2. PCI Compliance

3. Introduction Scott Jerabek The CBORD Group Product Manager
Founded in 1975
Foodservice, Campus Card and Security solutions to College and University and Healthcare markets

4. CBORD Product Portfolio
College & University Applications
Card Systems
Foodservice
Housing
Online Ordering
Commerce
Security

5. Agenda Introduction Payment Card Industry standards Credit card risks
CBORD® products and PCI
MICROS® point-of-sale
Changes in PCI regulations
Discussion

6. Payment Card Industry Standards
Entities that store, process, or transmit cardholder data
PCI Data Security Standard (PCI-DSS)
Covers merchants and service providers
Payment Application Data Security Standard (PA-DSS)
Covers third-party applications deployed on site

7. PCI Landscape
CBORD® is a Service Provider and provides validated payment applications.
MICROS provides validated payment applications.
MerchantLink , Elavon, and Shift4 are credit card gateway solutions for MICROS.

9. Who Is Responsible for Compliance?
On-site systems: the merchant
Systems hosted 100% off-site: the service provider
Hybrid systems with off-site and on-site components that handle cardholder data
Service provider responsible for off-site
Merchant responsible for on-site

10. PCI DSS Goal Requirement Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability
Management Program
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
Implement Strong Access
Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information
Security Policy
12. Maintain a policy that addresses information security for
employees and contractors

11. Impact of Compliance Policies and procedures Training Implementation
Ex: Password and remote access policies
Ex: Quarterly vulnerability scans
Training
Ex: Information security training for staff
Implementation
Ex: Using firewalls to secure network resources
Ex: Intrusion detection and anti-virus software
Annual compliance assessment and remediation

12. PCI Scope
Any network component, server, or application that is included in or connected to the cardholder data environment
Reducing scope reduces risk and cost of compliance
Move cardholder data processing off-site to third parties
Segment on-site systems that touch cardholder data
Limit number of personnel with full access to cardholder data (personnel other than cashiers)

13. Credit Card Risks
PCI DSS represents a minimum level of security that should be applied to your organization’s handling of credit cards.
A security breach will:
Damage your reputation
Cost significant time, effort, and dollars
Negatively impact your customers

14. Breach Liabilities Average cost to institution₁
$202/breached patron record ($90 to $305)
Average $6.6M in direct and indirect costs
TJX
100 million credit card numbers
Estimated cost to TJX range from $118M to $1.3B
Target
One of the largest breaches in U.S. retail history
Investigation is ongoing
70 million credit card numbers
1 Forrester Research
If you only have 5,000 cards it is still a $1M issue
Forrester data is 2008
Gartner $939 / card
Symantec $214 / card $7M per organization
Sony – bigger than TJX

15. Breach Liabilities Required forensic audit ($50k)
Treated at Level 1 (no more self assessment)
Fines up to $500k
May not be able to continue to accept credit cards

16. CBORD Products and Services
CBORD supports your MICROS point-of-sale
Support uses tools that allow you to maintain compliance
Hosted products
CBORD responsible for compliance (service provider)
Minimal PCI impact on your organization
ManageMyID®/NetCardManager®
Webfood® online ordering
GET Funds

17. CBORD Products (cont.) Housing systems
Website payment integration with third parties
Catering
All credit card processing is hosted by CBORD

18. CBORD Hosting Layered Tech Validation Process
PCI compliant, SSAE 16 Type 2 compliant
Physical and Virtual Machines
Validation Process
CBORD uses Trustwave for validation
Trustwave reviews our environment & processes, performs monthly and yearly scans

19. MICROS Point-of-Sale MICROS information security resources
MICROS PA-DSS validated versions
Implementation guides and other documentation
MICROS security patch documentation
Operating-system patch testing results
Use network segmentation to separate MICROS from the rest of your network, including CS Gold® /Odyssey PCS ®

20. MICROS 3700/RES Refer to MICROS information security link for versions
MICROS implementation guide
Password policies
Database/transport encryption
Auditing, purging, etc.
Vaulting used to move cardholder data off-site
TransactionVault from MerchantLink
Card data never stored in on-site MICROS database
Point-to-Point Encryption
Merchantlink or Shift4 solutions utilize external readers

21. MICROS 9700/HMS Refer to MICROS information security link for versions
MICROS implementation guide
Password policies
Database/transport encryption
Auditing, purging, etc.
Vaulting used to move cardholder data off-site
Shift4
Card data never stored in on-site MICROS database
Point-to-Point Encryption
Shift4 solution utilizes external readers

22. MICROS Simphony Refer to MICROS information security link for versions
MICROS implementation guide
Password policies
Database/transport encryption
Auditing, purging, etc.
Vaulting used to move cardholder data off-site
Merchantlink, Shift4, Elavon
Point-to-Point Encryption
Merchantlink (Simphony 2.5, coming in 1.7), Shift4

23. Micros Resources

24. Grandfathering PA-DSS
Acceptable for existing
Acceptable for new deployments
New criteria:
Adding credit cards (new)
Adding Merchant ID (new)
Add revenue center (existing)
For Existing, if it was listed at the time of installation

25. Where are we headed?

26. PA-DSS and PCI-DSS 3.0 Effective January 1, 2014
PCI-DSS 2.0 remains active until December 31, 2014

27. PCI-DSS 3.0 Updates include:
Penetration testing must follow an industry accepted methodology
In Scope component inventory
Evaluate malware threats for systems not commonly affected by malware
Protect POS terminals from tampering and substitution
Maintain information about which PCI requirements are managed by service providers vs. merchant

28. Point-to-Point Encryption (P2PE)
Card data is encrypted at the reader and transmitted in encrypted format
POS server never “sees” protected card data
P2PE can reduce PCI scope

29. P2PE roadmap - Micros
Micros 3700 – Available now with Merchantlink Transaction Shield
Micros 9700 – Available now with Shift4
Micros Simphony –
Simphony 2.5 MR4 (Merchantlink Transaction Shield)
Simphony 1.7 (Q1 2014) (Merchantlink)
Shift4 is testing on both platforms & waiting for a few Micros bug fixes

30. EMV Initiatives
Visa has issued incentives to drive smart card adoption (EMV)
Both Issuers and Acquirers impacted
Carrots: Relief from PCI-DSS
Sticks: Liability Shift (October 2015)
Micros, Merchantlink, & Shift4 are all working on EMV though it is not yet available on any Micros platforms.
European Visa & Mastercard
TIP program
Effective October 1, 2012
• October 2012: Visa's Technology Innovation Program (TIP) and MasterCard's program go into effect. That means Visa and MasterCard will no longer require merchants to validate PCI DSS compliance, as long as they use dual-interface (contact and contactless), EMV chip-enabled POS terminals for at least 75 percent of transactions.
• April 2013: Payment processors must be able to process EMV transactions by this date.
• October 2015: A liability shift goes into effect, which means that processors will become responsible for fraud losses from merchants that don't have EMV terminals. The financial responsibility likely will be transferred to operators, so investigate how your POS provider is adapting.

31. Resources PCI Security Standards Council Quick Reference Guide
Quick Reference Guide
Prioritized Approach for Beginners
Ten Common PCI Myths
Validated Service Providers
Validated Payment Applications

32. Thank You! Scott Jerabek smj@cbord.com
Discussion
Thank You! Scott Jerabek

34. Forrester Research
Breakdown of Individual Breach Costs In order to account for the different variable costs that can be incurred during a data breach, a survey conducted by Forrester Research provided averages in five major cost categories:  
Discovery, Response and Notification on average run about $50 per record. This cost includes “outside legal fees, notification costs, increased call center costs, marketing and PR costs, and discounted product offers.”
Lost employee productivity on average costs about $30 per record. Dealing with the bad press and legal responsibilities are the major distractions for employees after a breach.
Additional regulatory fines. This cost can vary greatly from $0.00 to $10 million, as ChoicePoint found out when paying civil penalties to settle the Federal Trade Commission case. Also, Visa increased the fine for mismanaging sensitive customer data from $3.4 million in 2005 to $4.6 million in 2006.
Opportunity costs average about $98 per record, but it significantly varies from industry to industry. Forrester estimates “10% - 20% of potential customers will be scared away by a security breach in a given year,” and Ponemon’s survey indicated that 74% of its respondents lost current customers due to the breach.
Indirect costs (for high-profile breaches) often include:
Restitution costs - ChoicePoint is the first security breach victim to have to pay restitution costs, wherein they agreed to establish a $5 million consumer restitution fund.
Additional security and audit requirements - For example, “DSW’s settlement with the FTC in its 2005 data breach of more than 1.4 million records requires DSW to establish and maintain a comprehensive information security program that includes administrative, technical, and physical safeguards. It also requires DSW to obtain, every two years for 20 years, an audit from a qualified, independent, third-party professional to assure that its security program meets the standards of the order,” per Forrester Research. 
Other liabilities - Replacing credit cards is a substantial ‘other cost.’ For example, Sovereign Bank was hit twice by the BJ’s Wholesale Club breach, as the first set of 81,000 replacement cards was malfunctioned.