1. PCI Compliance and the Restaurant of the Future October 8, 2013 Presented by WEBINAR Jim Lippard Senior Product Manager Security Products EarthLink Business Kamran Chaudhary Director of Compliance Technology Qualified Security Assessor (QSA) ANX eBusiness

2. About EarthLink Leading provider of data, voice, and IT services for businesses, with services that include managed security and PCI compliance solutions for retailers. About ANX eBusiness: Qualified Security Assessor (QSA) and Authorized Scanning Vendor (ASV) with the PCI Council. The ANX mission is to protect our customers' information, secure their business interactions and be their trusted platform for collaboration. Introduction Speakers Jim Lippard Sr. Product Manager Security Products EarthLink Business Kamran Chaudhary Director of Compliance Technology Qualified Security Assessor (QSA) ANX eBusiness 2

3. The basics of PCI DSS compliance The risks of non-compliance PCI DSS 3.0 New restaurant technology 4 basic steps for maintaining and achieving compliance EarthLink/ANX PCI compliance solutions Questions Agenda 3

4. What is PCI Compliance? Definition – Payment Card Industry Data Security Standard (PCI-DSS) Set up in 2004 by Visa, MasterCard, American Express, Discover, and JCB to reduce the risk of credit card theft and transfer liability to merchants Requires mandatory adoption by all businesses that store, process, or transmit credit/debit card data 6 Control Objectives 6 Control Objectives 12 Core Requirements 280+ Audit Procedures 4

5. THE EFFECTS OF CREDIT CARD BREACH ON RETAIL BUSINESS ARE DAUNTING is the average direct cost of a data breach $80k of breached businesses are out of business within one year of the attack 70% small businesses will suffer a credit card breach in the next 24 months 1 in 6 Breaches originate from organized criminal groups 98% Average days between intrusion and detection 210 Defining the Market Problem 5

6. What happens if my business is non-compliant and suffers a breach? A credit card breach will cripple your business for months 1.Credit cards transactions – Acquirers may ask merchants to cease 2.Forensic audit – QSA team on-site to determine cause of breach. 3.Implement remediation actions – Can take 90-120 days to complete. 4.Fines and fees – Merchant is responsible for all costs. $80-100K average. 5.Brand equity – Breaches are public knowledge; brand image tarnished. 6

7. The bottom line on PCI Compliance Many myths about PCI compliance It doesnt apply to my business Im already PCI compliant I have a firewall in place so Im compliant My (fill in the blank) has me covered PCI DSS is solely the responsibility of the merchant If merchant cant demonstrate compliance, they cover breach costs. If merchant can demonstrate compliance, bank covers breach costs. >96% of breached businesses were not PCI compliant 7

8. If you cannot answer yes to the three questions below, you are NOT PCI Compliant 1 2 3 Can you demonstrate that ALL cashiers have completed and understood a formal security awareness training upon hire and at least annually? Can you demonstrate that each employee has read and understood the company security policy and procedures? Have you fully completed your annual SAQs and quarterly vulnerability scans with a 100% pass? 8

9. PCI 3.0 Timeline Source: PCI Security Standards Council What this means for you as a merchant: PCI Compliance is here to stay, and is always evolving The process incorporates feedback from merchants and QSAs Each release includes time for merchants to implement requirements and best practices PCI Release November 7, 2013 PCI 2.0 Expires Dec 31, 2014 Best practices become requirements June 2015 9

10. Whats new in PCI DSS 3.0 PCI 3.0 emphasizes security versus compliance, and a more proactive, business-as-usual approach to protecting cardholder data. Key themes: Education & awareness Increased flexibility Security as a shared responsibility Guidance on emerging technologies 3 types of changes: Clarification Additional guidance Evolving requirement 10

11. NEW RESTAURANT TECHNOLOGY 11

12. Payment Technology Key points in both scenarios: Risk is greatly reduced Merchants are still responsible for PCI compliance Technology Visa Chip and Pin (EMV) Point-to-Point or End-to-End Encryption (P2PE or E2EE) What it is Europe, Visa leading. Uses contactless NFC chips and a PIN to for two-factor authentication on credit card purchases. Allows merchants to offer point- to-point encryption of card data from point of entry to settlement. The impact on PCI DSS requirements Annual validation not required for merchants that process 75% of card transactions through chip- enabled terminals. Eliminates exposure to fraud and financial liability for the merchant, and reduces PCI scope to 6 PCI steps. 12

13. Network Technology Secure, reliable network connectivity is essential in transitioning to a Restaurant of the Future Customer-facing systems e.g. POS, mobile POS, consumer Wi-Fi, digital menus, online ordering and phone ordering depend on it Having the right technology in place reduces PCI DSS scope Key technologies to consider: Secure Wi-Fi: Includes rogue wireless scanning, guest access with walled garden Unified Threat Management (UTM): Threat management in a box, including intrusion detection/prevention, anti-malware, anti-virus, anti-spyware MPLS WAN: Private, centrally management network with option to connect POS directly to card processors 13

14. New devices = increased security risk 1980s 1ST GEN Boot viruses 2ND GEN Macro viruses Email DoS Limited hacking 3RD GEN Network DoS Blended threat (worm + virus+ trojan) Turbo worms Widespread system hacking NEXT GEN Infrastructure hacking Flash threats Massive worm driven DDoS Damaging payload viruses and worms 1990sTodayFuture WEEKS DAYS MINUTES SECONDS Individual Computer Individual Networks Multiple Networks Regional Networks Global Infrastructure Impact Target and Scope of Damage All new entry points need to be secured from hackers: Wi-Fi, security cameras, wireless credit card processors, digital menu boards and more interface to networks via IP addresses 14

15. 4 BASIC STEPS TO PCI COMPLIANCE 15

16. How to Proactively Protect Your Business from Breach Step 1: Establish Financial Protection Step 2: Validate PCI Compliance Step 3: Achieve Compliance Step 4: Maintain Compliance 16

17. Step 1: Financially Protect Your Business Acquire adequate breach protection for each store location to help cover direct costs in the event of a breach As little as $1/day per location can cover the costs of: Forensic audit and consultation with a Qualified Security Assessor (QSA) Replacement of credit cards and related expenses Fines and penalties incurred Ensure that coverage is retroactive to cover any undiscovered breach 17

18. RequirementLevel 1Level 2Level 3Level 4 Transaction volume>6 million 1 to 6 million 20,000 to 1 million All other merchants On-Site QSA Audit Annually Self Assessment Questionnaire (SAQ) Annually By a QSA/ISA Authorized Scanning Vendor Scan (ASV) Quarterly Security Awareness Training Upon hire and annually Policy Review and Acceptance Annually Note: Other quarterly or annual requirements will apply based on SAQ. 18 Step 2: Validate PCI Compliance Requirements by Merchant Level

19. Step 3: Achieve PCI Compliance Common issues: Outdated Firewalls Insecure Remote Access Weak security configurations Operating system flaws Lack of staff training Flawed security policies Poor change control procedures Address gaps identified during the validation process Up to 280 requirements depending on your environment 19

20. Step 4: Maintain Compliance Conduct on-going PCI training for employees including cashiers, IT staff Document and enforce security policies Conduct regular assessments and network scans for all locations and remediate gaps Identify and work closely with a PCI Compliance partner who can help 20

21. PCI Compliance Validation Powered by ANX eBusiness, QSA and ASV $100,000 in breach protection per location Portal with all of the tools Level 2-4 merchants need to validate compliance Private MPLS WAN Network Securely connectivity for all of your restaurants, all centrally managed from one location Direct connections from POS to card processors Managed security Firewall, mobile device management, secure remote access EarthLink PCI Compliance Solutions We rely on the EarthLink MPLS network 24/7 to run our restaurant operations. The private network also supports PCI compliance and allows us to control and monitor all 200 restaurants from one location. 21

22. Questions? For more information: http://www.earthlinkbusiness.com/restaurant-pci-compliance/