Security & PCI Compliance The Future of Electronic Payments Security & PCI Compliance Greg Grant Vice President – Managed Security Services

Payment Technology Trends Enterprise Class Businesses Migration/Early adoption of newer payment technologies such as Point-to-Point Encryption (P2PE) Leading the “charge” for EMV implementation Small-to-Mid Sized Businesses (SMB’s) Focus on upgrading POS operating systems, equipment, devices Remain highest users of traditional Terminal/Server systems Movement away from dial-up to Internet connected processing Everyone is looking at wireless enabled payment systems Major driving force behind technology changes is PCI, but not necessarily SECURITY

Payment Technology Realities Data breaches and card theft continues to go up PCI compliance rates are up / so are breaches ??? Networks remain “flat” so sensitive data can be targeted via other IP connected devices Hackers are looking downstream (SMB’s) because they are the most unsecured Most businesses either do not properly deploy and maintain security technologies (plus resources) or they cannot afford it Businesses have adopted a “check box” mentality and are only concerned about getting their PCI Certificate of Compliance Believe that PCI compliance means they are secure Confusion over PA DSS and PCI DSS Mandates are getting harder to comply with in 2015 Big emphasis on companies providing services that could impact cardholder dataBig emphasis on companies providing services that could impact cardholder data

Common Network Landscape – Highly Unsecure

Properly Secured Data Network

Emphasis on Service Providers Service Providers (SP) are defined by the PCI Council as: “Companies directly involved in the processing, storage, or transmission of cardholder data, or companies that provide services that could impact the security of cardholder data.” Common examples include: Transaction Processors, Payment Gateways, Managed Service Providers, or Web Hosting Providers. A service provider is any “business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity.” This includes companies that provide services that control or could impact the security of cardholder data. There is already a requirement in every SAQ to maintain a written agreement with each SP, and have a process for monitoring a Service Provider’s PCI Compliance status. In addition, All SAQ’s now have a place in the Executive Summary to input Service Providers New requirement states a list must be maintained of which PCI DSS requirements are managed by the Service Provider and which by the merchant Changes To PCI Mandate

All companies will have to NAME their service provider when filling out their self assessment questionnaire (SAQ) beginning in January 2015 Clear transfer of risk and exposure to all companies that implement, service or maintain POS systems, IT systems and/or ancillary IP connected equipment/services Service providers are largely the ones that companies look to for help with security and PCI As a service provider, you must look for ways to ensure your risk and exposure is limited Become a PCI compliant service provider Have every implementation and system change “audited” Outsource Changes To PCI Mandate

A Solutions Approach Look to subscription based managed services that ensure continuous network security and PCI compliance as a by product Focus needs to be on protecting sensitive data systems (payments, health records, personal information, etc) along with all other Internet traffic - not just the card data! Cloud-based - No need for clients to invest in expensive equipment, software or additional personnel Certification – There are many managed offerings on the market, but certification (look for PCI L1) will ensure you’re not at risk should a breach occur Feature Rich – A few offer secure WiFi, 3G/4G backup, Content Filtering and many more benefits Breach Protection/Insurance – Extend the ability to offset unfunded risk should a breach occur

THANK YOU