About this Presentation…sam4secr.com/brochures/sps500/SPS-2000_PABP...08.pdf · SAM4s SPS-2000...



Page 1: About this Presentation…

This presentation was given initially at RSPA's 2008 RetailNow Convention and later at the Fall/Winter 2008 SPS-2000 Dealer Meetings. CRS thanks Datacap Systems, Inc. and Mercury Payment Systems for providing content and assistance in preparing this material.

Page 2: SAM4s SPS-2000 PABP Update

Agenda:
– The Issue / The Problem(s)
– Datacap Update
– PABP Update & Training
– Regulatory Review
– Compliance Responsibility
– SPS-2000 Best Practices & Checklist

Page 3: PCI: The Issue (What's Going On Here?)

Bad guys are stealing card info and using it to make fraudulent purchases, big time (and for identity theft).
– Characterized as big-time international electronic organized crime
– A ring responsible for TJ Maxx, Barnes & Noble etc. was caught recently, but more are out there

Card Associations (Visa, MC, etc.) can't charge anyone for fraudulent purchases, so they absorb the losses, and everyone's rates rise to cover the losses and the costs of pursuit.

Involved merchants spend a lot of time and expense supporting pursuit.

Page 4: PCI: The Issue (What's Going On Here?)

Card fraud (and identity theft) is very expensive, disruptive and far reaching for the card holders involved. They don't pay for fraudulent charges, but it takes time and effort to document the fraudulent charges, correct credit history and rating, etc.

Gov't threatens to deal with it if the card industry can't self-manage, and has taken some steps at state and federal levels.

Everyone is/was storing card info in ways that make it easy to steal.

Page 5: Compromise Statistics: An Internet Problem?

(Chart: compromise cases by environment) Card Not Present 15%; Card Present 85%.

About 5 out of every 6 cases is a traditional Brick and Mortar environment.

Retail 'Card Present' merchants are not aware of these risks! ("Not My Problem")

It's not just an internet or e-commerce problem.

Page 6: Compromise Statistics: Which Systems are Problems?

(Chart: Cases By System Type) PC POS 84%; Shopping Cart 12%; Backend 2%; Mainframe 1%; Physical 1%.

None of the systems were PA-DSS compliant (until recently).

The majority of the cases involved a compromise of a PC based POS system.

But embedded ECRs? So… No Need to Worry?

(Hint: using a compliant solution is not the same as being compliant.)

Page 7: Compromise Statistics: What Info is Stolen?

(Chart: Brick and Mortar Cases w/ Track Data Storage) Yes 99%; No 1%.

Criminals target track data, security codes and PINs (storage is never permitted post authorization).

80% of breaches are level 4 merchants! Mostly in the restaurant space (though most card number loss is from level 1).

Non-compliant software packages stored track data and the merchants did not know until it was too late!

Page 8: So What's the Big Deal? Bottom Line

Everyone needs to be compliant NOW.

Or be LIABLE for the consequences if/when they get caught (compromised).

And the loopholes you are all thinking about ARE being closed.

Page 9: So What's the Big Deal? New PCI (Visa) Small Merchant Mandates

01/01/08 Newly boarded merchants must not use known vulnerable payment applications – so acquirers now ask.

10/01/08 Newly boarded level 3 & 4 merchants must use PA-DSS validated applications or be PABP compliant (except hardware terminals).

10/01/09 Acquirers must decertify known vulnerable payment applications.

07/01/10 Acquirers must ensure all merchants are using PABP compliant applications.

Visa excepts "hardware terminals" but:
– Don't/Won't clearly define it (Ambiguity is King)
– "Tell" merchants they MUST use compliant solutions
– We're all between a rock and a very hard place

Page 10: So What's the Big Deal? The Threat – How fines are assessed

In proportion to total card numbers lost.

Based on type of lost data (Track data vs. Account number and expiration date).

Fines increase if additional factors are involved (Example: Storage of full track data; Attitude).

Cover cost of reissuing cards ($20-$30/card). Can exceed $100,000 for loss of a modest number of cards.

Card association to 'processor' to merchant… no POS resellers sued yet… but 'share-sies'?

Page 11: Greatest Sales Opportunity for Dealers Since Y2K

10/1/08 – "Compliance" demonstration required when changing processors (seems that compliant middleware does it for embedded hardware users).

7/1/10 – Acquirers must ensure all customers are compliant – 2 years to upgrade or replace ALL non-compliant systems.

Page 12: Summary and Datacap Update

Can fight it, but resistance is futile. Prepare to be assimilated. We all need to comply.

And protect yourselves – 'hold harmless' letters recommended (need to get Visa/someone to be the heavy).

More mandates coming 10/08. Probably based on further compromises and the transition from databases to data-in-transit.

Datacap
– PCI validation 2006 for NETePay and DIALePay/DataTran
– PABP validation 7/08 on new Trans (TwinTran, IPTran, DialTran)
– PABP validation on DataTran is fast tracking

Page 13: Review: Regulatory Environment

PCI DSS (Visa CISP + MC SDP + AmEx + Disc) – Payment Card Industry Data Security Standard

FACTA (receipt masking) – Fair & Accurate Credit Transactions Act

PABP (Visa Program) – Payment Applications Best Practices

PA-DSS (PCI version of PABP) – New! Payment Application Data Security Standard

Page 14: PCI DSS

– 2006 Release
– Industry Self-Regulation Standard
– 5 Largest Card Companies
– Covers Secure Networks, Cardholder Protection & Security Standards
– Enforceable by Card Company Fines & Sanctions

Page 15: FACTA

Started in the states, evolved to national. Allows consumers to see free credit reports, protects against identity theft, etc.

Key provision covers printing of card numbers:

"No person that accepts credit cards or debit cards for the transaction of business shall print more than the last five digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of the sale or transaction."

Updated in 2008 to eliminate "pure expiration date" actions.
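Page 7 (applications that quietly retained track data) and Page 15 (receipts that print more of the card number than FACTA allows) are two sides of the same stored-card-data problem. The Python below is an added example, not SAM4s, CRS or Datacap code: it scans text for Track 1 / Track 2 strings and Luhn-valid bare PANs (so a dealer can check a register's export or log for data that should never have been kept), masks a PAN for printing, and checks a receipt line against FACTA's last-five-digits rule. The log line format, field names and sample card numbers (the common 4111… and 5500…0004 test PANs) are constructed for the example and are not taken from the SPS-2000 or its PABP.log.

```python
"""Added example: detect stored card data and check receipt masking (FACTA).
Not vendor code; the log format and sample PANs below are constructed."""
import re

# Track 2: ;PAN=YYMM<service code><discretionary>?   Track 1: %B<PAN>^<NAME>^YYMM<...>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})\d*\?")
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})[^?]*\?")
# Bare 13-19 digit run, digits optionally separated by single spaces or hyphens
PAN_RE = re.compile(r"(?<!\d)(\d(?:[ -]?\d){12,18})(?!\d)")
# Same shape but allowing mask characters, to count how many digits a receipt exposes
MASKED_RUN_RE = re.compile(r"(?<![\d*Xx])([\d*Xx](?:[ -]?[\d*Xx]){12,18})(?![\d*Xx])")


def luhn_valid(digits: str) -> bool:
    """Mod-10 check; weeds out order numbers and timestamps from PAN candidates."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_last: int = 4, keep_first: int = 0) -> str:
    """Replace all but the kept digits with '*'.
    Customer receipts: keep_first=0 and keep_last<=5 (FACTA). PCI DSS allows at most
    first 6 + last 4 on internal displays with a documented business need."""
    if keep_first > 6 or keep_last > 5:
        raise ValueError("more digits than PCI DSS / FACTA permit")
    digits = re.sub(r"\D", "", pan)
    hidden = max(0, len(digits) - keep_first - keep_last)
    return digits[:keep_first] + "*" * hidden + digits[len(digits) - keep_last:]


def find_stored_card_data(text: str) -> list[dict]:
    """One finding per track-1/track-2 string or Luhn-valid bare PAN in `text`.
    Track matches are found first; their spans are excluded from the bare-PAN pass so
    the PAN and discretionary data inside a track are not reported twice."""
    findings, covered = [], []
    for kind, rx in (("track2", TRACK2_RE), ("track1", TRACK1_RE)):
        for m in rx.finditer(text):
            covered.append(m.span())
            findings.append({"kind": kind, "pan": mask_pan(m.group(1)), "pos": m.start()})
    for m in PAN_RE.finditer(text):
        if any(a <= m.start() < b for a, b in covered):
            continue
        digits = re.sub(r"\D", "", m.group(1))
        if luhn_valid(digits):
            findings.append({"kind": "pan", "pan": mask_pan(digits), "pos": m.start()})
    return sorted(findings, key=lambda f: f["pos"])


def receipt_exposed_digits(receipt: str) -> int:
    """Largest number of digits any card-number-shaped run on the receipt exposes."""
    worst = 0
    for m in MASKED_RUN_RE.finditer(receipt):
        worst = max(worst, sum(ch.isdigit() for ch in m.group(1)))
    return worst


def receipt_is_facta_compliant(receipt: str) -> bool:
    """FACTA (15 U.S.C. 1681c(g)): print no more than the last five digits of the PAN."""
    return receipt_exposed_digits(receipt) <= 5


# Constructed sample: an EFT debug log from a register that (wrongly) retained card data.
SAMPLE_LOG = """\
2008-10-01 12:31:07 REG1 EFT sale 42.17 track2=;4111111111111111=10121011234567890?
2008-10-01 12:31:07 REG1 EFT track1=%B4111111111111111^DOE/JANE^1012101123456789?
2008-10-01 12:35:22 REG1 EFT sale 8.50 pan=5500 0000 0000 0004 exp=1012
2008-10-01 12:40:00 REG1 EFT sale 3.00 pan=************1111 auth=123456
2008-10-01 12:41:00 REG1 order ref 1234567890123 (not a card number)
"""

if __name__ == "__main__":
    for f in find_stored_card_data(SAMPLE_LOG):
        print(f"{f['kind']:6s} at offset {f['pos']:4d}: {f['pan']}")
```

Run against a real export, the third line of the sample is the interesting case: a PAN with spaces and no track sentinels is exactly what a "we only keep the account number" application leaves behind, and the Luhn filter is what stops the order reference on the last line from being flagged. The receipt check is deliberately stricter than "no full PAN": a first-6/last-4 display that is fine on a manager report still exposes ten digits and fails FACTA on a customer receipt.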


Page 16: PABP

Adopted November 2007. Used by PCI to help Acquirers enforce Payment Application Vendors' compliance.

Validated & Vulnerable Applications are listed.

Key Dates:
– 1/1/08 Newly boarded Merchants may not use vulnerable applications
– 10/1/08 Newly boarded Merchants must be PA-DSS validated or use PABP compliant solutions (except hardware terminals)
– 10/01/09 Acquirers must decertify known vulnerable payment applications
– 7/1/10 Acquirers must ensure that all of their merchants use only PABP compliant, validated applications

More Info at: www.pcisecuritystandards.org

Page 17: PA-DSS

– Announced November 2007 by the PCI Security Standards Council
– Based on Visa's PABP
– PABP will transition into PA-DSS in 2008
– Validations migrate (carry forward)
– More Info at: www.pcisecuritystandards.org

Page 18: Q: Compliance: Who is Responsible?

A. POS Manufacturer
B. Reseller
C. Payment Processor
D. Merchant

Page 19: Answer: All of the Above

"Using PABP validated payment applications does not alone guarantee or ensure compliance with the PCI DSS…"

Page 20: Resources For Dealers

Retail Systems Provider Association (RSPA) www.GoRSPA.org
– PCI News
– DVD "Are you at Risk"
– Handbook (Standard Documents & Letters)
– Research & Reports

Your Payment Processing Partners

CRS Website

Datacap Website and People

Page 21: SPS-2000 Specific PABP

Encryption: Saved Passwords (Employee / S-Mode); IRC of Card Numbers

For the System Programmer/Installer: Each employee should be set up as a separate employee with a unique EMPLOYEE ID in the employee file. There should be no "generic" employee log-in that all employees use.

Page 22: SPS-2000 Specific PABP

For the System Programmer/Installer:

All Managers should be set up as separate employees with a unique EMPLOYEE ID in the employee file.

All Manager IDs/Passwords should be changed from the default settings.

When there is management turnover, all Manager IDs/Passwords should be changed.

Page 23: SPS-2000 Specific PABP

Employee Programming Screen (screenshot callouts):
– Must be Unique – NOT DEFAULT
– Use Different Operating & Clock-In Codes

Page 24: SPS-2000 Specific PABP

For the System Programmer/Installer: Managers must use the SIGN ON by MCR method.

Refer to the SPS-2000 Program Manual Chapter: "Employee Time Keeping with MCR – Program Guide" for detailed setup instructions.

Page 25: SPS-2000 Specific PABP

For the System Programmer/Installer: It is recommended that Managers use the Strong Password method (NEW option).

Requires: Sign-In Code & MCR; Card Reader Enabled; Employee Sign On = EMPLOYEE #.

Page 26: SPS-2000 Specific PABP

For the System Programmer/Installer: Only Managers should have access to REP mode in the SPS-2000.

If necessary, employee-authorized reports can be run in REG mode through report macros, and employee-authorized EFT functions such as tip entry can be done in REG mode through the EFT function key.

Page 27: SPS-2000 Specific PABP

S-Mode Password Programming: Set a unique Report Mode password & distribute it only to managers.

Page 28: SPS-2000 Specific PABP

General Printing Options: Page 5 – Set Masking Option to YES.

Page 29: SPS-2000 Specific PABP

Memory Stick: Insert into the bottom USB port. Records PABP.log (Audit Info).

Merchants should secure these USB Memory Sticks (place in the safe each night).

Page 30: SPS-2000 Specific PABP / When Using a Wireless Network…

6.1 For wireless networks transmitting cardholder data, encrypt the transmissions by using WiFi Protected Access (WPA or WPA2) technology, IPSEC VPN, or SSL/TLS. Never rely exclusively on wired equivalent privacy (WEP) to protect confidentiality and access to a wireless LAN.

If WEP is used, do the following:
• Use with a minimum 104-bit encryption key and 24-bit initialization value.
• Use ONLY in conjunction with WiFi Protected Access (WPA or WPA2) technology, VPN, or SSL/TLS.
• Rotate shared WEP keys quarterly (or automatically if the technology permits).
• Rotate shared WEP keys whenever there are changes in personnel with access to keys.
• Restrict access based on media access code (MAC) address.

Note that the WEP allowances above were already on their way out when this was presented: PCI DSS v1.2 (October 2008) prohibited new wireless implementations from using WEP after March 31, 2009 and required existing ones to stop using WEP after June 30, 2010, so the practical guidance for a new SPS-2000 wireless install is WPA2 and no WEP at all.

Page 31: SPS-2000 Specific PABP / When Using a Wireless Network…

6.2 For wireless payment applications, and other wireless applications connected to cardholder data environments, verify that the wireless technology has been protected with a firewall configuration and that wireless vendor defaults have been changed per PCI Data Security Standard 1.3.8 and 2.1.1.

Page 32: SPS-2000 Specific PABP

Merchant Training: Merchants should be instructed that they must use due diligence in securing all printed credit card transactions and reports with card holder data printed.

Page 33: SPS-2000 PABP Checklist

– Upgrade to Version 3.00g or above
– Unique Employee IDs
– Separate Manager IDs / Not Default Passwords
– Different Operating & Clock-In Codes
– Manager Strong Password (ID + MCR)
– REP Mode Restricted to Managers
– Set Masking to YES
– Install Memory Stick to Record PABP.log
– Comply with Security Req. when using a wireless network
– Merchant Training
– Hold Harmless Letter to Merchants