, etc. Vaulting used to move cardholder data off-site TransactionVault from MerchantLink Card data never stored in on-site MICROS database Point-to-Point Encryption Merchantlink or Shift4 solutions utilize external readers

21 MICROS 9700/HMS Refer to MICROS information security link for versions MICROS implementation guide Password policies Database/transport encryption Auditing, purging, etc. Vaulting used to move cardholder data off-site Shift4 Card data never stored in on-site MICROS database Point-to-Point Encryption Shift4 solution utilizes external readers

22 MICROS Simphony Refer to MICROS information security link for versions MICROS implementation guide Password policies Database/transport encryption Auditing, purging, etc. Vaulting used to move cardholder data off-site Merchantlink, Shift4, Elavon Point-to-Point Encryption Merchantlink (Simphony 2.5, coming in 1.7), Shift4

23 Micros Resources

24 Grandfathering PA-DSS Acceptable for existing Acceptable for new deployments New criteria: Adding credit cards (new) Adding Merchant ID (new) Add revenue center (existing)

25 Where are we headed?

26 PA-DSS and PCI-DSS 3.0 Effective January 1, 2014 PCI-DSS 2.0 remains active until December 31, 2014

27 PCI-DSS 3.0 Updates include: Penetration testing must follow an industry accepted methodology In Scope component inventory Evaluate malware threats for systems not commonly affected by malware Protect POS terminals from tampering and substitution Maintain information about which PCI requirements are managed by service providers vs. merchant

28 Card data is encrypted at the reader and transmitted in encrypted format POS server never sees protected card data P2PE can reduce PCI scope Point-to-Point Encryption (P2PE)

29 P2PE roadmap - Micros Micros 3700 – Available now with Merchantlink Transaction Shield Micros 9700 – Available now with Shift4 Micros Simphony – Simphony 2.5 MR4 (Merchantlink Transaction Shield) Simphony 1.7 (Q1 2014) (Merchantlink) Shift4 is testing on both platforms & waiting for a few Micros bug fixes

30 Visa has issued incentives to drive smart card adoption (EMV) Both Issuers and Acquirers impacted Carrots: Relief from PCI-DSS Sticks: Liability Shift (October 2015) Micros, Merchantlink, & Shift4 are all working on EMV though it is not yet available on any Micros platforms. EMV Initiatives

31 Resources PCI Security Standards Council https://www.pcisecuritystandards.org Quick Reference Guide https://www.pcisecuritystandards.org/pdfs/pci_ssc_quick_guide.pdf Prioritized Approach for Beginners https://www.pcisecuritystandards.org/documents/Prioritized_Approach_V2.0.pdf Ten Common PCI Myths https://www.pcisecuritystandards.org/pdfs/pciscc_ten_common_myths.pdf Validated Service Providers Validated Payment Applications https://www.pcisecuritystandards.org/security_standards/vpa/vpa_approval_list.html

32 Discussion Thank You! Scott Jerabek

33

34 Forrester Research Breakdown of Individual Breach Costs In order to account for the different variable costs that can be incurred during a data breach, a survey conducted by Forrester Research provided averages in five major cost categories: Discovery, Response and Notification on average run about $50 per record. This cost includes outside legal fees, notification costs, increased call center costs, marketing and PR costs, and discounted product offers. Lost employee productivity on average costs about $30 per record. Dealing with the bad press and legal responsibilities are the major distractions for employees after a breach. Additional regulatory fines. This cost can vary greatly from $0.00 to $10 million, as ChoicePoint found out when paying civil penalties to settle the Federal Trade Commission case. Also, Visa increased the fine for mismanaging sensitive customer data from $3.4 million in 2005 to $4.6 million in Opportunity costs average about $98 per record, but it significantly varies from industry to industry. Forrester estimates 10% - 20% of potential customers will be scared away by a security breach in a given year, and Ponemons survey indicated that 74% of its respondents lost current customers due to the breach. Indirect costs (for high-profile breaches) often include: Restitution costs - ChoicePoint is the first security breach victim to have to pay restitution costs, wherein they agreed to establish a $5 million consumer restitution fund. Additional security and audit requirements - For example, DSWs settlement with the FTC in its 2005 data breach of more than 1.4 million records requires DSW to establish and maintain a comprehensive information security program that includes administrative, technical, and physical safeguards. It also requires DSW to obtain, every two years for 20 years, an audit from a qualified, independent, third-party professional to assure that its security program meets the standards of the order, per Forrester Research. Other liabilities - Replacing credit cards is a substantial other cost. For example, Sovereign Bank was hit twice by the BJs Wholesale Club breach, as the first set of 81,000 replacement cards was malfunctioned.


Download ppt "Introduction Scott Jerabek Product Manager The CBORD Group Founded in 1975 Foodservice, Campus Card and Security solutions to College and University."

Similar presentations


Ads by Google