pci dss managed service solution october 18, 2011
DESCRIPTION
PCI DSS Managed Service Solution October 18, 2011. Who is Vendor Safe?. Founded in 1989 in Houston, Texas: 20 Plus Years of Security Experience Internet Security Network Security Data Security Transformation in 2007: Managed Firewall Architecture - PowerPoint PPT PresentationTRANSCRIPT
PCI DSS Managed Service Solution
October 18, 2011
Who is Vendor Safe?
Founded in 1989 in Houston, Texas:20 Plus Years of Security Experience
Internet Security Network Security Data Security
Transformation in 2007:Managed Firewall ArchitectureProvide Security First – PCI Compliance Will FollowPCI DSS Security Experts
2
“Many Franchise owners and IT
Managers underestimate the
high risk of credit card fraud
and the consequences that
follow.”
Why Care about PCI Compliance
The Problem:
3
PCI - Terms
• PA - DSS ( Payment Application)
• PCI- DSS ( Data Security)
• SAQ -( Self Assessment Questionnaire)
• Scans - External, Internal, Wireless
• ASV - Authorized Scanning Vendor
• QSA – Qualified Security Assessor
• Compliance vs. Validation
7 Data Security and Privacy You agree to post and maintain on all your Web Sites both your consumer data policy (which must comply with all Payment Brand Rules, Regulations, and Guidelines) and your method of transaction security. You may not retain or store CW2/CVC2 data or PIN data subsequent to the authorization. You must comply with all Security Standards published by the Payment Brands and the PCISSC including, but not limited to, Visa’s Customer Information Security Program (“CISP”), MasterCard’s Security Data Program (“MDSP”) and the Payment Card Industry Data Security Standard (“PCIDSS”). Pursuant to the Security Standards, you must,
among other things: (i) install and maintain a working network firewall to protect data accessible via the internet; (ii) keep security patches up to date; (iii) encrypt stored data and data sent over open networks; (iv) use and update antivirus software; (v) restrict access to employees
who are on a “need to know” basis; (vi) assign a unique ID to each person with computer access to data; (vii) not use vendor-supplied defaults for system passwords and other security parameters; (viii) track access to data by unique ID; (ix) regularly test security systems and processes; (x) maintain a policy
that addresses information security for employees and contractors; (xi) restrict physical access to Customer information; (xii) when outsourcing administration of information assets , networks, or data you must retain legal control of proprietary information and use limited “need to know” access to such assets, networks or data; and (xiii) reference the protection of Customer Information and compliance with the Security Standards in contracts with other service providers. You must notify Paymentech of any third party vendor with access to Customer Information, and you are responsible for ensuring that all third party vendors are compliant with the Security Standards, to the extent applicable. The Security Standards may require that you engage an approved third party vendor to conduct quarterly perimeter scans and/or security reviews can be accessed through Visa and Mastercard websites at www.Visa.com and www.MasterCard.com
I Signed What?
Merchants have already agreed to be PCI Compliant !!
5
It Won’t Happen to Me!
6
Hacking at small businesses "is a prolific problem," says Dean Kinsman, a special agent in the Federal Bureau of Investigation's cyber division, which has more than 400 active investigations into these crimes. "It's going to get much worse before it gets better."
Hackers Shift Attacks to Small Firms
Joe Angelastri, owner of City News stand in the Chicago area, is out $22,000 because cyber hackers attacked his stores' payment system.
Article – Wall Street Journal 7-21-2011
Breach - Ugly Facts
• Forensic Audit 6k - 10K (per location)
• Audit sent to Card Brands and Merchant Bank
• Scope of Breach Determined
• Fees / Fines Assessed (+ 10k cards)
• Remediation - Required for Lack of Security – or Additional Fines (5k)
• Customer Loss and Brand Damage
PCI Solution Overview
PCI is More Than POS
8
PCI Solution Overview 12-28612 Requirements Vendor Safe Solutions
Install and Maintain a Firewall • Vendor Safe Global Security Mesh / Security Services
Change Default Passwords • Vendor Safe Equipment and Remote Access is compliant • Policy to assist client with LAN management
Protect Stored Data • Vendor Safe Security Policy provided to address credit card data
Encrypt Credit Card Transmissions • Vendor Safe equipment can encrypt to the highest standards (wired and wireless)
Updated Anti-Virus Software • Optional Vendor Safe Managed Anti-Virus Service or POS Reseller provided
Develop Secure Applications • Vendor Safe does NOT Provide Payment Software (PA-DSS Certified Versions)
Restrict Access to Data • Vendor Safe Hierarchical remote access VPN architecture• Vendor Safe Customer policies and procedure templates
Assign a unique ID for users • Vendor Safe two factor remote access (different account for each user)• Vendor Safe Customer policies and procedure templates
Restrict Physical Access • Vendor Safe Training material (Web Videos / Policy and Procedure Templates)
Track and Monitor Data Access • Vendor Safe Workstation Logging client available Lanscribe™
Regularly Test Vulnerabilities • Vendor Safe Internal and External Vulnerability scanning services • Vendor Safe Penetration Testing Guide
Maintain Policy and Procedures • Vendor Safe Template Provided and maintained by customer • Vendor Safe available for professional services if needed
9
10
VST Value Proposition
• Heavy Lifting Components of PCI - DSS– High End Firewall, Secure Network Segments required (In
Scope) Devices for PCI DSS
– Provides Secure Remote Access, Policy Based
– 2 Factor Authentication, SMS or Email
– Logging and Storage – Firewall, Remote Access
– Managed Service, Updates, and 24x7 Monitoring
– System Logs and File Integrity Monitoring (LAN Scribe)
– Internal Scan
– Wireless Detection Scan
Platinum Package
Global Security Mesh™ $100,000 TrustVault™ CertificateManaged Juniper Firewall with VPN Implementation, Set-up, and ConfigurationGateway Session Logging
Logs Stored Online for 1 Year
Secure Remote Access with Two Factor Authentication
SMS / Email OTP Validation Forced Configuration Manager™
Ensures Secure Communications Enforces Antivirus policies
11
Platinum Package Cont’d
Global Security Mesh™ Network Segmentation to meet PCI Standards IPS / IDSWeb Filtering / Content Management24 x 7 x 365 Event Logging, Monitoring, and SupportCentralized Firewall Configuration ManagementFirewall Security Policy Template UpdatesOngoing Firewall Change Control and Policy Updates
Includes Technological Changes to PCI-DSS Standard
Next Business Day Hardware
Replacement
12
Platinum Package
Package Geared towards SAQ D Attestation Level Merchants
Automated security policies that reflect the more complicated requirements of the environment
LANScribe™ - Workstation Logging and File Integrity Monitoring (Up to 6 Workstations)
13
Beyond PCI™ Security
Beyond PCI Security Services
• Rogue Device Manager™Identifies unknown devices plugged into network“Block” Mechanism Built into System
• IP Data Blocker™Centrally managed system to prevent
unauthorized data transmission to unknown IP addresses for an organization
14
TrustVault™ Certificate
The Vendor Safe Guarantee: Covers up to $100,000 in Direct Expenses Relating to a Data Breach
including:
Mandatory Security Audit
Card Replacement Fees
Fines and Penalties, ex. VISA
Covers Electronic Data Breach at Every Franchisee Location
15
PCI Solution Validation
Web Portal Services:Self Assessment Questionnaire
SAQuick™ Questionnaire On-Line Access to Compliance Status
Quarterly Vulnerability Scanning Schedule scans automatically Print out vulnerability reports ASV on record 403-Labs
Report Generator Real-time Report Generator Print SAQ and Scan reports
PCI Compliance Reporting Services
16