PCI DSS Managed Service Solution October 18, 2011


Transcript of PCI DSS Managed Service Solution October 18, 2011

Page 1: PCI DSS Managed Service Solution October 18, 2011

PCI DSS Managed Service Solution

October 18, 2011


Page 2

Who is Vendor Safe?

Founded in 1989 in Houston, Texas: 20 Plus Years of Security Experience

• Internet Security
• Network Security
• Data Security

Transformation in 2007:

• Managed Firewall Architecture
• Provide Security First – PCI Compliance Will Follow
• PCI DSS Security Experts


Page 3

Why Care about PCI Compliance

The Problem:

“Many Franchise owners and IT Managers underestimate the high risk of credit card fraud and the consequences that follow.”


Page 4

PCI - Terms

• PA-DSS (Payment Application Data Security Standard)

• PCI DSS (Payment Card Industry Data Security Standard)

• SAQ (Self-Assessment Questionnaire)

• Scans – External, Internal, Wireless

• ASV – Authorized Scanning Vendor

• QSA – Qualified Security Assessor

• Compliance vs. Validation

Page 5

I Signed What?

Merchants have already agreed to be PCI Compliant!

7 Data Security and Privacy. You agree to post and maintain on all your Web Sites both your consumer data policy (which must comply with all Payment Brand Rules, Regulations, and Guidelines) and your method of transaction security. You may not retain or store CVV2/CVC2 data or PIN data subsequent to the authorization. You must comply with all Security Standards published by the Payment Brands and the PCI SSC including, but not limited to, Visa’s Customer Information Security Program (“CISP”), MasterCard’s Security Data Program (“MDSP”) and the Payment Card Industry Data Security Standard (“PCI DSS”). Pursuant to the Security Standards, you must, among other things: (i) install and maintain a working network firewall to protect data accessible via the internet; (ii) keep security patches up to date; (iii) encrypt stored data and data sent over open networks; (iv) use and update antivirus software; (v) restrict access to employees who are on a “need to know” basis; (vi) assign a unique ID to each person with computer access to data; (vii) not use vendor-supplied defaults for system passwords and other security parameters; (viii) track access to data by unique ID; (ix) regularly test security systems and processes; (x) maintain a policy that addresses information security for employees and contractors; (xi) restrict physical access to Customer information; (xii) when outsourcing administration of information assets, networks, or data you must retain legal control of proprietary information and use limited “need to know” access to such assets, networks or data; and (xiii) reference the protection of Customer Information and compliance with the Security Standards in contracts with other service providers. You must notify Paymentech of any third party vendor with access to Customer Information, and you are responsible for ensuring that all third party vendors are compliant with the Security Standards, to the extent applicable. The Security Standards may require that you engage an approved third party vendor to conduct quarterly perimeter scans and/or security reviews. The Security Standards can be accessed through the Visa and MasterCard websites at www.Visa.com and www.MasterCard.com.


Page 6

It Won’t Happen to Me!


Hackers Shift Attacks to Small Firms

Joe Angelastri, owner of City News stand in the Chicago area, is out $22,000 because cyber hackers attacked his stores' payment system.

Hacking at small businesses "is a prolific problem," says Dean Kinsman, a special agent in the Federal Bureau of Investigation's cyber division, which has more than 400 active investigations into these crimes. "It's going to get much worse before it gets better."

Article – Wall Street Journal, 7-21-2011

Page 7

Breach - Ugly Facts

• Forensic Audit – 6K–10K (per location)

• Audit sent to Card Brands and Merchant Bank

• Scope of Breach Determined

• Fees / Fines Assessed (+10K cards)

• Remediation – Required for Lack of Security, or Additional Fines (5K)

• Customer Loss and Brand Damage

Page 8

PCI Solution Overview

PCI is More Than POS


Page 9

PCI Solution Overview: 12 Requirements and Vendor Safe Solutions

Install and Maintain a Firewall
  • Vendor Safe Global Security Mesh / Security Services

Change Default Passwords
  • Vendor Safe Equipment and Remote Access is compliant
  • Policy to assist client with LAN management

Protect Stored Data
  • Vendor Safe Security Policy provided to address credit card data

Encrypt Credit Card Transmissions
  • Vendor Safe equipment can encrypt to the highest standards (wired and wireless)

Updated Anti-Virus Software
  • Optional Vendor Safe Managed Anti-Virus Service or POS Reseller provided

Develop Secure Applications
  • Vendor Safe does NOT provide Payment Software (PA-DSS Certified Versions)

Restrict Access to Data
  • Vendor Safe Hierarchical remote access VPN architecture
  • Vendor Safe Customer policies and procedure templates

Assign a Unique ID for Users
  • Vendor Safe two factor remote access (different account for each user)
  • Vendor Safe Customer policies and procedure templates

Restrict Physical Access
  • Vendor Safe Training material (Web Videos / Policy and Procedure Templates)

Track and Monitor Data Access
  • Vendor Safe Workstation Logging client available (LANScribe™)

Regularly Test Vulnerabilities
  • Vendor Safe Internal and External Vulnerability scanning services
  • Vendor Safe Penetration Testing Guide

Maintain Policy and Procedures
  • Vendor Safe Template provided and maintained by customer
  • Vendor Safe available for professional services if needed


Page 10

VST Value Proposition

• Heavy Lifting Components of PCI DSS
  – High End Firewall and Secure Network Segments required for in-scope devices for PCI DSS
  – Provides Secure Remote Access, Policy Based
  – 2 Factor Authentication, SMS or Email
  – Logging and Storage – Firewall, Remote Access
  – Managed Service, Updates, and 24x7 Monitoring
  – System Logs and File Integrity Monitoring (LANScribe)
  – Internal Scan
  – Wireless Detection Scan

Page 11

Platinum Package

Global Security Mesh™
  – Managed Juniper Firewall with VPN
  – Implementation, Set-up, and Configuration
  – Gateway Session Logging
  – Logs Stored Online for 1 Year
  – Secure Remote Access with Two Factor Authentication
  – SMS / Email OTP Validation

$100,000 TrustVault™ Certificate

Forced Configuration Manager™
  – Ensures Secure Communications
  – Enforces Antivirus policies


Page 12

Platinum Package Cont’d

Global Security Mesh™
  – Network Segmentation to meet PCI Standards
  – IPS / IDS
  – Web Filtering / Content Management
  – 24 x 7 x 365 Event Logging, Monitoring, and Support
  – Centralized Firewall Configuration Management
  – Firewall Security Policy Template Updates
  – Ongoing Firewall Change Control and Policy Updates (includes Technological Changes to the PCI DSS Standard)
  – Next Business Day Hardware Replacement


Page 13

Platinum Package

Package Geared towards SAQ D Attestation Level Merchants

Automated security policies that reflect the more complicated requirements of the environment

LANScribe™ - Workstation Logging and File Integrity Monitoring (Up to 6 Workstations)


Page 14

Beyond PCI™ Security

Beyond PCI Security Services

• Rogue Device Manager™ – Identifies unknown devices plugged into the network; “Block” mechanism built into the system

• IP Data Blocker™ – Centrally managed system to prevent unauthorized data transmission to unknown IP addresses for an organization


Page 15

TrustVault™ Certificate

The Vendor Safe Guarantee: Covers up to $100,000 in Direct Expenses Relating to a Data Breach

including:

Mandatory Security Audit

Card Replacement Fees

Fines and Penalties (e.g., VISA)

Covers Electronic Data Breach at Every Franchisee Location


Page 16

PCI Solution Validation

Web Portal Services:

Self Assessment Questionnaire
  – SAQuick™ Questionnaire
  – On-Line Access to Compliance Status

Quarterly Vulnerability Scanning
  – Schedule scans automatically
  – Print out vulnerability reports
  – ASV on record: 403 Labs

Report Generator
  – Real-time Report Generator
  – Print SAQ and Scan reports

PCI Compliance Reporting Services


Page 17

Questions

David Bones [email protected] 210-412-4756
