TRANSCRIPT
Data Security and Payment Card Acceptance
Presented by:
Brian Ridder
Senior Vice President
First National
September 10, 2009
Presentation Overview
• Why Should I Care?
• Safety in “Numbers”
• PCI – What is This?
• PCI “Digital Dozen” – Does it Make a Difference?
• Legislation – Uncle Sam and Friends are Here to Help
• Future Steps
• I’ve Been Breached, What Happens Next?
SAMPLE TEXT
© FIRST NATIONAL BANK
Data Security and Payment Cards
Why Should I Care?
• Do you have insurance for identifiable business risks?
• Is it challenging to attract new and retain existing customers?
• Are credit or debit cards a meaningful percentage of your payment tender types?
• Do you want to focus your resources on growing your business, or possibly on seeking out your customers to notify them that their payment card information has been compromised?
• Do you believe negative events at your company can impact your brand?
Safety in Numbers? Not so much …
• 2004 – BJ’s Wholesale
• 2005 – Designer Shoe Warehouse (DSW)
• 2007 – TJ Maxx, OfficeMax, Dave & Busters, 7-11
• 2008 – Hannaford Brothers Grocery
  • Dec 2007 to March 2008 – 4 million cards
  • 1,800 fraudulent charges made – 21 civil claims
• 2009 – Heartland Payment Systems
  • Fall 2008 to January 2009 – to date $12.5 million in fines.
According to a report released August 17, 2009 by the Ponemon Institute and funded by encryption firm PGP, the cost of a data breach for companies has risen to $202 per lost record, up from $197 in the institute's 2007 study. For the 47 companies audited in the study, those costs added up to $6.6 million per incident.
PCI – What is This?
A collaborative approach by the major card brands (Visa, MasterCard, Discover, Amex, JCB) to address payment card data security in a proactive and unified way.
PCI “Digital Dozen” – Does it Make a Difference?
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to data by business need to know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
Maintain an Information Security Policy
12. Maintain a policy that addresses information security.
To become compliant what does a company need to do?
1. Complete a Self Assessment Questionnaire (SAQ)
2. Complete a network vulnerability scan if you have an external connection.
3. On-site PCI audit if you are a large card-transacting merchant.
Does PCI - the Digital Dozen make a difference?
Merchant awareness:
Merchant action:
Post breach forensic findings:
Legislation – Uncle Sam and Friends are Here to Help You.
• 2009 Legislation
• 2008 and prior legislation
Likely Future Industry Steps
• Credit card processors will really expect compliance
• Solutions for non-access storage
• End to end encryption
I’ve Been Breached, What Do I Do?
1. Immediately contain and limit the exposure. Prevent further loss of data by conducting a thorough investigation of the suspected or confirmed compromise of information. Preserve evidence and help facilitate the investigation.
2. Alert all necessary parties immediately:
   – Your internal information security group and incident response team.
   – Your merchant bank.
   – Your local office of the United States Secret Service.
3. Provide all compromised payment card accounts to your merchant bank within 10 business days. The payment brands will distribute the compromised account numbers to Issuers and ensure the confidentiality of entity and non-public information.
Contact information:
Brian Ridder
Senior Vice President
First National Merchant Solutions
402-633-1875