
Page 1: PCI Compliance and the Restaurant of the Future

WEBINAR

PCI Compliance and the Restaurant of the Future
October 8, 2013

Presented by

Jim Lippard, Senior Product Manager, Security Products, EarthLink Business

Kamran Chaudhary, Director of Compliance Technology, Qualified Security Assessor (QSA), ANX eBusiness

Page 2: Introduction

Speakers

• Jim Lippard, Sr. Product Manager, Security Products, EarthLink Business

• Kamran Chaudhary, Director of Compliance Technology, Qualified Security Assessor (QSA), ANX eBusiness

About EarthLink: Leading provider of data, voice, and IT services for businesses, with services that include managed security and PCI compliance solutions for retailers.

About ANX eBusiness: Qualified Security Assessor (QSA) and Authorized Scanning Vendor (ASV) with the PCI Council. The ANX mission is to protect our customers' information, secure their business interactions and be their trusted platform for collaboration.

Page 3: Agenda

• The basics of PCI DSS compliance

• The risks of non-compliance

• PCI DSS 3.0

• New restaurant technology

• 4 basic steps for maintaining and achieving compliance

• EarthLink/ANX PCI compliance solutions

• Questions

Page 4: What is PCI Compliance?

Definition – Payment Card Industry Data Security Standard (PCI-DSS)

• Set up in 2004 by Visa, MasterCard, American Express, Discover, and JCB to reduce the risk of credit card theft and transfer liability to merchants

• Requires mandatory adoption by all businesses that store, process, or transmit credit/debit card data

The standard is organized as 6 Control Objectives, 12 Core Requirements, and 280+ Audit Procedures.

Page 5: Defining the Market Problem

THE EFFECTS OF CREDIT CARD BREACH ON RETAIL BUSINESS ARE DAUNTING

• $80k is the average direct cost of a data breach

• 70% of breached businesses are out of business within one year of the attack

• 1 in 6 small businesses will suffer a credit card breach in the next 24 months

• 98% of breaches originate from organized criminal groups

• 210 average days between intrusion and detection

Page 6: What happens if my business is non-compliant and suffers a breach?

A credit card breach will cripple your business for months

1. Credit card transactions – Acquirers may ask merchants to cease accepting them.

2. Forensic audit – QSA team on-site to determine cause of breach.

3. Implement remediation actions – Can take 90-120 days to complete.

4. Fines and fees – Merchant is responsible for all costs. $80-100K average.

5. Brand equity – Breaches are public knowledge; brand image tarnished.

Page 7: The bottom line on PCI Compliance

Many myths about PCI compliance:

• “It doesn’t apply to my business”

• “I’m already PCI compliant”

• “I have a firewall in place so I’m compliant”

• “My (fill in the blank) has me covered”

PCI DSS is solely the responsibility of the merchant:

• If merchant can’t demonstrate compliance, they cover breach costs.

• If merchant can demonstrate compliance, bank covers breach costs.

>96% of breached businesses were not PCI compliant

Page 8: If you cannot answer yes to the three questions below, you are NOT PCI Compliant

1. Can you demonstrate that ALL cashiers have completed and understood a formal security awareness training upon hire and at least annually?

2. Can you demonstrate that each employee has read and understood the company security policy and procedures?

3. Have you fully completed your annual SAQs and quarterly vulnerability scans with a 100% pass?

Page 9: PCI 3.0 Timeline

• PCI Release: November 7, 2013

• PCI 2.0 Expires: Dec 31, 2014

• Best practices become requirements: June 2015

Source: PCI Security Standards Council

What this means for you as a merchant:

• PCI Compliance is here to stay, and is always evolving

• The process incorporates feedback from merchants and QSAs

• Each release includes time for merchants to implement requirements and best practices

Page 10: What’s new in PCI DSS 3.0

PCI 3.0 emphasizes security versus compliance, and a more proactive, business-as-usual approach to protecting cardholder data.

Key themes:

• Education & awareness

• Increased flexibility

• Security as a shared responsibility

• Guidance on emerging technologies

3 types of changes:

• Clarification

• Additional guidance

• Evolving requirement

Page 11: NEW RESTAURANT TECHNOLOGY

Page 12: Payment Technology

Technology: Visa Chip and PIN (EMV)

What it is: Europe, Visa leading. Uses contactless NFC chips and a PIN for two-factor authentication on credit card purchases.

The impact on PCI DSS requirements: Annual validation not required for merchants that process 75% of card transactions through chip-enabled terminals.

Technology: Point-to-Point or End-to-End Encryption (P2PE or E2EE)

What it is: Allows merchants to offer point-to-point encryption of card data from point of entry to settlement.

The impact on PCI DSS requirements: Eliminates exposure to fraud and financial liability for the merchant, and reduces PCI scope to 6 PCI steps.

Key points in both scenarios:

• Risk is greatly reduced

• Merchants are still responsible for PCI compliance

Page 13: Network Technology

• Secure, reliable network connectivity is essential in transitioning to a “Restaurant of the Future”

• Customer-facing systems, e.g. POS, mobile POS, consumer Wi-Fi, digital menus, online ordering and phone ordering, depend on it

• Having the right technology in place reduces PCI DSS scope

• Key technologies to consider:

− Secure Wi-Fi: Includes rogue wireless scanning, guest access with walled garden

− Unified Threat Management (UTM): “Threat management in a box,” including intrusion detection/prevention, anti-malware, anti-virus, anti-spyware

− MPLS WAN: Private, centrally managed network with option to connect POS directly to card processors

Page 14: New devices = increased security risk

Evolution of threats (timeline graphic): as each generation arrives, the time from release to impact shrinks from weeks to days to minutes to seconds, and the target and scope of damage grows from an individual computer to individual networks, multiple networks, regional networks and global infrastructure.

• 1980s – 1st gen: boot viruses

• 1990s – 2nd gen: macro viruses, email, DoS, limited hacking

• Today – 3rd gen: network DoS, blended threat (worm + virus + trojan), turbo worms, widespread system hacking

• Future – Next gen: infrastructure hacking, flash threats, massive worm-driven DDoS, damaging payload viruses and worms

All new entry points need to be secured from hackers: Wi-Fi, security cameras, wireless credit card processors, digital menu boards and more interface to networks via IP addresses.

Page 15: 4 BASIC STEPS TO PCI COMPLIANCE

Page 16: How to Proactively Protect Your Business from Breach

Step 1: Establish Financial Protection

Step 2: Validate PCI Compliance

Step 3: Achieve Compliance

Step 4: Maintain Compliance

Page 17: Step 1: Financially Protect Your Business

Acquire adequate breach protection for each store location to help cover direct costs in the event of a breach.

As little as $1/day per location can cover the costs of:

• Forensic audit and consultation with a Qualified Security Assessor (QSA)

• Replacement of credit cards and related expenses

• Fines and penalties incurred

Ensure that coverage is retroactive to cover any undiscovered breach.

Page 18: Step 2: Validate PCI Compliance

Requirements by Merchant Level

Merchant levels by transaction volume:

• Level 1: >6 million

• Level 2: 1 to 6 million

• Level 3: 20,000 to 1 million

• Level 4: All other merchants

Validation requirements:

• On-Site QSA Audit: Annually (Level 1)

• Self Assessment Questionnaire (SAQ): Annually, by a QSA/ISA

• Authorized Scanning Vendor Scan (ASV): Quarterly

• Security Awareness Training: Upon hire and annually

• Policy Review and Acceptance: Annually

Note: Other quarterly or annual requirements will apply based on SAQ.

Page 19: Step 3: Achieve PCI Compliance

Common issues:

• Outdated firewalls

• Insecure remote access

• Weak security configurations

• Operating system flaws

• Lack of staff training

• Flawed security policies

• Poor change control procedures

Address gaps identified during the validation process. Up to 280 requirements depending on your environment.

Page 20: Step 4: Maintain Compliance

• Conduct on-going PCI training for employees including cashiers, IT staff

• Document and enforce security policies

• Conduct regular assessments and network scans for all locations and remediate gaps

• Identify and work closely with a PCI Compliance partner who can help

Page 21: EarthLink PCI Compliance Solutions

• PCI Compliance Validation: Powered by ANX eBusiness, QSA and ASV. $100,000 in breach protection per location. Portal with all of the tools Level 2-4 merchants need to validate compliance.

• Private MPLS WAN Network: Secure connectivity for all of your restaurants, all centrally managed from one location. Direct connections from POS to card processors.

• Managed security: Firewall, mobile device management, secure remote access.

“We rely on the EarthLink MPLS network 24/7 to run our restaurant operations. The private network also supports PCI compliance and allows us to control and monitor all 200 restaurants from one location.”

Page 22: Questions?

For more information: http://www.earthlinkbusiness.com/restaurant-pci-compliance/